oidc-spa 6.15.1 → 7.0.0

package/src/core/loginSilent.ts

@@ -27,7 +27,7 @@ export async function loginSilent(params: {
     stateQueryParamValue_instance: string;
     configId: string;
 
-    transformUrlBeforeRedirect_next:
+    transformUrlBeforeRedirect:
         | ((params: { authorizationUrl: string; isSilent: true }) => string)
         | undefined;
 
@@ -42,7 +42,7 @@ export async function loginSilent(params: {
         oidcClientTsUserManager,
         stateQueryParamValue_instance,
         configId,
-        transformUrlBeforeRedirect_next,
+        transformUrlBeforeRedirect,
         getExtraQueryParams,
         getExtraTokenParams,
         autoLogin
@@ -126,10 +126,10 @@ export async function loginSilent(params: {
         }
 
         apply_transform_url: {
-            if (transformUrlBeforeRedirect_next === undefined) {
+            if (transformUrlBeforeRedirect === undefined) {
                 break apply_transform_url;
             }
-            url = transformUrlBeforeRedirect_next({ authorizationUrl: url, isSilent: true });
+            url = transformUrlBeforeRedirect({ authorizationUrl: url, isSilent: true });
         }
 
         return url;

package/src/core/oidcClientTsUserToTokens.ts

@@ -6,7 +6,9 @@ import type { Oidc } from "./Oidc";
 
 export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, unknown>>(params: {
     oidcClientTsUser: OidcClientTsUser;
-    decodedIdTokenSchema?: { parse: (data: unknown) => DecodedIdToken };
+    decodedIdTokenSchema?: {
+        parse: (decodedIdToken_original: Oidc.Tokens.DecodedIdToken_base) => DecodedIdToken;
+    };
     __unsafe_useIdTokenAsAccessToken: boolean;
     decodedIdToken_previous: DecodedIdToken | undefined;
     log: typeof console.log | undefined;
@@ -23,69 +25,29 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
 
     const accessToken = oidcClientTsUser.access_token;
 
-    const accessTokenExpirationTime = (() => {
-        read_from_token_response: {
-            const { expires_at } = oidcClientTsUser;
-
-            if (expires_at === undefined) {
-                break read_from_token_response;
-            }
-
-            return expires_at * 1000;
-        }
-
-        read_from_jwt: {
-            const expirationTime = readExpirationTimeInJwt(accessToken);
-
-            if (expirationTime === undefined) {
-                break read_from_jwt;
-            }
-
-            return expirationTime;
-        }
-
-        assert(false, "Failed to get access token expiration time");
-    })();
-
     const refreshToken = oidcClientTsUser.refresh_token;
 
-    const refreshTokenExpirationTime = (() => {
-        if (refreshToken === undefined) {
-            return undefined;
-        }
-
-        read_from_jwt: {
-            const expirationTime = readExpirationTimeInJwt(refreshToken);
-
-            if (expirationTime === undefined) {
-                break read_from_jwt;
-            }
-
-            return expirationTime;
-        }
-
-        return undefined;
-    })();
-
     const idToken = oidcClientTsUser.id_token;
 
     assert(idToken !== undefined, "No id token provided by the oidc server");
 
+    const decodedIdToken_original = decodeJwt<Oidc.Tokens.DecodedIdToken_base>(idToken);
+
+    if (isFirstInit) {
+        log?.(
+            [
+                `Decoded ID token`,
+                decodedIdTokenSchema === undefined ? "" : " before `decodedIdTokenSchema.parse()`\n",
+                JSON.stringify(decodedIdToken_original, null, 2)
+            ].join("")
+        );
+    }
+
     const decodedIdToken = (() => {
-        let decodedIdToken = decodeJwt(idToken) as DecodedIdToken;
-
-        if (isFirstInit) {
-            log?.(
-                [
-                    `Decoded ID token`,
-                    decodedIdTokenSchema === undefined ? "" : " before `decodedIdTokenSchema.parse()`\n",
-                    JSON.stringify(decodedIdToken, null, 2)
-                ].join("")
-            );
-        }
+        let decodedIdToken: DecodedIdToken;
 
