@trimble-oss/trimble-id-react 1.0.0 → 1.0.2-rc1

package/README.md

@@ -67,7 +67,7 @@ process related to the authentication for you. Configure the SDK by wrapping you
 
 Here TIDProvider can take two parameters :  
 * **tidClient**  : TID client instance. You can send an instance of the TID Client if you want to handle the initialization yourself
-* **onRedirectCallback** -  When the redirect callback occur this function will be call once the user is login using the TIDClient. This could allow you to redirect the user into another page after the login happen.
+* **onRedirectCallback** -  When the redirect callback occur this function will be call once the user is login using the TIDClient. This function receives an `authState` parameter that contains a `returnTo` property with the user's original location before authentication, allowing you to redirect the user back to their intended destination after login.
 
 
 After wrapping your app with the TIDProvider, you have to configure the TID credentials registered in TrimbleCloud console. There are two ways of doing this:
@@ -102,6 +102,15 @@ After wrapping your app with the TIDProvider, you have to configure the TID cred
 </TIDProvider>
 ```
 
+```tsx
+const handleRedirect = (authState: AuthState) => {
+  // Use returnTo for automatic redirection to original location
+  const redirectTo = authState.returnTo || '/dashboard'
+  // Navigate to the intended destination
+  navigate(redirectTo)
+}
+```
+
 Below are the parameters of TIDClient.
 ### 1. TID Client configurations:
 
@@ -131,6 +140,21 @@ const {logout}= useAuth()
 await logout()
 ```
 
+### handleCallback
+
+Handle OAuth callback to complete user authentication and returns the auth state with redirect path.
+
+```tsx
+const { handleCallback } = useAuth()
+
+// Handle callback and get redirect information
+const authState = await handleCallback()
+
+// Use returnTo for automatic redirection to original location
+const redirectTo = authState.returnTo || '/dashboard'
+navigate(redirectTo)
+```
+
 ### isAuthenticated
 
 True if the user is authenticated.
@@ -198,7 +222,7 @@ See here for [Sample Code](https://github.com/trimble-oss/trimble-id-sdk-docs-fo
 
 ## Release notes
 
-See here for [releases](./CHANGELOG.md)
+See here for [releases](https://github.com/trimble-oss/trimble-id-sdk-docs-for-react/blob/main/release-notes/CHANGELOG.md)
 
 ## Raise an issue
 

package/dist/TIDClient/TIDClient.d.ts

@@ -90,16 +90,15 @@ export declare class TIDClient {
      * @type {string}
      */
     private readonly redirectUrl;
-    /**
-      * AnalyticsHttpClient for sending events
-      * @type {AnalyticsHttpClient}
-      */
-    private readonly analyticshttpclient;
     /**
      * Create a TID client to handle manage all user authentication functions and information
      * @param {CacheManagerOptions} props - TID client configuration
      */
     constructor(props: TIDClientOptions);
+    /**
+     * Clean up expired state payloads to prevent storage bloat
+     */
+    private cleanupExpiredState;
     /**
      * Redirect the user to TID using the browser
      * @param {LoginWithRedirectOptions} options - Custom configuration for the redirection
@@ -107,6 +106,7 @@ export declare class TIDClient {
      * @example No configuration
      * loginWithRedirect()
      * // Automatically redirects the user to TID with all necessary parameters
+     * // After authentication, user will be redirected back to the current page
      * @example Custom redirect
      * loginWithRedirect({onRedirect: (url) => router.navigate(url)})
      * // Redirect calls onRedirect with the log-out url for TID
@@ -116,8 +116,9 @@ export declare class TIDClient {
     /**
      * Authenticated the user using the url callback params
      * @param {string} url - Custom configuration for the redirection
-     * @return {Promise<AuthState>} Object contain the state returned from TID
+     * @return {Promise<AuthState>} Object contain the state returned from TID and redirect path
      * @throws {CodeVerifierNotFoundException} Will throw an exception if the session doesn't contain the code verifier
+     * @throws {Error} Will throw an exception if state validation fails or replay attack is detected
      * @example No configuration
      * handleCallback()
      * // Will automatically take the url from the browser and try to log in the user
@@ -133,6 +134,23 @@ export declare class TIDClient {
      */
     private generateToken;
     private reloadCodeVerifier;
+    /**
+     * Create and encode state payload for replay attack protection
+     * @param {string} redirectTo - Path to redirect to after authentication
+     * @return {string} - Base64 encoded state payload
+     */
+    private createStatePayload;
+    /**
+     * Generate a random nonce for state validation
+     * @return {string} - Random nonce
+     */
+    private generateNonce;
+    /**
+     * Validate state payload to prevent replay attacks
+     * @param {string} receivedState - State received from OAuth callback
+     * @return {StateValidationResult} - Validation result with redirect path if valid
+     */
+    private validateStatePayload;
     /**
      * Return the user stored in cache
      * @return {Promise<TIDUser | undefined>} User in cache

package/dist/TIDClient/constants.d.ts

@@ -8,3 +8,9 @@ export declare const CLOCK_SKEW_TIME: number;
  * @type {Array<string>}
  */
 export declare const LIST_PARAMS_REQUIRED: Array<string>;
+/**
+ * Maximum time allowed for state parameter to be valid (10 minutes)
+ * Used to prevent replay attacks
+ * @type {number}
+ */
+export declare const STATE_EXPIRATION_TIME: number;

package/dist/TIDClient/exceptions.d.ts

@@ -6,3 +6,6 @@ export declare class TokenNotFoundException extends Error {
 }
 export declare class CodeVerifierNotFoundException extends Error {
 }
+/** Class representing an OAuth state validation exception for CSRF protection */
+export declare class StateValidationException extends Error {
+}

package/dist/TIDClient/interfaces.d.ts

@@ -51,6 +51,8 @@ export interface TIDUser {
     email?: string;
     /** True if the End-User's e-mail address has been verified; otherwise false. */
     email_verified?: boolean;
+    /** Account id of the user */
+    account_id?: string;
 }
 export interface TIDJWTUser {
     /**
@@ -172,7 +174,23 @@ export interface TIDJWTUser {
      * @type {string}
      */
     data_region: string;
+    /**
+     * Account id of the user
+     * @type {string}
+     */
+    account_id: string;
 }
 export interface AuthState {
     authState: any;
+    returnTo?: string;
+}
+export interface StatePayload {
+    redirectTo: string;
+    timestamp: number;
+    nonce: string;
+}
+export interface StateValidationResult {
+    isValid: boolean;
+    redirectTo?: string;
+    error?: string;
 }

package/dist/TIDClient/storage/cookies/CookiesManager.d.ts

@@ -12,6 +12,11 @@ interface CookieValue {
      * @type {string}
      */
     code_verifier: string;
+    /**
+     * State information used for replay attack protection
+     * @type {string}
+     */
+    state_payload?: string;
 }
 /** Class to manage cookies */
 export declare class CookiesManager {
@@ -32,9 +37,18 @@ export declare class CookiesManager {
     constructor(options: CookiesManagerOptions);
     /**
      * Store cookies in the browser
-     * @param {CookieValue} value - information to store
+     * @param {Partial<CookieValue>} value - information to store
+     */
+    save(value: Partial<CookieValue>): void;
+    /**
+     * Retrieve state payload from cookies
+     * @return {string | undefined} - State payload from cookies
+     */
+    getStatePayload(): string | undefined;
+    /**
+     * Clear state payload from cookies
      */
-    save(value: CookieValue): void;
+    clearStatePayload(): void;
     /**
      * Retrieve cookies in the browser
      * @return {CookieValue | undefined}  - Cookies from the browser

package/dist/index.d.ts

@@ -1,4 +1,4 @@
 export { TIDClient } from './TIDClient';
 export { TIDContext, useAuth, TIDProvider } from './TIDProvider';
 export { AuthenticationGuard } from './AuthenticationGuard/AuthenticationGuard';
-export type { TokenResponse } from './TIDClient';
+export type { TokenResponse, AuthState } from './TIDClient';

