oidc-spa 7.1.10 → 7.2.0-rc.2

package/src/core/Oidc.ts

@@ -1,141 +0,0 @@
-import type { OidcInitializationError } from "./OidcInitializationError";
-
-export declare type Oidc<
-    DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_base
-> = Oidc.LoggedIn<DecodedIdToken> | Oidc.NotLoggedIn;
-
-export declare namespace Oidc {
-    export type Common = {
-        params: {
-            issuerUri: string;
-            clientId: string;
-        };
-    };
-
-    export type NotLoggedIn = Common & {
-        isUserLoggedIn: false;
-        login: (params: {
-            doesCurrentHrefRequiresAuth: boolean;
-            /**
-             * Add extra query parameters to the url before redirecting to the login pages.
-             */
-            extraQueryParams?: Record<string, string | undefined>;
-            /**
-             * Where to redirect after successful login.
-             * Default: window.location.href (here)
-             *
-             * It does not need to include the origin, eg: "/dashboard"
-             */
-            redirectUrl?: string;
-
-            /**
-             * Transform the url before redirecting to the login pages.
-             * Prefer using the extraQueryParams parameter if you're only adding query parameters.
-             */
-            transformUrlBeforeRedirect?: (url: string) => string;
-        }) => Promise<never>;
-        initializationError: OidcInitializationError | undefined;
-    };
-
-    export type LoggedIn<DecodedIdToken extends Record<string, unknown> = Record<string, unknown>> =
-        Common & {
-            isUserLoggedIn: true;
-            renewTokens(params?: {
-                extraTokenParams?: Record<string, string | undefined>;
-            }): Promise<void>;
-            getTokens: () => Promise<Tokens<DecodedIdToken>>;
-            subscribeToTokensChange: (onTokenChange: (tokens: Tokens<DecodedIdToken>) => void) => {
-                unsubscribe: () => void;
-            };
-            getDecodedIdToken: () => DecodedIdToken;
-            logout: (
-                params:
-                    | { redirectTo: "home" | "current page" }
-                    | { redirectTo: "specific url"; url: string }
-            ) => Promise<never>;
-            goToAuthServer: (params: {
-                extraQueryParams?: Record<string, string>;
-                redirectUrl?: string;
-                transformUrlBeforeRedirect?: (url: string) => string;
-            }) => Promise<never>;
-            subscribeToAutoLogoutCountdown: (
-                tickCallback: (params: { secondsLeft: number | undefined }) => void
-            ) => { unsubscribeFromAutoLogoutCountdown: () => void };
-            /**
-             * Defined when authMethod is "back from auth server".
-             * If you called `goToAuthServer` or `login` with extraQueryParams, this object let you know the outcome of the
-             * of the action that was intended.
-             *
-             * For example, on a Keycloak server, if you called `goToAuthServer({ extraQueryParams: { kc_action: "UPDATE_PASSWORD" } })`
-             * you'll get back: `{ extraQueryParams: { kc_action: "UPDATE_PASSWORD" }, result: { kc_action_status: "success" } }` (or "cancelled")
-             */
-            backFromAuthServer:
-                | {
-                      extraQueryParams: Record<string, string>;
-                      result: Record<string, string>;
-                  }
-                | undefined;
-            /**
-             * This is true when the user has just returned from the login pages.
-             * This is also true when the user navigate to your app and was able to be silently signed in because there was still a valid session.
-             * This false however when the use just reload the page.
-             *
-             * This can be used to perform some action related to session initialization
-             * but avoiding doing it repeatedly every time the user reload the page.
-             *
-             * Note that this is referring to the browser session and not the OIDC session
-             * on the server side.
