@trimble-oss/trimble-id-react 1.0.0-rc.3 → 1.0.1

package/README.md

@@ -1,5 +1,11 @@
 # @trimble-oss/trimble-id-react
 
+> **Important Notice:**
+> 
+> As of version 1.0.0, `PersistentOptions` have been removed. By default, the SDK now supports in-memory token storage. 
+> 
+> When you upgrade to version 1.x, storage options will no longer be available, resulting in a breaking change. For those using an older version of the SDK (i.e., <1.x), it is highly recommended to use the default in-memory storage to avoid any security issues.
+
 Trimble Identity SDK for React app.
 
 🚀 [Getting Started](#getting-started) - 📚 [Usage Reference](#usage-reference) - 💬 [Support](#support)
@@ -61,7 +67,7 @@ process related to the authentication for you. Configure the SDK by wrapping you
 
 Here TIDProvider can take two parameters :  
 * **tidClient**  : TID client instance. You can send an instance of the TID Client if you want to handle the initialization yourself
-* **onRedirectCallback** -  When the redirect callback occur this function will be call once the user is login using the TIDClient. This could allow you to redirect the user into another page after the login happen.
+* **onRedirectCallback** -  When the redirect callback occur this function will be call once the user is login using the TIDClient. This function receives an `authState` parameter that contains a `redirectTo` property with the user's original location before authentication, allowing you to redirect the user back to their intended destination after login.
 
 
 After wrapping your app with the TIDProvider, you have to configure the TID credentials registered in TrimbleCloud console. There are two ways of doing this:
@@ -96,6 +102,15 @@ After wrapping your app with the TIDProvider, you have to configure the TID cred
 </TIDProvider>
 ```
 
+```tsx
+const handleRedirect = (authState) => {
+  // Use redirectTo for automatic redirection to original location
+  const redirectTo = authState.redirectTo || '/dashboard'
+  // Navigate to the intended destination
+  navigate(redirectTo)
+}
+```
+
 Below are the parameters of TIDClient.
 ### 1. TID Client configurations:
 
@@ -106,12 +121,6 @@ Production: https://id.trimble.com/.well-known/openid-configuration  <br />
 * **logoutRedirectUrl** : The URL to which Trimble Identity should redirect after successfully logout a user
 * **scopes** :  The type of credentials you want (openID, or application_name)
 
-
-> **_NOTE:_** 
-> 
-> As of version 1.0.0, PersistentOptions have been removed. By default, the SDK now supports in-memory token storage. Using localStorage and sessionStorage for storing sensitive information poses several security risks, including vulnerability to XSS attacks, lack of secure attributes and session hijacking. 
-
-> When you upgrade to version 1.x, storage options will no longer be available, resulting in a breaking change. For those using an older version of the SDK (i.e., <1.x), it is highly recommended to use the default in-memory storage to avoid any security issues.
 ### useAuth
 Use the `useAuth` hook in your components to access authentication state (`isLoading`, `isAuthenticated`, `user`, `error`) and authentication methods (`loginWithRedirect` and `logout`):
 
@@ -131,6 +140,21 @@ const {logout}= useAuth()
 await logout()
 ```
 
+### handleCallback
+
+Handle OAuth callback to complete user authentication and returns the auth state with redirect path.
+
+```tsx
+const { handleCallback } = useAuth()
+
+// Handle callback and get redirect information
+const authState = await handleCallback()
+
+// Use redirectTo for automatic redirection to original location
+const redirectTo = authState.redirectTo || '/dashboard'
+navigate(redirectTo)
+```
+
 ### isAuthenticated
 
 True if the user is authenticated.
@@ -206,5 +230,4 @@ To provide feedback or report a bug, please [raise an issue on our issue tracker
 
 ## <a name="support">Support</a>
 
-Send email to [cloudplatform_support@trimble.com](mailto:cloudplatform_support@trimble.com)
-
+Send email to [cloudplatform_support@trimble.com](mailto:cloudplatform_support@trimble.com)

package/dist/TIDClient/TIDClient.d.ts

@@ -100,6 +100,10 @@ export declare class TIDClient {
      * @param {CacheManagerOptions} props - TID client configuration
      */
     constructor(props: TIDClientOptions);
+    /**
+     * Clean up expired state payloads to prevent storage bloat
+     */
+    private cleanupExpiredState;
     /**
      * Redirect the user to TID using the browser
      * @param {LoginWithRedirectOptions} options - Custom configuration for the redirection
@@ -107,6 +111,7 @@ export declare class TIDClient {
      * @example No configuration
      * loginWithRedirect()
      * // Automatically redirects the user to TID with all necessary parameters
+     * // After authentication, user will be redirected back to the current page
      * @example Custom redirect
      * loginWithRedirect({onRedirect: (url) => router.navigate(url)})
      * // Redirect calls onRedirect with the log-out url for TID
@@ -116,8 +121,9 @@ export declare class TIDClient {
     /**
      * Authenticated the user using the url callback params
      * @param {string} url - Custom configuration for the redirection
-     * @return {Promise<AuthState>} Object contain the state returned from TID
+     * @return {Promise<AuthState>} Object contain the state returned from TID and redirect path
      * @throws {CodeVerifierNotFoundException} Will throw an exception if the session doesn't contain the code verifier
+     * @throws {Error} Will throw an exception if state validation fails or replay attack is detected
      * @example No configuration
      * handleCallback()
      * // Will automatically take the url from the browser and try to log in the user
@@ -133,6 +139,23 @@ export declare class TIDClient {
      */
     private generateToken;
     private reloadCodeVerifier;
+    /**
+     * Create and encode state payload for replay attack protection
+     * @param {string} redirectTo - Path to redirect to after authentication
+     * @return {string} - Base64 encoded state payload
+     */
+    private createStatePayload;
+    /**
+     * Generate a random nonce for state validation
+     * @return {string} - Random nonce
+     */
+    private generateNonce;
+    /**
+     * Validate state payload to prevent replay attacks
+     * @param {string} receivedState - State received from OAuth callback
+     * @return {StateValidationResult} - Validation result with redirect path if valid
+     */
+    private validateStatePayload;
     /**
      * Return the user stored in cache
      * @return {Promise<TIDUser | undefined>} User in cache

package/dist/TIDClient/constants.d.ts

@@ -8,3 +8,9 @@ export declare const CLOCK_SKEW_TIME: number;
  * @type {Array<string>}
  */
 export declare const LIST_PARAMS_REQUIRED: Array<string>;
+/**
+ * Maximum time allowed for state parameter to be valid (10 minutes)
+ * Used to prevent replay attacks
+ * @type {number}
+ */
+export declare const STATE_EXPIRATION_TIME: number;

package/dist/TIDClient/exceptions.d.ts

@@ -6,3 +6,6 @@ export declare class TokenNotFoundException extends Error {
 }
 export declare class CodeVerifierNotFoundException extends Error {
 }
+/** Class representing an OAuth state validation exception for CSRF protection */
+export declare class StateValidationException extends Error {
+}

package/dist/TIDClient/interfaces.d.ts

@@ -175,4 +175,15 @@ export interface TIDJWTUser {
 }
 export interface AuthState {
     authState: any;
+    returnTo?: string;
+}
+export interface StatePayload {
+    redirectTo: string;
+    timestamp: number;
+    nonce: string;
+}
+export interface StateValidationResult {
+    isValid: boolean;
+    redirectTo?: string;
+    error?: string;
 }

package/dist/TIDClient/storage/cookies/CookiesManager.d.ts

@@ -12,6 +12,11 @@ interface CookieValue {
      * @type {string}
      */
     code_verifier: string;
+    /**
+     * State information used for replay attack protection
+     * @type {string}
+     */
+    state_payload?: string;
 }
 /** Class to manage cookies */
 export declare class CookiesManager {
@@ -32,9 +37,18 @@ export declare class CookiesManager {
     constructor(options: CookiesManagerOptions);
     /**
      * Store cookies in the browser
-     * @param {CookieValue} value - information to store
+     * @param {Partial<CookieValue>} value - information to store
+     */
+    save(value: Partial<CookieValue>): void;
+    /**
+     * Retrieve state payload from cookies
+     * @return {string | undefined} - State payload from cookies
+     */
+    getStatePayload(): string | undefined;
+    /**
+     * Clear state payload from cookies
      */
-    save(value: CookieValue): void;
+    clearStatePayload(): void;
     /**
      * Retrieve cookies in the browser
      * @return {CookieValue | undefined}  - Cookies from the browser

