npm - oidc-spa - Versions diffs - 6.15.1 → 7.0.1 - Mend

oidc-spa 6.15.1 → 7.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

package/README.md +12 -13
package/core/Oidc.d.ts +24 -12
package/core/createOidc.d.ts +15 -30
package/core/createOidc.js +184 -146
package/core/createOidc.js.map +1 -1
package/core/handleOidcCallback.js +2 -29
package/core/handleOidcCallback.js.map +1 -1
package/core/loginOrGoToAuthServer.d.ts +1 -2
package/core/loginOrGoToAuthServer.js +10 -10
package/core/loginOrGoToAuthServer.js.map +1 -1
package/core/loginSilent.d.ts +1 -1
package/core/loginSilent.js +4 -4
package/core/loginSilent.js.map +1 -1
package/core/oidcClientTsUserToTokens.d.ts +1 -2
package/core/oidcClientTsUserToTokens.js +93 -58
package/core/oidcClientTsUserToTokens.js.map +1 -1
package/mock/oidc.d.ts +1 -1
package/mock/oidc.js +29 -19
package/mock/oidc.js.map +1 -1
package/package.json +1 -5
package/react/react.d.ts +9 -14
package/react/react.js +32 -60
package/react/react.js.map +1 -1
package/src/core/Oidc.ts +27 -14
package/src/core/createOidc.ts +189 -149
package/src/core/handleOidcCallback.ts +2 -55
package/src/core/loginOrGoToAuthServer.ts +10 -11
package/src/core/loginSilent.ts +4 -4
package/src/core/oidcClientTsUserToTokens.ts +129 -82
package/src/mock/oidc.ts +16 -6
package/src/react/react.tsx +52 -80
package/src/tools/readExpirationTimeInJwt.ts +4 -5
package/src/tools/startCountdown.ts +4 -5
package/tools/readExpirationTimeInJwt.js +4 -4
package/tools/readExpirationTimeInJwt.js.map +1 -1
package/tools/startCountdown.d.ts +3 -2
package/tools/startCountdown.js +4 -4
package/tools/startCountdown.js.map +1 -1
package/vendor/frontend/oidc-client-ts-and-jwt-decode.js +1 -1
package/core/debug966975.d.ts +0 -7
package/core/debug966975.js +0 -88
package/core/debug966975.js.map +0 -1
package/src/core/debug966975.ts +0 -85

