@unwanted/matrix-sdk-mini 34.12.0 → 36.0.0

package/lib/oidc/discovery.js

@@ -19,7 +19,7 @@ limitations under the License.
 */
 
 import { MetadataService, OidcClientSettingsStore } from "oidc-client-ts";
-import { isValidatedIssuerMetadata, validateOIDCIssuerWellKnown } from "./validate.js";
+import { validateAuthMetadata } from "./validate.js";
 import { Method, timeoutSignal } from "../http-api/index.js";
 /**
  * @experimental
@@ -31,36 +31,47 @@ import { Method, timeoutSignal } from "../http-api/index.js";
  * @param issuer - the OIDC issuer as returned by the /auth_issuer API
  * @returns validated authentication metadata and optionally signing keys
  * @throws when delegated auth config is invalid or unreachable
+ * @deprecated in favour of {@link MatrixClient#getAuthMetadata}
  */
 export var discoverAndValidateOIDCIssuerWellKnown = /*#__PURE__*/function () {
   var _ref = _asyncToGenerator(function* (issuer) {
-    var _yield$metadataServic;
     var issuerOpenIdConfigUrl = new URL(".well-known/openid-configuration", issuer);
     var issuerWellKnownResponse = yield fetch(issuerOpenIdConfigUrl, {
       method: Method.Get,
       signal: timeoutSignal(5000)
     });
     var issuerWellKnown = yield issuerWellKnownResponse.json();
-    var validatedIssuerConfig = validateOIDCIssuerWellKnown(issuerWellKnown);
+    return validateAuthMetadataAndKeys(issuerWellKnown);
+  });
+  return function discoverAndValidateOIDCIssuerWellKnown(_x) {
+    return _ref.apply(this, arguments);
+  };
+}();
+/**
+ * @experimental
+ * Validate the authentication metadata and fetch the signing keys from the jwks_uri in the metadata
+ * @param authMetadata - the authentication metadata to validate
+ * @returns validated authentication metadata and signing keys
+ */
+export var validateAuthMetadataAndKeys = /*#__PURE__*/function () {
+  var _ref2 = _asyncToGenerator(function* (authMetadata) {
+    var validatedIssuerConfig = validateAuthMetadata(authMetadata);
 
     // create a temporary settings store, so we can use metadata service for discovery
     var settings = new OidcClientSettingsStore({
-      authority: issuer,
+      authority: validatedIssuerConfig.issuer,
+      metadata: validatedIssuerConfig,
       redirect_uri: "",
       // Not known yet, this is here to make the type checker happy
       client_id: "" // Not known yet, this is here to make the type checker happy
     });
     var metadataService = new MetadataService(settings);
-    var metadata = yield metadataService.getMetadata();
-    var signingKeys = (_yield$metadataServic = yield metadataService.getSigningKeys()) !== null && _yield$metadataServic !== void 0 ? _yield$metadataServic : undefined;
-    isValidatedIssuerMetadata(metadata);
     return _objectSpread(_objectSpread({}, validatedIssuerConfig), {}, {
-      metadata,
-      signingKeys
+      signingKeys: yield metadataService.getSigningKeys()
     });
   });
-  return function discoverAndValidateOIDCIssuerWellKnown(_x) {
-    return _ref.apply(this, arguments);
+  return function validateAuthMetadataAndKeys(_x2) {
+    return _ref2.apply(this, arguments);
   };
 }();
 //# sourceMappingURL=discovery.js.map

package/lib/oidc/discovery.js.map

@@ -1 +1 @@
-{"version":3,"file":"discovery.js","names":["MetadataService","OidcClientSettingsStore","isValidatedIssuerMetadata","validateOIDCIssuerWellKnown","Method","timeoutSignal","discoverAndValidateOIDCIssuerWellKnown","_ref","_asyncToGenerator","issuer","_yield$metadataServic","issuerOpenIdConfigUrl","URL","issuerWellKnownResponse","fetch","method","Get","signal","issuerWellKnown","json","validatedIssuerConfig","settings","authority","redirect_uri","client_id","metadataService","metadata","getMetadata","signingKeys","getSigningKeys","undefined","_objectSpread","_x","apply","arguments"],"sources":["../../src/oidc/discovery.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { MetadataService, OidcClientSettingsStore } from \"oidc-client-ts\";\n\nimport { isValidatedIssuerMetadata, validateOIDCIssuerWellKnown } from \"./validate.ts\";\nimport { Method, timeoutSignal } from \"../http-api/index.ts\";\nimport { OidcClientConfig } from \"./index.ts\";\n\n/**\n * @experimental\n * Discover and validate delegated auth configuration\n * - delegated auth issuer openid-configuration is reachable\n * - delegated auth issuer openid-configuration is configured correctly for us\n * Fetches https://oidc-issuer.example.com/.well-known/openid-configuration and other files linked therein.\n * When successful, validated metadata is returned\n * @param issuer - the OIDC issuer as returned by the /auth_issuer API\n * @returns validated authentication metadata and optionally signing keys\n * @throws when delegated auth config is invalid or unreachable\n */\nexport const discoverAndValidateOIDCIssuerWellKnown = async (issuer: string): Promise<OidcClientConfig> => {\n    const issuerOpenIdConfigUrl = new URL(\".well-known/openid-configuration\", issuer);\n    const issuerWellKnownResponse = await fetch(issuerOpenIdConfigUrl, {\n        method: Method.Get,\n        signal: timeoutSignal(5000),\n    });\n    const issuerWellKnown = await issuerWellKnownResponse.json();\n    const validatedIssuerConfig = validateOIDCIssuerWellKnown(issuerWellKnown);\n\n    // create a temporary settings store, so we can use metadata service for discovery\n    const settings = new OidcClientSettingsStore({\n        authority: issuer,\n        redirect_uri: \"\", // Not known yet, this is here to make the type checker happy\n        client_id: \"\", // Not known yet, this is here to make the type checker happy\n    });\n    const metadataService = new MetadataService(settings);\n    const metadata = await metadataService.getMetadata();\n    const signingKeys = (await metadataService.getSigningKeys()) ?? undefined;\n\n    isValidatedIssuerMetadata(metadata);\n\n    return {\n        ...validatedIssuerConfig,\n        metadata,\n        signingKeys,\n    };\n};\n"],"mappings":";;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAASA,eAAe,EAAEC,uBAAuB,QAAQ,gBAAgB;AAEzE,SAASC,yBAAyB,EAAEC,2BAA2B,QAAQ,eAAe;AACtF,SAASC,MAAM,EAAEC,aAAa,QAAQ,sBAAsB;AAG5D;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,sCAAsC;EAAA,IAAAC,IAAA,GAAAC,iBAAA,CAAG,WAAOC,MAAc,EAAgC;IAAA,IAAAC,qBAAA;IACvG,IAAMC,qBAAqB,GAAG,IAAIC,GAAG,CAAC,kCAAkC,EAAEH,MAAM,CAAC;IACjF,IAAMI,uBAAuB,SAASC,KAAK,CAACH,qBAAqB,EAAE;MAC/DI,MAAM,EAAEX,MAAM,CAACY,GAAG;MAClBC,MAAM,EAAEZ,aAAa,CAAC,IAAI;IAC9B,CAAC,CAAC;IACF,IAAMa,eAAe,SAASL,uBAAuB,CAACM,IAAI,CAAC,CAAC;IAC5D,IAAMC,qBAAqB,GAAGjB,2BAA2B,CAACe,eAAe,CAAC;;IAE1E;IACA,IAAMG,QAAQ,GAAG,IAAIpB,uBAAuB,CAAC;MACzCqB,SAAS,EAAEb,MAAM;MACjBc,YAAY,EAAE,EAAE;MAAE;MAClBC,SAAS,EAAE,EAAE,CAAE;IACnB,CAAC,CAAC;IACF,IAAMC,eAAe,GAAG,IAAIzB,eAAe,CAACqB,QAAQ,CAAC;IACrD,IAAMK,QAAQ,SAASD,eAAe,CAACE,WAAW,CAAC,CAAC;IACpD,IAAMC,WAAW,IAAAlB,qBAAA,SAAUe,eAAe,CAACI,cAAc,CAAC,CAAC,cAAAnB,qBAAA,cAAAA,qBAAA,GAAKoB,SAAS;IAEzE5B,yBAAyB,CAACwB,QAAQ,CAAC;IAEnC,OAAAK,aAAA,CAAAA,aAAA,KACOX,qBAAqB;MACxBM,QAAQ;MACRE;IAAW;EAEnB,CAAC;EAAA,gBA1BYtB,sCAAsCA,CAAA0B,EAAA;IAAA,OAAAzB,IAAA,CAAA0B,KAAA,OAAAC,SAAA;EAAA;AAAA,GA0BlD","ignoreList":[]}
+{"version":3,"file":"discovery.js","names":["MetadataService","OidcClientSettingsStore","validateAuthMetadata","Method","timeoutSignal","discoverAndValidateOIDCIssuerWellKnown","_ref","_asyncToGenerator","issuer","issuerOpenIdConfigUrl","URL","issuerWellKnownResponse","fetch","method","Get","signal","issuerWellKnown","json","validateAuthMetadataAndKeys","_x","apply","arguments","_ref2","authMetadata","validatedIssuerConfig","settings","authority","metadata","redirect_uri","client_id","metadataService","_objectSpread","signingKeys","getSigningKeys","_x2"],"sources":["../../src/oidc/discovery.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { MetadataService, OidcClientSettingsStore } from \"oidc-client-ts\";\n\nimport { validateAuthMetadata } from \"./validate.ts\";\nimport { Method, timeoutSignal } from \"../http-api/index.ts\";\nimport { OidcClientConfig } from \"./index.ts\";\n\n/**\n * @experimental\n * Discover and validate delegated auth configuration\n * - delegated auth issuer openid-configuration is reachable\n * - delegated auth issuer openid-configuration is configured correctly for us\n * Fetches https://oidc-issuer.example.com/.well-known/openid-configuration and other files linked therein.\n * When successful, validated metadata is returned\n * @param issuer - the OIDC issuer as returned by the /auth_issuer API\n * @returns validated authentication metadata and optionally signing keys\n * @throws when delegated auth config is invalid or unreachable\n * @deprecated in favour of {@link MatrixClient#getAuthMetadata}\n */\nexport const discoverAndValidateOIDCIssuerWellKnown = async (issuer: string): Promise<OidcClientConfig> => {\n    const issuerOpenIdConfigUrl = new URL(\".well-known/openid-configuration\", issuer);\n    const issuerWellKnownResponse = await fetch(issuerOpenIdConfigUrl, {\n        method: Method.Get,\n        signal: timeoutSignal(5000),\n    });\n    const issuerWellKnown = await issuerWellKnownResponse.json();\n    return validateAuthMetadataAndKeys(issuerWellKnown);\n};\n/**\n * @experimental\n * Validate the authentication metadata and fetch the signing keys from the jwks_uri in the metadata\n * @param authMetadata - the authentication metadata to validate\n * @returns validated authentication metadata and signing keys\n */\nexport const validateAuthMetadataAndKeys = async (authMetadata: unknown): Promise<OidcClientConfig> => {\n    const validatedIssuerConfig = validateAuthMetadata(authMetadata);\n\n    // create a temporary settings store, so we can use metadata service for discovery\n    const settings = new OidcClientSettingsStore({\n        authority: validatedIssuerConfig.issuer,\n        metadata: validatedIssuerConfig,\n        redirect_uri: \"\", // Not known yet, this is here to make the type checker happy\n        client_id: \"\", // Not known yet, this is here to make the type checker happy\n    });\n    const metadataService = new MetadataService(settings);\n    \n    return {\n        ...validatedIssuerConfig,\n        signingKeys: await metadataService.getSigningKeys(),\n    };\n};\n"],"mappings":";;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAASA,eAAe,EAAEC,uBAAuB,QAAQ,gBAAgB;AAEzE,SAASC,oBAAoB,QAAQ,eAAe;AACpD,SAASC,MAAM,EAAEC,aAAa,QAAQ,sBAAsB;AAG5D;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,sCAAsC;EAAA,IAAAC,IAAA,GAAAC,iBAAA,CAAG,WAAOC,MAAc,EAAgC;IACvG,IAAMC,qBAAqB,GAAG,IAAIC,GAAG,CAAC,kCAAkC,EAAEF,MAAM,CAAC;IACjF,IAAMG,uBAAuB,SAASC,KAAK,CAACH,qBAAqB,EAAE;MAC/DI,MAAM,EAAEV,MAAM,CAACW,GAAG;MAClBC,MAAM,EAAEX,aAAa,CAAC,IAAI;IAC9B,CAAC,CAAC;IACF,IAAMY,eAAe,SAASL,uBAAuB,CAACM,IAAI,CAAC,CAAC;IAC5D,OAAOC,2BAA2B,CAACF,eAAe,CAAC;EACvD,CAAC;EAAA,gBARYX,sCAAsCA,CAAAc,EAAA;IAAA,OAAAb,IAAA,CAAAc,KAAA,OAAAC,SAAA;EAAA;AAAA,GAQlD;AACD;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMH,2BAA2B;EAAA,IAAAI,KAAA,GAAAf,iBAAA,CAAG,WAAOgB,YAAqB,EAAgC;IACnG,IAAMC,qBAAqB,GAAGtB,oBAAoB,CAACqB,YAAY,CAAC;;IAEhE;IACA,IAAME,QAAQ,GAAG,IAAIxB,uBAAuB,CAAC;MACzCyB,SAAS,EAAEF,qBAAqB,CAAChB,MAAM;MACvCmB,QAAQ,EAAEH,qBAAqB;MAC/BI,YAAY,EAAE,EAAE;MAAE;MAClBC,SAAS,EAAE,EAAE,CAAE;IACnB,CAAC,CAAC;IACF,IAAMC,eAAe,GAAG,IAAI9B,eAAe,CAACyB,QAAQ,CAAC;IAErD,OAAAM,aAAA,CAAAA,aAAA,KACOP,qBAAqB;MACxBQ,WAAW,QAAQF,eAAe,CAACG,cAAc,CAAC;IAAC;EAE3D,CAAC;EAAA,gBAhBYf,2BAA2BA,CAAAgB,GAAA;IAAA,OAAAZ,KAAA,CAAAF,KAAA,OAAAC,SAAA;EAAA;AAAA,GAgBvC","ignoreList":[]}

package/lib/oidc/index.d.ts

@@ -1,5 +1,5 @@
 import type { SigningKey } from "oidc-client-ts";
-import { ValidatedIssuerConfig, ValidatedIssuerMetadata } from "./validate.ts";
+import { ValidatedAuthMetadata } from "./validate.ts";
 export * from "./authorize.ts";
 export * from "./discovery.ts";
 export * from "./error.ts";
@@ -10,8 +10,7 @@ export * from "./validate.ts";
  * Validated config for native OIDC authentication, as returned by {@link discoverAndValidateOIDCIssuerWellKnown}.
  * Contains metadata and signing keys from the issuer's well-known (https://oidc-issuer.example.com/.well-known/openid-configuration).
  */
-export interface OidcClientConfig extends ValidatedIssuerConfig {
-    metadata: ValidatedIssuerMetadata;
-    signingKeys?: SigningKey[];
+export interface OidcClientConfig extends ValidatedAuthMetadata {
+    signingKeys: SigningKey[] | null;
 }
 //# sourceMappingURL=index.d.ts.map