package/dist/trimble-id-react.es.js

@@ -1,75 +1,70 @@
-var F = Object.defineProperty;
-var B = (i, e, t) => e in i ? F(i, e, { enumerable: !0, configurable: !0, writable: !0, value: t }) : i[e] = t;
-var c = (i, e, t) => (B(i, typeof e != "symbol" ? e + "" : e, t), t);
-import { OpenIdEndpointProvider as $, AuthorizationCodeGrantTokenProvider as R, AnalyticsHttpClient as H, BearerTokenHttpClientProvider as Q } from "@trimble-oss/trimble-id";
-import * as w from "es-cookie";
+import { OpenIdEndpointProvider as $, AuthorizationCodeGrantTokenProvider as R, AnalyticsHttpClient as h, BearerTokenHttpClientProvider as B } from "@trimble-oss/trimble-id";
+import * as m from "es-cookie";
 import J from "jwt-decode";
-import { createContext as q, useContext as L, useState as z, useReducer as X, useRef as Y, useMemo as M, useEffect as D, useCallback as y } from "react";
-import { jsx as K, Fragment as Z } from "react/jsx-runtime";
-class j {
-  constructor() {
-    /**
-     * This function generate a encapsulation function to store
-     * the user and token information in a secure way disabled the
-     * access from the outside
-     * @see {https://medium.com/javascript-scene/encapsulation-in-javascript-26be60e325b4} Encapsulation
-     * @return {CacheStorage} Key for the token
-     */
-    c(this, "generateCache", function() {
-      const e = {
-        token: void 0,
-        user: void 0
-      };
-      return {
-        /**
-         * Get token store in cache
-         * @return {Promise<TIDAuthToken | undefined>} Token store in memory
-         */
-        async getToken() {
-          return e.token;
-        },
-        /**
-         * Get user store in cache
-         * @return {Promise<TIDUser | undefined>} User store in memory
-         */
-        async getUser() {
-          return e.user;
-        },
-        /**
-         * Store token in cache
-         * @param {TIDAuthToken} token - Token that you want to store in cache
-         * @return {Promise<void>} Empty promise
-         */
-        async storeToken(t) {
-          e.token = t;
-        },
-        /**
-         * Store user in cache
-         * @param {TIDUser} user - User that you want to store in cache
-         * @return {Promise<void>} Empty promise
-         */
-        async storeUser(t) {
-          e.user = t;
-        },
-        /**
-         * The clear the cache from the storage
-         * @return {Promise<void>} Empty promise
-         */
-        clear() {
-          return e.token = void 0, e.user = void 0, Promise.resolve(void 0);
-        }
-      };
-    }());
-  }
+import { createContext as H, useContext as L, useState as Q, useReducer as X, useRef as q, useMemo as M, useEffect as N, useCallback as y } from "react";
+import { jsx as V, Fragment as z } from "react/jsx-runtime";
+class Y {
+  /**
+   * This function generate a encapsulation function to store
+   * the user and token information in a secure way disabled the
+   * access from the outside
+   * @see {https://medium.com/javascript-scene/encapsulation-in-javascript-26be60e325b4} Encapsulation
+   * @return {CacheStorage} Key for the token
+   */
+  generateCache = /* @__PURE__ */ (function() {
+    const e = {
+      token: void 0,
+      user: void 0
+    };
+    return {
+      /**
+       * Get token store in cache
+       * @return {Promise<TIDAuthToken | undefined>} Token store in memory
+       */
+      async getToken() {
+        return e.token;
+      },
+      /**
+       * Get user store in cache
+       * @return {Promise<TIDUser | undefined>} User store in memory
+       */
+      async getUser() {
+        return e.user;
+      },
+      /**
+       * Store token in cache
+       * @param {TIDAuthToken} token - Token that you want to store in cache
+       * @return {Promise<void>} Empty promise
+       */
+      async storeToken(t) {
+        e.token = t;
+      },
+      /**
+       * Store user in cache
+       * @param {TIDUser} user - User that you want to store in cache
+       * @return {Promise<void>} Empty promise
+       */
+      async storeUser(t) {
+        e.user = t;
+      },
+      /**
+       * The clear the cache from the storage
+       * @return {Promise<void>} Empty promise
+       */
+      clear() {
+        return e.token = void 0, e.user = void 0, Promise.resolve(void 0);
+      }
+    };
+  })();
 }
-class ee {
+class Z {
+  /**
+   * Cache option selected
+   * @type {CacheStorage}
+   */
+  cacheStorage;
   constructor() {
-    /**
-     * Cache option selected
-     * @type {CacheStorage}
-     */
-    c(this, "cacheStorage");
-    this.cacheStorage = new j().generateCache;
+    this.cacheStorage = new Y().generateCache;
   }
   /**
    * Store token in cache
@@ -109,41 +104,42 @@ class ee {
     await this.cacheStorage.clear();
   }
 }
-const x = 5 * 6e4, te = ["code", "state"], A = (i) => i.split("?")[0], ie = (i) => i.split("?")[1], b = (i) => {
-  let e = i;
-  if (!i.startsWith("?"))
+const x = 5 * 6e4, j = ["code", "state"], A = 600 * 1e3, U = (o) => o.split("?")[0], ee = (o) => o.split("?")[1], b = (o) => {
+  let e = o;
+  if (!o.startsWith("?"))
     try {
-      e = new URL(i).search;
+      e = new URL(o).search;
     } catch {
     }
   return new URLSearchParams(e);
-}, ne = (i = window.location.href, e) => {
+}, te = (o = window.location.href, e) => {
   if (e != null) {
-    const n = A(e), r = A(i ?? "");
-    if (n !== r)
+    const r = U(e), n = U(o ?? "");
+    if (r !== n)
       return !1;
   }
-  const t = b(i);
-  for (const n of te)
-    if (!t.has(n))
+  const t = b(o);
+  for (const r of j)
+    if (!t.has(r))
       return !1;
   return !0;
-}, re = (i) => ({
-  id: i.sub,
-  name: `${i.given_name} ${i.family_name}`,
-  given_name: i.given_name,
-  family_name: i.family_name,
-  picture: i.picture,
-  email: i.email,
-  email_verified: i.email_verified
-}), se = "@TID_COOKIE";
-class oe {
+}, oe = (o) => ({
+  id: o.sub,
+  name: `${o.given_name} ${o.family_name}`,
+  given_name: o.given_name,
+  family_name: o.family_name,
+  picture: o.picture,
+  email: o.email,
+  email_verified: o.email_verified,
+  ...o.account_id && { account_id: o.account_id }
+}), re = "@TID_COOKIE";
+class ne {
   /**
    * Retrieve a cookie from the browser
    * @param {string} key - Key to retrieve the cookies
    */
   get(e) {
-    const t = w.get(e);
+    const t = m.get(e);
     if (t == null)
       throw new Error("Cookie not found");
     return JSON.parse(t);
@@ -158,12 +154,12 @@ class oe {
    * @example Save cookies with a custom domain
    * cookiesStorage.set('key',{data:{...}},{domain:'https://example.com/subpath'})
    */
-  set(e, t, n) {
-    let r = {};
-    window.location.protocol === "https:" && (r = {
+  set(e, t, r) {
+    let n = {};
+    window.location.protocol === "https:" && (n = {
       secure: !0,
       sameSite: "none"
-    }), n != null && n.expires && (r.expires = n.expires), n != null && n.domain && (r.domain = n.domain), w.set(e, JSON.stringify(t), r);
+    }), r?.expires && (n.expires = r.expires), r?.domain && (n.domain = r.domain), m.set(e, JSON.stringify(t), n);
   }
   /**
    * Remove a cookie from the browser
@@ -175,37 +171,52 @@ class oe {
    * cookiesStorage.remove('key',{domain:'https://example.com/subpath'})
    */
   remove(e, t) {
-    const n = {};
-    t != null && t.domain && (n.domain = t.domain), w.remove(e, n);
+    const r = {};
+    t?.domain && (r.domain = t.domain), m.remove(e, r);
   }
 }
-class ae {
+class ie {
+  /**
+   * Cookie full key to store and retrieve the information from cookies
+   * @type {string}
+   */
+  cookieKey;
+  /**
+   * Cookie storage. This object contain all functions necessary to retrieve and store tokens using cookies
+   * @type {CookiesStorage}
+   */
+  cookiesStorage;
   /**
    * Create a cookies manager to extract or save cookies in the browser
    * @param {CookiesManagerOptions} options - Configuration for the managing the cookies
    */
   constructor(e) {
-    /**
-     * Cookie full key to store and retrieve the information from cookies
-     * @type {string}
-     */
-    c(this, "cookieKey");
-    /**
-     * Cookie storage. This object contain all functions necessary to retrieve and store tokens using cookies
-     * @type {CookiesStorage}
-     */
-    c(this, "cookiesStorage");
-    this.cookieKey = `${se}.${e.clientId}`, this.cookiesStorage = new oe();
+    this.cookieKey = `${re}.${e.clientId}`, this.cookiesStorage = new ne();
   }
   /**
    * Store cookies in the browser
-   * @param {CookieValue} value - information to store
+   * @param {Partial<CookieValue>} value - information to store
    */
   save(e) {
-    this.cookiesStorage.set(this.cookieKey, e, {
+    const r = { ...this.get() || {}, ...e };
+    this.cookiesStorage.set(this.cookieKey, r, {
       expires: 1
     });
   }
+  /**
+   * Retrieve state payload from cookies
+   * @return {string | undefined} - State payload from cookies
+   */
+  getStatePayload() {
+    return this.get()?.state_payload;
+  }
+  /**
+   * Clear state payload from cookies
+   */
+  clearStatePayload() {
+    const e = this.get();
+    e && (delete e.state_payload, this.cookiesStorage.set(this.cookieKey, e, { expires: 1 }));
+  }
   /**
    * Retrieve cookies in the browser
    * @return {CookieValue | undefined}  - Cookies from the browser
@@ -224,70 +235,79 @@ class ae {
     this.cookiesStorage.remove(this.cookieKey);
   }
 }
-class U extends Error {
-}
 class O extends Error {
 }
-class ce extends Error {
+class D extends Error {
 }
-const d = "@trimble-oss/trimble-id-react", h = "1.0.0", le = {
+class ae extends Error {
+}
+const u = "@trimble-oss/trimble-id-react", g = "1.0.2-rc1", se = {
   configurationEndpoint: "",
   clientId: "",
   redirectUrl: "",
   logoutRedirectUrl: "",
   scopes: []
 };
-class de {
+class ce {
+  /**
+   * Token provider SDK. This object handles all necessary communication with TID
+   * @type {AuthorizationCodeGrantTokenProvider}
+   */
+  tokenProvider;
+  /**
+   * This object manage all caching, and all configurations necessary
+   * @type {CacheManager}
+   */
+  cacheManager;
+  /**
+   * This object manage all cookies administration, and all configurations necessary
+   * @type {CookiesManager}
+   */
+  cookiesManager;
+  /**
+   * Client id of the application created in trimble developer console
+   * @type {string}
+   */
+  clientId;
+  /**
+   * Callback url to redirect the user after the authentication is successful
+   * @type {string}
+   */
+  redirectUrl;
   /**
    * Create a TID client to handle manage all user authentication functions and information
    * @param {CacheManagerOptions} props - TID client configuration
    */
   constructor(e) {
-    /**
-     * Token provider SDK. This object handles all necessary communication with TID
-     * @type {AuthorizationCodeGrantTokenProvider}
-     */
-    c(this, "tokenProvider");
-    /**
-     * This object manage all caching, and all configurations necessary
-     * @type {CacheManager}