         if (decodedIdTokenSchema !== undefined) {
-            decodedIdToken = decodedIdTokenSchema.parse(decodedIdToken);
+            decodedIdToken = decodedIdTokenSchema.parse(decodedIdToken_original);
 
             if (isFirstInit) {
                 log?.(
@@ -95,18 +57,50 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
                     ].join("")
                 );
             }
+        } else {
+            // @ts-expect-error
+            decodedIdToken = decodedIdToken_original;
         }
 
         if (
             decodedIdToken_previous !== undefined &&
             JSON.stringify(decodedIdToken) === JSON.stringify(decodedIdToken_previous)
         ) {
+            // NOTE: For stable ref, prevent re-render for component that would memoize
             return decodedIdToken_previous;
         }
 
         return decodedIdToken;
     })();
 
+    const issuedAtTime = (() => {
+        // NOTE: The id_token is always a JWT as per the protocol.
+        // We don't use Date.now() due to network latency.
+        const id_token_iat = (() => {
+            let iat: number | undefined;
+
+            try {
+                const iat_claimValue = decodedIdToken_original.iat;
+                assert(iat_claimValue === undefined || typeof iat_claimValue === "number");
+                iat = iat_claimValue;
+            } catch {
+                iat = undefined;
+            }
+
+            if (iat === undefined) {
+                return undefined;
+            }
+
+            return iat;
+        })();
+
+        if (id_token_iat === undefined) {
+            return Date.now();
+        }
+
+        return id_token_iat * 1000;
+    })();
+
     const tokens_common: Oidc.Tokens.Common<DecodedIdToken> = {
         ...(__unsafe_useIdTokenAsAccessToken
             ? {
@@ -122,9 +116,50 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
                       return expirationTime;
                   })()
               }
-            : { accessToken, accessTokenExpirationTime }),
+            : {
+                  accessToken,
+                  accessTokenExpirationTime: (() => {
+                      read_from_jwt: {
+                          const expirationTime = readExpirationTimeInJwt(accessToken);
+
+                          if (expirationTime === undefined) {
+                              break read_from_jwt;
+                          }
+
+                          return expirationTime;
+                      }
+
+                      read_from_token_response_expires_at: {
+                          const { expires_at } = oidcClientTsUser.__oidc_spa_tokenResponse;
+
+                          if (expires_at === undefined) {
+                              break read_from_token_response_expires_at;
+                          }
+
+                          assert(typeof expires_at === "number", "2033392");
+
+                          return expires_at * 1000;
+                      }
+
+                      read_from_token_response_expires_in: {
+                          const { expires_in } = oidcClientTsUser.__oidc_spa_tokenResponse;
+
+                          if (expires_in === undefined) {
+                              break read_from_token_response_expires_in;
+                          }
+
+                          assert(typeof expires_in === "number", "203333425");
+
+                          return issuedAtTime + expires_in * 1_000;
+                      }
+
+                      assert(false, "Failed to get access token expiration time");
+                  })()
+              }),
         idToken,
-        decodedIdToken
+        decodedIdToken,
+        decodedIdToken_original,
+        issuedAtTime
     };
 
     const tokens: Oidc.Tokens<DecodedIdToken> =
@@ -137,7 +172,43 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
                   ...tokens_common,
                   hasRefreshToken: true,
                   refreshToken,
-                  refreshTokenExpirationTime
+                  refreshTokenExpirationTime: (() => {
+                      read_from_token_response_expires_at: {
+                          const { refresh_expires_at } = oidcClientTsUser.__oidc_spa_tokenResponse;
+
+                          if (refresh_expires_at === undefined) {
+                              break read_from_token_response_expires_at;
+                          }
+
+                          assert(typeof refresh_expires_at === "number", "2033392");
+
+                          return refresh_expires_at * 1000;
+                      }
+
+                      read_from_token_response_expires_in: {
+                          const { refresh_expires_in } = oidcClientTsUser.__oidc_spa_tokenResponse;
+
+                          if (refresh_expires_in === undefined) {
+                              break read_from_token_response_expires_in;
+                          }
+
+                          assert(typeof refresh_expires_in === "number", "2033425330");
+
+                          return issuedAtTime + refresh_expires_in * 1000;
+                      }
+
+                      read_from_jwt: {
+                          const expirationTime = readExpirationTimeInJwt(refreshToken);
+
+                          if (expirationTime === undefined) {
+                              break read_from_jwt;
+                          }
+
+                          return expirationTime;
+                      }
+
+                      return undefined;
+                  })()
               });
 