package/lib/oidc/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/oidc/index.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,qBAAqB,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AAE/E,cAAc,gBAAgB,CAAC;AAC/B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,YAAY,CAAC;AAC3B,cAAc,eAAe,CAAC;AAC9B,cAAc,qBAAqB,CAAC;AACpC,cAAc,eAAe,CAAC;AAE9B;;;GAGG;AACH,MAAM,WAAW,gBAAiB,SAAQ,qBAAqB;IAC3D,QAAQ,EAAE,uBAAuB,CAAC;IAClC,WAAW,CAAC,EAAE,UAAU,EAAE,CAAC;CAC9B"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/oidc/index.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAEtD,cAAc,gBAAgB,CAAC;AAC/B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,YAAY,CAAC;AAC3B,cAAc,eAAe,CAAC;AAC9B,cAAc,qBAAqB,CAAC;AACpC,cAAc,eAAe,CAAC;AAE9B;;;GAGG;AACH,MAAM,WAAW,gBAAiB,SAAQ,qBAAqB;IAC3D,WAAW,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC;CACpC"}

package/lib/oidc/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","names":[],"sources":["../../src/oidc/index.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport type { SigningKey } from \"oidc-client-ts\";\nimport { ValidatedIssuerConfig, ValidatedIssuerMetadata } from \"./validate.ts\";\n\nexport * from \"./authorize.ts\";\nexport * from \"./discovery.ts\";\nexport * from \"./error.ts\";\nexport * from \"./register.ts\";\nexport * from \"./tokenRefresher.ts\";\nexport * from \"./validate.ts\";\n\n/**\n * Validated config for native OIDC authentication, as returned by {@link discoverAndValidateOIDCIssuerWellKnown}.\n * Contains metadata and signing keys from the issuer's well-known (https://oidc-issuer.example.com/.well-known/openid-configuration).\n */\nexport interface OidcClientConfig extends ValidatedIssuerConfig {\n    metadata: ValidatedIssuerMetadata;\n    signingKeys?: SigningKey[];\n}\n"],"mappings":"AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAKA,cAAc,gBAAgB;AAC9B,cAAc,gBAAgB;AAC9B,cAAc,YAAY;AAC1B,cAAc,eAAe;AAC7B,cAAc,qBAAqB;AACnC,cAAc,eAAe;;AAE7B;AACA;AACA;AACA;AAHA","ignoreList":[]}
+{"version":3,"file":"index.js","names":[],"sources":["../../src/oidc/index.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport type { SigningKey } from \"oidc-client-ts\";\nimport { ValidatedAuthMetadata } from \"./validate.ts\";\n\nexport * from \"./authorize.ts\";\nexport * from \"./discovery.ts\";\nexport * from \"./error.ts\";\nexport * from \"./register.ts\";\nexport * from \"./tokenRefresher.ts\";\nexport * from \"./validate.ts\";\n\n/**\n * Validated config for native OIDC authentication, as returned by {@link discoverAndValidateOIDCIssuerWellKnown}.\n * Contains metadata and signing keys from the issuer's well-known (https://oidc-issuer.example.com/.well-known/openid-configuration).\n */\nexport interface OidcClientConfig extends ValidatedAuthMetadata {\n    signingKeys: SigningKey[] | null;\n}\n"],"mappings":"AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAKA,cAAc,gBAAgB;AAC9B,cAAc,gBAAgB;AAC9B,cAAc,YAAY;AAC1B,cAAc,eAAe;AAC7B,cAAc,qBAAqB;AACnC,cAAc,eAAe;;AAE7B;AACA;AACA;AACA;AAHA","ignoreList":[]}

package/lib/oidc/register.js

@@ -38,11 +38,11 @@ export var DEVICE_CODE_SCOPE = "urn:ietf:params:oauth:grant-type:device_code";
  */
 export var registerOidcClient = /*#__PURE__*/function () {
   var _ref = _asyncToGenerator(function* (delegatedAuthConfig, clientMetadata) {
-    if (!delegatedAuthConfig.registrationEndpoint) {
+    if (!delegatedAuthConfig.registration_endpoint) {
       throw new Error(OidcError.DynamicRegistrationNotSupported);
     }
     var grantTypes = ["authorization_code", "refresh_token"];
-    if (grantTypes.some(scope => !delegatedAuthConfig.metadata.grant_types_supported.includes(scope))) {
+    if (grantTypes.some(scope => !delegatedAuthConfig.grant_types_supported.includes(scope))) {
       throw new Error(OidcError.DynamicRegistrationNotSupported);
     }
 
@@ -66,7 +66,7 @@ export var registerOidcClient = /*#__PURE__*/function () {
       "Content-Type": "application/json"
     };
     try {
-      var response = yield fetch(delegatedAuthConfig.registrationEndpoint, {
+      var response = yield fetch(delegatedAuthConfig.registration_endpoint, {
         method: Method.Post,
         headers,
         body: JSON.stringify(metadata)