-     */
-    c(this, "cacheManager");
-    /**
-     * This object manage all cookies administration, and all configurations necessary
-     * @type {CookiesManager}
-     */
-    c(this, "cookiesManager");
-    /**
-     * Client id of the application created in trimble developer console
-     * @type {string}
-     */
-    c(this, "clientId");
-    /**
-     * Callback url to redirect the user after the authentication is successful
-     * @type {string}
-     */
-    c(this, "redirectUrl");
-    /**
-      * AnalyticsHttpClient for sending events
-      * @type {AnalyticsHttpClient}
-      */
-    c(this, "analyticshttpclient");
-    const { config: t = le } = e;
+    const { config: t = se } = e;
     if (this.redirectUrl = t.redirectUrl, t.configurationEndpoint == null || t.configurationEndpoint == "")
       throw new Error("Configuration endpoint not defined");
     if (t.clientId == null || t.clientId == "")
       throw new Error("Consumer key is not defined");
-    this.cookiesManager = new ae({
+    this.cookiesManager = new ie({
       clientId: t.clientId
     });
-    const n = this.cookiesManager.get(), r = new $(t.configurationEndpoint);
-    let a = new R(
-      r,
+    const r = this.cookiesManager.get(), n = new $(t.configurationEndpoint);
+    let i = new R(
+      n,
       t.clientId,
       t.redirectUrl
     ).WithScopes(t.scopes);
-    t.logoutRedirectUrl && (a = a.WithLogoutRedirect(t.logoutRedirectUrl)), (n == null ? void 0 : n.code_verifier) != null && (a = a.WithProofKeyForCodeExchange(n.code_verifier)), this.tokenProvider = a, this.cacheManager = new ee(), this.clientId = t.clientId, this.analyticshttpclient = H, this.analyticshttpclient.sendInitEvent("TIDClient", this.clientId, d, h);
+    t.logoutRedirectUrl && (i = i.WithLogoutRedirect(t.logoutRedirectUrl)), r?.code_verifier != null && (i = i.WithProofKeyForCodeExchange(r.code_verifier)), this.tokenProvider = i, this.cacheManager = new Z(), this.clientId = t.clientId, h.sendInitEvent("TIDClient", this.clientId, u, g), this.cleanupExpiredState();
+  }
+  /**
+   * Clean up expired state payloads to prevent storage bloat
+   */
+  cleanupExpiredState() {
+    try {
+      const e = this.cookiesManager.getStatePayload();
+      if (e) {
+        const t = atob(e), r = JSON.parse(t);
+        Date.now() - r.timestamp > A && this.cookiesManager.clearStatePayload();
+      }
+    } catch {
+      this.cookiesManager.clearStatePayload();
+    }
   }
   /**
    * Redirect the user to TID using the browser
@@ -296,23 +316,27 @@ class de {
    * @example No configuration
    * loginWithRedirect()
    * // Automatically redirects the user to TID with all necessary parameters
+   * // After authentication, user will be redirected back to the current page
    * @example Custom redirect
    * loginWithRedirect({onRedirect: (url) => router.navigate(url)})
    * // Redirect calls onRedirect with the log-out url for TID
    * // So it can be handled by the developer
    */
   async loginWithRedirect(e) {
-    this.analyticshttpclient.sendMethodEvent(this.loginWithRedirect.name, this.clientId, d, h);
-    const { onRedirect: t } = e || {}, n = R.GenerateCodeVerifier();
-    this.cookiesManager.save({ code_verifier: n }), this.tokenProvider = this.tokenProvider.WithProofKeyForCodeExchange(n);
-    const r = await this.tokenProvider.GetOAuthRedirect("state");
-    t != null ? t(r) : window.location.assign(r);
+    h.sendMethodEvent(this.loginWithRedirect.name, this.clientId, u, g);
+    const { onRedirect: t } = e || {}, r = window.location.pathname + window.location.search, n = this.createStatePayload(r);
+    this.cookiesManager.save({ state_payload: n });
+    const i = R.GenerateCodeVerifier();
+    this.cookiesManager.save({ code_verifier: i }), this.tokenProvider = this.tokenProvider.WithProofKeyForCodeExchange(i);
+    const c = await this.tokenProvider.GetOAuthRedirect(n);
+    t != null ? t(c) : window.location.assign(c);
   }
   /**
    * Authenticated the user using the url callback params
    * @param {string} url - Custom configuration for the redirection
-   * @return {Promise<AuthState>} Object contain the state returned from TID
+   * @return {Promise<AuthState>} Object contain the state returned from TID and redirect path
    * @throws {CodeVerifierNotFoundException} Will throw an exception if the session doesn't contain the code verifier
+   * @throws {Error} Will throw an exception if state validation fails or replay attack is detected
    * @example No configuration
    * handleCallback()
    * // Will automatically take the url from the browser and try to log in the user
@@ -322,11 +346,14 @@ class de {
    */
   async handleCallback(e = window.location.href) {
     const t = this.cookiesManager.get();
-    if (t == null || (t == null ? void 0 : t.code_verifier) == null)
-      throw new ce("Code verifier not available");
-    const n = ie(e), r = b(e), a = r.get("identity_provider") ?? "", g = r.get("state") ?? "";
-    return await this.tokenProvider.ValidateQuery(n), await this.generateToken(a), {
-      authState: g
+    if (t == null || t?.code_verifier == null)
+      throw new ae("Code verifier not available");
+    const r = ee(e), n = b(e), i = n.get("identity_provider") ?? "", c = n.get("state") ?? "", d = this.validateStatePayload(c);
+    if (!d.isValid)
+      throw new Error(`State validation failed: ${d.error}`);
+    return await this.tokenProvider.ValidateQuery(r), await this.generateToken(i), {
+      authState: c,
+      returnTo: d.redirectTo
     };
   }
   /**
@@ -335,32 +362,81 @@ class de {
    * @return {Promise<void>} Empty promise
    */
   async generateToken(e) {
-    var s, f;
-    const t = await this.tokenProvider.RetrieveToken(), n = await this.tokenProvider.RetrieveRefreshToken(), r = await this.tokenProvider.RetrieveIdToken(), a = await this.tokenProvider.RetrieveTokenExpiry(), k = new Date(a).getTime(), v = (f = (s = this.tokenProvider) == null ? void 0 : s._scopes) == null ? void 0 : f.join(" ");
+    const t = await this.tokenProvider.RetrieveToken(), r = await this.tokenProvider.RetrieveRefreshToken(), n = await this.tokenProvider.RetrieveIdToken(), i = await this.tokenProvider.RetrieveTokenExpiry(), d = new Date(i).getTime(), k = this.tokenProvider?._scopes?.join(" ");
     await this.cacheManager.setToken({
-      scope: v,
+      scope: k,
       state: "",
       session_state: "",
       identity_provider: e,
       token_type: "bearer",
       access_token: t,
-      refresh_token: n,
-      id_token: r,
-      expires_at: k
+      refresh_token: r,
+      id_token: n,
+      expires_at: d
     });
-    const m = J(r), T = re(m);
-    await this.cacheManager.setUser(T), await this.reloadCodeVerifier();
+    const v = J(n), p = oe(v);
+    await this.cacheManager.setUser(p), await this.reloadCodeVerifier();
   }
   async reloadCodeVerifier() {
     const e = await this.tokenProvider.RetrieveCodeVerifier();
     this.cookiesManager.save({ code_verifier: e }), this.tokenProvider = this.tokenProvider.WithProofKeyForCodeExchange(e);
   }
+  /**
+   * Create and encode state payload for replay attack protection
+   * @param {string} redirectTo - Path to redirect to after authentication
+   * @return {string} - Base64 encoded state payload
+   */
+  createStatePayload(e) {
+    const t = this.generateNonce(), r = Date.now();
+    return btoa(JSON.stringify({
+      redirectTo: e,
+      timestamp: r,
+      nonce: t
+    }));
+  }
+  /**
+   * Generate a random nonce for state validation
+   * @return {string} - Random nonce
+   */
+  generateNonce() {
+    const e = new Uint8Array(16);
+    return crypto.getRandomValues(e), Array.from(e, (t) => t.toString(16).padStart(2, "0")).join("");
+  }
+  /**
+   * Validate state payload to prevent replay attacks
+   * @param {string} receivedState - State received from OAuth callback
+   * @return {StateValidationResult} - Validation result with redirect path if valid
+   */
+  validateStatePayload(e) {
+    try {
+      if (!e || e.trim() === "")
+        return { isValid: !1, error: "Empty state parameter" };
+      const t = this.cookiesManager.getStatePayload();
+      if (!t)
+        return { isValid: !1, error: "No stored state found" };
+      const r = atob(e), n = JSON.parse(r), i = atob(t), c = JSON.parse(i);
+      if (!n.nonce || !n.timestamp || !n.redirectTo)
+        return { isValid: !1, error: "Invalid state payload structure" };
+      if (n.nonce !== c.nonce)
+        return { isValid: !1, error: "State nonce mismatch" };
+      const k = Date.now() - n.timestamp;
+      return k > A ? { isValid: !1, error: "State expired - possible replay attack" } : k < 0 ? {
+        isValid: !1,
+        error: "State timestamp is in the future - possible replay attack"
+      } : (this.cookiesManager.clearStatePayload(), {
+        isValid: !0,
+        redirectTo: n.redirectTo
+      });
+    } catch {
+      return { isValid: !1, error: "Invalid state format" };
+    }
+  }
   /**
    * Return the user stored in cache
    * @return {Promise<TIDUser | undefined>} User in cache
    */
   async getUser() {
-    return this.analyticshttpclient.sendMethodEvent(this.getUser.name, this.clientId, d, h), await this.cacheManager.getUser();
+    return h.sendMethodEvent(this.getUser.name, this.clientId, u, g), await this.cacheManager.getUser();
   }
   /**
    * Gets the access token from cache. If the token already expired,
@@ -370,46 +446,75 @@ class de {
    * @throws {TokenExpiredException} Will throw an exception if the user token expired
    */
   async getAccessTokenSilently() {
-    this.analyticshttpclient.sendMethodEvent(this.getAccessTokenSilently.name, this.clientId, d, h);
+    h.sendMethodEvent(
+      this.getAccessTokenSilently.name,
+      this.clientId,
+      u,
+      g
+    );
     let e = await this.cacheManager.getToken();
     if (e == null)
-      throw this.analyticshttpclient.sendExceptionEvent(this.getAccessTokenSilently.name, "No token available", this.clientId, d, h), new O("No token available");
+      throw h.sendExceptionEvent(
+        this.getAccessTokenSilently.name,
+        "No token available",
+        this.clientId,
+        u,
+        g
+      ), new D("No token available");
     const t = new Date((/* @__PURE__ */ new Date()).getTime() + x);
-    if ((e == null ? void 0 : e.expires_at) == null || (e == null ? void 0 : e.expires_at) < t.getTime()) {
+    if (e?.expires_at == null || e?.expires_at < t.getTime()) {
       try {
         await this.tokenProvider.RetrieveToken();
-      } catch (n) {
-        throw this.analyticshttpclient.sendExceptionEvent(this.getAccessTokenSilently.name, n.message, this.clientId, d, h), new U(n.message);
+      } catch (r) {
+        throw h.sendExceptionEvent(
+          this.getAccessTokenSilently.name,
+          r.message,
+          this.clientId,
+          u,
+          g
+        ), new O(r.message);
       }
