@superbuilders/primer-tives 2.2.1 → 3.5.1

package/dist/client/index.js

@@ -3,7 +3,6 @@ import * as errors from "@superbuilders/errors";
 var ErrNetwork = errors.new("network");
 var ErrJsonParse = errors.new("json parse");
 var ErrUnsupportedPci = errors.new("unsupported pci");
-var ErrMissingRequiredPci = errors.new("missing required pci");
 var ErrInvalidAccessToken = errors.new("invalid access token");
 var ErrMalformedAccessToken = errors.new("malformed access token");
 var ErrTokenExpired = errors.new("access token expired");
@@ -17,7 +16,12 @@ var ErrRateLimited = errors.new("rate limited");
 var ErrServiceUnavailable = errors.new("service unavailable");
 var ErrNotSerializable = errors.new("PrimerState is live in-memory state and must not be serialized or stored");
 var ErrInvalidSubmission = errors.new("invalid submission");
-var ErrInvalidSecretKey = errors.new("invalid secret key");
+var ErrAuthUnavailable = errors.new("auth unavailable");
+var ErrAuthConfigInvalid = errors.new("auth config invalid");
+var ErrAuthCallbackInvalid = errors.new("auth callback invalid");
+var ErrAuthStateMismatch = errors.new("auth state mismatch");
+var ErrAuthPopupBlocked = errors.new("auth popup blocked");
+var ErrAuthCancelled = errors.new("auth cancelled");
 var ErrSdkUpgradeRequired = errors.new("sdk upgrade required");
 // src/contracts/content.ts
 function inlinesToPlainText(nodes) {
@@ -333,16 +337,11 @@ function validateSubmissionForInteraction(interaction, submission) {
 function submissionValidationMessage(result) {
   return result.issues.join("; ");
 }
-// src/subject.ts
-var SUBJECTS = ["math", "vocabulary", "science"];
-// src/client/create.ts
-import * as errors10 from "@superbuilders/errors";
-
 // src/client/transport.ts
 import * as errors2 from "@superbuilders/errors";
 
 // src/version.ts
-var SDK_VERSION = "2.2.1";
+var SDK_VERSION = "3.5.1";
 var NPM_PACKAGE_URL = "https://www.npmjs.com/package/@superbuilders/primer-tives";
 
 // src/client/transport.ts
@@ -477,7 +476,8 @@ function createTransport(tc) {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
-        Authorization: `Bearer ${tc.accessToken}`,
+        Authorization: `Bearer ${tc.accessToken.value}`,
+        "X-Primer-Publishable-Key": tc.publishableKey,
         "X-Primer-SDK-Version": SDK_VERSION
       },
       body: JSON.stringify(body),
@@ -1065,7 +1065,12 @@ function makeSession(sc) {
           phase,
           intentKind: intent.kind
         });
-        return { phase: "fatal", error: result.error, retriable: false, toJSON: poisonToJSON };
+        return {
+          phase: "fatal",
+          error: result.error,
+          retriable: false,
+          toJSON: poisonToJSON
+        };
       }
       logger.warn("retriable transport error", {
         error: result.error,
@@ -1128,39 +1133,222 @@ function makeSession(sc) {
   return { execute };
 }
 