-             *
-             * If you want to perform an action only when a new OIDC session is created
-             * you can test oidc.isNewBrowserSession && oidc.backFromAuthServer !== undefined
-             */
-            isNewBrowserSession: boolean;
-        };
-
-    export type Tokens<DecodedIdToken extends Record<string, unknown> = Tokens.DecodedIdToken_base> =
-        | Tokens.WithRefreshToken<DecodedIdToken>
-        | Tokens.WithoutRefreshToken<DecodedIdToken>;
-
-    export namespace Tokens {
-        export type Common<DecodedIdToken> = {
-            accessToken: string;
-            accessTokenExpirationTime: number;
-            idToken: string;
-            decodedIdToken: DecodedIdToken;
-            /**
-             * decodedIdToken_original = decodeJwt(idToken);
-             * decodedIdToken = decodedIdTokenSchema.parse(decodedIdToken_original)
-             *
-             * The idea here is that if you have provided a zod schema as `decodedIdTokenSchema`
-             * it will strip out every claim that you haven't specified.
-             * You might even be applying some transformation.
-             *
-             * `decodedIdToken_original` is the actual decoded payload of the  id_token, untransformed.
-             * */
-            decodedIdToken_original: DecodedIdToken_base;
-            /** Read from id_token's JWT, iat claim value, it's a JavaScript timestamp (millisecond epoch) */
-            issuedAtTime: number;
-        };
-
-        export type WithRefreshToken<DecodedIdToken> = Common<DecodedIdToken> & {
-            hasRefreshToken: true;
-            refreshToken: string;
-            refreshTokenExpirationTime: number | undefined;
-        };
-
-        export type WithoutRefreshToken<DecodedIdToken> = Common<DecodedIdToken> & {
-            hasRefreshToken: false;
-            refreshToken?: never;
-            refreshTokenExpirationTime?: never;
-        };
-
-        export type DecodedIdToken_base = {
-            iss: string;
-            sub: string;
-            aud: string | string[];
-            exp: number;
-            iat: number;
-            [claimName: string]: unknown;
-        };
-    }
-}

package/src/core/StateData.ts

@@ -1,118 +0,0 @@
-import { typeGuard, assert } from "../vendor/frontend/tsafe";
-import { generateUrlSafeRandom } from "../tools/generateUrlSafeRandom";
-
-export type StateData = StateData.IFrame | StateData.Redirect;
-
-export namespace StateData {
-    type Common = {
-        configId: string;
-    };
-
-    export type IFrame = Common & {
-        context: "iframe";
-    };
-
-    export type Redirect = Redirect.Login | Redirect.Logout;
-    export namespace Redirect {
-        type Common_Redirect = Common & {
-            context: "redirect";
-            redirectUrl: string;
-            hasBeenProcessedByCallback: boolean;
-        };
-
-        export type Login = Common_Redirect & {
-            action: "login";
-            redirectUrl_consentRequiredCase: string;
-            extraQueryParams: Record<string, string>;
-        };
-
-        export type Logout = Common_Redirect & {
-            action: "logout";
-            sessionId: string | undefined;
-        };
-    }
-}
-
-const STATE_QUERY_PARAM_VALUE_IDENTIFIER_PREFIX = "b2lkYy1zcGEu";
-const RANDOM_STRING_LENGTH = 32 - STATE_QUERY_PARAM_VALUE_IDENTIFIER_PREFIX.length;
-
-export function generateStateQueryParamValue(): string {
-    return `${STATE_QUERY_PARAM_VALUE_IDENTIFIER_PREFIX}${generateUrlSafeRandom({
-        length: RANDOM_STRING_LENGTH
-    })}`;
-}
-
-export function getIsStatQueryParamValue(params: { maybeStateQueryParamValue: string }): boolean {
-    const { maybeStateQueryParamValue } = params;
-
-    return (
-        maybeStateQueryParamValue.startsWith(STATE_QUERY_PARAM_VALUE_IDENTIFIER_PREFIX) &&
-        maybeStateQueryParamValue.length ===
-            STATE_QUERY_PARAM_VALUE_IDENTIFIER_PREFIX.length + RANDOM_STRING_LENGTH
-    );
-}
-
-export const STATE_STORE_KEY_PREFIX = "oidc.";
-
-function getKey(params: { stateQueryParamValue: string }) {
-    const { stateQueryParamValue } = params;