     if (
@@ -156,27 +227,3 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
 
     return tokens;
 }
-
-export function getMsBeforeExpiration(tokens: Oidc.Tokens): number {
-    // NOTE: In general the access token is supposed to have a shorter
-    // lifespan than the refresh token but we don't want to make any
-    // assumption here.
-    const tokenExpirationTime = Math.min(
-        tokens.accessTokenExpirationTime,
-        tokens.refreshTokenExpirationTime ?? Number.POSITIVE_INFINITY
-    );
-
-    const msBeforeExpiration = Math.min(
-        tokenExpirationTime - Date.now(),
-        // NOTE: We want to make sure we do not overflow the setTimeout
-        // that must be a 32 bit unsigned integer.
-        // This can happen if the tokenExpirationTime is more than 24.8 days in the future.
-        Math.pow(2, 31) - 1
-    );
-
-    if (msBeforeExpiration < 0) {
-        return 0;
-    }
-
-    return msBeforeExpiration;
-}

package/src/mock/oidc.ts

@@ -29,7 +29,7 @@ export type ParamsOfCreateMockOidc<
 const URL_SEARCH_PARAM_NAME = "isUserLoggedIn";
 
 export async function createMockOidc<
-    DecodedIdToken extends Record<string, unknown> = Record<string, unknown>,
+    DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_base,
     AutoLogin extends boolean = false
 >(
     params: ParamsOfCreateMockOidc<DecodedIdToken, AutoLogin>
@@ -130,7 +130,7 @@ export async function createMockOidc<
         ...common,
         isUserLoggedIn: true,
         renewTokens: async () => {},
-        getTokens: (() => {
+        ...(() => {
             const tokens_common: Oidc.Tokens.Common<DecodedIdToken> = {
                 accessToken: mockedTokens.accessToken ?? "mocked-access-token",
                 accessTokenExpirationTime: mockedTokens.accessTokenExpirationTime ?? Infinity,
@@ -142,7 +142,16 @@ export async function createMockOidc<
                             "You haven't provided a mocked decodedIdToken",
                             "See https://docs.oidc-spa.dev/v/v6/mock"
                         ].join("\n")
-                    })
+                    }),
+                decodedIdToken_original:
+                    mockedTokens.decodedIdToken_original ??
+                    createObjectThatThrowsIfAccessed<Oidc.Tokens.DecodedIdToken_base>({
+                        debugMessage: [
+                            "You haven't provided a mocked decodedIdToken_original",
+                            "See https://docs.oidc-spa.dev/v/v6/mock"
+                        ].join("\n")
+                    }),
+                issuedAtTime: Date.now()
             };
 
             const tokens: Oidc.Tokens<DecodedIdToken> =
@@ -158,10 +167,11 @@ export async function createMockOidc<
                           hasRefreshToken: false
                       });
 
-            return () => tokens;
+            return {
+                getTokens: () => Promise.resolve(tokens),
+                getDecodedIdToken: () => tokens_common.decodedIdToken
+            };
         })(),
-        getTokens_next: () => Promise.resolve(oidc.getTokens()),
-        getDecodedIdToken: () => oidc.getTokens().decodedIdToken,
         subscribeToTokensChange: () => ({
             unsubscribe: () => {}
         }),

package/src/react/react.tsx

@@ -3,8 +3,6 @@ import {
     useState,
     createContext,
     useContext,
-    useReducer,
-    useRef,
     type ReactNode,
     type ComponentType,
     type FC,
@@ -33,10 +31,7 @@ export namespace OidcReact {
         }) => Promise<never>;
         initializationError: OidcInitializationError | undefined;
 
