matrix-js-sdk 41.8.0 → 41.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (458) hide show
  1. package/CHANGELOG.md +11 -0
  2. package/README.md +1 -1
  3. package/lib/@types/AESEncryptedSecretStoragePayload.js +3 -1
  4. package/lib/@types/IIdentityServerProvider.js +3 -1
  5. package/lib/@types/PushRules.js +7 -7
  6. package/lib/@types/PushRules.js.map +1 -1
  7. package/lib/@types/auth.js +4 -4
  8. package/lib/@types/auth.js.map +1 -1
  9. package/lib/@types/beacon.js +2 -2
  10. package/lib/@types/beacon.js.map +1 -1
  11. package/lib/@types/common.js +3 -1
  12. package/lib/@types/crypto.js +3 -1
  13. package/lib/@types/event.js +20 -20
  14. package/lib/@types/event.js.map +1 -1
  15. package/lib/@types/events.js +3 -1
  16. package/lib/@types/extensible_events.js +6 -6
  17. package/lib/@types/extensible_events.js.map +1 -1
  18. package/lib/@types/global.d.js.map +1 -1
  19. package/lib/@types/json.js +3 -1
  20. package/lib/@types/local_notifications.js +3 -1
  21. package/lib/@types/location.js +4 -4
  22. package/lib/@types/location.js.map +1 -1
  23. package/lib/@types/matrix-sdk-crypto-wasm.d.js +3 -1
  24. package/lib/@types/media.js +3 -1
  25. package/lib/@types/membership.js +1 -1
  26. package/lib/@types/membership.js.map +1 -1
  27. package/lib/@types/partials.js +6 -6
  28. package/lib/@types/partials.js.map +1 -1
  29. package/lib/@types/polls.js +5 -5
  30. package/lib/@types/polls.js.map +1 -1
  31. package/lib/@types/read_receipts.js +2 -2
  32. package/lib/@types/read_receipts.js.map +1 -1
  33. package/lib/@types/registration.js +3 -1
  34. package/lib/@types/requests.js +1 -1
  35. package/lib/@types/requests.js.map +1 -1
  36. package/lib/@types/retention.js +1 -1
  37. package/lib/@types/retention.js.map +1 -1
  38. package/lib/@types/search.js +1 -1
  39. package/lib/@types/search.js.map +1 -1
  40. package/lib/@types/signed.js +3 -1
  41. package/lib/@types/spaces.js +3 -1
  42. package/lib/@types/state_events.js +3 -1
  43. package/lib/@types/synapse.js +3 -1
  44. package/lib/@types/sync.js +1 -1
  45. package/lib/@types/sync.js.map +1 -1
  46. package/lib/@types/threepids.js +1 -1
  47. package/lib/@types/threepids.js.map +1 -1
  48. package/lib/@types/topic.js +1 -1
  49. package/lib/@types/topic.js.map +1 -1
  50. package/lib/@types/uia.js +3 -1
  51. package/lib/NamespacedValue.js +8 -8
  52. package/lib/NamespacedValue.js.map +1 -1
  53. package/lib/ReEmitter.js +9 -16
  54. package/lib/ReEmitter.js.map +1 -1
  55. package/lib/ToDeviceMessageQueue.js +49 -57
  56. package/lib/ToDeviceMessageQueue.js.map +1 -1
  57. package/lib/autodiscovery.js +232 -247
  58. package/lib/autodiscovery.js.map +1 -1
  59. package/lib/base64.js +1 -1
  60. package/lib/base64.js.map +1 -1
  61. package/lib/browser-index.d.ts +2 -2
  62. package/lib/browser-index.d.ts.map +1 -1
  63. package/lib/browser-index.js +5 -5
  64. package/lib/browser-index.js.map +1 -1
  65. package/lib/capabilityPoller.js +19 -22
  66. package/lib/capabilityPoller.js.map +1 -1
  67. package/lib/client.d.ts +2 -8
  68. package/lib/client.d.ts.map +1 -1
  69. package/lib/client.js +2043 -2487
  70. package/lib/client.js.map +1 -1
  71. package/lib/common-crypto/CryptoBackend.js +2 -2
  72. package/lib/common-crypto/CryptoBackend.js.map +1 -1
  73. package/lib/common-crypto/key-passphrase.js.map +1 -1
  74. package/lib/content-helpers.js +43 -48
  75. package/lib/content-helpers.js.map +1 -1
  76. package/lib/content-repo.js +14 -24
  77. package/lib/content-repo.js.map +1 -1
  78. package/lib/crypto/store/base.js +6 -6
  79. package/lib/crypto/store/base.js.map +1 -1
  80. package/lib/crypto/store/indexeddb-crypto-store-backend.js +190 -238
  81. package/lib/crypto/store/indexeddb-crypto-store-backend.js.map +1 -1
  82. package/lib/crypto/store/indexeddb-crypto-store.js +25 -30
  83. package/lib/crypto/store/indexeddb-crypto-store.js.map +1 -1
  84. package/lib/crypto/store/localStorage-crypto-store.js +113 -145
  85. package/lib/crypto/store/localStorage-crypto-store.js.map +1 -1
  86. package/lib/crypto/store/memory-crypto-store.js +74 -105
  87. package/lib/crypto/store/memory-crypto-store.js.map +1 -1
  88. package/lib/crypto-api/CryptoEvent.js +1 -1
  89. package/lib/crypto-api/CryptoEvent.js.map +1 -1
  90. package/lib/crypto-api/CryptoEventHandlerMap.js +3 -1
  91. package/lib/crypto-api/index.d.ts +15 -6
  92. package/lib/crypto-api/index.d.ts.map +1 -1
  93. package/lib/crypto-api/index.js +22 -22
  94. package/lib/crypto-api/index.js.map +1 -1
  95. package/lib/crypto-api/key-passphrase.js +15 -23
  96. package/lib/crypto-api/key-passphrase.js.map +1 -1
  97. package/lib/crypto-api/keybackup.js +3 -1
  98. package/lib/crypto-api/recovery-key.js +11 -12
  99. package/lib/crypto-api/recovery-key.js.map +1 -1
  100. package/lib/crypto-api/verification.js +3 -3
  101. package/lib/crypto-api/verification.js.map +1 -1
  102. package/lib/digest.js +7 -14
  103. package/lib/digest.js.map +1 -1
  104. package/lib/embedded.d.ts.map +1 -1
  105. package/lib/embedded.js +380 -505
  106. package/lib/embedded.js.map +1 -1
  107. package/lib/errors.js +2 -2
  108. package/lib/errors.js.map +1 -1
  109. package/lib/event-mapper.js +10 -12
  110. package/lib/event-mapper.js.map +1 -1
  111. package/lib/extensible_events_v1/ExtensibleEvent.js.map +1 -1
  112. package/lib/extensible_events_v1/InvalidEventError.js.map +1 -1
  113. package/lib/extensible_events_v1/MessageEvent.js +11 -13
  114. package/lib/extensible_events_v1/MessageEvent.js.map +1 -1
  115. package/lib/extensible_events_v1/PollEndEvent.js +3 -4
  116. package/lib/extensible_events_v1/PollEndEvent.js.map +1 -1
  117. package/lib/extensible_events_v1/PollResponseEvent.js +5 -6
  118. package/lib/extensible_events_v1/PollResponseEvent.js.map +1 -1
  119. package/lib/extensible_events_v1/PollStartEvent.js +8 -10
  120. package/lib/extensible_events_v1/PollStartEvent.js.map +1 -1
  121. package/lib/extensible_events_v1/utilities.js.map +1 -1
  122. package/lib/feature.js +18 -31
  123. package/lib/feature.js.map +1 -1
  124. package/lib/filter-component.d.ts.map +1 -1
  125. package/lib/filter-component.js +20 -26
  126. package/lib/filter-component.js.map +1 -1
  127. package/lib/filter.js +14 -17
  128. package/lib/filter.js.map +1 -1
  129. package/lib/http-api/errors.js +28 -43
  130. package/lib/http-api/errors.js.map +1 -1
  131. package/lib/http-api/fetch.js +141 -159
  132. package/lib/http-api/fetch.js.map +1 -1
  133. package/lib/http-api/index.js +17 -20
  134. package/lib/http-api/index.js.map +1 -1
  135. package/lib/http-api/interface.js +1 -1
  136. package/lib/http-api/interface.js.map +1 -1
  137. package/lib/http-api/method.js +1 -1
  138. package/lib/http-api/method.js.map +1 -1
  139. package/lib/http-api/prefix.js +3 -3
  140. package/lib/http-api/prefix.js.map +1 -1
  141. package/lib/http-api/refresh.js +74 -94
  142. package/lib/http-api/refresh.js.map +1 -1
  143. package/lib/http-api/utils.d.ts +1 -1
  144. package/lib/http-api/utils.d.ts.map +1 -1
  145. package/lib/http-api/utils.js +34 -42
  146. package/lib/http-api/utils.js.map +1 -1
  147. package/lib/index.js.map +1 -1
  148. package/lib/indexeddb-helpers.js +3 -3
  149. package/lib/indexeddb-helpers.js.map +1 -1
  150. package/lib/indexeddb-worker.js.map +1 -1
  151. package/lib/interactive-auth.d.ts +5 -5
  152. package/lib/interactive-auth.d.ts.map +1 -1
  153. package/lib/interactive-auth.js +172 -204
  154. package/lib/interactive-auth.js.map +1 -1
  155. package/lib/logger.js +21 -57
  156. package/lib/logger.js.map +1 -1
  157. package/lib/matrix.js +7 -11
  158. package/lib/matrix.js.map +1 -1
  159. package/lib/matrixrtc/CallMembership.js +80 -74
  160. package/lib/matrixrtc/CallMembership.js.map +1 -1
  161. package/lib/matrixrtc/EncryptionManager.js +1 -1
  162. package/lib/matrixrtc/EncryptionManager.js.map +1 -1
  163. package/lib/matrixrtc/IKeyTransport.js +1 -1
  164. package/lib/matrixrtc/IKeyTransport.js.map +1 -1
  165. package/lib/matrixrtc/IMembershipManager.js +1 -1
  166. package/lib/matrixrtc/IMembershipManager.js.map +1 -1
  167. package/lib/matrixrtc/LivekitTransport.d.ts +1 -1
  168. package/lib/matrixrtc/LivekitTransport.js +4 -4
  169. package/lib/matrixrtc/LivekitTransport.js.map +1 -1
  170. package/lib/matrixrtc/MatrixRTCSession.js +137 -187
  171. package/lib/matrixrtc/MatrixRTCSession.js.map +1 -1
  172. package/lib/matrixrtc/MatrixRTCSessionManager.js +36 -41
  173. package/lib/matrixrtc/MatrixRTCSessionManager.js.map +1 -1
  174. package/lib/matrixrtc/MembershipManager.js +332 -378
  175. package/lib/matrixrtc/MembershipManager.js.map +1 -1
  176. package/lib/matrixrtc/MembershipManagerActionScheduler.js +54 -63
  177. package/lib/matrixrtc/MembershipManagerActionScheduler.js.map +1 -1
  178. package/lib/matrixrtc/RTCEncryptionManager.js +119 -143
  179. package/lib/matrixrtc/RTCEncryptionManager.js.map +1 -1
  180. package/lib/matrixrtc/ToDeviceKeyTransport.js +53 -58
  181. package/lib/matrixrtc/ToDeviceKeyTransport.js.map +1 -1
  182. package/lib/matrixrtc/index.js.map +1 -1
  183. package/lib/matrixrtc/membershipData/common.js +1 -1
  184. package/lib/matrixrtc/membershipData/common.js.map +1 -1
  185. package/lib/matrixrtc/membershipData/index.js.map +1 -1
  186. package/lib/matrixrtc/membershipData/rtc.js +15 -23
  187. package/lib/matrixrtc/membershipData/rtc.js.map +1 -1
  188. package/lib/matrixrtc/membershipData/session.js +4 -5
  189. package/lib/matrixrtc/membershipData/session.js.map +1 -1
  190. package/lib/matrixrtc/types.js +4 -6
  191. package/lib/matrixrtc/types.js.map +1 -1
  192. package/lib/matrixrtc/utils.js +4 -11
  193. package/lib/matrixrtc/utils.js.map +1 -1
  194. package/lib/models/MSC3089Branch.js +91 -116
  195. package/lib/models/MSC3089Branch.js.map +1 -1
  196. package/lib/models/MSC3089TreeSpace.js +209 -245
  197. package/lib/models/MSC3089TreeSpace.js.map +1 -1
  198. package/lib/models/ToDeviceMessage.js +3 -1
  199. package/lib/models/beacon.js +14 -13
  200. package/lib/models/beacon.js.map +1 -1
  201. package/lib/models/compare-event-ordering.js +13 -13
  202. package/lib/models/compare-event-ordering.js.map +1 -1
  203. package/lib/models/device.js +3 -3
  204. package/lib/models/device.js.map +1 -1
  205. package/lib/models/event-context.js +5 -8
  206. package/lib/models/event-context.js.map +1 -1
  207. package/lib/models/event-status.js +1 -1
  208. package/lib/models/event-status.js.map +1 -1
  209. package/lib/models/event-timeline-set.js +88 -94
  210. package/lib/models/event-timeline-set.js.map +1 -1
  211. package/lib/models/event-timeline.js +28 -30
  212. package/lib/models/event-timeline.js.map +1 -1
  213. package/lib/models/event.js +182 -226
  214. package/lib/models/event.js.map +1 -1
  215. package/lib/models/invites-ignorer-types.js +4 -4
  216. package/lib/models/invites-ignorer-types.js.map +1 -1
  217. package/lib/models/invites-ignorer.js +159 -179
  218. package/lib/models/invites-ignorer.js.map +1 -1
  219. package/lib/models/poll.js +71 -81
  220. package/lib/models/poll.js.map +1 -1
  221. package/lib/models/profile-keys.js +2 -2
  222. package/lib/models/profile-keys.js.map +1 -1
  223. package/lib/models/read-receipt.js +40 -56
  224. package/lib/models/read-receipt.js.map +1 -1
  225. package/lib/models/related-relations.js.map +1 -1
  226. package/lib/models/relations-container.js +22 -23
  227. package/lib/models/relations-container.js.map +1 -1
  228. package/lib/models/relations.js +133 -159
  229. package/lib/models/relations.js.map +1 -1
  230. package/lib/models/room-member.js +24 -29
  231. package/lib/models/room-member.js.map +1 -1
  232. package/lib/models/room-receipts.js +29 -43
  233. package/lib/models/room-receipts.js.map +1 -1
  234. package/lib/models/room-retention.js +74 -83
  235. package/lib/models/room-retention.js.map +1 -1
  236. package/lib/models/room-state.js +143 -172
  237. package/lib/models/room-state.js.map +1 -1
  238. package/lib/models/room-sticky-events.d.ts +1 -0
  239. package/lib/models/room-sticky-events.d.ts.map +1 -1
  240. package/lib/models/room-sticky-events.js +45 -65
  241. package/lib/models/room-sticky-events.js.map +1 -1
  242. package/lib/models/room-summary.js.map +1 -1
  243. package/lib/models/room.d.ts.map +1 -1
  244. package/lib/models/room.js +765 -909
  245. package/lib/models/room.js.map +1 -1
  246. package/lib/models/search-result.js +5 -5
  247. package/lib/models/search-result.js.map +1 -1
  248. package/lib/models/thread.js +225 -285
  249. package/lib/models/thread.js.map +1 -1
  250. package/lib/models/typed-event-emitter.js +7 -18
  251. package/lib/models/typed-event-emitter.js.map +1 -1
  252. package/lib/models/user.js +8 -8
  253. package/lib/models/user.js.map +1 -1
  254. package/lib/oidc/authorize.js +208 -241
  255. package/lib/oidc/authorize.js.map +1 -1
  256. package/lib/oidc/discovery.js +23 -36
  257. package/lib/oidc/discovery.js.map +1 -1
  258. package/lib/oidc/error.js +1 -1
  259. package/lib/oidc/error.js.map +1 -1
  260. package/lib/oidc/index.js +1 -0
  261. package/lib/oidc/index.js.map +1 -1
  262. package/lib/oidc/register.js +60 -66
  263. package/lib/oidc/register.js.map +1 -1
  264. package/lib/oidc/tokenRefresher.js +77 -91
  265. package/lib/oidc/tokenRefresher.js.map +1 -1
  266. package/lib/oidc/validate.js +18 -18
  267. package/lib/oidc/validate.js.map +1 -1
  268. package/lib/pushprocessor.js +71 -82
  269. package/lib/pushprocessor.js.map +1 -1
  270. package/lib/randomstring.js +9 -9
  271. package/lib/randomstring.js.map +1 -1
  272. package/lib/realtime-callbacks.js +25 -28
  273. package/lib/realtime-callbacks.js.map +1 -1
  274. package/lib/receipt-accumulator.d.ts +2 -0
  275. package/lib/receipt-accumulator.d.ts.map +1 -1
  276. package/lib/receipt-accumulator.js +14 -22
  277. package/lib/receipt-accumulator.js.map +1 -1
  278. package/lib/rendezvous/MSC4108SignInWithQR.js +271 -302
  279. package/lib/rendezvous/MSC4108SignInWithQR.js.map +1 -1
  280. package/lib/rendezvous/RendezvousChannel.js +3 -1
  281. package/lib/rendezvous/RendezvousCode.js +3 -1
