oidc-spa 7.2.0 → 7.2.2

package/src/tools/Deferred.ts

@@ -0,0 +1,33 @@
+export class Deferred<T> {
+    public readonly pr: Promise<T>;
+
+    /** NOTE: Does not need to be called bound to instance*/
+    public readonly resolve: (value: T) => void;
+    public readonly reject: (error: any) => void;
+
+    constructor() {
+        let resolve!: (value: T) => void;
+        let reject!: (error: any) => void;
+
+        this.pr = new Promise<T>((resolve_, reject_) => {
+            resolve = value => {
+                resolve_(value);
+            };
+
+            reject = error => {
+                reject_(error);
+            };
+        });
+
+        this.resolve = resolve;
+        this.reject = reject;
+    }
+}
+
+export namespace Deferred {
+    export type Unpack<T extends Deferred<any>> = T extends Deferred<infer U> ? U : never;
+}
+
+export class VoidDeferred extends Deferred<undefined> {
+    public declare readonly resolve: () => void;
+}

package/src/tools/EphemeralSessionStorage.ts

@@ -0,0 +1,223 @@
+import { assert, typeGuard, id } from "../vendor/frontend/tsafe";
+
+type SessionStorageItem_Parsed = {
+    __brand: "SessionStorageItem_Parsed-v1";
+    value: string;
+    expiresAtTime: number;
+};
+
+function parseSessionStorageItem(
+    sessionStorageItemValue: string
+): SessionStorageItem_Parsed | undefined {
+    let json: unknown;
+
+    try {
+        json = JSON.parse(sessionStorageItemValue);
+    } catch {
+        return undefined;
+    }
+
+    if (
+        !typeGuard<SessionStorageItem_Parsed>(
+            json,
+            json instanceof Object &&
+                "__brand" in json &&
+                json.__brand === id<SessionStorageItem_Parsed["__brand"]>("SessionStorageItem_Parsed-v1")
+        )
+    ) {
+        return undefined;
+    }
+
+    return json;
+}
+
+type InMemoryItem = {
+    key: string;
+    value: string;
+    removeFromSessionStorage: (() => void) | undefined;
+};
+
+const SESSION_STORAGE_PREFIX = "ephemeral:";
+
+function createStoreInSessionStorageAndScheduleRemovalInMemoryItem(params: {
+    key: string;
+    value: string;
+    remainingTtlMs: number;
+}): InMemoryItem {
+    const { key, value, remainingTtlMs } = params;
+
+    const sessionStorageKey = `${SESSION_STORAGE_PREFIX}${key}`;
+
+    const removeFromSessionStorage = () => {
+        inMemoryItem.removeFromSessionStorage = undefined;
+        clearTimeout(timer);
+        sessionStorage.removeItem(sessionStorageKey);
+    };
+
+    const timer = setTimeout(() => removeFromSessionStorage(), remainingTtlMs);
+
+    const inMemoryItem: InMemoryItem = {
+        key,
+        value,
+        removeFromSessionStorage
+    };
+
+    sessionStorage.removeItem(sessionStorageKey);
+
+    sessionStorage.setItem(
+        sessionStorageKey,
+        JSON.stringify(
+            id<SessionStorageItem_Parsed>({
+                __brand: "SessionStorageItem_Parsed-v1",
+                value,
+                expiresAtTime: Date.now() + remainingTtlMs
+            })
+        )
+    );
+
+    return inMemoryItem;
+}
+
+export type EphemeralSessionStorage = {
+    // `Storage` methods, we don't use the type directly because it has [name: string]: any;
+    readonly length: number;
+    clear(): void;
+    getItem(key: string): string | null;
+    key(index: number): string | null;
+    removeItem(key: string): void;
+    setItem(key: string, value: string): void;
+
+    // Custom method
+    persistCurrentStateAndSubsequentChanges: () => void;
+};
+
+export function createEphemeralSessionStorage(params: {
+    sessionStorageTtlMs: number;
+}): EphemeralSessionStorage {
+    const { sessionStorageTtlMs } = params;
+
+    const inMemoryItems: InMemoryItem[] = [];
+
+    for (let i = 0; i < sessionStorage.length; i++) {
+        const sessionStorageKey = sessionStorage.key(i);
+        assert(sessionStorageKey !== null, "470498");
+
+        if (!sessionStorageKey.startsWith(SESSION_STORAGE_PREFIX)) {
+            continue;
+        }
+
+        const sessionStorageItem = sessionStorage.getItem(sessionStorageKey);
+
+        assert(sessionStorageItem !== null, "846771");
+
+        const sessionStorageItem_parsed = parseSessionStorageItem(sessionStorageItem);
+
+        if (sessionStorageItem_parsed === undefined) {
+            continue;
+        }
+
+        const remainingTtlMs = sessionStorageItem_parsed.expiresAtTime - Date.now();
+
+        sessionStorage.removeItem(sessionStorageKey);
+
+        if (remainingTtlMs <= 0) {
+            continue;
+        }
+
+        inMemoryItems.push({