-      await this.generateToken((e == null ? void 0 : e.identity_provider) ?? ""), e = await this.cacheManager.getToken();
+      await this.generateToken(e?.identity_provider ?? ""), e = await this.cacheManager.getToken();
     }
-    return (e == null ? void 0 : e.access_token) || "";
+    return e?.access_token || "";
   }
   /**
    * Retrieves token details from the cache, including the access token, ID token, and expiration time.
-   * If the token already expired, will try to refresh it using the refresh token. 
+   * If the token already expired, will try to refresh it using the refresh token.
    * @return {Promise<TokenResponse>} Token response
    * @throws {TokenNotFoundException} Will throw an exception if there are no tokens in cache
    * @throws {TokenExpiredException} Will throw an exception if the user token expired
    */
   async getTokens() {
-    this.analyticshttpclient.sendMethodEvent(this.getTokens.name, this.clientId, d, h);
+    h.sendMethodEvent(this.getTokens.name, this.clientId, u, g);
     let e = await this.cacheManager.getToken();
     if (e == null)
-      throw this.analyticshttpclient.sendExceptionEvent(this.getTokens.name, "No token available", this.clientId, d, h), new O("No token available");
+      throw h.sendExceptionEvent(
+        this.getTokens.name,
+        "No token available",
+        this.clientId,
+        u,
+        g
+      ), new D("No token available");
     const t = new Date((/* @__PURE__ */ new Date()).getTime() + x);
-    if ((e == null ? void 0 : e.expires_at) == null || (e == null ? void 0 : e.expires_at) < t.getTime()) {
+    if (e?.expires_at == null || e?.expires_at < t.getTime()) {
       try {
         await this.tokenProvider.RetrieveToken();
-      } catch (n) {
-        throw this.analyticshttpclient.sendExceptionEvent(this.getTokens.name, n.message, this.clientId, d, h), new U(n.message);
+      } catch (r) {
+        throw h.sendExceptionEvent(
+          this.getTokens.name,
+          r.message,
+          this.clientId,
+          u,
+          g
+        ), new O(r.message);
       }
-      await this.generateToken((e == null ? void 0 : e.identity_provider) ?? ""), e = await this.cacheManager.getToken();
+      await this.generateToken(e?.identity_provider ?? ""), e = await this.cacheManager.getToken();
     }
     return {
-      access_token: (e == null ? void 0 : e.access_token) || "",
-      expires_at: (e == null ? void 0 : e.expires_at) || 0,
-      id_token: (e == null ? void 0 : e.id_token) || ""
+      access_token: e?.access_token || "",
+      expires_at: e?.expires_at || 0,
+      id_token: e?.id_token || ""
     };
   }
   /**
@@ -425,13 +530,13 @@ class de {
    * // So it can be handled by the developer
    */
   async logout(e) {
-    this.analyticshttpclient.sendMethodEvent(this.logout.name, this.clientId, d, h);
-    const { onRedirect: t, disabledAutoRedirect: n } = e || {};
+    h.sendMethodEvent(this.logout.name, this.clientId, u, g);
+    const { onRedirect: t, disabledAutoRedirect: r } = e || {};
     this.cacheManager && await this.cacheManager.clear(), this.cookiesManager && this.cookiesManager.clear();
-    const r = await this.tokenProvider.GetOAuthLogoutRedirect("state");
+    const n = await this.tokenProvider.GetOAuthLogoutRedirect("state");
     if (t != null)
-      return t(r);
-    n || window.location.assign(r);
+      return t(n);
+    r || window.location.assign(n);
   }
   /**
    * Check if the user still has a valid session
@@ -460,15 +565,15 @@ class de {
     const e = await this.cacheManager.getToken();
     if (e == null)
       return;
-    const t = e.access_token, n = e.refresh_token || "", r = e.id_token, a = e.expires_at;
-    this.tokenProvider = this.tokenProvider.WithAccessToken(t, a).WithRefreshToken(n).WithIdToken(r);
+    const t = e.access_token, r = e.refresh_token || "", n = e.id_token, i = e.expires_at;
+    this.tokenProvider = this.tokenProvider.WithAccessToken(t, i).WithRefreshToken(r).WithIdToken(n);
   }
   /**
    * Get a http bearer token client to use it for another SDK (Ex: Processing framework)
    * @return {any} - BearerTokenHttpClientProvider
    */
   getBearerTokenHttpClient(e) {
-    return new Q(this.tokenProvider, e);
+    return new B(this.tokenProvider, e);
   }
   /**
    * Get the redirect url to TID
@@ -478,11 +583,11 @@ class de {
     return this.redirectUrl;
   }
 }
-const E = q(null), W = () => L(E) ?? {}, he = (i, e) => {
+const T = H(null), K = () => L(T) ?? {}, de = (o, e) => {
   switch (e.type) {
     case "INIT":
       return {
-        ...i,
+        ...o,
         isLoading: !1,
         isAuthenticated: e.user != null,
         user: e.user,
@@ -492,7 +597,7 @@ const E = q(null), W = () => L(E) ?? {}, he = (i, e) => {
     case "HANDLE_CALLBACK_COMPLETE":
     case "GET_ACCESS_TOKEN_COMPLETE":
       return {
-        ...i,
+        ...o,
         isLoading: !1,
         isAuthenticated: e.user != null,
         user: e.user,
@@ -500,136 +605,134 @@ const E = q(null), W = () => L(E) ?? {}, he = (i, e) => {
       };
     case "LOGOUT":
       return {
-        ...i,
+        ...o,
         isAuthenticated: !1,
         user: void 0
       };
     case "ERROR":
       return {
-        ...i,
+        ...o,
         isLoading: !1,
         error: e.error
       };
   }
-}, ue = {
+}, le = {
   isLoading: !0,
   isAuthenticated: !1
-}, ge = (i) => {
-  if (i == null || Object.keys(i).length <= 0)
+}, he = (o) => {
+  if (o == null || Object.keys(o).length <= 0)
     return !0;
-  const e = Object.keys(i);
+  const e = Object.keys(o);
   for (const t of e)
-    if (i[t] != null && i[t] !== "")
+    if (o[t] != null && o[t] !== "")
       return !1;
   return !0;
-}, ke = (i) => !ge(i.config), fe = (i) => {
+}, ue = (o) => !he(o.config), ge = (o) => {
   const {
     children: e,
     configurationEndpoint: t,
-    clientId: n,
-    redirectUrl: r,
-    logoutRedirectUrl: a,
-    scopes: g,
-    onRedirectCallback: k,
-    checkRedirectUrlMatch: v
-  } = i;
-  if (L(E) != null)
+    clientId: r,
+    redirectUrl: n,
+    logoutRedirectUrl: i,
+    scopes: c,
+    onRedirectCallback: d,
+    checkRedirectUrlMatch: k
+  } = o;
+  if (L(T) != null)
     throw new Error("TID Provider already defined");
-  const T = {
+  const p = {
     config: {
       configurationEndpoint: t ?? "",
-      clientId: n ?? "",
-      redirectUrl: r ?? "",
-      logoutRedirectUrl: a ?? "",
-      scopes: g ?? [""]
+      clientId: r ?? "",
+      redirectUrl: n ?? "",
+      logoutRedirectUrl: i ?? "",
+      scopes: c ?? [""]
     }
-  }, [s] = z(i.tidClient ?? new de(T)), [f, u] = X(he, ue), p = Y(!1), N = M(
-    () => v ? s.getRedirectUrl() : void 0,
-    [v, s]
+  }, [a] = Q(o.tidClient ?? new ce(p)), [w, f] = X(de, le), E = q(!1), W = M(
+    () => k ? a.getRedirectUrl() : void 0,
+    [k, a]
   );
-  D(() => {
-    p.current || (i.tidClient != null && ke({
+  N(() => {
+    E.current || (o.tidClient != null && ue({
       config: {
         configurationEndpoint: t,
-        clientId: n,
-        redirectUrl: r,
-        logoutRedirectUrl: a,
-        scopes: g
+        clientId: r,
+        redirectUrl: n,
+        logoutRedirectUrl: i,
+        scopes: c
       }
     }) && console.warn(
       "When TID client is pass as prop, any client configuration property sent directly to the TID Provider component will be ignored"
-    ), p.current = !0, (async () => {
+    ), E.current = !0, (async () => {
       try {
-        let o;
-        if (ne(void 0, N)) {
-          const { authState: l } = await s.handleCallback();
-          o = await s.getUser(), k != null && k(l);
+        let s;
+        if (te(void 0, W)) {
+          const l = await a.handleCallback();
+          s = await a.getUser(), d?.(l);
         } else
-          await s.loadUserSession(), o = await s.getUser();
-        u({ type: "INIT", user: o });
-      } catch (o) {
-        let l = o;
-        typeof o == "string" && (l = new Error(o)), u({ type: "ERROR", error: l });
+          await a.loadUserSession(), s = await a.getUser();
+        f({ type: "INIT", user: s });
+      } catch (s) {
+        let l = s;
+        typeof s == "string" && (l = new Error(s)), f({ type: "ERROR", error: l });
       }
     })());
-  }, [s, k]);
-  const _ = y(async () => {
-    const o = await s.getAccessTokenSilently(), l = await s.getUser();
-    return u({
+  }, [a, d]);
+  const S = y(async () => {
+    const s = await a.getAccessTokenSilently(), l = await a.getUser();
+    return f({
       type: "GET_ACCESS_TOKEN_COMPLETE",
       user: l
-    }), o;
-  }, [s]), C = y(async () => {
-    const o = await s.getTokens(), l = await s.getUser();
-    return u({
+    }), s;
+  }, [a]), _ = y(async () => {
+    const s = await a.getTokens(), l = await a.getUser();
+    return f({
       type: "GET_TOKENS_COMPLETE",
       user: l
-    }), o;
-  }, [s]), S = y(
-    async (o) => {
-      await s.loginWithRedirect(o);
+    }), s;
+  }, [a]), P = y(
+    async (s) => {
+      await a.loginWithRedirect(s);
     },
-    [s]
-  ), I = y(
-    async (o) => {
-      await s.logout(o), (o == null ? void 0 : o.disabledAutoRedirect) != null && o.disabledAutoRedirect && u({
+    [a]
+  ), C = y(
+    async (s) => {
+      await a.logout(s), s?.disabledAutoRedirect != null && s.disabledAutoRedirect && f({
         type: "LOGOUT"
       });
     },
-    [s]
-  ), P = y(
-    async (o) => {
-      const { authState: l } = await s.handleCallback(o), V = await s.getUser();
-      return u({
+    [a]
+  ), I = y(
+    async (s) => {
+      const l = await a.handleCallback(s), F = await a.getUser();
+      return f({
         type: "HANDLE_CALLBACK_COMPLETE",
-        user: V
-      }), {
-        authState: l
-      };
+        user: F
+      }), l;
     },
-    [s]
+    [a]
   ), G = M(
     () => ({
-      ...f,
-      getAccessTokenSilently: _,
-      getTokens: C,
-      loginWithRedirect: S,
-      handleCallback: P,
-      logout: I
+      ...w,
+      getAccessTokenSilently: S,
+      getTokens: _,
+      loginWithRedirect: P,
+      handleCallback: I,
+      logout: C
     }),
-    [f, _, C, S, P, I]
+    [w, S, _, P, I, C]
   );
-  return /* @__PURE__ */ K(E.Provider, { value: G, children: e });
-}, me = W, pe = fe, _e = ({ renderComponent: i, loader: e }) => {
-  const { isAuthenticated: t, isLoading: n, loginWithRedirect: r } = W();
-  return D(() => {
-    !n && !t && (async () => await r())();
-  }, [n, t, r]), t ? i : e || /* @__PURE__ */ K(Z, {});
+  return /* @__PURE__ */ V(T.Provider, { value: G, children: e });
+}, me = K, Te = ge, ve = ({ renderComponent: o, loader: e }) => {
+  const { isAuthenticated: t, isLoading: r, loginWithRedirect: n } = K();
+  return N(() => {
+    !r && !t && (async () => await n())();
+  }, [r, t, n]), t ? o : e || /* @__PURE__ */ V(z, {});
 };
 export {
-  _e as AuthenticationGuard,
-  de as TIDClient,
-  E as TIDContext,
-  pe as TIDProvider,
+  ve as AuthenticationGuard,
+  ce as TIDClient,
+  T as TIDContext,
+  Te as TIDProvider,
   me as useAuth
 };