  282. package/lib/rendezvous/RendezvousError.js.map +1 -1
  283. package/lib/rendezvous/RendezvousFailureReason.js +2 -2
  284. package/lib/rendezvous/RendezvousFailureReason.js.map +1 -1
  285. package/lib/rendezvous/RendezvousIntent.js +1 -1
  286. package/lib/rendezvous/RendezvousIntent.js.map +1 -1
  287. package/lib/rendezvous/RendezvousTransport.js +3 -1
  288. package/lib/rendezvous/channels/MSC4108SecureChannel.js +123 -147
  289. package/lib/rendezvous/channels/MSC4108SecureChannel.js.map +1 -1
  290. package/lib/rendezvous/index.js +44 -69
  291. package/lib/rendezvous/index.js.map +1 -1
  292. package/lib/rendezvous/transports/MSC4108RendezvousSession.d.ts +1 -1
  293. package/lib/rendezvous/transports/MSC4108RendezvousSession.js +134 -152
  294. package/lib/rendezvous/transports/MSC4108RendezvousSession.js.map +1 -1
  295. package/lib/retentionPolicy.js +6 -9
  296. package/lib/retentionPolicy.js.map +1 -1
  297. package/lib/room-hierarchy.js +52 -60
  298. package/lib/room-hierarchy.js.map +1 -1
  299. package/lib/rust-crypto/CrossSigningIdentity.js +94 -104
  300. package/lib/rust-crypto/CrossSigningIdentity.js.map +1 -1
  301. package/lib/rust-crypto/DehydratedDeviceManager.js +157 -190
  302. package/lib/rust-crypto/DehydratedDeviceManager.js.map +1 -1
  303. package/lib/rust-crypto/KeyClaimManager.js +18 -22
  304. package/lib/rust-crypto/KeyClaimManager.js.map +1 -1
  305. package/lib/rust-crypto/OutgoingRequestProcessor.js +109 -139
  306. package/lib/rust-crypto/OutgoingRequestProcessor.js.map +1 -1
  307. package/lib/rust-crypto/OutgoingRequestsManager.js +66 -80
  308. package/lib/rust-crypto/OutgoingRequestsManager.js.map +1 -1
  309. package/lib/rust-crypto/PerSessionKeyBackupDownloader.d.ts +1 -1
  310. package/lib/rust-crypto/PerSessionKeyBackupDownloader.js +196 -224
  311. package/lib/rust-crypto/PerSessionKeyBackupDownloader.js.map +1 -1
  312. package/lib/rust-crypto/RoomEncryptor.js +127 -143
  313. package/lib/rust-crypto/RoomEncryptor.js.map +1 -1
  314. package/lib/rust-crypto/backup.js +453 -549
  315. package/lib/rust-crypto/backup.js.map +1 -1
  316. package/lib/rust-crypto/constants.js +1 -1
  317. package/lib/rust-crypto/constants.js.map +1 -1
  318. package/lib/rust-crypto/device-converter.js +15 -28
  319. package/lib/rust-crypto/device-converter.js.map +1 -1
  320. package/lib/rust-crypto/index.js +103 -116
  321. package/lib/rust-crypto/index.js.map +1 -1
  322. package/lib/rust-crypto/libolm_migration.js +303 -365
  323. package/lib/rust-crypto/libolm_migration.js.map +1 -1
  324. package/lib/rust-crypto/rust-crypto.d.ts +5 -1
  325. package/lib/rust-crypto/rust-crypto.d.ts.map +1 -1
  326. package/lib/rust-crypto/rust-crypto.js +1067 -1332
  327. package/lib/rust-crypto/rust-crypto.js.map +1 -1
  328. package/lib/rust-crypto/secret-storage.js +12 -25
  329. package/lib/rust-crypto/secret-storage.js.map +1 -1
  330. package/lib/rust-crypto/verification.js +137 -189
  331. package/lib/rust-crypto/verification.js.map +1 -1
  332. package/lib/scheduler.js +44 -19
  333. package/lib/scheduler.js.map +1 -1
  334. package/lib/secret-storage.js +179 -213
  335. package/lib/secret-storage.js.map +1 -1
  336. package/lib/serverCapabilities.js +6 -9
  337. package/lib/serverCapabilities.js.map +1 -1
  338. package/lib/service-types.js +1 -1
  339. package/lib/service-types.js.map +1 -1
  340. package/lib/sliding-sync-sdk.d.ts.map +1 -1
  341. package/lib/sliding-sync-sdk.js +368 -424
  342. package/lib/sliding-sync-sdk.js.map +1 -1
  343. package/lib/sliding-sync.js +135 -171
  344. package/lib/sliding-sync.js.map +1 -1
  345. package/lib/store/index.js +3 -1
  346. package/lib/store/indexeddb-backend.js +3 -1
  347. package/lib/store/indexeddb-local-backend.js +194 -253
  348. package/lib/store/indexeddb-local-backend.js.map +1 -1
  349. package/lib/store/indexeddb-remote-backend.js +33 -63
  350. package/lib/store/indexeddb-remote-backend.js.map +1 -1
  351. package/lib/store/indexeddb-store-worker.js +22 -23
  352. package/lib/store/indexeddb-store-worker.js.map +1 -1
  353. package/lib/store/indexeddb.js +44 -71
  354. package/lib/store/indexeddb.js.map +1 -1
  355. package/lib/store/local-storage-events-emitter.js +2 -2
  356. package/lib/store/local-storage-events-emitter.js.map +1 -1
  357. package/lib/store/memory.js +34 -57
  358. package/lib/store/memory.js.map +1 -1
  359. package/lib/store/stub.js +22 -35
  360. package/lib/store/stub.js.map +1 -1
  361. package/lib/sync-accumulator.js +54 -66
  362. package/lib/sync-accumulator.js.map +1 -1
  363. package/lib/sync.d.ts.map +1 -1
  364. package/lib/sync.js +905 -998
  365. package/lib/sync.js.map +1 -1
  366. package/lib/testing.js +63 -105
  367. package/lib/testing.js.map +1 -1
  368. package/lib/thread-utils.js +1 -4
  369. package/lib/thread-utils.js.map +1 -1
  370. package/lib/timeline-window.js +89 -102
  371. package/lib/timeline-window.js.map +1 -1
  372. package/lib/types.js +1 -1
  373. package/lib/types.js.map +1 -1
  374. package/lib/utils/decryptAESSecretStorageItem.js +14 -25
  375. package/lib/utils/decryptAESSecretStorageItem.js.map +1 -1
  376. package/lib/utils/encryptAESSecretStorageItem.js +27 -38
  377. package/lib/utils/encryptAESSecretStorageItem.js.map +1 -1
  378. package/lib/utils/internal/deriveKeys.js +25 -32
  379. package/lib/utils/internal/deriveKeys.js.map +1 -1
  380. package/lib/utils/roomVersion.js +1 -1
  381. package/lib/utils/roomVersion.js.map +1 -1
  382. package/lib/utils.js +83 -135
  383. package/lib/utils.js.map +1 -1
  384. package/lib/version-support.js +3 -3
  385. package/lib/version-support.js.map +1 -1
  386. package/lib/webrtc/audioContext.js +5 -6
  387. package/lib/webrtc/audioContext.js.map +1 -1
  388. package/lib/webrtc/call.js +1081 -1250
  389. package/lib/webrtc/call.js.map +1 -1
  390. package/lib/webrtc/callEventHandler.js +202 -214
  391. package/lib/webrtc/callEventHandler.js.map +1 -1
  392. package/lib/webrtc/callEventTypes.js +2 -2
  393. package/lib/webrtc/callEventTypes.js.map +1 -1
  394. package/lib/webrtc/callFeed.js +18 -20
  395. package/lib/webrtc/callFeed.js.map +1 -1
  396. package/lib/webrtc/groupCall.js +513 -602
  397. package/lib/webrtc/groupCall.js.map +1 -1
  398. package/lib/webrtc/groupCallEventHandler.js +59 -62
  399. package/lib/webrtc/groupCallEventHandler.js.map +1 -1
  400. package/lib/webrtc/mediaHandler.js +198 -232
  401. package/lib/webrtc/mediaHandler.js.map +1 -1
  402. package/lib/webrtc/stats/callFeedStatsReporter.js +16 -20
  403. package/lib/webrtc/stats/callFeedStatsReporter.js.map +1 -1
  404. package/lib/webrtc/stats/callStatsReportGatherer.js +67 -75
  405. package/lib/webrtc/stats/callStatsReportGatherer.js.map +1 -1
  406. package/lib/webrtc/stats/callStatsReportSummary.js +3 -1
  407. package/lib/webrtc/stats/connectionStats.js.map +1 -1
  408. package/lib/webrtc/stats/connectionStatsBuilder.js +2 -2
  409. package/lib/webrtc/stats/connectionStatsBuilder.js.map +1 -1
  410. package/lib/webrtc/stats/connectionStatsReportBuilder.js +20 -24
  411. package/lib/webrtc/stats/connectionStatsReportBuilder.js.map +1 -1
  412. package/lib/webrtc/stats/groupCallStats.js +6 -8
  413. package/lib/webrtc/stats/groupCallStats.js.map +1 -1
  414. package/lib/webrtc/stats/media/mediaSsrcHandler.js +7 -8
  415. package/lib/webrtc/stats/media/mediaSsrcHandler.js.map +1 -1
  416. package/lib/webrtc/stats/media/mediaTrackHandler.js +7 -9
  417. package/lib/webrtc/stats/media/mediaTrackHandler.js.map +1 -1
  418. package/lib/webrtc/stats/media/mediaTrackStats.js +3 -3
  419. package/lib/webrtc/stats/media/mediaTrackStats.js.map +1 -1
  420. package/lib/webrtc/stats/media/mediaTrackStatsHandler.js +7 -7
  421. package/lib/webrtc/stats/media/mediaTrackStatsHandler.js.map +1 -1
  422. package/lib/webrtc/stats/statsReport.js +1 -1
  423. package/lib/webrtc/stats/statsReport.js.map +1 -1
  424. package/lib/webrtc/stats/statsReportEmitter.js.map +1 -1
  425. package/lib/webrtc/stats/summaryStatsReportGatherer.js +14 -14
  426. package/lib/webrtc/stats/summaryStatsReportGatherer.js.map +1 -1
  427. package/lib/webrtc/stats/trackStatsBuilder.js +32 -34
  428. package/lib/webrtc/stats/trackStatsBuilder.js.map +1 -1
  429. package/lib/webrtc/stats/transportStats.js +3 -1
  430. package/lib/webrtc/stats/transportStatsBuilder.js +9 -9
  431. package/lib/webrtc/stats/transportStatsBuilder.js.map +1 -1
  432. package/lib/webrtc/stats/valueFormatter.js +1 -1
  433. package/lib/webrtc/stats/valueFormatter.js.map +1 -1
  434. package/package.json +18 -33
  435. package/src/@types/global.d.ts +2 -2
  436. package/src/ToDeviceMessageQueue.ts +2 -2
  437. package/src/browser-index.ts +4 -4
  438. package/src/client.ts +15 -20
  439. package/src/crypto-api/index.ts +17 -6
  440. package/src/embedded.ts +4 -6
  441. package/src/filter-component.ts +1 -0
  442. package/src/http-api/utils.ts +1 -1
  443. package/src/interactive-auth.ts +11 -5
  444. package/src/matrixrtc/LivekitTransport.ts +1 -1
  445. package/src/matrixrtc/MatrixRTCSession.ts +1 -1
  446. package/src/models/MSC3089Branch.ts +1 -1
  447. package/src/models/room-sticky-events.ts +1 -0
  448. package/src/models/room.ts +9 -11
  449. package/src/receipt-accumulator.ts +2 -0
  450. package/src/rendezvous/index.ts +1 -1
  451. package/src/rendezvous/transports/MSC4108RendezvousSession.ts +2 -2
  452. package/src/rust-crypto/PerSessionKeyBackupDownloader.ts +1 -1
  453. package/src/rust-crypto/index.ts +6 -6
  454. package/src/rust-crypto/rust-crypto.ts +31 -7
  455. package/src/rust-crypto/verification.ts +1 -1
  456. package/src/sliding-sync-sdk.ts +5 -7
  457. package/src/store/indexeddb-local-backend.ts +3 -3
  458. package/src/sync.ts +6 -8
@@ -1 +1 @@
1
- {"version":3,"file":"authorize.js","names":["Log","OidcClient","SigninResponse","SigninState","WebStorageStateStore","logger","secureRandomString","OidcError","validateBearerTokenResponse","validateIdToken","validateStoredUserState","sha256","encodeUnpaddedBase64Url","OAuthGrantType","sleep","Method","generateScope","deviceId","safeDeviceId","concat","generateCodeChallenge","_ref","_asyncToGenerator","codeVerifier","globalThis","crypto","subtle","warn","hashBuffer","_x","apply","arguments","generateAuthorizationParams","_ref2","redirectUri","scope","state","nonce","generateAuthorizationUrl","_ref4","authorizationUrl","clientId","_ref3","url","URL","searchParams","append","toString","_x2","_x3","_x4","generateOidcAuthorizationUrl","_ref6","_ref5","metadata","homeserverUrl","identityServerUrl","prompt","urlState","loginHint","_ref5$responseMode","responseMode","oidcClient","_objectSpread","client_id","redirect_uri","authority","issuer","response_mode","response_type","stateStore","prefix","store","window","sessionStorage","userState","request","createSigninRequest","url_state","login_hint","_x5","normalizeBearerTokenResponseTokenType","response","id_token","expires_at","refresh_token","access_token","token_type","completeAuthorizationCodeGrant","_ref7","code","length","undefined","reconstructedUrl","location","origin","params","URLSearchParams","search","hash","setLogger","stateString","get","Error","MissingOrInvalidStoredState","signInState","fromStorageString","client","signinResponse","processSigninResponse","href","settings","normalizedTokenResponse","oidcClientSettings","tokenResponse","idTokenClaims","profile","error","errorType","message","Object","values","includes","CodeExchangeFailed","_x6","_x7","startDeviceAuthorization","_ref9","_ref8","body","device_authorization_endpoint","fetch","method","Post","headers","json","_x8","waitForDeviceAuthorization","_ref1","_ref0","_session$interval","session","interval","expiration","Date","now","expires_in","device_code","grant_type","DeviceAuthorization","token_endpoint","ok","errorResponse","_x9"],"sources":["../../src/oidc/authorize.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport {\n type IdTokenClaims,\n Log,\n OidcClient,\n type SigninRequestCreateArgs,\n SigninResponse,\n SigninState,\n WebStorageStateStore,\n} from \"oidc-client-ts\";\n\nimport { logger } from \"../logger.ts\";\nimport { secureRandomString } from \"../randomstring.ts\";\nimport { OidcError } from \"./error.ts\";\nimport {\n type BearerTokenResponse,\n type UserState,\n validateBearerTokenResponse,\n type ValidatedAuthMetadata,\n validateIdToken,\n validateStoredUserState,\n} from \"./validate.ts\";\nimport { sha256 } from \"../digest.ts\";\nimport { encodeUnpaddedBase64Url } from \"../base64.ts\";\nimport { OAuthGrantType } from \"./register.ts\";\nimport { sleep } from \"../utils.ts\";\nimport { Method } from \"../http-api/index.ts\";\n\n// reexport for backwards compatibility\nexport type { BearerTokenResponse };\n\n/**\n * Authorization parameters which are used in the authentication request of an OIDC auth code flow.\n *\n * See https://openid.net/specs/openid-connect-basic-1_0.html#RequestParameters.\n */\nexport type AuthorizationParams = {\n state: string;\n scope: string;\n redirectUri: string;\n codeVerifier: string;\n nonce: string;\n};\n\n/**\n * @experimental\n * Generate the scope used in authorization request with OIDC OP\n * @returns scope\n */\nexport const generateScope = (deviceId?: string): string => {\n const safeDeviceId = deviceId ?? secureRandomString(10);\n return `openid urn:matrix:org.matrix.msc2967.client:api:* urn:matrix:org.matrix.msc2967.client:device:${safeDeviceId}`;\n};\n\n// https://www.rfc-editor.org/rfc/rfc7636\nconst generateCodeChallenge = async (codeVerifier: string): Promise<string> => {\n if (!globalThis.crypto.subtle) {\n // @TODO(kerrya) should this be allowed? configurable?\n logger.warn(\"A secure context is required to generate code challenge. Using plain text code challenge\");\n return codeVerifier;\n }\n\n const hashBuffer = await sha256(codeVerifier);\n return encodeUnpaddedBase64Url(hashBuffer);\n};\n\n/**\n * Generate authorization params to pass to {@link generateAuthorizationUrl}.\n *\n * Used as part of an authorization code OIDC flow: see https://openid.net/specs/openid-connect-basic-1_0.html#CodeFlow.