-// src/subject-pcis.ts
-var REQUIRED_PCIS_BY_SUBJECT = {
-  math: ["urn:primer:pci:fraction-input"],
-  vocabulary: [],
-  science: []
-};
-function requiredPcisForSubject(subject) {
-  if (subject === "all") {
-    const all = [];
-    for (const s of SUBJECTS) {
-      for (const pci of REQUIRED_PCIS_BY_SUBJECT[s]) {
-        if (!all.includes(pci)) {
-          all.push(pci);
-        }
-      }
+// src/client/auth/browser.ts
+import * as errors10 from "@superbuilders/errors";
+function browserStorage(options, logger) {
+  if (options !== undefined && options.storage !== undefined) {
+    return options.storage;
+  }
+  if (typeof globalThis.sessionStorage === "undefined") {
+    logger.error("auth storage unavailable");
+    throw ErrAuthUnavailable;
+  }
+  return globalThis.sessionStorage;
+}
+function currentUrl(options, logger) {
+  if (options !== undefined && options.currentUrl !== undefined) {
+    if (!URL.canParse(options.currentUrl)) {
+      logger.error("auth current url invalid", { currentUrl: options.currentUrl });
+      throw ErrAuthConfigInvalid;
     }
-    return all;
+    return new URL(options.currentUrl);
   }
-  return REQUIRED_PCIS_BY_SUBJECT[subject];
+  if (typeof globalThis.location === "undefined") {
+    logger.error("auth location unavailable");
+    throw ErrAuthUnavailable;
+  }
+  return new URL(globalThis.location.href);
 }
-function missingPcisForSubject(subject, provided) {
-  const required = requiredPcisForSubject(subject);
-  const missing = [];
-  for (const pci of required) {
-    if (provided === undefined || !provided.includes(pci)) {
-      missing.push(pci);
+function redirectUri(options, url, logger) {
+  if (options !== undefined && options.redirectUri !== undefined) {
+    if (!URL.canParse(options.redirectUri)) {
+      logger.error("auth redirect uri invalid", { redirectUri: options.redirectUri });
+      throw ErrAuthConfigInvalid;
     }
+    return options.redirectUri;
+  }
+  return `${url.origin}${url.pathname}${url.search}`;
+}
+function randomClientState(logger) {
+  if (typeof globalThis.crypto === "undefined") {
+    logger.error("auth crypto unavailable");
+    throw ErrAuthUnavailable;
+  }
+  const bytes = new Uint8Array(24);
+  globalThis.crypto.getRandomValues(bytes);
+  let result = "";
+  for (const byte of bytes) {
+    result += byte.toString(16).padStart(2, "0");
+  }
+  return result;
+}
+function clearCallbackHash(options, url) {
+  if (options !== undefined && options.currentUrl !== undefined) {
+    return;
+  }
+  if (typeof globalThis.history === "undefined") {
+    return;
+  }
+  const cleanUrl = `${url.pathname}${url.search}`;
+  globalThis.history.replaceState(globalThis.history.state, "", cleanUrl);
+}
+function openAuthPopup(url, options, logger) {
+  if (typeof globalThis.open === "undefined") {
+    logger.error("auth popup api unavailable");
+    throw ErrAuthUnavailable;
+  }
+  let target = "primer-auth";
+  if (options !== undefined && options.popupTarget !== undefined) {
+    target = options.popupTarget;
+  }
+  let features = "popup,width=480,height=720";
+  if (options !== undefined && options.popupFeatures !== undefined) {
+    features = options.popupFeatures;
+  }
+  const popup = globalThis.open(url, target, features);
+  if (popup === null) {
+    logger.error("auth popup blocked");
+    throw ErrAuthPopupBlocked;
+  }
+  return popup;
+}
+function readablePopupUrl(popup) {
+  const result = errors10.trySync(function readLocation() {
+    return popup.location.href;
+  });
+  if (result.error) {
+    return null;
   }
-  return missing;
+  return result.data;
+}
+function sleep(ms) {
+  return new Promise(function resolveLater(resolve) {
+    setTimeout(resolve, ms);
+  });
 }
 