package/lib/oidc/register.js.map

@@ -1 +1 @@
-{"version":3,"file":"register.js","names":["OidcError","Method","logger","DEVICE_CODE_SCOPE","registerOidcClient","_ref","_asyncToGenerator","delegatedAuthConfig","clientMetadata","registrationEndpoint","Error","DynamicRegistrationNotSupported","grantTypes","some","scope","metadata","grant_types_supported","includes","client_name","clientName","client_uri","clientUri","response_types","grant_types","redirect_uris","redirectUris","id_token_signed_response_alg","token_endpoint_auth_method","application_type","applicationType","logo_uri","logoUri","contacts","policy_uri","policyUri","tos_uri","tosUri","headers","response","fetch","method","Post","body","JSON","stringify","status","DynamicRegistrationFailed","json","clientId","DynamicRegistrationInvalid","error","Object","values","message","_x","_x2","apply","arguments"],"sources":["../../src/oidc/register.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { OidcClientConfig } from \"./index.ts\";\nimport { OidcError } from \"./error.ts\";\nimport { Method } from \"../http-api/index.ts\";\nimport { logger } from \"../logger.ts\";\nimport { NonEmptyArray } from \"../@types/common.ts\";\n\n/**\n * Client metadata passed to registration endpoint\n */\nexport type OidcRegistrationClientMetadata = {\n    clientName: OidcRegistrationRequestBody[\"client_name\"];\n    clientUri: OidcRegistrationRequestBody[\"client_uri\"];\n    logoUri?: OidcRegistrationRequestBody[\"logo_uri\"];\n    applicationType: OidcRegistrationRequestBody[\"application_type\"];\n    redirectUris: OidcRegistrationRequestBody[\"redirect_uris\"];\n    contacts: OidcRegistrationRequestBody[\"contacts\"];\n    tosUri: OidcRegistrationRequestBody[\"tos_uri\"];\n    policyUri: OidcRegistrationRequestBody[\"policy_uri\"];\n};\n\n/**\n * Request body for dynamic registration as defined by https://github.com/matrix-org/matrix-spec-proposals/pull/2966\n */\ninterface OidcRegistrationRequestBody {\n    client_name?: string;\n    client_uri: string;\n    logo_uri?: string;\n    contacts?: string[];\n    tos_uri?: string;\n    policy_uri?: string;\n    redirect_uris?: NonEmptyArray<string>;\n    response_types?: NonEmptyArray<string>;\n    grant_types?: NonEmptyArray<string>;\n    id_token_signed_response_alg?: string;\n    token_endpoint_auth_method: string;\n    application_type: \"web\" | \"native\";\n}\n\nexport const DEVICE_CODE_SCOPE = \"urn:ietf:params:oauth:grant-type:device_code\";\n\n/**\n * Attempts dynamic registration against the configured registration endpoint\n * @param delegatedAuthConfig - Auth config from {@link discoverAndValidateOIDCIssuerWellKnown}\n * @param clientMetadata - The metadata for the client which to register\n * @returns Promise<string> resolved with registered clientId\n * @throws when registration is not supported, on failed request or invalid response\n */\nexport const registerOidcClient = async (\n    delegatedAuthConfig: OidcClientConfig,\n    clientMetadata: OidcRegistrationClientMetadata,\n): Promise<string> => {\n    if (!delegatedAuthConfig.registrationEndpoint) {\n        throw new Error(OidcError.DynamicRegistrationNotSupported);\n    }\n\n    const grantTypes: NonEmptyArray<string> = [\"authorization_code\", \"refresh_token\"];\n    if (grantTypes.some((scope) => !delegatedAuthConfig.metadata.grant_types_supported.includes(scope))) {\n        throw new Error(OidcError.DynamicRegistrationNotSupported);\n    }\n\n    // https://openid.net/specs/openid-connect-registration-1_0.html\n    const metadata: OidcRegistrationRequestBody = {\n        client_name: clientMetadata.clientName,\n        client_uri: clientMetadata.clientUri,\n        response_types: [\"code\"],\n        grant_types: grantTypes,\n        redirect_uris: clientMetadata.redirectUris,\n        id_token_signed_response_alg: \"RS256\",\n        token_endpoint_auth_method: \"none\",\n        application_type: clientMetadata.applicationType,\n        logo_uri: clientMetadata.logoUri,\n        contacts: clientMetadata.contacts,\n        policy_uri: clientMetadata.policyUri,\n        tos_uri: clientMetadata.tosUri,\n    };\n    const headers = {\n        \"Accept\": \"application/json\",\n        \"Content-Type\": \"application/json\",\n    };\n\n    try {\n        const response = await fetch(delegatedAuthConfig.registrationEndpoint, {\n            method: Method.Post,\n            headers,\n            body: JSON.stringify(metadata),\n        });\n\n        if (response.status >= 400) {\n            throw new Error(OidcError.DynamicRegistrationFailed);\n        }\n\n        const body = await response.json();\n        const clientId = body[\"client_id\"];\n        if (!clientId || typeof clientId !== \"string\") {\n            throw new Error(OidcError.DynamicRegistrationInvalid);\n        }\n\n        return clientId;\n    } catch (error) {\n        if (Object.values(OidcError).includes((error as Error).message as OidcError)) {\n            throw error;\n        } else {\n            logger.error(\"Dynamic registration request failed\", error);\n            throw new Error(OidcError.DynamicRegistrationFailed);\n        }\n    }\n};\n"],"mappings":";AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAGA,SAASA,SAAS,QAAQ,YAAY;AACtC,SAASC,MAAM,QAAQ,sBAAsB;AAC7C,SAASC,MAAM,QAAQ,cAAc;;AAGrC;AACA;AACA;;AAYA;AACA;AACA;;AAgBA,OAAO,IAAMC,iBAAiB,GAAG,8CAA8C;;AAE/E;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,kBAAkB;EAAA,IAAAC,IAAA,GAAAC,iBAAA,CAAG,WAC9BC,mBAAqC,EACrCC,cAA8C,EAC5B;IAClB,IAAI,CAACD,mBAAmB,CAACE,oBAAoB,EAAE;MAC3C,MAAM,IAAIC,KAAK,CAACV,SAAS,CAACW,+BAA+B,CAAC;IAC9D;IAEA,IAAMC,UAAiC,GAAG,CAAC,oBAAoB,EAAE,eAAe,CAAC;IACjF,IAAIA,UAAU,CAACC,IAAI,CAAEC,KAAK,IAAK,CAACP,mBAAmB,CAACQ,QAAQ,CAACC,qBAAqB,CAACC,QAAQ,CAACH,KAAK,CAAC,CAAC,EAAE;MACjG,MAAM,IAAIJ,KAAK,CAACV,SAAS,CAACW,+BAA+B,CAAC;IAC9D;;IAEA;IACA,IAAMI,QAAqC,GAAG;MAC1CG,WAAW,EAAEV,cAAc,CAACW,UAAU;MACtCC,UAAU,EAAEZ,cAAc,CAACa,SAAS;MACpCC,cAAc,EAAE,CAAC,MAAM,CAAC;MACxBC,WAAW,EAAEX,UAAU;MACvBY,aAAa,EAAEhB,cAAc,CAACiB,YAAY;MAC1CC,4BAA4B,EAAE,OAAO;MACrCC,0BAA0B,EAAE,MAAM;MAClCC,gBAAgB,EAAEpB,cAAc,CAACqB,eAAe;MAChDC,QAAQ,EAAEtB,cAAc,CAACuB,OAAO;MAChCC,QAAQ,EAAExB,cAAc,CAACwB,QAAQ;MACjCC,UAAU,EAAEzB,cAAc,CAAC0B,SAAS;MACpCC,OAAO,EAAE3B,cAAc,CAAC4B;IAC5B,CAAC;IACD,IAAMC,OAAO,GAAG;MACZ,QAAQ,EAAE,kBAAkB;MAC5B,cAAc,EAAE;IACpB,CAAC;IAED,IAAI;MACA,IAAMC,QAAQ,SAASC,KAAK,CAAChC,mBAAmB,CAACE,oBAAoB,EAAE;QACnE+B,MAAM,EAAEvC,MAAM,CAACwC,IAAI;QACnBJ,OAAO;QACPK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC7B,QAAQ;MACjC,CAAC,CAAC;MAEF,IAAIuB,QAAQ,CAACO,MAAM,IAAI,GAAG,EAAE;QACxB,MAAM,IAAInC,KAAK,CAACV,SAAS,CAAC8C,yBAAyB,CAAC;MACxD;MAEA,IAAMJ,IAAI,SAASJ,QAAQ,CAACS,IAAI,CAAC,CAAC;MAClC,IAAMC,QAAQ,GAAGN,IAAI,CAAC,WAAW,CAAC;MAClC,IAAI,CAACM,QAAQ,IAAI,OAAOA,QAAQ,KAAK,QAAQ,EAAE;QAC3C,MAAM,IAAItC,KAAK,CAACV,SAAS,CAACiD,0BAA0B,CAAC;MACzD;MAEA,OAAOD,QAAQ;IACnB,CAAC,CAAC,OAAOE,KAAK,EAAE;MACZ,IAAIC,MAAM,CAACC,MAAM,CAACpD,SAAS,CAAC,CAACiB,QAAQ,CAAEiC,KAAK,CAAWG,OAAoB,CAAC,EAAE;QAC1E,MAAMH,KAAK;MACf,CAAC,MAAM;QACHhD,MAAM,CAACgD,KAAK,CAAC,qCAAqC,EAAEA,KAAK,CAAC;QAC1D,MAAM,IAAIxC,KAAK,CAACV,SAAS,CAAC8C,yBAAyB,CAAC;MACxD;IACJ;EACJ,CAAC;EAAA,gBA3DY1C,kBAAkBA,CAAAkD,EAAA,EAAAC,GAAA;IAAA,OAAAlD,IAAA,CAAAmD,KAAA,OAAAC,SAAA;EAAA;AAAA,GA2D9B","ignoreList":[]}
+{"version":3,"file":"register.js","names":["OidcError","Method","logger","DEVICE_CODE_SCOPE","registerOidcClient","_ref","_asyncToGenerator","delegatedAuthConfig","clientMetadata","registration_endpoint","Error","DynamicRegistrationNotSupported","grantTypes","some","scope","grant_types_supported","includes","metadata","client_name","clientName","client_uri","clientUri","response_types","grant_types","redirect_uris","redirectUris","id_token_signed_response_alg","token_endpoint_auth_method","application_type","applicationType","logo_uri","logoUri","contacts","policy_uri","policyUri","tos_uri","tosUri","headers","response","fetch","method","Post","body","JSON","stringify","status","DynamicRegistrationFailed","json","clientId","DynamicRegistrationInvalid","error","Object","values","message","_x","_x2","apply","arguments"],"sources":["../../src/oidc/register.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { OidcClientConfig } from \"./index.ts\";\nimport { OidcError } from \"./error.ts\";\nimport { Method } from \"../http-api/index.ts\";\nimport { logger } from \"../logger.ts\";\nimport { NonEmptyArray } from \"../@types/common.ts\";\n\n/**\n * Client metadata passed to registration endpoint\n */\nexport type OidcRegistrationClientMetadata = {\n    clientName: OidcRegistrationRequestBody[\"client_name\"];\n    clientUri: OidcRegistrationRequestBody[\"client_uri\"];\n    logoUri?: OidcRegistrationRequestBody[\"logo_uri\"];\n    applicationType: OidcRegistrationRequestBody[\"application_type\"];\n    redirectUris: OidcRegistrationRequestBody[\"redirect_uris\"];\n    contacts: OidcRegistrationRequestBody[\"contacts\"];\n    tosUri: OidcRegistrationRequestBody[\"tos_uri\"];\n    policyUri: OidcRegistrationRequestBody[\"policy_uri\"];\n};\n\n/**\n * Request body for dynamic registration as defined by https://github.com/matrix-org/matrix-spec-proposals/pull/2966\n */\ninterface OidcRegistrationRequestBody {\n    client_name?: string;\n    client_uri: string;\n    logo_uri?: string;\n    contacts?: string[];\n    tos_uri?: string;\n    policy_uri?: string;\n    redirect_uris?: NonEmptyArray<string>;\n    response_types?: NonEmptyArray<string>;\n    grant_types?: NonEmptyArray<string>;\n    id_token_signed_response_alg?: string;\n    token_endpoint_auth_method: string;\n    application_type: \"web\" | \"native\";\n}\n\nexport const DEVICE_CODE_SCOPE = \"urn:ietf:params:oauth:grant-type:device_code\";\n\n/**\n * Attempts dynamic registration against the configured registration endpoint\n * @param delegatedAuthConfig - Auth config from {@link discoverAndValidateOIDCIssuerWellKnown}\n * @param clientMetadata - The metadata for the client which to register\n * @returns Promise<string> resolved with registered clientId\n * @throws when registration is not supported, on failed request or invalid response\n */\nexport const registerOidcClient = async (\n    delegatedAuthConfig: OidcClientConfig,\n    clientMetadata: OidcRegistrationClientMetadata,\n): Promise<string> => {\n    if (!delegatedAuthConfig.registration_endpoint) {\n        throw new Error(OidcError.DynamicRegistrationNotSupported);\n    }\n\n    const grantTypes: NonEmptyArray<string> = [\"authorization_code\", \"refresh_token\"];\n    if (grantTypes.some((scope) => !delegatedAuthConfig.grant_types_supported.includes(scope))) {\n        throw new Error(OidcError.DynamicRegistrationNotSupported);\n    }\n\n    // https://openid.net/specs/openid-connect-registration-1_0.html\n    const metadata: OidcRegistrationRequestBody = {\n        client_name: clientMetadata.clientName,\n        client_uri: clientMetadata.clientUri,\n        response_types: [\"code\"],\n        grant_types: grantTypes,\n        redirect_uris: clientMetadata.redirectUris,\n        id_token_signed_response_alg: \"RS256\",\n        token_endpoint_auth_method: \"none\",\n        application_type: clientMetadata.applicationType,\n        logo_uri: clientMetadata.logoUri,\n        contacts: clientMetadata.contacts,\n        policy_uri: clientMetadata.policyUri,\n        tos_uri: clientMetadata.tosUri,\n    };\n    const headers = {\n        \"Accept\": \"application/json\",\n        \"Content-Type\": \"application/json\",\n    };\n\n    try {\n        const response = await fetch(delegatedAuthConfig.registration_endpoint, {\n            method: Method.Post,\n            headers,\n            body: JSON.stringify(metadata),\n        });\n\n        if (response.status >= 400) {\n            throw new Error(OidcError.DynamicRegistrationFailed);\n        }\n\n        const body = await response.json();\n        const clientId = body[\"client_id\"];\n        if (!clientId || typeof clientId !== \"string\") {\n            throw new Error(OidcError.DynamicRegistrationInvalid);\n        }\n\n        return clientId;\n    } catch (error) {\n        if (Object.values(OidcError).includes((error as Error).message as OidcError)) {\n            throw error;\n        } else {\n            logger.error(\"Dynamic registration request failed\", error);\n            throw new Error(OidcError.DynamicRegistrationFailed);\n        }\n    }\n};\n"],"mappings":";AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAGA,SAASA,SAAS,QAAQ,YAAY;AACtC,SAASC,MAAM,QAAQ,sBAAsB;AAC7C,SAASC,MAAM,QAAQ,cAAc;;AAGrC;AACA;AACA;;AAYA;AACA;AACA;;AAgBA,OAAO,IAAMC,iBAAiB,GAAG,8CAA8C;;AAE/E;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,kBAAkB;EAAA,IAAAC,IAAA,GAAAC,iBAAA,CAAG,WAC9BC,mBAAqC,EACrCC,cAA8C,EAC5B;IAClB,IAAI,CAACD,mBAAmB,CAACE,qBAAqB,EAAE;MAC5C,MAAM,IAAIC,KAAK,CAACV,SAAS,CAACW,+BAA+B,CAAC;IAC9D;IAEA,IAAMC,UAAiC,GAAG,CAAC,oBAAoB,EAAE,eAAe,CAAC;IACjF,IAAIA,UAAU,CAACC,IAAI,CAAEC,KAAK,IAAK,CAACP,mBAAmB,CAACQ,qBAAqB,CAACC,QAAQ,CAACF,KAAK,CAAC,CAAC,EAAE;MACxF,MAAM,IAAIJ,KAAK,CAACV,SAAS,CAACW,+BAA+B,CAAC;IAC9D;;IAEA;IACA,IAAMM,QAAqC,GAAG;MAC1CC,WAAW,EAAEV,cAAc,CAACW,UAAU;MACtCC,UAAU,EAAEZ,cAAc,CAACa,SAAS;MACpCC,cAAc,EAAE,CAAC,MAAM,CAAC;MACxBC,WAAW,EAAEX,UAAU;MACvBY,aAAa,EAAEhB,cAAc,CAACiB,YAAY;MAC1CC,4BAA4B,EAAE,OAAO;MACrCC,0BAA0B,EAAE,MAAM;MAClCC,gBAAgB,EAAEpB,cAAc,CAACqB,eAAe;MAChDC,QAAQ,EAAEtB,cAAc,CAACuB,OAAO;MAChCC,QAAQ,EAAExB,cAAc,CAACwB,QAAQ;MACjCC,UAAU,EAAEzB,cAAc,CAAC0B,SAAS;MACpCC,OAAO,EAAE3B,cAAc,CAAC4B;IAC5B,CAAC;IACD,IAAMC,OAAO,GAAG;MACZ,QAAQ,EAAE,kBAAkB;MAC5B,cAAc,EAAE;IACpB,CAAC;IAED,IAAI;MACA,IAAMC,QAAQ,SAASC,KAAK,CAAChC,mBAAmB,CAACE,qBAAqB,EAAE;QACpE+B,MAAM,EAAEvC,MAAM,CAACwC,IAAI;QACnBJ,OAAO;QACPK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC3B,QAAQ;MACjC,CAAC,CAAC;MAEF,IAAIqB,QAAQ,CAACO,MAAM,IAAI,GAAG,EAAE;QACxB,MAAM,IAAInC,KAAK,CAACV,SAAS,CAAC8C,yBAAyB,CAAC;MACxD;MAEA,IAAMJ,IAAI,SAASJ,QAAQ,CAACS,IAAI,CAAC,CAAC;MAClC,IAAMC,QAAQ,GAAGN,IAAI,CAAC,WAAW,CAAC;MAClC,IAAI,CAACM,QAAQ,IAAI,OAAOA,QAAQ,KAAK,QAAQ,EAAE;QAC3C,MAAM,IAAItC,KAAK,CAACV,SAAS,CAACiD,0BAA0B,CAAC;MACzD;MAEA,OAAOD,QAAQ;IACnB,CAAC,CAAC,OAAOE,KAAK,EAAE;MACZ,IAAIC,MAAM,CAACC,MAAM,CAACpD,SAAS,CAAC,CAACgB,QAAQ,CAAEkC,KAAK,CAAWG,OAAoB,CAAC,EAAE;QAC1E,MAAMH,KAAK;MACf,CAAC,MAAM;QACHhD,MAAM,CAACgD,KAAK,CAAC,qCAAqC,EAAEA,KAAK,CAAC;QAC1D,MAAM,IAAIxC,KAAK,CAACV,SAAS,CAAC8C,yBAAyB,CAAC;MACxD;IACJ;EACJ,CAAC;EAAA,gBA3DY1C,kBAAkBA,CAAAkD,EAAA,EAAAC,GAAA;IAAA,OAAAlD,IAAA,CAAAmD,KAAA,OAAAC,SAAA;EAAA;AAAA,GA2D9B","ignoreList":[]}

package/lib/oidc/tokenRefresher.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tokenRefresher.d.ts","sourceRoot":"","sources":["../../src/oidc/tokenRefresher.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAE,aAAa,EAAoC,MAAM,gBAAgB,CAAC;AAEjF,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAKpD;;;;;;GAMG;AACH,qBAAa,kBAAkB;IA4BvB;;;OAGG;IACH,OAAO,CAAC,QAAQ,CAAC,aAAa;IA/BlC;;;;;OAKG;IACH,SAAgB,eAAe,EAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChD,OAAO,CAAC,UAAU,CAAc;IAChC,OAAO,CAAC,sBAAsB,CAAC,CAAwB;;IAGnD;;OAEG;IACH,MAAM,EAAE,MAAM;IACd;;OAEG;IACH,QAAQ,EAAE,MAAM;IAChB;;OAEG;IACH,WAAW,EAAE,MAAM;IACnB;;OAEG;IACH,QAAQ,EAAE,MAAM;IAChB;;;OAGG;IACc,aAAa,EAAE,aAAa;YAKnC,oBAAoB;IAyBlC;;;;;OAKG;IACU,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAY9E;;;;;;;OAOG;IACU,aAAa,CAAC,MAAM,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;YAInF,YAAY;CA0B7B"}
+{"version":3,"file":"tokenRefresher.d.ts","sourceRoot":"","sources":["../../src/oidc/tokenRefresher.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAE,aAAa,EAAoC,MAAM,gBAAgB,CAAC;AAEjF,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAKpD;;;;;;GAMG;AACH,qBAAa,kBAAkB;IA4BvB;;;OAGG;IACH,OAAO,CAAC,QAAQ,CAAC,aAAa;IA/BlC;;;;;OAKG;IACH,SAAgB,eAAe,EAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChD,OAAO,CAAC,UAAU,CAAc;IAChC,OAAO,CAAC,sBAAsB,CAAC,CAAwB;;IAGnD;;OAEG;IACH,MAAM,EAAE,MAAM;IACd;;OAEG;IACH,QAAQ,EAAE,MAAM;IAChB;;OAEG;IACH,WAAW,EAAE,MAAM;IACnB;;OAEG;IACH,QAAQ,EAAE,MAAM;IAChB;;;OAGG;IACc,aAAa,EAAE,aAAa;YAKnC,oBAAoB;IA0BlC;;;;;OAKG;IACU,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAY9E;;;;;;;OAOG;IACU,aAAa,CAAC,MAAM,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;YAInF,YAAY;CA0B7B"}

package/lib/oidc/tokenRefresher.js

@@ -1,7 +1,5 @@
 import _asyncToGenerator from "@babel/runtime/helpers/asyncToGenerator";
 import _defineProperty from "@babel/runtime/helpers/defineProperty";
-function ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
-function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys(Object(t), !0).forEach(function (r) { _defineProperty(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
 /*
 Copyright 2023 The Matrix.org Foundation C.I.C.
 
@@ -69,18 +67,21 @@ export class OidcTokenRefresher {
     var _this = this;
     return _asyncToGenerator(function* () {
       try {
+        var _config$signingKeys;
         var config = yield discoverAndValidateOIDCIssuerWellKnown(issuer);
         var scope = generateScope(deviceId);
-        _this.oidcClient = new OidcClient(_objectSpread(_objectSpread({}, config.metadata), {}, {
+        _this.oidcClient = new OidcClient({
+          metadata: config,
+          signingKeys: (_config$signingKeys = config.signingKeys) !== null && _config$signingKeys !== void 0 ? _config$signingKeys : undefined,
           client_id: clientId,
           scope,
           redirect_uri: redirectUri,
-          authority: config.metadata.issuer,
+          authority: config.issuer,
           stateStore: new WebStorageStateStore({
             prefix: "mx_oidc_",
             store: window.sessionStorage
           })
-        }));
+        });
       } catch (error) {
         logger.error("Failed to initialise OIDC client.", error);
         throw new Error("Failed to initialise OIDC client.");