\n *\n * @param redirectUri - absolute url for OP to redirect to after authorization\n * @returns AuthorizationParams\n */\nexport const generateAuthorizationParams = ({ redirectUri }: { redirectUri: string }): AuthorizationParams => ({\n scope: generateScope(),\n redirectUri,\n state: secureRandomString(8),\n nonce: secureRandomString(8),\n codeVerifier: secureRandomString(64), // https://tools.ietf.org/html/rfc7636#section-4.1 length needs to be 43-128 characters\n});\n\n/**\n * @deprecated use generateOidcAuthorizationUrl\n * Generate a URL to attempt authorization with the OP\n * See https://openid.net/specs/openid-connect-basic-1_0.html#CodeRequest\n * @param authorizationUrl - endpoint to attempt authorization with the OP\n * @param clientId - id of this client as registered with the OP\n * @param authorizationParams - params to be used in the url\n * @returns a Promise with the url as a string\n */\nexport const generateAuthorizationUrl = async (\n authorizationUrl: string,\n clientId: string,\n { scope, redirectUri, state, nonce, codeVerifier }: AuthorizationParams,\n): Promise<string> => {\n const url = new URL(authorizationUrl);\n url.searchParams.append(\"response_mode\", \"query\");\n url.searchParams.append(\"response_type\", \"code\");\n url.searchParams.append(\"redirect_uri\", redirectUri);\n url.searchParams.append(\"client_id\", clientId);\n url.searchParams.append(\"state\", state);\n url.searchParams.append(\"scope\", scope);\n url.searchParams.append(\"nonce\", nonce);\n\n url.searchParams.append(\"code_challenge_method\", \"S256\");\n url.searchParams.append(\"code_challenge\", await generateCodeChallenge(codeVerifier));\n\n return url.toString();\n};\n\n/**\n * @experimental\n * Generate a URL to attempt authorization with the OP\n * See https://openid.net/specs/openid-connect-basic-1_0.html#CodeRequest\n * @param metadata - validated metadata from OP discovery\n * @param clientId - this client's id as registered with the OP\n * @param homeserverUrl - used to establish the session on return from the OP\n * @param identityServerUrl - used to establish the session on return from the OP\n * @param nonce - state\n * @param prompt - indicates to the OP which flow the user should see - eg login or registration\n * See https://openid.net/specs/openid-connect-prompt-create-1_0.html#name-prompt-parameter\n * @param urlState - value to append to the opaque state identifier to uniquely identify the callback\n * @param loginHint - value to send as the `login_hint` to the OP, giving a hint about the login identifier the user might use to log in.\n * See {@link https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest OIDC core 3.1.2.1}.\n * @param responseMode - value to send as the `response_mode` to the OP, selecting how auth is passed back during redirect.\n * See {@link https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest OIDC core 3.1.2.1}.\n * @returns a Promise with the url as a string\n */\nexport const generateOidcAuthorizationUrl = async ({\n metadata,\n redirectUri,\n clientId,\n homeserverUrl,\n identityServerUrl,\n nonce,\n prompt,\n urlState,\n loginHint,\n responseMode = \"query\",\n}: {\n clientId: string;\n metadata: ValidatedAuthMetadata;\n homeserverUrl: string;\n identityServerUrl?: string;\n redirectUri: string;\n nonce: string;\n prompt?: string;\n urlState?: string;\n loginHint?: string;\n responseMode?: SigninRequestCreateArgs[\"response_mode\"];\n}): Promise<string> => {\n const scope = generateScope();\n const oidcClient = new OidcClient({\n ...metadata,\n client_id: clientId,\n redirect_uri: redirectUri,\n authority: metadata.issuer,\n response_mode: responseMode,\n response_type: \"code\",\n scope,\n stateStore: new WebStorageStateStore({ prefix: \"mx_oidc_\", store: window.sessionStorage }),\n });\n const userState: UserState = { homeserverUrl, nonce, identityServerUrl };\n const request = await oidcClient.createSigninRequest({\n state: userState,\n nonce,\n prompt,\n url_state: urlState,\n login_hint: loginHint,\n });\n\n return request.url;\n};\n\n/**\n * Normalize token_type to use capital case to make consuming the token response easier\n * token_type is case insensitive, and it is spec-compliant for OPs to return token_type: \"bearer\"\n * Later, when used in auth headers it is case sensitive and must be Bearer\n * See: https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.4\n *\n * @param response - validated token response\n * @returns response with token_type set to 'Bearer'\n */\nconst normalizeBearerTokenResponseTokenType = (response: SigninResponse): BearerTokenResponse =>\n ({\n id_token: response.id_token,\n scope: response.scope,\n expires_at: response.expires_at,\n refresh_token: response.refresh_token,\n access_token: response.access_token,\n token_type: \"Bearer\",\n }) as BearerTokenResponse;\n\n/**\n * @experimental\n * Attempt to exchange authorization code for bearer token.\n *\n * Takes the authorization code returned by the OpenID Provider via the authorization URL, and makes a\n * request to the Token Endpoint, to obtain the access token, refresh token, etc.\n *\n * @param code - authorization code as returned by OP during authorization\n * @param state - authorization state param as returned by OP during authorization\n * @param responseMode - the response mode used for authentication\n * @returns valid bearer token response\n * @throws An `Error` with `message` set to an entry in {@link OidcError},\n * when the request fails, or the returned token response is invalid.\n */\nexport const completeAuthorizationCodeGrant = async (\n code: string,\n state: string,\n responseMode: SigninRequestCreateArgs[\"response_mode\"] = \"query\",\n): Promise<{\n oidcClientSettings: { clientId: string; issuer: string };\n tokenResponse: BearerTokenResponse;\n homeserverUrl: string;\n idTokenClaims: IdTokenClaims;\n identityServerUrl?: string;\n}> => {\n /**\n * Element Web strips and changes the url on starting the app\n * Use the code and state from query params to rebuild a url\n * so that oidc-client can parse it\n */\n const reconstructedUrl = new URL(window.location.origin);\n\n const params = new URLSearchParams({ code, state });\n if (responseMode === \"query\") {\n reconstructedUrl.search = params.toString();\n } else {\n reconstructedUrl.hash = `#${params.toString()}`;\n }\n\n // set oidc-client to use our logger\n Log.setLogger(logger);\n try {\n const response = new SigninResponse(params);\n\n const stateStore = new WebStorageStateStore({ prefix: \"mx_oidc_\", store: window.sessionStorage });\n\n // retrieve the state we put in storage at the start of oidc auth flow\n const stateString = await stateStore.get(response.state!);\n if (!stateString) {\n throw new Error(OidcError.MissingOrInvalidStoredState);\n }\n\n // hydrate the sign in state and create a client\n // the stored sign in state includes oidc configuration we set at the start of the oidc login flow\n const signInState = await SigninState.fromStorageString(stateString);\n const client = new OidcClient({ ...signInState, stateStore });\n\n // validate the code and state, and attempt to swap the code for tokens\n const signinResponse = await client.processSigninResponse(reconstructedUrl.href);\n\n // extra values we stored at the start of the login flow\n // used to complete login in the client\n const userState = signinResponse.userState;\n validateStoredUserState(userState);\n\n // throws when response is invalid\n validateBearerTokenResponse(signinResponse);\n if (signinResponse.id_token) {\n // The token is not yet in the Matrix spec so consider it optional\n // throws when token is invalid\n validateIdToken(\n signinResponse.id_token,\n client.settings.authority,\n client.settings.client_id,\n userState.nonce,\n );\n }\n const normalizedTokenResponse = normalizeBearerTokenResponseTokenType(signinResponse);\n\n return {\n oidcClientSettings: {\n clientId: client.settings.client_id,\n issuer: client.settings.authority,\n },\n tokenResponse: normalizedTokenResponse,\n homeserverUrl: userState.homeserverUrl,\n identityServerUrl: userState.identityServerUrl,\n idTokenClaims: signinResponse.profile,\n };\n } catch (error) {\n logger.error(\"Oidc login failed\", error);\n const errorType = (error as Error).message;\n\n // rethrow errors that we recognise\n if (Object.values(OidcError).includes(errorType as any)) {\n throw error;\n }\n throw new Error(OidcError.CodeExchangeFailed);\n }\n};\n\n/**\n * Response from the OIDC token endpoint when exchanging a token for grant_type device_code.\n */\nexport interface DeviceAccessTokenResponse {\n id_token?: string;\n access_token: string;\n token_type: string;\n refresh_token?: string;\n scope?: string;\n expires_in?: number;\n session_state?: string;\n}\n\n/**\n * Error from the OIDC token endpoint when exchanging a token for grant_type device_code.\n */\nexport interface DeviceAccessTokenError {\n error: string;\n error_description?: string;\n error_uri?: string;\n session_state?: string;\n}\n\n/**\n * Response from the OIDC device authorization endpoint.\n */\nexport interface DeviceAuthorizationResponse {\n device_code: string;\n user_code: string;\n verification_uri: string;\n verification_uri_complete?: string;\n expires_in: number;\n interval?: number;\n}\n\n/**\n * Begin OIDC device authorization flow.\n * @param options - The device authorization parameters.\n * @param options.clientId - the client ID returned from client registration.\n * @param options.scope - the scope to request for authorization.\n * @param options.metadata - the validated OIDC metadata for the Identity Provider.\n * @returns a promise that resolves to a device access token response,\n * or an error response if the user denies authorization or the device code expires.\n */\nexport const startDeviceAuthorization = async ({\n clientId,\n scope,\n metadata,\n}: {\n clientId: string;\n scope: string;\n metadata: ValidatedAuthMetadata;\n}): Promise<DeviceAuthorizationResponse> => {\n const body = new URLSearchParams({ client_id: clientId, scope: scope }).toString();\n\n const url = metadata.device_authorization_endpoint;\n if (!url) {\n throw new Error(\"No device_authorization_endpoint given\");\n }\n\n const response = await fetch(url, {\n method: Method.Post,\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n },\n body,\n });\n\n return (await response.json()) as DeviceAuthorizationResponse;\n};\n\n/**\n * Polls the OIDC token endpoint until we get a device access token response, or encounter an unrecoverable error.\n * @param options - The device authorization parameters.\n * @param options.session - The session returned from a previous call to {@link startDeviceAuthorization}.\n * @param options.metadata - The validated OIDC metadata for the Identity Provider.\n * @param options.clientId - The client ID returned from client registration.\n * @returns a promise that resolves to a device access token response,\n * or an error response if the user denies authorization or the device code expires.\n */\nexport const waitForDeviceAuthorization = async ({\n session,\n metadata,\n clientId,\n}: {\n session: DeviceAuthorizationResponse;\n metadata: ValidatedAuthMetadata;\n clientId: string;\n}): Promise<DeviceAccessTokenResponse | DeviceAccessTokenError> => {\n let interval = (session.interval ?? 5) * 1000; // poll interval\n const expiration = Date.now() + session.expires_in * 1000;\n do {\n const body = new URLSearchParams({\n device_code: session.device_code,\n grant_type: OAuthGrantType.DeviceAuthorization,\n client_id: clientId,\n }).toString();\n const response = await fetch(metadata.token_endpoint, {\n method: Method.Post,\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body,\n });\n\n if (response.ok) {\n return (await response.json()) as DeviceAccessTokenResponse;\n }\n const errorResponse = (await response.json()) as DeviceAccessTokenError;\n switch (errorResponse.error) {\n case \"authorization_pending\":\n break;\n case \"slow_down\":\n interval += 5000;\n break;\n case \"access_denied\":\n case \"expired_token\":\n return errorResponse;\n }\n await sleep(interval);\n } while (Date.now() < expiration);\n return { error: \"expired\" };\n};\n"],"mappings":";;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAEIA,GAAG,EACHC,UAAU,EAEVC,cAAc,EACdC,WAAW,EACXC,oBAAoB,QACjB,gBAAgB;AAEvB,SAASC,MAAM,QAAQ,cAAc;AACrC,SAASC,kBAAkB,QAAQ,oBAAoB;AACvD,SAASC,SAAS,QAAQ,YAAY;AACtC,SAGIC,2BAA2B,EAE3BC,eAAe,EACfC,uBAAuB,QACpB,eAAe;AACtB,SAASC,MAAM,QAAQ,cAAc;AACrC,SAASC,uBAAuB,QAAQ,cAAc;AACtD,SAASC,cAAc,QAAQ,eAAe;AAC9C,SAASC,KAAK,QAAQ,aAAa;AACnC,SAASC,MAAM,QAAQ,sBAAsB;;AAE7C;;AAGA;AACA;AACA;AACA;AACA;;AASA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,aAAa,GAAIC,QAAiB,IAAa;EACxD,IAAMC,YAAY,GAAGD,QAAQ,aAARA,QAAQ,cAARA,QAAQ,GAAIX,kBAAkB,CAAC,EAAE,CAAC;EACvD,wGAAAa,MAAA,CAAwGD,YAAY;AACxH,CAAC;;AAED;AACA,IAAME,qBAAqB;EAAA,IAAAC,IAAA,GAAAC,iBAAA,CAAG,WAAOC,YAAoB,EAAsB;IAC3E,IAAI,CAACC,UAAU,CAACC,MAAM,CAACC,MAAM,EAAE;MAC3B;MACArB,MAAM,CAACsB,IAAI,CAAC,0FAA0F,CAAC;MACvG,OAAOJ,YAAY;IACvB;IAEA,IAAMK,UAAU,SAASjB,MAAM,CAACY,YAAY,CAAC;IAC7C,OAAOX,uBAAuB,CAACgB,UAAU,CAAC;EAC9C,CAAC;EAAA,gBATKR,qBAAqBA,CAAAS,EAAA;IAAA,OAAAR,IAAA,CAAAS,KAAA,OAAAC,SAAA;EAAA;AAAA,GAS1B;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,2BAA2B,GAAGC,KAAA;EAAA,IAAGC,WAAW,GAAAD,KAAA,CAAXC,WAAW;EAAA,OAAsD;IAC3GC,KAAK,EAAEnB,aAAa,CAAC,CAAC;IACtBkB,WAAW;IACXE,KAAK,EAAE9B,kBAAkB,CAAC,CAAC,CAAC;IAC5B+B,KAAK,EAAE/B,kBAAkB,CAAC,CAAC,CAAC;IAC5BiB,YAAY,EAAEjB,kBAAkB,CAAC,EAAE,CAAC,CAAE;EAC1C,CAAC;AAAA,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMgC,wBAAwB;EAAA,IAAAC,KAAA,GAAAjB,iBAAA,CAAG,WACpCkB,gBAAwB,EACxBC,QAAgB,EAAAC,KAAA,EAEE;IAAA,IADhBP,KAAK,GAAAO,KAAA,CAALP,KAAK;MAAED,WAAW,GAAAQ,KAAA,CAAXR,WAAW;MAAEE,KAAK,GAAAM,KAAA,CAALN,KAAK;MAAEC,KAAK,GAAAK,KAAA,CAALL,KAAK;MAAEd,YAAY,GAAAmB,KAAA,CAAZnB,YAAY;IAEhD,IAAMoB,GAAG,GAAG,IAAIC,GAAG,CAACJ,gBAAgB,CAAC;IACrCG,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,eAAe,EAAE,OAAO,CAAC;IACjDH,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC;IAChDH,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,cAAc,EAAEZ,WAAW,CAAC;IACpDS,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,WAAW,EAAEL,QAAQ,CAAC;IAC9CE,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,OAAO,EAAEV,KAAK,CAAC;IACvCO,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,OAAO,EAAEX,KAAK,CAAC;IACvCQ,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,OAAO,EAAET,KAAK,CAAC;IAEvCM,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC;IACxDH,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,gBAAgB,QAAQ1B,qBAAqB,CAACG,YAAY,CAAC,CAAC;IAEpF,OAAOoB,GAAG,CAACI,QAAQ,CAAC,CAAC;EACzB,CAAC;EAAA,gBAlBYT,wBAAwBA,CAAAU,GAAA,EAAAC,GAAA,EAAAC,GAAA;IAAA,OAAAX,KAAA,CAAAT,KAAA,OAAAC,SAAA;EAAA;AAAA,GAkBpC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMoB,4BAA4B;EAAA,IAAAC,KAAA,GAAA9B,iBAAA,CAAG,WAAA+B,KAAA,EAsBrB;IAAA,IArBnBC,QAAQ,GAAAD,KAAA,CAARC,QAAQ;MACRpB,WAAW,GAAAmB,KAAA,CAAXnB,WAAW;MACXO,QAAQ,GAAAY,KAAA,CAARZ,QAAQ;MACRc,aAAa,GAAAF,KAAA,CAAbE,aAAa;MACbC,iBAAiB,GAAAH,KAAA,CAAjBG,iBAAiB;MACjBnB,KAAK,GAAAgB,KAAA,CAALhB,KAAK;MACLoB,MAAM,GAAAJ,KAAA,CAANI,MAAM;MACNC,QAAQ,GAAAL,KAAA,CAARK,QAAQ;MACRC,SAAS,GAAAN,KAAA,CAATM,SAAS;MAAAC,kBAAA,GAAAP,KAAA,CACTQ,YAAY;MAAZA,YAAY,GAAAD,kBAAA,cAAG,OAAO,GAAAA,kBAAA;IAatB,IAAMzB,KAAK,GAAGnB,aAAa,CAAC,CAAC;IAC7B,IAAM8C,UAAU,GAAG,IAAI7D,UAAU,CAAA8D,aAAA,CAAAA,aAAA,KAC1BT,QAAQ;MACXU,SAAS,EAAEvB,QAAQ;MACnBwB,YAAY,EAAE/B,WAAW;MACzBgC,SAAS,EAAEZ,QAAQ,CAACa,MAAM;MAC1BC,aAAa,EAAEP,YAAY;MAC3BQ,aAAa,EAAE,MAAM;MACrBlC,KAAK;MACLmC,UAAU,EAAE,IAAIlE,oBAAoB,CAAC;QAAEmE,MAAM,EAAE,UAAU;QAAEC,KAAK,EAAEC,MAAM,CAACC;MAAe,CAAC;IAAC,EAC7F,CAAC;IACF,IAAMC,SAAoB,GAAG;MAAEpB,aAAa;MAAElB,KAAK;MAAEmB;IAAkB,CAAC;IACxE,IAAMoB,OAAO,SAASd,UAAU,CAACe,mBAAmB,CAAC;MACjDzC,KAAK,EAAEuC,SAAS;MAChBtC,KAAK;MACLoB,MAAM;MACNqB,SAAS,EAAEpB,QAAQ;MACnBqB,UAAU,EAAEpB;IAChB,CAAC,CAAC;IAEF,OAAOiB,OAAO,CAACjC,GAAG;EACtB,CAAC;EAAA,gBA5CYQ,4BAA4BA,CAAA6B,GAAA;IAAA,OAAA5B,KAAA,CAAAtB,KAAA,OAAAC,SAAA;EAAA;AAAA,GA4CxC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAMkD,qCAAqC,GAAIC,QAAwB,KAClE;EACGC,QAAQ,EAAED,QAAQ,CAACC,QAAQ;EAC3BhD,KAAK,EAAE+C,QAAQ,CAAC/C,KAAK;EACrBiD,UAAU,EAAEF,QAAQ,CAACE,UAAU;EAC/BC,aAAa,EAAEH,QAAQ,CAACG,aAAa;EACrCC,YAAY,EAAEJ,QAAQ,CAACI,YAAY;EACnCC,UAAU,EAAE;AAChB,CAAC,CAAwB;;AAE7B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,8BAA8B;EAAA,IAAAC,KAAA,GAAAnE,iBAAA,CAAG,WAC1CoE,IAAY,EACZtD,KAAa,EAQX;IAAA,IAPFyB,YAAsD,GAAA9B,SAAA,CAAA4D,MAAA,QAAA5D,SAAA,QAAA6D,SAAA,GAAA7D,SAAA,MAAG,OAAO;IAQhE;AACJ;AACA;AACA;AACA;IACI,IAAM8D,gBAAgB,GAAG,IAAIjD,GAAG,CAAC6B,MAAM,CAACqB,QAAQ,CAACC,MAAM,CAAC;IAExD,IAAMC,MAAM,GAAG,IAAIC,eAAe,CAAC;MAAEP,IAAI;MAAEtD;IAAM,CAAC,CAAC;IACnD,IAAIyB,YAAY,KAAK,OAAO,EAAE;MAC1BgC,gBAAgB,CAACK,MAAM,GAAGF,MAAM,CAACjD,QAAQ,CAAC,CAAC;IAC/C,CAAC,MAAM;MACH8C,gBAAgB,CAACM,IAAI,OAAAhF,MAAA,CAAO6E,MAAM,CAACjD,QAAQ,CAAC,CAAC,CAAE;IACnD;;IAEA;IACA/C,GAAG,CAACoG,SAAS,CAAC/F,MAAM,CAAC;IACrB,IAAI;MACA,IAAM6E,QAAQ,GAAG,IAAIhF,cAAc,CAAC8F,MAAM,CAAC;MAE3C,IAAM1B,UAAU,GAAG,IAAIlE,oBAAoB,CAAC;QAAEmE,MAAM,EAAE,UAAU;QAAEC,KAAK,EAAEC,MAAM,CAACC;MAAe,CAAC,CAAC;;MAEjG;MACA,IAAM2B,WAAW,SAAS/B,UAAU,CAACgC,GAAG,CAACpB,QAAQ,CAAC9C,KAAM,CAAC;MACzD,IAAI,CAACiE,WAAW,EAAE;QACd,MAAM,IAAIE,KAAK,CAAChG,SAAS,CAACiG,2BAA2B,CAAC;MAC1D;;MAEA;MACA;MACA,IAAMC,WAAW,SAAStG,WAAW,CAACuG,iBAAiB,CAACL,WAAW,CAAC;MACpE,IAAMM,MAAM,GAAG,IAAI1G,UAAU,CAAA8D,aAAA,CAAAA,aAAA,KAAM0C,WAAW;QAAEnC;MAAU,EAAE,CAAC;;MAE7D;MACA,IAAMsC,cAAc,SAASD,MAAM,CAACE,qBAAqB,CAAChB,gBAAgB,CAACiB,IAAI,CAAC;;MAEhF;MACA;MACA,IAAMnC,SAAS,GAAGiC,cAAc,CAACjC,SAAS;MAC1CjE,uBAAuB,CAACiE,SAAS,CAAC;;MAElC;MACAnE,2BAA2B,CAACoG,cAAc,CAAC;MAC3C,IAAIA,cAAc,CAACzB,QAAQ,EAAE;QACzB;QACA;QACA1E,eAAe,CACXmG,cAAc,CAACzB,QAAQ,EACvBwB,MAAM,CAACI,QAAQ,CAAC7C,SAAS,EACzByC,MAAM,CAACI,QAAQ,CAAC/C,SAAS,EACzBW,SAAS,CAACtC,KACd,CAAC;MACL;MACA,IAAM2E,uBAAuB,GAAG/B,qCAAqC,CAAC2B,cAAc,CAAC;MAErF,OAAO;QACHK,kBAAkB,EAAE;UAChBxE,QAAQ,EAAEkE,MAAM,CAACI,QAAQ,CAAC/C,SAAS;UACnCG,MAAM,EAAEwC,MAAM,CAACI,QAAQ,CAAC7C;QAC5B,CAAC;QACDgD,aAAa,EAAEF,uBAAuB;QACtCzD,aAAa,EAAEoB,SAAS,CAACpB,aAAa;QACtCC,iBAAiB,EAAEmB,SAAS,CAACnB,iBAAiB;QAC9C2D,aAAa,EAAEP,cAAc,CAACQ;MAClC,CAAC;IACL,CAAC,CAAC,OAAOC,KAAK,EAAE;MACZhH,MAAM,CAACgH,KAAK,CAAC,mBAAmB,EAAEA,KAAK,CAAC;MACxC,IAAMC,SAAS,GAAID,KAAK,CAAWE,OAAO;;MAE1C;MACA,IAAIC,MAAM,CAACC,MAAM,CAAClH,SAAS,CAAC,CAACmH,QAAQ,CAACJ,SAAgB,CAAC,EAAE;QACrD,MAAMD,KAAK;MACf;MACA,MAAM,IAAId,KAAK,CAAChG,SAAS,CAACoH,kBAAkB,CAAC;IACjD;EACJ,CAAC;EAAA,gBArFYnC,8BAA8BA,CAAAoC,GAAA,EAAAC,GAAA;IAAA,OAAApC,KAAA,CAAA3D,KAAA,OAAAC,SAAA;EAAA;AAAA,GAqF1C;;AAED;AACA;AACA;;AAWA;AACA;AACA;;AAQA;AACA;AACA;;AAUA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAM+F,wBAAwB;EAAA,IAAAC,KAAA,GAAAzG,iBAAA,CAAG,WAAA0G,KAAA,EAQI;IAAA,IAPxCvF,QAAQ,GAAAuF,KAAA,CAARvF,QAAQ;MACRN,KAAK,GAAA6F,KAAA,CAAL7F,KAAK;MACLmB,QAAQ,GAAA0E,KAAA,CAAR1E,QAAQ;IAMR,IAAM2E,IAAI,GAAG,IAAIhC,eAAe,CAAC;MAAEjC,SAAS,EAAEvB,QAAQ;MAAEN,KAAK,EAAEA;IAAM,CAAC,CAAC,CAACY,QAAQ,CAAC,CAAC;IAElF,IAAMJ,GAAG,GAAGW,QAAQ,CAAC4E,6BAA6B;IAClD,IAAI,CAACvF,GAAG,EAAE;MACN,MAAM,IAAI4D,KAAK,CAAC,wCAAwC,CAAC;IAC7D;IAEA,IAAMrB,QAAQ,SAASiD,KAAK,CAACxF,GAAG,EAAE;MAC9ByF,MAAM,EAAErH,MAAM,CAACsH,IAAI;MACnBC,OAAO,EAAE;QACL,cAAc,EAAE;MACpB,CAAC;MACDL;IACJ,CAAC,CAAC;IAEF,aAAc/C,QAAQ,CAACqD,IAAI,CAAC,CAAC;EACjC,CAAC;EAAA,gBAzBYT,wBAAwBA,CAAAU,GAAA;IAAA,OAAAT,KAAA,CAAAjG,KAAA,OAAAC,SAAA;EAAA;AAAA,GAyBpC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAM0G,0BAA0B;EAAA,IAAAC,KAAA,GAAApH,iBAAA,CAAG,WAAAqH,KAAA,EAQyB;IAAA,IAAAC,iBAAA;IAAA,IAP/DC,OAAO,GAAAF,KAAA,CAAPE,OAAO;MACPvF,QAAQ,GAAAqF,KAAA,CAARrF,QAAQ;MACRb,QAAQ,GAAAkG,KAAA,CAARlG,QAAQ;IAMR,IAAIqG,QAAQ,GAAG,EAAAF,iBAAA,GAACC,OAAO,CAACC,QAAQ,cAAAF,iBAAA,cAAAA,iBAAA,GAAI,CAAC,IAAI,IAAI,CAAC,CAAC;IAC/C,IAAMG,UAAU,GAAGC,IAAI,CAACC,GAAG,CAAC,CAAC,GAAGJ,OAAO,CAACK,UAAU,GAAG,IAAI;IACzD,GAAG;MACC,IAAMjB,IAAI,GAAG,IAAIhC,eAAe,CAAC;QAC7BkD,WAAW,EAAEN,OAAO,CAACM,WAAW;QAChCC,UAAU,EAAEvI,cAAc,CAACwI,mBAAmB;QAC9CrF,SAAS,EAAEvB;MACf,CAAC,CAAC,CAACM,QAAQ,CAAC,CAAC;MACb,IAAMmC,QAAQ,SAASiD,KAAK,CAAC7E,QAAQ,CAACgG,cAAc,EAAE;QAClDlB,MAAM,EAAErH,MAAM,CAACsH,IAAI;QACnBC,OAAO,EAAE;UAAE,cAAc,EAAE;QAAoC,CAAC;QAChEL;MACJ,CAAC,CAAC;MAEF,IAAI/C,QAAQ,CAACqE,EAAE,EAAE;QACb,aAAcrE,QAAQ,CAACqD,IAAI,CAAC,CAAC;MACjC;MACA,IAAMiB,aAAa,SAAUtE,QAAQ,CAACqD,IAAI,CAAC,CAA4B;MACvE,QAAQiB,aAAa,CAACnC,KAAK;QACvB,KAAK,uBAAuB;UACxB;QACJ,KAAK,WAAW;UACZyB,QAAQ,IAAI,IAAI;UAChB;QACJ,KAAK,eAAe;QACpB,KAAK,eAAe;UAChB,OAAOU,aAAa;MAC5B;MACA,MAAM1I,KAAK,CAACgI,QAAQ,CAAC;IACzB,CAAC,QAAQE,IAAI,CAACC,GAAG,CAAC,CAAC,GAAGF,UAAU;IAChC,OAAO;MAAE1B,KAAK,EAAE;IAAU,CAAC;EAC/B,CAAC;EAAA,gBAxCYoB,0BAA0BA,CAAAgB,GAAA;IAAA,OAAAf,KAAA,CAAA5G,KAAA,OAAAC,SAAA;EAAA;AAAA,GAwCtC","ignoreList":[]}
1
+ {"version":3,"file":"authorize.js","names":[],"sources":["../../src/oidc/authorize.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport {\n type IdTokenClaims,\n Log,\n OidcClient,\n type SigninRequestCreateArgs,\n SigninResponse,\n SigninState,\n WebStorageStateStore,\n} from \"oidc-client-ts\";\n\nimport { logger } from \"../logger.ts\";\nimport { secureRandomString } from \"../randomstring.ts\";\nimport { OidcError } from \"./error.ts\";\nimport {\n type BearerTokenResponse,\n type UserState,\n validateBearerTokenResponse,\n type ValidatedAuthMetadata,\n validateIdToken,\n validateStoredUserState,\n} from \"./validate.ts\";\nimport { sha256 } from \"../digest.ts\";\nimport { encodeUnpaddedBase64Url } from \"../base64.ts\";\nimport { OAuthGrantType } from \"./register.ts\";\nimport { sleep } from \"../utils.ts\";\nimport { Method } from \"../http-api/index.ts\";\n\n// reexport for backwards compatibility\nexport type { BearerTokenResponse };\n\n/**\n * Authorization parameters which are used in the authentication request of an OIDC auth code flow.\n *\n * See https://openid.net/specs/openid-connect-basic-1_0.html#RequestParameters.\n */\nexport type AuthorizationParams = {\n state: string;\n scope: string;\n redirectUri: string;\n codeVerifier: string;\n nonce: string;\n};\n\n/**\n * @experimental\n * Generate the scope used in authorization request with OIDC OP\n * @returns scope\n */\nexport const generateScope = (deviceId?: string): string => {\n const safeDeviceId = deviceId ?? secureRandomString(10);\n return `openid urn:matrix:org.matrix.msc2967.client:api:* urn:matrix:org.matrix.msc2967.client:device:${safeDeviceId}`;\n};\n\n// https://www.rfc-editor.org/rfc/rfc7636\nconst generateCodeChallenge = async (codeVerifier: string): Promise<string> => {\n if (!globalThis.crypto.subtle) {\n // @TODO(kerrya) should this be allowed? configurable?\n logger.warn(\"A secure context is required to generate code challenge. Using plain text code challenge\");\n return codeVerifier;\n }\n\n const hashBuffer = await sha256(codeVerifier);\n return encodeUnpaddedBase64Url(hashBuffer);\n};\n\n/**\n * Generate authorization params to pass to {@link generateAuthorizationUrl}.\n *\n * Used as part of an authorization code OIDC flow: see https://openid.net/specs/openid-connect-basic-1_0.html#CodeFlow.\n *\n * @param redirectUri - absolute url for OP to redirect to after authorization\n * @returns AuthorizationParams\n */\nexport const generateAuthorizationParams = ({ redirectUri }: { redirectUri: string }): AuthorizationParams => ({\n scope: generateScope(),\n redirectUri,\n state: secureRandomString(8),\n nonce: secureRandomString(8),\n codeVerifier: secureRandomString(64), // https://tools.ietf.org/html/rfc7636#section-4.1 length needs to be 43-128 characters\n});\n\n/**\n * @deprecated use generateOidcAuthorizationUrl\n * Generate a URL to attempt authorization with the OP\n * See https://openid.net/specs/openid-connect-basic-1_0.html#CodeRequest\n * @param authorizationUrl - endpoint to attempt authorization with the OP\n * @param clientId - id of this client as registered with the OP\n * @param authorizationParams - params to be used in the url\n * @returns a Promise with the url as a string\n */\nexport const generateAuthorizationUrl = async (\n authorizationUrl: string,\n clientId: string,\n { scope, redirectUri, state, nonce, codeVerifier }: AuthorizationParams,\n): Promise<string> => {\n const url = new URL(authorizationUrl);\n url.searchParams.append(\"response_mode\", \"query\");\n url.searchParams.append(\"response_type\", \"code\");\n url.searchParams.append(\"redirect_uri\", redirectUri);\n url.searchParams.append(\"client_id\", clientId);\n url.searchParams.append(\"state\", state);\n url.searchParams.append(\"scope\", scope);\n url.searchParams.append(\"nonce\", nonce);\n\n url.searchParams.append(\"code_challenge_method\", \"S256\");\n url.searchParams.append(\"code_challenge\", await generateCodeChallenge(codeVerifier));\n\n return url.toString();\n};\n\n/**\n * @experimental\n * Generate a URL to attempt authorization with the OP\n * See https://openid.net/specs/openid-connect-basic-1_0.html#CodeRequest\n * @param metadata - validated metadata from OP discovery\n * @param clientId - this client's id as registered with the OP\n * @param homeserverUrl - used to establish the session on return from the OP\n * @param identityServerUrl - used to establish the session on return from the OP\n * @param nonce - state\n * @param prompt - indicates to the OP which flow the user should see - eg login or registration\n * See https://openid.net/specs/openid-connect-prompt-create-1_0.html#name-prompt-parameter\n * @param urlState - value to append to the opaque state identifier to uniquely identify the callback\n * @param loginHint - value to send as the `login_hint` to the OP, giving a hint about the login identifier the user might use to log in.\n * See {@link https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest OIDC core 3.1.2.1}.\n * @param responseMode - value to send as the `response_mode` to the OP, selecting how auth is passed back during redirect.\n * See {@link https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest OIDC core 3.1.2.1}.\n * @returns a Promise with the url as a string\n */\nexport const generateOidcAuthorizationUrl = async ({\n metadata,\n redirectUri,\n clientId,\n homeserverUrl,\n identityServerUrl,\n nonce,\n prompt,\n urlState,\n loginHint,\n responseMode = \"query\",\n}: {\n clientId: string;\n metadata: ValidatedAuthMetadata;\n homeserverUrl: string;\n identityServerUrl?: string;\n redirectUri: string;\n nonce: string;\n prompt?: string;\n urlState?: string;\n loginHint?: string;\n responseMode?: SigninRequestCreateArgs[\"response_mode\"];\n}): Promise<string> => {\n const scope = generateScope();\n const oidcClient = new OidcClient({\n ...metadata,\n client_id: clientId,\n redirect_uri: redirectUri,\n authority: metadata.issuer,\n response_mode: responseMode,\n response_type: \"code\",\n scope,\n stateStore: new WebStorageStateStore({ prefix: \"mx_oidc_\", store: window.sessionStorage }),\n });\n const userState: UserState = { homeserverUrl, nonce, identityServerUrl };\n const request = await oidcClient.createSigninRequest({\n state: userState,\n nonce,\n prompt,\n url_state: urlState,\n login_hint: loginHint,\n });\n\n return request.url;\n};\n\n/**\n * Normalize token_type to use capital case to make consuming the token response easier\n * token_type is case insensitive, and it is spec-compliant for OPs to return token_type: \"bearer\"\n * Later, when used in auth headers it is case sensitive and must be Bearer\n * See: https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.4\n *\n * @param response - validated token response\n * @returns response with token_type set to 'Bearer'\n */\nconst normalizeBearerTokenResponseTokenType = (response: SigninResponse): BearerTokenResponse =>\n ({\n id_token: response.id_token,\n scope: response.scope,\n expires_at: response.expires_at,\n refresh_token: response.refresh_token,\n access_token: response.access_token,\n token_type: \"Bearer\",\n }) as BearerTokenResponse;\n\n/**\n * @experimental\n * Attempt to exchange authorization code for bearer token.\n *\n * Takes the authorization code returned by the OpenID Provider via the authorization URL, and makes a\n * request to the Token Endpoint, to obtain the access token, refresh token, etc.\n *\n * @param code - authorization code as returned by OP during authorization\n * @param state - authorization state param as returned by OP during authorization\n * @param responseMode - the response mode used for authentication\n * @returns valid bearer token response\n * @throws An `Error` with `message` set to an entry in {@link OidcError},\n * when the request fails, or the returned token response is invalid.