package/src/core/handleOidcCallback.ts CHANGED Viewed

@@ -8,7 +8,6 @@ import { assert, id } from "../vendor/frontend/tsafe";
 import type { AuthResponse } from "./AuthResponse";
 import { initialLocationHref } from "./initialLocationHref";
 import { captureFetch } from "./trustedFetch";
-import { debug966975 } from "./debug966975";
 captureFetch();
@@ -16,19 +15,8 @@ const globalContext = {
     previousCall: id<{ isHandled: boolean } | undefined>(undefined)
 };
-debug966975.log(
-    `=================== Evaluating the handleOidcCallback file, isInIframe: ${
-        window.self !== window.top ? "true" : "false"
-    }, location.href: ${initialLocationHref}`
-);
 export function handleOidcCallback(): { isHandled: boolean } {
     if (globalContext.previousCall !== undefined) {
-        debug966975.log(
-            `handleOidcCallback() call, it has been called previously ${JSON.stringify(
-                globalContext.previousCall
-            )}`
-        );
         return globalContext.previousCall;
     }
@@ -36,20 +24,16 @@ export function handleOidcCallback(): { isHandled: boolean } {
 }
 function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
-    debug966975.log(`In handleOidcCallback_nonMemoized()`);
     const location_urlObj = new URL(initialLocationHref);
     const stateQueryParamValue = (() => {
         const stateQueryParamValue = location_urlObj.searchParams.get("state");
         if (stateQueryParamValue === null) {
-            debug966975.log("No state in url");
             return undefined;
         }
         if (!getIsStatQueryParamValue({ maybeStateQueryParamValue: stateQueryParamValue })) {
-            debug966975.log(`State query param value ${stateQueryParamValue} is malformed`);
             return undefined;
         }
@@ -58,9 +42,6 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
             location_urlObj.searchParams.get("response_type") !== null &&
             location_urlObj.searchParams.get("redirect_uri") !== null
         ) {
-            debug966975.log(
-                "NOTE: We are probably in a Keycloakify theme and oidc-spa was loaded by mistake."
-            );
             // NOTE: We are probably in a Keycloakify theme and oidc-spa was loaded by mistake.
             return undefined;
         }
@@ -68,13 +49,9 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
         return stateQueryParamValue;
     })();
-    debug966975.log(`state query param value ${stateQueryParamValue ?? "undefined"}`);
     if (stateQueryParamValue === undefined) {
         const backForwardTracker = readBackForwardTracker();
-        debug966975.log(`backForwardTracker: ${JSON.stringify(backForwardTracker)}`);
         if (backForwardTracker !== undefined) {
             writeBackForwardTracker({
                 backForwardTracker: {
@@ -84,8 +61,6 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
             });
         }
-        debug966975.log("returning isHandled false");
         return { isHandled: false };
     }
@@ -98,8 +73,6 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
     const stateData = getStateData({ stateQueryParamValue });
-    debug966975.log(`stateData: ${JSON.stringify(stateData)}`);
     if (
         stateData === undefined ||
         (stateData.context === "redirect" && stateData.hasBeenProcessedByCallback)
@@ -123,8 +96,6 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
             }
         })();
-        debug966975.log(`historyMethod: ${historyMethod}`);
         writeBackForwardTracker({
             backForwardTracker: {
                 previousHistoryMethod: historyMethod,
@@ -133,8 +104,6 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
         });
         setTimeout(() => {
-            debug966975.log(`(callback 0) Calling window.history.${historyMethod}()`);
             reloadOnBfCacheNavigation();
             window.history[historyMethod]();
@@ -149,8 +118,6 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
             }, 350);
         }, 0);
-        debug966975.log(`returning isHandled: ${isHandled ? "true" : "false"}`);
         return { isHandled };
     }
@@ -162,12 +129,9 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
     assert(authResponse.state !== "", "063965");
-    debug966975.log(`authResponse: ${JSON.stringify(authResponse)}`);
     switch (stateData.context) {
         case "iframe":
             setTimeout(() => {
-                debug966975.log(`(callback 0) posting message to parent`);
                 parent.postMessage(authResponse, location.origin);
             }, 0);
             break;
@@ -187,15 +151,11 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
                     return stateData.redirectUrl;
                 })();
-                debug966975.log(`(callback 0) location.href = "${href}";`);
                 location.href = href;
             }, 0);
             break;
     }
-    debug966975.log(`Returning isHandled: ${isHandled ? "true" : "false"}`);
     return { isHandled };
 }
@@ -229,28 +189,18 @@ export function retrieveRedirectAuthResponseAndStateData(params: {
 }): { authResponse: AuthResponse; stateData: StateData.Redirect } | undefined {
     const { configId } = params;
-    debug966975.log(`>>> In retrieveRedirectAuthResponseAndStateData(${JSON.stringify({ configId })})`);
     const authResponses = readRedirectAuthResponses();
-    debug966975.log(`authResponses: ${JSON.stringify(authResponses)}`);
     let authResponseAndStateData:
         | { authResponse: AuthResponse; stateData: StateData.Redirect }
         | undefined = undefined;
     for (const authResponse of [...authResponses]) {
-        debug966975.log(`authResponse: ${JSON.stringify(authResponse)}`);
         const stateData = getStateData({ stateQueryParamValue: authResponse.state });
-        debug966975.log(`stateDate: ${JSON.stringify(stateData)}`);
-        try {
-            assert(stateData !== undefined, "966975");
-        } catch {
+        if (stateData === undefined) {
+            // NOTE: We do not understand how this can happen but it can.
             authResponses.splice(authResponses.indexOf(authResponse), 1);
-            debug966975.report();
             continue;
         }
@@ -266,12 +216,9 @@ export function retrieveRedirectAuthResponseAndStateData(params: {
     }
     if (authResponseAndStateData !== undefined) {
-        debug966975.log(`writeRedirectAuthResponses(${JSON.stringify({ authResponses })})`);
         writeRedirectAuthResponses({ authResponses });
     }
-    debug966975.log(`Returning ${JSON.stringify({ authResponseAndStateData })} <<<<<<<<<`);
     return authResponseAndStateData;
 }

