@spidy092/auth-client 2.1.0 → 2.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3)
  1. package/index.js +4 -1
  2. package/package.json +1 -1
  3. package/token.js +27 -49
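--- a/package/index.js
+++ b/package/index.js
@@ -1,7 +1,7 @@
 // auth-client/index.js
 import { setConfig, getConfig, isRouterMode } from './config';
 import { login, logout, handleCallback, refreshToken, resetCallbackState, validateCurrentSession } from './core';
-import { getToken, setToken, clearToken, addTokenListener, removeTokenListener, getListenerCount } from './token';
+import { getToken, setToken, clearToken, setRefreshToken, getRefreshToken, clearRefreshToken, addTokenListener, removeTokenListener, getListenerCount } from './token';
 import api from './api';
 import { decodeToken, isTokenExpired, isAuthenticated } from './utils/jwt';
 
@@ -23,6 +23,9 @@ export const auth = {
 getToken,
 setToken,
 clearToken,
+setRefreshToken, // ✅ Refresh token for HTTP dev
+getRefreshToken,
+clearRefreshToken,
 addTokenListener, // ✅ Export new functions
 removeTokenListener,
 getListenerCount, // ✅ Debug function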
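Review bot: The comment on the newly exported `setRefreshToken`, `// ✅ Refresh token for HTTP dev`, describes the localStorage HTTP-dev mode that this same release removes from token.js, where `setRefreshToken()` now only warns and never stores the value it is given. A consumer reading the public `auth` surface would be led to believe a client-side refresh-token store still exists; suggest `setRefreshToken, // deprecated no-op: refresh token lives only in the server-set httpOnly cookie` or dropping the comment. The `auth` object literal starts and ends outside the hunk.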
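--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@spidy092/auth-client",
-"version": "2.1.0",
+"version": "2.1.1",
 "description": "Scalable frontend auth SDK for centralized login using Keycloak + Auth Service.",
 "main": "index.js",
 "module": "index.js",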
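--- a/package/token.js
+++ b/package/token.js
@@ -145,77 +145,55 @@ export function clearToken() {
 });
 }
 
-// ========== REFRESH TOKEN STORAGE FOR HTTP DEVELOPMENT ==========
-// In production, refresh tokens should ONLY be in httpOnly cookies set by server
-// For HTTP development (cross-origin cookies don't work), we store in localStorage
-const REFRESH_TOKEN_KEY = 'auth_refresh_token';
-
-function isHttpDevelopment() {
-try {
-return typeof window !== 'undefined' &&
-window.location?.protocol === 'http:';
-} catch (err) {
-return false;
-}
-}
-
 export function setRefreshToken(token) {
+// ✅ SECURITY: Refresh tokens should ONLY be in httpOnly cookies set by server
+// This function should NOT be used - refresh tokens must come from server cookies
+// Keeping for backwards compatibility but logging warning
+
 if (!token) {
 clearRefreshToken();
 return;
 }
 
-// For HTTP development, store in localStorage (since httpOnly cookies don't work cross-origin)
-if (isHttpDevelopment()) {
-try {
-localStorage.setItem(REFRESH_TOKEN_KEY, token);
-console.log('📦 Refresh token stored in localStorage (HTTP dev mode)');
-} catch (err) {
-console.warn('Could not store refresh token:', err);
-}
-} else {
-// In production (HTTPS), refresh token should be in httpOnly cookie only
-console.log('🔒 Refresh token managed by server httpOnly cookie (production mode)');
+console.warn('⚠️ SECURITY WARNING: setRefreshToken() called - refresh tokens should only be in httpOnly cookies!');
+console.warn('⚠️ Refresh tokens set client-side are insecure and should be removed');
+
+// ❌ DO NOT store refresh token in client-side storage
+// The server sets it in httpOnly cookie, which is the only secure way
+
+// Only clear any existing client-side storage
+try {
+sessionStorage.removeItem(REFRESH_COOKIE);
+} catch (err) {
+// Ignore
 }
 }
 
 export function getRefreshToken() {
-// For HTTP development, read from localStorage
-if (isHttpDevelopment()) {
-try {
-const token = localStorage.getItem(REFRESH_TOKEN_KEY);
-return token;
-} catch (err) {
-console.warn('Could not read refresh token:', err);
-return null;
-}
-}
+// Refresh tokens are stored in httpOnly cookies by the server
+// We cannot read httpOnly cookies from JavaScript - they're only sent with requests
+// This function is kept for backwards compatibility but returns null
+// The refresh endpoint will automatically use the httpOnly cookie via credentials: 'include'
+
+// DO NOT try to read refresh token from client-side storage
+// httpOnly cookies are not accessible via document.cookie
+
+console.warn('⚠️ getRefreshToken() called - refresh tokens are in httpOnly cookies and cannot be read from JavaScript');
+console.warn('⚠️ The refresh endpoint will automatically use the httpOnly cookie via credentials: "include"');
 
-// In production, refresh token is in httpOnly cookie (not accessible via JS)
-// The refresh endpoint uses credentials: 'include' to send the cookie
-return null;
+return null; // Refresh token is in httpOnly cookie, not accessible to JavaScript
 }
 
 export function clearRefreshToken() {
-// Clear localStorage (for HTTP dev)
-try {
-localStorage.removeItem(REFRESH_TOKEN_KEY);
-} catch (err) {
-// Ignore
-}
-
-// Clear cookie (for production)
 try {
 document.cookie = `${REFRESH_COOKIE}=; Path=/; SameSite=Strict${secureAttribute()}; Expires=Thu, 01 Jan 1970 00:00:00 GMT`;
 } catch (err) {
 console.warn('Could not clear refresh token cookie:', err);
 }
-
-// Clear sessionStorage
 try {
 sessionStorage.removeItem(REFRESH_COOKIE);
 } catch (err) {
-// Ignore
+console.warn('Could not clear refresh token from sessionStorage:', err);
 }
 }
 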
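Review bot: Removing `localStorage.removeItem(REFRESH_TOKEN_KEY)` from `clearRefreshToken()` means a refresh token that 2.1.0 wrote under `auth_refresh_token` in HTTP-dev browsers is never purged after the upgrade, since no remaining code path touches that key even on logout. Keep a one-time cleanup beside the sessionStorage removal, e.g. `try { localStorage.removeItem('auth_refresh_token'); } catch (err) { /* storage unavailable */ }`, so the stale credential is cleared the first time the new version clears session state. The new catch in `setRefreshToken()` still swallows with `// Ignore` while the identical `sessionStorage.removeItem(REFRESH_COOKIE)` in `clearRefreshToken()` now warns; using the same warning in both keeps the error handling consistent. Because `setRefreshToken()` now discards its argument and `getRefreshToken()` always returns null, a `/** @deprecated refresh tokens live only in the server-set httpOnly cookie */` tag on each would surface the change to callers at build time rather than only as console output at runtime. `REFRESH_COOKIE` and `secureAttribute()` are defined outside the hunk.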