\n */\nexport const completeAuthorizationCodeGrant = async (\n code: string,\n state: string,\n responseMode: SigninRequestCreateArgs[\"response_mode\"] = \"query\",\n): Promise<{\n oidcClientSettings: { clientId: string; issuer: string };\n tokenResponse: BearerTokenResponse;\n homeserverUrl: string;\n idTokenClaims: IdTokenClaims;\n identityServerUrl?: string;\n}> => {\n /**\n * Element Web strips and changes the url on starting the app\n * Use the code and state from query params to rebuild a url\n * so that oidc-client can parse it\n */\n const reconstructedUrl = new URL(window.location.origin);\n\n const params = new URLSearchParams({ code, state });\n if (responseMode === \"query\") {\n reconstructedUrl.search = params.toString();\n } else {\n reconstructedUrl.hash = `#${params.toString()}`;\n }\n\n // set oidc-client to use our logger\n Log.setLogger(logger);\n try {\n const response = new SigninResponse(params);\n\n const stateStore = new WebStorageStateStore({ prefix: \"mx_oidc_\", store: window.sessionStorage });\n\n // retrieve the state we put in storage at the start of oidc auth flow\n const stateString = await stateStore.get(response.state!);\n if (!stateString) {\n throw new Error(OidcError.MissingOrInvalidStoredState);\n }\n\n // hydrate the sign in state and create a client\n // the stored sign in state includes oidc configuration we set at the start of the oidc login flow\n const signInState = await SigninState.fromStorageString(stateString);\n const client = new OidcClient({ ...signInState, stateStore });\n\n // validate the code and state, and attempt to swap the code for tokens\n const signinResponse = await client.processSigninResponse(reconstructedUrl.href);\n\n // extra values we stored at the start of the login flow\n // used to complete login in the client\n const userState = signinResponse.userState;\n validateStoredUserState(userState);\n\n // throws when response is invalid\n validateBearerTokenResponse(signinResponse);\n if (signinResponse.id_token) {\n // The token is not yet in the Matrix spec so consider it optional\n // throws when token is invalid\n validateIdToken(\n signinResponse.id_token,\n client.settings.authority,\n client.settings.client_id,\n userState.nonce,\n );\n }\n const normalizedTokenResponse = normalizeBearerTokenResponseTokenType(signinResponse);\n\n return {\n oidcClientSettings: {\n clientId: client.settings.client_id,\n issuer: client.settings.authority,\n },\n tokenResponse: normalizedTokenResponse,\n homeserverUrl: userState.homeserverUrl,\n identityServerUrl: userState.identityServerUrl,\n idTokenClaims: signinResponse.profile,\n };\n } catch (error) {\n logger.error(\"Oidc login failed\", error);\n const errorType = (error as Error).message;\n\n // rethrow errors that we recognise\n if (Object.values(OidcError).includes(errorType as any)) {\n throw error;\n }\n throw new Error(OidcError.CodeExchangeFailed);\n }\n};\n\n/**\n * Response from the OIDC token endpoint when exchanging a token for grant_type device_code.\n */\nexport interface DeviceAccessTokenResponse {\n id_token?: string;\n access_token: string;\n token_type: string;\n refresh_token?: string;\n scope?: string;\n expires_in?: number;\n session_state?: string;\n}\n\n/**\n * Error from the OIDC token endpoint when exchanging a token for grant_type device_code.\n */\nexport interface DeviceAccessTokenError {\n error: string;\n error_description?: string;\n error_uri?: string;\n session_state?: string;\n}\n\n/**\n * Response from the OIDC device authorization endpoint.\n */\nexport interface DeviceAuthorizationResponse {\n device_code: string;\n user_code: string;\n verification_uri: string;\n verification_uri_complete?: string;\n expires_in: number;\n interval?: number;\n}\n\n/**\n * Begin OIDC device authorization flow.\n * @param options - The device authorization parameters.\n * @param options.clientId - the client ID returned from client registration.\n * @param options.scope - the scope to request for authorization.\n * @param options.metadata - the validated OIDC metadata for the Identity Provider.\n * @returns a promise that resolves to a device access token response,\n * or an error response if the user denies authorization or the device code expires.\n */\nexport const startDeviceAuthorization = async ({\n clientId,\n scope,\n metadata,\n}: {\n clientId: string;\n scope: string;\n metadata: ValidatedAuthMetadata;\n}): Promise<DeviceAuthorizationResponse> => {\n const body = new URLSearchParams({ client_id: clientId, scope: scope }).toString();\n\n const url = metadata.device_authorization_endpoint;\n if (!url) {\n throw new Error(\"No device_authorization_endpoint given\");\n }\n\n const response = await fetch(url, {\n method: Method.Post,\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n },\n body,\n });\n\n return (await response.json()) as DeviceAuthorizationResponse;\n};\n\n/**\n * Polls the OIDC token endpoint until we get a device access token response, or encounter an unrecoverable error.\n * @param options - The device authorization parameters.\n * @param options.session - The session returned from a previous call to {@link startDeviceAuthorization}.\n * @param options.metadata - The validated OIDC metadata for the Identity Provider.\n * @param options.clientId - The client ID returned from client registration.\n * @returns a promise that resolves to a device access token response,\n * or an error response if the user denies authorization or the device code expires.\n */\nexport const waitForDeviceAuthorization = async ({\n session,\n metadata,\n clientId,\n}: {\n session: DeviceAuthorizationResponse;\n metadata: ValidatedAuthMetadata;\n clientId: string;\n}): Promise<DeviceAccessTokenResponse | DeviceAccessTokenError> => {\n let interval = (session.interval ?? 5) * 1000; // poll interval\n const expiration = Date.now() + session.expires_in * 1000;\n do {\n const body = new URLSearchParams({\n device_code: session.device_code,\n grant_type: OAuthGrantType.DeviceAuthorization,\n client_id: clientId,\n }).toString();\n const response = await fetch(metadata.token_endpoint, {\n method: Method.Post,\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body,\n });\n\n if (response.ok) {\n return (await response.json()) as DeviceAccessTokenResponse;\n }\n const errorResponse = (await response.json()) as DeviceAccessTokenError;\n switch (errorResponse.error) {\n case \"authorization_pending\":\n break;\n case \"slow_down\":\n interval += 5000;\n break;\n case \"access_denied\":\n case \"expired_token\":\n return errorResponse;\n }\n await sleep(interval);\n } while (Date.now() < expiration);\n return { error: \"expired\" };\n};\n"],"mappings":";AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAEI,GAAG,EACH,UAAU,EAEV,cAAc,EACd,WAAW,EACX,oBAAoB,QACjB,gBAAgB;AAEvB,SAAS,MAAM,QAAQ,cAAc;AACrC,SAAS,kBAAkB,QAAQ,oBAAoB;AACvD,SAAS,SAAS,QAAQ,YAAY;AACtC,SAGI,2BAA2B,EAE3B,eAAe,EACf,uBAAuB,QACpB,eAAe;AACtB,SAAS,MAAM,QAAQ,cAAc;AACrC,SAAS,uBAAuB,QAAQ,cAAc;AACtD,SAAS,cAAc,QAAQ,eAAe;AAC9C,SAAS,KAAK,QAAQ,aAAa;AACnC,SAAS,MAAM,QAAQ,sBAAsB;;AAE7C;;AAGA;AACA;AACA;AACA;AACA;;AASA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAM,aAAa,GAAI,QAAiB,IAAa;EACxD,MAAM,YAAY,GAAG,QAAQ,IAAI,kBAAkB,CAAC,EAAE,CAAC;EACvD,OAAO,iGAAiG,YAAY,EAAE;AAC1H,CAAC;;AAED;AACA,MAAM,qBAAqB,GAAG,MAAO,YAAoB,IAAsB;EAC3E,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE;IAC3B;IACA,MAAM,CAAC,IAAI,CAAC,0FAA0F,CAAC;IACvG,OAAO,YAAY;EACvB;EAEA,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC;EAC7C,OAAO,uBAAuB,CAAC,UAAU,CAAC;AAC9C,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAM,2BAA2B,GAAG,CAAC;EAAE;AAAqC,CAAC,MAA2B;EAC3G,KAAK,EAAE,aAAa,CAAC,CAAC;EACtB,WAAW;EACX,KAAK,EAAE,kBAAkB,CAAC,CAAC,CAAC;EAC5B,KAAK,EAAE,kBAAkB,CAAC,CAAC,CAAC;EAC5B,YAAY,EAAE,kBAAkB,CAAC,EAAE,CAAC,CAAE;AAC1C,CAAC,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAM,wBAAwB,GAAG,OACpC,gBAAwB,EACxB,QAAgB,EAChB;EAAE,KAAK;EAAE,WAAW;EAAE,KAAK;EAAE,KAAK;EAAE;AAAkC,CAAC,KACrD;EAClB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,gBAAgB,CAAC;EACrC,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,eAAe,EAAE,OAAO,CAAC;EACjD,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC;EAChD,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,cAAc,EAAE,WAAW,CAAC;EACpD,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,WAAW,EAAE,QAAQ,CAAC;EAC9C,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC;EACvC,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC;EACvC,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC;EAEvC,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC;EACxD,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,gBAAgB,EAAE,MAAM,qBAAqB,CAAC,YAAY,CAAC,CAAC;EAEpF,OAAO,GAAG,CAAC,QAAQ,CAAC,CAAC;AACzB,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAM,4BAA4B,GAAG,OAAO;EAC/C,QAAQ;EACR,WAAW;EACX,QAAQ;EACR,aAAa;EACb,iBAAiB;EACjB,KAAK;EACL,MAAM;EACN,QAAQ;EACR,SAAS;EACT,YAAY,GAAG;AAYnB,CAAC,KAAsB;EACnB,MAAM,KAAK,GAAG,aAAa,CAAC,CAAC;EAC7B,MAAM,UAAU,GAAG,IAAI,UAAU,iCAC1B,QAAQ;IACX,SAAS,EAAE,QAAQ;IACnB,YAAY,EAAE,WAAW;IACzB,SAAS,EAAE,QAAQ,CAAC,MAAM;IAC1B,aAAa,EAAE,YAAY;IAC3B,aAAa,EAAE,MAAM;IACrB,KAAK;IACL,UAAU,EAAE,IAAI,oBAAoB,CAAC;MAAE,MAAM,EAAE,UAAU;MAAE,KAAK,EAAE,MAAM,CAAC;IAAe,CAAC;EAAC,EAC7F,CAAC;EACF,MAAM,SAAoB,GAAG;IAAE,aAAa;IAAE,KAAK;IAAE;EAAkB,CAAC;EACxE,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,mBAAmB,CAAC;IACjD,KAAK,EAAE,SAAS;IAChB,KAAK;IACL,MAAM;IACN,SAAS,EAAE,QAAQ;IACnB,UAAU,EAAE;EAChB,CAAC,CAAC;EAEF,OAAO,OAAO,CAAC,GAAG;AACtB,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAM,qCAAqC,GAAI,QAAwB,KAClE;EACG,QAAQ,EAAE,QAAQ,CAAC,QAAQ;EAC3B,KAAK,EAAE,QAAQ,CAAC,KAAK;EACrB,UAAU,EAAE,QAAQ,CAAC,UAAU;EAC/B,aAAa,EAAE,QAAQ,CAAC,aAAa;EACrC,YAAY,EAAE,QAAQ,CAAC,YAAY;EACnC,UAAU,EAAE;AAChB,CAAC,CAAwB;;AAE7B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAM,8BAA8B,GAAG,OAC1C,IAAY,EACZ,KAAa,EACb,YAAsD,GAAG,OAAO,KAO9D;EACF;AACJ;AACA;AACA;AACA;EACI,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;EAExD,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;IAAE,IAAI;IAAE;EAAM,CAAC,CAAC;EACnD,IAAI,YAAY,KAAK,OAAO,EAAE;IAC1B,gBAAgB,CAAC,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;EAC/C,CAAC,MAAM;IACH,gBAAgB,CAAC,IAAI,GAAG,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE;EACnD;;EAEA;EACA,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC;EACrB,IAAI;IACA,MAAM,QAAQ,GAAG,IAAI,cAAc,CAAC,MAAM,CAAC;IAE3C,MAAM,UAAU,GAAG,IAAI,oBAAoB,CAAC;MAAE,MAAM,EAAE,UAAU;MAAE,KAAK,EAAE,MAAM,CAAC;IAAe,CAAC,CAAC;;IAEjG;IACA,MAAM,WAAW,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAM,CAAC;IACzD,IAAI,CAAC,WAAW,EAAE;MACd,MAAM,IAAI,KAAK,CAAC,SAAS,CAAC,2BAA2B,CAAC;IAC1D;;IAEA;IACA;IACA,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,iBAAiB,CAAC,WAAW,CAAC;IACpE,MAAM,MAAM,GAAG,IAAI,UAAU,iCAAM,WAAW;MAAE;IAAU,EAAE,CAAC;;IAE7D;IACA,MAAM,cAAc,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,gBAAgB,CAAC,IAAI,CAAC;;IAEhF;IACA;IACA,MAAM,SAAS,GAAG,cAAc,CAAC,SAAS;IAC1C,uBAAuB,CAAC,SAAS,CAAC;;IAElC;IACA,2BAA2B,CAAC,cAAc,CAAC;IAC3C,IAAI,cAAc,CAAC,QAAQ,EAAE;MACzB;MACA;MACA,eAAe,CACX,cAAc,CAAC,QAAQ,EACvB,MAAM,CAAC,QAAQ,CAAC,SAAS,EACzB,MAAM,CAAC,QAAQ,CAAC,SAAS,EACzB,SAAS,CAAC,KACd,CAAC;IACL;IACA,MAAM,uBAAuB,GAAG,qCAAqC,CAAC,cAAc,CAAC;IAErF,OAAO;MACH,kBAAkB,EAAE;QAChB,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,SAAS;QACnC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC;MAC5B,CAAC;MACD,aAAa,EAAE,uBAAuB;MACtC,aAAa,EAAE,SAAS,CAAC,aAAa;MACtC,iBAAiB,EAAE,SAAS,CAAC,iBAAiB;MAC9C,aAAa,EAAE,cAAc,CAAC;IAClC,CAAC;EACL,CAAC,CAAC,OAAO,KAAK,EAAE;IACZ,MAAM,CAAC,KAAK,CAAC,mBAAmB,EAAE,KAAK,CAAC;IACxC,MAAM,SAAS,GAAI,KAAK,CAAW,OAAO;;IAE1C;IACA,IAAI,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,SAAgB,CAAC,EAAE;MACrD,MAAM,KAAK;IACf;IACA,MAAM,IAAI,KAAK,CAAC,SAAS,CAAC,kBAAkB,CAAC;EACjD;AACJ,CAAC;;AAED;AACA;AACA;;AAWA;AACA;AACA;;AAQA;AACA;AACA;;AAUA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAM,wBAAwB,GAAG,OAAO;EAC3C,QAAQ;EACR,KAAK;EACL;AAKJ,CAAC,KAA2C;EACxC,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;IAAE,SAAS,EAAE,QAAQ;IAAE,KAAK,EAAE;EAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;EAElF,MAAM,GAAG,GAAG,QAAQ,CAAC,6BAA6B;EAClD,IAAI,CAAC,GAAG,EAAE;IACN,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC;EAC7D;EAEA,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;IAC9B,MAAM,EAAE,MAAM,CAAC,IAAI;IACnB,OAAO,EAAE;MACL,cAAc,EAAE;IACpB,CAAC;IACD;EACJ,CAAC,CAAC;EAEF,OAAQ,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;AACjC,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAM,0BAA0B,GAAG,OAAO;EAC7C,OAAO;EACP,QAAQ;EACR;AAKJ,CAAC,KAAkE;EAC/D,IAAI,QAAQ,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC;EAC/C,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI;EACzD,GAAG;IACC,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;MAC7B,WAAW,EAAE,OAAO,CAAC,WAAW;MAChC,UAAU,EAAE,cAAc,CAAC,mBAAmB;MAC9C,SAAS,EAAE;IACf,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IACb,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,cAAc,EAAE;MAClD,MAAM,EAAE,MAAM,CAAC,IAAI;MACnB,OAAO,EAAE;QAAE,cAAc,EAAE;MAAoC,CAAC;MAChE;IACJ,CAAC,CAAC;IAEF,IAAI,QAAQ,CAAC,EAAE,EAAE;MACb,OAAQ,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;IACjC;IACA,MAAM,aAAa,GAAI,MAAM,QAAQ,CAAC,IAAI,CAAC,CAA4B;IACvE,QAAQ,aAAa,CAAC,KAAK;MACvB,KAAK,uBAAuB;QACxB;MACJ,KAAK,WAAW;QACZ,QAAQ,IAAI,IAAI;QAChB;MACJ,KAAK,eAAe;MACpB,KAAK,eAAe;QAChB,OAAO,aAAa;IAC5B;IACA,MAAM,KAAK,CAAC,QAAQ,CAAC;EACzB,CAAC,QAAQ,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,UAAU;EAChC,OAAO;IAAE,KAAK,EAAE;EAAU,CAAC;AAC/B,CAAC","ignoreList":[]}
@@ -1,7 +1,4 @@
1
- import _defineProperty from "@babel/runtime/helpers/defineProperty";
2
- import _asyncToGenerator from "@babel/runtime/helpers/asyncToGenerator";
3
- function ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
4
- function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys(Object(t), !0).forEach(function (r) { _defineProperty(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
1
+ import _objectSpread from "@babel/runtime/helpers/objectSpread2";
5
2
  /*
6
3
  Copyright 2023 The Matrix.org Foundation C.I.C.