package/src/core/loginOrGoToAuthServer.ts CHANGED Viewed

@@ -51,8 +51,7 @@ export function getPrSafelyRestoredFromBfCacheAfterLoginBackNavigation() {
 export function createLoginOrGoToAuthServer(params: {
     configId: string;
     oidcClientTsUserManager: OidcClientTsUserManager;
-    transformUrlBeforeRedirect: ((url: string) => string) | undefined;
-    transformUrlBeforeRedirect_next:
+    transformUrlBeforeRedirect:
         | ((params: { authorizationUrl: string; isSilent: boolean }) => string)
         | undefined;
@@ -71,7 +70,6 @@ export function createLoginOrGoToAuthServer(params: {
         oidcClientTsUserManager,
         transformUrlBeforeRedirect,
-        transformUrlBeforeRedirect_next,
         getExtraQueryParams,
         getExtraTokenParams,
@@ -89,7 +87,7 @@ export function createLoginOrGoToAuthServer(params: {
         const {
             redirectUrl: redirectUrl_params,
             extraQueryParams_local,
-            transformUrlBeforeRedirect_local: transformUrl,
+            transformUrlBeforeRedirect_local,
             ...rest
         } = params;
@@ -108,6 +106,8 @@ export function createLoginOrGoToAuthServer(params: {
             globalContext.evtHasLoginBeenCalled.current = true;
             if (document.visibilityState !== "visible") {
+                rest.interaction === "ensure no interaction";
                 const dVisible = new Deferred<void>();
                 const onVisible = () => {
@@ -196,20 +196,19 @@ export function createLoginOrGoToAuthServer(params: {
             (
                 [
                     [
-                        undefined,
-                        transformUrlBeforeRedirect_next === undefined
+                        getExtraQueryParams,
+                        transformUrlBeforeRedirect === undefined
                             ? undefined
                             : (url: string) =>
-                                  transformUrlBeforeRedirect_next({
+                                  transformUrlBeforeRedirect({
                                       isSilent,
                                       authorizationUrl: url
                                   })
                     ],
-                    [getExtraQueryParams, transformUrlBeforeRedirect],
-                    [extraQueryParams_local, transformUrl]
+                    [extraQueryParams_local, transformUrlBeforeRedirect_local]
                 ] as const
-            ).forEach(([extraQueryParamsMaybeGetter, transformUrlBeforeRedirect], i) => {
-                const url_before = i !== 2 ? undefined : url;
+            ).forEach(([extraQueryParamsMaybeGetter, transformUrlBeforeRedirect], i, arr) => {
+                const url_before = i !== arr.length - 1 ? undefined : url;
                 add_extra_query_params: {
                     if (extraQueryParamsMaybeGetter === undefined) {

package/src/core/loginSilent.ts CHANGED Viewed

@@ -27,7 +27,7 @@ export async function loginSilent(params: {
     stateQueryParamValue_instance: string;
     configId: string;
-    transformUrlBeforeRedirect_next:
+    transformUrlBeforeRedirect:
         | ((params: { authorizationUrl: string; isSilent: true }) => string)
         | undefined;
@@ -42,7 +42,7 @@ export async function loginSilent(params: {
         oidcClientTsUserManager,
         stateQueryParamValue_instance,
         configId,
-        transformUrlBeforeRedirect_next,
+        transformUrlBeforeRedirect,
         getExtraQueryParams,
         getExtraTokenParams,
         autoLogin
@@ -126,10 +126,10 @@ export async function loginSilent(params: {
         }
         apply_transform_url: {
-            if (transformUrlBeforeRedirect_next === undefined) {
+            if (transformUrlBeforeRedirect === undefined) {
                 break apply_transform_url;
             }
-            url = transformUrlBeforeRedirect_next({ authorizationUrl: url, isSilent: true });
+            url = transformUrlBeforeRedirect({ authorizationUrl: url, isSilent: true });
         }
         return url;