package/dist/trimble-id-react.umd.js

@@ -1 +1 @@
-(function(o,c){typeof exports=="object"&&typeof module<"u"?c(exports,require("@trimble-oss/trimble-id"),require("es-cookie"),require("jwt-decode"),require("react"),require("react/jsx-runtime")):typeof define=="function"&&define.amd?define(["exports","@trimble-oss/trimble-id","es-cookie","jwt-decode","react","react/jsx-runtime"],c):(o=typeof globalThis<"u"?globalThis:o||self,c(o.ReactTID={},o.trimbleId,o.esCookie,o.jwt_decode,o.React,o.jsxRuntime))})(this,function(o,c,k,W,l,p){"use strict";var le=Object.defineProperty;var de=(o,c,k)=>c in o?le(o,c,{enumerable:!0,configurable:!0,writable:!0,value:k}):o[c]=k;var h=(o,c,k)=>(de(o,typeof c!="symbol"?c+"":c,k),k);function G(i){const e=Object.create(null,{[Symbol.toStringTag]:{value:"Module"}});if(i){for(const t in i)if(t!=="default"){const n=Object.getOwnPropertyDescriptor(i,t);Object.defineProperty(e,t,n.get?n:{enumerable:!0,get:()=>i[t]})}}return e.default=i,Object.freeze(e)}const C=G(k);class V{constructor(){h(this,"generateCache",function(){const e={token:void 0,user:void 0};return{async getToken(){return e.token},async getUser(){return e.user},async storeToken(t){e.token=t},async storeUser(t){e.user=t},clear(){return e.token=void 0,e.user=void 0,Promise.resolve(void 0)}}}())}}class F{constructor(){h(this,"cacheStorage");this.cacheStorage=new V().generateCache}async setToken(e){await this.cacheStorage.storeToken(e)}async setUser(e){await this.cacheStorage.storeUser(e)}async getUser(){return this.cacheStorage.getUser()}async getToken(){return this.cacheStorage.getToken()}async clear(){await this.cacheStorage.clear()}}const S=5*6e4,j=["code","state"],P=i=>i.split("?")[0],q=i=>i.split("?")[1],I=i=>{let e=i;if(!i.startsWith("?"))try{e=new URL(i).search}catch{}return new URLSearchParams(e)},B=(i=window.location.href,e)=>{if(e!=null){const n=P(e),r=P(i??"");if(n!==r)return!1}const t=I(i);for(const n of j)if(!t.has(n))return!1;return!0},$=i=>({id:i.sub,name:`${i.given_name} ${i.family_name}`,given_name:i.given_name,family_name:i.family_name,picture:i.picture,email:i.email,email_verified:i.email_verified}),H="@TID_COOKIE";class z{get(e){const t=C.get(e);if(t==null)throw new Error("Cookie not found");return JSON.parse(t)}set(e,t,n){let r={};window.location.protocol==="https:"&&(r={secure:!0,sameSite:"none"}),n!=null&&n.expires&&(r.expires=n.expires),n!=null&&n.domain&&(r.domain=n.domain),C.set(e,JSON.stringify(t),r)}remove(e,t){const n={};t!=null&&t.domain&&(n.domain=t.domain),C.remove(e,n)}}class Q{constructor(e){h(this,"cookieKey");h(this,"cookiesStorage");this.cookieKey=`${H}.${e.clientId}`,this.cookiesStorage=new z}save(e){this.cookiesStorage.set(this.cookieKey,e,{expires:1})}get(){try{return this.cookiesStorage.get(this.cookieKey)}catch{return}}clear(){this.cookiesStorage.remove(this.cookieKey)}}class R extends Error{}class M extends Error{}class J extends Error{}const u="@trimble-oss/trimble-id-react",g="1.0.0",X={configurationEndpoint:"",clientId:"",redirectUrl:"",logoutRedirectUrl:"",scopes:[]};class x{constructor(e){h(this,"tokenProvider");h(this,"cacheManager");h(this,"cookiesManager");h(this,"clientId");h(this,"redirectUrl");h(this,"analyticshttpclient");const{config:t=X}=e;if(this.redirectUrl=t.redirectUrl,t.configurationEndpoint==null||t.configurationEndpoint=="")throw new Error("Configuration endpoint not defined");if(t.clientId==null||t.clientId=="")throw new Error("Consumer key is not defined");this.cookiesManager=new Q({clientId:t.clientId});const n=this.cookiesManager.get(),r=new c.OpenIdEndpointProvider(t.configurationEndpoint);let d=new c.AuthorizationCodeGrantTokenProvider(r,t.clientId,t.redirectUrl).WithScopes(t.scopes);t.logoutRedirectUrl&&(d=d.WithLogoutRedirect(t.logoutRedirectUrl)),(n==null?void 0:n.code_verifier)!=null&&(d=d.WithProofKeyForCodeExchange(n.code_verifier)),this.tokenProvider=d,this.cacheManager=new F,this.clientId=t.clientId,this.analyticshttpclient=c.AnalyticsHttpClient,this.analyticshttpclient.sendInitEvent("TIDClient",this.clientId,u,g)}async loginWithRedirect(e){this.analyticshttpclient.sendMethodEvent(this.loginWithRedirect.name,this.clientId,u,g);const{onRedirect:t}=e||{},n=c.AuthorizationCodeGrantTokenProvider.GenerateCodeVerifier();this.cookiesManager.save({code_verifier:n}),this.tokenProvider=this.tokenProvider.WithProofKeyForCodeExchange(n);const r=await this.tokenProvider.GetOAuthRedirect("state");t!=null?t(r):window.location.assign(r)}async handleCallback(e=window.location.href){const t=this.cookiesManager.get();if(t==null||(t==null?void 0:t.code_verifier)==null)throw new J("Code verifier not available");const n=q(e),r=I(e),d=r.get("identity_provider")??"",T=r.get("state")??"";return await this.tokenProvider.ValidateQuery(n),await this.generateToken(d),{authState:T}}async generateToken(e){var s,w;const t=await this.tokenProvider.RetrieveToken(),n=await this.tokenProvider.RetrieveRefreshToken(),r=await this.tokenProvider.RetrieveIdToken(),d=await this.tokenProvider.RetrieveTokenExpiry(),v=new Date(d).getTime(),m=(w=(s=this.tokenProvider)==null?void 0:s._scopes)==null?void 0:w.join(" ");await this.cacheManager.setToken({scope:m,state:"",session_state:"",identity_provider:e,token_type:"bearer",access_token:t,refresh_token:n,id_token:r,expires_at:v});const U=W(r),_=$(U);await this.cacheManager.setUser(_),await this.reloadCodeVerifier()}async reloadCodeVerifier(){const e=await this.tokenProvider.RetrieveCodeVerifier();this.cookiesManager.save({code_verifier:e}),this.tokenProvider=this.tokenProvider.WithProofKeyForCodeExchange(e)}async getUser(){return this.analyticshttpclient.sendMethodEvent(this.getUser.name,this.clientId,u,g),await this.cacheManager.getUser()}async getAccessTokenSilently(){this.analyticshttpclient.sendMethodEvent(this.getAccessTokenSilently.name,this.clientId,u,g);let e=await this.cacheManager.getToken();if(e==null)throw this.analyticshttpclient.sendExceptionEvent(this.getAccessTokenSilently.name,"No token available",this.clientId,u,g),new M("No token available");const t=new Date(new Date().getTime()+S);if((e==null?void 0:e.expires_at)==null||(e==null?void 0:e.expires_at)<t.getTime()){try{await this.tokenProvider.RetrieveToken()}catch(n){throw this.analyticshttpclient.sendExceptionEvent(this.getAccessTokenSilently.name,n.message,this.clientId,u,g),new R(n.message)}await this.generateToken((e==null?void 0:e.identity_provider)??""),e=await this.cacheManager.getToken()}return(e==null?void 0:e.access_token)||""}async getTokens(){this.analyticshttpclient.sendMethodEvent(this.getTokens.name,this.clientId,u,g);let e=await this.cacheManager.getToken();if(e==null)throw this.analyticshttpclient.sendExceptionEvent(this.getTokens.name,"No token available",this.clientId,u,g),new M("No token available");const t=new Date(new Date().getTime()+S);if((e==null?void 0:e.expires_at)==null||(e==null?void 0:e.expires_at)<t.getTime()){try{await this.tokenProvider.RetrieveToken()}catch(n){throw this.analyticshttpclient.sendExceptionEvent(this.getTokens.name,n.message,this.clientId,u,g),new R(n.message)}await this.generateToken((e==null?void 0:e.identity_provider)??""),e=await this.cacheManager.getToken()}return{access_token:(e==null?void 0:e.access_token)||"",expires_at:(e==null?void 0:e.expires_at)||0,id_token:(e==null?void 0:e.id_token)||""}}async logout(e){this.analyticshttpclient.sendMethodEvent(this.logout.name,this.clientId,u,g);const{onRedirect:t,disabledAutoRedirect:n}=e||{};this.cacheManager&&await this.cacheManager.clear(),this.cookiesManager&&this.cookiesManager.clear();const r=await this.tokenProvider.GetOAuthLogoutRedirect("state");if(t!