matrix-js-sdk 41.5.0 → 41.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (204)
  1. package/CHANGELOG.md +7 -0
  2. package/lib/ReEmitter.js +1 -1
  3. package/lib/ReEmitter.js.map +1 -1
  4. package/lib/ToDeviceMessageQueue.js +2 -2
  5. package/lib/ToDeviceMessageQueue.js.map +1 -1
  6. package/lib/autodiscovery.js +0 -1
  7. package/lib/autodiscovery.js.map +1 -1
  8. package/lib/client.js +112 -165
  9. package/lib/client.js.map +1 -1
  10. package/lib/common-crypto/CryptoBackend.js +0 -2
  11. package/lib/common-crypto/CryptoBackend.js.map +1 -1
  12. package/lib/content-helpers.js +3 -5
  13. package/lib/content-helpers.js.map +1 -1
  14. package/lib/content-repo.js +7 -1
  15. package/lib/content-repo.js.map +1 -1
  16. package/lib/crypto/store/indexeddb-crypto-store-backend.js +9 -11
  17. package/lib/crypto/store/indexeddb-crypto-store-backend.js.map +1 -1
  18. package/lib/crypto/store/indexeddb-crypto-store.js +0 -2
  19. package/lib/crypto/store/indexeddb-crypto-store.js.map +1 -1
  20. package/lib/crypto/store/localStorage-crypto-store.js +11 -9
  21. package/lib/crypto/store/localStorage-crypto-store.js.map +1 -1
  22. package/lib/crypto/store/memory-crypto-store.js +11 -9
  23. package/lib/crypto/store/memory-crypto-store.js.map +1 -1
  24. package/lib/crypto-api/index.js +58 -58
  25. package/lib/crypto-api/index.js.map +1 -1
  26. package/lib/embedded.js +29 -45
  27. package/lib/embedded.js.map +1 -1
  28. package/lib/extensible_events_v1/MessageEvent.js +15 -15
  29. package/lib/extensible_events_v1/MessageEvent.js.map +1 -1
  30. package/lib/extensible_events_v1/PollEndEvent.js +8 -8
  31. package/lib/extensible_events_v1/PollEndEvent.js.map +1 -1
  32. package/lib/extensible_events_v1/PollResponseEvent.js +0 -1
  33. package/lib/extensible_events_v1/PollResponseEvent.js.map +1 -1
  34. package/lib/extensible_events_v1/PollStartEvent.js +28 -28
  35. package/lib/extensible_events_v1/PollStartEvent.js.map +1 -1
  36. package/lib/feature.js +5 -1
  37. package/lib/feature.js.map +1 -1
  38. package/lib/filter-component.js +4 -1
  39. package/lib/filter-component.js.map +1 -1
  40. package/lib/filter.js +1 -3
  41. package/lib/filter.js.map +1 -1
  42. package/lib/http-api/errors.js +20 -16
  43. package/lib/http-api/errors.js.map +1 -1
  44. package/lib/http-api/fetch.js +4 -6
  45. package/lib/http-api/fetch.js.map +1 -1
  46. package/lib/http-api/refresh.js +10 -12
  47. package/lib/http-api/refresh.js.map +1 -1
  48. package/lib/interactive-auth.js +1 -11
  49. package/lib/interactive-auth.js.map +1 -1
  50. package/lib/logger.js +0 -2
  51. package/lib/logger.js.map +1 -1
  52. package/lib/matrixrtc/CallMembership.js +43 -57
  53. package/lib/matrixrtc/CallMembership.js.map +1 -1
  54. package/lib/matrixrtc/MatrixRTCSession.js +19 -24
  55. package/lib/matrixrtc/MatrixRTCSession.js.map +1 -1
  56. package/lib/matrixrtc/MatrixRTCSessionManager.js +2 -3
  57. package/lib/matrixrtc/MatrixRTCSessionManager.js.map +1 -1
  58. package/lib/matrixrtc/MembershipManager.js +23 -30
  59. package/lib/matrixrtc/MembershipManager.js.map +1 -1
  60. package/lib/matrixrtc/MembershipManagerActionScheduler.js +1 -2
  61. package/lib/matrixrtc/MembershipManagerActionScheduler.js.map +1 -1
  62. package/lib/matrixrtc/RTCEncryptionManager.js +8 -11
  63. package/lib/matrixrtc/RTCEncryptionManager.js.map +1 -1
  64. package/lib/matrixrtc/ToDeviceKeyTransport.js +4 -4
  65. package/lib/matrixrtc/ToDeviceKeyTransport.js.map +1 -1
  66. package/lib/matrixrtc/utils.js +7 -1
  67. package/lib/matrixrtc/utils.js.map +1 -1
  68. package/lib/models/MSC3089TreeSpace.js +5 -7
  69. package/lib/models/MSC3089TreeSpace.js.map +1 -1
  70. package/lib/models/beacon.js +5 -11
  71. package/lib/models/beacon.js.map +1 -1
  72. package/lib/models/device.js +0 -7
  73. package/lib/models/device.js.map +1 -1
  74. package/lib/models/event-context.js +1 -2
  75. package/lib/models/event-context.js.map +1 -1
  76. package/lib/models/event-timeline-set.js +16 -26
  77. package/lib/models/event-timeline-set.js.map +1 -1
  78. package/lib/models/event-timeline.js +8 -15
  79. package/lib/models/event-timeline.js.map +1 -1
  80. package/lib/models/event.js +20 -37
  81. package/lib/models/event.js.map +1 -1
  82. package/lib/models/invites-ignorer.js +8 -12
  83. package/lib/models/invites-ignorer.js.map +1 -1
  84. package/lib/models/poll.js +7 -13
  85. package/lib/models/poll.js.map +1 -1
  86. package/lib/models/read-receipt.js +8 -4
  87. package/lib/models/read-receipt.js.map +1 -1
  88. package/lib/models/related-relations.js +0 -2
  89. package/lib/models/related-relations.js.map +1 -1
  90. package/lib/models/relations-container.js +4 -6
  91. package/lib/models/relations-container.js.map +1 -1
  92. package/lib/models/relations.js +7 -10
  93. package/lib/models/relations.js.map +1 -1
  94. package/lib/models/room-member.js +2 -24
  95. package/lib/models/room-member.js.map +1 -1
  96. package/lib/models/room-receipts.js +25 -22
  97. package/lib/models/room-receipts.js.map +1 -1
  98. package/lib/models/room-state.js +2 -2
  99. package/lib/models/room-state.js.map +1 -1
  100. package/lib/models/room-sticky-events.js +20 -5
  101. package/lib/models/room-sticky-events.js.map +1 -1
  102. package/lib/models/room.js +82 -105
  103. package/lib/models/room.js.map +1 -1
  104. package/lib/models/thread.js +12 -57
  105. package/lib/models/thread.js.map +1 -1
  106. package/lib/models/user.js +1 -20
  107. package/lib/models/user.js.map +1 -1
  108. package/lib/oidc/authorize.js +23 -32
  109. package/lib/oidc/authorize.js.map +1 -1
  110. package/lib/oidc/tokenRefresher.js +8 -11
  111. package/lib/oidc/tokenRefresher.js.map +1 -1
  112. package/lib/pushprocessor.js +8 -5
  113. package/lib/pushprocessor.js.map +1 -1
  114. package/lib/receipt-accumulator.js +12 -3
  115. package/lib/receipt-accumulator.js.map +1 -1
  116. package/lib/rendezvous/MSC4108SignInWithQR.d.ts.map +1 -1
  117. package/lib/rendezvous/MSC4108SignInWithQR.js +10 -23
  118. package/lib/rendezvous/MSC4108SignInWithQR.js.map +1 -1
  119. package/lib/rendezvous/channels/MSC4108SecureChannel.js +5 -10
  120. package/lib/rendezvous/channels/MSC4108SecureChannel.js.map +1 -1
  121. package/lib/rendezvous/transports/MSC4108RendezvousSession.js +5 -15
  122. package/lib/rendezvous/transports/MSC4108RendezvousSession.js.map +1 -1
  123. package/lib/room-hierarchy.js +7 -12
  124. package/lib/room-hierarchy.js.map +1 -1
  125. package/lib/rust-crypto/DehydratedDeviceManager.js +2 -3
  126. package/lib/rust-crypto/DehydratedDeviceManager.js.map +1 -1
  127. package/lib/rust-crypto/KeyClaimManager.js +1 -2
  128. package/lib/rust-crypto/KeyClaimManager.js.map +1 -1
  129. package/lib/rust-crypto/OutgoingRequestProcessor.js +11 -4
  130. package/lib/rust-crypto/OutgoingRequestProcessor.js.map +1 -1
  131. package/lib/rust-crypto/OutgoingRequestsManager.js +12 -12
  132. package/lib/rust-crypto/OutgoingRequestsManager.js.map +1 -1
  133. package/lib/rust-crypto/PerSessionKeyBackupDownloader.js +3 -5
  134. package/lib/rust-crypto/PerSessionKeyBackupDownloader.js.map +1 -1
  135. package/lib/rust-crypto/RoomEncryptor.js +6 -6
  136. package/lib/rust-crypto/RoomEncryptor.js.map +1 -1
  137. package/lib/rust-crypto/backup.js +22 -16
  138. package/lib/rust-crypto/backup.js.map +1 -1
  139. package/lib/rust-crypto/device-converter.js +13 -4
  140. package/lib/rust-crypto/device-converter.js.map +1 -1
  141. package/lib/rust-crypto/index.js +1 -3
  142. package/lib/rust-crypto/index.js.map +1 -1
  143. package/lib/rust-crypto/libolm_migration.js +13 -15
  144. package/lib/rust-crypto/libolm_migration.js.map +1 -1
  145. package/lib/rust-crypto/rust-crypto.js +52 -59
  146. package/lib/rust-crypto/rust-crypto.js.map +1 -1
  147. package/lib/rust-crypto/verification.js +10 -10
  148. package/lib/rust-crypto/verification.js.map +1 -1
  149. package/lib/scheduler.js +2 -2
  150. package/lib/scheduler.js.map +1 -1
  151. package/lib/secret-storage.js +16 -10
  152. package/lib/secret-storage.js.map +1 -1
  153. package/lib/serverCapabilities.js +2 -5
  154. package/lib/serverCapabilities.js.map +1 -1
  155. package/lib/sliding-sync-sdk.js +4 -9
  156. package/lib/sliding-sync-sdk.js.map +1 -1
  157. package/lib/sliding-sync.js +4 -9
  158. package/lib/sliding-sync.js.map +1 -1
  159. package/lib/store/indexeddb-local-backend.js +13 -8
  160. package/lib/store/indexeddb-local-backend.js.map +1 -1
  161. package/lib/store/indexeddb-remote-backend.js +6 -7
  162. package/lib/store/indexeddb-remote-backend.js.map +1 -1
  163. package/lib/store/indexeddb-store-worker.js +1 -2
  164. package/lib/store/indexeddb-store-worker.js.map +1 -1
  165. package/lib/store/indexeddb.js +4 -2
  166. package/lib/store/indexeddb.js.map +1 -1
  167. package/lib/store/memory.js +0 -4
  168. package/lib/store/memory.js.map +1 -1
  169. package/lib/sync-accumulator.js +2 -4
  170. package/lib/sync-accumulator.js.map +1 -1
  171. package/lib/sync.js +36 -43
  172. package/lib/sync.js.map +1 -1
  173. package/lib/timeline-window.js +2 -6
  174. package/lib/timeline-window.js.map +1 -1
  175. package/lib/utils/decryptAESSecretStorageItem.js +5 -1
  176. package/lib/utils/decryptAESSecretStorageItem.js.map +1 -1
  177. package/lib/utils/encryptAESSecretStorageItem.js +5 -1
  178. package/lib/utils/encryptAESSecretStorageItem.js.map +1 -1
  179. package/lib/utils.js +35 -20
  180. package/lib/utils.js.map +1 -1
  181. package/lib/webrtc/call.js +13 -45
  182. package/lib/webrtc/call.js.map +1 -1
  183. package/lib/webrtc/callEventHandler.js +0 -5
  184. package/lib/webrtc/callEventHandler.js.map +1 -1
  185. package/lib/webrtc/callFeed.js +0 -15
  186. package/lib/webrtc/callFeed.js.map +1 -1
  187. package/lib/webrtc/groupCall.js +82 -89
  188. package/lib/webrtc/groupCall.js.map +1 -1
  189. package/lib/webrtc/groupCallEventHandler.js +6 -7
  190. package/lib/webrtc/groupCallEventHandler.js.map +1 -1
  191. package/lib/webrtc/mediaHandler.js +8 -15
  192. package/lib/webrtc/mediaHandler.js.map +1 -1
  193. package/lib/webrtc/stats/callStatsReportGatherer.js +2 -5
  194. package/lib/webrtc/stats/callStatsReportGatherer.js.map +1 -1
  195. package/lib/webrtc/stats/connectionStatsReportBuilder.js +5 -1
  196. package/lib/webrtc/stats/connectionStatsReportBuilder.js.map +1 -1
  197. package/lib/webrtc/stats/groupCallStats.js +3 -4
  198. package/lib/webrtc/stats/groupCallStats.js.map +1 -1
  199. package/lib/webrtc/stats/media/mediaTrackStats.js +3 -3
  200. package/lib/webrtc/stats/media/mediaTrackStats.js.map +1 -1
  201. package/lib/webrtc/stats/media/mediaTrackStatsHandler.js +1 -1
  202. package/lib/webrtc/stats/media/mediaTrackStatsHandler.js.map +1 -1
  203. package/package.json +3 -3
  204. package/src/rendezvous/MSC4108SignInWithQR.ts +2 -1