package/dist/index.d.ts

@@ -1,4 +1,4 @@
 export { TIDClient } from './TIDClient';
 export { TIDContext, useAuth, TIDProvider } from './TIDProvider';
 export { AuthenticationGuard } from './AuthenticationGuard/AuthenticationGuard';
-export type { TokenResponse } from './TIDClient';
+export type { TokenResponse, AuthState } from './TIDClient';

package/dist/trimble-id-react.es.js

@@ -1,12 +1,12 @@
-var F = Object.defineProperty;
-var B = (i, e, t) => e in i ? F(i, e, { enumerable: !0, configurable: !0, writable: !0, value: t }) : i[e] = t;
-var c = (i, e, t) => (B(i, typeof e != "symbol" ? e + "" : e, t), t);
-import { OpenIdEndpointProvider as $, AuthorizationCodeGrantTokenProvider as R, AnalyticsHttpClient as H, BearerTokenHttpClientProvider as Q } from "@trimble-oss/trimble-id";
-import * as w from "es-cookie";
-import J from "jwt-decode";
-import { createContext as q, useContext as L, useState as z, useReducer as X, useRef as Y, useMemo as M, useEffect as D, useCallback as y } from "react";
-import { jsx as K, Fragment as Z } from "react/jsx-runtime";
-class j {
+var $ = Object.defineProperty;
+var B = (i, e, t) => e in i ? $(i, e, { enumerable: !0, configurable: !0, writable: !0, value: t }) : i[e] = t;
+var l = (i, e, t) => (B(i, typeof e != "symbol" ? e + "" : e, t), t);
+import { OpenIdEndpointProvider as J, AuthorizationCodeGrantTokenProvider as R, AnalyticsHttpClient as H, BearerTokenHttpClientProvider as Q } from "@trimble-oss/trimble-id";
+import * as T from "es-cookie";
+import X from "jwt-decode";
+import { createContext as q, useContext as L, useState as z, useReducer as Y, useRef as Z, useMemo as M, useEffect as N, useCallback as m } from "react";
+import { jsx as V, Fragment as j } from "react/jsx-runtime";
+class ee {
   constructor() {
     /**
      * This function generate a encapsulation function to store
@@ -15,7 +15,7 @@ class j {
      * @see {https://medium.com/javascript-scene/encapsulation-in-javascript-26be60e325b4} Encapsulation
      * @return {CacheStorage} Key for the token
      */
-    c(this, "generateCache", function() {
+    l(this, "generateCache", function() {
       const e = {
         token: void 0,
         user: void 0
@@ -62,14 +62,14 @@ class j {
     }());
   }
 }
-class ee {
+class te {
   constructor() {
     /**
      * Cache option selected
      * @type {CacheStorage}
      */
-    c(this, "cacheStorage");
-    this.cacheStorage = new j().generateCache;
+    l(this, "cacheStorage");
+    this.cacheStorage = new ee().generateCache;
   }
   /**
    * Store token in cache
@@ -109,7 +109,7 @@ class ee {
     await this.cacheStorage.clear();
   }
 }
-const x = 5 * 6e4, te = ["code", "state"], A = (i) => i.split("?")[0], ie = (i) => i.split("?")[1], b = (i) => {
+const x = 5 * 6e4, ie = ["code", "state"], A = 10 * 60 * 1e3, U = (i) => i.split("?")[0], re = (i) => i.split("?")[1], b = (i) => {
   let e = i;
   if (!i.startsWith("?"))
     try {
@@ -119,16 +119,16 @@ const x = 5 * 6e4, te = ["code", "state"], A = (i) => i.split("?")[0], ie = (i)
   return new URLSearchParams(e);
 }, ne = (i = window.location.href, e) => {
   if (e != null) {
-    const n = A(e), r = A(i ?? "");
-    if (n !== r)
+    const r = U(e), n = U(i ?? "");
+    if (r !== n)
       return !1;
   }
   const t = b(i);
-  for (const n of te)
-    if (!t.has(n))
+  for (const r of ie)
+    if (!t.has(r))
       return !1;
   return !0;
-}, re = (i) => ({
+}, ae = (i) => ({
   id: i.sub,
   name: `${i.given_name} ${i.family_name}`,
   given_name: i.given_name,
@@ -136,14 +136,14 @@ const x = 5 * 6e4, te = ["code", "state"], A = (i) => i.split("?")[0], ie = (i)
   picture: i.picture,
   email: i.email,
   email_verified: i.email_verified
-}), se = "@TID_COOKIE";
-class oe {
+}), oe = "@TID_COOKIE";
+class se {
   /**
    * Retrieve a cookie from the browser
    * @param {string} key - Key to retrieve the cookies
    */
   get(e) {
-    const t = w.get(e);
+    const t = T.get(e);
     if (t == null)
       throw new Error("Cookie not found");
     return JSON.parse(t);
@@ -158,12 +158,12 @@ class oe {
    * @example Save cookies with a custom domain
    * cookiesStorage.set('key',{data:{...}},{domain:'https://example.com/subpath'})
    */
-  set(e, t, n) {
-    let r = {};
-    window.location.protocol === "https:" && (r = {
+  set(e, t, r) {
+    let n = {};
+    window.location.protocol === "https:" && (n = {
       secure: !0,
       sameSite: "none"
-    }), n != null && n.expires && (r.expires = n.expires), n != null && n.domain && (r.domain = n.domain), w.set(e, JSON.stringify(t), r);
+    }), r != null && r.expires && (n.expires = r.expires), r != null && r.domain && (n.domain = r.domain), T.set(e, JSON.stringify(t), n);
   }
   /**
    * Remove a cookie from the browser
@@ -175,11 +175,11 @@ class oe {
    * cookiesStorage.remove('key',{domain:'https://example.com/subpath'})
    */
   remove(e, t) {
-    const n = {};
-    t != null && t.domain && (n.domain = t.domain), w.remove(e, n);
+    const r = {};
+    t != null && t.domain && (r.domain = t.domain), T.remove(e, r);
   }
 }
-class ae {
+class ce {
   /**
    * Create a cookies manager to extract or save cookies in the browser
    * @param {CookiesManagerOptions} options - Configuration for the managing the cookies
@@ -189,23 +189,39 @@ class ae {
      * Cookie full key to store and retrieve the information from cookies
      * @type {string}
      */
-    c(this, "cookieKey");
+    l(this, "cookieKey");
     /**
      * Cookie storage. This object contain all functions necessary to retrieve and store tokens using cookies
      * @type {CookiesStorage}
      */
-    c(this, "cookiesStorage");
-    this.cookieKey = `${se}.${e.clientId}`, this.cookiesStorage = new oe();
+    l(this, "cookiesStorage");
+    this.cookieKey = `${oe}.${e.clientId}`, this.cookiesStorage = new se();
   }
   /**
    * Store cookies in the browser
-   * @param {CookieValue} value - information to store
+   * @param {Partial<CookieValue>} value - information to store
    */
   save(e) {
-    this.cookiesStorage.set(this.cookieKey, e, {
+    const r = { ...this.get() || {}, ...e };
+    this.cookiesStorage.set(this.cookieKey, r, {
       expires: 1
     });
   }
+  /**
+   * Retrieve state payload from cookies
+   * @return {string | undefined} - State payload from cookies
+   */
+  getStatePayload() {
+    const e = this.get();
+    return e == null ? void 0 : e.state_payload;
+  }
+  /**
+   * Clear state payload from cookies
+   */
+  clearStatePayload() {
+    const e = this.get();
+    e && (delete e.state_payload, this.cookiesStorage.set(this.cookieKey, e, { expires: 1 }));
+  }
   /**
    * Retrieve cookies in the browser
    * @return {CookieValue | undefined}  - Cookies from the browser
@@ -224,20 +240,20 @@ class ae {
     this.cookiesStorage.remove(this.cookieKey);
   }
 }
-class U extends Error {
-}
 class O extends Error {
 }
-class ce extends Error {
+class D extends Error {