-        /** @deprecated: Use `const { decodedIdToken, tokens} = useOidc();` */
-        oidcTokens?: never;
         decodedIdToken?: never;
-        tokens?: never;
         logout?: never;
         subscribeToAutoLogoutCountdown?: never;
         goToAuthServer?: never;
@@ -46,10 +41,7 @@ export namespace OidcReact {
 
     export type LoggedIn<DecodedIdToken extends Record<string, unknown>> = Common & {
         isUserLoggedIn: true;
-        /** @deprecated: Use `const { decodedIdToken, tokens} = useOidc();` */
-        oidcTokens: Oidc.Tokens<DecodedIdToken>;
         decodedIdToken: DecodedIdToken;
-        tokens: Oidc.Tokens<DecodedIdToken> | undefined;
         logout: Oidc.LoggedIn["logout"];
         renewTokens: Oidc.LoggedIn["renewTokens"];
         subscribeToAutoLogoutCountdown: (
@@ -259,62 +251,22 @@ export function createOidcReactApi_dependencyInjection<
             }
         }
 
-        const [, forceUpdate] = useReducer(() => [], []);
-        // TODO: Remove in next major version
-        useEffect(() => {
-            if (!oidc.isUserLoggedIn) {
-                return;
-            }
-
-            const { unsubscribe } = oidc.subscribeToTokensChange(forceUpdate);
-
-            return unsubscribe;
-        }, [oidc]);
-
-        const tokensState_ref = useRef<{
-            isConsumerReadingTokens: boolean;
-            tokens: Oidc.Tokens<DecodedIdToken> | undefined;
-        }>({
-            isConsumerReadingTokens: false,
-            tokens: undefined
-        });
+        const [, reRenderIfDecodedIdTokenChanged] = useState(
+            !oidc.isUserLoggedIn ? undefined : oidc.getDecodedIdToken()
+        );
 
         useEffect(() => {
             if (!oidc.isUserLoggedIn) {
                 return;
             }
 
-            const updateTokens = (tokens: Oidc.Tokens<DecodedIdToken>) => {
-                if (tokens === tokensState_ref.current.tokens) {
-                    return;
-                }
-
-                const tokenState = tokensState_ref.current;
-
-                tokenState.tokens = tokens;
-
-                if (tokenState.isConsumerReadingTokens) {
-                    forceUpdate();
-                }
-            };
+            const { unsubscribe } = oidc.subscribeToTokensChange(() =>
+                reRenderIfDecodedIdTokenChanged(oidc.getDecodedIdToken())
+            );
 
-            let isActive = true;
+            reRenderIfDecodedIdTokenChanged(oidc.getDecodedIdToken());
 
-            oidc.getTokens_next().then(tokens => {
-                if (!isActive) {
-                    return;
-                }
-                updateTokens(tokens);
-            });
-
-            const { unsubscribe } = oidc.subscribeToTokensChange(tokens => {
-                updateTokens(tokens);
-            });
-
-            return () => {
-                isActive = false;
-                unsubscribe();
-            };
+            return unsubscribe;
         }, []);
 
         const common: OidcReact.Common = {
@@ -334,13 +286,7 @@ export function createOidcReactApi_dependencyInjection<
         const oidcReact: OidcReact.LoggedIn<DecodedIdToken> = {
             ...common,
             isUserLoggedIn: true,
-            oidcTokens: oidc.getTokens(),
             decodedIdToken: oidc.getDecodedIdToken(),
-            get tokens() {
-                const tokensState = tokensState_ref.current;
-                tokensState.isConsumerReadingTokens = true;
-                return tokensState.tokens;
-            },
             logout: oidc.logout,
             renewTokens: oidc.renewTokens,
             subscribeToAutoLogoutCountdown: oidc.subscribeToAutoLogoutCountdown,
@@ -422,17 +368,10 @@ export function createOidcReactApi_dependencyInjection<
         return oidc;
     });
 
-    async function getOidc(): Promise<Oidc<DecodedIdToken>> {
+    function getOidc(): Promise<Oidc<DecodedIdToken>> {
         dReadyToCreate.resolve();
 
-        // TODO: Directly return oidc in next major version
-        const oidc = await prOidc;
-
-        if (oidc.isUserLoggedIn) {
-            await oidc.getTokens_next();
-        }
-
-        return oidc;
+        return prOidc;
     }
 
     const oidcReact: OidcReactApi<DecodedIdToken, false> = {
@@ -449,7 +388,7 @@ export function createOidcReactApi_dependencyInjection<
 