+            key: sessionStorageKey.slice(SESSION_STORAGE_PREFIX.length),
+            value: sessionStorageItem_parsed.value,
+            removeFromSessionStorage: undefined
+        });
+    }
+
+    let isPersistenceEnabled = false;
+
+    const storage: EphemeralSessionStorage = {
+        persistCurrentStateAndSubsequentChanges: () => {
+            isPersistenceEnabled = true;
+
+            for (let i = 0; i < storage.length; i++) {
+                const key = storage.key(i);
+                assert(key !== null, "803385");
+
+                const value = storage.getItem(key);
+
+                assert(value !== null, "777098");
+
+                storage.setItem(key, value);
+            }
+        },
+        get length() {
+            return inMemoryItems.length;
+        },
+        key: index => {
+            const inMemoryItem = inMemoryItems[index];
+
+            if (inMemoryItem === undefined) {
+                return null;
+            }
+
+            return inMemoryItem.key;
+        },
+        removeItem: key => {
+            const inMemoryItem = inMemoryItems.find(item => item.key === key);
+
+            if (inMemoryItem === undefined) {
+                return;
+            }
+
+            inMemoryItem.removeFromSessionStorage?.();
+
+            const index = inMemoryItems.indexOf(inMemoryItem);
+
+            inMemoryItems.splice(index, 1);
+        },
+        clear: () => {
+            for (let i = 0; i < storage.length; i++) {
+                const key = storage.key(i);
+                assert(key !== null, "290875");
+                storage.removeItem(key);
+            }
+        },
+        getItem: key => {
+            const inMemoryItem = inMemoryItems.find(item => item.key === key);
+            if (inMemoryItem === undefined) {
+                return null;
+            }
+            return inMemoryItem.value;
+        },
+        setItem: (key, value) => {
+            let existingInMemoryItemIndex: number | undefined = undefined;
+
+            {
+                const inMemoryItem = inMemoryItems.find(item => item.key === key);
+
+                if (inMemoryItem !== undefined) {
+                    inMemoryItem.removeFromSessionStorage?.();
+                    existingInMemoryItemIndex = inMemoryItems.indexOf(inMemoryItem);
+                }
+            }
+
+            const inMemoryItem_new = isPersistenceEnabled
+                ? createStoreInSessionStorageAndScheduleRemovalInMemoryItem({
+                      key,
+                      value,
+                      remainingTtlMs: sessionStorageTtlMs
+                  })
+                : id<InMemoryItem>({
+                      key,
+                      value,
+                      removeFromSessionStorage: undefined
+                  });
+
+            if (existingInMemoryItemIndex !== undefined) {
+                inMemoryItems[existingInMemoryItemIndex] = inMemoryItem_new;
+            } else {
+                inMemoryItems.push(inMemoryItem_new);
+            }
+        }
+    };
+
+    return storage;
+}

package/src/tools/Evt.ts

@@ -0,0 +1,56 @@
+import { Deferred } from "./Deferred";
+import { assert, is } from "../vendor/frontend/tsafe";
+
+export type NonPostableEvt<T> = {
+    waitFor: () => Promise<T>;
+    subscribe: (next: (data: T) => void) => { unsubscribe: () => void };
+    postCount: number;
+};
+
+export type Evt<T> = NonPostableEvt<T> & {
+    post: (data: T) => void;
+};
+
+export function createEvt<T>(): Evt<T> {
+    const eventTarget = new EventTarget();
+    const KEY = "event";
+
+    let postCount = 0;
+
+    const evt: Evt<T> = {
+        subscribe: next => {
+            const listener = (e: Event) => {
+                assert(is<CustomEvent<T>>(e));
+
+                next(e.detail);
+            };
+
+            eventTarget.addEventListener(KEY, listener);
+
+            return {
+                unsubscribe: () => {
+                    eventTarget.removeEventListener(KEY, listener);
+                }
+            };
+        },
+        waitFor: () => {
+            const d = new Deferred<T>();
+
+            const { unsubscribe } = evt.subscribe(data => {
+                unsubscribe();
+                d.resolve(data);
+            });
+
+            return d.pr;
+        },
+        post: (data: T) => {
+            postCount++;
+            eventTarget.dispatchEvent(new CustomEvent(KEY, { detail: data }));
+        },
+        get postCount() {
+            return postCount;
+        }
+    };
+
+    return evt;
+}