+}
+class le extends Error {
 }
-const d = "@trimble-oss/trimble-id-react", h = "1.0.0-rc.2", le = {
+const u = "@trimble-oss/trimble-id-react", g = "1.0.1", de = {
   configurationEndpoint: "",
   clientId: "",
   redirectUrl: "",
   logoutRedirectUrl: "",
   scopes: []
 };
-class de {
+class he {
   /**
    * Create a TID client to handle manage all user authentication functions and information
    * @param {CacheManagerOptions} props - TID client configuration
@@ -247,47 +263,61 @@ class de {
      * Token provider SDK. This object handles all necessary communication with TID
      * @type {AuthorizationCodeGrantTokenProvider}
      */
-    c(this, "tokenProvider");
+    l(this, "tokenProvider");
     /**
      * This object manage all caching, and all configurations necessary
      * @type {CacheManager}
      */
-    c(this, "cacheManager");
+    l(this, "cacheManager");
     /**
      * This object manage all cookies administration, and all configurations necessary
      * @type {CookiesManager}
      */
-    c(this, "cookiesManager");
+    l(this, "cookiesManager");
     /**
      * Client id of the application created in trimble developer console
      * @type {string}
      */
-    c(this, "clientId");
+    l(this, "clientId");
     /**
      * Callback url to redirect the user after the authentication is successful
      * @type {string}
      */
-    c(this, "redirectUrl");
+    l(this, "redirectUrl");
     /**
       * AnalyticsHttpClient for sending events
       * @type {AnalyticsHttpClient}
       */
-    c(this, "analyticshttpclient");
-    const { config: t = le } = e;
+    l(this, "analyticshttpclient");
+    const { config: t = de } = e;
     if (this.redirectUrl = t.redirectUrl, t.configurationEndpoint == null || t.configurationEndpoint == "")
       throw new Error("Configuration endpoint not defined");
     if (t.clientId == null || t.clientId == "")
       throw new Error("Consumer key is not defined");
-    this.cookiesManager = new ae({
+    this.cookiesManager = new ce({
       clientId: t.clientId
     });
-    const n = this.cookiesManager.get(), r = new $(t.configurationEndpoint);
-    let a = new R(
-      r,
+    const r = this.cookiesManager.get(), n = new J(t.configurationEndpoint);
+    let s = new R(
+      n,
       t.clientId,
       t.redirectUrl
     ).WithScopes(t.scopes);
-    t.logoutRedirectUrl && (a = a.WithLogoutRedirect(t.logoutRedirectUrl)), (n == null ? void 0 : n.code_verifier) != null && (a = a.WithProofKeyForCodeExchange(n.code_verifier)), this.tokenProvider = a, this.cacheManager = new ee(), this.clientId = t.clientId, this.analyticshttpclient = H, this.analyticshttpclient.sendInitEvent("TIDClient", this.clientId, d, h);
+    t.logoutRedirectUrl && (s = s.WithLogoutRedirect(t.logoutRedirectUrl)), (r == null ? void 0 : r.code_verifier) != null && (s = s.WithProofKeyForCodeExchange(r.code_verifier)), this.tokenProvider = s, this.cacheManager = new te(), this.clientId = t.clientId, this.analyticshttpclient = H, this.analyticshttpclient.sendInitEvent("TIDClient", this.clientId, u, g), this.cleanupExpiredState();
+  }
+  /**
+   * Clean up expired state payloads to prevent storage bloat
+   */
+  cleanupExpiredState() {
+    try {
+      const e = this.cookiesManager.getStatePayload();
+      if (e) {
+        const t = atob(e), r = JSON.parse(t);
+        Date.now() - r.timestamp > A && this.cookiesManager.clearStatePayload();
+      }
+    } catch {
+      this.cookiesManager.clearStatePayload();
+    }
   }
   /**
    * Redirect the user to TID using the browser
@@ -296,23 +326,27 @@ class de {
    * @example No configuration
    * loginWithRedirect()
    * // Automatically redirects the user to TID with all necessary parameters
+   * // After authentication, user will be redirected back to the current page
    * @example Custom redirect
    * loginWithRedirect({onRedirect: (url) => router.navigate(url)})
    * // Redirect calls onRedirect with the log-out url for TID
    * // So it can be handled by the developer
    */
   async loginWithRedirect(e) {
-    this.analyticshttpclient.sendMethodEvent(this.loginWithRedirect.name, this.clientId, d, h);
-    const { onRedirect: t } = e || {}, n = R.GenerateCodeVerifier();
-    this.cookiesManager.save({ code_verifier: n }), this.tokenProvider = this.tokenProvider.WithProofKeyForCodeExchange(n);
-    const r = await this.tokenProvider.GetOAuthRedirect("state");
-    t != null ? t(r) : window.location.assign(r);
+    this.analyticshttpclient.sendMethodEvent(this.loginWithRedirect.name, this.clientId, u, g);
+    const { onRedirect: t } = e || {}, r = window.location.pathname + window.location.search, n = this.createStatePayload(r);
+    this.cookiesManager.save({ state_payload: n });
+    const s = R.GenerateCodeVerifier();
+    this.cookiesManager.save({ code_verifier: s }), this.tokenProvider = this.tokenProvider.WithProofKeyForCodeExchange(s);
+    const c = await this.tokenProvider.GetOAuthRedirect(n);
+    t != null ? t(c) : window.location.assign(c);
   }
   /**
    * Authenticated the user using the url callback params
    * @param {string} url - Custom configuration for the redirection
-   * @return {Promise<AuthState>} Object contain the state returned from TID
+   * @return {Promise<AuthState>} Object contain the state returned from TID and redirect path
    * @throws {CodeVerifierNotFoundException} Will throw an exception if the session doesn't contain the code verifier
+   * @throws {Error} Will throw an exception if state validation fails or replay attack is detected
    * @example No configuration
    * handleCallback()
    * // Will automatically take the url from the browser and try to log in the user
@@ -323,10 +357,13 @@ class de {
   async handleCallback(e = window.location.href) {
     const t = this.cookiesManager.get();
     if (t == null || (t == null ? void 0 : t.code_verifier) == null)
-      throw new ce("Code verifier not available");
-    const n = ie(e), r = b(e), a = r.get("identity_provider") ?? "", g = r.get("state") ?? "";
-    return await this.tokenProvider.ValidateQuery(n), await this.generateToken(a), {
-      authState: g
+      throw new le("Code verifier not available");
+    const r = re(e), n = b(e), s = n.get("identity_provider") ?? "", c = n.get("state") ?? "", d = this.validateStatePayload(c);
+    if (!d.isValid)
+      throw new Error(`State validation failed: ${d.error}`);
+    return await this.tokenProvider.ValidateQuery(r), await this.generateToken(s), {
+      authState: c,
+      returnTo: d.redirectTo
     };
   }
   /**
@@ -335,32 +372,79 @@ class de {
    * @return {Promise<void>} Empty promise
    */
   async generateToken(e) {
-    var s, f;
-    const t = await this.tokenProvider.RetrieveToken(), n = await this.tokenProvider.RetrieveRefreshToken(), r = await this.tokenProvider.RetrieveIdToken(), a = await this.tokenProvider.RetrieveTokenExpiry(), k = new Date(a).getTime(), v = (f = (s = this.tokenProvider) == null ? void 0 : s._scopes) == null ? void 0 : f.join(" ");
