gameglue 4.0.1 → 4.0.2

package/src/auth.js

@@ -1,255 +1,255 @@
-import { OidcClient } from 'oidc-client-ts';
-import { storage, isCorsError, logCorsHelp } from './utils';
-import jwt_decode from 'jwt-decode';
-
-const DEFAULT_AUTH_URL = 'https://auth.gameglue.gg/realms/GameGlue';
-
-// Track if callback is being processed (prevents double-processing)
-let _callbackPromise = null;
-
-export class GameGlueAuth {
-  constructor(cfg) {
-    const authority = cfg.authUrl || DEFAULT_AUTH_URL;
-    this._oidcSettings = {
-      authority,
-      client_id: cfg.clientId,
-      redirect_uri: removeTrailingSlashes(cfg.redirect_uri || window.location.href),
-      post_logout_redirect_uri: removeTrailingSlashes(window.location.href),
-      response_type: "code",
-      scope: `openid ${(cfg.scopes || []).join(' ')}`,
-      response_mode: "fragment",
-      filterProtocolClaims: true
-    };
-    this._oidcClient = new OidcClient(this._oidcSettings);
-    this._refreshCallback = () => {};
-    this._refreshTimeout = null;
-  }
-
-  /**
-   * Check if user is authenticated.
-   * If OAuth callback params are in URL, processes them first.
-   * Safe to call multiple times - idempotent.
-   * @returns {Promise<boolean>}
-   */
-  async isAuthenticated() {
-    // If callback params present, process them first
-    if (this._hasCallbackParams()) {
-      await this._processCallback();
-    }
-
-    // Check for valid tokens
-    return this._hasValidTokens();
-  }
-
-  /**
-   * Redirect to OAuth login page.
-   * Does not return - navigates away.
-   */
-  login() {
-    this._oidcClient.createSigninRequest({ state: { bar: 15 } }).then((req) => {
-      window.location = req.url;
-    }).catch((err) => {
-      if (isCorsError(err)) {
-        logCorsHelp('Login Request', this._oidcSettings.authority);
-      }
-      console.error('Failed to create signin request:', err);
-    });
-  }
-
-  /**
-   * Log out the user.
-   * Clears local tokens and optionally redirects to Keycloak logout.
-   * @param {Object} options - { redirect?: boolean }
-   */
-  logout(options = {}) {
-    // Clear local tokens
-    storage.remove('gg-auth-token');
-    storage.remove('gg-refresh-token');
-    clearTimeout(this._refreshTimeout);
-
-    // Optionally redirect to Keycloak logout
-    if (options.redirect !== false) {
-      const logoutUrl = `${this._oidcSettings.authority}/protocol/openid-connect/logout?post_logout_redirect_uri=${encodeURIComponent(this._oidcSettings.post_logout_redirect_uri)}`;
-      window.location.href = logoutUrl;
-    }
-  }
-
-  /**
-   * Get the current user's ID.
-   * @throws {Error} if not authenticated
-   * @returns {string}
-   */
-  getUser() {
-    const token = this._getAccessToken();
-    if (!token) {
-      throw new Error('Not authenticated');
-    }
-    const decoded = jwt_decode(token);
-    return decoded.sub;
-  }
-
-  /**
-   * Get the access token for API calls.
-   * @returns {string|null}
-   */
-  getAccessToken() {
-    return this._getAccessToken();
-  }
-
-  /**
-   * Register callback for token refresh events.
-   * @param {Function} callback
-   */
-  onTokenRefreshed(callback) {
-    this._refreshCallback = callback;
-  }
-
-  // ============ Internal Methods ============
-
-  _hasCallbackParams() {
-    return location.hash.includes("state=") &&
-           (location.hash.includes("code=") || location.hash.includes("error="));
-  }
-
-  _clearCallbackUrl() {
-    window.history.replaceState("", document.title, window.location.pathname + window.location.search);
-  }
-
-  async _processCallback() {
-    // If already processing, wait for that to complete
-    if (_callbackPromise) {
-      await _callbackPromise;
-      return;
-    }
-
-    // Start processing
-    _callbackPromise = this._doProcessCallback();
-
-    try {
-      await _callbackPromise;
-    } finally {
-      _callbackPromise = null;
-    }
-  }
-
-  async _doProcessCallback() {
-    try {
-      const response = await this._oidcClient.processSigninResponse(window.location.href);
-
-      if (response.error) {
-        this._clearCallbackUrl();
-        throw new Error(response.error);
-      }
-
-      if (!response.access_token) {
-        this._clearCallbackUrl();
-        throw new Error('No access token received');
-      }
-
-      this._setAccessToken(response.access_token);
-      this._setRefreshToken(response.refresh_token);
-      this._clearCallbackUrl();
-    } catch (err) {