package/src/tools/StatefulEvt.ts

@@ -0,0 +1,38 @@
+export type StatefulEvt<T> = {
+    current: T;
+    subscribe: (next: (data: T) => void) => Subscription;
+};
+
+export type StatefulReadonlyEvt<T> = {
+    readonly current: T;
+    subscribe: (next: (data: T) => void) => Subscription;
+};
+
+export type Subscription = {
+    unsubscribe: () => void;
+};
+
+export function createStatefulEvt<T>(getInitialValue: () => T): StatefulEvt<T> {
+    let nextFunctions: ((data: T) => void)[] = [];
+
+    let wrappedState: [T] | undefined = undefined;
+
+    return {
+        get current() {
+            if (wrappedState === undefined) {
+                wrappedState = [getInitialValue()];
+            }
+            return wrappedState[0];
+        },
+        set current(data: T) {
+            wrappedState = [data];
+
+            nextFunctions.forEach(next => next(data));
+        },
+        subscribe: (next: (data: T) => void) => {
+            nextFunctions.push(next);
+
+            return { unsubscribe: () => nextFunctions.splice(nextFunctions.indexOf(next), 1) };
+        }
+    };
+}

package/src/tools/ValueOrAsyncGetter.ts

@@ -0,0 +1 @@
+export type ValueOrAsyncGetter<T> = T | (() => Promise<T>);