+    var a, k;
+    const t = await this.tokenProvider.RetrieveToken(), r = await this.tokenProvider.RetrieveRefreshToken(), n = await this.tokenProvider.RetrieveIdToken(), s = await this.tokenProvider.RetrieveTokenExpiry(), d = new Date(s).getTime(), f = (k = (a = this.tokenProvider) == null ? void 0 : a._scopes) == null ? void 0 : k.join(" ");
     await this.cacheManager.setToken({
-      scope: v,
+      scope: f,
       state: "",
       session_state: "",
       identity_provider: e,
       token_type: "bearer",
       access_token: t,
-      refresh_token: n,
-      id_token: r,
-      expires_at: k
+      refresh_token: r,
+      id_token: n,
+      expires_at: d
     });
-    const m = J(r), T = re(m);
-    await this.cacheManager.setUser(T), await this.reloadCodeVerifier();
+    const v = X(n), p = ae(v);
+    await this.cacheManager.setUser(p), await this.reloadCodeVerifier();
   }
   async reloadCodeVerifier() {
     const e = await this.tokenProvider.RetrieveCodeVerifier();
     this.cookiesManager.save({ code_verifier: e }), this.tokenProvider = this.tokenProvider.WithProofKeyForCodeExchange(e);
   }
+  /**
+   * Create and encode state payload for replay attack protection
+   * @param {string} redirectTo - Path to redirect to after authentication
+   * @return {string} - Base64 encoded state payload
+   */
+  createStatePayload(e) {
+    const t = this.generateNonce(), r = Date.now();
+    return btoa(JSON.stringify({
+      redirectTo: e,
+      timestamp: r,
+      nonce: t
+    }));
+  }
+  /**
+   * Generate a random nonce for state validation
+   * @return {string} - Random nonce
+   */
+  generateNonce() {
+    const e = new Uint8Array(16);
+    return crypto.getRandomValues(e), Array.from(e, (t) => t.toString(16).padStart(2, "0")).join("");
+  }
+  /**
+   * Validate state payload to prevent replay attacks
+   * @param {string} receivedState - State received from OAuth callback
+   * @return {StateValidationResult} - Validation result with redirect path if valid
+   */
+  validateStatePayload(e) {
+    try {
+      if (!e || e.trim() === "")
+        return { isValid: !1, error: "Empty state parameter" };
+      const t = this.cookiesManager.getStatePayload();
+      if (!t)
+        return { isValid: !1, error: "No stored state found" };
+      const r = atob(e), n = JSON.parse(r), s = atob(t), c = JSON.parse(s);
+      if (!n.nonce || !n.timestamp || !n.redirectTo)
+        return { isValid: !1, error: "Invalid state payload structure" };
+      if (n.nonce !== c.nonce)
+        return { isValid: !1, error: "State nonce mismatch" };
+      const f = Date.now() - n.timestamp;
+      return f > A ? { isValid: !1, error: "State expired - possible replay attack" } : f < 0 ? { isValid: !1, error: "State timestamp is in the future - possible replay attack" } : (this.cookiesManager.clearStatePayload(), {
+        isValid: !0,
+        redirectTo: n.redirectTo
+      });
+    } catch {
+      return { isValid: !1, error: "Invalid state format" };
+    }
+  }
   /**
    * Return the user stored in cache
    * @return {Promise<TIDUser | undefined>} User in cache
    */
   async getUser() {
-    return this.analyticshttpclient.sendMethodEvent(this.getUser.name, this.clientId, d, h), await this.cacheManager.getUser();
+    return this.analyticshttpclient.sendMethodEvent(this.getUser.name, this.clientId, u, g), await this.cacheManager.getUser();
   }
   /**
    * Gets the access token from cache. If the token already expired,
@@ -370,16 +454,16 @@ class de {
    * @throws {TokenExpiredException} Will throw an exception if the user token expired
    */
   async getAccessTokenSilently() {
-    this.analyticshttpclient.sendMethodEvent(this.getAccessTokenSilently.name, this.clientId, d, h);
+    this.analyticshttpclient.sendMethodEvent(this.getAccessTokenSilently.name, this.clientId, u, g);
     let e = await this.cacheManager.getToken();
     if (e == null)
-      throw this.analyticshttpclient.sendExceptionEvent(this.getAccessTokenSilently.name, "No token available", this.clientId, d, h), new O("No token available");
+      throw this.analyticshttpclient.sendExceptionEvent(this.getAccessTokenSilently.name, "No token available", this.clientId, u, g), new D("No token available");
     const t = new Date((/* @__PURE__ */ new Date()).getTime() + x);
     if ((e == null ? void 0 : e.expires_at) == null || (e == null ? void 0 : e.expires_at) < t.getTime()) {
       try {
         await this.tokenProvider.RetrieveToken();
-      } catch (n) {
-        throw this.analyticshttpclient.sendExceptionEvent(this.getAccessTokenSilently.name, n.message, this.clientId, d, h), new U(n.message);
+      } catch (r) {
+        throw this.analyticshttpclient.sendExceptionEvent(this.getAccessTokenSilently.name, r.message, this.clientId, u, g), new O(r.message);
       }
       await this.generateToken((e == null ? void 0 : e.identity_provider) ?? ""), e = await this.cacheManager.getToken();
     }
@@ -393,16 +477,16 @@ class de {
    * @throws {TokenExpiredException} Will throw an exception if the user token expired
    */
   async getTokens() {
-    this.analyticshttpclient.sendMethodEvent(this.getTokens.name, this.clientId, d, h);
+    this.analyticshttpclient.sendMethodEvent(this.getTokens.name, this.clientId, u, g);
     let e = await this.cacheManager.getToken();
     if (e == null)
-      throw this.analyticshttpclient.sendExceptionEvent(this.getTokens.name, "No token available", this.clientId, d, h), new O("No token available");
+      throw this.analyticshttpclient.sendExceptionEvent(this.getTokens.name, "No token available", this.clientId, u, g), new D("No token available");
     const t = new Date((/* @__PURE__ */ new Date()).getTime() + x);
     if ((e == null ? void 0 : e.expires_at) == null || (e == null ? void 0 : e.expires_at) < t.getTime()) {
       try {
         await this.tokenProvider.RetrieveToken();
-      } catch (n) {
-        throw this.analyticshttpclient.sendExceptionEvent(this.getTokens.name, n.message, this.clientId, d, h), new U(n.message);
+      } catch (r) {
+        throw this.analyticshttpclient.sendExceptionEvent(this.getTokens.name, r.message, this.clientId, u, g), new O(r.message);
       }
       await this.generateToken((e == null ? void 0 : e.identity_provider) ?? ""), e = await this.cacheManager.getToken();
     }
@@ -425,13 +509,13 @@ class de {
    * // So it can be handled by the developer
    */
   async logout(e) {
-    this.analyticshttpclient.sendMethodEvent(this.logout.name, this.clientId, d, h);
-    const { onRedirect: t, disabledAutoRedirect: n } = e || {};
+    this.analyticshttpclient.sendMethodEvent(this.logout.name, this.clientId, u, g);
+    const { onRedirect: t, disabledAutoRedirect: r } = e || {};
     this.cacheManager && await this.cacheManager.clear(), this.cookiesManager && this.cookiesManager.clear();