package/lib/oidc/tokenRefresher.js.map

@@ -1 +1 @@
-{"version":3,"file":"tokenRefresher.js","names":["OidcClient","WebStorageStateStore","generateScope","discoverAndValidateOIDCIssuerWellKnown","logger","OidcTokenRefresher","constructor","issuer","clientId","redirectUri","deviceId","idTokenClaims","_defineProperty","oidcClientReady","initialiseOidcClient","_this","_asyncToGenerator","config","scope","oidcClient","_objectSpread","metadata","client_id","redirect_uri","authority","stateStore","prefix","store","window","sessionStorage","error","Error","doRefreshAccessToken","refreshToken","_this2","inflightRefreshRequest","getNewTokens","tokens","undefined","persistTokens","_this3","refreshTokenState","refresh_token","session_state","data","profile","response","useRefreshToken","state","timeoutInSeconds","accessToken","access_token"],"sources":["../../src/oidc/tokenRefresher.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { IdTokenClaims, OidcClient, WebStorageStateStore } from \"oidc-client-ts\";\n\nimport { AccessTokens } from \"../http-api/index.ts\";\nimport { generateScope } from \"./authorize.ts\";\nimport { discoverAndValidateOIDCIssuerWellKnown } from \"./discovery.ts\";\nimport { logger } from \"../logger.ts\";\n\n/**\n * @experimental\n * Class responsible for refreshing OIDC access tokens\n *\n * Client implementations will likely want to override {@link persistTokens} to persist tokens after successful refresh\n *\n */\nexport class OidcTokenRefresher {\n    /**\n     * Promise which will complete once the OidcClient has been initialised\n     * and is ready to start refreshing tokens.\n     *\n     * Will reject if the client initialisation fails.\n     */\n    public readonly oidcClientReady!: Promise<void>;\n    private oidcClient!: OidcClient;\n    private inflightRefreshRequest?: Promise<AccessTokens>;\n\n    public constructor(\n        /**\n         * The OIDC issuer as returned by the /auth_issuer API\n         */\n        issuer: string,\n        /**\n         * id of this client as registered with the OP\n         */\n        clientId: string,\n        /**\n         * redirectUri as registered with OP\n         */\n        redirectUri: string,\n        /**\n         * Device ID of current session\n         */\n        deviceId: string,\n        /**\n         * idTokenClaims as returned from authorization grant\n         * used to validate tokens\n         */\n        private readonly idTokenClaims: IdTokenClaims,\n    ) {\n        this.oidcClientReady = this.initialiseOidcClient(issuer, clientId, deviceId, redirectUri);\n    }\n\n    private async initialiseOidcClient(\n        issuer: string,\n        clientId: string,\n        deviceId: string,\n        redirectUri: string,\n    ): Promise<void> {\n        try {\n            const config = await discoverAndValidateOIDCIssuerWellKnown(issuer);\n\n            const scope = generateScope(deviceId);\n\n            this.oidcClient = new OidcClient({\n                ...config.metadata,\n                client_id: clientId,\n                scope,\n                redirect_uri: redirectUri,\n                authority: config.metadata.issuer,\n                stateStore: new WebStorageStateStore({ prefix: \"mx_oidc_\", store: window.sessionStorage }),\n            });\n        } catch (error) {\n            logger.error(\"Failed to initialise OIDC client.\", error);\n            throw new Error(\"Failed to initialise OIDC client.\");\n        }\n    }\n\n    /**\n     * Attempt token refresh using given refresh token\n     * @param refreshToken - refresh token to use in request with token issuer\n     * @returns tokens - Promise that resolves with new access and refresh tokens\n     * @throws when token refresh fails\n     */\n    public async doRefreshAccessToken(refreshToken: string): Promise<AccessTokens> {\n        if (!this.inflightRefreshRequest) {\n            this.inflightRefreshRequest = this.getNewTokens(refreshToken);\n        }\n        try {\n            const tokens = await this.inflightRefreshRequest;\n            return tokens;\n        } finally {\n            this.inflightRefreshRequest = undefined;\n        }\n    }\n\n    /**\n     * Persist the new tokens, called after tokens are successfully refreshed.\n     *\n     * This function is intended to be overriden by the consumer when persistence is necessary.\n     *\n     * @param tokens.accessToken - new access token\n     * @param tokens.refreshToken - OPTIONAL new refresh token\n     */\n    public async persistTokens(tokens: { accessToken: string; refreshToken?: string }): Promise<void> {\n        // NOOP\n    }\n\n    private async getNewTokens(refreshToken: string): Promise<AccessTokens> {\n        if (!this.oidcClient) {\n            throw new Error(\"Cannot get new token before OIDC client is initialised.\");\n        }\n\n        const refreshTokenState = {\n            refresh_token: refreshToken,\n            session_state: \"test\",\n            data: undefined,\n            profile: this.idTokenClaims,\n        };\n\n        const response = await this.oidcClient.useRefreshToken({\n            state: refreshTokenState,\n            timeoutInSeconds: 300,\n        });\n\n        const tokens = {\n            accessToken: response.access_token,\n            refreshToken: response.refresh_token,\n        };\n\n        await this.persistTokens(tokens);\n\n        return tokens;\n    }\n}\n"],"mappings":";;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAAwBA,UAAU,EAAEC,oBAAoB,QAAQ,gBAAgB;AAGhF,SAASC,aAAa,QAAQ,gBAAgB;AAC9C,SAASC,sCAAsC,QAAQ,gBAAgB;AACvE,SAASC,MAAM,QAAQ,cAAc;;AAErC;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,kBAAkB,CAAC;EAWrBC,WAAWA;EACd;AACR;AACA;EACQC,MAAc;EACd;AACR;AACA;EACQC,QAAgB;EAChB;AACR;AACA;EACQC,WAAmB;EACnB;AACR;AACA;EACQC,QAAgB;EAChB;AACR;AACA;AACA;EACyBC,aAA4B,EAC/C;IAAA,KADmBA,aAA4B,GAA5BA,aAA4B;IA/BjD;AACJ;AACA;AACA;AACA;AACA;IALIC,eAAA;IAAAA,eAAA;IAAAA,eAAA;IAiCI,IAAI,CAACC,eAAe,GAAG,IAAI,CAACC,oBAAoB,CAACP,MAAM,EAAEC,QAAQ,EAAEE,QAAQ,EAAED,WAAW,CAAC;EAC7F;EAEcK,oBAAoBA,CAC9BP,MAAc,EACdC,QAAgB,EAChBE,QAAgB,EAChBD,WAAmB,EACN;IAAA,IAAAM,KAAA;IAAA,OAAAC,iBAAA;MACb,IAAI;QACA,IAAMC,MAAM,SAASd,sCAAsC,CAACI,MAAM,CAAC;QAEnE,IAAMW,KAAK,GAAGhB,aAAa,CAACQ,QAAQ,CAAC;QAErCK,KAAI,CAACI,UAAU,GAAG,IAAInB,UAAU,CAAAoB,aAAA,CAAAA,aAAA,KACzBH,MAAM,CAACI,QAAQ;UAClBC,SAAS,EAAEd,QAAQ;UACnBU,KAAK;UACLK,YAAY,EAAEd,WAAW;UACzBe,SAAS,EAAEP,MAAM,CAACI,QAAQ,CAACd,MAAM;UACjCkB,UAAU,EAAE,IAAIxB,oBAAoB,CAAC;YAAEyB,MAAM,EAAE,UAAU;YAAEC,KAAK,EAAEC,MAAM,CAACC;UAAe,CAAC;QAAC,EAC7F,CAAC;MACN,CAAC,CAAC,OAAOC,KAAK,EAAE;QACZ1B,MAAM,CAAC0B,KAAK,CAAC,mCAAmC,EAAEA,KAAK,CAAC;QACxD,MAAM,IAAIC,KAAK,CAAC,mCAAmC,CAAC;MACxD;IAAC;EACL;;EAEA;AACJ;AACA;AACA;AACA;AACA;EACiBC,oBAAoBA,CAACC,YAAoB,EAAyB;IAAA,IAAAC,MAAA;IAAA,OAAAlB,iBAAA;MAC3E,IAAI,CAACkB,MAAI,CAACC,sBAAsB,EAAE;QAC9BD,MAAI,CAACC,sBAAsB,GAAGD,MAAI,CAACE,YAAY,CAACH,YAAY,CAAC;MACjE;MACA,IAAI;QACA,IAAMI,MAAM,SAASH,MAAI,CAACC,sBAAsB;QAChD,OAAOE,MAAM;MACjB,CAAC,SAAS;QACNH,MAAI,CAACC,sBAAsB,GAAGG,SAAS;MAC3C;IAAC;EACL;;EAEA;AACJ;AACA;AACA;AACA;AACA;AACA;AACA;EACiBC,aAAaA,CAACF,MAAsD,EAAiB;IAAA,OAAArB,iBAAA;EAElG,CAAC,CADG;EAGUoB,YAAYA,CAACH,YAAoB,EAAyB;IAAA,IAAAO,MAAA;IAAA,OAAAxB,iBAAA;MACpE,IAAI,CAACwB,MAAI,CAACrB,UAAU,EAAE;QAClB,MAAM,IAAIY,KAAK,CAAC,yDAAyD,CAAC;MAC9E;MAEA,IAAMU,iBAAiB,GAAG;QACtBC,aAAa,EAAET,YAAY;QAC3BU,aAAa,EAAE,MAAM;QACrBC,IAAI,EAAEN,SAAS;QACfO,OAAO,EAAEL,MAAI,CAAC7B;MAClB,CAAC;MAED,IAAMmC,QAAQ,SAASN,MAAI,CAACrB,UAAU,CAAC4B,eAAe,CAAC;QACnDC,KAAK,EAAEP,iBAAiB;QACxBQ,gBAAgB,EAAE;MACtB,CAAC,CAAC;MAEF,IAAMZ,MAAM,GAAG;QACXa,WAAW,EAAEJ,QAAQ,CAACK,YAAY;QAClClB,YAAY,EAAEa,QAAQ,CAACJ;MAC3B,CAAC;MAED,MAAMF,MAAI,CAACD,aAAa,CAACF,MAAM,CAAC;MAEhC,OAAOA,MAAM;IAAC;EAClB;AACJ","ignoreList":[]}
+{"version":3,"file":"tokenRefresher.js","names":["OidcClient","WebStorageStateStore","generateScope","discoverAndValidateOIDCIssuerWellKnown","logger","OidcTokenRefresher","constructor","issuer","clientId","redirectUri","deviceId","idTokenClaims","_defineProperty","oidcClientReady","initialiseOidcClient","_this","_asyncToGenerator","_config$signingKeys","config","scope","oidcClient","metadata","signingKeys","undefined","client_id","redirect_uri","authority","stateStore","prefix","store","window","sessionStorage","error","Error","doRefreshAccessToken","refreshToken","_this2","inflightRefreshRequest","getNewTokens","tokens","persistTokens","_this3","refreshTokenState","refresh_token","session_state","data","profile","response","useRefreshToken","state","timeoutInSeconds","accessToken","access_token"],"sources":["../../src/oidc/tokenRefresher.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { IdTokenClaims, OidcClient, WebStorageStateStore } from \"oidc-client-ts\";\n\nimport { AccessTokens } from \"../http-api/index.ts\";\nimport { generateScope } from \"./authorize.ts\";\nimport { discoverAndValidateOIDCIssuerWellKnown } from \"./discovery.ts\";\nimport { logger } from \"../logger.ts\";\n\n/**\n * @experimental\n * Class responsible for refreshing OIDC access tokens\n *\n * Client implementations will likely want to override {@link persistTokens} to persist tokens after successful refresh\n *\n */\nexport class OidcTokenRefresher {\n    /**\n     * Promise which will complete once the OidcClient has been initialised\n     * and is ready to start refreshing tokens.\n     *\n     * Will reject if the client initialisation fails.\n     */\n    public readonly oidcClientReady!: Promise<void>;\n    private oidcClient!: OidcClient;\n    private inflightRefreshRequest?: Promise<AccessTokens>;\n\n    public constructor(\n        /**\n         * The OIDC issuer as returned by the /auth_issuer API\n         */\n        issuer: string,\n        /**\n         * id of this client as registered with the OP\n         */\n        clientId: string,\n        /**\n         * redirectUri as registered with OP\n         */\n        redirectUri: string,\n        /**\n         * Device ID of current session\n         */\n        deviceId: string,\n        /**\n         * idTokenClaims as returned from authorization grant\n         * used to validate tokens\n         */\n        private readonly idTokenClaims: IdTokenClaims,\n    ) {\n        this.oidcClientReady = this.initialiseOidcClient(issuer, clientId, deviceId, redirectUri);\n    }\n\n    private async initialiseOidcClient(\n        issuer: string,\n        clientId: string,\n        deviceId: string,\n        redirectUri: string,\n    ): Promise<void> {\n        try {\n            const config = await discoverAndValidateOIDCIssuerWellKnown(issuer);\n\n            const scope = generateScope(deviceId);\n\n            this.oidcClient = new OidcClient({\n                metadata: config,\n                signingKeys: config.signingKeys ?? undefined,\n                client_id: clientId,\n                scope,\n                redirect_uri: redirectUri,\n                authority: config.issuer,\n                stateStore: new WebStorageStateStore({ prefix: \"mx_oidc_\", store: window.sessionStorage }),\n            });\n        } catch (error) {\n            logger.error(\"Failed to initialise OIDC client.\", error);\n            throw new Error(\"Failed to initialise OIDC client.\");\n        }\n    }\n\n    /**\n     * Attempt token refresh using given refresh token\n     * @param refreshToken - refresh token to use in request with token issuer\n     * @returns tokens - Promise that resolves with new access and refresh tokens\n     * @throws when token refresh fails\n     */\n    public async doRefreshAccessToken(refreshToken: string): Promise<AccessTokens> {\n        if (!this.inflightRefreshRequest) {\n            this.inflightRefreshRequest = this.getNewTokens(refreshToken);\n        }\n        try {\n            const tokens = await this.inflightRefreshRequest;\n            return tokens;\n        } finally {\n            this.inflightRefreshRequest = undefined;\n        }\n    }\n\n    /**\n     * Persist the new tokens, called after tokens are successfully refreshed.\n     *\n     * This function is intended to be overriden by the consumer when persistence is necessary.\n     *\n     * @param tokens.accessToken - new access token\n     * @param tokens.refreshToken - OPTIONAL new refresh token\n     */\n    public async persistTokens(tokens: { accessToken: string; refreshToken?: string }): Promise<void> {\n        // NOOP\n    }\n\n    private async getNewTokens(refreshToken: string): Promise<AccessTokens> {\n        if (!this.oidcClient) {\n            throw new Error(\"Cannot get new token before OIDC client is initialised.\");\n        }\n\n        const refreshTokenState = {\n            refresh_token: refreshToken,\n            session_state: \"test\",\n            data: undefined,\n            profile: this.idTokenClaims,\n        };\n\n        const response = await this.oidcClient.useRefreshToken({\n            state: refreshTokenState,\n            timeoutInSeconds: 300,\n        });\n\n        const tokens = {\n            accessToken: response.access_token,\n            refreshToken: response.refresh_token,\n        };\n\n        await this.persistTokens(tokens);\n\n        return tokens;\n    }\n}\n"],"mappings":";;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAAwBA,UAAU,EAAEC,oBAAoB,QAAQ,gBAAgB;AAGhF,SAASC,aAAa,QAAQ,gBAAgB;AAC9C,SAASC,sCAAsC,QAAQ,gBAAgB;AACvE,SAASC,MAAM,QAAQ,cAAc;;AAErC;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,kBAAkB,CAAC;EAWrBC,WAAWA;EACd;AACR;AACA;EACQC,MAAc;EACd;AACR;AACA;EACQC,QAAgB;EAChB;AACR;AACA;EACQC,WAAmB;EACnB;AACR;AACA;EACQC,QAAgB;EAChB;AACR;AACA;AACA;EACyBC,aAA4B,EAC/C;IAAA,KADmBA,aAA4B,GAA5BA,aAA4B;IA/BjD;AACJ;AACA;AACA;AACA;AACA;IALIC,eAAA;IAAAA,eAAA;IAAAA,eAAA;IAiCI,IAAI,CAACC,eAAe,GAAG,IAAI,CAACC,oBAAoB,CAACP,MAAM,EAAEC,QAAQ,EAAEE,QAAQ,EAAED,WAAW,CAAC;EAC7F;EAEcK,oBAAoBA,CAC9BP,MAAc,EACdC,QAAgB,EAChBE,QAAgB,EAChBD,WAAmB,EACN;IAAA,IAAAM,KAAA;IAAA,OAAAC,iBAAA;MACb,IAAI;QAAA,IAAAC,mBAAA;QACA,IAAMC,MAAM,SAASf,sCAAsC,CAACI,MAAM,CAAC;QAEnE,IAAMY,KAAK,GAAGjB,aAAa,CAACQ,QAAQ,CAAC;QAErCK,KAAI,CAACK,UAAU,GAAG,IAAIpB,UAAU,CAAC;UAC7BqB,QAAQ,EAAEH,MAAM;UAChBI,WAAW,GAAAL,mBAAA,GAAEC,MAAM,CAACI,WAAW,cAAAL,mBAAA,cAAAA,mBAAA,GAAIM,SAAS;UAC5CC,SAAS,EAAEhB,QAAQ;UACnBW,KAAK;UACLM,YAAY,EAAEhB,WAAW;UACzBiB,SAAS,EAAER,MAAM,CAACX,MAAM;UACxBoB,UAAU,EAAE,IAAI1B,oBAAoB,CAAC;YAAE2B,MAAM,EAAE,UAAU;YAAEC,KAAK,EAAEC,MAAM,CAACC;UAAe,CAAC;QAC7F,CAAC,CAAC;MACN,CAAC,CAAC,OAAOC,KAAK,EAAE;QACZ5B,MAAM,CAAC4B,KAAK,CAAC,mCAAmC,EAAEA,KAAK,CAAC;QACxD,MAAM,IAAIC,KAAK,CAAC,mCAAmC,CAAC;MACxD;IAAC;EACL;;EAEA;AACJ;AACA;AACA;AACA;AACA;EACiBC,oBAAoBA,CAACC,YAAoB,EAAyB;IAAA,IAAAC,MAAA;IAAA,OAAApB,iBAAA;MAC3E,IAAI,CAACoB,MAAI,CAACC,sBAAsB,EAAE;QAC9BD,MAAI,CAACC,sBAAsB,GAAGD,MAAI,CAACE,YAAY,CAACH,YAAY,CAAC;MACjE;MACA,IAAI;QACA,IAAMI,MAAM,SAASH,MAAI,CAACC,sBAAsB;QAChD,OAAOE,MAAM;MACjB,CAAC,SAAS;QACNH,MAAI,CAACC,sBAAsB,GAAGd,SAAS;MAC3C;IAAC;EACL;;EAEA;AACJ;AACA;AACA;AACA;AACA;AACA;AACA;EACiBiB,aAAaA,CAACD,MAAsD,EAAiB;IAAA,OAAAvB,iBAAA;EAElG,CAAC,CADG;EAGUsB,YAAYA,CAACH,YAAoB,EAAyB;IAAA,IAAAM,MAAA;IAAA,OAAAzB,iBAAA;MACpE,IAAI,CAACyB,MAAI,CAACrB,UAAU,EAAE;QAClB,MAAM,IAAIa,KAAK,CAAC,yDAAyD,CAAC;MAC9E;MAEA,IAAMS,iBAAiB,GAAG;QACtBC,aAAa,EAAER,YAAY;QAC3BS,aAAa,EAAE,MAAM;QACrBC,IAAI,EAAEtB,SAAS;QACfuB,OAAO,EAAEL,MAAI,CAAC9B;MAClB,CAAC;MAED,IAAMoC,QAAQ,SAASN,MAAI,CAACrB,UAAU,CAAC4B,eAAe,CAAC;QACnDC,KAAK,EAAEP,iBAAiB;QACxBQ,gBAAgB,EAAE;MACtB,CAAC,CAAC;MAEF,IAAMX,MAAM,GAAG;QACXY,WAAW,EAAEJ,QAAQ,CAACK,YAAY;QAClCjB,YAAY,EAAEY,QAAQ,CAACJ;MAC3B,CAAC;MAED,MAAMF,MAAI,CAACD,aAAa,CAACD,MAAM,CAAC;MAEhC,OAAOA,MAAM;IAAC;EAClB;AACJ","ignoreList":[]}

