@spidy092/auth-client 2.1.1 → 2.1.5

package/core.js

@@ -189,18 +189,22 @@ export function handleCallback() {
   if (accessToken) {
     setToken(accessToken);
     
-    // ✅ Refresh token should NOT be in URL - it's in httpOnly cookie
-    // If refresh token is in URL, log warning but don't store it client-side
+    // ✅ For HTTP development, store refresh token from URL
+    // In HTTPS production, refresh token is in httpOnly cookie (more secure)
     const refreshTokenInUrl = params.get('refresh_token');
     if (refreshTokenInUrl) {
-      console.warn('⚠️ SECURITY WARNING: Refresh token found in URL - this should not happen!');
-      // DO NOT store refresh token from URL - it should only be in httpOnly cookie
+      const isHttpDev = typeof window !== 'undefined' && window.location?.protocol === 'http:';
+      if (isHttpDev) {
+        console.log('📦 HTTP dev mode: Storing refresh token from callback URL');
+        setRefreshToken(refreshTokenInUrl);
+      } else {
+        console.log('🔒 HTTPS mode: Refresh token is in httpOnly cookie (ignoring URL param)');
+      }
     }
     
     const url = new URL(window.location);
     url.searchParams.delete('access_token');
     url.searchParams.delete('refresh_token');
-    url.searchParams.delete('refresh_token');
     url.searchParams.delete('state');
     url.searchParams.delete('error');
     url.searchParams.delete('error_description');
@@ -233,15 +237,31 @@ export async function refreshToken() {
   refreshInProgress = true;
   refreshPromise = (async () => {
     try {
+      // Get stored refresh token (for HTTP development)
+      const storedRefreshToken = getRefreshToken();
+      
       console.log('🔄 Refreshing token:', { 
         clientKey, 
-        mode: isRouterMode() ? 'ROUTER' : 'CLIENT' 
+        mode: isRouterMode() ? 'ROUTER' : 'CLIENT',
+        hasStoredRefreshToken: !!storedRefreshToken
       });
       
-      const response = await fetch(`${authBaseUrl}/refresh/${clientKey}`, {
+      // Build request options - send refresh token in body and header for HTTP dev
+      const requestOptions = {
         method: 'POST',
-        credentials: 'include', // ✅ Include httpOnly cookies
-      });
+        credentials: 'include', // ✅ Include httpOnly cookies (for HTTPS)
+        headers: {
+          'Content-Type': 'application/json'
+        }
+      };
+      
+      // For HTTP development, send refresh token in body and header
+      if (storedRefreshToken) {
+        requestOptions.headers['X-Refresh-Token'] = storedRefreshToken;
+        requestOptions.body = JSON.stringify({ refreshToken: storedRefreshToken });
+      }
+      
+      const response = await fetch(`${authBaseUrl}/refresh/${clientKey}`, requestOptions);
 
       if (!response.ok) {
         const errorText = await response.text();
@@ -249,7 +269,8 @@ export async function refreshToken() {
         throw new Error(`Refresh failed: ${response.status}`);
       }
 
-      const { access_token } = await response.json();
+      const data = await response.json();
+      const { access_token, refresh_token: new_refresh_token } = data;
       
       if (!access_token) {
         throw new Error('No access token in refresh response');
@@ -257,6 +278,13 @@ export async function refreshToken() {
       
       // ✅ This will trigger token listeners
       setToken(access_token);
+      
+      // ✅ Store new refresh token if provided (token rotation)
+      if (new_refresh_token) {
+        setRefreshToken(new_refresh_token);
+        console.log('🔄 New refresh token stored from rotation');
+      }
+      
       console.log('✅ Token refresh successful, listeners notified');
       return access_token;
     } catch (err) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@spidy092/auth-client",
-  "version": "2.1.1",
+  "version": "2.1.5",
   "description": "Scalable frontend auth SDK for centralized login using Keycloak + Auth Service.",
   "main": "index.js",
   "module": "index.js",

package/token.js

@@ -145,55 +145,77 @@ export function clearToken() {
   });
 }
 
-export function setRefreshToken(token) {
-  // ✅ SECURITY: Refresh tokens should ONLY be in httpOnly cookies set by server
-  // This function should NOT be used - refresh tokens must come from server cookies
-  // Keeping for backwards compatibility but logging warning
+// ========== REFRESH TOKEN STORAGE FOR HTTP DEVELOPMENT ==========
+// In production (HTTPS), refresh tokens should ONLY be in httpOnly cookies set by server
+// For HTTP development (cross-origin cookies don't work), we store in localStorage
+const REFRESH_TOKEN_KEY = 'auth_refresh_token';
 
