npm - @spidy092/auth-client - Versions diffs - 2.0.7 → 2.1.0 - Mend

@spidy092/auth-client 2.0.7 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/config.js CHANGED Viewed

@@ -5,7 +5,6 @@ let config = {
   redirectUri: null,
   accountUiUrl: null,
   isRouter: false, // ✅ Add router flag
-  usePkce: false,
 };
 export function setConfig(customConfig = {}) {

package/core.js CHANGED Viewed

@@ -12,7 +12,7 @@ import { getConfig, isRouterMode } from './config';
 let callbackProcessed = false;
-export function login(clientKeyArg, redirectUriArg, options = {}) {
+export function login(clientKeyArg, redirectUriArg) {
   // ✅ Reset callback state when starting new login
   resetCallbackState();
@@ -25,14 +25,11 @@ export function login(clientKeyArg, redirectUriArg, options = {}) {
   const clientKey = clientKeyArg || defaultClientKey;
   const redirectUri = redirectUriArg || defaultRedirectUri;
-  const { codeChallenge, codeChallengeMethod, state } = options;
   console.log('🔄 Smart Login initiated:', {
     mode: isRouterMode() ? 'ROUTER' : 'CLIENT',
     clientKey,
-    redirectUri,
-    hasPKCE: !!codeChallenge,
-    hasState: !!state
+    redirectUri
   });
   if (!clientKey || !redirectUri) {
@@ -44,39 +41,27 @@ export function login(clientKeyArg, redirectUriArg, options = {}) {
   if (isRouterMode()) {
     // Router mode: Direct backend authentication
-    return routerLogin(clientKey, redirectUri, { codeChallenge, codeChallengeMethod, state });
+    return routerLogin(clientKey, redirectUri);
   } else {
     // Client mode: Redirect to centralized login
-    return clientLogin(clientKey, redirectUri, { codeChallenge, codeChallengeMethod, state });
+    return clientLogin(clientKey, redirectUri);
   }
 }
 // ✅ Router mode: Direct backend call
-function routerLogin(clientKey, redirectUri, options = {}) {
+function routerLogin(clientKey, redirectUri) {
   const { authBaseUrl } = getConfig();
-  const { codeChallenge, codeChallengeMethod, state } = options;
-  // Build URL with PKCE and state parameters
-  const params = new URLSearchParams({
-    redirect_uri: redirectUri
-  });
-  if (codeChallenge) {
-    params.append('code_challenge', codeChallenge);
-    params.append('code_challenge_method', codeChallengeMethod || 'S256');
+  const params = new URLSearchParams();
+  if (redirectUri) {
+    params.append('redirect_uri', redirectUri);
   }
-  if (state) {
-    params.append('state', state);
-  }
-  const backendLoginUrl = `${authBaseUrl}/login/${clientKey}?${params.toString()}`;
+  const query = params.toString();
+  const backendLoginUrl = `${authBaseUrl}/login/${clientKey}${query ? `?${query}` : ''}`;
   console.log('🏭 Router Login: Direct backend authentication', {
     clientKey,
     redirectUri,
-    hasPKCE: !!codeChallenge,
-    hasState: !!state,
     backendUrl: backendLoginUrl
   });
@@ -84,32 +69,20 @@ function routerLogin(clientKey, redirectUri, options = {}) {
 }
 // ✅ Client mode: Centralized login
-function clientLogin(clientKey, redirectUri, options = {}) {
+function clientLogin(clientKey, redirectUri) {
   const { accountUiUrl } = getConfig();
-  const { codeChallenge, codeChallengeMethod, state } = options;
-  // Build URL with PKCE and state parameters
   const params = new URLSearchParams({
-    client: clientKey,
-    redirect_uri: redirectUri
+    client: clientKey
   });
-  if (codeChallenge) {
-    params.append('code_challenge', codeChallenge);
-    params.append('code_challenge_method', codeChallengeMethod || 'S256');
-  }
-  if (state) {
-    params.append('state', state);
+  if (redirectUri) {
+    params.append('redirect_uri', redirectUri);
   }
   const centralizedLoginUrl = `${accountUiUrl}/login?${params.toString()}`;
   console.log('🔄 Client Login: Redirecting to centralized login', {
     clientKey,
     redirectUri,
-    hasPKCE: !!codeChallenge,
-    hasState: !!state,
     centralizedUrl: centralizedLoginUrl
   });
@@ -187,23 +160,12 @@ export function handleCallback() {
   const params = new URLSearchParams(window.location.search);
   const accessToken = params.get('access_token');
   const error = params.get('error');
-  const state = params.get('state');
   console.log('🔄 Callback handling:', {
     hasAccessToken: !!accessToken,
-    error,
-    hasState: !!state
+    error
   });
-  // ✅ Validate state parameter
- if (state) {
-  console.warn("⚠️ State returned but validation disabled (demo mode)");
-  // Clean up any existing stored state
-  sessionStorage.removeItem('oauth_state');
-  sessionStorage.removeItem('pkce_timestamp');
-}
   // ✅ Prevent duplicate callback processing
   if (callbackProcessed) {
     const existingToken = getToken();
@@ -218,7 +180,6 @@ export function handleCallback() {
   callbackProcessed = true;
   sessionStorage.removeItem('originalApp');
   sessionStorage.removeItem('returnUrl');
-  sessionStorage.removeItem('pkce_code_verifier'); // Clear PKCE verifier after use
   if (error) {
     const errorDescription = params.get('error_description') || error;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@spidy092/auth-client",
-  "version": "2.0.7",
+  "version": "2.1.0",
   "description": "Scalable frontend auth SDK for centralized login using Keycloak + Auth Service.",
   "main": "index.js",
   "module": "index.js",