package/lib/oidc/validate.d.ts

@@ -1,36 +1,22 @@
 import { IdTokenClaims, OidcMetadata, SigninResponse } from "oidc-client-ts";
-export type ValidatedIssuerConfig = {
-    authorizationEndpoint: string;
-    tokenEndpoint: string;
-    registrationEndpoint?: string;
-    accountManagementEndpoint?: string;
-    accountManagementActionsSupported?: string[];
-};
-/**
- * Validates issuer `.well-known/openid-configuration`
- * As defined in RFC5785 https://openid.net/specs/openid-connect-discovery-1_0.html
- * validates that OP is compatible with Element's OIDC flow
- * @param wellKnown - json object
- * @returns valid issuer config
- * @throws Error - when issuer config is not found or is invalid
- */
-export declare const validateOIDCIssuerWellKnown: (wellKnown: unknown) => ValidatedIssuerConfig;
 /**
  * Metadata from OIDC authority discovery
  * With validated properties required in type
  */
-export type ValidatedIssuerMetadata = Partial<OidcMetadata> & Pick<OidcMetadata, "issuer" | "authorization_endpoint" | "token_endpoint" | "registration_endpoint" | "revocation_endpoint" | "response_types_supported" | "grant_types_supported" | "code_challenge_methods_supported" | "device_authorization_endpoint"> & {
+export type ValidatedAuthMetadata = Partial<OidcMetadata> & Pick<OidcMetadata, "issuer" | "authorization_endpoint" | "token_endpoint" | "revocation_endpoint" | "response_types_supported" | "grant_types_supported" | "code_challenge_methods_supported"> & {
     account_management_uri?: string;
     account_management_actions_supported?: string[];
+    prompt_values_supported?: string[];
 };
 /**
- * Wraps validateOIDCIssuerWellKnown in a type assertion
- * that asserts expected properties are present
- * (Typescript assertions cannot be arrow functions)
- * @param metadata - issuer openid-configuration response
- * @throws when metadata validation fails
+ * Validates issuer `.well-known/openid-configuration`
+ * As defined in RFC5785 https://openid.net/specs/openid-connect-discovery-1_0.html
+ * validates that OP is compatible with Element's OIDC flow
+ * @param authMetadata - json object
+ * @returns valid issuer config
+ * @throws Error - when issuer config is not found or is invalid
  */
-export declare function isValidatedIssuerMetadata(metadata: Partial<OidcMetadata>): asserts metadata is ValidatedIssuerMetadata;
+export declare const validateAuthMetadata: (authMetadata: unknown) => ValidatedAuthMetadata;
 export declare const decodeIdToken: (token: string) => IdTokenClaims;
 /**
  * Validate idToken

package/lib/oidc/validate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../src/oidc/validate.ts"],"names":[],"mappings":"AAiBA,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAK7E,MAAM,MAAM,qBAAqB,GAAG;IAChC,qBAAqB,EAAE,MAAM,CAAC;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,yBAAyB,CAAC,EAAE,MAAM,CAAC;IACnC,iCAAiC,CAAC,EAAE,MAAM,EAAE,CAAC;CAChD,CAAC;AAqCF;;;;;;;GAOG;AACH,eAAO,MAAM,2BAA2B,cAAe,OAAO,KAAG,qBA+BhE,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,uBAAuB,GAAG,OAAO,CAAC,YAAY,CAAC,GACvD,IAAI,CACA,YAAY,EACV,QAAQ,GACR,wBAAwB,GACxB,gBAAgB,GAChB,uBAAuB,GACvB,qBAAqB,GACrB,0BAA0B,GAC1B,uBAAuB,GACvB,kCAAkC,GAClC,+BAA+B,CACpC,GAAG;IAEA,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,oCAAoC,CAAC,EAAE,MAAM,EAAE,CAAC;CACnD,CAAC;AAEN;;;;;;GAMG;AACH,wBAAgB,yBAAyB,CACrC,QAAQ,EAAE,OAAO,CAAC,YAAY,CAAC,GAChC,OAAO,CAAC,QAAQ,IAAI,uBAAuB,CAE7C;AAED,eAAO,MAAM,aAAa,UAAW,MAAM,KAAG,aAO7C,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,eAAe,YACf,MAAM,GAAG,SAAS,UACnB,MAAM,YACJ,MAAM,SACT,MAAM,GAAG,SAAS,KAC1B,IAwCF,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,SAAS,GAAG;IACpB;;OAEG;IACH,aAAa,EAAE,MAAM,CAAC;IACtB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;CACjB,CAAC;AACF;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,SAAS,EAAE,OAAO,GAAG,OAAO,CAAC,SAAS,IAAI,SAAS,CAc1F;AAED;;;;;;GAMG;AACH,MAAM,MAAM,mBAAmB,GAAG;IAC9B,UAAU,EAAE,QAAQ,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF;;GAEG;AACH,KAAK,mBAAmB,GAAG,cAAc,GACrC,mBAAmB,GAAG;IAClB,UAAU,EAAE,QAAQ,GAAG,QAAQ,CAAC;CACnC,CAAC;AAWN,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,IAAI,mBAAmB,CAItG"}
+{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../src/oidc/validate.ts"],"names":[],"mappings":"AAiBA,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAK7E;;;GAGG;AACH,MAAM,MAAM,qBAAqB,GAAG,OAAO,CAAC,YAAY,CAAC,GACrD,IAAI,CACA,YAAY,EACV,QAAQ,GACR,wBAAwB,GACxB,gBAAgB,GAChB,qBAAqB,GACrB,0BAA0B,GAC1B,uBAAuB,GACvB,kCAAkC,CACvC,GAAG;IAEA,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,oCAAoC,CAAC,EAAE,MAAM,EAAE,CAAC;IAGhD,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;CACtC,CAAC;AAqCN;;;;;;;GAOG;AACH,eAAO,MAAM,oBAAoB,iBAAkB,OAAO,KAAG,qBA2B5D,CAAC;AAEF,eAAO,MAAM,aAAa,UAAW,MAAM,KAAG,aAO7C,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,eAAe,YACf,MAAM,GAAG,SAAS,UACnB,MAAM,YACJ,MAAM,SACT,MAAM,GAAG,SAAS,KAC1B,IAyCF,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,SAAS,GAAG;IACpB;;OAEG;IACH,aAAa,EAAE,MAAM,CAAC;IACtB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;CACjB,CAAC;AACF;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,SAAS,EAAE,OAAO,GAAG,OAAO,CAAC,SAAS,IAAI,SAAS,CAc1F;AAED;;;;;;GAMG;AACH,MAAM,MAAM,mBAAmB,GAAG;IAC9B,UAAU,EAAE,QAAQ,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF;;GAEG;AACH,KAAK,mBAAmB,GAAG,cAAc,GACrC,mBAAmB,GAAG;IAClB,UAAU,EAAE,QAAQ,GAAG,QAAQ,CAAC;CACnC,CAAC;AAWN,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,IAAI,mBAAmB,CAItG"}

package/lib/oidc/validate.js

@@ -17,6 +17,12 @@ limitations under the License.
 import { jwtDecode } from "jwt-decode";
 import { logger } from "../logger.js";
 import { OidcError } from "./error.js";
+
+/**
+ * Metadata from OIDC authority discovery
+ * With validated properties required in type
+ */
+
 var isRecord = value => !!value && typeof value === "object" && !Array.isArray(value);
 var requiredStringProperty = (wellKnown, key) => {
   if (!wellKnown[key] || !optionalStringProperty(wellKnown, key)) {
@@ -52,44 +58,22 @@ var requiredArrayValue = (wellKnown, key, value) => {
  * Validates issuer `.well-known/openid-configuration`
  * As defined in RFC5785 https://openid.net/specs/openid-connect-discovery-1_0.html
  * validates that OP is compatible with Element's OIDC flow
- * @param wellKnown - json object
+ * @param authMetadata - json object
  * @returns valid issuer config
  * @throws Error - when issuer config is not found or is invalid
  */
-export var validateOIDCIssuerWellKnown = wellKnown => {
-  if (!isRecord(wellKnown)) {
+export var validateAuthMetadata = authMetadata => {
+  if (!isRecord(authMetadata)) {
     logger.error("Issuer configuration not found or malformed");
     throw new Error(OidcError.OpSupport);
   }
-  var isInvalid = [requiredStringProperty(wellKnown, "authorization_endpoint"), requiredStringProperty(wellKnown, "token_endpoint"), requiredStringProperty(wellKnown, "revocation_endpoint"), optionalStringProperty(wellKnown, "registration_endpoint"), optionalStringProperty(wellKnown, "account_management_uri"), optionalStringProperty(wellKnown, "device_authorization_endpoint"), optionalStringArrayProperty(wellKnown, "account_management_actions_supported"), requiredArrayValue(wellKnown, "response_types_supported", "code"), requiredArrayValue(wellKnown, "grant_types_supported", "authorization_code"), requiredArrayValue(wellKnown, "code_challenge_methods_supported", "S256")].some(isValid => !isValid);
+  var isInvalid = [requiredStringProperty(authMetadata, "issuer"), requiredStringProperty(authMetadata, "authorization_endpoint"), requiredStringProperty(authMetadata, "token_endpoint"), requiredStringProperty(authMetadata, "revocation_endpoint"), optionalStringProperty(authMetadata, "registration_endpoint"), optionalStringProperty(authMetadata, "account_management_uri"), optionalStringProperty(authMetadata, "device_authorization_endpoint"), optionalStringArrayProperty(authMetadata, "account_management_actions_supported"), requiredArrayValue(authMetadata, "response_types_supported", "code"), requiredArrayValue(authMetadata, "grant_types_supported", "authorization_code"), requiredArrayValue(authMetadata, "code_challenge_methods_supported", "S256"), optionalStringArrayProperty(authMetadata, "prompt_values_supported")].some(isValid => !isValid);
   if (!isInvalid) {
-    return {
-      authorizationEndpoint: wellKnown["authorization_endpoint"],
-      tokenEndpoint: wellKnown["token_endpoint"],
-      registrationEndpoint: wellKnown["registration_endpoint"],
-      accountManagementEndpoint: wellKnown["account_management_uri"],
-      accountManagementActionsSupported: wellKnown["account_management_actions_supported"]
-    };
+    return authMetadata;
   }
   logger.error("Issuer configuration not valid");
   throw new Error(OidcError.OpSupport);
 };
-
-/**
- * Metadata from OIDC authority discovery
- * With validated properties required in type
- */
-
-/**
- * Wraps validateOIDCIssuerWellKnown in a type assertion
- * that asserts expected properties are present
- * (Typescript assertions cannot be arrow functions)
- * @param metadata - issuer openid-configuration response
- * @throws when metadata validation fails
- */
-export function isValidatedIssuerMetadata(metadata) {
-  validateOIDCIssuerWellKnown(metadata);
-}
 export var decodeIdToken = token => {
   try {
     return jwtDecode(token);
@@ -125,7 +109,8 @@ export var validateIdToken = (idToken, issuer, clientId, nonce) => {
      * The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
      * EW: Don't accept tokens with other untrusted audiences
      * */
-    if (claims.aud !== clientId) {
+    var sanitisedAuds = typeof claims.aud === "string" ? [claims.aud] : claims.aud;
+    if (!sanitisedAuds.includes(clientId)) {
       throw new Error("Invalid audience");
     }
 