package/src/tools/asymmetricEncryption.ts

@@ -0,0 +1,184 @@
+type AsymmetricKeys = {
+    publicKey: string; // base64-encoded JSON export of CryptoKey
+    privateKey: string; // base64-encoded JSON export of CryptoKey
+};
+
+const INFO_LABEL = "oidc-spa/tools/asymmetricEncryption";
+
+export async function generateKeys(): Promise<AsymmetricKeys> {
+    const keyPair = await crypto.subtle.generateKey(
+        {
+            name: "ECDH",
+            namedCurve: "P-256"
+        },
+        true,
+        ["deriveKey", "deriveBits"]
+    );
+
+    const publicKeyRaw = await crypto.subtle.exportKey("jwk", keyPair.publicKey);
+    const privateKeyRaw = await crypto.subtle.exportKey("jwk", keyPair.privateKey);
+
+    return {
+        publicKey: btoa(JSON.stringify(publicKeyRaw)),
+        privateKey: btoa(JSON.stringify(privateKeyRaw))
+    };
+}
+
+export async function asymmetricEncrypt(params: {
+    publicKey: string;
+    message: string;
+}): Promise<{ encryptedMessage: string }> {
+    const { publicKey, message } = params;
+
+    const importedPublicKey = await crypto.subtle.importKey(
+        "jwk",
+        JSON.parse(atob(publicKey)),
+        {
+            name: "ECDH",
+            namedCurve: "P-256"
+        },
+        false,
+        []
+    );
+
+    const ephemeralKeyPair = await crypto.subtle.generateKey(
+        {
+            name: "ECDH",
+            namedCurve: "P-256"
+        },
+        true,
+        ["deriveKey", "deriveBits"]
+    );
+
+    const sharedSecret = await crypto.subtle.deriveBits(
+        {
+            name: "ECDH",
+            public: importedPublicKey
+        },
+        ephemeralKeyPair.privateKey,
+        256
+    );
+
+    const salt = crypto.getRandomValues(new Uint8Array(16));
+    const infoBytes = new TextEncoder().encode(INFO_LABEL);
+
+    const hkdfKey = await crypto.subtle.importKey("raw", sharedSecret, "HKDF", false, ["deriveKey"]);
+
+    const derivedKey = await crypto.subtle.deriveKey(
+        {
+            name: "HKDF",
+            hash: "SHA-256",
+            salt,
+            info: infoBytes
+        },
+        hkdfKey,
+        { name: "AES-GCM", length: 256 },
+        false,
+        ["encrypt"]
+    );
+
+    const iv = crypto.getRandomValues(new Uint8Array(12));
+    const encodedMessage = new TextEncoder().encode(message);
+
+    const ciphertext = await crypto.subtle.encrypt(
+        {
+            name: "AES-GCM",
+            iv
+        },
+        derivedKey,
+        encodedMessage
+    );
+
+    const ephemeralPubKeyRaw = await crypto.subtle.exportKey("jwk", ephemeralKeyPair.publicKey);
+
+    const payload = {
+        ephemeralPubKey: ephemeralPubKeyRaw,
+        iv: Array.from(iv),
+        salt: Array.from(salt),
+        ciphertext: Array.from(new Uint8Array(ciphertext))
+    };
+
+    return {
+        encryptedMessage: btoa(JSON.stringify(payload))
+    };
+}
+
+export async function asymmetricDecrypt(params: {
+    privateKey: string;
+    encryptedMessage: string;
+}): Promise<{ message: string }> {
+    const { privateKey, encryptedMessage } = params;
+
+    const {
+        ephemeralPubKey,
+        iv,
+        salt,
+        ciphertext
+    }: {
+        ephemeralPubKey: JsonWebKey;
+        iv: number[];
+        salt: number[];
+        ciphertext: number[];
+    } = JSON.parse(atob(encryptedMessage));
+
+    const importedPrivateKey = await crypto.subtle.importKey(
+        "jwk",
+        JSON.parse(atob(privateKey)),
+        {
+            name: "ECDH",
+            namedCurve: "P-256"
+        },
+        false,
+        ["deriveKey", "deriveBits"]
+    );
+
+    const importedEphemeralPubKey = await crypto.subtle.importKey(
+        "jwk",
+        ephemeralPubKey,
+        {
+            name: "ECDH",
+            namedCurve: "P-256"
+        },
+        false,
+        []
+    );
+
+    const sharedSecret = await crypto.subtle.deriveBits(
+        {
+            name: "ECDH",
+            public: importedEphemeralPubKey
+        },
+        importedPrivateKey,
+        256
+    );
+
+    const infoBytes = new TextEncoder().encode(INFO_LABEL);
+
+    const hkdfKey = await crypto.subtle.importKey("raw", sharedSecret, "HKDF", false, ["deriveKey"]);
+
+    const derivedKey = await crypto.subtle.deriveKey(
+        {
+            name: "HKDF",
+            hash: "SHA-256",
+            salt: new Uint8Array(salt),
+            info: infoBytes
+        },
+        hkdfKey,
+        { name: "AES-GCM", length: 256 },
+        false,
+        ["decrypt"]
+    );
+
+    const decryptedBuffer = await crypto.subtle.decrypt(
+        {
+            name: "AES-GCM",
+            iv: new Uint8Array(iv)
+        },
+        derivedKey,
+        new Uint8Array(ciphertext)
+    );
+
+    return {
+        message: new TextDecoder().decode(decryptedBuffer)
+    };
+}

package/src/tools/base64.ts

@@ -0,0 +1,7 @@
+export function decodeBase64(encoded: string): string {
+    return new TextDecoder().decode(Uint8Array.from(atob(encoded), c => c.charCodeAt(0)));
+}
+
+export function encodeBase64(decoded: string): string {
+    return btoa(new TextEncoder().encode(decoded).reduce((acc, c) => acc + String.fromCharCode(c), ""));
+}

package/src/tools/createObjectThatThrowsIfAccessed.ts

@@ -0,0 +1,40 @@
+const keyIsTrapped = "isTrapped_zSskDe9d";
+
+export class AccessError extends Error {
+    constructor(message: string) {
+        super(message);
+        Object.setPrototypeOf(this, new.target.prototype);
+    }
+}
+
+export function createObjectThatThrowsIfAccessed<T extends object>(params?: {
+    debugMessage?: string;
+    isPropertyWhitelisted?: (prop: string | number | symbol) => boolean;
+}): T {
+    const { debugMessage = "", isPropertyWhitelisted = () => false } = params ?? {};
+
+    const get: NonNullable<ProxyHandler<T>["get"]> = (...args) => {
+        const [, prop] = args;
+
+        if (isPropertyWhitelisted(prop)) {
+            return Reflect.get(...args);
+        }
+
+        if (prop === keyIsTrapped) {
+            return true;
+        }
+
+        throw new AccessError(`Cannot access ${String(prop)} yet ${debugMessage}`);
+    };
+
+    const trappedObject = new Proxy<T>({} as any, {
+        get,
+        set: get
+    });
+
+    return trappedObject;
+}
+
+export function isObjectThatThrowIfAccessed(obj: object) {
+    return (obj as any)[keyIsTrapped] === true;
+}