=null)return t(r);n||window.location.assign(r)}async checkSession(){try{await this.getAccessTokenSilently()}catch{return!1}return!0}async loadUserSession(){await this.loadCacheSessionIntoSDK(),await this.checkSession()||await this.cacheManager.clear()}async loadCacheSessionIntoSDK(){const e=await this.cacheManager.getToken();if(e==null)return;const t=e.access_token,n=e.refresh_token||"",r=e.id_token,d=e.expires_at;this.tokenProvider=this.tokenProvider.WithAccessToken(t,d).WithRefreshToken(n).WithIdToken(r)}getBearerTokenHttpClient(e){return new c.BearerTokenHttpClientProvider(this.tokenProvider,e)}getRedirectUrl(){return this.redirectUrl}}const E=l.createContext(null),A=()=>l.useContext(E)??{},Y=(i,e)=>{switch(e.type){case"INIT":return{...i,isLoading:!1,isAuthenticated:e.user!=null,user:e.user,error:void 0};case"GET_TOKENS_COMPLETE":case"HANDLE_CALLBACK_COMPLETE":case"GET_ACCESS_TOKEN_COMPLETE":return{...i,isLoading:!1,isAuthenticated:e.user!=null,user:e.user,error:void 0};case"LOGOUT":return{...i,isAuthenticated:!1,user:void 0};case"ERROR":return{...i,isLoading:!1,error:e.error}}},Z={isLoading:!0,isAuthenticated:!1},ee=i=>{if(i==null||Object.keys(i).length<=0)return!0;const e=Object.keys(i);for(const t of e)if(i[t]!=null&&i[t]!=="")return!1;return!0},te=i=>!ee(i.config),ie=i=>{const{children:e,configurationEndpoint:t,clientId:n,redirectUrl:r,logoutRedirectUrl:d,scopes:T,onRedirectCallback:v,checkRedirectUrlMatch:m}=i;if(l.useContext(E)!=null)throw new Error("TID Provider already defined");const _={config:{configurationEndpoint:t??"",clientId:n??"",redirectUrl:r??"",logoutRedirectUrl:d??"",scopes:T??[""]}},[s]=l.useState(i.tidClient??new x(_)),[w,y]=l.useReducer(Y,Z),O=l.useRef(!1),oe=l.useMemo(()=>m?s.getRedirectUrl():void 0,[m,s]);l.useEffect(()=>{O.current||(i.tidClient!=null&&te({config:{configurationEndpoint:t,clientId:n,redirectUrl:r,logoutRedirectUrl:d,scopes:T}})&&console.warn("When TID client is pass as prop, any client configuration property sent directly to the TID Provider component will be ignored"),O.current=!0,(async()=>{try{let a;if(B(void 0,oe)){const{authState:f}=await s.handleCallback();a=await s.getUser(),v!=null&&v(f)}else await s.loadUserSession(),a=await s.getUser();y({type:"INIT",user:a})}catch(a){let f=a;typeof a=="string"&&(f=new Error(a)),y({type:"ERROR",error:f})}})())},[s,v]);const D=l.useCallback(async()=>{const a=await s.getAccessTokenSilently(),f=await s.getUser();return y({type:"GET_ACCESS_TOKEN_COMPLETE",user:f}),a},[s]),b=l.useCallback(async()=>{const a=await s.getTokens(),f=await s.getUser();return y({type:"GET_TOKENS_COMPLETE",user:f}),a},[s]),L=l.useCallback(async a=>{await s.loginWithRedirect(a)},[s]),K=l.useCallback(async a=>{await s.logout(a),(a==null?void 0:a.disabledAutoRedirect)!=null&&a.disabledAutoRedirect&&y({type:"LOGOUT"})},[s]),N=l.useCallback(async a=>{const{authState:f}=await s.handleCallback(a),ce=await s.getUser();return y({type:"HANDLE_CALLBACK_COMPLETE",user:ce}),{authState:f}},[s]),ae=l.useMemo(()=>({...w,getAccessTokenSilently:D,getTokens:b,loginWithRedirect:L,handleCallback:N,logout:K}),[w,D,b,L,N,K]);return p.jsx(E.Provider,{value:ae,children:e})},ne=A,re=ie,se=({renderComponent:i,loader:e})=>{const{isAuthenticated:t,isLoading:n,loginWithRedirect:r}=A();return l.useEffect(()=>{!n&&!t&&(async()=>await r())()},[n,t,r]),t?i:e||p.jsx(p.Fragment,{})};o.AuthenticationGuard=se,o.TIDClient=x,o.TIDContext=E,o.TIDProvider=re,o.useAuth=ne,Object.defineProperty(o,Symbol.toStringTag,{value:"Module"})});
+(function(d,c){typeof exports=="object"&&typeof module<"u"?c(exports,require("@trimble-oss/trimble-id"),require("es-cookie"),require("jwt-decode"),require("react"),require("react/jsx-runtime")):typeof define=="function"&&define.amd?define(["exports","@trimble-oss/trimble-id","es-cookie","jwt-decode","react","react/jsx-runtime"],c):(d=typeof globalThis<"u"?globalThis:d||self,c(d.ReactTID={},d.trimbleId,d.esCookie,d.jwt_decode,d.React,d.jsxRuntime))})(this,(function(d,c,b,K,l,m){"use strict";function W(n){const e=Object.create(null,{[Symbol.toStringTag]:{value:"Module"}});if(n){for(const t in n)if(t!=="default"){const i=Object.getOwnPropertyDescriptor(n,t);Object.defineProperty(e,t,i.get?i:{enumerable:!0,get:()=>n[t]})}}return e.default=n,Object.freeze(e)}const v=W(b);class G{generateCache=(function(){const e={token:void 0,user:void 0};return{async getToken(){return e.token},async getUser(){return e.user},async storeToken(t){e.token=t},async storeUser(t){e.user=t},clear(){return e.token=void 0,e.user=void 0,Promise.resolve(void 0)}}})()}class H{cacheStorage;constructor(){this.cacheStorage=new G().generateCache}async setToken(e){await this.cacheStorage.storeToken(e)}async setUser(e){await this.cacheStorage.storeUser(e)}async getUser(){return this.cacheStorage.getUser()}async getToken(){return this.cacheStorage.getToken()}async clear(){await this.cacheStorage.clear()}}const E=5*6e4,F=["code","state"],S=600*1e3,C=n=>n.split("?")[0],$=n=>n.split("?")[1],P=n=>{let e=n;if(!n.startsWith("?"))try{e=new URL(n).search}catch{}return new URLSearchParams(e)},q=(n=window.location.href,e)=>{if(e!=null){const i=C(e),o=C(n??"");if(i!==o)return!1}const t=P(n);for(const i of F)if(!t.has(i))return!1;return!0},B=n=>({id:n.sub,name:`${n.given_name} ${n.family_name}`,given_name:n.given_name,family_name:n.family_name,picture:n.picture,email:n.email,email_verified:n.email_verified,...n.account_id&&{account_id:n.account_id}}),J="@TID_COOKIE";class j{get(e){const t=v.get(e);if(t==null)throw new Error("Cookie not found");return JSON.parse(t)}set(e,t,i){let o={};window.location.protocol==="https:"&&(o={secure:!0,sameSite:"none"}),i?.expires&&(o.expires=i.expires),i?.domain&&(o.domain=i.domain),v.set(e,JSON.stringify(t),o)}remove(e,t){const i={};t?.domain&&(i.domain=t.domain),v.remove(e,i)}}class z{cookieKey;cookiesStorage;constructor(e){this.cookieKey=`${J}.${e.clientId}`,this.cookiesStorage=new j}save(e){const i={...this.get()||{},...e};this.cookiesStorage.set(this.cookieKey,i,{expires:1})}getStatePayload(){return this.get()?.state_payload}clearStatePayload(){const e=this.get();e&&(delete e.state_payload,this.cookiesStorage.set(this.cookieKey,e,{expires:1}))}get(){try{return this.cookiesStorage.get(this.cookieKey)}catch{return}}clear(){this.cookiesStorage.remove(this.cookieKey)}}class _ extends Error{}class A extends Error{}class Q extends Error{}const h="@trimble-oss/trimble-id-react",g="1.0.2-rc1",X={configurationEndpoint:"",clientId:"",redirectUrl:"",logoutRedirectUrl:"",scopes:[]};class M{tokenProvider;cacheManager;cookiesManager;clientId;redirectUrl;constructor(e){const{config:t=X}=e;if(this.redirectUrl=t.redirectUrl,t.configurationEndpoint==null||t.configurationEndpoint=="")throw new Error("Configuration endpoint not defined");if(t.clientId==null||t.clientId=="")throw new Error("Consumer key is not defined");this.cookiesManager=new z({clientId:t.clientId});const i=this.cookiesManager.get(),o=new c.OpenIdEndpointProvider(t.configurationEndpoint);let r=new c.AuthorizationCodeGrantTokenProvider(o,t.clientId,t.redirectUrl).WithScopes(t.scopes);t.logoutRedirectUrl&&(r=r.WithLogoutRedirect(t.logoutRedirectUrl)),i?.code_verifier!=null&&(r=r.WithProofKeyForCodeExchange(i.code_verifier)),this.tokenProvider=r,this.cacheManager=new H,this.clientId=t.clientId,c.AnalyticsHttpClient.sendInitEvent("TIDClient",this.clientId,h,g),this.cleanupExpiredState()}cleanupExpiredState(){try{const e=this.cookiesManager.getStatePayload();if(e){const t=atob(e),i=JSON.parse(t);Date.now()-i.timestamp>S&&this.cookiesManager.clearStatePayload()}}catch{this.cookiesManager.clearStatePayload()}}async loginWithRedirect(e){c.AnalyticsHttpClient.sendMethodEvent(this.loginWithRedirect.name,this.clientId,h,g);const{onRedirect:t}=e||{},i=window.location.pathname+window.location.search,o=this.createStatePayload(i);this.cookiesManager.save({state_payload:o});const r=c.AuthorizationCodeGrantTokenProvider.GenerateCodeVerifier();this.cookiesManager.save({code_verifier:r}),this.tokenProvider=this.tokenProvider.WithProofKeyForCodeExchange(r);const u=await this.tokenProvider.GetOAuthRedirect(o);t!