package/lib/oidc/validate.js.map

@@ -1 +1 @@
-{"version":3,"file":"validate.js","names":["jwtDecode","logger","OidcError","isRecord","value","Array","isArray","requiredStringProperty","wellKnown","key","optionalStringProperty","error","concat","optionalStringArrayProperty","every","v","requiredArrayValue","array","includes","validateOIDCIssuerWellKnown","Error","OpSupport","isInvalid","some","isValid","authorizationEndpoint","tokenEndpoint","registrationEndpoint","accountManagementEndpoint","accountManagementActionsSupported","isValidatedIssuerMetadata","metadata","decodeIdToken","token","validateIdToken","idToken","issuer","clientId","nonce","claims","iss","aud","undefined","exp","Date","now","InvalidIdToken","validateStoredUserState","userState","MissingOrInvalidStoredState","isValidBearerTokenResponse","response","toLowerCase","validateBearerTokenResponse","InvalidBearerTokenResponse"],"sources":["../../src/oidc/validate.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { jwtDecode } from \"jwt-decode\";\nimport { IdTokenClaims, OidcMetadata, SigninResponse } from \"oidc-client-ts\";\n\nimport { logger } from \"../logger.ts\";\nimport { OidcError } from \"./error.ts\";\n\nexport type ValidatedIssuerConfig = {\n    authorizationEndpoint: string;\n    tokenEndpoint: string;\n    registrationEndpoint?: string;\n    accountManagementEndpoint?: string;\n    accountManagementActionsSupported?: string[];\n};\n\nconst isRecord = (value: unknown): value is Record<string, unknown> =>\n    !!value && typeof value === \"object\" && !Array.isArray(value);\nconst requiredStringProperty = (wellKnown: Record<string, unknown>, key: string): boolean => {\n    if (!wellKnown[key] || !optionalStringProperty(wellKnown, key)) {\n        logger.error(`Missing or invalid property: ${key}`);\n        return false;\n    }\n    return true;\n};\nconst optionalStringProperty = (wellKnown: Record<string, unknown>, key: string): boolean => {\n    if (!!wellKnown[key] && typeof wellKnown[key] !== \"string\") {\n        logger.error(`Invalid property: ${key}`);\n        return false;\n    }\n    return true;\n};\nconst optionalStringArrayProperty = (wellKnown: Record<string, unknown>, key: string): boolean => {\n    if (\n        !!wellKnown[key] &&\n        (!Array.isArray(wellKnown[key]) || !(<unknown[]>wellKnown[key]).every((v) => typeof v === \"string\"))\n    ) {\n        logger.error(`Invalid property: ${key}`);\n        return false;\n    }\n    return true;\n};\nconst requiredArrayValue = (wellKnown: Record<string, unknown>, key: string, value: any): boolean => {\n    const array = wellKnown[key];\n    if (!array || !Array.isArray(array) || !array.includes(value)) {\n        logger.error(`Invalid property: ${key}. ${value} is required.`);\n        return false;\n    }\n    return true;\n};\n\n/**\n * Validates issuer `.well-known/openid-configuration`\n * As defined in RFC5785 https://openid.net/specs/openid-connect-discovery-1_0.html\n * validates that OP is compatible with Element's OIDC flow\n * @param wellKnown - json object\n * @returns valid issuer config\n * @throws Error - when issuer config is not found or is invalid\n */\nexport const validateOIDCIssuerWellKnown = (wellKnown: unknown): ValidatedIssuerConfig => {\n    if (!isRecord(wellKnown)) {\n        logger.error(\"Issuer configuration not found or malformed\");\n        throw new Error(OidcError.OpSupport);\n    }\n\n    const isInvalid = [\n        requiredStringProperty(wellKnown, \"authorization_endpoint\"),\n        requiredStringProperty(wellKnown, \"token_endpoint\"),\n        requiredStringProperty(wellKnown, \"revocation_endpoint\"),\n        optionalStringProperty(wellKnown, \"registration_endpoint\"),\n        optionalStringProperty(wellKnown, \"account_management_uri\"),\n        optionalStringProperty(wellKnown, \"device_authorization_endpoint\"),\n        optionalStringArrayProperty(wellKnown, \"account_management_actions_supported\"),\n        requiredArrayValue(wellKnown, \"response_types_supported\", \"code\"),\n        requiredArrayValue(wellKnown, \"grant_types_supported\", \"authorization_code\"),\n        requiredArrayValue(wellKnown, \"code_challenge_methods_supported\", \"S256\"),\n    ].some((isValid) => !isValid);\n\n    if (!isInvalid) {\n        return {\n            authorizationEndpoint: <string>wellKnown[\"authorization_endpoint\"],\n            tokenEndpoint: <string>wellKnown[\"token_endpoint\"],\n            registrationEndpoint: <string>wellKnown[\"registration_endpoint\"],\n            accountManagementEndpoint: <string>wellKnown[\"account_management_uri\"],\n            accountManagementActionsSupported: <string[]>wellKnown[\"account_management_actions_supported\"],\n        };\n    }\n\n    logger.error(\"Issuer configuration not valid\");\n    throw new Error(OidcError.OpSupport);\n};\n\n/**\n * Metadata from OIDC authority discovery\n * With validated properties required in type\n */\nexport type ValidatedIssuerMetadata = Partial<OidcMetadata> &\n    Pick<\n        OidcMetadata,\n        | \"issuer\"\n        | \"authorization_endpoint\"\n        | \"token_endpoint\"\n        | \"registration_endpoint\"\n        | \"revocation_endpoint\"\n        | \"response_types_supported\"\n        | \"grant_types_supported\"\n        | \"code_challenge_methods_supported\"\n        | \"device_authorization_endpoint\"\n    > & {\n        // MSC2965 extensions to the OIDC spec\n        account_management_uri?: string;\n        account_management_actions_supported?: string[];\n    };\n\n/**\n * Wraps validateOIDCIssuerWellKnown in a type assertion\n * that asserts expected properties are present\n * (Typescript assertions cannot be arrow functions)\n * @param metadata - issuer openid-configuration response\n * @throws when metadata validation fails\n */\nexport function isValidatedIssuerMetadata(\n    metadata: Partial<OidcMetadata>,\n): asserts metadata is ValidatedIssuerMetadata {\n    validateOIDCIssuerWellKnown(metadata);\n}\n\nexport const decodeIdToken = (token: string): IdTokenClaims => {\n    try {\n        return jwtDecode<IdTokenClaims>(token);\n    } catch (error) {\n        logger.error(\"Could not decode id_token\", error);\n        throw error;\n    }\n};\n\n/**\n * Validate idToken\n * https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation\n * @param idToken - id token from token endpoint\n * @param issuer - issuer for the OP as found during discovery\n * @param clientId - this client's id as registered with the OP\n * @param nonce - nonce used in the authentication request\n * @throws when id token is invalid\n */\nexport const validateIdToken = (\n    idToken: string | undefined,\n    issuer: string,\n    clientId: string,\n    nonce: string | undefined,\n): void => {\n    try {\n        if (!idToken) {\n            throw new Error(\"No ID token\");\n        }\n        const claims = decodeIdToken(idToken);\n\n        // The Issuer Identifier for the OpenID Provider MUST exactly match the value of the iss (issuer) Claim.\n        if (claims.iss !== issuer) {\n            throw new Error(\"Invalid issuer\");\n        }\n        /**\n         * The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience.\n         * The aud (audience) Claim MAY contain an array with more than one element.\n         * The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.\n         * EW: Don't accept tokens with other untrusted audiences\n         * */\n        if (claims.aud !== clientId) {\n            throw new Error(\"Invalid audience\");\n        }\n\n        /**\n         * If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked\n         * to verify that it is the same value as the one that was sent in the Authentication Request.\n         */\n        if (nonce !== undefined && claims.nonce !== nonce) {\n            throw new Error(\"Invalid nonce\");\n        }\n\n        /**\n         * The current time MUST be before the time represented by the exp Claim.\n         *  exp is an epoch timestamp in seconds\n         * */\n        if (!claims.exp || Date.now() > claims.exp * 1000) {\n            throw new Error(\"Invalid expiry\");\n        }\n    } catch (error) {\n        logger.error(\"Invalid ID token\", error);\n        throw new Error(OidcError.InvalidIdToken);\n    }\n};\n\n/**\n * State we ask OidcClient to store when starting oidc authorization flow (in `generateOidcAuthorizationUrl`)\n * so that we can access it on return from the OP and complete login\n */\nexport type UserState = {\n    /**\n     * Remember which server we were trying to login to\n     */\n    homeserverUrl: string;\n    identityServerUrl?: string;\n    /**\n     * Used to validate id token\n     */\n    nonce: string;\n};\n/**\n * Validate stored user state exists and is valid\n * @param userState - userState returned by oidcClient.processSigninResponse\n * @throws when userState is invalid\n */\nexport function validateStoredUserState(userState: unknown): asserts userState is UserState {\n    if (!isRecord(userState)) {\n        logger.error(\"Stored user state not found\");\n        throw new Error(OidcError.MissingOrInvalidStoredState);\n    }\n    const isInvalid = [\n        requiredStringProperty(userState, \"homeserverUrl\"),\n        requiredStringProperty(userState, \"nonce\"),\n        optionalStringProperty(userState, \"identityServerUrl\"),\n    ].some((isValid) => !isValid);\n\n    if (isInvalid) {\n        throw new Error(OidcError.MissingOrInvalidStoredState);\n    }\n}\n\n/**\n * The expected response type from the token endpoint during authorization code flow\n * Normalized to always use capitalized 'Bearer' for token_type\n *\n * See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.4,\n * https://openid.net/specs/openid-connect-basic-1_0.html#TokenOK.\n */\nexport type BearerTokenResponse = {\n    token_type: \"Bearer\";\n    access_token: string;\n    scope: string;\n    refresh_token?: string;\n    expires_in?: number;\n    // from oidc-client-ts\n    expires_at?: number;\n    id_token: string;\n};\n\n/**\n * Make required properties required in type\n */\ntype ValidSignInResponse = SigninResponse &\n    BearerTokenResponse & {\n        token_type: \"Bearer\" | \"bearer\";\n    };\n\nconst isValidBearerTokenResponse = (response: unknown): response is ValidSignInResponse =>\n    isRecord(response) &&\n    requiredStringProperty(response, \"token_type\") &&\n    // token_type is case insensitive, some OPs return `token_type: \"bearer\"`\n    (response[\"token_type\"] as string).toLowerCase() === \"bearer\" &&\n    requiredStringProperty(response, \"access_token\") &&\n    requiredStringProperty(response, \"refresh_token\") &&\n    (!(\"expires_in\" in response) || typeof response[\"expires_in\"] === \"number\");\n\nexport function validateBearerTokenResponse(response: unknown): asserts response is ValidSignInResponse {\n    if (!isValidBearerTokenResponse(response)) {\n        throw new Error(OidcError.InvalidBearerTokenResponse);\n    }\n}\n"],"mappings":"AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAASA,SAAS,QAAQ,YAAY;AAGtC,SAASC,MAAM,QAAQ,cAAc;AACrC,SAASC,SAAS,QAAQ,YAAY;AAUtC,IAAMC,QAAQ,GAAIC,KAAc,IAC5B,CAAC,CAACA,KAAK,IAAI,OAAOA,KAAK,KAAK,QAAQ,IAAI,CAACC,KAAK,CAACC,OAAO,CAACF,KAAK,CAAC;AACjE,IAAMG,sBAAsB,GAAGA,CAACC,SAAkC,EAAEC,GAAW,KAAc;EACzF,IAAI,CAACD,SAAS,CAACC,GAAG,CAAC,IAAI,CAACC,sBAAsB,CAACF,SAAS,EAAEC,GAAG,CAAC,EAAE;IAC5DR,MAAM,CAACU,KAAK,iCAAAC,MAAA,CAAiCH,GAAG,CAAE,CAAC;IACnD,OAAO,KAAK;EAChB;EACA,OAAO,IAAI;AACf,CAAC;AACD,IAAMC,sBAAsB,GAAGA,CAACF,SAAkC,EAAEC,GAAW,KAAc;EACzF,IAAI,CAAC,CAACD,SAAS,CAACC,GAAG,CAAC,IAAI,OAAOD,SAAS,CAACC,GAAG,CAAC,KAAK,QAAQ,EAAE;IACxDR,MAAM,CAACU,KAAK,sBAAAC,MAAA,CAAsBH,GAAG,CAAE,CAAC;IACxC,OAAO,KAAK;EAChB;EACA,OAAO,IAAI;AACf,CAAC;AACD,IAAMI,2BAA2B,GAAGA,CAACL,SAAkC,EAAEC,GAAW,KAAc;EAC9F,IACI,CAAC,CAACD,SAAS,CAACC,GAAG,CAAC,KACf,CAACJ,KAAK,CAACC,OAAO,CAACE,SAAS,CAACC,GAAG,CAAC,CAAC,IAAI,CAAaD,SAAS,CAACC,GAAG,CAAC,CAAEK,KAAK,CAAEC,CAAC,IAAK,OAAOA,CAAC,KAAK,QAAQ,CAAC,CAAC,EACtG;IACEd,MAAM,CAACU,KAAK,sBAAAC,MAAA,CAAsBH,GAAG,CAAE,CAAC;IACxC,OAAO,KAAK;EAChB;EACA,OAAO,IAAI;AACf,CAAC;AACD,IAAMO,kBAAkB,GAAGA,CAACR,SAAkC,EAAEC,GAAW,EAAEL,KAAU,KAAc;EACjG,IAAMa,KAAK,GAAGT,SAAS,CAACC,GAAG,CAAC;EAC5B,IAAI,CAACQ,KAAK,IAAI,CAACZ,KAAK,CAACC,OAAO,CAACW,KAAK,CAAC,IAAI,CAACA,KAAK,CAACC,QAAQ,CAACd,KAAK,CAAC,EAAE;IAC3DH,MAAM,CAACU,KAAK,sBAAAC,MAAA,CAAsBH,GAAG,QAAAG,MAAA,CAAKR,KAAK,kBAAe,CAAC;IAC/D,OAAO,KAAK;EAChB;EACA,OAAO,IAAI;AACf,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMe,2BAA2B,GAAIX,SAAkB,IAA4B;EACtF,IAAI,CAACL,QAAQ,CAACK,SAAS,CAAC,EAAE;IACtBP,MAAM,CAACU,KAAK,CAAC,6CAA6C,CAAC;IAC3D,MAAM,IAAIS,KAAK,CAAClB,SAAS,CAACmB,SAAS,CAAC;EACxC;EAEA,IAAMC,SAAS,GAAG,CACdf,sBAAsB,CAACC,SAAS,EAAE,wBAAwB,CAAC,EAC3DD,sBAAsB,CAACC,SAAS,EAAE,gBAAgB,CAAC,EACnDD,sBAAsB,CAACC,SAAS,EAAE,qBAAqB,CAAC,EACxDE,sBAAsB,CAACF,SAAS,EAAE,uBAAuB,CAAC,EAC1DE,sBAAsB,CAACF,SAAS,EAAE,wBAAwB,CAAC,EAC3DE,sBAAsB,CAACF,SAAS,EAAE,+BAA+B,CAAC,EAClEK,2BAA2B,CAACL,SAAS,EAAE,sCAAsC,CAAC,EAC9EQ,kBAAkB,CAACR,SAAS,EAAE,0BAA0B,EAAE,MAAM,CAAC,EACjEQ,kBAAkB,CAACR,SAAS,EAAE,uBAAuB,EAAE,oBAAoB,CAAC,EAC5EQ,kBAAkB,CAACR,SAAS,EAAE,kCAAkC,EAAE,MAAM,CAAC,CAC5E,CAACe,IAAI,CAAEC,OAAO,IAAK,CAACA,OAAO,CAAC;EAE7B,IAAI,CAACF,SAAS,EAAE;IACZ,OAAO;MACHG,qBAAqB,EAAUjB,SAAS,CAAC,wBAAwB,CAAC;MAClEkB,aAAa,EAAUlB,SAAS,CAAC,gBAAgB,CAAC;MAClDmB,oBAAoB,EAAUnB,SAAS,CAAC,uBAAuB,CAAC;MAChEoB,yBAAyB,EAAUpB,SAAS,CAAC,wBAAwB,CAAC;MACtEqB,iCAAiC,EAAYrB,SAAS,CAAC,sCAAsC;IACjG,CAAC;EACL;EAEAP,MAAM,CAACU,KAAK,CAAC,gCAAgC,CAAC;EAC9C,MAAM,IAAIS,KAAK,CAAClB,SAAS,CAACmB,SAAS,CAAC;AACxC,CAAC;;AAED;AACA;AACA;AACA;;AAmBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASS,yBAAyBA,CACrCC,QAA+B,EACY;EAC3CZ,2BAA2B,CAACY,QAAQ,CAAC;AACzC;AAEA,OAAO,IAAMC,aAAa,GAAIC,KAAa,IAAoB;EAC3D,IAAI;IACA,OAAOjC,SAAS,CAAgBiC,KAAK,CAAC;EAC1C,CAAC,CAAC,OAAOtB,KAAK,EAAE;IACZV,MAAM,CAACU,KAAK,CAAC,2BAA2B,EAAEA,KAAK,CAAC;IAChD,MAAMA,KAAK;EACf;AACJ,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMuB,eAAe,GAAGA,CAC3BC,OAA2B,EAC3BC,MAAc,EACdC,QAAgB,EAChBC,KAAyB,KAClB;EACP,IAAI;IACA,IAAI,CAACH,OAAO,EAAE;MACV,MAAM,IAAIf,KAAK,CAAC,aAAa,CAAC;IAClC;IACA,IAAMmB,MAAM,GAAGP,aAAa,CAACG,OAAO,CAAC;;IAErC;IACA,IAAII,MAAM,CAACC,GAAG,KAAKJ,MAAM,EAAE;MACvB,MAAM,IAAIhB,KAAK,CAAC,gBAAgB,CAAC;IACrC;IACA;AACR;AACA;AACA;AACA;AACA;IACQ,IAAImB,MAAM,CAACE,GAAG,KAAKJ,QAAQ,EAAE;MACzB,MAAM,IAAIjB,KAAK,CAAC,kBAAkB,CAAC;IACvC;;IAEA;AACR;AACA;AACA;IACQ,IAAIkB,KAAK,KAAKI,SAAS,IAAIH,MAAM,CAACD,KAAK,KAAKA,KAAK,EAAE;MAC/C,MAAM,IAAIlB,KAAK,CAAC,eAAe,CAAC;IACpC;;IAEA;AACR;AACA;AACA;IACQ,IAAI,CAACmB,MAAM,CAACI,GAAG,IAAIC,IAAI,CAACC,GAAG,CAAC,CAAC,GAAGN,MAAM,CAACI,GAAG,GAAG,IAAI,EAAE;MAC/C,MAAM,IAAIvB,KAAK,CAAC,gBAAgB,CAAC;IACrC;EACJ,CAAC,CAAC,OAAOT,KAAK,EAAE;IACZV,MAAM,CAACU,KAAK,CAAC,kBAAkB,EAAEA,KAAK,CAAC;IACvC,MAAM,IAAIS,KAAK,CAAClB,SAAS,CAAC4C,cAAc,CAAC;EAC7C;AACJ,CAAC;;AAED;AACA;AACA;AACA;;AAYA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASC,uBAAuBA,CAACC,SAAkB,EAAkC;EACxF,IAAI,CAAC7C,QAAQ,CAAC6C,SAAS,CAAC,EAAE;IACtB/C,MAAM,CAACU,KAAK,CAAC,6BAA6B,CAAC;IAC3C,MAAM,IAAIS,KAAK,CAAClB,SAAS,CAAC+C,2BAA2B,CAAC;EAC1D;EACA,IAAM3B,SAAS,GAAG,CACdf,sBAAsB,CAACyC,SAAS,EAAE,eAAe,CAAC,EAClDzC,sBAAsB,CAACyC,SAAS,EAAE,OAAO,CAAC,EAC1CtC,sBAAsB,CAACsC,SAAS,EAAE,mBAAmB,CAAC,CACzD,CAACzB,IAAI,CAAEC,OAAO,IAAK,CAACA,OAAO,CAAC;EAE7B,IAAIF,SAAS,EAAE;IACX,MAAM,IAAIF,KAAK,CAAClB,SAAS,CAAC+C,2BAA2B,CAAC;EAC1D;AACJ;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;;AAYA;AACA;AACA;;AAMA,IAAMC,0BAA0B,GAAIC,QAAiB,IACjDhD,QAAQ,CAACgD,QAAQ,CAAC,IAClB5C,sBAAsB,CAAC4C,QAAQ,EAAE,YAAY,CAAC;AAC9C;AACCA,QAAQ,CAAC,YAAY,CAAC,CAAYC,WAAW,CAAC,CAAC,KAAK,QAAQ,IAC7D7C,sBAAsB,CAAC4C,QAAQ,EAAE,cAAc,CAAC,IAChD5C,sBAAsB,CAAC4C,QAAQ,EAAE,eAAe,CAAC,KAChD,EAAE,YAAY,IAAIA,QAAQ,CAAC,IAAI,OAAOA,QAAQ,CAAC,YAAY,CAAC,KAAK,QAAQ,CAAC;AAE/E,OAAO,SAASE,2BAA2BA,CAACF,QAAiB,EAA2C;EACpG,IAAI,CAACD,0BAA0B,CAACC,QAAQ,CAAC,EAAE;IACvC,MAAM,IAAI/B,KAAK,CAAClB,SAAS,CAACoD,0BAA0B,CAAC;EACzD;AACJ","ignoreList":[]}