@@ -72,9 +72,7 @@ var generateCodeChallenge = /*#__PURE__*/function () {
72
72
  * @returns AuthorizationParams
73
73
  */
74
74
  export var generateAuthorizationParams = _ref2 => {
75
- var {
76
- redirectUri
77
- } = _ref2;
75
+ var redirectUri = _ref2.redirectUri;
78
76
  return {
79
77
  scope: generateScope(),
80
78
  redirectUri,
@@ -95,13 +93,11 @@ export var generateAuthorizationParams = _ref2 => {
95
93
  */
96
94
  export var generateAuthorizationUrl = /*#__PURE__*/function () {
97
95
  var _ref4 = _asyncToGenerator(function* (authorizationUrl, clientId, _ref3) {
98
- var {
99
- scope,
100
- redirectUri,
101
- state,
102
- nonce,
103
- codeVerifier
104
- } = _ref3;
96
+ var scope = _ref3.scope,
97
+ redirectUri = _ref3.redirectUri,
98
+ state = _ref3.state,
99
+ nonce = _ref3.nonce,
100
+ codeVerifier = _ref3.codeVerifier;
105
101
  var url = new URL(authorizationUrl);
106
102
  url.searchParams.append("response_mode", "query");
107
103
  url.searchParams.append("response_type", "code");
@@ -139,18 +135,17 @@ export var generateAuthorizationUrl = /*#__PURE__*/function () {
139
135
  */
140
136
  export var generateOidcAuthorizationUrl = /*#__PURE__*/function () {
141
137
  var _ref6 = _asyncToGenerator(function* (_ref5) {
142
- var {
143
- metadata,
144
- redirectUri,
145
- clientId,
146
- homeserverUrl,
147
- identityServerUrl,
148
- nonce,
149
- prompt,
150
- urlState,
151
- loginHint,
152
- responseMode = "query"
153
- } = _ref5;
138
+ var metadata = _ref5.metadata,
139
+ redirectUri = _ref5.redirectUri,
140
+ clientId = _ref5.clientId,
141
+ homeserverUrl = _ref5.homeserverUrl,
142
+ identityServerUrl = _ref5.identityServerUrl,
143
+ nonce = _ref5.nonce,
144
+ prompt = _ref5.prompt,
145
+ urlState = _ref5.urlState,
146
+ loginHint = _ref5.loginHint,
147
+ _ref5$responseMode = _ref5.responseMode,
148
+ responseMode = _ref5$responseMode === void 0 ? "query" : _ref5$responseMode;
154
149
  var scope = generateScope();
155
150
  var oidcClient = new OidcClient(_objectSpread(_objectSpread({}, metadata), {}, {
156
151
  client_id: clientId,
@@ -321,11 +316,9 @@ export var completeAuthorizationCodeGrant = /*#__PURE__*/function () {
321
316
  */
322
317
  export var startDeviceAuthorization = /*#__PURE__*/function () {
323
318
  var _ref9 = _asyncToGenerator(function* (_ref8) {
324
- var {
325
- clientId,
326
- scope,
327
- metadata
328
- } = _ref8;
319
+ var clientId = _ref8.clientId,
320
+ scope = _ref8.scope,
321
+ metadata = _ref8.metadata;
329
322
  var body = new URLSearchParams({
330
323
  client_id: clientId,
331
324
  scope: scope
@@ -360,11 +353,9 @@ export var startDeviceAuthorization = /*#__PURE__*/function () {
360
353
  export var waitForDeviceAuthorization = /*#__PURE__*/function () {
361
354
  var _ref1 = _asyncToGenerator(function* (_ref0) {
362
355
  var _session$interval;
363
- var {
364
- session,
365
- metadata,
366
- clientId
367
- } = _ref0;
356
+ var session = _ref0.session,
357
+ metadata = _ref0.metadata,
358
+ clientId = _ref0.clientId;
368
359
  var interval = ((_session$interval = session.interval) !== null && _session$interval !== void 0 ? _session$interval : 5) * 1000; // poll interval
369
360
  var expiration = Date.now() + session.expires_in * 1000;
370
361
  do {
@@ -1 +1 @@
1
- {"version":3,"file":"authorize.js","names":["Log","OidcClient","SigninResponse","SigninState","WebStorageStateStore","logger","secureRandomString","OidcError","validateBearerTokenResponse","validateIdToken","validateStoredUserState","sha256","encodeUnpaddedBase64Url","OAuthGrantType","sleep","Method","generateScope","deviceId","safeDeviceId","concat","generateCodeChallenge","_ref","_asyncToGenerator","codeVerifier","globalThis","crypto","subtle","warn","hashBuffer","_x","apply","arguments","generateAuthorizationParams","_ref2","redirectUri","scope","state","nonce","generateAuthorizationUrl","_ref4","authorizationUrl","clientId","_ref3","url","URL","searchParams","append","toString","_x2","_x3","_x4","generateOidcAuthorizationUrl","_ref6","_ref5","metadata","homeserverUrl","identityServerUrl","prompt","urlState","loginHint","responseMode","oidcClient","_objectSpread","client_id","redirect_uri","authority","issuer","response_mode","response_type","stateStore","prefix","store","window","sessionStorage","userState","request","createSigninRequest","url_state","login_hint","_x5","normalizeBearerTokenResponseTokenType","response","id_token","expires_at","refresh_token","access_token","token_type","completeAuthorizationCodeGrant","_ref7","code","length","undefined","reconstructedUrl","location","origin","params","URLSearchParams","search","hash","setLogger","stateString","get","Error","MissingOrInvalidStoredState","signInState","fromStorageString","client","signinResponse","processSigninResponse","href","settings","normalizedTokenResponse","oidcClientSettings","tokenResponse","idTokenClaims","profile","error","errorType","message","Object","values","includes","CodeExchangeFailed","_x6","_x7","startDeviceAuthorization","_ref9","_ref8","body","device_authorization_endpoint","fetch","method","Post","headers","json","_x8","waitForDeviceAuthorization","_ref1","_ref0","_session$interval","session","interval","expiration","Date","now","expires_in","device_code","grant_type","Dev
iceAuthorization","token_endpoint","ok","errorResponse","_x9"],"sources":["../../src/oidc/authorize.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport {\n type IdTokenClaims,\n Log,\n OidcClient,\n type SigninRequestCreateArgs,\n SigninResponse,\n SigninState,\n WebStorageStateStore,\n} from \"oidc-client-ts\";\n\nimport { logger } from \"../logger.ts\";\nimport { secureRandomString } from \"../randomstring.ts\";\nimport { OidcError } from \"./error.ts\";\nimport {\n type BearerTokenResponse,\n type UserState,\n validateBearerTokenResponse,\n type ValidatedAuthMetadata,\n validateIdToken,\n validateStoredUserState,\n} from \"./validate.ts\";\nimport { sha256 } from \"../digest.ts\";\nimport { encodeUnpaddedBase64Url } from \"../base64.ts\";\nimport { OAuthGrantType } from \"./register.ts\";\nimport { sleep } from \"../utils.ts\";\nimport { Method } from \"../http-api/index.ts\";\n\n// reexport for backwards compatibility\nexport type { BearerTokenResponse };\n\n/**\n * Authorization parameters which are used in the authentication request of an OIDC auth code flow.\n *\n * See https://openid.net/specs/openid-connect-basic-1_0.html#RequestParameters.\n */\nexport type AuthorizationParams = {\n state: string;\n scope: string;\n redirectUri: string;\n codeVerifier: string;\n nonce: string;\n};\n\n/**\n * @experimental\n * Generate the scope used in authorization request with OIDC OP\n * @returns scope\n 
*/\nexport const generateScope = (deviceId?: string): string => {\n const safeDeviceId = deviceId ?? secureRandomString(10);\n return `openid urn:matrix:org.matrix.msc2967.client:api:* urn:matrix:org.matrix.msc2967.client:device:${safeDeviceId}`;\n};\n\n// https://www.rfc-editor.org/rfc/rfc7636\nconst generateCodeChallenge = async (codeVerifier: string): Promise<string> => {\n if (!globalThis.crypto.subtle) {\n // @TODO(kerrya) should this be allowed? configurable?\n logger.warn(\"A secure context is required to generate code challenge. Using plain text code challenge\");\n return codeVerifier;\n }\n\n const hashBuffer = await sha256(codeVerifier);\n return encodeUnpaddedBase64Url(hashBuffer);\n};\n\n/**\n * Generate authorization params to pass to {@link generateAuthorizationUrl}.\n *\n * Used as part of an authorization code OIDC flow: see https://openid.net/specs/openid-connect-basic-1_0.html#CodeFlow.\n *\n * @param redirectUri - absolute url for OP to redirect to after authorization\n * @returns AuthorizationParams\n */\nexport const generateAuthorizationParams = ({ redirectUri }: { redirectUri: string }): AuthorizationParams => ({\n scope: generateScope(),\n redirectUri,\n state: secureRandomString(8),\n nonce: secureRandomString(8),\n codeVerifier: secureRandomString(64), // https://tools.ietf.org/html/rfc7636#section-4.1 length needs to be 43-128 characters\n});\n\n/**\n * @deprecated use generateOidcAuthorizationUrl\n * Generate a URL to attempt authorization with the OP\n * See https://openid.net/specs/openid-connect-basic-1_0.html#CodeRequest\n * @param authorizationUrl - endpoint to attempt authorization with the OP\n * @param clientId - id of this client as registered with the OP\n * @param authorizationParams - params to be used in the url\n * @returns a Promise with the url as a string\n */\nexport const generateAuthorizationUrl = async (\n authorizationUrl: string,\n clientId: string,\n { scope, redirectUri, state, nonce, codeVerifier }: 
AuthorizationParams,\n): Promise<string> => {\n const url = new URL(authorizationUrl);\n url.searchParams.append(\"response_mode\", \"query\");\n url.searchParams.append(\"response_type\", \"code\");\n url.searchParams.append(\"redirect_uri\", redirectUri);\n url.searchParams.append(\"client_id\", clientId);\n url.searchParams.append(\"state\", state);\n url.searchParams.append(\"scope\", scope);\n url.searchParams.append(\"nonce\", nonce);\n\n url.searchParams.append(\"code_challenge_method\", \"S256\");\n url.searchParams.append(\"code_challenge\", await generateCodeChallenge(codeVerifier));\n\n return url.toString();\n};\n\n/**\n * @experimental\n * Generate a URL to attempt authorization with the OP\n * See https://openid.net/specs/openid-connect-basic-1_0.html#CodeRequest\n * @param metadata - validated metadata from OP discovery\n * @param clientId - this client's id as registered with the OP\n * @param homeserverUrl - used to establish the session on return from the OP\n * @param identityServerUrl - used to establish the session on return from the OP\n * @param nonce - state\n * @param prompt - indicates to the OP which flow the user should see - eg login or registration\n * See https://openid.net/specs/openid-connect-prompt-create-1_0.html#name-prompt-parameter\n * @param urlState - value to append to the opaque state identifier to uniquely identify the callback\n * @param loginHint - value to send as the `login_hint` to the OP, giving a hint about the login identifier the user might use to log in.\n * See {@link https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest OIDC core 3.1.2.1}.\n * @param responseMode - value to send as the `response_mode` to the OP, selecting how auth is passed back during redirect.\n * See {@link https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest OIDC core 3.1.2.1}.\n * @returns a Promise with the url as a string\n */\nexport const generateOidcAuthorizationUrl = async ({\n metadata,\n redirectUri,\n 