7
4
 
@@ -33,20 +30,15 @@ import { Method, timeoutSignal } from "../http-api/index.js";
33
30
  * @throws when delegated auth config is invalid or unreachable
34
31
  * @deprecated in favour of {@link MatrixClient#getAuthMetadata}
35
32
  */
36
- export var discoverAndValidateOIDCIssuerWellKnown = /*#__PURE__*/function () {
37
- var _ref = _asyncToGenerator(function* (issuer) {
38
- var issuerOpenIdConfigUrl = new URL(".well-known/openid-configuration", issuer);
39
- var issuerWellKnownResponse = yield fetch(issuerOpenIdConfigUrl, {
40
- method: Method.Get,
41
- signal: timeoutSignal(5000)
42
- });
43
- var issuerWellKnown = yield issuerWellKnownResponse.json();
44
- return validateAuthMetadataAndKeys(issuerWellKnown);
33
+ export const discoverAndValidateOIDCIssuerWellKnown = async issuer => {
34
+ const issuerOpenIdConfigUrl = new URL(".well-known/openid-configuration", issuer);
35
+ const issuerWellKnownResponse = await fetch(issuerOpenIdConfigUrl, {
36
+ method: Method.Get,
37
+ signal: timeoutSignal(5000)
45
38
  });
46
- return function discoverAndValidateOIDCIssuerWellKnown(_x) {
47
- return _ref.apply(this, arguments);
48
- };
49
- }();
39
+ const issuerWellKnown = await issuerWellKnownResponse.json();
40
+ return validateAuthMetadataAndKeys(issuerWellKnown);
41
+ };
50
42
 
51
43
  /**
52
44
  * @experimental
@@ -54,25 +46,20 @@ export var discoverAndValidateOIDCIssuerWellKnown = /*#__PURE__*/function () {
54
46
  * @param authMetadata - the authentication metadata to validate
55
47
  * @returns validated authentication metadata and signing keys
56
48
  */
57
- export var validateAuthMetadataAndKeys = /*#__PURE__*/function () {
58
- var _ref2 = _asyncToGenerator(function* (authMetadata) {
59
- var validatedIssuerConfig = validateAuthMetadata(authMetadata);
49
+ export const validateAuthMetadataAndKeys = async authMetadata => {
50
+ const validatedIssuerConfig = validateAuthMetadata(authMetadata);
60
51
 
61
- // create a temporary settings store, so we can use metadata service for discovery
62
- var settings = new OidcClientSettingsStore({
63
- authority: validatedIssuerConfig.issuer,
64
- metadata: validatedIssuerConfig,
65
- redirect_uri: "",
66
- // Not known yet, this is here to make the type checker happy
67
- client_id: "" // Not known yet, this is here to make the type checker happy
68
- });
69
- var metadataService = new MetadataService(settings);
70
- return _objectSpread(_objectSpread({}, validatedIssuerConfig), {}, {
71
- signingKeys: validatedIssuerConfig.jwks_uri ? yield metadataService.getSigningKeys() : null
72
- });
52
+ // create a temporary settings store, so we can use metadata service for discovery
53
+ const settings = new OidcClientSettingsStore({
54
+ authority: validatedIssuerConfig.issuer,
55
+ metadata: validatedIssuerConfig,
56
+ redirect_uri: "",
57
+ // Not known yet, this is here to make the type checker happy
58
+ client_id: "" // Not known yet, this is here to make the type checker happy
73
59
  });
74
- return function validateAuthMetadataAndKeys(_x2) {
75
- return _ref2.apply(this, arguments);
76
- };
77
- }();
60
+ const metadataService = new MetadataService(settings);
61
+ return _objectSpread(_objectSpread({}, validatedIssuerConfig), {}, {
62
+ signingKeys: validatedIssuerConfig.jwks_uri ? await metadataService.getSigningKeys() : null
63
+ });
64
+ };
78
65
  //# sourceMappingURL=discovery.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"discovery.js","names":["MetadataService","OidcClientSettingsStore","validateAuthMetadata","Method","timeoutSignal","discoverAndValidateOIDCIssuerWellKnown","_ref","_asyncToGenerator","issuer","issuerOpenIdConfigUrl","URL","issuerWellKnownResponse","fetch","method","Get","signal","issuerWellKnown","json","validateAuthMetadataAndKeys","_x","apply","arguments","_ref2","authMetadata","validatedIssuerConfig","settings","authority","metadata","redirect_uri","client_id","metadataService","_objectSpread","signingKeys","jwks_uri","getSigningKeys","_x2"],"sources":["../../src/oidc/discovery.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { MetadataService, OidcClientSettingsStore } from \"oidc-client-ts\";\n\nimport { validateAuthMetadata } from \"./validate.ts\";\nimport { Method, timeoutSignal } from \"../http-api/index.ts\";\nimport { type OidcClientConfig } from \"./index.ts\";\n\n/**\n * @experimental\n * Discover and validate delegated auth configuration\n * - delegated auth issuer openid-configuration is reachable\n * - delegated auth issuer openid-configuration is configured correctly for us\n * Fetches https://oidc-issuer.example.com/.well-known/openid-configuration and other files linked therein.\n * When successful, validated metadata is returned\n * @param issuer - the OIDC issuer as returned by the /auth_issuer API\n * @returns validated authentication metadata and optionally signing keys\n * @throws when delegated auth config is invalid or unreachable\n * @deprecated in favour of {@link MatrixClient#getAuthMetadata}\n */\nexport const discoverAndValidateOIDCIssuerWellKnown = async (issuer: string): Promise<OidcClientConfig> => {\n const issuerOpenIdConfigUrl = new URL(\".well-known/openid-configuration\", issuer);\n const issuerWellKnownResponse = await fetch(issuerOpenIdConfigUrl, {\n method: Method.Get,\n signal: timeoutSignal(5000),\n });\n const issuerWellKnown = await issuerWellKnownResponse.json();\n return validateAuthMetadataAndKeys(issuerWellKnown);\n};\n\n/**\n * @experimental\n * Validate the authentication metadata and fetch the signing keys from the jwks_uri in the metadata\n * @param authMetadata - the authentication metadata to validate\n * @returns validated authentication metadata and signing keys\n */\nexport const validateAuthMetadataAndKeys = async (authMetadata: unknown): Promise<OidcClientConfig> => {\n const validatedIssuerConfig = validateAuthMetadata(authMetadata);\n\n // create a temporary settings store, so we can use metadata service for discovery\n const settings = new OidcClientSettingsStore({\n authority: validatedIssuerConfig.issuer,\n metadata: validatedIssuerConfig,\n redirect_uri: \"\", // Not known yet, this is here to make the type checker happy\n client_id: \"\", // Not known yet, this is here to make the type checker happy\n });\n const metadataService = new MetadataService(settings);\n\n return {\n ...validatedIssuerConfig,\n signingKeys: validatedIssuerConfig.jwks_uri ? await metadataService.getSigningKeys() : null,\n };\n};\n"],"mappings":";;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAASA,eAAe,EAAEC,uBAAuB,QAAQ,gBAAgB;AAEzE,SAASC,oBAAoB,QAAQ,eAAe;AACpD,SAASC,MAAM,EAAEC,aAAa,QAAQ,sBAAsB;AAG5D;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,sCAAsC;EAAA,IAAAC,IAAA,GAAAC,iBAAA,CAAG,WAAOC,MAAc,EAAgC;IACvG,IAAMC,qBAAqB,GAAG,IAAIC,GAAG,CAAC,kCAAkC,EAAEF,MAAM,CAAC;IACjF,IAAMG,uBAAuB,SAASC,KAAK,CAACH,qBAAqB,EAAE;MAC/DI,MAAM,EAAEV,MAAM,CAACW,GAAG;MAClBC,MAAM,EAAEX,aAAa,CAAC,IAAI;IAC9B,CAAC,CAAC;IACF,IAAMY,eAAe,SAASL,uBAAuB,CAACM,IAAI,CAAC,CAAC;IAC5D,OAAOC,2BAA2B,CAACF,eAAe,CAAC;EACvD,CAAC;EAAA,gBARYX,sCAAsCA,CAAAc,EAAA;IAAA,OAAAb,IAAA,CAAAc,KAAA,OAAAC,SAAA;EAAA;AAAA,GAQlD;;AAED;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMH,2BAA2B;EAAA,IAAAI,KAAA,GAAAf,iBAAA,CAAG,WAAOgB,YAAqB,EAAgC;IACnG,IAAMC,qBAAqB,GAAGtB,oBAAoB,CAACqB,YAAY,CAAC;;IAEhE;IACA,IAAME,QAAQ,GAAG,IAAIxB,uBAAuB,CAAC;MACzCyB,SAAS,EAAEF,qBAAqB,CAAChB,MAAM;MACvCmB,QAAQ,EAAEH,qBAAqB;MAC/BI,YAAY,EAAE,EAAE;MAAE;MAClBC,SAAS,EAAE,EAAE,CAAE;IACnB,CAAC,CAAC;IACF,IAAMC,eAAe,GAAG,IAAI9B,eAAe,CAACyB,QAAQ,CAAC;IAErD,OAAAM,aAAA,CAAAA,aAAA,KACOP,qBAAqB;MACxBQ,WAAW,EAAER,qBAAqB,CAACS,QAAQ,SAASH,eAAe,CAACI,cAAc,CAAC,CAAC,GAAG;IAAI;EAEnG,CAAC;EAAA,gBAhBYhB,2BAA2BA,CAAAiB,GAAA;IAAA,OAAAb,KAAA,CAAAF,KAAA,OAAAC,SAAA;EAAA;AAAA,GAgBvC","ignoreList":[]}
1
+ {"version":3,"file":"discovery.js","names":[],"sources":["../../src/oidc/discovery.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { MetadataService, OidcClientSettingsStore } from \"oidc-client-ts\";\n\nimport { validateAuthMetadata } from \"./validate.ts\";\nimport { Method, timeoutSignal } from \"../http-api/index.ts\";\nimport { type OidcClientConfig } from \"./index.ts\";\n\n/**\n * @experimental\n * Discover and validate delegated auth configuration\n * - delegated auth issuer openid-configuration is reachable\n * - delegated auth issuer openid-configuration is configured correctly for us\n * Fetches https://oidc-issuer.example.com/.well-known/openid-configuration and other files linked therein.\n * When successful, validated metadata is returned\n * @param issuer - the OIDC issuer as returned by the /auth_issuer API\n * @returns validated authentication metadata and optionally signing keys\n * @throws when delegated auth config is invalid or unreachable\n * @deprecated in favour of {@link MatrixClient#getAuthMetadata}\n */\nexport const discoverAndValidateOIDCIssuerWellKnown = async (issuer: string): Promise<OidcClientConfig> => {\n const issuerOpenIdConfigUrl = new URL(\".well-known/openid-configuration\", issuer);\n const issuerWellKnownResponse = await fetch(issuerOpenIdConfigUrl, {\n method: Method.Get,\n signal: timeoutSignal(5000),\n });\n const issuerWellKnown = await issuerWellKnownResponse.json();\n return validateAuthMetadataAndKeys(issuerWellKnown);\n};\n\n/**\n * @experimental\n * Validate the authentication metadata and fetch the signing keys from the jwks_uri in the metadata\n * @param authMetadata - the authentication metadata to validate\n * @returns validated authentication metadata and signing keys\n */\nexport const validateAuthMetadataAndKeys = async (authMetadata: unknown): Promise<OidcClientConfig> => {\n const validatedIssuerConfig = validateAuthMetadata(authMetadata);\n\n // create a temporary settings store, so we can use metadata service for discovery\n const settings = new OidcClientSettingsStore({\n authority: validatedIssuerConfig.issuer,\n metadata: validatedIssuerConfig,\n redirect_uri: \"\", // Not known yet, this is here to make the type checker happy\n client_id: \"\", // Not known yet, this is here to make the type checker happy\n });\n const metadataService = new MetadataService(settings);\n\n return {\n ...validatedIssuerConfig,\n signingKeys: validatedIssuerConfig.jwks_uri ? await metadataService.getSigningKeys() : null,\n };\n};\n"],"mappings":";AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAAS,eAAe,EAAE,uBAAuB,QAAQ,gBAAgB;AAEzE,SAAS,oBAAoB,QAAQ,eAAe;AACpD,SAAS,MAAM,EAAE,aAAa,QAAQ,sBAAsB;AAG5D;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAM,sCAAsC,GAAG,MAAO,MAAc,IAAgC;EACvG,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC,kCAAkC,EAAE,MAAM,CAAC;EACjF,MAAM,uBAAuB,GAAG,MAAM,KAAK,CAAC,qBAAqB,EAAE;IAC/D,MAAM,EAAE,MAAM,CAAC,GAAG;IAClB,MAAM,EAAE,aAAa,CAAC,IAAI;EAC9B,CAAC,CAAC;EACF,MAAM,eAAe,GAAG,MAAM,uBAAuB,CAAC,IAAI,CAAC,CAAC;EAC5D,OAAO,2BAA2B,CAAC,eAAe,CAAC;AACvD,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAM,2BAA2B,GAAG,MAAO,YAAqB,IAAgC;EACnG,MAAM,qBAAqB,GAAG,oBAAoB,CAAC,YAAY,CAAC;;EAEhE;EACA,MAAM,QAAQ,GAAG,IAAI,uBAAuB,CAAC;IACzC,SAAS,EAAE,qBAAqB,CAAC,MAAM;IACvC,QAAQ,EAAE,qBAAqB;IAC/B,YAAY,EAAE,EAAE;IAAE;IAClB,SAAS,EAAE,EAAE,CAAE;EACnB,CAAC,CAAC;EACF,MAAM,eAAe,GAAG,IAAI,eAAe,CAAC,QAAQ,CAAC;EAErD,uCACO,qBAAqB;IACxB,WAAW,EAAE,qBAAqB,CAAC,QAAQ,GAAG,MAAM,eAAe,CAAC,cAAc,CAAC,CAAC,GAAG;EAAI;AAEnG,CAAC","ignoreList":[]}
package/lib/oidc/error.js CHANGED
@@ -18,7 +18,7 @@ limitations under the License.
18
18
  * Errors expected to be encountered during OIDC discovery, client registration, and authentication.
19
19
  * Not intended to be displayed directly to the user.
20
20
  */
21
- export var OidcError = /*#__PURE__*/function (OidcError) {
21
+ export let OidcError = /*#__PURE__*/function (OidcError) {
22
22
  OidcError["NotSupported"] = "OIDC authentication not supported";
23
23
  OidcError["Misconfigured"] = "OIDC is misconfigured";
24
24
  OidcError["General"] = "Something went wrong with OIDC discovery";
@@ -1 +1 @@
1
- {"version":3,"file":"error.js","names":["OidcError"],"sources":["../../src/oidc/error.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\n/**\n * Errors expected to be encountered during OIDC discovery, client registration, and authentication.\n * Not intended to be displayed directly to the user.\n */\nexport enum OidcError {\n NotSupported = \"OIDC authentication not supported\",\n Misconfigured = \"OIDC is misconfigured\",\n General = \"Something went wrong with OIDC discovery\",\n OpSupport = \"Configured OIDC OP does not support required functions\",\n DynamicRegistrationNotSupported = \"Dynamic registration not supported\",\n DynamicRegistrationFailed = \"Dynamic registration failed\",\n DynamicRegistrationInvalid = \"Dynamic registration invalid response\",\n CodeExchangeFailed = \"Failed to exchange code for token\",\n InvalidBearerTokenResponse = \"Invalid bearer token response\",\n InvalidIdToken = \"Invalid ID token\",\n MissingOrInvalidStoredState = \"State required to finish logging in is not found in storage.\",\n}\n"],"mappings":"AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA;AACA;AACA;AACA;AACA,WAAYA,SAAS,0BAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAAA,OAATA,SAAS;AAAA","ignoreList":[]}
1
+ {"version":3,"file":"error.js","names":[],"sources":["../../src/oidc/error.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\n/**\n * Errors expected to be encountered during OIDC discovery, client registration, and authentication.\n * Not intended to be displayed directly to the user.\n */\nexport enum OidcError {\n NotSupported = \"OIDC authentication not supported\",\n Misconfigured = \"OIDC is misconfigured\",\n General = \"Something went wrong with OIDC discovery\",\n OpSupport = \"Configured OIDC OP does not support required functions\",\n DynamicRegistrationNotSupported = \"Dynamic registration not supported\",\n DynamicRegistrationFailed = \"Dynamic registration failed\",\n DynamicRegistrationInvalid = \"Dynamic registration invalid response\",\n CodeExchangeFailed = \"Failed to exchange code for token\",\n InvalidBearerTokenResponse = \"Invalid bearer token response\",\n InvalidIdToken = \"Invalid ID token\",\n MissingOrInvalidStoredState = \"State required to finish logging in is not found in storage.\",\n}\n"],"mappings":"AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA;AACA;AACA;AACA;AACA,WAAY,SAAS,0BAAT,SAAS;EAAT,SAAS;EAAT,SAAS;EAAT,SAAS;EAAT,SAAS;EAAT,SAAS;EAAT,SAAS;EAAT,SAAS;EAAT,SAAS;EAAT,SAAS;EAAT,SAAS;EAAT,SAAS;EAAA,OAAT,SAAS;AAAA","ignoreList":[]}
package/lib/oidc/index.js CHANGED
@@ -26,4 +26,5 @@ export * from "./validate.js";
26
26
  * Contains metadata and signing keys from the issuer's well-known (https://oidc-issuer.example.com/.well-known/openid-configuration).