+{"version":3,"file":"validate.js","names":["jwtDecode","logger","OidcError","isRecord","value","Array","isArray","requiredStringProperty","wellKnown","key","optionalStringProperty","error","concat","optionalStringArrayProperty","every","v","requiredArrayValue","array","includes","validateAuthMetadata","authMetadata","Error","OpSupport","isInvalid","some","isValid","decodeIdToken","token","validateIdToken","idToken","issuer","clientId","nonce","claims","iss","sanitisedAuds","aud","undefined","exp","Date","now","InvalidIdToken","validateStoredUserState","userState","MissingOrInvalidStoredState","isValidBearerTokenResponse","response","toLowerCase","validateBearerTokenResponse","InvalidBearerTokenResponse"],"sources":["../../src/oidc/validate.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { jwtDecode } from \"jwt-decode\";\nimport { IdTokenClaims, OidcMetadata, SigninResponse } from \"oidc-client-ts\";\n\nimport { logger } from \"../logger.ts\";\nimport { OidcError } from \"./error.ts\";\n\n/**\n * Metadata from OIDC authority discovery\n * With validated properties required in type\n */\nexport type ValidatedAuthMetadata = Partial<OidcMetadata> &\n    Pick<\n        OidcMetadata,\n        | \"issuer\"\n        | \"authorization_endpoint\"\n        | \"token_endpoint\"\n        | \"revocation_endpoint\"\n        | \"response_types_supported\"\n        | \"grant_types_supported\"\n        | \"code_challenge_methods_supported\"\n    > & {\n        // MSC2965 extensions to the OIDC spec\n        account_management_uri?: string;\n        account_management_actions_supported?: string[];\n        // The OidcMetadata type from oidc-client-ts does not include `prompt_values_supported`\n        // even though it is part of the OIDC spec\n        prompt_values_supported?: string[];\n    };\n\nconst isRecord = (value: unknown): value is Record<string, unknown> =>\n    !!value && typeof value === \"object\" && !Array.isArray(value);\nconst requiredStringProperty = (wellKnown: Record<string, unknown>, key: string): boolean => {\n    if (!wellKnown[key] || !optionalStringProperty(wellKnown, key)) {\n        logger.error(`Missing or invalid property: ${key}`);\n        return false;\n    }\n    return true;\n};\nconst optionalStringProperty = (wellKnown: Record<string, unknown>, key: string): boolean => {\n    if (!!wellKnown[key] && typeof wellKnown[key] !== \"string\") {\n        logger.error(`Invalid property: ${key}`);\n        return false;\n    }\n    return true;\n};\nconst optionalStringArrayProperty = (wellKnown: Record<string, unknown>, key: string): boolean => {\n    if (\n        !!wellKnown[key] &&\n        (!Array.isArray(wellKnown[key]) || !(<unknown[]>wellKnown[key]).every((v) => typeof v === \"string\"))\n    ) {\n        logger.error(`Invalid property: ${key}`);\n        return false;\n    }\n    return true;\n};\nconst requiredArrayValue = (wellKnown: Record<string, unknown>, key: string, value: any): boolean => {\n    const array = wellKnown[key];\n    if (!array || !Array.isArray(array) || !array.includes(value)) {\n        logger.error(`Invalid property: ${key}. ${value} is required.`);\n        return false;\n    }\n    return true;\n};\n\n/**\n * Validates issuer `.well-known/openid-configuration`\n * As defined in RFC5785 https://openid.net/specs/openid-connect-discovery-1_0.html\n * validates that OP is compatible with Element's OIDC flow\n * @param authMetadata - json object\n * @returns valid issuer config\n * @throws Error - when issuer config is not found or is invalid\n */\nexport const validateAuthMetadata = (authMetadata: unknown): ValidatedAuthMetadata => {\n    if (!isRecord(authMetadata)) {\n        logger.error(\"Issuer configuration not found or malformed\");\n        throw new Error(OidcError.OpSupport);\n    }\n\n    const isInvalid = [\n        requiredStringProperty(authMetadata, \"issuer\"),\n        requiredStringProperty(authMetadata, \"authorization_endpoint\"),\n        requiredStringProperty(authMetadata, \"token_endpoint\"),\n        requiredStringProperty(authMetadata, \"revocation_endpoint\"),\n        optionalStringProperty(authMetadata, \"registration_endpoint\"),\n        optionalStringProperty(authMetadata, \"account_management_uri\"),\n        optionalStringProperty(authMetadata, \"device_authorization_endpoint\"),\n        optionalStringArrayProperty(authMetadata, \"account_management_actions_supported\"),\n        requiredArrayValue(authMetadata, \"response_types_supported\", \"code\"),\n        requiredArrayValue(authMetadata, \"grant_types_supported\", \"authorization_code\"),\n        requiredArrayValue(authMetadata, \"code_challenge_methods_supported\", \"S256\"),\n        optionalStringArrayProperty(authMetadata, \"prompt_values_supported\"),\n    ].some((isValid) => !isValid);\n\n    if (!isInvalid) {\n        return authMetadata as ValidatedAuthMetadata;\n    }\n\n    logger.error(\"Issuer configuration not valid\");\n    throw new Error(OidcError.OpSupport);\n};\n\nexport const decodeIdToken = (token: string): IdTokenClaims => {\n    try {\n        return jwtDecode<IdTokenClaims>(token);\n    } catch (error) {\n        logger.error(\"Could not decode id_token\", error);\n        throw error;\n    }\n};\n\n/**\n * Validate idToken\n * https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation\n * @param idToken - id token from token endpoint\n * @param issuer - issuer for the OP as found during discovery\n * @param clientId - this client's id as registered with the OP\n * @param nonce - nonce used in the authentication request\n * @throws when id token is invalid\n */\nexport const validateIdToken = (\n    idToken: string | undefined,\n    issuer: string,\n    clientId: string,\n    nonce: string | undefined,\n): void => {\n    try {\n        if (!idToken) {\n            throw new Error(\"No ID token\");\n        }\n        const claims = decodeIdToken(idToken);\n\n        // The Issuer Identifier for the OpenID Provider MUST exactly match the value of the iss (issuer) Claim.\n        if (claims.iss !== issuer) {\n            throw new Error(\"Invalid issuer\");\n        }\n        /**\n         * The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience.\n         * The aud (audience) Claim MAY contain an array with more than one element.\n         * The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.\n         * EW: Don't accept tokens with other untrusted audiences\n         * */\n        const sanitisedAuds = typeof claims.aud === \"string\" ? [claims.aud] : claims.aud;\n        if (!sanitisedAuds.includes(clientId)) {\n            throw new Error(\"Invalid audience\");\n        }\n\n        /**\n         * If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked\n         * to verify that it is the same value as the one that was sent in the Authentication Request.\n         */\n        if (nonce !== undefined && claims.nonce !== nonce) {\n            throw new Error(\"Invalid nonce\");\n        }\n\n        /**\n         * The current time MUST be before the time represented by the exp Claim.\n         *  exp is an epoch timestamp in seconds\n         * */\n        if (!claims.exp || Date.now() > claims.exp * 1000) {\n            throw new Error(\"Invalid expiry\");\n        }\n    } catch (error) {\n        logger.error(\"Invalid ID token\", error);\n        throw new Error(OidcError.InvalidIdToken);\n    }\n};\n\n/**\n * State we ask OidcClient to store when starting oidc authorization flow (in `generateOidcAuthorizationUrl`)\n * so that we can access it on return from the OP and complete login\n */\nexport type UserState = {\n    /**\n     * Remember which server we were trying to login to\n     */\n    homeserverUrl: string;\n    identityServerUrl?: string;\n    /**\n     * Used to validate id token\n     */\n    nonce: string;\n};\n/**\n * Validate stored user state exists and is valid\n * @param userState - userState returned by oidcClient.processSigninResponse\n * @throws when userState is invalid\n */\nexport function validateStoredUserState(userState: unknown): asserts userState is UserState {\n    if (!isRecord(userState)) {\n        logger.error(\"Stored user state not found\");\n        throw new Error(OidcError.MissingOrInvalidStoredState);\n    }\n    const isInvalid = [\n        requiredStringProperty(userState, \"homeserverUrl\"),\n        requiredStringProperty(userState, \"nonce\"),\n        optionalStringProperty(userState, \"identityServerUrl\"),\n    ].some((isValid) => !isValid);\n\n    if (isInvalid) {\n        throw new Error(OidcError.MissingOrInvalidStoredState);\n    }\n}\n\n/**\n * The expected response type from the token endpoint during authorization code flow\n * Normalized to always use capitalized 'Bearer' for token_type\n *\n * See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.4,\n * https://openid.net/specs/openid-connect-basic-1_0.html#TokenOK.\n */\nexport type BearerTokenResponse = {\n    token_type: \"Bearer\";\n    access_token: string;\n    scope: string;\n    refresh_token?: string;\n    expires_in?: number;\n    // from oidc-client-ts\n    expires_at?: number;\n    id_token: string;\n};\n\n/**\n * Make required properties required in type\n */\ntype ValidSignInResponse = SigninResponse &\n    BearerTokenResponse & {\n        token_type: \"Bearer\" | \"bearer\";\n    };\n\nconst isValidBearerTokenResponse = (response: unknown): response is ValidSignInResponse =>\n    isRecord(response) &&\n    requiredStringProperty(response, \"token_type\") &&\n    // token_type is case insensitive, some OPs return `token_type: \"bearer\"`\n    (response[\"token_type\"] as string).toLowerCase() === \"bearer\" &&\n    requiredStringProperty(response, \"access_token\") &&\n    requiredStringProperty(response, \"refresh_token\") &&\n    (!(\"expires_in\" in response) || typeof response[\"expires_in\"] === \"number\");\n\nexport function validateBearerTokenResponse(response: unknown): asserts response is ValidSignInResponse {\n    if (!isValidBearerTokenResponse(response)) {\n        throw new Error(OidcError.InvalidBearerTokenResponse);\n    }\n}\n"],"mappings":"AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAASA,SAAS,QAAQ,YAAY;AAGtC,SAASC,MAAM,QAAQ,cAAc;AACrC,SAASC,SAAS,QAAQ,YAAY;;AAEtC;AACA;AACA;AACA;;AAoBA,IAAMC,QAAQ,GAAIC,KAAc,IAC5B,CAAC,CAACA,KAAK,IAAI,OAAOA,KAAK,KAAK,QAAQ,IAAI,CAACC,KAAK,CAACC,OAAO,CAACF,KAAK,CAAC;AACjE,IAAMG,sBAAsB,GAAGA,CAACC,SAAkC,EAAEC,GAAW,KAAc;EACzF,IAAI,CAACD,SAAS,CAACC,GAAG,CAAC,IAAI,CAACC,sBAAsB,CAACF,SAAS,EAAEC,GAAG,CAAC,EAAE;IAC5DR,MAAM,CAACU,KAAK,iCAAAC,MAAA,CAAiCH,GAAG,CAAE,CAAC;IACnD,OAAO,KAAK;EAChB;EACA,OAAO,IAAI;AACf,CAAC;AACD,IAAMC,sBAAsB,GAAGA,CAACF,SAAkC,EAAEC,GAAW,KAAc;EACzF,IAAI,CAAC,CAACD,SAAS,CAACC,GAAG,CAAC,IAAI,OAAOD,SAAS,CAACC,GAAG,CAAC,KAAK,QAAQ,EAAE;IACxDR,MAAM,CAACU,KAAK,sBAAAC,MAAA,CAAsBH,GAAG,CAAE,CAAC;IACxC,OAAO,KAAK;EAChB;EACA,OAAO,IAAI;AACf,CAAC;AACD,IAAMI,2BAA2B,GAAGA,CAACL,SAAkC,EAAEC,GAAW,KAAc;EAC9F,IACI,CAAC,CAACD,SAAS,CAACC,GAAG,CAAC,KACf,CAACJ,KAAK,CAACC,OAAO,CAACE,SAAS,CAACC,GAAG,CAAC,CAAC,IAAI,CAAaD,SAAS,CAACC,GAAG,CAAC,CAAEK,KAAK,CAAEC,CAAC,IAAK,OAAOA,CAAC,KAAK,QAAQ,CAAC,CAAC,EACtG;IACEd,MAAM,CAACU,KAAK,sBAAAC,MAAA,CAAsBH,GAAG,CAAE,CAAC;IACxC,OAAO,KAAK;EAChB;EACA,OAAO,IAAI;AACf,CAAC;AACD,IAAMO,kBAAkB,GAAGA,CAACR,SAAkC,EAAEC,GAAW,EAAEL,KAAU,KAAc;EACjG,IAAMa,KAAK,GAAGT,SAAS,CAACC,GAAG,CAAC;EAC5B,IAAI,CAACQ,KAAK,IAAI,CAACZ,KAAK,CAACC,OAAO,CAACW,KAAK,CAAC,IAAI,CAACA,KAAK,CAACC,QAAQ,CAACd,KAAK,CAAC,EAAE;IAC3DH,MAAM,CAACU,KAAK,sBAAAC,MAAA,CAAsBH,GAAG,QAAAG,MAAA,CAAKR,KAAK,kBAAe,CAAC;IAC/D,OAAO,KAAK;EAChB;EACA,OAAO,IAAI;AACf,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMe,oBAAoB,GAAIC,YAAqB,IAA4B;EAClF,IAAI,CAACjB,QAAQ,CAACiB,YAAY,CAAC,EAAE;IACzBnB,MAAM,CAACU,KAAK,CAAC,6CAA6C,CAAC;IAC3D,MAAM,IAAIU,KAAK,CAACnB,SAAS,CAACoB,SAAS,CAAC;EACxC;EAEA,IAAMC,SAAS,GAAG,CACdhB,sBAAsB,CAACa,YAAY,EAAE,QAAQ,CAAC,EAC9Cb,sBAAsB,CAACa,YAAY,EAAE,wBAAwB,CAAC,EAC9Db,sBAAsB,CAACa,YAAY,EAAE,gBAAgB,CAAC,EACtDb,sBAAsB,CAACa,YAAY,EAAE,qBAAqB,CAAC,EAC3DV,sBAAsB,CAACU,YAAY,EAAE,uBAAuB,CAAC,EAC7DV,sBAAsB,CAACU,YAAY,EAAE,wBAAwB,CAAC,EAC9DV,sBAAsB,CAACU,YAAY,EAAE,+BAA+B,CAAC,EACrEP,2BAA2B,CAACO,YAAY,EAAE,sCAAsC,CAAC,EACjFJ,kBAAkB,CAACI,YAAY,EAAE,0BAA0B,EAAE,MAAM,CAAC,EACpEJ,kBAAkB,CAACI,YAAY,EAAE,uBAAuB,EAAE,oBAAoB,CAAC,EAC/EJ,kBAAkB,CAACI,YAAY,EAAE,kCAAkC,EAAE,MAAM,CAAC,EAC5EP,2BAA2B,CAACO,YAAY,EAAE,yBAAyB,CAAC,CACvE,CAACI,IAAI,CAAEC,OAAO,IAAK,CAACA,OAAO,CAAC;EAE7B,IAAI,CAACF,SAAS,EAAE;IACZ,OAAOH,YAAY;EACvB;EAEAnB,MAAM,CAACU,KAAK,CAAC,gCAAgC,CAAC;EAC9C,MAAM,IAAIU,KAAK,CAACnB,SAAS,CAACoB,SAAS,CAAC;AACxC,CAAC;AAED,OAAO,IAAMI,aAAa,GAAIC,KAAa,IAAoB;EAC3D,IAAI;IACA,OAAO3B,SAAS,CAAgB2B,KAAK,CAAC;EAC1C,CAAC,CAAC,OAAOhB,KAAK,EAAE;IACZV,MAAM,CAACU,KAAK,CAAC,2BAA2B,EAAEA,KAAK,CAAC;IAChD,MAAMA,KAAK;EACf;AACJ,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMiB,eAAe,GAAGA,CAC3BC,OAA2B,EAC3BC,MAAc,EACdC,QAAgB,EAChBC,KAAyB,KAClB;EACP,IAAI;IACA,IAAI,CAACH,OAAO,EAAE;MACV,MAAM,IAAIR,KAAK,CAAC,aAAa,CAAC;IAClC;IACA,IAAMY,MAAM,GAAGP,aAAa,CAACG,OAAO,CAAC;;IAErC;IACA,IAAII,MAAM,CAACC,GAAG,KAAKJ,MAAM,EAAE;MACvB,MAAM,IAAIT,KAAK,CAAC,gBAAgB,CAAC;IACrC;IACA;AACR;AACA;AACA;AACA;AACA;IACQ,IAAMc,aAAa,GAAG,OAAOF,MAAM,CAACG,GAAG,KAAK,QAAQ,GAAG,CAACH,MAAM,CAACG,GAAG,CAAC,GAAGH,MAAM,CAACG,GAAG;IAChF,IAAI,CAACD,aAAa,CAACjB,QAAQ,CAACa,QAAQ,CAAC,EAAE;MACnC,MAAM,IAAIV,KAAK,CAAC,kBAAkB,CAAC;IACvC;;IAEA;AACR;AACA;AACA;IACQ,IAAIW,KAAK,KAAKK,SAAS,IAAIJ,MAAM,CAACD,KAAK,KAAKA,KAAK,EAAE;MAC/C,MAAM,IAAIX,KAAK,CAAC,eAAe,CAAC;IACpC;;IAEA;AACR;AACA;AACA;IACQ,IAAI,CAACY,MAAM,CAACK,GAAG,IAAIC,IAAI,CAACC,GAAG,CAAC,CAAC,GAAGP,MAAM,CAACK,GAAG,GAAG,IAAI,EAAE;MAC/C,MAAM,IAAIjB,KAAK,CAAC,gBAAgB,CAAC;IACrC;EACJ,CAAC,CAAC,OAAOV,KAAK,EAAE;IACZV,MAAM,CAACU,KAAK,CAAC,kBAAkB,EAAEA,KAAK,CAAC;IACvC,MAAM,IAAIU,KAAK,CAACnB,SAAS,CAACuC,cAAc,CAAC;EAC7C;AACJ,CAAC;;AAED;AACA;AACA;AACA;;AAYA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASC,uBAAuBA,CAACC,SAAkB,EAAkC;EACxF,IAAI,CAACxC,QAAQ,CAACwC,SAAS,CAAC,EAAE;IACtB1C,MAAM,CAACU,KAAK,CAAC,6BAA6B,CAAC;IAC3C,MAAM,IAAIU,KAAK,CAACnB,SAAS,CAAC0C,2BAA2B,CAAC;EAC1D;EACA,IAAMrB,SAAS,GAAG,CACdhB,sBAAsB,CAACoC,SAAS,EAAE,eAAe,CAAC,EAClDpC,sBAAsB,CAACoC,SAAS,EAAE,OAAO,CAAC,EAC1CjC,sBAAsB,CAACiC,SAAS,EAAE,mBAAmB,CAAC,CACzD,CAACnB,IAAI,CAAEC,OAAO,IAAK,CAACA,OAAO,CAAC;EAE7B,IAAIF,SAAS,EAAE;IACX,MAAM,IAAIF,KAAK,CAACnB,SAAS,CAAC0C,2BAA2B,CAAC;EAC1D;AACJ;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;;AAYA;AACA;AACA;;AAMA,IAAMC,0BAA0B,GAAIC,QAAiB,IACjD3C,QAAQ,CAAC2C,QAAQ,CAAC,IAClBvC,sBAAsB,CAACuC,QAAQ,EAAE,YAAY,CAAC;AAC9C;AACCA,QAAQ,CAAC,YAAY,CAAC,CAAYC,WAAW,CAAC,CAAC,KAAK,QAAQ,IAC7DxC,sBAAsB,CAACuC,QAAQ,EAAE,cAAc,CAAC,IAChDvC,sBAAsB,CAACuC,QAAQ,EAAE,eAAe,CAAC,KAChD,EAAE,YAAY,IAAIA,QAAQ,CAAC,IAAI,OAAOA,QAAQ,CAAC,YAAY,CAAC,KAAK,QAAQ,CAAC;AAE/E,OAAO,SAASE,2BAA2BA,CAACF,QAAiB,EAA2C;EACpG,IAAI,CAACD,0BAA0B,CAACC,QAAQ,CAAC,EAAE;IACvC,MAAM,IAAIzB,KAAK,CAACnB,SAAS,CAAC+C,0BAA0B,CAAC;EACzD;AACJ","ignoreList":[]}