-    const r = await this.tokenProvider.GetOAuthLogoutRedirect("state");
+    const n = await this.tokenProvider.GetOAuthLogoutRedirect("state");
     if (t != null)
-      return t(r);
-    n || window.location.assign(r);
+      return t(n);
+    r || window.location.assign(n);
   }
   /**
    * Check if the user still has a valid session
@@ -460,8 +544,8 @@ class de {
     const e = await this.cacheManager.getToken();
     if (e == null)
       return;
-    const t = e.access_token, n = e.refresh_token || "", r = e.id_token, a = e.expires_at;
-    this.tokenProvider = this.tokenProvider.WithAccessToken(t, a).WithRefreshToken(n).WithIdToken(r);
+    const t = e.access_token, r = e.refresh_token || "", n = e.id_token, s = e.expires_at;
+    this.tokenProvider = this.tokenProvider.WithAccessToken(t, s).WithRefreshToken(r).WithIdToken(n);
   }
   /**
    * Get a http bearer token client to use it for another SDK (Ex: Processing framework)
@@ -478,7 +562,7 @@ class de {
     return this.redirectUrl;
   }
 }
-const E = q(null), W = () => L(E) ?? {}, he = (i, e) => {
+const w = q(null), K = () => L(w) ?? {}, ue = (i, e) => {
   switch (e.type) {
     case "INIT":
       return {
@@ -511,10 +595,10 @@ const E = q(null), W = () => L(E) ?? {}, he = (i, e) => {
         error: e.error
       };
   }
-}, ue = {
+}, ge = {
   isLoading: !0,
   isAuthenticated: !1
-}, ge = (i) => {
+}, fe = (i) => {
   if (i == null || Object.keys(i).length <= 0)
     return !0;
   const e = Object.keys(i);
@@ -522,114 +606,112 @@ const E = q(null), W = () => L(E) ?? {}, he = (i, e) => {
     if (i[t] != null && i[t] !== "")
       return !1;
   return !0;
-}, ke = (i) => !ge(i.config), fe = (i) => {
+}, ye = (i) => !fe(i.config), ke = (i) => {
   const {
     children: e,
     configurationEndpoint: t,
-    clientId: n,
-    redirectUrl: r,
-    logoutRedirectUrl: a,
-    scopes: g,
-    onRedirectCallback: k,
-    checkRedirectUrlMatch: v
+    clientId: r,
+    redirectUrl: n,
+    logoutRedirectUrl: s,
+    scopes: c,
+    onRedirectCallback: d,
+    checkRedirectUrlMatch: f
   } = i;
-  if (L(E) != null)
+  if (L(w) != null)
     throw new Error("TID Provider already defined");
-  const T = {
+  const p = {
     config: {
       configurationEndpoint: t ?? "",
-      clientId: n ?? "",
-      redirectUrl: r ?? "",
-      logoutRedirectUrl: a ?? "",
-      scopes: g ?? [""]
+      clientId: r ?? "",
+      redirectUrl: n ?? "",
+      logoutRedirectUrl: s ?? "",
+      scopes: c ?? [""]
     }
-  }, [s] = z(i.tidClient ?? new de(T)), [f, u] = X(he, ue), p = Y(!1), N = M(
-    () => v ? s.getRedirectUrl() : void 0,
-    [v, s]
+  }, [a] = z(i.tidClient ?? new he(p)), [k, y] = Y(ue, ge), E = Z(!1), W = M(
+    () => f ? a.getRedirectUrl() : void 0,
+    [f, a]
   );
-  D(() => {
-    p.current || (i.tidClient != null && ke({
+  N(() => {
+    E.current || (i.tidClient != null && ye({
       config: {
         configurationEndpoint: t,
-        clientId: n,
-        redirectUrl: r,
-        logoutRedirectUrl: a,
-        scopes: g
+        clientId: r,
+        redirectUrl: n,
+        logoutRedirectUrl: s,
+        scopes: c
       }
     }) && console.warn(
       "When TID client is pass as prop, any client configuration property sent directly to the TID Provider component will be ignored"
-    ), p.current = !0, (async () => {
+    ), E.current = !0, (async () => {
       try {
         let o;
-        if (ne(void 0, N)) {
-          const { authState: l } = await s.handleCallback();
-          o = await s.getUser(), k != null && k(l);
+        if (ne(void 0, W)) {
+          const h = await a.handleCallback();
+          o = await a.getUser(), d != null && d(h);
         } else
-          await s.loadUserSession(), o = await s.getUser();
-        u({ type: "INIT", user: o });
+          await a.loadUserSession(), o = await a.getUser();
+        y({ type: "INIT", user: o });
       } catch (o) {
-        let l = o;
-        typeof o == "string" && (l = new Error(o)), u({ type: "ERROR", error: l });
+        let h = o;
+        typeof o == "string" && (h = new Error(o)), y({ type: "ERROR", error: h });
       }
     })());
-  }, [s, k]);
-  const _ = y(async () => {
-    const o = await s.getAccessTokenSilently(), l = await s.getUser();
-    return u({
+  }, [a, d]);
+  const S = m(async () => {
+    const o = await a.getAccessTokenSilently(), h = await a.getUser();
+    return y({
       type: "GET_ACCESS_TOKEN_COMPLETE",
-      user: l
+      user: h
     }), o;
-  }, [s]), C = y(async () => {
-    const o = await s.getTokens(), l = await s.getUser();
-    return u({
+  }, [a]), P = m(async () => {
+    const o = await a.getTokens(), h = await a.getUser();
+    return y({
       type: "GET_TOKENS_COMPLETE",
-      user: l
+      user: h
     }), o;
-  }, [s]), S = y(
+  }, [a]), _ = m(
     async (o) => {
-      await s.loginWithRedirect(o);
+      await a.loginWithRedirect(o);
     },
-    [s]
-  ), I = y(
+    [a]
+  ), C = m(
     async (o) => {
-      await s.logout(o), (o == null ? void 0 : o.disabledAutoRedirect) != null && o.disabledAutoRedirect && u({
+      await a.logout(o), (o == null ? void 0 : o.disabledAutoRedirect) != null && o.disabledAutoRedirect && y({
         type: "LOGOUT"
       });
     },
-    [s]
-  ), P = y(
+    [a]
+  ), I = m(
     async (o) => {
-      const { authState: l } = await s.handleCallback(o), V = await s.getUser();
-      return u({
+      const h = await a.handleCallback(o), F = await a.getUser();
+      return y({
         type: "HANDLE_CALLBACK_COMPLETE",
-        user: V
-      }), {
-        authState: l
-      };
+        user: F
+      }), h;
     },
-    [s]
+    [a]
   ), G = M(
     () => ({
-      ...f,
-      getAccessTokenSilently: _,
-      getTokens: C,
-      loginWithRedirect: S,
-      handleCallback: P,
-      logout: I
+      ...k,
+      getAccessTokenSilently: S,
+      getTokens: P,
+      loginWithRedirect: _,
+      handleCallback: I,
+      logout: C
     }),
-    [f, _, C, S, P, I]
+    [k, S, P, _, I, C]
   );
-  return /* @__PURE__ */ K(E.Provider, { value: G, children: e });
-}, me = W, pe = fe, _e = ({ renderComponent: i, loader: e }) => {
-  const { isAuthenticated: t, isLoading: n, loginWithRedirect: r } = W();
-  return D(() => {
-    !n && !t && (async () => await r())();
-  }, [n, t, r]), t ? i : e || /* @__PURE__ */ K(Z, {});
+  return /* @__PURE__ */ V(w.Provider, { value: G, children: e });
+}, Ee = K, Se = ke, Pe = ({ renderComponent: i, loader: e }) => {
+  const { isAuthenticated: t, isLoading: r, loginWithRedirect: n } = K();
+  return N(() => {
+    !r && !t && (async () => await n())();
+  }, [r, t, n]), t ? i : e || /* @__PURE__ */ V(j, {});
 };
 export {
-  _e as AuthenticationGuard,
-  de as TIDClient,
-  E as TIDContext,
-  pe as TIDProvider,
-  me as useAuth
+  Pe as AuthenticationGuard,
+  he as TIDClient,
+  w as TIDContext,
+  Se as TIDProvider,
+  Ee as useAuth
 };