+function isHttpDevelopment() {
+  try {
+    return typeof window !== 'undefined' && 
+           window.location?.protocol === 'http:';
+  } catch (err) {
+    return false;
+  }
+}
+
+export function setRefreshToken(token) {
   if (!token) {
     clearRefreshToken();
     return;
   }
 
-  console.warn('⚠️ SECURITY WARNING: setRefreshToken() called - refresh tokens should only be in httpOnly cookies!');
-  console.warn('⚠️ Refresh tokens set client-side are insecure and should be removed');
-
-  // ❌ DO NOT store refresh token in client-side storage
-  // The server sets it in httpOnly cookie, which is the only secure way
-
-  // Only clear any existing client-side storage
-  try {
-    sessionStorage.removeItem(REFRESH_COOKIE);
-  } catch (err) {
-    // Ignore
+  // For HTTP development, store in localStorage (since httpOnly cookies don't work cross-origin)
+  if (isHttpDevelopment()) {
+    try {
+      localStorage.setItem(REFRESH_TOKEN_KEY, token);
+      console.log('📦 Refresh token stored in localStorage (HTTP dev mode)');
+    } catch (err) {
+      console.warn('Could not store refresh token:', err);
+    }
+  } else {
+    // In production (HTTPS), refresh token should be in httpOnly cookie only
+    console.log('🔒 Refresh token managed by server httpOnly cookie (production mode)');
   }
 }
 
 export function getRefreshToken() {
-  // ✅ Refresh tokens are stored in httpOnly cookies by the server
-  // We cannot read httpOnly cookies from JavaScript - they're only sent with requests
-  // This function is kept for backwards compatibility but returns null
-  // The refresh endpoint will automatically use the httpOnly cookie via credentials: 'include'
-
-  // ❌ DO NOT try to read refresh token from client-side storage
-  // httpOnly cookies are not accessible via document.cookie
-
-  console.warn('⚠️ getRefreshToken() called - refresh tokens are in httpOnly cookies and cannot be read from JavaScript');
-  console.warn('⚠️ The refresh endpoint will automatically use the httpOnly cookie via credentials: "include"');
-
-  return null; // Refresh token is in httpOnly cookie, not accessible to JavaScript
+  // For HTTP development, read from localStorage
+  if (isHttpDevelopment()) {
+    try {
+      const token = localStorage.getItem(REFRESH_TOKEN_KEY);
+      return token;
+    } catch (err) {
+      console.warn('Could not read refresh token:', err);
+      return null;
+    }
+  }
+  
+  // In production, refresh token is in httpOnly cookie (not accessible via JS)
+  // The refresh endpoint uses credentials: 'include' to send the cookie
+  return null;
 }
 
 export function clearRefreshToken() {
+  // Clear localStorage (for HTTP dev)
+  try {
+    localStorage.removeItem(REFRESH_TOKEN_KEY);
+  } catch (err) {
+    // Ignore
+  }
+  
+  // Clear cookie (for production)
   try {
     document.cookie = `${REFRESH_COOKIE}=; Path=/; SameSite=Strict${secureAttribute()}; Expires=Thu, 01 Jan 1970 00:00:00 GMT`;
   } catch (err) {
     console.warn('Could not clear refresh token cookie:', err);
   }
+  
+  // Clear sessionStorage
   try {
     sessionStorage.removeItem(REFRESH_COOKIE);
   } catch (err) {
-    console.warn('Could not clear refresh token from sessionStorage:', err);
+    // Ignore
   }
 }