package/src/tools/decodeJwt.ts

@@ -0,0 +1,95 @@
+// Copy pasted jwt-decode v4.0.0
+
+export interface JwtDecodeOptions {
+    header?: boolean;
+}
+
+export interface JwtHeader {
+    typ?: string;
+    alg?: string;
+    kid?: string;
+}
+
+export interface JwtPayload {
+    iss?: string;
+    sub?: string;
+    aud?: string[] | string;
+    exp?: number;
+    nbf?: number;
+    iat?: number;
+    jti?: string;
+}
+
+export class InvalidTokenError extends Error {}
+
+InvalidTokenError.prototype.name = "InvalidTokenError";
+
+function b64DecodeUnicode(str: string) {
+    return decodeURIComponent(
+        atob(str).replace(/(.)/g, (_m, p) => {
+            let code = (p as string).charCodeAt(0).toString(16).toUpperCase();
+            if (code.length < 2) {
+                code = "0" + code;
+            }
+            return "%" + code;
+        })
+    );
+}
+
+function base64UrlDecode(str: string) {
+    let output = str.replace(/-/g, "+").replace(/_/g, "/");
+    switch (output.length % 4) {
+        case 0:
+            break;
+        case 2:
+            output += "==";
+            break;
+        case 3:
+            output += "=";
+            break;
+        default:
+            throw new Error("base64 string is not of the correct length");
+    }
+
+    try {
+        return b64DecodeUnicode(output);
+    } catch (err) {
+        return atob(output);
+    }
+}
+
+function jwtDecode<T = JwtHeader>(token: string, options: JwtDecodeOptions & { header: true }): T;
+function jwtDecode<T = JwtPayload>(token: string, options?: JwtDecodeOptions): T;
+function jwtDecode<T = JwtHeader | JwtPayload>(token: string, options?: JwtDecodeOptions): T {
+    if (typeof token !== "string") {
+        throw new InvalidTokenError("Invalid token specified: must be a string");
+    }
+
+    options ||= {};
+
+    const pos = options.header === true ? 0 : 1;
+    const part = token.split(".")[pos];
+
+    if (typeof part !== "string") {
+        throw new InvalidTokenError(`Invalid token specified: missing part #${pos + 1}`);
+    }
+
+    let decoded: string;
+    try {
+        decoded = base64UrlDecode(part);
+    } catch (e) {
+        throw new InvalidTokenError(
+            `Invalid token specified: invalid base64 for part #${pos + 1} (${(e as Error).message})`
+        );
+    }
+
+    try {
+        return JSON.parse(decoded) as T;
+    } catch (e) {
+        throw new InvalidTokenError(
+            `Invalid token specified: invalid json for part #${pos + 1} (${(e as Error).message})`
+        );
+    }
+}
+
+export const decodeJwt = jwtDecode;

package/src/tools/generateUrlSafeRandom.ts

@@ -0,0 +1,26 @@
+export function generateUrlSafeRandom(params: { length: number }): string {
+    const { length } = params;
+
+    // Compute required byte length before encoding
+    const byteLength = Math.ceil((length * 3) / 4);
+
+    const crypto = window.crypto || (window as any).msCrypto;
+    const array = new Uint8Array(byteLength);
+    crypto.getRandomValues(array);
+
+    // Encode and apply Base64URL transformations
+    let base64url = btoa(String.fromCharCode(...array))
+        .replace(/\+/g, "-") // Base64URL encoding
+        .replace(/\//g, "_")
+        .replace(/=+$/, ""); // Remove padding
+
+    // Trim or regenerate if too short
+    if (base64url.length > length) {
+        return base64url.substring(0, length);
+    } else if (base64url.length < length) {
+        // If trimming removes too much, recursively generate more
+        return base64url + generateUrlSafeRandom({ length: length - base64url.length });
+    }
+
+    return base64url;
+}