package/dist/trimble-id-react.umd.js

@@ -1 +1 @@
-(function(o,c){typeof exports=="object"&&typeof module<"u"?c(exports,require("@trimble-oss/trimble-id"),require("es-cookie"),require("jwt-decode"),require("react"),require("react/jsx-runtime")):typeof define=="function"&&define.amd?define(["exports","@trimble-oss/trimble-id","es-cookie","jwt-decode","react","react/jsx-runtime"],c):(o=typeof globalThis<"u"?globalThis:o||self,c(o.ReactTID={},o.trimbleId,o.esCookie,o.jwt_decode,o.React,o.jsxRuntime))})(this,function(o,c,k,W,l,p){"use strict";var le=Object.defineProperty;var de=(o,c,k)=>c in o?le(o,c,{enumerable:!0,configurable:!0,writable:!0,value:k}):o[c]=k;var h=(o,c,k)=>(de(o,typeof c!="symbol"?c+"":c,k),k);function G(i){const e=Object.create(null,{[Symbol.toStringTag]:{value:"Module"}});if(i){for(const t in i)if(t!=="default"){const n=Object.getOwnPropertyDescriptor(i,t);Object.defineProperty(e,t,n.get?n:{enumerable:!0,get:()=>i[t]})}}return e.default=i,Object.freeze(e)}const C=G(k);class V{constructor(){h(this,"generateCache",function(){const e={token:void 0,user:void 0};return{async getToken(){return e.token},async getUser(){return e.user},async storeToken(t){e.token=t},async storeUser(t){e.user=t},clear(){return e.token=void 0,e.user=void 0,Promise.resolve(void 0)}}}())}}class F{constructor(){h(this,"cacheStorage");this.cacheStorage=new V().generateCache}async setToken(e){await this.cacheStorage.storeToken(e)}async setUser(e){await this.cacheStorage.storeUser(e)}async getUser(){return this.cacheStorage.getUser()}async getToken(){return this.cacheStorage.getToken()}async clear(){await this.cacheStorage.clear()}}const S=5*6e4,j=["code","state"],P=i=>i.split("?")[0],q=i=>i.split("?")[1],I=i=>{let e=i;if(!i.startsWith("?"))try{e=new URL(i).search}catch{}return new URLSearchParams(e)},B=(i=window.location.href,e)=>{if(e!=null){const n=P(e),r=P(i??"");if(n!==r)return!1}const t=I(i);for(const n of j)if(!t.has(n))return!1;return!0},$=i=>({id:i.sub,name:`${i.given_name} ${i.family_name}`,given_name:i.given_name,family_name:i.family_name,picture:i.picture,email:i.email,email_verified:i.email_verified}),H="@TID_COOKIE";class z{get(e){const t=C.get(e);if(t==null)throw new Error("Cookie not found");return JSON.parse(t)}set(e,t,n){let r={};window.location.protocol==="https:"&&(r={secure:!0,sameSite:"none"}),n!=null&&n.expires&&(r.expires=n.expires),n!=null&&n.domain&&(r.domain=n.domain),C.set(e,JSON.stringify(t),r)}remove(e,t){const n={};t!=null&&t.domain&&(n.domain=t.domain),C.remove(e,n)}}class Q{constructor(e){h(this,"cookieKey");h(this,"cookiesStorage");this.cookieKey=`${H}.${e.clientId}`,this.cookiesStorage=new z}save(e){this.cookiesStorage.set(this.cookieKey,e,{expires:1})}get(){try{return this.cookiesStorage.get(this.cookieKey)}catch{return}}clear(){this.cookiesStorage.remove(this.cookieKey)}}class R extends Error{}class M extends Error{}class J extends Error{}const u="@trimble-oss/trimble-id-react",g="1.0.0-rc.2",X={configurationEndpoint:"",clientId:"",redirectUrl:"",logoutRedirectUrl:"",scopes:[]};class x{constructor(e){h(this,"tokenProvider");h(this,"cacheManager");h(this,"cookiesManager");h(this,"clientId");h(this,"redirectUrl");h(this,"analyticshttpclient");const{config:t=X}=e;if(this.redirectUrl=t.redirectUrl,t.configurationEndpoint==null||t.configurationEndpoint=="")throw new Error("Configuration endpoint not defined");if(t.clientId==null||t.clientId=="")throw new Error("Consumer key is not defined");this.cookiesManager=new Q({clientId:t.clientId});const n=this.cookiesManager.get(),r=new c.OpenIdEndpointProvider(t.configurationEndpoint);let d=new c.AuthorizationCodeGrantTokenProvider(r,t.clientId,t.redirectUrl).WithScopes(t.scopes);t.logoutRedirectUrl&&(d=d.WithLogoutRedirect(t.logoutRedirectUrl)),(n==null?void 0:n.code_verifier)!=null&&(d=d.WithProofKeyForCodeExchange(n.code_verifier)),this.tokenProvider=d,this.cacheManager=new F,this.clientId=t.clientId,this.analyticshttpclient=c.AnalyticsHttpClient,this.analyticshttpclient.sendInitEvent("TIDClient",this.clientId,u,g)}async loginWithRedirect(e){this.analyticshttpclient.sendMethodEvent(this.loginWithRedirect.name,this.clientId,u,g);const{onRedirect:t}=e||{},n=c.AuthorizationCodeGrantTokenProvider.GenerateCodeVerifier();this.cookiesManager.save({code_verifier:n}),this.tokenProvider=this.tokenProvider.WithProofKeyForCodeExchange(n);const r=await this.tokenProvider.GetOAuthRedirect("state");t!=null?t(r):window.location.assign(r)}async handleCallback(e=window.location.href){const t=this.cookiesManager.get();if(t==null||(t==null?void 0:t.code_verifier)==null)throw new J("Code verifier not available");const n=q(e),r=I(e),d=r.get("identity_provider")??"",T=r.get("state")??"";return await this.tokenProvider.ValidateQuery(n),await this.generateToken(d),{authState:T}}async generateToken(e){var s,w;const t=await this.tokenProvider.RetrieveToken(),n=await this.tokenProvider.RetrieveRefreshToken(),r=await this.tokenProvider.RetrieveIdToken(),d=await this.tokenProvider.RetrieveTokenExpiry(),v=new Date(d).getTime(),m=(w=(s=this.tokenProvider)==null?void 0:s._scopes)==null?void 0:w.join(" ");await this.cacheManager.setToken({scope:m,state:"",session_state:"",identity_provider:e,token_type:"bearer",access_token:t,refresh_token:n,id_token:r,expires_at:v});const U=W(r),_=$(U);await this.cacheManager.setUser(_),await this.reloadCodeVerifier()}async reloadCodeVerifier(){const e=await this.tokenProvider.RetrieveCodeVerifier();this.cookiesManager.save({code_verifier:e}),this.tokenProvider=this.tokenProvider.WithProofKeyForCodeExchange(e)}async getUser(){return this.analyticshttpclient.sendMethodEvent(this.getUser.name,this.clientId,u,g),await this.cacheManager.getUser()}async getAccessTokenSilently(){this.analyticshttpclient.sendMethodEvent(this.getAccessTokenSilently.name,this.clientId,u,g);let e=await this.cacheManager.getToken();if(e==null)throw this.analyticshttpclient.sendExceptionEvent(this.getAccessTokenSilently.name,"No token available",this.clientId,u,g),new M("No token available");const t=new Date(new Date().getTime()+S);if((e==null?void 0:e.expires_at)==null||(e==null?void 0:e.expires_at)<t.getTime()){try{await this.tokenProvider.RetrieveToken()}catch(n){throw this.analyticshttpclient.sendExceptionEvent(this.getAccessTokenSilently.name,n.message,this.clientId,u,g),new R(n.message)}await this.generateToken((e==null?void 0:e.identity_provider)??""),e=await this.cacheManager.getToken()}return(e==null?void 0:e.access_token)||""}async getTokens(){this.analyticshttpclient.sendMethodEvent(this.getTokens.name,this.clientId,u,g);let e=await this.cacheManager.getToken();if(e==null)throw this.analyticshttpclient.sendExceptionEvent(this.getTokens.name,"No token available",this.clientId,u,g),new M("No token available");const t=new Date(new Date().getTime()+S);if((e==null?void 0:e.expires_at)==null||(e==null?void 0:e.expires_at)<t.getTime()){try{await this.tokenProvider.RetrieveToken()}catch(n){throw this.analyticshttpclient.sendExceptionEvent(this.getTokens.name,n.message,this.clientId,u,g),new R(n.message)}await this.generateToken((e==null?void 0:e.identity_provider)??""),e=await this.cacheManager.getToken()}return{access_token:(e==null?void 0:e.access_token)||"",expires_at:(e==null?void 0:e.expires_at)||0,id_token:(e==null?void 0:e.id_token)||""}}async logout(e){this.analyticshttpclient.sendMethodEvent(this.logout.name,this.clientId,u,g);const{onRedirect:t,disabledAutoRedirect:n}=e||{};this.cacheManager&&await this.cacheManager.clear(),this.cookiesManager&&this.cookiesManager.clear();const r=await this.tokenProvider.GetOAuthLogoutRedirect("state");if(t!=null)return t(r);n||window.location.assign(r)}async checkSession(){try{await this.getAccessTokenSilently()}catch{return!1}return!0}async loadUserSession(){await this.loadCacheSessionIntoSDK(),await this.checkSession()||await this.cacheManager.clear()}async loadCacheSessionIntoSDK(){const e=await this.cacheManager.getToken();if(e==null)return;const t=e.access_token,n=e.refresh_token||"",r=e.id_token,d=e.expires_at;this.tokenProvider=this.tokenProvider.WithAccessToken(t,d).WithRefreshToken(n).WithIdToken(r)}getBearerTokenHttpClient(e){return new c.BearerTokenHttpClientProvider(this.tokenProvider,e)}getRedirectUrl(){return this.redirectUrl}}const E=l.createContext(null),A=()=>l.useContext(E)??