-// src/client/create.ts
+// src/client/auth/callback.ts
+var ACCESS_TOKEN_HASH_PARAM = "primer_access_token";
+var AUTH_STATUS_HASH_PARAM = "primer_auth";
+var AUTH_STATE_HASH_PARAM = "primer_state";
+var AUTH_SUCCESS = "success";
+var AUTH_ERROR = "error";
+function readAuthCallback(url, logger) {
+  if (url.hash.length === 0) {
+    return null;
+  }
+  const hash = new URLSearchParams(url.hash.slice(1));
+  const authStatus = hash.get(AUTH_STATUS_HASH_PARAM);
+  if (authStatus === null) {
+    return null;
+  }
+  if (authStatus === AUTH_ERROR) {
+    logger.error("auth callback returned error");
+    throw ErrAuthCallbackInvalid;
+  }
+  if (authStatus !== AUTH_SUCCESS) {
+    logger.error("auth callback status invalid", { authStatus });
+    throw ErrAuthCallbackInvalid;
+  }
+  const accessToken = hash.get(ACCESS_TOKEN_HASH_PARAM);
+  const state = hash.get(AUTH_STATE_HASH_PARAM);
+  if (accessToken === null || accessToken.length === 0 || state === null || state.length === 0) {
+    logger.error("auth callback missing token or state");
+    throw ErrAuthCallbackInvalid;
+  }
+  return { accessToken, state };
+}
+function requireMatchingCallbackState(callback, expectedState, logger) {
+  if (expectedState === null) {
+    logger.error("auth callback expected state missing");
+    throw ErrAuthCallbackInvalid;
+  }
+  if (callback.state !== expectedState) {
+    logger.error("auth callback state mismatch");
+    throw ErrAuthStateMismatch;
+  }
+}
+
+// src/client/auth/hosted-popup.ts
+import * as errors11 from "@superbuilders/errors";
+var DEFAULT_POPUP_TIMEOUT_MS = 10 * 60 * 1000;
+var POPUP_POLL_MS = 250;
+function hostedAuthUrl(config) {
+  const logger = config.logger;
+  if (!URL.canParse(config.origin)) {
+    logger.error("hosted auth origin invalid", { origin: config.origin });
+    throw ErrAuthCallbackInvalid;
+  }
+  const authUrl = new URL("/auth/timeback", config.origin);
+  authUrl.searchParams.set("publishableKey", config.publishableKey);
+  authUrl.searchParams.set("redirectUri", redirectUri(config.options, config.currentUrl, logger));
+  authUrl.searchParams.set("state", config.clientState);
+  return authUrl.toString();
+}
+function popupTimeoutMs(options) {
+  if (options !== undefined && options.popupTimeoutMs !== undefined) {
+    return options.popupTimeoutMs;
+  }
+  return DEFAULT_POPUP_TIMEOUT_MS;
+}
+function readPopupCallback(href, config) {
+  const logger = config.logger;
+  if (!URL.canParse(href)) {
+    return null;
+  }
+  const callbackResult = errors11.trySync(function readCallback() {
+    return readAuthCallback(new URL(href), logger);
+  });
+  if (callbackResult.error) {
+    logger.error("hosted auth popup callback invalid", { error: callbackResult.error });
+    throw callbackResult.error;
+  }
+  const callback = callbackResult.data;
+  if (callback === null) {
+    return null;
+  }
+  if (callback.state !== config.clientState) {
+    logger.error("hosted auth popup state mismatch");
+    throw ErrAuthStateMismatch;
+  }
+  return callback.accessToken;
+}
+async function beginHostedPopup(config) {
+  const logger = config.logger;
+  const popup = openAuthPopup(hostedAuthUrl(config), config.options, logger);
+  const expiresAt = Date.now() + popupTimeoutMs(config.options);
+  while (Date.now() < expiresAt) {
+    if (popup.closed) {
+      logger.error("hosted auth popup closed");
+      throw ErrAuthCancelled;
+    }
+    const href = readablePopupUrl(popup);
+    if (href !== null) {
+      const accessTokenResult = errors11.trySync(function readAccessToken() {
+        return readPopupCallback(href, config);
+      });
+      if (accessTokenResult.error) {
+        popup.close();
+        logger.error("hosted auth popup failed", { error: accessTokenResult.error });
+        throw accessTokenResult.error;
+      }
+      if (accessTokenResult.data !== null) {
+        popup.close();
+        logger.debug("hosted auth popup completed");
+        return accessTokenResult.data;
+      }
+    }
+    await sleep(POPUP_POLL_MS);
+  }
+  popup.close();
+  logger.error("hosted auth popup timed out");
+  throw ErrAuthCancelled;
+}
+
+// src/client/auth/access-token.ts
+import * as errors12 from "@superbuilders/errors";
 var ACCESS_TOKEN_PREFIX = "eyJ";
+var resolvedAccessTokenBrand = Symbol("primer resolved access token");
 function isMalformedJws(token) {
   if (!token.startsWith(ACCESS_TOKEN_PREFIX)) {
     return true;
@@ -1168,53 +1356,127 @@ function isMalformedJws(token) {
   const dotCount = token.split(".").length - 1;
   return dotCount !== 2;
 }
-function create(config) {
-  const logger = config.logger;
-  let supportedPcis = [];
-  if (config.supportedPcis !== undefined) {
-    supportedPcis = config.supportedPcis;
+function resolveAccessToken(token, logger) {
+  if (isMalformedJws(token)) {
+    logger.error("malformed access token", { prefix: ACCESS_TOKEN_PREFIX });
+    throw errors12.wrap(ErrMalformedAccessToken, `token must start with '${ACCESS_TOKEN_PREFIX}' and contain two dots`);
   }
-  const missingPcis = missingPcisForSubject(config.subject, supportedPcis);