clientId,\n homeserverUrl,\n identityServerUrl,\n nonce,\n prompt,\n urlState,\n loginHint,\n responseMode = \"query\",\n}: {\n clientId: string;\n metadata: ValidatedAuthMetadata;\n homeserverUrl: string;\n identityServerUrl?: string;\n redirectUri: string;\n nonce: string;\n prompt?: string;\n urlState?: string;\n loginHint?: string;\n responseMode?: SigninRequestCreateArgs[\"response_mode\"];\n}): Promise<string> => {\n const scope = generateScope();\n const oidcClient = new OidcClient({\n ...metadata,\n client_id: clientId,\n redirect_uri: redirectUri,\n authority: metadata.issuer,\n response_mode: responseMode,\n response_type: \"code\",\n scope,\n stateStore: new WebStorageStateStore({ prefix: \"mx_oidc_\", store: window.sessionStorage }),\n });\n const userState: UserState = { homeserverUrl, nonce, identityServerUrl };\n const request = await oidcClient.createSigninRequest({\n state: userState,\n nonce,\n prompt,\n url_state: urlState,\n login_hint: loginHint,\n });\n\n return request.url;\n};\n\n/**\n * Normalize token_type to use capital case to make consuming the token response easier\n * token_type is case insensitive, and it is spec-compliant for OPs to return token_type: \"bearer\"\n * Later, when used in auth headers it is case sensitive and must be Bearer\n * See: https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.4\n *\n * @param response - validated token response\n * @returns response with token_type set to 'Bearer'\n */\nconst normalizeBearerTokenResponseTokenType = (response: SigninResponse): BearerTokenResponse =>\n ({\n id_token: response.id_token,\n scope: response.scope,\n expires_at: response.expires_at,\n refresh_token: response.refresh_token,\n access_token: response.access_token,\n token_type: \"Bearer\",\n }) as BearerTokenResponse;\n\n/**\n * @experimental\n * Attempt to exchange authorization code for bearer token.\n *\n * Takes the authorization code returned by the OpenID Provider via the authorization URL, and makes a\n * 
request to the Token Endpoint, to obtain the access token, refresh token, etc.\n *\n * @param code - authorization code as returned by OP during authorization\n * @param state - authorization state param as returned by OP during authorization\n * @param responseMode - the response mode used for authentication\n * @returns valid bearer token response\n * @throws An `Error` with `message` set to an entry in {@link OidcError},\n * when the request fails, or the returned token response is invalid.\n */\nexport const completeAuthorizationCodeGrant = async (\n code: string,\n state: string,\n responseMode: SigninRequestCreateArgs[\"response_mode\"] = \"query\",\n): Promise<{\n oidcClientSettings: { clientId: string; issuer: string };\n tokenResponse: BearerTokenResponse;\n homeserverUrl: string;\n idTokenClaims: IdTokenClaims;\n identityServerUrl?: string;\n}> => {\n /**\n * Element Web strips and changes the url on starting the app\n * Use the code and state from query params to rebuild a url\n * so that oidc-client can parse it\n */\n const reconstructedUrl = new URL(window.location.origin);\n\n const params = new URLSearchParams({ code, state });\n if (responseMode === \"query\") {\n reconstructedUrl.search = params.toString();\n } else {\n reconstructedUrl.hash = `#${params.toString()}`;\n }\n\n // set oidc-client to use our logger\n Log.setLogger(logger);\n try {\n const response = new SigninResponse(params);\n\n const stateStore = new WebStorageStateStore({ prefix: \"mx_oidc_\", store: window.sessionStorage });\n\n // retrieve the state we put in storage at the start of oidc auth flow\n const stateString = await stateStore.get(response.state!);\n if (!stateString) {\n throw new Error(OidcError.MissingOrInvalidStoredState);\n }\n\n // hydrate the sign in state and create a client\n // the stored sign in state includes oidc configuration we set at the start of the oidc login flow\n const signInState = await SigninState.fromStorageString(stateString);\n const client = 
new OidcClient({ ...signInState, stateStore });\n\n // validate the code and state, and attempt to swap the code for tokens\n const signinResponse = await client.processSigninResponse(reconstructedUrl.href);\n\n // extra values we stored at the start of the login flow\n // used to complete login in the client\n const userState = signinResponse.userState;\n validateStoredUserState(userState);\n\n // throws when response is invalid\n validateBearerTokenResponse(signinResponse);\n if (signinResponse.id_token) {\n // The token is not yet in the Matrix spec so consider it optional\n // throws when token is invalid\n validateIdToken(\n signinResponse.id_token,\n client.settings.authority,\n client.settings.client_id,\n userState.nonce,\n );\n }\n const normalizedTokenResponse = normalizeBearerTokenResponseTokenType(signinResponse);\n\n return {\n oidcClientSettings: {\n clientId: client.settings.client_id,\n issuer: client.settings.authority,\n },\n tokenResponse: normalizedTokenResponse,\n homeserverUrl: userState.homeserverUrl,\n identityServerUrl: userState.identityServerUrl,\n idTokenClaims: signinResponse.profile,\n };\n } catch (error) {\n logger.error(\"Oidc login failed\", error);\n const errorType = (error as Error).message;\n\n // rethrow errors that we recognise\n if (Object.values(OidcError).includes(errorType as any)) {\n throw error;\n }\n throw new Error(OidcError.CodeExchangeFailed);\n }\n};\n\n/**\n * Response from the OIDC token endpoint when exchanging a token for grant_type device_code.\n */\nexport interface DeviceAccessTokenResponse {\n id_token?: string;\n access_token: string;\n token_type: string;\n refresh_token?: string;\n scope?: string;\n expires_in?: number;\n session_state?: string;\n}\n\n/**\n * Error from the OIDC token endpoint when exchanging a token for grant_type device_code.\n */\nexport interface DeviceAccessTokenError {\n error: string;\n error_description?: string;\n error_uri?: string;\n session_state?: string;\n}\n\n/**\n * 
Response from the OIDC device authorization endpoint.\n */\nexport interface DeviceAuthorizationResponse {\n device_code: string;\n user_code: string;\n verification_uri: string;\n verification_uri_complete?: string;\n expires_in: number;\n interval?: number;\n}\n\n/**\n * Begin OIDC device authorization flow.\n * @param options - The device authorization parameters.\n * @param options.clientId - the client ID returned from client registration.\n * @param options.scope - the scope to request for authorization.\n * @param options.metadata - the validated OIDC metadata for the Identity Provider.\n * @returns a promise that resolves to a device access token response,\n * or an error response if the user denies authorization or the device code expires.\n */\nexport const startDeviceAuthorization = async ({\n clientId,\n scope,\n metadata,\n}: {\n clientId: string;\n scope: string;\n metadata: ValidatedAuthMetadata;\n}): Promise<DeviceAuthorizationResponse> => {\n const body = new URLSearchParams({ client_id: clientId, scope: scope }).toString();\n\n const url = metadata.device_authorization_endpoint;\n if (!url) {\n throw new Error(\"No device_authorization_endpoint given\");\n }\n\n const response = await fetch(url, {\n method: Method.Post,\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n },\n body,\n });\n\n return (await response.json()) as DeviceAuthorizationResponse;\n};\n\n/**\n * Polls the OIDC token endpoint until we get a device access token response, or encounter an unrecoverable error.\n * @param options - The device authorization parameters.\n * @param options.session - The session returned from a previous call to {@link startDeviceAuthorization}.\n * @param options.metadata - The validated OIDC metadata for the Identity Provider.\n * @param options.clientId - The client ID returned from client registration.\n * @returns a promise that resolves to a device access token response,\n * or an error response if the user denies 
authorization or the device code expires.\n */\nexport const waitForDeviceAuthorization = async ({\n session,\n metadata,\n clientId,\n}: {\n session: DeviceAuthorizationResponse;\n metadata: ValidatedAuthMetadata;\n clientId: string;\n}): Promise<DeviceAccessTokenResponse | DeviceAccessTokenError> => {\n let interval = (session.interval ?? 5) * 1000; // poll interval\n const expiration = Date.now() + session.expires_in * 1000;\n do {\n const body = new URLSearchParams({\n device_code: session.device_code,\n grant_type: OAuthGrantType.DeviceAuthorization,\n client_id: clientId,\n }).toString();\n const response = await fetch(metadata.token_endpoint, {\n method: Method.Post,\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body,\n });\n\n if (response.ok) {\n return (await response.json()) as DeviceAccessTokenResponse;\n }\n const errorResponse = (await response.json()) as DeviceAccessTokenError;\n switch (errorResponse.error) {\n case \"authorization_pending\":\n break;\n case \"slow_down\":\n interval += 5000;\n break;\n case \"access_denied\":\n case \"expired_token\":\n return errorResponse;\n }\n await sleep(interval);\n } while (Date.now() < expiration);\n return { error: \"expired\" 
};\n};\n"],"mappings":";;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAEIA,GAAG,EACHC,UAAU,EAEVC,cAAc,EACdC,WAAW,EACXC,oBAAoB,QACjB,gBAAgB;AAEvB,SAASC,MAAM,QAAQ,cAAc;AACrC,SAASC,kBAAkB,QAAQ,oBAAoB;AACvD,SAASC,SAAS,QAAQ,YAAY;AACtC,SAGIC,2BAA2B,EAE3BC,eAAe,EACfC,uBAAuB,QACpB,eAAe;AACtB,SAASC,MAAM,QAAQ,cAAc;AACrC,SAASC,uBAAuB,QAAQ,cAAc;AACtD,SAASC,cAAc,QAAQ,eAAe;AAC9C,SAASC,KAAK,QAAQ,aAAa;AACnC,SAASC,MAAM,QAAQ,sBAAsB;;AAE7C;;AAGA;AACA;AACA;AACA;AACA;;AASA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,aAAa,GAAIC,QAAiB,IAAa;EACxD,IAAMC,YAAY,GAAGD,QAAQ,aAARA,QAAQ,cAARA,QAAQ,GAAIX,kBAAkB,CAAC,EAAE,CAAC;EACvD,wGAAAa,MAAA,CAAwGD,YAAY;AACxH,CAAC;;AAED;AACA,IAAME,qBAAqB;EAAA,IAAAC,IAAA,GAAAC,iBAAA,CAAG,WAAOC,YAAoB,EAAsB;IAC3E,IAAI,CAACC,UAAU,CAACC,MAAM,CAACC,MAAM,EAAE;MAC3B;MACArB,MAAM,CAACsB,IAAI,CAAC,0FAA0F,CAAC;MACvG,OAAOJ,YAAY;IACvB;IAEA,IAAMK,UAAU,SAASjB,MAAM,CAACY,YAAY,CAAC;IAC7C,OAAOX,uBAAuB,CAACgB,UAAU,CAAC;EAC9C,CAAC;EAAA,gBATKR,qBAAqBA,CAAAS,EAAA;IAAA,OAAAR,IAAA,CAAAS,KAAA,OAAAC,SAAA;EAAA;AAAA,GAS1B;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,2BAA2B,GAAGC,KAAA;EAAA,IAAC;IAAEC;EAAqC,CAAC,GAAAD,KAAA;EAAA,OAA2B;IAC3GE,KAAK,EAAEnB,aAAa,CAAC,CAAC;IACtBkB,WAAW;IACXE,KAAK,EAAE9B,kBAAkB,CAAC,CAAC,CAAC;IAC5B+B,KAAK,EAAE/B,kBAAkB,CAAC,CAAC,CAAC;IAC5BiB,YAAY,EAAEjB,kBAAkB,CAAC,EAAE,CAAC,CAAE;EAC1C,CAAC;AAAA,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMgC,wBAAwB;EAAA,IAAAC,KAAA,GAAAjB,iBAAA,CAAG,WACpCkB,gBAAwB,EACxBC,QAAgB,EAAAC,KAAA,EAEE;IAAA,IADlB;MAAEP,KAAK;MAAED,WAAW;MAAEE,KAAK;MAAEC,KAAK;MAAEd;IAAkC,CAAC,GAAAmB,KAAA;IAEvE,IAAMC,GAAG,GAAG,IAAIC,GAAG,CAACJ,gBAAgB,CAAC;IACrCG,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,eAAe,EAAE,OAAO,CAAC;IACjDH,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC;IAChDH,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,cAAc,EAAEZ,WAAW,CAAC;IACpDS,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,WAAW,EAAEL,QAAQ,CAAC;IAC9CE,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,OAAO,EAAEV,KAAK,CAAC;IACvCO,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,OAAO,EAAEX,KAAK,