=null?t(u):window.location.assign(u)}async handleCallback(e=window.location.href){const t=this.cookiesManager.get();if(t==null||t?.code_verifier==null)throw new Q("Code verifier not available");const i=$(e),o=P(e),r=o.get("identity_provider")??"",u=o.get("state")??"",f=this.validateStatePayload(u);if(!f.isValid)throw new Error(`State validation failed: ${f.error}`);return await this.tokenProvider.ValidateQuery(i),await this.generateToken(r),{authState:u,returnTo:f.redirectTo}}async generateToken(e){const t=await this.tokenProvider.RetrieveToken(),i=await this.tokenProvider.RetrieveRefreshToken(),o=await this.tokenProvider.RetrieveIdToken(),r=await this.tokenProvider.RetrieveTokenExpiry(),f=new Date(r).getTime(),y=this.tokenProvider?._scopes?.join(" ");await this.cacheManager.setToken({scope:y,state:"",session_state:"",identity_provider:e,token_type:"bearer",access_token:t,refresh_token:i,id_token:o,expires_at:f});const I=K(o),w=B(I);await this.cacheManager.setUser(w),await this.reloadCodeVerifier()}async reloadCodeVerifier(){const e=await this.tokenProvider.RetrieveCodeVerifier();this.cookiesManager.save({code_verifier:e}),this.tokenProvider=this.tokenProvider.WithProofKeyForCodeExchange(e)}createStatePayload(e){const t=this.generateNonce(),i=Date.now();return btoa(JSON.stringify({redirectTo:e,timestamp:i,nonce:t}))}generateNonce(){const e=new Uint8Array(16);return crypto.getRandomValues(e),Array.from(e,t=>t.toString(16).padStart(2,"0")).join("")}validateStatePayload(e){try{if(!e||e.trim()==="")return{isValid:!1,error:"Empty state parameter"};const t=this.cookiesManager.getStatePayload();if(!t)return{isValid:!1,error:"No stored state found"};const i=atob(e),o=JSON.parse(i),r=atob(t),u=JSON.parse(r);if(!o.nonce||!o.timestamp||!o.redirectTo)return{isValid:!1,error:"Invalid state payload structure"};if(o.nonce!==u.nonce)return{isValid:!1,error:"State nonce mismatch"};const y=Date.now()-o.timestamp;return y>S?{isValid:!1,error:"State expired - possible replay attack"}:y<0?{isValid:!1,error:"State timestamp is in the future - possible replay attack"}:(this.cookiesManager.clearStatePayload(),{isValid:!0,redirectTo:o.redirectTo})}catch{return{isValid:!1,error:"Invalid state format"}}}async getUser(){return c.AnalyticsHttpClient.sendMethodEvent(this.getUser.name,this.clientId,h,g),await this.cacheManager.getUser()}async getAccessTokenSilently(){c.AnalyticsHttpClient.sendMethodEvent(this.getAccessTokenSilently.name,this.clientId,h,g);let e=await this.cacheManager.getToken();if(e==null)throw c.AnalyticsHttpClient.sendExceptionEvent(this.getAccessTokenSilently.name,"No token available",this.clientId,h,g),new A("No token available");const t=new Date(new Date().getTime()+E);if(e?.expires_at==null||e?.expires_at<t.getTime()){try{await this.tokenProvider.RetrieveToken()}catch(i){throw c.AnalyticsHttpClient.sendExceptionEvent(this.getAccessTokenSilently.name,i.message,this.clientId,h,g),new _(i.message)}await this.generateToken(e?.identity_provider??""),e=await this.cacheManager.getToken()}return e?.access_token||""}async getTokens(){c.AnalyticsHttpClient.sendMethodEvent(this.getTokens.name,this.clientId,h,g);let e=await this.cacheManager.getToken();if(e==null)throw c.AnalyticsHttpClient.sendExceptionEvent(this.getTokens.name,"No token available",this.clientId,h,g),new A("No token available");const t=new Date(new Date().getTime()+E);if(e?.expires_at==null||e?.expires_at<t.getTime()){try{await this.tokenProvider.RetrieveToken()}catch(i){throw c.AnalyticsHttpClient.sendExceptionEvent(this.getTokens.name,i.message,this.clientId,h,g),new _(i.message)}await this.generateToken(e?.identity_provider??""),e=await this.cacheManager.getToken()}return{access_token:e?.access_token||"",expires_at:e?.expires_at||0,id_token:e?.id_token||""}}async logout(e){c.AnalyticsHttpClient.sendMethodEvent(this.logout.name,this.clientId,h,g);const{onRedirect:t,disabledAutoRedirect:i}=e||{};this.cacheManager&&await this.cacheManager.clear(),this.cookiesManager&&this.cookiesManager.clear();const o=await this.tokenProvider.GetOAuthLogoutRedirect("state");if(t!=null)return t(o);i||window.location.assign(o)}async checkSession(){try{await this.getAccessTokenSilently()}catch{return!1}return!0}async loadUserSession(){await this.loadCacheSessionIntoSDK(),await this.checkSession()||await this.cacheManager.clear()}async loadCacheSessionIntoSDK(){const e=await this.cacheManager.getToken();if(e==null)return;const t=e.access_token,i=e.refresh_token||"",o=e.id_token,r=e.expires_at;this.tokenProvider=this.tokenProvider.WithAccessToken(t,r).WithRefreshToken(i).WithIdToken(o)}getBearerTokenHttpClient(e){return new c.BearerTokenHttpClientProvider(this.tokenProvider,e)}getRedirectUrl(){return this.redirectUrl}}const T=l.createContext(null),R=()=>l.useContext(T)??{},Y=(n,e)=>{switch(e.type){case"INIT":return{...n,isLoading:!1,isAuthenticated:e.user!=null,user:e.user,error:void 0};case"GET_TOKENS_COMPLETE":case"HANDLE_CALLBACK_COMPLETE":case"GET_ACCESS_TOKEN_COMPLETE":return{...n,isLoading:!1,isAuthenticated:e.user!=null,user:e.user,error:void 0};case"LOGOUT":return{...n,isAuthenticated:!1,user:void 0};case"ERROR":return{...n,isLoading:!1,error:e.error}}},Z={isLoading:!0,isAuthenticated:!1},ee=n=>{if(n==null||Object.keys(n).length<=0)return!0;const e=Object.keys(n);for(const t of e)if(n[t]!=null&&n[t]!=="")return!1;return!0},te=n=>!ee(n.config),ne=n=>{const{children:e,configurationEndpoint:t,clientId:i,redirectUrl:o,logoutRedirectUrl:r,scopes:u,onRedirectCallback:f,checkRedirectUrlMatch:y}=n;if(l.useContext(T)!=null)throw new Error("TID Provider already defined");const w={config:{configurationEndpoint:t??"",clientId:i??"",redirectUrl:o??"",logoutRedirectUrl:r??"",scopes:u??[""]}},[a]=l.useState(n.tidClient??new M(w)),[x,p]=l.useReducer(Y,Z),O=l.useRef(!1),ae=l.useMemo(()=>y?a.getRedirectUrl():void 0,[y,a]);l.useEffect(()=>{O.current||(n.tidClient!=null&&te({config:{configurationEndpoint:t,clientId:i,redirectUrl:o,logoutRedirectUrl:r,scopes:u}})&&console.warn("When TID client is pass as prop, any client configuration property sent directly to the TID Provider component will be ignored"),O.current=!0,(async()=>{try{let s;if(q(void 0,ae)){const k=await a.handleCallback();s=await a.getUser(),f?.(k)}else await a.loadUserSession(),s=await a.getUser();p({type:"INIT",user:s})}catch(s){let k=s;typeof s=="string"&&(k=new Error(s)),p({type:"ERROR",error:k})}})())},[a,f]);const D=l.useCallback(async()=>{const s=await a.getAccessTokenSilently(),k=await a.getUser();return p({type:"GET_ACCESS_TOKEN_COMPLETE",user:k}),s},[a]),U=l.useCallback(async()=>{const s=await a.getTokens(),k=await a.getUser();return p({type:"GET_TOKENS_COMPLETE",user:k}),s},[a]),L=l.useCallback(async s=>{await a.loginWithRedirect(s)},[a]),N=l.useCallback(async s=>{await a.logout(s),s?.disabledAutoRedirect!=null&&s.disabledAutoRedirect&&p({type:"LOGOUT"})},[a]),V=l.useCallback(async s=>{const k=await a.handleCallback(s),ce=await a.getUser();return p({type:"HANDLE_CALLBACK_COMPLETE",user:ce}),k},[a]),se=l.useMemo(()=>({...x,getAccessTokenSilently:D,getTokens:U,loginWithRedirect:L,handleCallback:V,logout:N}),[x,D,U,L,V,N]);return m.jsx(T.Provider,{value:se,children:e})},ie=R,oe=ne,re=({renderComponent:n,loader:e})=>{const{isAuthenticated:t,isLoading:i,loginWithRedirect:o}=R();return l.useEffect(()=>{!i&&!t&&(async()=>await o())()},[i,t,o]),t?n:e||m.jsx(m.Fragment,{})};d.AuthenticationGuard=re,d.TIDClient=M,d.TIDContext=T,d.TIDProvider=oe,d.useAuth=ie,Object.defineProperty(d,Symbol.toStringTag,{value:"Module"})}));