-
-    return `${STATE_STORE_KEY_PREFIX}${stateQueryParamValue}`;
-}
-
-function getStateStore(params: { stateQueryParamValue: string }): { data: StateData } | undefined {
-    const { stateQueryParamValue } = params;
-
-    const item = localStorage.getItem(getKey({ stateQueryParamValue }));
-
-    if (item === null) {
-        return undefined;
-    }
-
-    const obj = JSON.parse(item);
-
-    assert(
-        typeGuard<{ data: StateData }>(
-            obj,
-            obj instanceof Object && obj.data instanceof Object && typeof obj.data.context === "string"
-        )
-    );
-
-    return obj;
-}
-
-function setStateStore(params: { stateQueryParamValue: string; obj: { data: StateData } }) {
-    const { stateQueryParamValue, obj } = params;
-
-    localStorage.setItem(getKey({ stateQueryParamValue }), JSON.stringify(obj));
-}
-
-export function clearStateStore(params: { stateQueryParamValue: string }) {
-    const { stateQueryParamValue } = params;
-    localStorage.removeItem(getKey({ stateQueryParamValue }));
-}
-
-export function getStateData(params: { stateQueryParamValue: string }): StateData | undefined {
-    const { stateQueryParamValue } = params;
-
-    const stateStore = getStateStore({ stateQueryParamValue });
-
-    if (stateStore === undefined) {
-        return undefined;
-    }
-
-    return stateStore.data;
-}
-
-export function markStateDataAsProcessedByCallback(params: { stateQueryParamValue: string }) {
-    const { stateQueryParamValue } = params;
-
-    const obj = getStateStore({ stateQueryParamValue });
-
-    assert(obj !== undefined, "180465");
-    assert(obj.data.context === "redirect", "649531");
-
-    obj.data.hasBeenProcessedByCallback = true;
-
-    setStateStore({ stateQueryParamValue, obj });
-}

package/src/core/configId.ts

@@ -1,3 +0,0 @@
-export function getConfigId(params: { issuerUri: string; clientId: string }) {
-    return `${params.issuerUri}:${params.clientId}`;
-}

package/src/core/loginSilent.ts

@@ -1,206 +0,0 @@
-import type { UserManager as OidcClientTsUserManager } from "../vendor/frontend/oidc-client-ts-and-jwt-decode";
-import { Deferred } from "../tools/Deferred";
-import { id, assert, noUndefined } from "../vendor/frontend/tsafe";
-import { getStateData, clearStateStore, type StateData } from "./StateData";
-import { getDownlinkAndRtt } from "../tools/getDownlinkAndRtt";
-import { getIsDev } from "../tools/isDev";
-import type { User as OidcClientTsUser } from "../vendor/frontend/oidc-client-ts-and-jwt-decode";
-import { type AuthResponse } from "./AuthResponse";
-import { addOrUpdateSearchParam } from "../tools/urlSearchParams";
-import { initIframeMessageProtection } from "./iframeMessageProtection";
-
-type ResultOfLoginSilent =
-    | {
-          outcome: "got auth response from iframe";
-          authResponse: AuthResponse;
-      }
-    | {
-          outcome: "failure";
-          cause: "timeout" | "can't reach well-known oidc endpoint";
-      }
-    | {
-          outcome: "token refreshed using refresh token";
-          oidcClientTsUser: OidcClientTsUser;
-      };
-
-export async function loginSilent(params: {
-    oidcClientTsUserManager: OidcClientTsUserManager;
-    stateQueryParamValue_instance: string;
-    configId: string;
-
-    transformUrlBeforeRedirect:
-        | ((params: { authorizationUrl: string; isSilent: true }) => string)
-        | undefined;
-
-    getExtraQueryParams:
-        | ((params: { isSilent: true; url: string }) => Record<string, string | undefined>)
-        | undefined;
-
-    getExtraTokenParams: (() => Record<string, string | undefined>) | undefined;
-    autoLogin: boolean;
-}): Promise<ResultOfLoginSilent> {
-    const {
-        oidcClientTsUserManager,
-        stateQueryParamValue_instance,
-        configId,
-        transformUrlBeforeRedirect,
-        getExtraQueryParams,
-        getExtraTokenParams,
-        autoLogin
-    } = params;
-
-    const dResult = new Deferred<ResultOfLoginSilent>();
-
-    const timeoutDelayMs: number = (() => {
-        if (autoLogin) {
-            return 25_000;
-        }
-
-        const downlinkAndRtt = getDownlinkAndRtt();