CAAC;IACvCQ,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,OAAO,EAAET,KAAK,CAAC;IAEvCM,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC;IACxDH,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,gBAAgB,QAAQ1B,qBAAqB,CAACG,YAAY,CAAC,CAAC;IAEpF,OAAOoB,GAAG,CAACI,QAAQ,CAAC,CAAC;EACzB,CAAC;EAAA,gBAlBYT,wBAAwBA,CAAAU,GAAA,EAAAC,GAAA,EAAAC,GAAA;IAAA,OAAAX,KAAA,CAAAT,KAAA,OAAAC,SAAA;EAAA;AAAA,GAkBpC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMoB,4BAA4B;EAAA,IAAAC,KAAA,GAAA9B,iBAAA,CAAG,WAAA+B,KAAA,EAsBrB;IAAA,IAtB4B;MAC/CC,QAAQ;MACRpB,WAAW;MACXO,QAAQ;MACRc,aAAa;MACbC,iBAAiB;MACjBnB,KAAK;MACLoB,MAAM;MACNC,QAAQ;MACRC,SAAS;MACTC,YAAY,GAAG;IAYnB,CAAC,GAAAP,KAAA;IACG,IAAMlB,KAAK,GAAGnB,aAAa,CAAC,CAAC;IAC7B,IAAM6C,UAAU,GAAG,IAAI5D,UAAU,CAAA6D,aAAA,CAAAA,aAAA,KAC1BR,QAAQ;MACXS,SAAS,EAAEtB,QAAQ;MACnBuB,YAAY,EAAE9B,WAAW;MACzB+B,SAAS,EAAEX,QAAQ,CAACY,MAAM;MAC1BC,aAAa,EAAEP,YAAY;MAC3BQ,aAAa,EAAE,MAAM;MACrBjC,KAAK;MACLkC,UAAU,EAAE,IAAIjE,oBAAoB,CAAC;QAAEkE,MAAM,EAAE,UAAU;QAAEC,KAAK,EAAEC,MAAM,CAACC;MAAe,CAAC;IAAC,EAC7F,CAAC;IACF,IAAMC,SAAoB,GAAG;MAAEnB,aAAa;MAAElB,KAAK;MAAEmB;IAAkB,CAAC;IACxE,IAAMmB,OAAO,SAASd,UAAU,CAACe,mBAAmB,CAAC;MACjDxC,KAAK,EAAEsC,SAAS;MAChBrC,KAAK;MACLoB,MAAM;MACNoB,SAAS,EAAEnB,QAAQ;MACnBoB,UAAU,EAAEnB;IAChB,CAAC,CAAC;IAEF,OAAOgB,OAAO,CAAChC,GAAG;EACtB,CAAC;EAAA,gBA5CYQ,4BAA4BA,CAAA4B,GAAA;IAAA,OAAA3B,KAAA,CAAAtB,KAAA,OAAAC,SAAA;EAAA;AAAA,GA4CxC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAMiD,qCAAqC,GAAIC,QAAwB,KAClE;EACGC,QAAQ,EAAED,QAAQ,CAACC,QAAQ;EAC3B/C,KAAK,EAAE8C,QAAQ,CAAC9C,KAAK;EACrBgD,UAAU,EAAEF,QAAQ,CAACE,UAAU;EAC/BC,aAAa,EAAEH,QAAQ,CAACG,aAAa;EACrCC,YAAY,EAAEJ,QAAQ,CAACI,YAAY;EACnCC,UAAU,EAAE;AAChB,CAAC,CAAwB;;AAE7B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,8BAA8B;EAAA,IAAAC,KAAA,GAAAlE,iBAAA,CAAG,WAC1CmE,IAAY,EACZrD,KAAa,EAQX;IAAA,IAPFwB,YAAsD,GAAA7B,SAAA,CAAA2D,MAAA,QAAA3D,SAAA,QAAA4D,SAAA,GAAA5D,SAAA,MAAG,OAAO;IAQhE;AACJ;AACA;AACA;AACA;IACI,IAAM6D,gBAAgB,GAAG,IAAIhD,GAA
G,CAAC4B,MAAM,CAACqB,QAAQ,CAACC,MAAM,CAAC;IAExD,IAAMC,MAAM,GAAG,IAAIC,eAAe,CAAC;MAAEP,IAAI;MAAErD;IAAM,CAAC,CAAC;IACnD,IAAIwB,YAAY,KAAK,OAAO,EAAE;MAC1BgC,gBAAgB,CAACK,MAAM,GAAGF,MAAM,CAAChD,QAAQ,CAAC,CAAC;IAC/C,CAAC,MAAM;MACH6C,gBAAgB,CAACM,IAAI,OAAA/E,MAAA,CAAO4E,MAAM,CAAChD,QAAQ,CAAC,CAAC,CAAE;IACnD;;IAEA;IACA/C,GAAG,CAACmG,SAAS,CAAC9F,MAAM,CAAC;IACrB,IAAI;MACA,IAAM4E,QAAQ,GAAG,IAAI/E,cAAc,CAAC6F,MAAM,CAAC;MAE3C,IAAM1B,UAAU,GAAG,IAAIjE,oBAAoB,CAAC;QAAEkE,MAAM,EAAE,UAAU;QAAEC,KAAK,EAAEC,MAAM,CAACC;MAAe,CAAC,CAAC;;MAEjG;MACA,IAAM2B,WAAW,SAAS/B,UAAU,CAACgC,GAAG,CAACpB,QAAQ,CAAC7C,KAAM,CAAC;MACzD,IAAI,CAACgE,WAAW,EAAE;QACd,MAAM,IAAIE,KAAK,CAAC/F,SAAS,CAACgG,2BAA2B,CAAC;MAC1D;;MAEA;MACA;MACA,IAAMC,WAAW,SAASrG,WAAW,CAACsG,iBAAiB,CAACL,WAAW,CAAC;MACpE,IAAMM,MAAM,GAAG,IAAIzG,UAAU,CAAA6D,aAAA,CAAAA,aAAA,KAAM0C,WAAW;QAAEnC;MAAU,EAAE,CAAC;;MAE7D;MACA,IAAMsC,cAAc,SAASD,MAAM,CAACE,qBAAqB,CAAChB,gBAAgB,CAACiB,IAAI,CAAC;;MAEhF;MACA;MACA,IAAMnC,SAAS,GAAGiC,cAAc,CAACjC,SAAS;MAC1ChE,uBAAuB,CAACgE,SAAS,CAAC;;MAElC;MACAlE,2BAA2B,CAACmG,cAAc,CAAC;MAC3C,IAAIA,cAAc,CAACzB,QAAQ,EAAE;QACzB;QACA;QACAzE,eAAe,CACXkG,cAAc,CAACzB,QAAQ,EACvBwB,MAAM,CAACI,QAAQ,CAAC7C,SAAS,EACzByC,MAAM,CAACI,QAAQ,CAAC/C,SAAS,EACzBW,SAAS,CAACrC,KACd,CAAC;MACL;MACA,IAAM0E,uBAAuB,GAAG/B,qCAAqC,CAAC2B,cAAc,CAAC;MAErF,OAAO;QACHK,kBAAkB,EAAE;UAChBvE,QAAQ,EAAEiE,MAAM,CAACI,QAAQ,CAAC/C,SAAS;UACnCG,MAAM,EAAEwC,MAAM,CAACI,QAAQ,CAAC7C;QAC5B,CAAC;QACDgD,aAAa,EAAEF,uBAAuB;QACtCxD,aAAa,EAAEmB,SAAS,CAACnB,aAAa;QACtCC,iBAAiB,EAAEkB,SAAS,CAAClB,iBAAiB;QAC9C0D,aAAa,EAAEP,cAAc,CAACQ;MAClC,CAAC;IACL,CAAC,CAAC,OAAOC,KAAK,EAAE;MACZ/G,MAAM,CAAC+G,KAAK,CAAC,mBAAmB,EAAEA,KAAK,CAAC;MACxC,IAAMC,SAAS,GAAID,KAAK,CAAWE,OAAO;;MAE1C;MACA,IAAIC,MAAM,CAACC,MAAM,CAACjH,SAAS,CAAC,CAACkH,QAAQ,CAACJ,SAAgB,CAAC,EAAE;QACrD,MAAMD,KAAK;MACf;MACA,MAAM,IAAId,KAAK,CAAC/F,SAAS,CAACmH,kBAAkB,CAAC;IACjD;EACJ,CAAC;EAAA,gBArFYnC,8BAA8BA,CAAAoC,GAAA,EAAAC,GAAA;IAAA,OAAApC,KAAA,CAAA1D,KAAA,OAAAC,SAAA;EAAA;AAAA,GAqF1C;;AAED;AACA;AACA;;AAWA;AACA;AACA;;AAQA;AACA;AACA
;;AAUA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAM8F,wBAAwB;EAAA,IAAAC,KAAA,GAAAxG,iBAAA,CAAG,WAAAyG,KAAA,EAQI;IAAA,IARG;MAC3CtF,QAAQ;MACRN,KAAK;MACLmB;IAKJ,CAAC,GAAAyE,KAAA;IACG,IAAMC,IAAI,GAAG,IAAIhC,eAAe,CAAC;MAAEjC,SAAS,EAAEtB,QAAQ;MAAEN,KAAK,EAAEA;IAAM,CAAC,CAAC,CAACY,QAAQ,CAAC,CAAC;IAElF,IAAMJ,GAAG,GAAGW,QAAQ,CAAC2E,6BAA6B;IAClD,IAAI,CAACtF,GAAG,EAAE;MACN,MAAM,IAAI2D,KAAK,CAAC,wCAAwC,CAAC;IAC7D;IAEA,IAAMrB,QAAQ,SAASiD,KAAK,CAACvF,GAAG,EAAE;MAC9BwF,MAAM,EAAEpH,MAAM,CAACqH,IAAI;MACnBC,OAAO,EAAE;QACL,cAAc,EAAE;MACpB,CAAC;MACDL;IACJ,CAAC,CAAC;IAEF,aAAc/C,QAAQ,CAACqD,IAAI,CAAC,CAAC;EACjC,CAAC;EAAA,gBAzBYT,wBAAwBA,CAAAU,GAAA;IAAA,OAAAT,KAAA,CAAAhG,KAAA,OAAAC,SAAA;EAAA;AAAA,GAyBpC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMyG,0BAA0B;EAAA,IAAAC,KAAA,GAAAnH,iBAAA,CAAG,WAAAoH,KAAA,EAQyB;IAAA,IAAAC,iBAAA;IAAA,IARlB;MAC7CC,OAAO;MACPtF,QAAQ;MACRb;IAKJ,CAAC,GAAAiG,KAAA;IACG,IAAIG,QAAQ,GAAG,EAAAF,iBAAA,GAACC,OAAO,CAACC,QAAQ,cAAAF,iBAAA,cAAAA,iBAAA,GAAI,CAAC,IAAI,IAAI,CAAC,CAAC;IAC/C,IAAMG,UAAU,GAAGC,IAAI,CAACC,GAAG,CAAC,CAAC,GAAGJ,OAAO,CAACK,UAAU,GAAG,IAAI;IACzD,GAAG;MACC,IAAMjB,IAAI,GAAG,IAAIhC,eAAe,CAAC;QAC7BkD,WAAW,EAAEN,OAAO,CAACM,WAAW;QAChCC,UAAU,EAAEtI,cAAc,CAACuI,mBAAmB;QAC9CrF,SAAS,EAAEtB;MACf,CAAC,CAAC,CAACM,QAAQ,CAAC,CAAC;MACb,IAAMkC,QAAQ,SAASiD,KAAK,CAAC5E,QAAQ,CAAC+F,cAAc,EAAE;QAClDlB,MAAM,EAAEpH,MAAM,CAACqH,IAAI;QACnBC,OAAO,EAAE;UAAE,cAAc,EAAE;QAAoC,CAAC;QAChEL;MACJ,CAAC,CAAC;MAEF,IAAI/C,QAAQ,CAACqE,EAAE,EAAE;QACb,aAAcrE,QAAQ,CAACqD,IAAI,CAAC,CAAC;MACjC;MACA,IAAMiB,aAAa,SAAUtE,QAAQ,CAACqD,IAAI,CAAC,CAA4B;MACvE,QAAQiB,aAAa,CAACnC,KAAK;QACvB,KAAK,uBAAuB;UACxB;QACJ,KAAK,WAAW;UACZyB,QAAQ,IAAI,IAAI;UAChB;QACJ,KAAK,eAAe;QACpB,KAAK,eAAe;UAChB,OAAOU,aAAa;MAC5B;MACA,MAAMzI,KAAK,CAAC+H,QAAQ,CAAC;IACzB,CAAC,QAAQE,IAAI,CAACC,GAAG,CAAC,CAAC,GAAGF,UAAU;IAChC,OAAO;MAAE1B,KAAK,EAAE;IAAU,CAAC;EAC/B,CAAC;EAAA,gBAxCYoB,0BAA0BA,CAAAgB,GAAA;IAAA,OAAAf,KAAA,CAAA3G,KAAA,OAAAC,SAAA;EAAA;AAAA,GAwCtC","ignoreList":[]}
1
+ {"version":3,"file":"authorize.js","names":["Log","OidcClient","SigninResponse","SigninState","WebStorageStateStore","logger","secureRandomString","OidcError","validateBearerTokenResponse","validateIdToken","validateStoredUserState","sha256","encodeUnpaddedBase64Url","OAuthGrantType","sleep","Method","generateScope","deviceId","safeDeviceId","concat","generateCodeChallenge","_ref","_asyncToGenerator","codeVerifier","globalThis","crypto","subtle","warn","hashBuffer","_x","apply","arguments","generateAuthorizationParams","_ref2","redirectUri","scope","state","nonce","generateAuthorizationUrl","_ref4","authorizationUrl","clientId","_ref3","url","URL","searchParams","append","toString","_x2","_x3","_x4","generateOidcAuthorizationUrl","_ref6","_ref5","metadata","homeserverUrl","identityServerUrl","prompt","urlState","loginHint","_ref5$responseMode","responseMode","oidcClient","_objectSpread","client_id","redirect_uri","authority","issuer","response_mode","response_type","stateStore","prefix","store","window","sessionStorage","userState","request","createSigninRequest","url_state","login_hint","_x5","normalizeBearerTokenResponseTokenType","response","id_token","expires_at","refresh_token","access_token","token_type","completeAuthorizationCodeGrant","_ref7","code","length","undefined","reconstructedUrl","location","origin","params","URLSearchParams","search","hash","setLogger","stateString","get","Error","MissingOrInvalidStoredState","signInState","fromStorageString","client","signinResponse","processSigninResponse","href","settings","normalizedTokenResponse","oidcClientSettings","tokenResponse","idTokenClaims","profile","error","errorType","message","Object","values","includes","CodeExchangeFailed","_x6","_x7","startDeviceAuthorization","_ref9","_ref8","body","device_authorization_endpoint","fetch","method","Post","headers","json","_x8","waitForDeviceAuthorization","_ref1","_ref0","_session$interval","session","interval","expiration","Date","now","expires_in","device_co
de","grant_type","DeviceAuthorization","token_endpoint","ok","errorResponse","_x9"],"sources":["../../src/oidc/authorize.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport {\n type IdTokenClaims,\n Log,\n OidcClient,\n type SigninRequestCreateArgs,\n SigninResponse,\n SigninState,\n WebStorageStateStore,\n} from \"oidc-client-ts\";\n\nimport { logger } from \"../logger.ts\";\nimport { secureRandomString } from \"../randomstring.ts\";\nimport { OidcError } from \"./error.ts\";\nimport {\n type BearerTokenResponse,\n type UserState,\n validateBearerTokenResponse,\n type ValidatedAuthMetadata,\n validateIdToken,\n validateStoredUserState,\n} from \"./validate.ts\";\nimport { sha256 } from \"../digest.ts\";\nimport { encodeUnpaddedBase64Url } from \"../base64.ts\";\nimport { OAuthGrantType } from \"./register.ts\";\nimport { sleep } from \"../utils.ts\";\nimport { Method } from \"../http-api/index.ts\";\n\n// reexport for backwards compatibility\nexport type { BearerTokenResponse };\n\n/**\n * Authorization parameters which are used in the authentication request of an OIDC auth code flow.\n *\n * See https://openid.net/specs/openid-connect-basic-1_0.html#RequestParameters.\n */\nexport type AuthorizationParams = {\n state: string;\n scope: string;\n redirectUri: string;\n codeVerifier: string;\n nonce: string;\n};\n\n/**\n * @experimental\n * Generate the scope used in authorization request with OIDC 
OP\n * @returns scope\n */\nexport const generateScope = (deviceId?: string): string => {\n const safeDeviceId = deviceId ?? secureRandomString(10);\n return `openid urn:matrix:org.matrix.msc2967.client:api:* urn:matrix:org.matrix.msc2967.client:device:${safeDeviceId}`;\n};\n\n// https://www.rfc-editor.org/rfc/rfc7636\nconst generateCodeChallenge = async (codeVerifier: string): Promise<string> => {\n if (!globalThis.crypto.subtle) {\n // @TODO(kerrya) should this be allowed? configurable?\n logger.warn(\"A secure context is required to generate code challenge. Using plain text code challenge\");\n return codeVerifier;\n }\n\n const hashBuffer = await sha256(codeVerifier);\n return encodeUnpaddedBase64Url(hashBuffer);\n};\n\n/**\n * Generate authorization params to pass to {@link generateAuthorizationUrl}.\n *\n * Used as part of an authorization code OIDC flow: see https://openid.net/specs/openid-connect-basic-1_0.html#CodeFlow.\n *\n * @param redirectUri - absolute url for OP to redirect to after authorization\n * @returns AuthorizationParams\n */\nexport const generateAuthorizationParams = ({ redirectUri }: { redirectUri: string }): AuthorizationParams => ({\n scope: generateScope(),\n redirectUri,\n state: secureRandomString(8),\n nonce: secureRandomString(8),\n codeVerifier: secureRandomString(64), // https://tools.ietf.org/html/rfc7636#section-4.1 length needs to be 43-128 characters\n});\n\n/**\n * @deprecated use generateOidcAuthorizationUrl\n * Generate a URL to attempt authorization with the OP\n * See https://openid.net/specs/openid-connect-basic-1_0.html#CodeRequest\n * @param authorizationUrl - endpoint to attempt authorization with the OP\n * @param clientId - id of this client as registered with the OP\n * @param authorizationParams - params to be used in the url\n * @returns a Promise with the url as a string\n */\nexport const generateAuthorizationUrl = async (\n authorizationUrl: string,\n clientId: string,\n { scope, redirectUri, state, nonce, 