package/src/core/oidcClientTsUserToTokens.ts CHANGED Viewed

@@ -6,7 +6,9 @@ import type { Oidc } from "./Oidc";
 export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, unknown>>(params: {
     oidcClientTsUser: OidcClientTsUser;
-    decodedIdTokenSchema?: { parse: (data: unknown) => DecodedIdToken };
+    decodedIdTokenSchema?: {
+        parse: (decodedIdToken_original: Oidc.Tokens.DecodedIdToken_base) => DecodedIdToken;
+    };
     __unsafe_useIdTokenAsAccessToken: boolean;
     decodedIdToken_previous: DecodedIdToken | undefined;
     log: typeof console.log | undefined;
@@ -23,69 +25,29 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
     const accessToken = oidcClientTsUser.access_token;
-    const accessTokenExpirationTime = (() => {
-        read_from_token_response: {
-            const { expires_at } = oidcClientTsUser;
-            if (expires_at === undefined) {
-                break read_from_token_response;
-            }
-            return expires_at * 1000;
-        }
-        read_from_jwt: {
-            const expirationTime = readExpirationTimeInJwt(accessToken);
-            if (expirationTime === undefined) {
-                break read_from_jwt;
-            }
-            return expirationTime;
-        }
-        assert(false, "Failed to get access token expiration time");
-    })();
     const refreshToken = oidcClientTsUser.refresh_token;
-    const refreshTokenExpirationTime = (() => {
-        if (refreshToken === undefined) {
-            return undefined;
-        }
-        read_from_jwt: {
-            const expirationTime = readExpirationTimeInJwt(refreshToken);
-            if (expirationTime === undefined) {
-                break read_from_jwt;
-            }
-            return expirationTime;
-        }
-        return undefined;
-    })();
     const idToken = oidcClientTsUser.id_token;
     assert(idToken !== undefined, "No id token provided by the oidc server");
+    const decodedIdToken_original = decodeJwt<Oidc.Tokens.DecodedIdToken_base>(idToken);
+    if (isFirstInit) {
+        log?.(
+            [
+                `Decoded ID token`,
+                decodedIdTokenSchema === undefined ? "" : " before `decodedIdTokenSchema.parse()`\n",
+                JSON.stringify(decodedIdToken_original, null, 2)
+            ].join("")
+        );
+    }
     const decodedIdToken = (() => {
-        let decodedIdToken = decodeJwt(idToken) as DecodedIdToken;
-        if (isFirstInit) {
-            log?.(
-                [
-                    `Decoded ID token`,
-                    decodedIdTokenSchema === undefined ? "" : " before `decodedIdTokenSchema.parse()`\n",
-                    JSON.stringify(decodedIdToken, null, 2)
-                ].join("")
-            );
-        }
+        let decodedIdToken: DecodedIdToken;
         if (decodedIdTokenSchema !== undefined) {
-            decodedIdToken = decodedIdTokenSchema.parse(decodedIdToken);
+            decodedIdToken = decodedIdTokenSchema.parse(decodedIdToken_original);
             if (isFirstInit) {
                 log?.(
@@ -95,18 +57,50 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
                     ].join("")
                 );
             }
+        } else {
+            // @ts-expect-error
+            decodedIdToken = decodedIdToken_original;
         }
         if (
             decodedIdToken_previous !== undefined &&
             JSON.stringify(decodedIdToken) === JSON.stringify(decodedIdToken_previous)
         ) {
+            // NOTE: For stable ref, prevent re-render for component that would memoize
             return decodedIdToken_previous;
         }
         return decodedIdToken;
     })();
+    const issuedAtTime = (() => {
+        // NOTE: The id_token is always a JWT as per the protocol.
+        // We don't use Date.now() due to network latency.
+        const id_token_iat = (() => {
+            let iat: number | undefined;
+            try {
+                const iat_claimValue = decodedIdToken_original.iat;
+                assert(iat_claimValue === undefined || typeof iat_claimValue === "number");
+                iat = iat_claimValue;
+            } catch {
+                iat = undefined;
+            }
+            if (iat === undefined) {
+                return undefined;
+            }
+            return iat;
+        })();
+        if (id_token_iat === undefined) {
+            return Date.now();
+        }
+        return id_token_iat * 1000;
+    })();
     const tokens_common: Oidc.Tokens.Common<DecodedIdToken> = {
         ...(__unsafe_useIdTokenAsAccessToken
             ? {
@@ -122,9 +116,50 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
                       return expirationTime;
                   })()
               }
-            : { accessToken, accessTokenExpirationTime }),
+            : {
+                  accessToken,
+                  accessTokenExpirationTime: (() => {
+                      read_from_jwt: {
+                          const expirationTime = readExpirationTimeInJwt(accessToken);
+                          if (expirationTime === undefined) {
+                              break read_from_jwt;
+                          }
+                          return expirationTime;
+                      }
+                      read_from_token_response_expires_at: {
+                          const { expires_at } = oidcClientTsUser.__oidc_spa_tokenResponse;
+                          if (expires_at === undefined) {
+                              break read_from_token_response_expires_at;
+                          }
+                          assert(typeof expires_at === "number", "2033392");
+                          return expires_at * 1000;
+                      }
+                      read_from_token_response_expires_in: {
+                          const { expires_in } = oidcClientTsUser.__oidc_spa_tokenResponse;
+                          if (expires_in === undefined) {
+                              break read_from_token_response_expires_in;
+                          }
+                          assert(typeof expires_in === "number", "203333425");
+                          return issuedAtTime + expires_in * 1_000;
+                      }
+                      assert(false, "Failed to get access token expiration time");
+                  })()
+              }),
         idToken,
-        decodedIdToken
+        decodedIdToken,
+        decodedIdToken_original,
+        issuedAtTime
     };
     const tokens: Oidc.Tokens<DecodedIdToken> =
@@ -137,7 +172,43 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
                   ...tokens_common,
                   hasRefreshToken: true,
                   refreshToken,
-                  refreshTokenExpirationTime
+                  refreshTokenExpirationTime: (() => {
+                      read_from_token_response_expires_at: {
+                          const { refresh_expires_at } = oidcClientTsUser.__oidc_spa_tokenResponse;
+                          if (refresh_expires_at === undefined) {
+                              break read_from_token_response_expires_at;
+                          }
+                          assert(typeof refresh_expires_at === "number", "2033392");
+                          return refresh_expires_at * 1000;
+                      }
+                      read_from_token_response_expires_in: {
+                          const { refresh_expires_in } = oidcClientTsUser.__oidc_spa_tokenResponse;
+                          if (refresh_expires_in === undefined) {
+                              break read_from_token_response_expires_in;
+                          }
+                          assert(typeof refresh_expires_in === "number", "2033425330");
+                          return issuedAtTime + refresh_expires_in * 1000;
+                      }
+                      read_from_jwt: {
+                          const expirationTime = readExpirationTimeInJwt(refreshToken);
+                          if (expirationTime === undefined) {
+                              break read_from_jwt;
+                          }
+                          return expirationTime;
+                      }
+                      return undefined;
+                  })()
               });
     if (
@@ -156,27 +227,3 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
     return tokens;
 }
-export function getMsBeforeExpiration(tokens: Oidc.Tokens): number {
-    // NOTE: In general the access token is supposed to have a shorter
-    // lifespan than the refresh token but we don't want to make any
-    // assumption here.
-    const tokenExpirationTime = Math.min(
-        tokens.accessTokenExpirationTime,
-        tokens.refreshTokenExpirationTime ?? Number.POSITIVE_INFINITY
-    );
-    const msBeforeExpiration = Math.min(
-        tokenExpirationTime - Date.now(),
-        // NOTE: We want to make sure we do not overflow the setTimeout
-        // that must be a 32 bit unsigned integer.
-        // This can happen if the tokenExpirationTime is more than 24.8 days in the future.
-        Math.pow(2, 31) - 1
-    );
-    if (msBeforeExpiration < 0) {
-        return 0;
-    }
-    return msBeforeExpiration;
-}