 /** @see: https://docs.oidc-spa.dev/v/v6/usage#react-api */
 export function createReactOidc<
-    DecodedIdToken extends Record<string, unknown> = Record<string, unknown>,
+    DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_base,
     AutoLogin extends boolean = false
 >(params: ValueOrAsyncGetter<ParamsOfCreateOidc<DecodedIdToken, AutoLogin>>) {
     return createOidcReactApi_dependencyInjection(params, createOidc);

package/src/tools/readExpirationTimeInJwt.ts

@@ -3,15 +3,14 @@ import { assert } from "../vendor/frontend/tsafe";
 
 // Return undefined if token provided wasn't a JWT or if it hasn't an exp claim number
 export function readExpirationTimeInJwt(token: string): number | undefined {
-    let expirationTime: number;
+    let exp: number;
 
     try {
-        expirationTime = decodeJwt<{ exp: number }>(token).exp * 1000;
-
-        assert(typeof expirationTime === "number" && !isNaN(expirationTime));
+        exp = decodeJwt<{ exp: number }>(token).exp;
+        assert(typeof exp === "number");
     } catch {
         return undefined;
     }
 
-    return expirationTime;
+    return exp * 1000;
 }

package/tools/readExpirationTimeInJwt.js

@@ -5,14 +5,14 @@ var decodeJwt_1 = require("./decodeJwt");
 var tsafe_1 = require("../vendor/frontend/tsafe");
 // Return undefined if token provided wasn't a JWT or if it hasn't an exp claim number
 function readExpirationTimeInJwt(token) {
-    var expirationTime;
+    var exp;
     try {
-        expirationTime = (0, decodeJwt_1.decodeJwt)(token).exp * 1000;
-        (0, tsafe_1.assert)(typeof expirationTime === "number" && !isNaN(expirationTime));
+        exp = (0, decodeJwt_1.decodeJwt)(token).exp;
+        (0, tsafe_1.assert)(typeof exp === "number");
     }
     catch (_a) {
         return undefined;
     }
-    return expirationTime;
+    return exp * 1000;
 }
 //# sourceMappingURL=readExpirationTimeInJwt.js.map

package/tools/readExpirationTimeInJwt.js.map

@@ -1 +1 @@
-{"version":3,"file":"readExpirationTimeInJwt.js","sourceRoot":"","sources":["../src/tools/readExpirationTimeInJwt.ts"],"names":[],"mappings":";;AAIA,0DAYC;AAhBD,yCAAwC;AACxC,kDAAkD;AAElD,sFAAsF;AACtF,SAAgB,uBAAuB,CAAC,KAAa;IACjD,IAAI,cAAsB,CAAC;IAE3B,IAAI,CAAC;QACD,cAAc,GAAG,IAAA,qBAAS,EAAkB,KAAK,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC;QAE9D,IAAA,cAAM,EAAC,OAAO,cAAc,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC;IACzE,CAAC;IAAC,WAAM,CAAC;QACL,OAAO,SAAS,CAAC;IACrB,CAAC;IAED,OAAO,cAAc,CAAC;AAC1B,CAAC"}
+{"version":3,"file":"readExpirationTimeInJwt.js","sourceRoot":"","sources":["../src/tools/readExpirationTimeInJwt.ts"],"names":[],"mappings":";;AAIA,0DAWC;AAfD,yCAAwC;AACxC,kDAAkD;AAElD,sFAAsF;AACtF,SAAgB,uBAAuB,CAAC,KAAa;IACjD,IAAI,GAAW,CAAC;IAEhB,IAAI,CAAC;QACD,GAAG,GAAG,IAAA,qBAAS,EAAkB,KAAK,CAAC,CAAC,GAAG,CAAC;QAC5C,IAAA,cAAM,EAAC,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC;IACpC,CAAC;IAAC,WAAM,CAAC;QACL,OAAO,SAAS,CAAC;IACrB,CAAC;IAED,OAAO,GAAG,GAAG,IAAI,CAAC;AACtB,CAAC"}