package/lib/randomstring.d.ts

@@ -1,5 +1,32 @@
+/**
+ * String representing the lowercase latin alphabet for use in {@link secureRandomStringFrom}
+ * (can be combined with other such exports or other characters by appending strings)
+ */
+export declare const LOWERCASE = "abcdefghijklmnopqrstuvwxyz";
+/**
+ * String representing the uppercase latin alphabet for use in secureRandomStringFrom
+ * (can be combined with other such exports or other characters by appending strings)
+ */
+export declare const UPPERCASE = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+/**
+ * String representing the arabic numerals for use in secureRandomStringFrom
+ * (can be combined with other such exports or other characters by appending strings)
+ */
+export declare const DIGITS = "0123456789";
 export declare function secureRandomBase64Url(len: number): string;
-export declare function randomString(len: number): string;
-export declare function randomLowercaseString(len: number): string;
-export declare function randomUppercaseString(len: number): string;
+/**
+ * Generates a random string of uppercase and lowercase letters plus digits using a
+ * cryptographically secure random number generator.
+ * @param len The length of the string to generate
+ * @returns Random string of uppercase and lowercase letters plus digits of length `len`
+ */
+export declare function secureRandomString(len: number): string;
+/**
+ * Generate a cryptographically secure random string using characters given.
+ *
+ * @param len - The length of the string to generate (must be positive and less than 32768).
+ * @param chars - The characters to use in the random string (between 2 and 256 characters long).
+ * @returns Random string of characters of length `len`.
+ */
+export declare function secureRandomStringFrom(len: number, chars: string): string;
 //# sourceMappingURL=randomstring.d.ts.map

package/lib/randomstring.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"randomstring.d.ts","sourceRoot":"","sources":["../src/randomstring.ts"],"names":[],"mappings":"AAuBA,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAKzD;AAED,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEhD;AAED,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEzD;AAED,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEzD"}
+{"version":3,"file":"randomstring.d.ts","sourceRoot":"","sources":["../src/randomstring.ts"],"names":[],"mappings":"AAmBA;;;GAGG;AACH,eAAO,MAAM,SAAS,+BAA+B,CAAC;AAEtD;;;GAGG;AACH,eAAO,MAAM,SAAS,+BAA+B,CAAC;AAEtD;;;GAGG;AACH,eAAO,MAAM,MAAM,eAAe,CAAC;AAEnC,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAKzD;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEtD;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAmCzE"}