codeVerifier }: AuthorizationParams,\n): Promise<string> => {\n const url = new URL(authorizationUrl);\n url.searchParams.append(\"response_mode\", \"query\");\n url.searchParams.append(\"response_type\", \"code\");\n url.searchParams.append(\"redirect_uri\", redirectUri);\n url.searchParams.append(\"client_id\", clientId);\n url.searchParams.append(\"state\", state);\n url.searchParams.append(\"scope\", scope);\n url.searchParams.append(\"nonce\", nonce);\n\n url.searchParams.append(\"code_challenge_method\", \"S256\");\n url.searchParams.append(\"code_challenge\", await generateCodeChallenge(codeVerifier));\n\n return url.toString();\n};\n\n/**\n * @experimental\n * Generate a URL to attempt authorization with the OP\n * See https://openid.net/specs/openid-connect-basic-1_0.html#CodeRequest\n * @param metadata - validated metadata from OP discovery\n * @param clientId - this client's id as registered with the OP\n * @param homeserverUrl - used to establish the session on return from the OP\n * @param identityServerUrl - used to establish the session on return from the OP\n * @param nonce - state\n * @param prompt - indicates to the OP which flow the user should see - eg login or registration\n * See https://openid.net/specs/openid-connect-prompt-create-1_0.html#name-prompt-parameter\n * @param urlState - value to append to the opaque state identifier to uniquely identify the callback\n * @param loginHint - value to send as the `login_hint` to the OP, giving a hint about the login identifier the user might use to log in.\n * See {@link https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest OIDC core 3.1.2.1}.\n * @param responseMode - value to send as the `response_mode` to the OP, selecting how auth is passed back during redirect.\n * See {@link https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest OIDC core 3.1.2.1}.\n * @returns a Promise with the url as a string\n */\nexport const generateOidcAuthorizationUrl = async ({\n metadata,\n 
redirectUri,\n clientId,\n homeserverUrl,\n identityServerUrl,\n nonce,\n prompt,\n urlState,\n loginHint,\n responseMode = \"query\",\n}: {\n clientId: string;\n metadata: ValidatedAuthMetadata;\n homeserverUrl: string;\n identityServerUrl?: string;\n redirectUri: string;\n nonce: string;\n prompt?: string;\n urlState?: string;\n loginHint?: string;\n responseMode?: SigninRequestCreateArgs[\"response_mode\"];\n}): Promise<string> => {\n const scope = generateScope();\n const oidcClient = new OidcClient({\n ...metadata,\n client_id: clientId,\n redirect_uri: redirectUri,\n authority: metadata.issuer,\n response_mode: responseMode,\n response_type: \"code\",\n scope,\n stateStore: new WebStorageStateStore({ prefix: \"mx_oidc_\", store: window.sessionStorage }),\n });\n const userState: UserState = { homeserverUrl, nonce, identityServerUrl };\n const request = await oidcClient.createSigninRequest({\n state: userState,\n nonce,\n prompt,\n url_state: urlState,\n login_hint: loginHint,\n });\n\n return request.url;\n};\n\n/**\n * Normalize token_type to use capital case to make consuming the token response easier\n * token_type is case insensitive, and it is spec-compliant for OPs to return token_type: \"bearer\"\n * Later, when used in auth headers it is case sensitive and must be Bearer\n * See: https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.4\n *\n * @param response - validated token response\n * @returns response with token_type set to 'Bearer'\n */\nconst normalizeBearerTokenResponseTokenType = (response: SigninResponse): BearerTokenResponse =>\n ({\n id_token: response.id_token,\n scope: response.scope,\n expires_at: response.expires_at,\n refresh_token: response.refresh_token,\n access_token: response.access_token,\n token_type: \"Bearer\",\n }) as BearerTokenResponse;\n\n/**\n * @experimental\n * Attempt to exchange authorization code for bearer token.\n *\n * Takes the authorization code returned by the OpenID Provider via the authorization URL, and 
makes a\n * request to the Token Endpoint, to obtain the access token, refresh token, etc.\n *\n * @param code - authorization code as returned by OP during authorization\n * @param state - authorization state param as returned by OP during authorization\n * @param responseMode - the response mode used for authentication\n * @returns valid bearer token response\n * @throws An `Error` with `message` set to an entry in {@link OidcError},\n * when the request fails, or the returned token response is invalid.\n */\nexport const completeAuthorizationCodeGrant = async (\n code: string,\n state: string,\n responseMode: SigninRequestCreateArgs[\"response_mode\"] = \"query\",\n): Promise<{\n oidcClientSettings: { clientId: string; issuer: string };\n tokenResponse: BearerTokenResponse;\n homeserverUrl: string;\n idTokenClaims: IdTokenClaims;\n identityServerUrl?: string;\n}> => {\n /**\n * Element Web strips and changes the url on starting the app\n * Use the code and state from query params to rebuild a url\n * so that oidc-client can parse it\n */\n const reconstructedUrl = new URL(window.location.origin);\n\n const params = new URLSearchParams({ code, state });\n if (responseMode === \"query\") {\n reconstructedUrl.search = params.toString();\n } else {\n reconstructedUrl.hash = `#${params.toString()}`;\n }\n\n // set oidc-client to use our logger\n Log.setLogger(logger);\n try {\n const response = new SigninResponse(params);\n\n const stateStore = new WebStorageStateStore({ prefix: \"mx_oidc_\", store: window.sessionStorage });\n\n // retrieve the state we put in storage at the start of oidc auth flow\n const stateString = await stateStore.get(response.state!);\n if (!stateString) {\n throw new Error(OidcError.MissingOrInvalidStoredState);\n }\n\n // hydrate the sign in state and create a client\n // the stored sign in state includes oidc configuration we set at the start of the oidc login flow\n const signInState = await SigninState.fromStorageString(stateString);\n 
const client = new OidcClient({ ...signInState, stateStore });\n\n // validate the code and state, and attempt to swap the code for tokens\n const signinResponse = await client.processSigninResponse(reconstructedUrl.href);\n\n // extra values we stored at the start of the login flow\n // used to complete login in the client\n const userState = signinResponse.userState;\n validateStoredUserState(userState);\n\n // throws when response is invalid\n validateBearerTokenResponse(signinResponse);\n if (signinResponse.id_token) {\n // The token is not yet in the Matrix spec so consider it optional\n // throws when token is invalid\n validateIdToken(\n signinResponse.id_token,\n client.settings.authority,\n client.settings.client_id,\n userState.nonce,\n );\n }\n const normalizedTokenResponse = normalizeBearerTokenResponseTokenType(signinResponse);\n\n return {\n oidcClientSettings: {\n clientId: client.settings.client_id,\n issuer: client.settings.authority,\n },\n tokenResponse: normalizedTokenResponse,\n homeserverUrl: userState.homeserverUrl,\n identityServerUrl: userState.identityServerUrl,\n idTokenClaims: signinResponse.profile,\n };\n } catch (error) {\n logger.error(\"Oidc login failed\", error);\n const errorType = (error as Error).message;\n\n // rethrow errors that we recognise\n if (Object.values(OidcError).includes(errorType as any)) {\n throw error;\n }\n throw new Error(OidcError.CodeExchangeFailed);\n }\n};\n\n/**\n * Response from the OIDC token endpoint when exchanging a token for grant_type device_code.\n */\nexport interface DeviceAccessTokenResponse {\n id_token?: string;\n access_token: string;\n token_type: string;\n refresh_token?: string;\n scope?: string;\n expires_in?: number;\n session_state?: string;\n}\n\n/**\n * Error from the OIDC token endpoint when exchanging a token for grant_type device_code.\n */\nexport interface DeviceAccessTokenError {\n error: string;\n error_description?: string;\n error_uri?: string;\n session_state?: 
string;\n}\n\n/**\n * Response from the OIDC device authorization endpoint.\n */\nexport interface DeviceAuthorizationResponse {\n device_code: string;\n user_code: string;\n verification_uri: string;\n verification_uri_complete?: string;\n expires_in: number;\n interval?: number;\n}\n\n/**\n * Begin OIDC device authorization flow.\n * @param options - The device authorization parameters.\n * @param options.clientId - the client ID returned from client registration.\n * @param options.scope - the scope to request for authorization.\n * @param options.metadata - the validated OIDC metadata for the Identity Provider.\n * @returns a promise that resolves to a device access token response,\n * or an error response if the user denies authorization or the device code expires.\n */\nexport const startDeviceAuthorization = async ({\n clientId,\n scope,\n metadata,\n}: {\n clientId: string;\n scope: string;\n metadata: ValidatedAuthMetadata;\n}): Promise<DeviceAuthorizationResponse> => {\n const body = new URLSearchParams({ client_id: clientId, scope: scope }).toString();\n\n const url = metadata.device_authorization_endpoint;\n if (!url) {\n throw new Error(\"No device_authorization_endpoint given\");\n }\n\n const response = await fetch(url, {\n method: Method.Post,\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n },\n body,\n });\n\n return (await response.json()) as DeviceAuthorizationResponse;\n};\n\n/**\n * Polls the OIDC token endpoint until we get a device access token response, or encounter an unrecoverable error.\n * @param options - The device authorization parameters.\n * @param options.session - The session returned from a previous call to {@link startDeviceAuthorization}.\n * @param options.metadata - The validated OIDC metadata for the Identity Provider.\n * @param options.clientId - The client ID returned from client registration.\n * @returns a promise that resolves to a device access token response,\n * or an error response if the 