-        const isDev = getIsDev();
-
-        // Base delay is the minimum delay we should wait in any case
-        const BASE_DELAY_MS = isDev ? 9_000 : 7_000;
-
-        if (downlinkAndRtt === undefined) {
-            return BASE_DELAY_MS;
-        }
-
-        const { downlink, rtt } = downlinkAndRtt;
-
-        // Calculate dynamic delay based on RTT and downlink
-        // Add 1 to downlink to avoid division by zero
-        const dynamicDelay = rtt * 2.5 + BASE_DELAY_MS / (downlink + 1);
-
-        return Math.max(BASE_DELAY_MS, dynamicDelay);
-    })();
-
-    const { decodeEncryptedAuth, getIsEncryptedAuthResponse, clearSessionStoragePublicKey } =
-        await initIframeMessageProtection({
-            stateQueryParamValue: stateQueryParamValue_instance
-        });
-
-    const timeout = setTimeout(async () => {
-        dResult.resolve({
-            outcome: "failure",
-            cause: "timeout"
-        });
-    }, timeoutDelayMs);
-
-    const listener = async (event: MessageEvent) => {
-        if (event.origin !== window.location.origin) {
-            return;
-        }
-
-        if (
-            !getIsEncryptedAuthResponse({
-                message: event.data
-            })
-        ) {
-            return;
-        }
-
-        const { authResponse } = await decodeEncryptedAuth({ encryptedAuthResponse: event.data });
-
-        const stateData = getStateData({ stateQueryParamValue: authResponse.state });
-
-        assert(stateData !== undefined, "765645");
-        assert(stateData.context === "iframe", "250711");
-
-        if (stateData.configId !== configId) {
-            return;
-        }
-
-        clearTimeout(timeout);
-
-        window.removeEventListener("message", listener);
-
-        dResult.resolve({
-            outcome: "got auth response from iframe",
-            authResponse
-        });
-    };
-
-    window.addEventListener("message", listener, false);
-
-    const transformUrl_oidcClientTs = (url: string) => {
-        add_extra_query_params: {
-            if (getExtraQueryParams === undefined) {
-                break add_extra_query_params;
-            }
-
-            const extraQueryParams = getExtraQueryParams({ isSilent: true, url });
-
-            for (const [name, value] of Object.entries(extraQueryParams)) {
-                if (value === undefined) {
-                    continue;
-                }
-                url = addOrUpdateSearchParam({ url, name, value, encodeMethod: "www-form" });
-            }
-        }
-
-        apply_transform_url: {
-            if (transformUrlBeforeRedirect === undefined) {
-                break apply_transform_url;
-            }
-            url = transformUrlBeforeRedirect({ authorizationUrl: url, isSilent: true });
-        }
-
-        return url;
-    };
-
-    oidcClientTsUserManager
-        .signinSilent({
-            state: id<StateData.IFrame>({
-                context: "iframe",
-                configId
-            }),
-            silentRequestTimeoutInSeconds: timeoutDelayMs / 1000,
-            extraTokenParams:
-                getExtraTokenParams === undefined ? undefined : noUndefined(getExtraTokenParams()),
-            transformUrl: transformUrl_oidcClientTs
-        })
-        .then(
-            oidcClientTsUser => {
-                assert(oidcClientTsUser !== null, "oidcClientTsUser is not supposed to be null here");
-
-                clearTimeout(timeout);
-
-                dResult.resolve({
-                    outcome: "token refreshed using refresh token",
-                    oidcClientTsUser
-                });
-            },
-            (error: Error) => {
-                if (error.message === "Failed to fetch") {
-                    // NOTE: If we got an error here it means that the fetch to the
-                    // well-known oidc endpoint failed.
-                    // This usually means that the server is down or that the issuerUri
-                    // is not pointing to a valid oidc server.
-                    // It could be a CORS error on the well-known endpoint but it's unlikely.