-  if (missingPcis.length > 0) {
-    logger.error("renderer missing required pcis", { subject: config.subject, missingPcis });
-    throw errors10.wrap(ErrMissingRequiredPci, `subject '${config.subject}'`);
+  return { value: token, [resolvedAccessTokenBrand]: true };
+}
+
+// src/client/auth/storage.ts
+var ACCESS_TOKEN_KEY_PREFIX = "primer:access-token";
+var AUTH_STATE_KEY_PREFIX = "primer:auth-state";
+function accessTokenStorageKey(publishableKey) {
+  return `${ACCESS_TOKEN_KEY_PREFIX}:${publishableKey}`;
+}
+function authStateStorageKey(publishableKey) {
+  return `${AUTH_STATE_KEY_PREFIX}:${publishableKey}`;
+}
+function loadStoredAccessToken(storage, publishableKey) {
+  const token = storage.getItem(accessTokenStorageKey(publishableKey));
+  if (token === null || token.length === 0) {
+    return null;
   }
-  if (isMalformedJws(config.accessToken)) {
-    logger.error("malformed access token", { prefix: ACCESS_TOKEN_PREFIX });
-    throw errors10.wrap(ErrMalformedAccessToken, `token must start with '${ACCESS_TOKEN_PREFIX}' and contain two dots`);
+  return token;
+}
+function storeAccessToken(storage, publishableKey, accessToken) {
+  storage.setItem(accessTokenStorageKey(publishableKey), accessToken);
+}
+function loadAuthState(storage, publishableKey) {
+  const state = storage.getItem(authStateStorageKey(publishableKey));
+  if (state === null || state.length === 0) {
+    return null;
   }
-  const transport = createTransport({
-    accessToken: config.accessToken,
-    subject: config.subject,
-    origin: config.origin,
-    fetch: config.fetch,
-    abort: config.abort,
+  return state;
+}
+function storeAuthState(storage, publishableKey, state) {
+  storage.setItem(authStateStorageKey(publishableKey), state);
+}
+function clearAuthState(storage, publishableKey) {
+  storage.removeItem(authStateStorageKey(publishableKey));
+}
+
+// src/client/auth/provider.ts
+async function resolveHostedAccessToken(options) {
+  const logger = options.logger;
+  const storage = browserStorage(options.hostedAuth, logger);
+  const url = currentUrl(options.hostedAuth, logger);
+  const callback = readAuthCallback(url, logger);
+  if (callback !== null) {
+    requireMatchingCallbackState(callback, loadAuthState(storage, options.publishableKey), logger);
+    storeAccessToken(storage, options.publishableKey, callback.accessToken);
+    clearAuthState(storage, options.publishableKey);
+    clearCallbackHash(options.hostedAuth, url);
+    return resolveAccessToken(callback.accessToken, logger);
+  }
+  const stored = loadStoredAccessToken(storage, options.publishableKey);
+  if (stored !== null) {
+    return resolveAccessToken(stored, logger);
+  }
+  const clientState = randomClientState(logger);
+  storeAuthState(storage, options.publishableKey, clientState);
+  const accessToken = await beginHostedPopup({
+    origin: options.origin,
+    publishableKey: options.publishableKey,
+    currentUrl: url,
+    clientState,
+    options: options.hostedAuth,
     logger
   });
-  let startPromise;
-  async function doStart() {
-    logger.debug("start");
-    const s = makeSession({
-      subject: config.subject,
-      supportedPcis,
-      logger,
-      transport
-    });
-    return s.execute({ kind: "observation" }, "observation");
+  storeAccessToken(storage, options.publishableKey, accessToken);
+  clearAuthState(storage, options.publishableKey);
+  return resolveAccessToken(accessToken, logger);
+}
+async function resolveRuntimeAccessToken(options) {
+  if (options.accessToken !== undefined) {
+    return resolveAccessToken(options.accessToken, options.logger);
   }
-  return {
-    start() {
-      if (startPromise) {
-        logger.debug("start already called");
-        return startPromise;
-      }
-      startPromise = doStart();
-      return startPromise;
-    }
-  };
+  return resolveHostedAccessToken(options);
+}
+
+// src/client/create.ts
+function supportedPcisOrEmpty(supportedPcis) {
+  if (supportedPcis !== undefined) {
+    return supportedPcis;
+  }
+  return [];
+}
+function runtimeSubject(subject) {
+  if (subject === undefined) {
+    return "all";
+  }
+  return subject;
+}
+async function create(options) {
+  const logger = options.logger;
+  logger.debug("create");
+  const subject = runtimeSubject(options.subject);
+  const accessToken = await resolveRuntimeAccessToken({
+    accessToken: options.accessToken,
+    publishableKey: options.publishableKey,
+    origin: options.origin,
+    logger
+  });
+  const transport = createTransport({
+    accessToken,
+    publishableKey: options.publishableKey,
+    subject,
+    origin: options.origin,
+    fetch: options.fetch,
+    abort: options.abort,
+    logger
+  });
+  const session = makeSession({
+    subject,
+    supportedPcis: supportedPcisOrEmpty(options.supportedPcis),
+    logger,
+    transport
+  });
+  return session.execute({ kind: "observation" }, "observation");
 }
 export {
   create
 };
 
-//# debugId=859C0D980BD7BD1D64756E2164756E21
+//# debugId=DE8A27A355B8A82664756E2164756E21