user denies authorization or the device code expires.\n */\nexport const waitForDeviceAuthorization = async ({\n session,\n metadata,\n clientId,\n}: {\n session: DeviceAuthorizationResponse;\n metadata: ValidatedAuthMetadata;\n clientId: string;\n}): Promise<DeviceAccessTokenResponse | DeviceAccessTokenError> => {\n let interval = (session.interval ?? 5) * 1000; // poll interval\n const expiration = Date.now() + session.expires_in * 1000;\n do {\n const body = new URLSearchParams({\n device_code: session.device_code,\n grant_type: OAuthGrantType.DeviceAuthorization,\n client_id: clientId,\n }).toString();\n const response = await fetch(metadata.token_endpoint, {\n method: Method.Post,\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body,\n });\n\n if (response.ok) {\n return (await response.json()) as DeviceAccessTokenResponse;\n }\n const errorResponse = (await response.json()) as DeviceAccessTokenError;\n switch (errorResponse.error) {\n case \"authorization_pending\":\n break;\n case \"slow_down\":\n interval += 5000;\n break;\n case \"access_denied\":\n case \"expired_token\":\n return errorResponse;\n }\n await sleep(interval);\n } while (Date.now() < expiration);\n return { error: \"expired\" 
};\n};\n"],"mappings":";;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAEIA,GAAG,EACHC,UAAU,EAEVC,cAAc,EACdC,WAAW,EACXC,oBAAoB,QACjB,gBAAgB;AAEvB,SAASC,MAAM,QAAQ,cAAc;AACrC,SAASC,kBAAkB,QAAQ,oBAAoB;AACvD,SAASC,SAAS,QAAQ,YAAY;AACtC,SAGIC,2BAA2B,EAE3BC,eAAe,EACfC,uBAAuB,QACpB,eAAe;AACtB,SAASC,MAAM,QAAQ,cAAc;AACrC,SAASC,uBAAuB,QAAQ,cAAc;AACtD,SAASC,cAAc,QAAQ,eAAe;AAC9C,SAASC,KAAK,QAAQ,aAAa;AACnC,SAASC,MAAM,QAAQ,sBAAsB;;AAE7C;;AAGA;AACA;AACA;AACA;AACA;;AASA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,aAAa,GAAIC,QAAiB,IAAa;EACxD,IAAMC,YAAY,GAAGD,QAAQ,aAARA,QAAQ,cAARA,QAAQ,GAAIX,kBAAkB,CAAC,EAAE,CAAC;EACvD,wGAAAa,MAAA,CAAwGD,YAAY;AACxH,CAAC;;AAED;AACA,IAAME,qBAAqB;EAAA,IAAAC,IAAA,GAAAC,iBAAA,CAAG,WAAOC,YAAoB,EAAsB;IAC3E,IAAI,CAACC,UAAU,CAACC,MAAM,CAACC,MAAM,EAAE;MAC3B;MACArB,MAAM,CAACsB,IAAI,CAAC,0FAA0F,CAAC;MACvG,OAAOJ,YAAY;IACvB;IAEA,IAAMK,UAAU,SAASjB,MAAM,CAACY,YAAY,CAAC;IAC7C,OAAOX,uBAAuB,CAACgB,UAAU,CAAC;EAC9C,CAAC;EAAA,gBATKR,qBAAqBA,CAAAS,EAAA;IAAA,OAAAR,IAAA,CAAAS,KAAA,OAAAC,SAAA;EAAA;AAAA,GAS1B;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,2BAA2B,GAAGC,KAAA;EAAA,IAAGC,WAAW,GAAAD,KAAA,CAAXC,WAAW;EAAA,OAAsD;IAC3GC,KAAK,EAAEnB,aAAa,CAAC,CAAC;IACtBkB,WAAW;IACXE,KAAK,EAAE9B,kBAAkB,CAAC,CAAC,CAAC;IAC5B+B,KAAK,EAAE/B,kBAAkB,CAAC,CAAC,CAAC;IAC5BiB,YAAY,EAAEjB,kBAAkB,CAAC,EAAE,CAAC,CAAE;EAC1C,CAAC;AAAA,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMgC,wBAAwB;EAAA,IAAAC,KAAA,GAAAjB,iBAAA,CAAG,WACpCkB,gBAAwB,EACxBC,QAAgB,EAAAC,KAAA,EAEE;IAAA,IADhBP,KAAK,GAAAO,KAAA,CAALP,KAAK;MAAED,WAAW,GAAAQ,KAAA,CAAXR,WAAW;MAAEE,KAAK,GAAAM,KAAA,CAALN,KAAK;MAAEC,KAAK,GAAAK,KAAA,CAALL,KAAK;MAAEd,YAAY,GAAAmB,KAAA,CAAZnB,YAAY;IAEhD,IAAMoB,GAAG,GAAG,IAAIC,GAAG,CAACJ,gBAAgB,CAAC;IACrCG,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,eAAe,EAAE,OAAO,CAAC;IACjDH,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC;IAChDH,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,cAAc,EAAEZ,WAAW,CAAC;IACpDS,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,WAAW,EAAEL,QAAQ,CAAC;IAC9CE,GAAG,CAACE,YAAY,CA
ACC,MAAM,CAAC,OAAO,EAAEV,KAAK,CAAC;IACvCO,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,OAAO,EAAEX,KAAK,CAAC;IACvCQ,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,OAAO,EAAET,KAAK,CAAC;IAEvCM,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC;IACxDH,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,gBAAgB,QAAQ1B,qBAAqB,CAACG,YAAY,CAAC,CAAC;IAEpF,OAAOoB,GAAG,CAACI,QAAQ,CAAC,CAAC;EACzB,CAAC;EAAA,gBAlBYT,wBAAwBA,CAAAU,GAAA,EAAAC,GAAA,EAAAC,GAAA;IAAA,OAAAX,KAAA,CAAAT,KAAA,OAAAC,SAAA;EAAA;AAAA,GAkBpC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMoB,4BAA4B;EAAA,IAAAC,KAAA,GAAA9B,iBAAA,CAAG,WAAA+B,KAAA,EAsBrB;IAAA,IArBnBC,QAAQ,GAAAD,KAAA,CAARC,QAAQ;MACRpB,WAAW,GAAAmB,KAAA,CAAXnB,WAAW;MACXO,QAAQ,GAAAY,KAAA,CAARZ,QAAQ;MACRc,aAAa,GAAAF,KAAA,CAAbE,aAAa;MACbC,iBAAiB,GAAAH,KAAA,CAAjBG,iBAAiB;MACjBnB,KAAK,GAAAgB,KAAA,CAALhB,KAAK;MACLoB,MAAM,GAAAJ,KAAA,CAANI,MAAM;MACNC,QAAQ,GAAAL,KAAA,CAARK,QAAQ;MACRC,SAAS,GAAAN,KAAA,CAATM,SAAS;MAAAC,kBAAA,GAAAP,KAAA,CACTQ,YAAY;MAAZA,YAAY,GAAAD,kBAAA,cAAG,OAAO,GAAAA,kBAAA;IAatB,IAAMzB,KAAK,GAAGnB,aAAa,CAAC,CAAC;IAC7B,IAAM8C,UAAU,GAAG,IAAI7D,UAAU,CAAA8D,aAAA,CAAAA,aAAA,KAC1BT,QAAQ;MACXU,SAAS,EAAEvB,QAAQ;MACnBwB,YAAY,EAAE/B,WAAW;MACzBgC,SAAS,EAAEZ,QAAQ,CAACa,MAAM;MAC1BC,aAAa,EAAEP,YAAY;MAC3BQ,aAAa,EAAE,MAAM;MACrBlC,KAAK;MACLmC,UAAU,EAAE,IAAIlE,oBAAoB,CAAC;QAAEmE,MAAM,EAAE,UAAU;QAAEC,KAAK,EAAEC,MAAM,CAACC;MAAe,CAAC;IAAC,EAC7F,CAAC;IACF,IAAMC,SAAoB,GAAG;MAAEpB,aAAa;MAAElB,KAAK;MAAEmB;IAAkB,CAAC;IACxE,IAAMoB,OAAO,SAASd,UAAU,CAACe,mBAAmB,CAAC;MACjDzC,KAAK,EAAEuC,SAAS;MAChBtC,KAAK;MACLoB,MAAM;MACNqB,SAAS,EAAEpB,QAAQ;MACnBqB,UAAU,EAAEpB;IAChB,CAAC,CAAC;IAEF,OAAOiB,OAAO,CAACjC,GAAG;EACtB,CAAC;EAAA,gBA5CYQ,4BAA4BA,CAAA6B,GAAA;IAAA,OAAA5B,KAAA,CAAAtB,KAAA,OAAAC,SAAA;EAAA;AAAA,GA4CxC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAMkD,qCAAqC,GAAIC,QAAwB,KAClE;EACGC,QAAQ,EAAED,QAAQ,CAACC,QAAQ;EAC3BhD,KAAK,EAAE+C,QAAQ,CAAC/C,KAAK;EACrBiD,UAAU,EAAEF,QAAQ,CAACE,UAAU;EAC/BC,aAAa,EAAEH,QAAQ,CAACG,aAAa;EACrCC,YAAY,EAAEJ,QAAQ,CAACI,YAAY;EACnCC,UAA
U,EAAE;AAChB,CAAC,CAAwB;;AAE7B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,8BAA8B;EAAA,IAAAC,KAAA,GAAAnE,iBAAA,CAAG,WAC1CoE,IAAY,EACZtD,KAAa,EAQX;IAAA,IAPFyB,YAAsD,GAAA9B,SAAA,CAAA4D,MAAA,QAAA5D,SAAA,QAAA6D,SAAA,GAAA7D,SAAA,MAAG,OAAO;IAQhE;AACJ;AACA;AACA;AACA;IACI,IAAM8D,gBAAgB,GAAG,IAAIjD,GAAG,CAAC6B,MAAM,CAACqB,QAAQ,CAACC,MAAM,CAAC;IAExD,IAAMC,MAAM,GAAG,IAAIC,eAAe,CAAC;MAAEP,IAAI;MAAEtD;IAAM,CAAC,CAAC;IACnD,IAAIyB,YAAY,KAAK,OAAO,EAAE;MAC1BgC,gBAAgB,CAACK,MAAM,GAAGF,MAAM,CAACjD,QAAQ,CAAC,CAAC;IAC/C,CAAC,MAAM;MACH8C,gBAAgB,CAACM,IAAI,OAAAhF,MAAA,CAAO6E,MAAM,CAACjD,QAAQ,CAAC,CAAC,CAAE;IACnD;;IAEA;IACA/C,GAAG,CAACoG,SAAS,CAAC/F,MAAM,CAAC;IACrB,IAAI;MACA,IAAM6E,QAAQ,GAAG,IAAIhF,cAAc,CAAC8F,MAAM,CAAC;MAE3C,IAAM1B,UAAU,GAAG,IAAIlE,oBAAoB,CAAC;QAAEmE,MAAM,EAAE,UAAU;QAAEC,KAAK,EAAEC,MAAM,CAACC;MAAe,CAAC,CAAC;;MAEjG;MACA,IAAM2B,WAAW,SAAS/B,UAAU,CAACgC,GAAG,CAACpB,QAAQ,CAAC9C,KAAM,CAAC;MACzD,IAAI,CAACiE,WAAW,EAAE;QACd,MAAM,IAAIE,KAAK,CAAChG,SAAS,CAACiG,2BAA2B,CAAC;MAC1D;;MAEA;MACA;MACA,IAAMC,WAAW,SAAStG,WAAW,CAACuG,iBAAiB,CAACL,WAAW,CAAC;MACpE,IAAMM,MAAM,GAAG,IAAI1G,UAAU,CAAA8D,aAAA,CAAAA,aAAA,KAAM0C,WAAW;QAAEnC;MAAU,EAAE,CAAC;;MAE7D;MACA,IAAMsC,cAAc,SAASD,MAAM,CAACE,qBAAqB,CAAChB,gBAAgB,CAACiB,IAAI,CAAC;;MAEhF;MACA;MACA,IAAMnC,SAAS,GAAGiC,cAAc,CAACjC,SAAS;MAC1CjE,uBAAuB,CAACiE,SAAS,CAAC;;MAElC;MACAnE,2BAA2B,CAACoG,cAAc,CAAC;MAC3C,IAAIA,cAAc,CAACzB,QAAQ,EAAE;QACzB;QACA;QACA1E,eAAe,CACXmG,cAAc,CAACzB,QAAQ,EACvBwB,MAAM,CAACI,QAAQ,CAAC7C,SAAS,EACzByC,MAAM,CAACI,QAAQ,CAAC/C,SAAS,EACzBW,SAAS,CAACtC,KACd,CAAC;MACL;MACA,IAAM2E,uBAAuB,GAAG/B,qCAAqC,CAAC2B,cAAc,CAAC;MAErF,OAAO;QACHK,kBAAkB,EAAE;UAChBxE,QAAQ,EAAEkE,MAAM,CAACI,QAAQ,CAAC/C,SAAS;UACnCG,MAAM,EAAEwC,MAAM,CAACI,QAAQ,CAAC7C;QAC5B,CAAC;QACDgD,aAAa,EAAEF,uBAAuB;QACtCzD,aAAa,EAAEoB,SAAS,CAACpB,aAAa;QACtCC,iBAAiB,EAAEmB,SAAS,CAACnB,iBAAiB;QAC9C2D,aAAa,EAAEP,cAAc,CAACQ;MAClC,CAAC;IACL,CAAC,CAAC,OAAOC,KAAK,EAAE;MACZhH,MAAM,CAACgH,KAAK,CAAC,mBAAmB,EAAEA,KAAK,CAAC;MACxC,IAAMC,SAAS,GAAID,KAAK,CAAW
E,OAAO;;MAE1C;MACA,IAAIC,MAAM,CAACC,MAAM,CAAClH,SAAS,CAAC,CAACmH,QAAQ,CAACJ,SAAgB,CAAC,EAAE;QACrD,MAAMD,KAAK;MACf;MACA,MAAM,IAAId,KAAK,CAAChG,SAAS,CAACoH,kBAAkB,CAAC;IACjD;EACJ,CAAC;EAAA,gBArFYnC,8BAA8BA,CAAAoC,GAAA,EAAAC,GAAA;IAAA,OAAApC,KAAA,CAAA3D,KAAA,OAAAC,SAAA;EAAA;AAAA,GAqF1C;;AAED;AACA;AACA;;AAWA;AACA;AACA;;AAQA;AACA;AACA;;AAUA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAM+F,wBAAwB;EAAA,IAAAC,KAAA,GAAAzG,iBAAA,CAAG,WAAA0G,KAAA,EAQI;IAAA,IAPxCvF,QAAQ,GAAAuF,KAAA,CAARvF,QAAQ;MACRN,KAAK,GAAA6F,KAAA,CAAL7F,KAAK;MACLmB,QAAQ,GAAA0E,KAAA,CAAR1E,QAAQ;IAMR,IAAM2E,IAAI,GAAG,IAAIhC,eAAe,CAAC;MAAEjC,SAAS,EAAEvB,QAAQ;MAAEN,KAAK,EAAEA;IAAM,CAAC,CAAC,CAACY,QAAQ,CAAC,CAAC;IAElF,IAAMJ,GAAG,GAAGW,QAAQ,CAAC4E,6BAA6B;IAClD,IAAI,CAACvF,GAAG,EAAE;MACN,MAAM,IAAI4D,KAAK,CAAC,wCAAwC,CAAC;IAC7D;IAEA,IAAMrB,QAAQ,SAASiD,KAAK,CAACxF,GAAG,EAAE;MAC9ByF,MAAM,EAAErH,MAAM,CAACsH,IAAI;MACnBC,OAAO,EAAE;QACL,cAAc,EAAE;MACpB,CAAC;MACDL;IACJ,CAAC,CAAC;IAEF,aAAc/C,QAAQ,CAACqD,IAAI,CAAC,CAAC;EACjC,CAAC;EAAA,gBAzBYT,wBAAwBA,CAAAU,GAAA;IAAA,OAAAT,KAAA,CAAAjG,KAAA,OAAAC,SAAA;EAAA;AAAA,GAyBpC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAM0G,0BAA0B;EAAA,IAAAC,KAAA,GAAApH,iBAAA,CAAG,WAAAqH,KAAA,EAQyB;IAAA,IAAAC,iBAAA;IAAA,IAP/DC,OAAO,GAAAF,KAAA,CAAPE,OAAO;MACPvF,QAAQ,GAAAqF,KAAA,CAARrF,QAAQ;MACRb,QAAQ,GAAAkG,KAAA,CAARlG,QAAQ;IAMR,IAAIqG,QAAQ,GAAG,EAAAF,iBAAA,GAACC,OAAO,CAACC,QAAQ,cAAAF,iBAAA,cAAAA,iBAAA,GAAI,CAAC,IAAI,IAAI,CAAC,CAAC;IAC/C,IAAMG,UAAU,GAAGC,IAAI,CAACC,GAAG,CAAC,CAAC,GAAGJ,OAAO,CAACK,UAAU,GAAG,IAAI;IACzD,GAAG;MACC,IAAMjB,IAAI,GAAG,IAAIhC,eAAe,CAAC;QAC7BkD,WAAW,EAAEN,OAAO,CAACM,WAAW;QAChCC,UAAU,EAAEvI,cAAc,CAACwI,mBAAmB;QAC9CrF,SAAS,EAAEvB;MACf,CAAC,CAAC,CAACM,QAAQ,CAAC,CAAC;MACb,IAAMmC,QAAQ,SAASiD,KAAK,CAAC7E,QAAQ,CAACgG,cAAc,EAAE;QAClDlB,MAAM,EAAErH,MAAM,CAACsH,IAAI;QACnBC,OAAO,EAAE;UAAE,cAAc,EAAE;QAAoC,CAAC;QAChEL;MACJ,CAAC,CAAC;MAEF,IAAI/C,QAAQ,CAACqE,EAAE,EAAE;QACb,aAAcrE,QAAQ,CAACqD,IAAI,CAAC,CAAC;MACjC;MACA,IAAMiB,aAAa,SAAUtE,QAAQ,CAACqD,IAAI,CAAC,CAA4B;MACvE,QA
AQiB,aAAa,CAACnC,KAAK;QACvB,KAAK,uBAAuB;UACxB;QACJ,KAAK,WAAW;UACZyB,QAAQ,IAAI,IAAI;UAChB;QACJ,KAAK,eAAe;QACpB,KAAK,eAAe;UAChB,OAAOU,aAAa;MAC5B;MACA,MAAM1I,KAAK,CAACgI,QAAQ,CAAC;IACzB,CAAC,QAAQE,IAAI,CAACC,GAAG,CAAC,CAAC,GAAGF,UAAU;IAChC,OAAO;MAAE1B,KAAK,EAAE;IAAU,CAAC;EAC/B,CAAC;EAAA,gBAxCYoB,0BAA0BA,CAAAgB,GAAA;IAAA,OAAAf,KAAA,CAAA5G,KAAA,OAAAC,SAAA;EAAA;AAAA,GAwCtC","ignoreList":[]}
@@ -1,5 +1,4 @@
1
1
  import _asyncToGenerator from "@babel/runtime/helpers/asyncToGenerator";
2
- import _defineProperty from "@babel/runtime/helpers/defineProperty";
3
2
  /*
4
3
  Copyright 2023 The Matrix.org Foundation C.I.C.
5
4
 
@@ -30,6 +29,14 @@ import { logger } from "../logger.js";
30
29
  *
31
30
  */
32
31
  export class OidcTokenRefresher {
32
+ /**
33
+ * This is now just a resolved promise and will be removed in a future version.
34
+ * Initialisation is done lazily at token refresh time.
35
+ * @deprecated Consumers no longer need to wait for this promise.
36
+ */
37
+
38
+ // If there is a initialisation attempt in progress, we keep track of it here.
39
+
33
40
  constructor(
34
41
  /**
35
42
  * The OIDC issuer as returned by the /auth_issuer API
@@ -57,16 +64,6 @@ export class OidcTokenRefresher {
57
64
  this.redirectUri = redirectUri;
58
65
  this.deviceId = deviceId;
59
66
  this.idTokenClaims = idTokenClaims;
60
- /**
61
- * This is now just a resolved promise and will be removed in a future version.
62
- * Initialisation is done lazily at token refresh time.
63
- * @deprecated Consumers no longer need to wait for this promise.
64
- */
65
- _defineProperty(this, "oidcClientReady", void 0);
66
- // If there is a initialisation attempt in progress, we keep track of it here.