27
27
  */
28
28
  export {};
29
+ export {};
29
30
  //# sourceMappingURL=index.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","names":[],"sources":["../../src/oidc/index.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport type { SigningKey } from \"oidc-client-ts\";\nimport { type ValidatedAuthMetadata } from \"./validate.ts\";\n\nexport * from \"./authorize.ts\";\nexport * from \"./discovery.ts\";\nexport * from \"./error.ts\";\nexport * from \"./register.ts\";\nexport * from \"./tokenRefresher.ts\";\nexport * from \"./validate.ts\";\n\n/**\n * Validated config for native OIDC authentication, as returned by {@link discoverAndValidateOIDCIssuerWellKnown}.\n * Contains metadata and signing keys from the issuer's well-known (https://oidc-issuer.example.com/.well-known/openid-configuration).\n */\nexport interface OidcClientConfig extends ValidatedAuthMetadata {\n signingKeys: SigningKey[] | null;\n}\n"],"mappings":"AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAKA,cAAc,gBAAgB;AAC9B,cAAc,gBAAgB;AAC9B,cAAc,YAAY;AAC1B,cAAc,eAAe;AAC7B,cAAc,qBAAqB;AACnC,cAAc,eAAe;;AAE7B;AACA;AACA;AACA;AAHA","ignoreList":[]}
1
+ {"version":3,"file":"index.js","names":[],"sources":["../../src/oidc/index.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport type { SigningKey } from \"oidc-client-ts\";\nimport { type ValidatedAuthMetadata } from \"./validate.ts\";\n\nexport * from \"./authorize.ts\";\nexport * from \"./discovery.ts\";\nexport * from \"./error.ts\";\nexport * from \"./register.ts\";\nexport * from \"./tokenRefresher.ts\";\nexport * from \"./validate.ts\";\n\n/**\n * Validated config for native OIDC authentication, as returned by {@link discoverAndValidateOIDCIssuerWellKnown}.\n * Contains metadata and signing keys from the issuer's well-known (https://oidc-issuer.example.com/.well-known/openid-configuration).\n */\nexport interface OidcClientConfig extends ValidatedAuthMetadata {\n signingKeys: SigningKey[] | null;\n}\n"],"mappings":"AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAKA,cAAc,gBAAgB;AAC9B,cAAc,gBAAgB;AAC9B,cAAc,YAAY;AAC1B,cAAc,eAAe;AAC7B,cAAc,qBAAqB;AACnC,cAAc,eAAe;;AAE7B;AACA;AACA;AACA;AAHA;AAAA","ignoreList":[]}
@@ -1,4 +1,3 @@
1
- import _asyncToGenerator from "@babel/runtime/helpers/asyncToGenerator";
2
1
  /*
3
2
  Copyright 2023 The Matrix.org Foundation C.I.C.
4
3
 
@@ -30,7 +29,7 @@ import { logger } from "../logger.js";
30
29
  /**
31
30
  * The OAuth 2.0 grant types that are defined for Matrix in https://spec.matrix.org/v1.17/client-server-api/#grant-types
32
31
  */
33
- export var OAuthGrantType = /*#__PURE__*/function (OAuthGrantType) {
32
+ export let OAuthGrantType = /*#__PURE__*/function (OAuthGrantType) {
34
33
  /**
35
34
  * See https://spec.matrix.org/v1.17/client-server-api/#authorization-code-grant
36
35
  */
@@ -55,14 +54,14 @@ export var OAuthGrantType = /*#__PURE__*/function (OAuthGrantType) {
55
54
  *
56
55
  * @deprecated use `OAuthGrantType.DeviceAuthorization` instead
57
56
  */
58
- export var DEVICE_CODE_SCOPE = OAuthGrantType.DeviceAuthorization;
57
+ export const DEVICE_CODE_SCOPE = OAuthGrantType.DeviceAuthorization;
59
58
 
60
59
  // Check that URIs have a common base, as per the MSC2966 definition
61
- var urlHasCommonBase = (base, urlStr) => {
60
+ const urlHasCommonBase = (base, urlStr) => {
62
61
  if (!urlStr) return false;
63
- var url = new URL(urlStr);
62
+ const url = new URL(urlStr);
64
63
  if (url.protocol !== base.protocol) return false;
65
- if (url.hostname !== base.hostname && !url.hostname.endsWith(".".concat(base.hostname))) return false;
64
+ if (url.hostname !== base.hostname && !url.hostname.endsWith(`.${base.hostname}`)) return false;
66
65
  return true;
67
66
  };
68
67
 
@@ -74,67 +73,62 @@ var urlHasCommonBase = (base, urlStr) => {
74
73
  * @returns Promise<string> resolved with registered clientId
75
74
  * @throws when registration is not supported, on failed request or invalid response
76
75
  */
77
- export var registerOidcClient = /*#__PURE__*/function () {
78
- var _ref = _asyncToGenerator(function* (delegatedAuthConfig, clientMetadata) {
79
- if (!delegatedAuthConfig.registration_endpoint) {
80
- throw new Error(OidcError.DynamicRegistrationNotSupported);
81
- }
82
- var grantTypes = [OAuthGrantType.AuthorizationCode, OAuthGrantType.RefreshToken];
83
- if (grantTypes.some(scope => !delegatedAuthConfig.grant_types_supported.includes(scope))) {
84
- throw new Error(OidcError.DynamicRegistrationNotSupported);
85
- }
76
+ export const registerOidcClient = async (delegatedAuthConfig, clientMetadata) => {
77
+ if (!delegatedAuthConfig.registration_endpoint) {
78
+ throw new Error(OidcError.DynamicRegistrationNotSupported);
79
+ }
80
+ const grantTypes = [OAuthGrantType.AuthorizationCode, OAuthGrantType.RefreshToken];
81
+ if (grantTypes.some(scope => !delegatedAuthConfig.grant_types_supported.includes(scope))) {
82
+ throw new Error(OidcError.DynamicRegistrationNotSupported);
83
+ }
86
84
 
87
- // ask for device authorization grant if supported
88
- if (delegatedAuthConfig.grant_types_supported.includes(OAuthGrantType.DeviceAuthorization)) {
89
- grantTypes.push(OAuthGrantType.DeviceAuthorization);
90
- }
91
- var commonBase = new URL(clientMetadata.clientUri);
85
+ // ask for device authorization grant if supported
86
+ if (delegatedAuthConfig.grant_types_supported.includes(OAuthGrantType.DeviceAuthorization)) {
87
+ grantTypes.push(OAuthGrantType.DeviceAuthorization);
88
+ }
89
+ const commonBase = new URL(clientMetadata.clientUri);
92
90
 
93
- // https://openid.net/specs/openid-connect-registration-1_0.html
94
- var metadata = {
95
- client_name: clientMetadata.clientName,
96
- client_uri: clientMetadata.clientUri,
97
- response_types: ["code"],
98
- grant_types: grantTypes,
99
- redirect_uris: clientMetadata.redirectUris,
100
- id_token_signed_response_alg: "RS256",
101
- token_endpoint_auth_method: "none",
102
- application_type: clientMetadata.applicationType,
103
- contacts: clientMetadata.contacts,
104
- logo_uri: urlHasCommonBase(commonBase, clientMetadata.logoUri) ? clientMetadata.logoUri : undefined,
105
- policy_uri: urlHasCommonBase(commonBase, clientMetadata.policyUri) ? clientMetadata.policyUri : undefined,
106
- tos_uri: urlHasCommonBase(commonBase, clientMetadata.tosUri) ? clientMetadata.tosUri : undefined
107
- };
108
- var headers = {
109
- "Accept": "application/json",
110
- "Content-Type": "application/json"
111
- };
112
- try {
113
- var response = yield fetch(delegatedAuthConfig.registration_endpoint, {
114
- method: Method.Post,
115
- headers,
116
- body: JSON.stringify(metadata)
117
- });
118
- if (response.status >= 400) {
119
- throw new Error(OidcError.DynamicRegistrationFailed);
120
- }
121
- var body = yield response.json();
122
- var clientId = body["client_id"];
123
- if (!clientId || typeof clientId !== "string") {
124
- throw new Error(OidcError.DynamicRegistrationInvalid);
125
- }
126
- return clientId;
127
- } catch (error) {
128
- if (Object.values(OidcError).includes(error.message)) {
129
- throw error;
130
- } else {
131
- logger.error("Dynamic registration request failed", error);
132
- throw new Error(OidcError.DynamicRegistrationFailed);
133
- }
134
- }
135
- });
136
- return function registerOidcClient(_x, _x2) {
137
- return _ref.apply(this, arguments);
91
+ // https://openid.net/specs/openid-connect-registration-1_0.html
92
+ const metadata = {
93
+ client_name: clientMetadata.clientName,
94
+ client_uri: clientMetadata.clientUri,
95
+ response_types: ["code"],
96
+ grant_types: grantTypes,
97
+ redirect_uris: clientMetadata.redirectUris,
98
+ id_token_signed_response_alg: "RS256",
99
+ token_endpoint_auth_method: "none",
100
+ application_type: clientMetadata.applicationType,
101
+ contacts: clientMetadata.contacts,
102
+ logo_uri: urlHasCommonBase(commonBase, clientMetadata.logoUri) ? clientMetadata.logoUri : undefined,
103
+ policy_uri: urlHasCommonBase(commonBase, clientMetadata.policyUri) ? clientMetadata.policyUri : undefined,
104
+ tos_uri: urlHasCommonBase(commonBase, clientMetadata.tosUri) ? clientMetadata.tosUri : undefined
105
+ };
106
+ const headers = {
107
+ "Accept": "application/json",
108
+ "Content-Type": "application/json"
138
109
  };
139
- }();
110
+ try {
111
+ const response = await fetch(delegatedAuthConfig.registration_endpoint, {
112
+ method: Method.Post,
113
+ headers,
114
+ body: JSON.stringify(metadata)
115
+ });
116
+ if (response.status >= 400) {
117
+ throw new Error(OidcError.DynamicRegistrationFailed);
118
+ }
119
+ const body = await response.json();
120
+ const clientId = body["client_id"];
121
+ if (!clientId || typeof clientId !== "string") {
122
+ throw new Error(OidcError.DynamicRegistrationInvalid);
123
+ }
124
+ return clientId;
125
+ } catch (error) {
126
+ if (Object.values(OidcError).includes(error.message)) {
127
+ throw error;
128
+ } else {
129
+ logger.error("Dynamic registration request failed", error);
130
+ throw new Error(OidcError.DynamicRegistrationFailed);
131
+ }
132
+ }
133
+ };
140
134
  //# sourceMappingURL=register.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"register.js","names":["OidcError","Method","logger","OAuthGrantType","DEVICE_CODE_SCOPE","DeviceAuthorization","urlHasCommonBase","base","urlStr","url","URL","protocol","hostname","endsWith","concat","registerOidcClient","_ref","_asyncToGenerator","delegatedAuthConfig","clientMetadata","registration_endpoint","Error","DynamicRegistrationNotSupported","grantTypes","AuthorizationCode","RefreshToken","some","scope","grant_types_supported","includes","push","commonBase","clientUri","metadata","client_name","clientName","client_uri","response_types","grant_types","redirect_uris","redirectUris","id_token_signed_response_alg","token_endpoint_auth_method","application_type","applicationType","contacts","logo_uri","logoUri","undefined","policy_uri","policyUri","tos_uri","tosUri","headers","response","fetch","method","Post","body","JSON","stringify","status","DynamicRegistrationFailed","json","clientId","DynamicRegistrationInvalid","error","Object","values","message","_x","_x2","apply","arguments"],"sources":["../../src/oidc/register.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { type OidcClientConfig } from \"./index.ts\";\nimport { OidcError } from \"./error.ts\";\nimport { Method } from \"../http-api/index.ts\";\nimport { logger } from \"../logger.ts\";\nimport { type NonEmptyArray } from \"../@types/common.ts\";\n\n/**\n * Client metadata passed to registration endpoint\n */\nexport type OidcRegistrationClientMetadata = {\n clientName: OidcRegistrationRequestBody[\"client_name\"];\n clientUri: OidcRegistrationRequestBody[\"client_uri\"];\n logoUri?: OidcRegistrationRequestBody[\"logo_uri\"];\n applicationType: OidcRegistrationRequestBody[\"application_type\"];\n redirectUris: OidcRegistrationRequestBody[\"redirect_uris\"];\n contacts: OidcRegistrationRequestBody[\"contacts\"];\n tosUri: OidcRegistrationRequestBody[\"tos_uri\"];\n policyUri: OidcRegistrationRequestBody[\"policy_uri\"];\n};\n\n/**\n * Request body for dynamic registration as defined by https://github.com/matrix-org/matrix-spec-proposals/pull/2966\n */\ninterface OidcRegistrationRequestBody {\n client_name?: string;\n client_uri: string;\n logo_uri?: string;\n contacts?: string[];\n tos_uri?: string;\n policy_uri?: string;\n redirect_uris?: NonEmptyArray<string>;\n response_types?: NonEmptyArray<string>;\n grant_types?: NonEmptyArray<string>;\n id_token_signed_response_alg?: string;\n token_endpoint_auth_method: string;\n application_type: \"web\" | \"native\";\n}\n\n/**\n * The OAuth 2.0 grant types that are defined for Matrix in https://spec.matrix.org/v1.17/client-server-api/#grant-types\n */\nexport enum OAuthGrantType {\n /**\n * See https://spec.matrix.org/v1.17/client-server-api/#authorization-code-grant\n */\n AuthorizationCode = \"authorization_code\",\n /**\n * https://spec.matrix.org/v1.17/client-server-api/#refresh-token-grant\n */\n RefreshToken = \"refresh_token\",\n /**\n * The OAuth 2.0 Device Authorization Grant type identifier as per\n * https://www.rfc-editor.org/rfc/rfc8628.html#section-7.2 from\n * [MSC4341](https://github.com/matrix-org/matrix-spec-proposals/pull/4341).\n *\n * @experimental Note that this is UNSTABLE and may have breaking changes without notice.\n */\n DeviceAuthorization = \"urn:ietf:params:oauth:grant-type:device_code\",\n}\n\n/**\n * The name \"scope\" is a misnomer here as it is actually a \"grant type\".\n *\n * @deprecated use `OAuthGrantType.DeviceAuthorization` instead\n */\nexport const DEVICE_CODE_SCOPE: string = OAuthGrantType.DeviceAuthorization;\n\n// Check that URIs have a common base, as per the MSC2966 definition\nconst urlHasCommonBase = (base: URL, urlStr?: string): boolean => {\n if (!urlStr) return false;\n const url = new URL(urlStr);\n if (url.protocol !== base.protocol) return false;\n if (url.hostname !== base.hostname && !url.hostname.endsWith(`.${base.hostname}`)) return false;\n return true;\n};\n\n/**\n * Attempts dynamic registration against the configured registration endpoint.\n * Will ignore any URIs that do not use client_uri as a common base as per the spec.