package/src/mock/oidc.ts CHANGED Viewed

@@ -29,7 +29,7 @@ export type ParamsOfCreateMockOidc<
 const URL_SEARCH_PARAM_NAME = "isUserLoggedIn";
 export async function createMockOidc<
-    DecodedIdToken extends Record<string, unknown> = Record<string, unknown>,
+    DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_base,
     AutoLogin extends boolean = false
 >(
     params: ParamsOfCreateMockOidc<DecodedIdToken, AutoLogin>
@@ -130,7 +130,7 @@ export async function createMockOidc<
         ...common,
         isUserLoggedIn: true,
         renewTokens: async () => {},
-        getTokens: (() => {
+        ...(() => {
             const tokens_common: Oidc.Tokens.Common<DecodedIdToken> = {
                 accessToken: mockedTokens.accessToken ?? "mocked-access-token",
                 accessTokenExpirationTime: mockedTokens.accessTokenExpirationTime ?? Infinity,
@@ -142,7 +142,16 @@ export async function createMockOidc<
                             "You haven't provided a mocked decodedIdToken",
                             "See https://docs.oidc-spa.dev/v/v6/mock"
                         ].join("\n")
-                    })
+                    }),
+                decodedIdToken_original:
+                    mockedTokens.decodedIdToken_original ??
+                    createObjectThatThrowsIfAccessed<Oidc.Tokens.DecodedIdToken_base>({
+                        debugMessage: [
+                            "You haven't provided a mocked decodedIdToken_original",
+                            "See https://docs.oidc-spa.dev/v/v6/mock"
+                        ].join("\n")
+                    }),
+                issuedAtTime: Date.now()
             };
             const tokens: Oidc.Tokens<DecodedIdToken> =
@@ -158,10 +167,11 @@ export async function createMockOidc<
                           hasRefreshToken: false
                       });
-            return () => tokens;
+            return {
+                getTokens: () => Promise.resolve(tokens),
+                getDecodedIdToken: () => tokens_common.decodedIdToken
+            };
         })(),
-        getTokens_next: () => Promise.resolve(oidc.getTokens()),
-        getDecodedIdToken: () => oidc.getTokens().decodedIdToken,
         subscribeToTokensChange: () => ({
             unsubscribe: () => {}
         }),