67
- _defineProperty(this, "initPromise", void 0);
68
- _defineProperty(this, "oidcClient", void 0);
69
- _defineProperty(this, "inflightRefreshRequest", void 0);
70
67
  this.oidcClientReady = Promise.resolve();
71
68
  }
72
69
 
@@ -1 +1 @@
1
- {"version":3,"file":"tokenRefresher.js","names":["OidcClient","WebStorageStateStore","ErrorResponse","TokenRefreshLogoutError","generateScope","discoverAndValidateOIDCIssuerWellKnown","logger","OidcTokenRefresher","constructor","issuer","clientId","redirectUri","deviceId","idTokenClaims","_defineProperty","oidcClientReady","Promise","resolve","ensureInit","_this","_asyncToGenerator","oidcClient","initPromise","initialiseOidcClient","undefined","_this2","_config$signingKeys","config","scope","metadata","signingKeys","client_id","redirect_uri","authority","stateStore","prefix","store","window","sessionStorage","error","Error","doRefreshAccessToken","refreshToken","_this3","inflightRefreshRequest","getNewTokens","tokens","e","persistTokens","_this4","refreshTokenState","refresh_token","session_state","data","profile","requestStart","Date","now","response","useRefreshToken","state","timeoutInSeconds","accessToken","access_token","expiry","expires_in"],"sources":["../../src/oidc/tokenRefresher.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { type IdTokenClaims, OidcClient, WebStorageStateStore, ErrorResponse } from \"oidc-client-ts\";\n\nimport { type AccessTokens, TokenRefreshLogoutError } from \"../http-api/index.ts\";\nimport { generateScope } from \"./authorize.ts\";\nimport { discoverAndValidateOIDCIssuerWellKnown } from \"./discovery.ts\";\nimport { logger } from \"../logger.ts\";\n\n/**\n * 
@experimental\n * Class responsible for refreshing OIDC access tokens\n *\n * Client implementations will likely want to override {@link persistTokens} to persist tokens after successful refresh\n *\n */\nexport class OidcTokenRefresher {\n /**\n * This is now just a resolved promise and will be removed in a future version.\n * Initialisation is done lazily at token refresh time.\n * @deprecated Consumers no longer need to wait for this promise.\n */\n public readonly oidcClientReady!: Promise<void>;\n\n // If there is a initialisation attempt in progress, we keep track of it here.\n private initPromise?: Promise<void>;\n\n private oidcClient!: OidcClient;\n private inflightRefreshRequest?: Promise<AccessTokens>;\n\n public constructor(\n /**\n * The OIDC issuer as returned by the /auth_issuer API\n */\n private issuer: string,\n /**\n * id of this client as registered with the OP\n */\n private clientId: string,\n /**\n * redirectUri as registered with OP\n */\n private redirectUri: string,\n /**\n * Device ID of current session\n */\n protected deviceId: string,\n /**\n * idTokenClaims as returned from authorization grant\n * used to validate tokens\n */\n private readonly idTokenClaims: IdTokenClaims,\n ) {\n this.oidcClientReady = Promise.resolve();\n }\n\n /**\n * Ensures that the client is initialised.\n * @returns Promise that resolves when initialisation is complete\n * @throws if initialisation fails\n */\n private async ensureInit(): Promise<void> {\n if (!this.oidcClient) {\n if (this.initPromise) {\n return this.initPromise;\n }\n\n this.initPromise = this.initialiseOidcClient(this.issuer, this.clientId, this.deviceId, this.redirectUri);\n try {\n await this.initPromise;\n } finally {\n this.initPromise = undefined;\n }\n }\n }\n\n private async initialiseOidcClient(\n issuer: string,\n clientId: string,\n deviceId: string,\n redirectUri: string,\n ): Promise<void> {\n try {\n const config = await discoverAndValidateOIDCIssuerWellKnown(issuer);\n\n 
const scope = generateScope(deviceId);\n\n this.oidcClient = new OidcClient({\n metadata: config,\n signingKeys: config.signingKeys ?? undefined,\n client_id: clientId,\n scope,\n redirect_uri: redirectUri,\n authority: config.issuer,\n stateStore: new WebStorageStateStore({ prefix: \"mx_oidc_\", store: window.sessionStorage }),\n });\n } catch (error) {\n logger.error(\"Failed to initialise OIDC client.\", error);\n throw new Error(\"Failed to initialise OIDC client.\");\n }\n }\n\n /**\n * Attempt token refresh using given refresh token\n * @param refreshToken - refresh token to use in request with token issuer\n * @returns tokens - Promise that resolves with new access and refresh tokens\n * @throws when token refresh fails\n */\n public async doRefreshAccessToken(refreshToken: string): Promise<AccessTokens> {\n await this.ensureInit();\n\n if (!this.inflightRefreshRequest) {\n this.inflightRefreshRequest = this.getNewTokens(refreshToken);\n }\n try {\n const tokens = await this.inflightRefreshRequest;\n return tokens;\n } catch (e) {\n // If we encounter an OIDC error then signal that it should cause a logout by upgrading it to a TokenRefreshLogoutError\n if (e instanceof ErrorResponse) {\n throw new TokenRefreshLogoutError(e);\n }\n throw e;\n } finally {\n this.inflightRefreshRequest = undefined;\n }\n }\n\n /**\n * Persist the new tokens, called after tokens are successfully refreshed.\n *\n * This function is intended to be overriden by the consumer when persistence is necessary.\n *\n * @param tokens.accessToken - new access token\n * @param tokens.refreshToken - OPTIONAL new refresh token\n */\n protected async persistTokens(tokens: { accessToken: string; refreshToken?: string }): Promise<void> {\n // NOOP\n }\n\n private async getNewTokens(refreshToken: string): Promise<AccessTokens> {\n if (!this.oidcClient) {\n throw new Error(\"Cannot get new token before OIDC client is initialised.\");\n }\n\n const refreshTokenState = {\n refresh_token: 
refreshToken,\n session_state: \"test\",\n data: undefined,\n profile: this.idTokenClaims,\n };\n\n const requestStart = Date.now();\n const response = await this.oidcClient.useRefreshToken({\n state: refreshTokenState,\n timeoutInSeconds: 300,\n });\n\n const tokens = {\n accessToken: response.access_token,\n refreshToken: response.refresh_token,\n // We use the request start time to calculate the expiry time as we don't know when the server received our request\n expiry: response.expires_in ? new Date(requestStart + response.expires_in * 1000) : undefined,\n } satisfies AccessTokens;\n\n await this.persistTokens(tokens);\n\n return tokens;\n }\n}\n"],"mappings":";;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAA6BA,UAAU,EAAEC,oBAAoB,EAAEC,aAAa,QAAQ,gBAAgB;AAEpG,SAA4BC,uBAAuB,QAAQ,sBAAsB;AACjF,SAASC,aAAa,QAAQ,gBAAgB;AAC9C,SAASC,sCAAsC,QAAQ,gBAAgB;AACvE,SAASC,MAAM,QAAQ,cAAc;;AAErC;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,kBAAkB,CAAC;EAcrBC,WAAWA;EACd;AACR;AACA;EACgBC,MAAc;EACtB;AACR;AACA;EACgBC,QAAgB;EACxB;AACR;AACA;EACgBC,WAAmB;EAC3B;AACR;AACA;EACkBC,QAAgB;EAC1B;AACR;AACA;AACA;EACyBC,aAA4B,EAC/C;IAAA,KAlBUJ,MAAc,GAAdA,MAAc;IAAA,KAIdC,QAAgB,GAAhBA,QAAgB;IAAA,KAIhBC,WAAmB,GAAnBA,WAAmB;IAAA,KAIjBC,QAAgB,GAAhBA,QAAgB;IAAA,KAKTC,aAA4B,GAA5BA,aAA4B;IAlCjD;AACJ;AACA;AACA;AACA;IAJIC,eAAA;IAOA;IAAAA,eAAA;IAAAA,eAAA;IAAAA,eAAA;IA6BI,IAAI,CAACC,eAAe,GAAGC,OAAO,CAACC,OAAO,CAAC,CAAC;EAC5C;;EAEA;AACJ;AACA;AACA;AACA;EACkBC,UAAUA,CAAA,EAAkB;IAAA,IAAAC,KAAA;IAAA,OAAAC,iBAAA;MACtC,IAAI,CAACD,KAAI,CAACE,UAAU,EAAE;QAClB,IAAIF,KAAI,CAACG,WAAW,EAAE;UAClB,OAAOH,KAAI,CAACG,WAAW;QAC3B;QAEAH,KAAI,CAACG,WAAW,GAAGH,KAAI,CAACI,oBAAoB,CAACJ,KAAI,CAACV,MAAM,EAAEU,KAAI,CAACT,QAAQ,EAAES,KAAI,CAACP,QAAQ,EAAEO,KAAI,CAACR,WAAW,CAAC;QACzG,IAAI;UACA,MAAMQ,KAAI,CAACG,WAAW;QAC1B,CAAC,SAAS;UACNH,KAAI,CAACG,WAAW,GAAGE,SAAS;QAChC;MACJ;IAAC;EACL;EAEcD,oBAAoBA,CAC9Bd,MAAc,EACdC,QAAgB,EAChBE,QAAgB,EAChBD,WAAmB,EACN;IAAA,IAAAc,MAAA;IAAA,OAAAL,iBAAA;MACb,IAAI;QAAA,IAAAM,m
BAAA;QACA,IAAMC,MAAM,SAAStB,sCAAsC,CAACI,MAAM,CAAC;QAEnE,IAAMmB,KAAK,GAAGxB,aAAa,CAACQ,QAAQ,CAAC;QAErCa,MAAI,CAACJ,UAAU,GAAG,IAAIrB,UAAU,CAAC;UAC7B6B,QAAQ,EAAEF,MAAM;UAChBG,WAAW,GAAAJ,mBAAA,GAAEC,MAAM,CAACG,WAAW,cAAAJ,mBAAA,cAAAA,mBAAA,GAAIF,SAAS;UAC5CO,SAAS,EAAErB,QAAQ;UACnBkB,KAAK;UACLI,YAAY,EAAErB,WAAW;UACzBsB,SAAS,EAAEN,MAAM,CAAClB,MAAM;UACxByB,UAAU,EAAE,IAAIjC,oBAAoB,CAAC;YAAEkC,MAAM,EAAE,UAAU;YAAEC,KAAK,EAAEC,MAAM,CAACC;UAAe,CAAC;QAC7F,CAAC,CAAC;MACN,CAAC,CAAC,OAAOC,KAAK,EAAE;QACZjC,MAAM,CAACiC,KAAK,CAAC,mCAAmC,EAAEA,KAAK,CAAC;QACxD,MAAM,IAAIC,KAAK,CAAC,mCAAmC,CAAC;MACxD;IAAC;EACL;;EAEA;AACJ;AACA;AACA;AACA;AACA;EACiBC,oBAAoBA,CAACC,YAAoB,EAAyB;IAAA,IAAAC,MAAA;IAAA,OAAAvB,iBAAA;MAC3E,MAAMuB,MAAI,CAACzB,UAAU,CAAC,CAAC;MAEvB,IAAI,CAACyB,MAAI,CAACC,sBAAsB,EAAE;QAC9BD,MAAI,CAACC,sBAAsB,GAAGD,MAAI,CAACE,YAAY,CAACH,YAAY,CAAC;MACjE;MACA,IAAI;QACA,IAAMI,MAAM,SAASH,MAAI,CAACC,sBAAsB;QAChD,OAAOE,MAAM;MACjB,CAAC,CAAC,OAAOC,CAAC,EAAE;QACR;QACA,IAAIA,CAAC,YAAY7C,aAAa,EAAE;UAC5B,MAAM,IAAIC,uBAAuB,CAAC4C,CAAC,CAAC;QACxC;QACA,MAAMA,CAAC;MACX,CAAC,SAAS;QACNJ,MAAI,CAACC,sBAAsB,GAAGpB,SAAS;MAC3C;IAAC;EACL;;EAEA;AACJ;AACA;AACA;AACA;AACA;AACA;AACA;EACoBwB,aAAaA,CAACF,MAAsD,EAAiB;IAAA,OAAA1B,iBAAA;EAErG,CAAC,CADG;EAGUyB,YAAYA,CAACH,YAAoB,EAAyB;IAAA,IAAAO,MAAA;IAAA,OAAA7B,iBAAA;MACpE,IAAI,CAAC6B,MAAI,CAAC5B,UAAU,EAAE;QAClB,MAAM,IAAImB,KAAK,CAAC,yDAAyD,CAAC;MAC9E;MAEA,IAAMU,iBAAiB,GAAG;QACtBC,aAAa,EAAET,YAAY;QAC3BU,aAAa,EAAE,MAAM;QACrBC,IAAI,EAAE7B,SAAS;QACf8B,OAAO,EAAEL,MAAI,CAACpC;MAClB,CAAC;MAED,IAAM0C,YAAY,GAAGC,IAAI,CAACC,GAAG,CAAC,CAAC;MAC/B,IAAMC,QAAQ,SAAST,MAAI,CAAC5B,UAAU,CAACsC,eAAe,CAAC;QACnDC,KAAK,EAAEV,iBAAiB;QACxBW,gBAAgB,EAAE;MACtB,CAAC,CAAC;MAEF,IAAMf,MAAM,GAAG;QACXgB,WAAW,EAAEJ,QAAQ,CAACK,YAAY;QAClCrB,YAAY,EAAEgB,QAAQ,CAACP,aAAa;QACpC;QACAa,MAAM,EAAEN,QAAQ,CAACO,UAAU,GAAG,IAAIT,IAAI,CAACD,YAAY,GAAGG,QAAQ,CAACO,UAAU,GAAG,IAAI,CAAC,GAAGzC;MACxF,CAAwB;MAExB,MAAMyB,MAAI,CAACD,aAAa,CAACF,MAAM,CAAC;MAEhC,OAAOA,MAAM;IAAC;EAClB;AACJ","ignoreList":[]}
1
+ {"version":3,"file":"tokenRefresher.js","names":["OidcClient","WebStorageStateStore","ErrorResponse","TokenRefreshLogoutError","generateScope","discoverAndValidateOIDCIssuerWellKnown","logger","OidcTokenRefresher","constructor","issuer","clientId","redirectUri","deviceId","idTokenClaims","oidcClientReady","Promise","resolve","ensureInit","_this","_asyncToGenerator","oidcClient","initPromise","initialiseOidcClient","undefined","_this2","_config$signingKeys","config","scope","metadata","signingKeys","client_id","redirect_uri","authority","stateStore","prefix","store","window","sessionStorage","error","Error","doRefreshAccessToken","refreshToken","_this3","inflightRefreshRequest","getNewTokens","tokens","e","persistTokens","_this4","refreshTokenState","refresh_token","session_state","data","profile","requestStart","Date","now","response","useRefreshToken","state","timeoutInSeconds","accessToken","access_token","expiry","expires_in"],"sources":["../../src/oidc/tokenRefresher.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { type IdTokenClaims, OidcClient, WebStorageStateStore, ErrorResponse } from \"oidc-client-ts\";\n\nimport { type AccessTokens, TokenRefreshLogoutError } from \"../http-api/index.ts\";\nimport { generateScope } from \"./authorize.ts\";\nimport { discoverAndValidateOIDCIssuerWellKnown } from \"./discovery.ts\";\nimport { logger } from \"../logger.ts\";\n\n/**\n * @experimental\n * 