-
-                    clearTimeout(timeout);
-
-                    dResult.resolve({
-                        outcome: "failure",
-                        cause: "can't reach well-known oidc endpoint"
-                    });
-
-                    return;
-                }
-
-                // NOTE: Here, except error on our understanding there can't be any other
-                // error than timeout so we fail silently and let the timeout expire.
-            }
-        );
-
-    dResult.pr.then(result => {
-        clearSessionStoragePublicKey();
-
-        if (result.outcome === "failure") {
-            clearStateStore({ stateQueryParamValue: stateQueryParamValue_instance });
-        }
-    });
-
-    return dResult.pr;
-}

package/src/core/oidcClientTsUserToTokens.ts

@@ -1,229 +0,0 @@
-import type { User as OidcClientTsUser } from "../vendor/frontend/oidc-client-ts-and-jwt-decode";
-import { assert, id } from "../vendor/frontend/tsafe";
-import { readExpirationTimeInJwt } from "../tools/readExpirationTimeInJwt";
-import { decodeJwt } from "../tools/decodeJwt";
-import type { Oidc } from "./Oidc";
-
-export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, unknown>>(params: {
-    oidcClientTsUser: OidcClientTsUser;
-    decodedIdTokenSchema?: {
-        parse: (decodedIdToken_original: Oidc.Tokens.DecodedIdToken_base) => DecodedIdToken;
-    };
-    __unsafe_useIdTokenAsAccessToken: boolean;
-    decodedIdToken_previous: DecodedIdToken | undefined;
-    log: typeof console.log | undefined;
-}): Oidc.Tokens<DecodedIdToken> {
-    const {
-        oidcClientTsUser,
-        decodedIdTokenSchema,
-        __unsafe_useIdTokenAsAccessToken,
-        decodedIdToken_previous,
-        log
-    } = params;
-
-    const isFirstInit = decodedIdToken_previous === undefined;
-
-    const accessToken = oidcClientTsUser.access_token;
-
-    const refreshToken = oidcClientTsUser.refresh_token;
-
-    const idToken = oidcClientTsUser.id_token;
-
-    assert(idToken !== undefined, "No id token provided by the oidc server");
-
-    const decodedIdToken_original = decodeJwt<Oidc.Tokens.DecodedIdToken_base>(idToken);
-
-    if (isFirstInit) {
-        log?.(
-            [
-                `Decoded ID token`,
-                decodedIdTokenSchema === undefined ? "" : " before `decodedIdTokenSchema.parse()`\n",
-                JSON.stringify(decodedIdToken_original, null, 2)
-            ].join("")
-        );
-    }
-
-    const decodedIdToken = (() => {
-        let decodedIdToken: DecodedIdToken;
-
-        if (decodedIdTokenSchema !== undefined) {
-            decodedIdToken = decodedIdTokenSchema.parse(decodedIdToken_original);
-
-            if (isFirstInit) {
-                log?.(
-                    [
-                        "Decoded ID token after `decodedIdTokenSchema.parse()`\n",
-                        JSON.stringify(decodedIdToken, null, 2)
-                    ].join("")
-                );
-            }
-        } else {
-            // @ts-expect-error
-            decodedIdToken = decodedIdToken_original;
-        }
-
-        if (
-            decodedIdToken_previous !== undefined &&
-            JSON.stringify(decodedIdToken) === JSON.stringify(decodedIdToken_previous)
-        ) {
-            // NOTE: For stable ref, prevent re-render for component that would memoize
-            return decodedIdToken_previous;
-        }
-
-        return decodedIdToken;
-    })();
-
-    const issuedAtTime = (() => {
-        // NOTE: The id_token is always a JWT as per the protocol.
-        // We don't use Date.now() due to network latency.