-      // If we failed but tokens exist (another call succeeded), that's fine
-      if (this._hasValidTokens()) {
-        this._clearCallbackUrl();
-        return;
-      }
-      this._clearCallbackUrl();
-      throw err;
-    }
-  }
-
-  _hasValidTokens() {
-    const token = this._getAccessToken();
-    if (!token) {
-      return false;
-    }
-
-    try {
-      const decoded = jwt_decode(token);
-      const expirationDate = new Date(decoded.exp * 1000);
-      return expirationDate > new Date();
-    } catch {
-      return false;
-    }
-  }
-
-  _getAccessToken() {
-    const token = storage.get('gg-auth-token');
-    if (token) {
-      this._setTokenRefreshTimeout(token);
-    }
-    return token || undefined;
-  }
-
-  _setAccessToken(token) {
-    this._setTokenRefreshTimeout(token);
-    return storage.set('gg-auth-token', token);
-  }
-
-  _setRefreshToken(token) {
-    return storage.set('gg-refresh-token', token);
-  }
-
-  _getRefreshToken() {
-    return storage.get('gg-refresh-token');
-  }
-
-  _setTokenRefreshTimeout(token) {
-    if (!token) return;
-
-    clearTimeout(this._refreshTimeout);
-
-    try {
-      const timeUntilExp = (jwt_decode(token).exp * 1000) - Date.now() - 5000;
-      if (timeUntilExp > 0) {
-        this._refreshTimeout = setTimeout(() => {
-          this._attemptRefresh();
-        }, timeUntilExp);
-      }
-    } catch {
-      // Invalid token, ignore
-    }
-  }
-
-  async _attemptRefresh() {
-    const url = `${this._oidcSettings.authority}/protocol/openid-connect/token`;
-    const client_id = this._oidcSettings.client_id;
-    const refresh_token = this._getRefreshToken();
-    const grant_type = 'refresh_token';
-
-    try {
-      const response = await fetch(url, {
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/x-www-form-urlencoded'
-        },
-        body: new URLSearchParams({
-          client_id,
-          grant_type,
-          refresh_token
-        })
-      });
-
-      if (response.status === 200) {
-        const resObj = await response.json();
-        this._setAccessToken(resObj.access_token);
-        this._setRefreshToken(resObj.refresh_token);
-        this._refreshCallback(resObj.access_token);
-      }
-    } catch (e) {
-      if (isCorsError(e)) {
-        logCorsHelp('Token Refresh', url);
-      }
-      console.error('Token refresh failed:', e);
-    }
-  }
-}
-
-function removeTrailingSlashes(url) {
-  if (url.endsWith('/')) {
-    return url.replace(/\/+$/, '');
-  }
-  return url;
-}
+import { OidcClient } from 'oidc-client-ts';
+import { storage, isCorsError, logCorsHelp } from './utils';
+import jwt_decode from 'jwt-decode';
+
+const DEFAULT_AUTH_URL = 'https://auth.gameglue.gg/realms/GameGlue';
+
+// Track if callback is being processed (prevents double-processing)
+let _callbackPromise = null;
+
+export class GameGlueAuth {
+  constructor(cfg) {
+    const authority = cfg.authUrl || DEFAULT_AUTH_URL;
+    this._oidcSettings = {
+      authority,
+      client_id: cfg.clientId,
+      redirect_uri: removeTrailingSlashes(cfg.redirect_uri || window.location.href),
+      post_logout_redirect_uri: removeTrailingSlashes(window.location.href),
+      response_type: "code",
+      scope: `openid ${(cfg.scopes || []).join(' ')}`,
+      response_mode: "fragment",
+      filterProtocolClaims: true
+    };
+    this._oidcClient = new OidcClient(this._oidcSettings);
+    this._refreshCallback = () => {};
+    this._refreshTimeout = null;
+  }
+
+  /**
+   * Check if user is authenticated.
+   * If OAuth callback params are in URL, processes them first.
+   * Safe to call multiple times - idempotent.
+   * @returns {Promise<boolean>}
+   */
+  async isAuthenticated() {
+    // If callback params present, process them first
+    if (this._hasCallbackParams()) {
+      await this._processCallback();
+    }
+
+    // Check for valid tokens
+    return this._hasValidTokens();
+  }
+
+  /**
+   * Redirect to OAuth login page.
+   * Does not return - navigates away.
+   */
+  login() {
+    this._oidcClient.createSigninRequest({ state: { bar: 15 } }).then((req) => {
+      window.location = req.url;
+    }).catch((err) => {
+      if (isCorsError(err)) {
+        logCorsHelp('Login Request', this._oidcSettings.authority);
+      }
+      console.error('Failed to create signin request:', err);
+    });
+  }
+
+  /**
+   * Log out the user.
+   * Clears local tokens and optionally redirects to Keycloak logout.