\n * @param delegatedAuthConfig - Auth config from {@link discoverAndValidateOIDCIssuerWellKnown}\n * @param clientMetadata - The metadata for the client which to register\n * @returns Promise<string> resolved with registered clientId\n * @throws when registration is not supported, on failed request or invalid response\n */\nexport const registerOidcClient = async (\n delegatedAuthConfig: OidcClientConfig,\n clientMetadata: OidcRegistrationClientMetadata,\n): Promise<string> => {\n if (!delegatedAuthConfig.registration_endpoint) {\n throw new Error(OidcError.DynamicRegistrationNotSupported);\n }\n\n const grantTypes: NonEmptyArray<string> = [OAuthGrantType.AuthorizationCode, OAuthGrantType.RefreshToken];\n if (grantTypes.some((scope) => !delegatedAuthConfig.grant_types_supported.includes(scope))) {\n throw new Error(OidcError.DynamicRegistrationNotSupported);\n }\n\n // ask for device authorization grant if supported\n if (delegatedAuthConfig.grant_types_supported.includes(OAuthGrantType.DeviceAuthorization)) {\n grantTypes.push(OAuthGrantType.DeviceAuthorization);\n }\n\n const commonBase = new URL(clientMetadata.clientUri);\n\n // https://openid.net/specs/openid-connect-registration-1_0.html\n const metadata: OidcRegistrationRequestBody = {\n client_name: clientMetadata.clientName,\n client_uri: clientMetadata.clientUri,\n response_types: [\"code\"],\n grant_types: grantTypes,\n redirect_uris: clientMetadata.redirectUris,\n id_token_signed_response_alg: \"RS256\",\n token_endpoint_auth_method: \"none\",\n application_type: clientMetadata.applicationType,\n contacts: clientMetadata.contacts,\n logo_uri: urlHasCommonBase(commonBase, clientMetadata.logoUri) ? clientMetadata.logoUri : undefined,\n policy_uri: urlHasCommonBase(commonBase, clientMetadata.policyUri) ? clientMetadata.policyUri : undefined,\n tos_uri: urlHasCommonBase(commonBase, clientMetadata.tosUri) ? clientMetadata.tosUri : undefined,\n };\n\n const headers = {\n \"Accept\": \"application/json\",\n \"Content-Type\": \"application/json\",\n };\n\n try {\n const response = await fetch(delegatedAuthConfig.registration_endpoint, {\n method: Method.Post,\n headers,\n body: JSON.stringify(metadata),\n });\n\n if (response.status >= 400) {\n throw new Error(OidcError.DynamicRegistrationFailed);\n }\n\n const body = await response.json();\n const clientId = body[\"client_id\"];\n if (!clientId || typeof clientId !== \"string\") {\n throw new Error(OidcError.DynamicRegistrationInvalid);\n }\n\n return clientId;\n } catch (error) {\n if (Object.values(OidcError).includes((error as Error).message as OidcError)) {\n throw error;\n } else {\n logger.error(\"Dynamic registration request failed\", error);\n throw new Error(OidcError.DynamicRegistrationFailed);\n }\n }\n};\n"],"mappings":";AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAGA,SAASA,SAAS,QAAQ,YAAY;AACtC,SAASC,MAAM,QAAQ,sBAAsB;AAC7C,SAASC,MAAM,QAAQ,cAAc;;AAGrC;AACA;AACA;;AAYA;AACA;AACA;;AAgBA;AACA;AACA;AACA,WAAYC,cAAc,0BAAdA,cAAc;EACtB;AACJ;AACA;EAHYA,cAAc;EAKtB;AACJ;AACA;EAPYA,cAAc;EAStB;AACJ;AACA;AACA;AACA;AACA;AACA;EAfYA,cAAc;EAAA,OAAdA,cAAc;AAAA;;AAmB1B;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,iBAAyB,GAAGD,cAAc,CAACE,mBAAmB;;AAE3E;AACA,IAAMC,gBAAgB,GAAGA,CAACC,IAAS,EAAEC,MAAe,KAAc;EAC9D,IAAI,CAACA,MAAM,EAAE,OAAO,KAAK;EACzB,IAAMC,GAAG,GAAG,IAAIC,GAAG,CAACF,MAAM,CAAC;EAC3B,IAAIC,GAAG,CAACE,QAAQ,KAAKJ,IAAI,CAACI,QAAQ,EAAE,OAAO,KAAK;EAChD,IAAIF,GAAG,CAACG,QAAQ,KAAKL,IAAI,CAACK,QAAQ,IAAI,CAACH,GAAG,CAACG,QAAQ,CAACC,QAAQ,KAAAC,MAAA,CAAKP,IAAI,CAACK,QAAQ,CAAE,CAAC,EAAE,OAAO,KAAK;EAC/F,OAAO,IAAI;AACf,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMG,kBAAkB;EAAA,IAAAC,IAAA,GAAAC,iBAAA,CAAG,WAC9BC,mBAAqC,EACrCC,cAA8C,EAC5B;IAClB,IAAI,CAACD,mBAAmB,CAACE,qBAAqB,EAAE;MAC5C,MAAM,IAAIC,KAAK,CAACrB,SAAS,CAACsB,+BAA+B,CAAC;IAC9D;IAEA,IAAMC,UAAiC,GAAG,CAACpB,cAAc,CAACqB,iBAAiB,EAAErB,cAAc,CAACsB,YAAY,CAAC;IACzG,IAAIF,UAAU,CAACG,IAAI,CAAEC,KAAK,IAAK,CAACT,mBAAmB,CAACU,qBAAqB,CAACC,QAAQ,CAACF,KAAK,CAAC,CAAC,EAAE;MACxF,MAAM,IAAIN,KAAK,CAACrB,SAAS,CAACsB,+BAA+B,CAAC;IAC9D;;IAEA;IACA,IAAIJ,mBAAmB,CAACU,qBAAqB,CAACC,QAAQ,CAAC1B,cAAc,CAACE,mBAAmB,CAAC,EAAE;MACxFkB,UAAU,CAACO,IAAI,CAAC3B,cAAc,CAACE,mBAAmB,CAAC;IACvD;IAEA,IAAM0B,UAAU,GAAG,IAAIrB,GAAG,CAACS,cAAc,CAACa,SAAS,CAAC;;IAEpD;IACA,IAAMC,QAAqC,GAAG;MAC1CC,WAAW,EAAEf,cAAc,CAACgB,UAAU;MACtCC,UAAU,EAAEjB,cAAc,CAACa,SAAS;MACpCK,cAAc,EAAE,CAAC,MAAM,CAAC;MACxBC,WAAW,EAAEf,UAAU;MACvBgB,aAAa,EAAEpB,cAAc,CAACqB,YAAY;MAC1CC,4BAA4B,EAAE,OAAO;MACrCC,0BAA0B,EAAE,MAAM;MAClCC,gBAAgB,EAAExB,cAAc,CAACyB,eAAe;MAChDC,QAAQ,EAAE1B,cAAc,CAAC0B,QAAQ;MACjCC,QAAQ,EAAExC,gBAAgB,CAACyB,UAAU,EAAEZ,cAAc,CAAC4B,OAAO,CAAC,GAAG5B,cAAc,CAAC4B,OAAO,GAAGC,SAAS;MACnGC,UAAU,EAAE3C,gBAAgB,CAACyB,UAAU,EAAEZ,cAAc,CAAC+B,SAAS,CAAC,GAAG/B,cAAc,CAAC+B,SAAS,GAAGF,SAAS;MACzGG,OAAO,EAAE7C,gBAAgB,CAACyB,UAAU,EAAEZ,cAAc,CAACiC,MAAM,CAAC,GAAGjC,cAAc,CAACiC,MAAM,GAAGJ;IAC3F,CAAC;IAED,IAAMK,OAAO,GAAG;MACZ,QAAQ,EAAE,kBAAkB;MAC5B,cAAc,EAAE;IACpB,CAAC;IAED,IAAI;MACA,IAAMC,QAAQ,SAASC,KAAK,CAACrC,mBAAmB,CAACE,qBAAqB,EAAE;QACpEoC,MAAM,EAAEvD,MAAM,CAACwD,IAAI;QACnBJ,OAAO;QACPK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC3B,QAAQ;MACjC,CAAC,CAAC;MAEF,IAAIqB,QAAQ,CAACO,MAAM,IAAI,GAAG,EAAE;QACxB,MAAM,IAAIxC,KAAK,CAACrB,SAAS,CAAC8D,yBAAyB,CAAC;MACxD;MAEA,IAAMJ,IAAI,SAASJ,QAAQ,CAACS,IAAI,CAAC,CAAC;MAClC,IAAMC,QAAQ,GAAGN,IAAI,CAAC,WAAW,CAAC;MAClC,IAAI,CAACM,QAAQ,IAAI,OAAOA,QAAQ,KAAK,QAAQ,EAAE;QAC3C,MAAM,IAAI3C,KAAK,CAACrB,SAAS,CAACiE,0BAA0B,CAAC;MACzD;MAEA,OAAOD,QAAQ;IACnB,CAAC,CAAC,OAAOE,KAAK,EAAE;MACZ,IAAIC,MAAM,CAACC,MAAM,CAACpE,SAAS,CAAC,CAAC6B,QAAQ,CAAEqC,KAAK,CAAWG,OAAoB,CAAC,EAAE;QAC1E,MAAMH,KAAK;MACf,CAAC,MAAM;QACHhE,MAAM,CAACgE,KAAK,CAAC,qCAAqC,EAAEA,KAAK,CAAC;QAC1D,MAAM,IAAI7C,KAAK,CAACrB,SAAS,CAAC8D,yBAAyB,CAAC;MACxD;IACJ;EACJ,CAAC;EAAA,gBAnEY/C,kBAAkBA,CAAAuD,EAAA,EAAAC,GAAA;IAAA,OAAAvD,IAAA,CAAAwD,KAAA,OAAAC,SAAA;EAAA;AAAA,GAmE9B","ignoreList":[]}
1
+ {"version":3,"file":"register.js","names":[],"sources":["../../src/oidc/register.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { type OidcClientConfig } from \"./index.ts\";\nimport { OidcError } from \"./error.ts\";\nimport { Method } from \"../http-api/index.ts\";\nimport { logger } from \"../logger.ts\";\nimport { type NonEmptyArray } from \"../@types/common.ts\";\n\n/**\n * Client metadata passed to registration endpoint\n */\nexport type OidcRegistrationClientMetadata = {\n clientName: OidcRegistrationRequestBody[\"client_name\"];\n clientUri: OidcRegistrationRequestBody[\"client_uri\"];\n logoUri?: OidcRegistrationRequestBody[\"logo_uri\"];\n applicationType: OidcRegistrationRequestBody[\"application_type\"];\n redirectUris: OidcRegistrationRequestBody[\"redirect_uris\"];\n contacts: OidcRegistrationRequestBody[\"contacts\"];\n tosUri: OidcRegistrationRequestBody[\"tos_uri\"];\n policyUri: OidcRegistrationRequestBody[\"policy_uri\"];\n};\n\n/**\n * Request body for dynamic registration as defined by https://github.com/matrix-org/matrix-spec-proposals/pull/2966\n */\ninterface OidcRegistrationRequestBody {\n client_name?: string;\n client_uri: string;\n logo_uri?: string;\n contacts?: string[];\n tos_uri?: string;\n policy_uri?: string;\n redirect_uris?: NonEmptyArray<string>;\n response_types?: NonEmptyArray<string>;\n grant_types?: NonEmptyArray<string>;\n id_token_signed_response_alg?: string;\n token_endpoint_auth_method: string;\n application_type: \"web\" | \"native\";\n}\n\n/**\n * The OAuth 2.0 grant types that are defined for Matrix in https://spec.matrix.org/v1.17/client-server-api/#grant-types\n */\nexport enum OAuthGrantType {\n /**\n * See https://spec.matrix.org/v1.17/client-server-api/#authorization-code-grant\n */\n AuthorizationCode = \"authorization_code\",\n /**\n * https://spec.matrix.org/v1.17/client-server-api/#refresh-token-grant\n */\n RefreshToken = \"refresh_token\",\n /**\n * The OAuth 2.0 Device Authorization Grant type identifier as per\n * https://www.rfc-editor.org/rfc/rfc8628.html#section-7.2 from\n * [MSC4341](https://github.com/matrix-org/matrix-spec-proposals/pull/4341).\n *\n * @experimental Note that this is UNSTABLE and may have breaking changes without notice.\n */\n DeviceAuthorization = \"urn:ietf:params:oauth:grant-type:device_code\",\n}\n\n/**\n * The name \"scope\" is a misnomer here as it is actually a \"grant type\".\n *\n * @deprecated use `OAuthGrantType.DeviceAuthorization` instead\n */\nexport const DEVICE_CODE_SCOPE: string = OAuthGrantType.DeviceAuthorization;\n\n// Check that URIs have a common base, as per the MSC2966 definition\nconst urlHasCommonBase = (base: URL, urlStr?: string): boolean => {\n if (!urlStr) return false;\n const url = new URL(urlStr);\n if (url.protocol !== base.protocol) return false;\n if (url.hostname !== base.hostname && !url.hostname.endsWith(`.${base.hostname}`)) return false;\n return true;\n};\n\n/**\n * Attempts dynamic registration against the configured registration endpoint.\n * Will ignore any URIs that do not use client_uri as a common base as per the spec.\n * @param delegatedAuthConfig - Auth config from {@link discoverAndValidateOIDCIssuerWellKnown}\n * @param clientMetadata - The metadata for the client which to register\n * @returns Promise<string> resolved with registered clientId\n * @throws when registration is not supported, on failed request or invalid response\n */\nexport const registerOidcClient = async (\n delegatedAuthConfig: OidcClientConfig,\n clientMetadata: OidcRegistrationClientMetadata,\n): Promise<string> => {\n if (!delegatedAuthConfig.registration_endpoint) {\n throw new Error(OidcError.DynamicRegistrationNotSupported);\n }\n\n const grantTypes: NonEmptyArray<string> = [OAuthGrantType.AuthorizationCode, OAuthGrantType.RefreshToken];\n if (grantTypes.some((scope) => !delegatedAuthConfig.grant_types_supported.includes(scope))) {\n throw new Error(OidcError.DynamicRegistrationNotSupported);\n }\n\n // ask for device authorization grant if supported\n if (delegatedAuthConfig.grant_types_supported.includes(OAuthGrantType.DeviceAuthorization)) {\n grantTypes.push(OAuthGrantType.DeviceAuthorization);\n }\n\n const commonBase = new URL(clientMetadata.clientUri);\n\n // https://openid.net/specs/openid-connect-registration-1_0.html\n const metadata: OidcRegistrationRequestBody = {\n client_name: clientMetadata.clientName,\n client_uri: clientMetadata.clientUri,\n response_types: [\"code\"],\n grant_types: grantTypes,\n redirect_uris: clientMetadata.redirectUris,\n id_token_signed_response_alg: \"RS256\",\n token_endpoint_auth_method: \"none\",\n application_type: clientMetadata.applicationType,\n contacts: clientMetadata.contacts,\n logo_uri: urlHasCommonBase(commonBase, clientMetadata.logoUri) ? clientMetadata.logoUri : undefined,\n policy_uri: urlHasCommonBase(commonBase, clientMetadata.policyUri) ? clientMetadata.policyUri : undefined,\n tos_uri: urlHasCommonBase(commonBase, clientMetadata.tosUri) ? clientMetadata.tosUri : undefined,\n };\n\n const headers = {\n \"Accept\": \"application/json\",\n \"Content-Type\": \"application/json\",\n };\n\n try {\n const response = await fetch(delegatedAuthConfig.registration_endpoint, {\n method: Method.Post,\n headers,\n body: JSON.stringify(metadata),\n });\n\n if (response.status >= 400) {\n throw new Error(OidcError.DynamicRegistrationFailed);\n }\n\n const body = await response.json();\n const clientId = body[\"client_id\"];\n if (!clientId || typeof clientId !== \"string\") {\n throw new Error(OidcError.DynamicRegistrationInvalid);\n }\n\n return clientId;\n } catch (error) {\n if (Object.values(OidcError).includes((error as Error).message as OidcError)) {\n throw error;\n } else {\n logger.error(\"Dynamic registration request failed\", error);\n throw new Error(OidcError.DynamicRegistrationFailed);\n }\n }\n};\n"],"mappings":"AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAGA,SAAS,SAAS,QAAQ,YAAY;AACtC,SAAS,MAAM,QAAQ,sBAAsB;AAC7C,SAAS,MAAM,QAAQ,cAAc;;AAGrC;AACA;AACA;;AAYA;AACA;AACA;;AAgBA;AACA;AACA;AACA,WAAY,cAAc,0BAAd,cAAc;EACtB;AACJ;AACA;EAHY,cAAc;EAKtB;AACJ;AACA;EAPY,cAAc;EAStB;AACJ;AACA;AACA;AACA;AACA;AACA;EAfY,cAAc;EAAA,OAAd,cAAc;AAAA;;AAmB1B;AACA;AACA;AACA;AACA;AACA,OAAO,MAAM,iBAAyB,GAAG,cAAc,CAAC,mBAAmB;;AAE3E;AACA,MAAM,gBAAgB,GAAG,CAAC,IAAS,EAAE,MAAe,KAAc;EAC9D,IAAI,CAAC,MAAM,EAAE,OAAO,KAAK;EACzB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC;EAC3B,IAAI,GAAG,CAAC,QAAQ,KAAK,IAAI,CAAC,QAAQ,EAAE,OAAO,KAAK;EAChD,IAAI,GAAG,CAAC,QAAQ,KAAK,IAAI,CAAC,QAAQ,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC,EAAE,OAAO,KAAK;EAC/F,OAAO,IAAI;AACf,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAM,kBAAkB,GAAG,OAC9B,mBAAqC,EACrC,cAA8C,KAC5B;EAClB,IAAI,CAAC,mBAAmB,CAAC,qBAAqB,EAAE;IAC5C,MAAM,IAAI,KAAK,CAAC,SAAS,CAAC,+BAA+B,CAAC;EAC9D;EAEA,MAAM,UAAiC,GAAG,CAAC,cAAc,CAAC,iBAAiB,EAAE,cAAc,CAAC,YAAY,CAAC;EACzG,IAAI,UAAU,CAAC,IAAI,CAAE,KAAK,IAAK,CAAC,mBAAmB,CAAC,qBAAqB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE;IACxF,MAAM,IAAI,KAAK,CAAC,SAAS,CAAC,+BAA+B,CAAC;EAC9D;;EAEA;EACA,IAAI,mBAAmB,CAAC,qBAAqB,CAAC,QAAQ,CAAC,cAAc,CAAC,mBAAmB,CAAC,EAAE;IACxF,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,mBAAmB,CAAC;EACvD;EAEA,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,SAAS,CAAC;;EAEpD;EACA,MAAM,QAAqC,GAAG;IAC1C,WAAW,EAAE,cAAc,CAAC,UAAU;IACtC,UAAU,EAAE,cAAc,CAAC,SAAS;IACpC,cAAc,EAAE,CAAC,MAAM,CAAC;IACxB,WAAW,EAAE,UAAU;IACvB,aAAa,EAAE,cAAc,CAAC,YAAY;IAC1C,4BAA4B,EAAE,OAAO;IACrC,0BAA0B,EAAE,MAAM;IAClC,gBAAgB,EAAE,cAAc,CAAC,eAAe;IAChD,QAAQ,EAAE,cAAc,CAAC,QAAQ;IACjC,QAAQ,EAAE,gBAAgB,CAAC,UAAU,EAAE,cAAc,CAAC,OAAO,CAAC,GAAG,cAAc,CAAC,OAAO,GAAG,SAAS;IACnG,UAAU,EAAE,gBAAgB,CAAC,UAAU,EAAE,cAAc,CAAC,SAAS,CAAC,GAAG,cAAc,CAAC,SAAS,GAAG,SAAS;IACzG,OAAO,EAAE,gBAAgB,CAAC,UAAU,EAAE,cAAc,CAAC,MAAM,CAAC,GAAG,cAAc,CAAC,MAAM,GAAG;EAC3F,CAAC;EAED,MAAM,OAAO,GAAG;IACZ,QAAQ,EAAE,kBAAkB;IAC5B,cAAc,EAAE;EACpB,CAAC;EAED,IAAI;IACA,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,mBAAmB,CAAC,qBAAqB,EAAE;MACpE,MAAM,EAAE,MAAM,CAAC,IAAI;MACnB,OAAO;MACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ;IACjC,CAAC,CAAC;IAEF,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,EAAE;MACxB,MAAM,IAAI,KAAK,CAAC,SAAS,CAAC,yBAAyB,CAAC;IACxD;IAEA,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC;IAClC,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE;MAC3C,MAAM,IAAI,KAAK,CAAC,SAAS,CAAC,0BAA0B,CAAC;IACzD;IAEA,OAAO,QAAQ;EACnB,CAAC,CAAC,OAAO,KAAK,EAAE;IACZ,IAAI,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAE,KAAK,CAAW,OAAoB,CAAC,EAAE;MAC1E,MAAM,KAAK;IACf,CAAC,MAAM;MACH,MAAM,CAAC,KAAK,CAAC,qCAAqC,EAAE,KAAK,CAAC;MAC1D,MAAM,IAAI,KAAK,CAAC,SAAS,CAAC,yBAAyB,CAAC;IACxD;EACJ;AACJ,CAAC","ignoreList":[]}