-        const id_token_iat = (() => {
-            let iat: number | undefined;
-
-            try {
-                const iat_claimValue = decodedIdToken_original.iat;
-                assert(iat_claimValue === undefined || typeof iat_claimValue === "number");
-                iat = iat_claimValue;
-            } catch {
-                iat = undefined;
-            }
-
-            if (iat === undefined) {
-                return undefined;
-            }
-
-            return iat;
-        })();
-
-        if (id_token_iat === undefined) {
-            return Date.now();
-        }
-
-        return id_token_iat * 1000;
-    })();
-
-    const tokens_common: Oidc.Tokens.Common<DecodedIdToken> = {
-        ...(__unsafe_useIdTokenAsAccessToken
-            ? {
-                  accessToken: idToken,
-                  accessTokenExpirationTime: (() => {
-                      const expirationTime = readExpirationTimeInJwt(idToken);
-
-                      assert(
-                          expirationTime !== undefined,
-                          "Failed to get id token expiration time while trying to substitute the access token by the id token"
-                      );
-
-                      return expirationTime;
-                  })()
-              }
-            : {
-                  accessToken,
-                  accessTokenExpirationTime: (() => {
-                      read_from_jwt: {
-                          const expirationTime = readExpirationTimeInJwt(accessToken);
-
-                          if (expirationTime === undefined) {
-                              break read_from_jwt;
-                          }
-
-                          return expirationTime;
-                      }
-
-                      read_from_token_response_expires_at: {
-                          const { expires_at } = oidcClientTsUser.__oidc_spa_tokenResponse;
-
-                          if (expires_at === undefined) {
-                              break read_from_token_response_expires_at;
-                          }
-
-                          assert(typeof expires_at === "number", "2033392");
-
-                          return expires_at * 1000;
-                      }
-
-                      read_from_token_response_expires_in: {
-                          const { expires_in } = oidcClientTsUser.__oidc_spa_tokenResponse;
-
-                          if (expires_in === undefined) {
-                              break read_from_token_response_expires_in;
-                          }
-
-                          assert(typeof expires_in === "number", "203333425");
-
-                          return issuedAtTime + expires_in * 1_000;
-                      }
-
-                      assert(false, "Failed to get access token expiration time");
-                  })()
-              }),
-        idToken,
-        decodedIdToken,
-        decodedIdToken_original,
-        issuedAtTime
-    };
-
-    const tokens: Oidc.Tokens<DecodedIdToken> =
-        refreshToken === undefined
-            ? id<Oidc.Tokens.WithoutRefreshToken<DecodedIdToken>>({
-                  ...tokens_common,
-                  hasRefreshToken: false
-              })
-            : id<Oidc.Tokens.WithRefreshToken<DecodedIdToken>>({
-                  ...tokens_common,
-                  hasRefreshToken: true,
-                  refreshToken,
-                  refreshTokenExpirationTime: (() => {
-                      read_from_token_response_expires_at: {
-                          const { refresh_expires_at } = oidcClientTsUser.__oidc_spa_tokenResponse;
-
-                          if (refresh_expires_at === undefined) {
-                              break read_from_token_response_expires_at;
-                          }
-
-                          assert(typeof refresh_expires_at === "number", "2033392");
-
-                          return refresh_expires_at * 1000;
-                      }
-
-                      read_from_token_response_expires_in: {
-                          const { refresh_expires_in } = oidcClientTsUser.__oidc_spa_tokenResponse;
-
-                          if (refresh_expires_in === undefined) {
-                              break read_from_token_response_expires_in;
-                          }
-
-                          assert(typeof refresh_expires_in === "number", "2033425330");
-
-                          return issuedAtTime + refresh_expires_in * 1000;
-                      }
-
-                      read_from_jwt: {
-                          const expirationTime = readExpirationTimeInJwt(refreshToken);
-
-                          if (expirationTime === undefined) {
-                              break read_from_jwt;
-                          }
-
-                          return expirationTime;
-                      }
-
-                      return undefined;
-                  })()
-              });
-
-    if (
-        isFirstInit &&
-        tokens.hasRefreshToken &&
-        tokens.refreshTokenExpirationTime !== undefined &&
-        tokens.refreshTokenExpirationTime < tokens.accessTokenExpirationTime
-    ) {
-        console.warn(
-            [
-                "The OIDC refresh token expirationTime is shorter than the one of the access token.",
-                "This is very unusual and probably a misconfiguration."
-            ].join(" ")
-        );
-    }
-
-    return tokens;
-}