+   * @param {Object} options - { redirect?: boolean }
+   */
+  logout(options = {}) {
+    // Clear local tokens
+    storage.remove('gg-auth-token');
+    storage.remove('gg-refresh-token');
+    clearTimeout(this._refreshTimeout);
+
+    // Optionally redirect to Keycloak logout
+    if (options.redirect !== false) {
+      const logoutUrl = `${this._oidcSettings.authority}/protocol/openid-connect/logout?post_logout_redirect_uri=${encodeURIComponent(this._oidcSettings.post_logout_redirect_uri)}`;
+      window.location.href = logoutUrl;
+    }
+  }
+
+  /**
+   * Get the current user's ID.
+   * @throws {Error} if not authenticated
+   * @returns {string}
+   */
+  getUser() {
+    const token = this._getAccessToken();
+    if (!token) {
+      throw new Error('Not authenticated');
+    }
+    const decoded = jwt_decode(token);
+    return decoded.sub;
+  }
+
+  /**
+   * Get the access token for API calls.
+   * @returns {string|null}
+   */
+  getAccessToken() {
+    return this._getAccessToken();
+  }
+
+  /**
+   * Register callback for token refresh events.
+   * @param {Function} callback
+   */
+  onTokenRefreshed(callback) {
+    this._refreshCallback = callback;
+  }
+
+  // ============ Internal Methods ============
+
+  _hasCallbackParams() {
+    return location.hash.includes("state=") &&
+           (location.hash.includes("code=") || location.hash.includes("error="));
+  }
+
+  _clearCallbackUrl() {
+    window.history.replaceState("", document.title, window.location.pathname + window.location.search);
+  }
+
+  async _processCallback() {
+    // If already processing, wait for that to complete
+    if (_callbackPromise) {
+      await _callbackPromise;
+      return;
+    }
+
+    // Start processing
+    _callbackPromise = this._doProcessCallback();
+
+    try {
+      await _callbackPromise;
+    } finally {
+      _callbackPromise = null;
+    }
+  }
+
+  async _doProcessCallback() {
+    try {
+      const response = await this._oidcClient.processSigninResponse(window.location.href);
+
+      if (response.error) {
+        this._clearCallbackUrl();
+        throw new Error(response.error);
+      }
+
+      if (!response.access_token) {
+        this._clearCallbackUrl();
+        throw new Error('No access token received');
+      }
+
+      this._setAccessToken(response.access_token);
+      this._setRefreshToken(response.refresh_token);
+      this._clearCallbackUrl();
+    } catch (err) {
+      // If we failed but tokens exist (another call succeeded), that's fine
+      if (this._hasValidTokens()) {
+        this._clearCallbackUrl();
+        return;
+      }
+      this._clearCallbackUrl();
+      throw err;
+    }
+  }
+
+  _hasValidTokens() {
+    const token = this._getAccessToken();
+    if (!token) {
+      return false;
+    }
+
+    try {
+      const decoded = jwt_decode(token);
+      const expirationDate = new Date(decoded.exp * 1000);
+      return expirationDate > new Date();
+    } catch {
+      return false;
+    }
+  }
+
+  _getAccessToken() {
+    const token = storage.get('gg-auth-token');
+    if (token) {
+      this._setTokenRefreshTimeout(token);
+    }
+    return token || undefined;
+  }
+
+  _setAccessToken(token) {
+    this._setTokenRefreshTimeout(token);
+    return storage.set('gg-auth-token', token);
+  }
+
+  _setRefreshToken(token) {
+    return storage.set('gg-refresh-token', token);
+  }
+
+  _getRefreshToken() {
+    return storage.get('gg-refresh-token');
+  }
+
+  _setTokenRefreshTimeout(token) {
+    if (!token) return;
+
+    clearTimeout(this._refreshTimeout);
+
+    try {
+      const timeUntilExp = (jwt_decode(token).exp * 1000) - Date.now() - 5000;
+      if (timeUntilExp > 0) {
+        this._refreshTimeout = setTimeout(() => {
+          this._attemptRefresh();
+        }, timeUntilExp);
+      }
+    } catch {
+      // Invalid token, ignore
+    }
+  }
+
+  async _attemptRefresh() {
+    const url = `${this._oidcSettings.authority}/protocol/openid-connect/token`;
+    const client_id = this._oidcSettings.client_id;
+    const refresh_token = this._getRefreshToken();
+    const grant_type = 'refresh_token';
+
+    try {
+      const response = await fetch(url, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded'
+        },
+        body: new URLSearchParams({
+          client_id,
+          grant_type,
+          refresh_token
+        })
+      });
+
+      if (response.status === 200) {
+        const resObj = await response.json();
+        this._setAccessToken(resObj.access_token);
+        this._setRefreshToken(resObj.refresh_token);
+        this._refreshCallback(resObj.access_token);
+      }
+    } catch (e) {
+      if (isCorsError(e)) {
+        logCorsHelp('Token Refresh', url);
+      }
+      console.error('Token refresh failed:', e);
+    }
+  }
+}
+
+function removeTrailingSlashes(url) {
+  if (url.endsWith('/')) {
+    return url.replace(/\/+$/, '');
+  }
+  return url;
+}