{},Y=(i,e)=>{switch(e.type){case"INIT":return{...i,isLoading:!1,isAuthenticated:e.user!=null,user:e.user,error:void 0};case"GET_TOKENS_COMPLETE":case"HANDLE_CALLBACK_COMPLETE":case"GET_ACCESS_TOKEN_COMPLETE":return{...i,isLoading:!1,isAuthenticated:e.user!=null,user:e.user,error:void 0};case"LOGOUT":return{...i,isAuthenticated:!1,user:void 0};case"ERROR":return{...i,isLoading:!1,error:e.error}}},Z={isLoading:!0,isAuthenticated:!1},ee=i=>{if(i==null||Object.keys(i).length<=0)return!0;const e=Object.keys(i);for(const t of e)if(i[t]!=null&&i[t]!=="")return!1;return!0},te=i=>!ee(i.config),ie=i=>{const{children:e,configurationEndpoint:t,clientId:n,redirectUrl:r,logoutRedirectUrl:d,scopes:T,onRedirectCallback:v,checkRedirectUrlMatch:m}=i;if(l.useContext(E)!=null)throw new Error("TID Provider already defined");const _={config:{configurationEndpoint:t??"",clientId:n??"",redirectUrl:r??"",logoutRedirectUrl:d??"",scopes:T??[""]}},[s]=l.useState(i.tidClient??new x(_)),[w,y]=l.useReducer(Y,Z),O=l.useRef(!1),oe=l.useMemo(()=>m?s.getRedirectUrl():void 0,[m,s]);l.useEffect(()=>{O.current||(i.tidClient!=null&&te({config:{configurationEndpoint:t,clientId:n,redirectUrl:r,logoutRedirectUrl:d,scopes:T}})&&console.warn("When TID client is pass as prop, any client configuration property sent directly to the TID Provider component will be ignored"),O.current=!0,(async()=>{try{let a;if(B(void 0,oe)){const{authState:f}=await s.handleCallback();a=await s.getUser(),v!=null&&v(f)}else await s.loadUserSession(),a=await s.getUser();y({type:"INIT",user:a})}catch(a){let f=a;typeof a=="string"&&(f=new Error(a)),y({type:"ERROR",error:f})}})())},[s,v]);const D=l.useCallback(async()=>{const a=await s.getAccessTokenSilently(),f=await s.getUser();return y({type:"GET_ACCESS_TOKEN_COMPLETE",user:f}),a},[s]),b=l.useCallback(async()=>{const a=await s.getTokens(),f=await s.getUser();return y({type:"GET_TOKENS_COMPLETE",user:f}),a},[s]),L=l.useCallback(async a=>{await s.loginWithRedirect(a)},[s]),K=l.useCallback(async a=>{await s.logout(a),(a==null?void 0:a.disabledAutoRedirect)!=null&&a.disabledAutoRedirect&&y({type:"LOGOUT"})},[s]),N=l.useCallback(async a=>{const{authState:f}=await s.handleCallback(a),ce=await s.getUser();return y({type:"HANDLE_CALLBACK_COMPLETE",user:ce}),{authState:f}},[s]),ae=l.useMemo(()=>({...w,getAccessTokenSilently:D,getTokens:b,loginWithRedirect:L,handleCallback:N,logout:K}),[w,D,b,L,N,K]);return p.jsx(E.Provider,{value:ae,children:e})},ne=A,re=ie,se=({renderComponent:i,loader:e})=>{const{isAuthenticated:t,isLoading:n,loginWithRedirect:r}=A();return l.useEffect(()=>{!n&&!t&&(async()=>await r())()},[n,t,r]),t?i:e||p.jsx(p.Fragment,{})};o.AuthenticationGuard=se,o.TIDClient=x,o.TIDContext=E,o.TIDProvider=re,o.useAuth=ne,Object.defineProperty(o,Symbol.toStringTag,{value:"Module"})});
+(function(o,l){typeof exports=="object"&&typeof module<"u"?l(exports,require("@trimble-oss/trimble-id"),require("es-cookie"),require("jwt-decode"),require("react"),require("react/jsx-runtime")):typeof define=="function"&&define.amd?define(["exports","@trimble-oss/trimble-id","es-cookie","jwt-decode","react","react/jsx-runtime"],l):(o=typeof globalThis<"u"?globalThis:o||self,l(o.ReactTID={},o.trimbleId,o.esCookie,o.jwt_decode,o.React,o.jsxRuntime))})(this,function(o,l,p,W,d,E){"use strict";var de=Object.defineProperty;var he=(o,l,p)=>l in o?de(o,l,{enumerable:!0,configurable:!0,writable:!0,value:p}):o[l]=p;var u=(o,l,p)=>(he(o,typeof l!="symbol"?l+"":l,p),p);function G(i){const e=Object.create(null,{[Symbol.toStringTag]:{value:"Module"}});if(i){for(const t in i)if(t!=="default"){const n=Object.getOwnPropertyDescriptor(i,t);Object.defineProperty(e,t,n.get?n:{enumerable:!0,get:()=>i[t]})}}return e.default=i,Object.freeze(e)}const S=G(p);class F{constructor(){u(this,"generateCache",function(){const e={token:void 0,user:void 0};return{async getToken(){return e.token},async getUser(){return e.user},async storeToken(t){e.token=t},async storeUser(t){e.user=t},clear(){return e.token=void 0,e.user=void 0,Promise.resolve(void 0)}}}())}}class j{constructor(){u(this,"cacheStorage");this.cacheStorage=new F().generateCache}async setToken(e){await this.cacheStorage.storeToken(e)}async setUser(e){await this.cacheStorage.storeUser(e)}async getUser(){return this.cacheStorage.getUser()}async getToken(){return this.cacheStorage.getToken()}async clear(){await this.cacheStorage.clear()}}const C=5*6e4,$=["code","state"],_=10*60*1e3,I=i=>i.split("?")[0],q=i=>i.split("?")[1],M=i=>{let e=i;if(!i.startsWith("?"))try{e=new URL(i).search}catch{}return new URLSearchParams(e)},B=(i=window.location.href,e)=>{if(e!=null){const n=I(e),r=I(i??"");if(n!==r)return!1}const t=M(i);for(const n of $)if(!t.has(n))return!1;return!0},J=i=>({id:i.sub,name:`${i.given_name} ${i.family_name}`,given_name:i.given_name,family_name:i.family_name,picture:i.picture,email:i.email,email_verified:i.email_verified}),H="@TID_COOKIE";class z{get(e){const t=S.get(e);if(t==null)throw new Error("Cookie not found");return JSON.parse(t)}set(e,t,n){let r={};window.location.protocol==="https:"&&(r={secure:!0,sameSite:"none"}),n!=null&&n.expires&&(r.expires=n.expires),n!=null&&n.domain&&(r.domain=n.domain),S.set(e,JSON.stringify(t),r)}remove(e,t){const n={};t!=null&&t.domain&&(n.domain=t.domain),S.remove(e,n)}}class Q{constructor(e){u(this,"cookieKey");u(this,"cookiesStorage");this.cookieKey=`${H}.${e.clientId}`,this.cookiesStorage=new z}save(e){const n={...this.get()||{},...e};this.cookiesStorage.set(this.cookieKey,n,{expires:1})}getStatePayload(){const e=this.get();return e==null?void 0:e.state_payload}clearStatePayload(){const e=this.get();e&&(delete e.state_payload,this.cookiesStorage.set(this.cookieKey,e,{expires:1}))}get(){try{return this.cookiesStorage.get(this.cookieKey)}catch{return}}clear(){this.cookiesStorage.remove(this.cookieKey)}}class R extends Error{}class x extends Error{}class X extends Error{}const g="@trimble-oss/trimble-id-react",f="1.0.1",Y={configurationEndpoint:"",clientId:"",redirectUrl:"",logoutRedirectUrl:"",scopes:[]};class A{constructor(e){u(this,"tokenProvider");u(this,"cacheManager");u(this,"cookiesManager");u(this,"clientId");u(this,"redirectUrl");u(this,"analyticshttpclient");const{config:t=Y}=e;if(this.redirectUrl=t.redirectUrl,t.configurationEndpoint==null||t.configurationEndpoint=="")throw new Error("Configuration endpoint not defined");if(t.clientId==null||t.clientId=="")throw new Error("Consumer key is not defined");this.cookiesManager=new Q({clientId:t.clientId});const n=this.cookiesManager.get(),r=new l.OpenIdEndpointProvider(t.configurationEndpoint);let c=new l.AuthorizationCodeGrantTokenProvider(r,t.clientId,t.redirectUrl).WithScopes(t.scopes);t.logoutRedirectUrl&&(c=c.WithLogoutRedirect(t.logoutRedirectUrl)),(n==null?void 0:n.code_verifier)!=null&&(c=c.WithProofKeyForCodeExchange(n.code_verifier)),this.tokenProvider=c,this.cacheManager=new j,this.clientId=t.clientId,this.analyticshttpclient=l.AnalyticsHttpClient,this.analyticshttpclient.sendInitEvent("TIDClient",this.clientId,g,f),this.cleanupExpiredState()}cleanupExpiredState(){try{const e=this.cookiesManager.getStatePayload();if(e){const t=atob(e),n=JSON.parse(t);Date.now()-n.timestamp>_&&this.cookiesManager.clearStatePayload()}}catch{this.cookiesManager.clearStatePayload()}}async loginWithRedirect(e){this.analyticshttpclient.sendMethodEvent(this.loginWithRedirect.name,this.clientId,g,f);const{onRedirect:t}=e||{},n=window.location.pathname+window.location.search,r=this.createStatePayload(n);this.cookiesManager.save({state_payload:r});const c=l.AuthorizationCodeGrantTokenProvider.GenerateCodeVerifier();this.cookiesManager.save({code_verifier:c}),this.tokenProvider=this.tokenProvider.WithProofKeyForCodeExchange(c);const h=await this.tokenProvider.GetOAuthRedirect(r);t!