Class responsible for refreshing OIDC access tokens\n *\n * Client implementations will likely want to override {@link persistTokens} to persist tokens after successful refresh\n *\n */\nexport class OidcTokenRefresher {\n /**\n * This is now just a resolved promise and will be removed in a future version.\n * Initialisation is done lazily at token refresh time.\n * @deprecated Consumers no longer need to wait for this promise.\n */\n public readonly oidcClientReady!: Promise<void>;\n\n // If there is a initialisation attempt in progress, we keep track of it here.\n private initPromise?: Promise<void>;\n\n private oidcClient!: OidcClient;\n private inflightRefreshRequest?: Promise<AccessTokens>;\n\n public constructor(\n /**\n * The OIDC issuer as returned by the /auth_issuer API\n */\n private issuer: string,\n /**\n * id of this client as registered with the OP\n */\n private clientId: string,\n /**\n * redirectUri as registered with OP\n */\n private redirectUri: string,\n /**\n * Device ID of current session\n */\n protected deviceId: string,\n /**\n * idTokenClaims as returned from authorization grant\n * used to validate tokens\n */\n private readonly idTokenClaims: IdTokenClaims,\n ) {\n this.oidcClientReady = Promise.resolve();\n }\n\n /**\n * Ensures that the client is initialised.\n * @returns Promise that resolves when initialisation is complete\n * @throws if initialisation fails\n */\n private async ensureInit(): Promise<void> {\n if (!this.oidcClient) {\n if (this.initPromise) {\n return this.initPromise;\n }\n\n this.initPromise = this.initialiseOidcClient(this.issuer, this.clientId, this.deviceId, this.redirectUri);\n try {\n await this.initPromise;\n } finally {\n this.initPromise = undefined;\n }\n }\n }\n\n private async initialiseOidcClient(\n issuer: string,\n clientId: string,\n deviceId: string,\n redirectUri: string,\n ): Promise<void> {\n try {\n const config = await discoverAndValidateOIDCIssuerWellKnown(issuer);\n\n const scope = 
generateScope(deviceId);\n\n this.oidcClient = new OidcClient({\n metadata: config,\n signingKeys: config.signingKeys ?? undefined,\n client_id: clientId,\n scope,\n redirect_uri: redirectUri,\n authority: config.issuer,\n stateStore: new WebStorageStateStore({ prefix: \"mx_oidc_\", store: window.sessionStorage }),\n });\n } catch (error) {\n logger.error(\"Failed to initialise OIDC client.\", error);\n throw new Error(\"Failed to initialise OIDC client.\");\n }\n }\n\n /**\n * Attempt token refresh using given refresh token\n * @param refreshToken - refresh token to use in request with token issuer\n * @returns tokens - Promise that resolves with new access and refresh tokens\n * @throws when token refresh fails\n */\n public async doRefreshAccessToken(refreshToken: string): Promise<AccessTokens> {\n await this.ensureInit();\n\n if (!this.inflightRefreshRequest) {\n this.inflightRefreshRequest = this.getNewTokens(refreshToken);\n }\n try {\n const tokens = await this.inflightRefreshRequest;\n return tokens;\n } catch (e) {\n // If we encounter an OIDC error then signal that it should cause a logout by upgrading it to a TokenRefreshLogoutError\n if (e instanceof ErrorResponse) {\n throw new TokenRefreshLogoutError(e);\n }\n throw e;\n } finally {\n this.inflightRefreshRequest = undefined;\n }\n }\n\n /**\n * Persist the new tokens, called after tokens are successfully refreshed.\n *\n * This function is intended to be overriden by the consumer when persistence is necessary.\n *\n * @param tokens.accessToken - new access token\n * @param tokens.refreshToken - OPTIONAL new refresh token\n */\n protected async persistTokens(tokens: { accessToken: string; refreshToken?: string }): Promise<void> {\n // NOOP\n }\n\n private async getNewTokens(refreshToken: string): Promise<AccessTokens> {\n if (!this.oidcClient) {\n throw new Error(\"Cannot get new token before OIDC client is initialised.\");\n }\n\n const refreshTokenState = {\n refresh_token: refreshToken,\n 
session_state: \"test\",\n data: undefined,\n profile: this.idTokenClaims,\n };\n\n const requestStart = Date.now();\n const response = await this.oidcClient.useRefreshToken({\n state: refreshTokenState,\n timeoutInSeconds: 300,\n });\n\n const tokens = {\n accessToken: response.access_token,\n refreshToken: response.refresh_token,\n // We use the request start time to calculate the expiry time as we don't know when the server received our request\n expiry: response.expires_in ? new Date(requestStart + response.expires_in * 1000) : undefined,\n } satisfies AccessTokens;\n\n await this.persistTokens(tokens);\n\n return tokens;\n }\n}\n"],"mappings":";AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAA6BA,UAAU,EAAEC,oBAAoB,EAAEC,aAAa,QAAQ,gBAAgB;AAEpG,SAA4BC,uBAAuB,QAAQ,sBAAsB;AACjF,SAASC,aAAa,QAAQ,gBAAgB;AAC9C,SAASC,sCAAsC,QAAQ,gBAAgB;AACvE,SAASC,MAAM,QAAQ,cAAc;;AAErC;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,kBAAkB,CAAC;EAC5B;AACJ;AACA;AACA;AACA;;EAGI;;EAMOC,WAAWA;EACd;AACR;AACA;EACgBC,MAAc;EACtB;AACR;AACA;EACgBC,QAAgB;EACxB;AACR;AACA;EACgBC,WAAmB;EAC3B;AACR;AACA;EACkBC,QAAgB;EAC1B;AACR;AACA;AACA;EACyBC,aAA4B,EAC/C;IAAA,KAlBUJ,MAAc,GAAdA,MAAc;IAAA,KAIdC,QAAgB,GAAhBA,QAAgB;IAAA,KAIhBC,WAAmB,GAAnBA,WAAmB;IAAA,KAIjBC,QAAgB,GAAhBA,QAAgB;IAAA,KAKTC,aAA4B,GAA5BA,aAA4B;IAE7C,IAAI,CAACC,eAAe,GAAGC,OAAO,CAACC,OAAO,CAAC,CAAC;EAC5C;;EAEA;AACJ;AACA;AACA;AACA;EACkBC,UAAUA,CAAA,EAAkB;IAAA,IAAAC,KAAA;IAAA,OAAAC,iBAAA;MACtC,IAAI,CAACD,KAAI,CAACE,UAAU,EAAE;QAClB,IAAIF,KAAI,CAACG,WAAW,EAAE;UAClB,OAAOH,KAAI,CAACG,WAAW;QAC3B;QAEAH,KAAI,CAACG,WAAW,GAAGH,KAAI,CAACI,oBAAoB,CAACJ,KAAI,CAACT,MAAM,EAAES,KAAI,CAACR,QAAQ,EAAEQ,KAAI,CAACN,QAAQ,EAAEM,KAAI,CAACP,WAAW,CAAC;QACzG,IAAI;UACA,MAAMO,KAAI,CAACG,WAAW;QAC1B,CAAC,SAAS;UACNH,KAAI,CAACG,WAAW,GAAGE,SAAS;QAChC;MACJ;IAAC;EACL;EAEcD,oBAAoBA,CAC9Bb,MAAc,EACdC,QAAgB,EAChBE,QAAgB,EAChBD,WAAmB,EACN;IAAA,IAAAa,MAAA;IAAA,OAAAL,iBAAA;MACb,IAAI;QAAA,IAAAM,mBAAA;QACA,IAAMC,MAAM,SAASrB,sCAAsC,CAACI,MAAM,CAAC;QAEnE,IAAM
kB,KAAK,GAAGvB,aAAa,CAACQ,QAAQ,CAAC;QAErCY,MAAI,CAACJ,UAAU,GAAG,IAAIpB,UAAU,CAAC;UAC7B4B,QAAQ,EAAEF,MAAM;UAChBG,WAAW,GAAAJ,mBAAA,GAAEC,MAAM,CAACG,WAAW,cAAAJ,mBAAA,cAAAA,mBAAA,GAAIF,SAAS;UAC5CO,SAAS,EAAEpB,QAAQ;UACnBiB,KAAK;UACLI,YAAY,EAAEpB,WAAW;UACzBqB,SAAS,EAAEN,MAAM,CAACjB,MAAM;UACxBwB,UAAU,EAAE,IAAIhC,oBAAoB,CAAC;YAAEiC,MAAM,EAAE,UAAU;YAAEC,KAAK,EAAEC,MAAM,CAACC;UAAe,CAAC;QAC7F,CAAC,CAAC;MACN,CAAC,CAAC,OAAOC,KAAK,EAAE;QACZhC,MAAM,CAACgC,KAAK,CAAC,mCAAmC,EAAEA,KAAK,CAAC;QACxD,MAAM,IAAIC,KAAK,CAAC,mCAAmC,CAAC;MACxD;IAAC;EACL;;EAEA;AACJ;AACA;AACA;AACA;AACA;EACiBC,oBAAoBA,CAACC,YAAoB,EAAyB;IAAA,IAAAC,MAAA;IAAA,OAAAvB,iBAAA;MAC3E,MAAMuB,MAAI,CAACzB,UAAU,CAAC,CAAC;MAEvB,IAAI,CAACyB,MAAI,CAACC,sBAAsB,EAAE;QAC9BD,MAAI,CAACC,sBAAsB,GAAGD,MAAI,CAACE,YAAY,CAACH,YAAY,CAAC;MACjE;MACA,IAAI;QACA,IAAMI,MAAM,SAASH,MAAI,CAACC,sBAAsB;QAChD,OAAOE,MAAM;MACjB,CAAC,CAAC,OAAOC,CAAC,EAAE;QACR;QACA,IAAIA,CAAC,YAAY5C,aAAa,EAAE;UAC5B,MAAM,IAAIC,uBAAuB,CAAC2C,CAAC,CAAC;QACxC;QACA,MAAMA,CAAC;MACX,CAAC,SAAS;QACNJ,MAAI,CAACC,sBAAsB,GAAGpB,SAAS;MAC3C;IAAC;EACL;;EAEA;AACJ;AACA;AACA;AACA;AACA;AACA;AACA;EACoBwB,aAAaA,CAACF,MAAsD,EAAiB;IAAA,OAAA1B,iBAAA;EAErG,CAAC,CADG;EAGUyB,YAAYA,CAACH,YAAoB,EAAyB;IAAA,IAAAO,MAAA;IAAA,OAAA7B,iBAAA;MACpE,IAAI,CAAC6B,MAAI,CAAC5B,UAAU,EAAE;QAClB,MAAM,IAAImB,KAAK,CAAC,yDAAyD,CAAC;MAC9E;MAEA,IAAMU,iBAAiB,GAAG;QACtBC,aAAa,EAAET,YAAY;QAC3BU,aAAa,EAAE,MAAM;QACrBC,IAAI,EAAE7B,SAAS;QACf8B,OAAO,EAAEL,MAAI,CAACnC;MAClB,CAAC;MAED,IAAMyC,YAAY,GAAGC,IAAI,CAACC,GAAG,CAAC,CAAC;MAC/B,IAAMC,QAAQ,SAAST,MAAI,CAAC5B,UAAU,CAACsC,eAAe,CAAC;QACnDC,KAAK,EAAEV,iBAAiB;QACxBW,gBAAgB,EAAE;MACtB,CAAC,CAAC;MAEF,IAAMf,MAAM,GAAG;QACXgB,WAAW,EAAEJ,QAAQ,CAACK,YAAY;QAClCrB,YAAY,EAAEgB,QAAQ,CAACP,aAAa;QACpC;QACAa,MAAM,EAAEN,QAAQ,CAACO,UAAU,GAAG,IAAIT,IAAI,CAACD,YAAY,GAAGG,QAAQ,CAACO,UAAU,GAAG,IAAI,CAAC,GAAGzC;MACxF,CAAwB;MAExB,MAAMyB,MAAI,CAACD,aAAa,CAACF,MAAM,CAAC;MAEhC,OAAOA,MAAM;IAAC;EAClB;AACJ","ignoreList":[]}
@@ -1,3 +1,4 @@
1
+ import _slicedToArray from "@babel/runtime/helpers/slicedToArray";
1
2
  import _defineProperty from "@babel/runtime/helpers/defineProperty";
2
3
  function ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
3
4
  function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys(Object(t), !0).forEach(function (r) { _defineProperty(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
@@ -160,12 +161,12 @@ export class PushProcessor {
160
161
  * @param client - The Matrix client object to use
161
162
  */
162
163
  constructor(client) {
163
- this.client = client;
164
164
  /**
165
165
  * Maps the original key from the push rules to a list of property names
166
166
  * after unescaping.
167
167
  */
168
168
  _defineProperty(this, "parsedKeys", new Map());
169
+ this.client = client;
169
170
  }
170
171
  /**
171
172
  * Convert a list of actions into a object with the actions as keys and their values
@@ -233,7 +234,10 @@ export class PushProcessor {
233
234
  static getPushRuleGlobRegex(pattern) {
234
235
  var alignToWordBoundary = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : false;
235
236
  var flags = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : "i";
236
- var [prefix, suffix] = alignToWordBoundary ? ["(?<=^|\\W)", "(?=\\W|$)"] : ["^", "$"];
237
+ var _ref = alignToWordBoundary ? ["(?<=^|\\W)", "(?=\\W|$)"] : ["^", "$"],
238
+ _ref2 = _slicedToArray(_ref, 2),
239
+ prefix = _ref2[0],
240
+ suffix = _ref2[1];
237
241
  var cacheKey = "".concat(alignToWordBoundary, "-").concat(flags, "-").concat(pattern);
238
242
  if (!PushProcessor.cachedGlobToRegex[cacheKey]) {
239
243
  PushProcessor.cachedGlobToRegex[cacheKey] = new RegExp(prefix + "(" + globToRegexp(pattern) + ")" + suffix, flags);
@@ -653,9 +657,8 @@ export class PushProcessor {
653
657
  * Get the user's push actions for the given event
654
658
  */
655
659
  actionsForEvent(ev) {
656
- var {
657
- actions
658
- } = this.pushActionsForEventAndRulesets(ev, this.client.pushRules);
660
+ var _this$pushActionsForE = this.pushActionsForEventAndRulesets(ev, this.client.pushRules),
661
+ actions = _this$pushActionsForE.actions;
659
662
  return actions || {};
660
663
  }
661
664
  actionsAndRuleForEvent(ev) {