package/token.js CHANGED Viewed

@@ -53,7 +53,7 @@ function readAccessToken() {
 //   }
 //   const expires = new Date(Date.now() + COOKIE_MAX_AGE * 1000);
 //   try {
 //     document.cookie = `${REFRESH_COOKIE}=${encodeURIComponent(token)}; Path=/; SameSite=Lax${secureAttribute()}; Expires=${expires.toUTCString()}`;
 //   } catch (err) {
@@ -66,14 +66,14 @@ function readAccessToken() {
 //     const match = document.cookie
 //       ?.split('; ')
 //       ?.find((row) => row.startsWith(`${REFRESH_COOKIE}=`));
 //     if (match) {
 //       return decodeURIComponent(match.split('=')[1]);
 //     }
 //   } catch (err) {
 //     console.warn('Could not read refresh token:', err);
 //   }
 //   return null;
 // }
@@ -145,55 +145,77 @@ export function clearToken() {
   });
 }
+// ========== REFRESH TOKEN STORAGE FOR HTTP DEVELOPMENT ==========
+// In production, refresh tokens should ONLY be in httpOnly cookies set by server
+// For HTTP development (cross-origin cookies don't work), we store in localStorage
+const REFRESH_TOKEN_KEY = 'auth_refresh_token';
+function isHttpDevelopment() {
+  try {
+    return typeof window !== 'undefined' &&
+      window.location?.protocol === 'http:';
+  } catch (err) {
+    return false;
+  }
+}
 export function setRefreshToken(token) {
-  // ✅ SECURITY: Refresh tokens should ONLY be in httpOnly cookies set by server
-  // This function should NOT be used - refresh tokens must come from server cookies
-  // Keeping for backwards compatibility but logging warning
   if (!token) {
     clearRefreshToken();
     return;
   }
-  console.warn('⚠️ SECURITY WARNING: setRefreshToken() called - refresh tokens should only be in httpOnly cookies!');
-  console.warn('⚠️ Refresh tokens set client-side are insecure and should be removed');
-  // ❌ DO NOT store refresh token in client-side storage
-  // The server sets it in httpOnly cookie, which is the only secure way
-  // Only clear any existing client-side storage
-  try {
-    sessionStorage.removeItem(REFRESH_COOKIE);
-  } catch (err) {
-    // Ignore
+  // For HTTP development, store in localStorage (since httpOnly cookies don't work cross-origin)
+  if (isHttpDevelopment()) {
+    try {
+      localStorage.setItem(REFRESH_TOKEN_KEY, token);
+      console.log('📦 Refresh token stored in localStorage (HTTP dev mode)');
+    } catch (err) {
+      console.warn('Could not store refresh token:', err);
+    }
+  } else {
+    // In production (HTTPS), refresh token should be in httpOnly cookie only
+    console.log('🔒 Refresh token managed by server httpOnly cookie (production mode)');
   }
 }
 export function getRefreshToken() {
-  // ✅ Refresh tokens are stored in httpOnly cookies by the server
-  // We cannot read httpOnly cookies from JavaScript - they're only sent with requests
-  // This function is kept for backwards compatibility but returns null
-  // The refresh endpoint will automatically use the httpOnly cookie via credentials: 'include'
-  // ❌ DO NOT try to read refresh token from client-side storage
-  // httpOnly cookies are not accessible via document.cookie
-  console.warn('⚠️ getRefreshToken() called - refresh tokens are in httpOnly cookies and cannot be read from JavaScript');
-  console.warn('⚠️ The refresh endpoint will automatically use the httpOnly cookie via credentials: "include"');
-  return null; // Refresh token is in httpOnly cookie, not accessible to JavaScript
+  // For HTTP development, read from localStorage
+  if (isHttpDevelopment()) {
+    try {
+      const token = localStorage.getItem(REFRESH_TOKEN_KEY);
+      return token;
+    } catch (err) {
+      console.warn('Could not read refresh token:', err);
+      return null;
+    }
+  }
+  // In production, refresh token is in httpOnly cookie (not accessible via JS)
+  // The refresh endpoint uses credentials: 'include' to send the cookie
+  return null;
 }
 export function clearRefreshToken() {
+  // Clear localStorage (for HTTP dev)
+  try {
+    localStorage.removeItem(REFRESH_TOKEN_KEY);
+  } catch (err) {
+    // Ignore
+  }
+  // Clear cookie (for production)
   try {
     document.cookie = `${REFRESH_COOKIE}=; Path=/; SameSite=Strict${secureAttribute()}; Expires=Thu, 01 Jan 1970 00:00:00 GMT`;
   } catch (err) {
     console.warn('Could not clear refresh token cookie:', err);
   }
+  // Clear sessionStorage
   try {
     sessionStorage.removeItem(REFRESH_COOKIE);
   } catch (err) {
-    console.warn('Could not clear refresh token from sessionStorage:', err);
+    // Ignore
   }
 }