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@trimble-oss/trimble-id-react",
   "private": false,
-  "version": "1.0.0",
+  "version": "1.0.2-rc1",
   "homepage": "https://github.com/trimble-oss/trimble-id-sdk-docs-for-react",
   "author": "Trimble developers <developers@trimble.com>",
   "license": "MIT",
@@ -14,8 +14,8 @@
     "build": "tsc && vite build",
     "test": "jest --coverage",
     "docs": "typedoc --out ./docs/documentation ./src/ --tsconfig ./tsconfig.json",
-    "lint": "eslint --ext ts,tsx --report-unused-disable-directives",
-    "lint:fix": "eslint --fix 'src/**/*.{jsx,ts,tsx}'",
+    "lint": "eslint src/",
+    "lint:fix": "eslint --fix src/",
     "format": "prettier --write src//**/*.{ts,tsx,css} --config ./.prettierrc",
     "prepare": "husky install"
   },
@@ -31,7 +31,7 @@
   "module": "./dist/trimble-id-react.es.js",
   "types": "./dist/index.d.ts",
   "dependencies": {
-    "@trimble-oss/trimble-id": "^0.0.7",
+    "@trimble-oss/trimble-id": "^1.0.0",
     "es-cookie": "^1.4.0",
     "husky": "^8.0.3",
     "jwt-decode": "^3.1.2"
@@ -42,29 +42,30 @@
   },
   "devDependencies": {
     "@babel/preset-env": "^7.22.20",
+    "@eslint/js": "^9.37.0",
     "@testing-library/react": "^14.0.0",
     "@types/jest": "^29.5.3",
     "@types/react": "^18.2.15",
     "@types/react-dom": "^18.2.7",
-    "@typescript-eslint/eslint-plugin": "^6.2.0",
-    "@typescript-eslint/parser": "^6.2.0",
-    "@vitejs/plugin-react": "^4.0.3",
+    "@vitejs/plugin-react": "^5.1.2",
     "babel-jest": "^29.7.0",
-    "eslint": "^8.45.0",
-    "eslint-config-prettier": "^8.9.0",
-    "eslint-plugin-prettier": "^5.0.0",
-    "eslint-plugin-react": "^7.33.0",
-    "eslint-plugin-react-hooks": "^4.6.0",
-    "eslint-plugin-react-refresh": "^0.4.3",
-    "gts": "^5.0.0",
+    "eslint": "^9.37.0",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-prettier": "^5.5.4",
+    "eslint-plugin-react": "^7.37.5",
+    "eslint-plugin-react-hooks": "^5.2.0",
+    "eslint-plugin-react-refresh": "^0.4.26",
+    "globals": "^16.2.0",
+    "gts": "^7.0.0",
+    "typescript-eslint": "^8.46.0",
     "jest": "^29.6.2",
     "jest-environment-jsdom": "^29.6.2",
-    "lint-staged": "^13.2.3",
+    "lint-staged": "^16.2.7",
     "prettier": "^3.0.0",
     "ts-jest": "^29.1.1",
     "typedoc": "^0.25.2",
     "typescript": "^5.0.2",
-    "vite": "^4.4.5",
+    "vite": "^7.3.0",
     "vite-plugin-dts": "^1.4.1",
     "vite-plugin-linter": "^1.2.0",
     "vite-tsconfig-paths": "^3.5.0"