=null?t(h):window.location.assign(h)}async handleCallback(e=window.location.href){const t=this.cookiesManager.get();if(t==null||(t==null?void 0:t.code_verifier)==null)throw new X("Code verifier not available");const n=q(e),r=M(e),c=r.get("identity_provider")??"",h=r.get("state")??"",y=this.validateStatePayload(h);if(!y.isValid)throw new Error(`State validation failed: ${y.error}`);return await this.tokenProvider.ValidateQuery(n),await this.generateToken(c),{authState:h,returnTo:y.redirectTo}}async generateToken(e){var a,v;const t=await this.tokenProvider.RetrieveToken(),n=await this.tokenProvider.RetrieveRefreshToken(),r=await this.tokenProvider.RetrieveIdToken(),c=await this.tokenProvider.RetrieveTokenExpiry(),y=new Date(c).getTime(),T=(v=(a=this.tokenProvider)==null?void 0:a._scopes)==null?void 0:v.join(" ");await this.cacheManager.setToken({scope:T,state:"",session_state:"",identity_provider:e,token_type:"bearer",access_token:t,refresh_token:n,id_token:r,expires_at:y});const U=W(r),P=J(U);await this.cacheManager.setUser(P),await this.reloadCodeVerifier()}async reloadCodeVerifier(){const e=await this.tokenProvider.RetrieveCodeVerifier();this.cookiesManager.save({code_verifier:e}),this.tokenProvider=this.tokenProvider.WithProofKeyForCodeExchange(e)}createStatePayload(e){const t=this.generateNonce(),n=Date.now();return btoa(JSON.stringify({redirectTo:e,timestamp:n,nonce:t}))}generateNonce(){const e=new Uint8Array(16);return crypto.getRandomValues(e),Array.from(e,t=>t.toString(16).padStart(2,"0")).join("")}validateStatePayload(e){try{if(!e||e.trim()==="")return{isValid:!1,error:"Empty state parameter"};const t=this.cookiesManager.getStatePayload();if(!t)return{isValid:!1,error:"No stored state found"};const n=atob(e),r=JSON.parse(n),c=atob(t),h=JSON.parse(c);if(!r.nonce||!r.timestamp||!r.redirectTo)return{isValid:!1,error:"Invalid state payload structure"};if(r.nonce!==h.nonce)return{isValid:!1,error:"State nonce mismatch"};const T=Date.now()-r.timestamp;return T>_?{isValid:!1,error:"State expired - possible replay attack"}:T<0?{isValid:!1,error:"State timestamp is in the future - possible replay attack"}:(this.cookiesManager.clearStatePayload(),{isValid:!0,redirectTo:r.redirectTo})}catch{return{isValid:!1,error:"Invalid state format"}}}async getUser(){return this.analyticshttpclient.sendMethodEvent(this.getUser.name,this.clientId,g,f),await this.cacheManager.getUser()}async getAccessTokenSilently(){this.analyticshttpclient.sendMethodEvent(this.getAccessTokenSilently.name,this.clientId,g,f);let e=await this.cacheManager.getToken();if(e==null)throw this.analyticshttpclient.sendExceptionEvent(this.getAccessTokenSilently.name,"No token available",this.clientId,g,f),new x("No token available");const t=new Date(new Date().getTime()+C);if((e==null?void 0:e.expires_at)==null||(e==null?void 0:e.expires_at)<t.getTime()){try{await this.tokenProvider.RetrieveToken()}catch(n){throw this.analyticshttpclient.sendExceptionEvent(this.getAccessTokenSilently.name,n.message,this.clientId,g,f),new R(n.message)}await this.generateToken((e==null?void 0:e.identity_provider)??""),e=await this.cacheManager.getToken()}return(e==null?void 0:e.access_token)||""}async getTokens(){this.analyticshttpclient.sendMethodEvent(this.getTokens.name,this.clientId,g,f);let e=await this.cacheManager.getToken();if(e==null)throw this.analyticshttpclient.sendExceptionEvent(this.getTokens.name,"No token available",this.clientId,g,f),new x("No token available");const t=new Date(new Date().getTime()+C);if((e==null?void 0:e.expires_at)==null||(e==null?void 0:e.expires_at)<t.getTime()){try{await this.tokenProvider.RetrieveToken()}catch(n){throw this.analyticshttpclient.sendExceptionEvent(this.getTokens.name,n.message,this.clientId,g,f),new R(n.message)}await this.generateToken((e==null?void 0:e.identity_provider)??""),e=await this.cacheManager.getToken()}return{access_token:(e==null?void 0:e.access_token)||"",expires_at:(e==null?void 0:e.expires_at)||0,id_token:(e==null?void 0:e.id_token)||""}}async logout(e){this.analyticshttpclient.sendMethodEvent(this.logout.name,this.clientId,g,f);const{onRedirect:t,disabledAutoRedirect:n}=e||{};this.cacheManager&&await this.cacheManager.clear(),this.cookiesManager&&this.cookiesManager.clear();const r=await this.tokenProvider.GetOAuthLogoutRedirect("state");if(t!=null)return t(r);n||window.location.assign(r)}async checkSession(){try{await this.getAccessTokenSilently()}catch{return!1}return!0}async loadUserSession(){await this.loadCacheSessionIntoSDK(),await this.checkSession()||await this.cacheManager.clear()}async loadCacheSessionIntoSDK(){const e=await this.cacheManager.getToken();if(e==null)return;const t=e.access_token,n=e.refresh_token||"",r=e.id_token,c=e.expires_at;this.tokenProvider=this.tokenProvider.WithAccessToken(t,c).WithRefreshToken(n).WithIdToken(r)}getBearerTokenHttpClient(e){return new l.BearerTokenHttpClientProvider(this.tokenProvider,e)}getRedirectUrl(){return this.redirectUrl}}const w=d.createContext(null),O=()=>d.useContext(w)??{},Z=(i,e)=>{switch(e.type){case"INIT":return{...i,isLoading:!1,isAuthenticated:e.user!=null,user:e.user,error:void 0};case"GET_TOKENS_COMPLETE":case"HANDLE_CALLBACK_COMPLETE":case"GET_ACCESS_TOKEN_COMPLETE":return{...i,isLoading:!1,isAuthenticated:e.user!=null,user:e.user,error:void 0};case"LOGOUT":return{...i,isAuthenticated:!1,user:void 0};case"ERROR":return{...i,isLoading:!1,error:e.error}}},ee={isLoading:!0,isAuthenticated:!1},te=i=>{if(i==null||Object.keys(i).length<=0)return!0;const e=Object.keys(i);for(const t of e)if(i[t]!=null&&i[t]!=="")return!1;return!0},ie=i=>!te(i.config),ne=i=>{const{children:e,configurationEndpoint:t,clientId:n,redirectUrl:r,logoutRedirectUrl:c,scopes:h,onRedirectCallback:y,checkRedirectUrlMatch:T}=i;if(d.useContext(w)!=null)throw new Error("TID Provider already defined");const P={config:{configurationEndpoint:t??"",clientId:n??"",redirectUrl:r??"",logoutRedirectUrl:c??"",scopes:h??[""]}},[a]=d.useState(i.tidClient??new A(P)),[v,m]=d.useReducer(Z,ee),D=d.useRef(!1),se=d.useMemo(()=>T?a.getRedirectUrl():void 0,[T,a]);d.useEffect(()=>{D.current||(i.tidClient!=null&&ie({config:{configurationEndpoint:t,clientId:n,redirectUrl:r,logoutRedirectUrl:c,scopes:h}})&&console.warn("When TID client is pass as prop, any client configuration property sent directly to the TID Provider component will be ignored"),D.current=!0,(async()=>{try{let s;if(B(void 0,se)){const k=await a.handleCallback();s=await a.getUser(),y!=null&&y(k)}else await a.loadUserSession(),s=await a.getUser();m({type:"INIT",user:s})}catch(s){let k=s;typeof s=="string"&&(k=new Error(s)),m({type:"ERROR",error:k})}})())},[a,y]);const b=d.useCallback(async()=>{const s=await a.getAccessTokenSilently(),k=await a.getUser();return m({type:"GET_ACCESS_TOKEN_COMPLETE",user:k}),s},[a]),L=d.useCallback(async()=>{const s=await a.getTokens(),k=await a.getUser();return m({type:"GET_TOKENS_COMPLETE",user:k}),s},[a]),N=d.useCallback(async s=>{await a.loginWithRedirect(s)},[a]),V=d.useCallback(async s=>{await a.logout(s),(s==null?void 0:s.disabledAutoRedirect)!=null&&s.disabledAutoRedirect&&m({type:"LOGOUT"})},[a]),K=d.useCallback(async s=>{const k=await a.handleCallback(s),le=await a.getUser();return m({type:"HANDLE_CALLBACK_COMPLETE",user:le}),k},[a]),ce=d.useMemo(()=>({...v,getAccessTokenSilently:b,getTokens:L,loginWithRedirect:N,handleCallback:K,logout:V}),[v,b,L,N,K,V]);return E.jsx(w.Provider,{value:ce,children:e})},re=O,ae=ne,oe=({renderComponent:i,loader:e})=>{const{isAuthenticated:t,isLoading:n,loginWithRedirect:r}=O();return d.useEffect(()=>{!n&&!t&&(async()=>await r())()},[n,t,r]),t?i:e||E.jsx(E.Fragment,{})};o.AuthenticationGuard=oe,o.TIDClient=A,o.TIDContext=w,o.TIDProvider=ae,o.useAuth=re,Object.defineProperty(o,Symbol.toStringTag,{value:"Module"})});

package/package.json

@@ -1,8 +1,7 @@
-
 {
   "name": "@trimble-oss/trimble-id-react",
   "private": false,
-  "version": "1.0.0-rc.3",
+  "version": "1.0.1",
   "homepage": "https://github.com/trimble-oss/trimble-id-sdk-docs-for-react",
   "author": "Trimble developers <developers@trimble.com>",
   "license": "MIT",