npm - oidc-spa - Versions diffs - 7.2.1 → 7.2.2 - Mend

oidc-spa 7.2.1 → 7.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (197) hide show

package/backend.js.map +1 -1
package/core/AuthResponse.js.map +1 -1
package/core/Oidc.js.map +1 -1
package/core/OidcInitializationError.js.map +1 -1
package/core/OidcMetadata.js.map +1 -1
package/core/StateData.js.map +1 -1
package/core/configId.js.map +1 -1
package/core/createOidc.js +1 -1
package/core/createOidc.js.map +1 -1
package/core/diagnostic.js.map +1 -1
package/core/evtIsUserActive.js.map +1 -1
package/core/handleOidcCallback.js.map +1 -1
package/core/iframeMessageProtection.js.map +1 -1
package/core/index.js.map +1 -1
package/core/initialLocationHref.js.map +1 -1
package/core/isNewBrowserSession.js.map +1 -1
package/core/loginOrGoToAuthServer.js.map +1 -1
package/core/loginPropagationToOtherTabs.js.map +1 -1
package/core/loginSilent.js.map +1 -1
package/core/logoutPropagationToOtherTabs.js.map +1 -1
package/core/oidcClientTsUserToTokens.js.map +1 -1
package/core/ongoingLoginOrRefreshProcesses.js.map +1 -1
package/core/persistedAuthState.js.map +1 -1
package/entrypoint.js.map +1 -1
package/esm/core/AuthResponse.js.map +1 -1
package/esm/core/Oidc.js.map +1 -1
package/esm/core/OidcInitializationError.js.map +1 -1
package/esm/core/OidcMetadata.js.map +1 -1
package/esm/core/StateData.js.map +1 -1
package/esm/core/configId.js.map +1 -1
package/esm/core/createOidc.js +1 -1
package/esm/core/createOidc.js.map +1 -1
package/esm/core/diagnostic.js.map +1 -1
package/esm/core/evtIsUserActive.js.map +1 -1
package/esm/core/handleOidcCallback.js.map +1 -1
package/esm/core/iframeMessageProtection.js.map +1 -1
package/esm/core/index.js.map +1 -1
package/esm/core/initialLocationHref.js.map +1 -1
package/esm/core/isNewBrowserSession.js.map +1 -1
package/esm/core/loginOrGoToAuthServer.js.map +1 -1
package/esm/core/loginPropagationToOtherTabs.js.map +1 -1
package/esm/core/loginSilent.js.map +1 -1
package/esm/core/logoutPropagationToOtherTabs.js.map +1 -1
package/esm/core/oidcClientTsUserToTokens.js.map +1 -1
package/esm/core/ongoingLoginOrRefreshProcesses.js.map +1 -1
package/esm/core/persistedAuthState.js.map +1 -1
package/esm/entrypoint.js.map +1 -1
package/esm/index.js.map +1 -1
package/esm/keycloak/index.js.map +1 -1
package/esm/keycloak/isKeycloak.js.map +1 -1
package/esm/keycloak/keycloak-js/Keycloak.js.map +1 -1
package/esm/keycloak/keycloak-js/index.js.map +1 -1
package/esm/keycloak/keycloak-js/types.js.map +1 -1
package/esm/keycloak/keycloakIssuerUriParsed.js.map +1 -1
package/esm/keycloak/keycloakUtils.js.map +1 -1
package/esm/keycloak-js.js.map +1 -1
package/esm/mock/index.js.map +1 -1
package/esm/mock/oidc.js.map +1 -1
package/esm/mock/react.js.map +1 -1
package/esm/react/index.js.map +1 -1
package/esm/react/react.js.map +1 -1
package/esm/tools/Deferred.js.map +1 -1
package/esm/tools/EphemeralSessionStorage.js.map +1 -1
package/esm/tools/Evt.js.map +1 -1
package/esm/tools/StatefulEvt.js.map +1 -1
package/esm/tools/ValueOrAsyncGetter.js.map +1 -1
package/esm/tools/asymmetricEncryption.js.map +1 -1
package/esm/tools/base64.js.map +1 -1
package/esm/tools/createObjectThatThrowsIfAccessed.js.map +1 -1
package/esm/tools/decodeJwt.js.map +1 -1
package/esm/tools/generateUrlSafeRandom.js.map +1 -1
package/esm/tools/getDownlinkAndRtt.js.map +1 -1
package/esm/tools/getIsOnline.js.map +1 -1
package/esm/tools/getIsValidRemoteJson.js.map +1 -1
package/esm/tools/getPrUserInteraction.js.map +1 -1
package/esm/tools/getUserEnvironmentInfo.js.map +1 -1
package/esm/tools/haveSharedParentDomain.js.map +1 -1
package/esm/tools/isDev.js.map +1 -1
package/esm/tools/parseKeycloakIssuerUri.js.map +1 -1
package/esm/tools/readExpirationTimeInJwt.js.map +1 -1
package/esm/tools/startCountdown.js.map +1 -1
package/esm/tools/subscribeToUserInteraction.js.map +1 -1
package/esm/tools/toFullyQualifiedUrl.js.map +1 -1
package/esm/tools/toHumanReadableDuration.js.map +1 -1
package/esm/tools/urlSearchParams.js.map +1 -1
package/esm/tools/workerTimers.js.map +1 -1
package/index.js.map +1 -1
package/keycloak/index.js.map +1 -1
package/keycloak/isKeycloak.js.map +1 -1
package/keycloak/keycloak-js/Keycloak.js.map +1 -1
package/keycloak/keycloak-js/index.js.map +1 -1
package/keycloak/keycloak-js/types.js.map +1 -1
package/keycloak/keycloakIssuerUriParsed.js.map +1 -1
package/keycloak/keycloakUtils.js.map +1 -1
package/keycloak-js.js.map +1 -1
package/mock/index.js.map +1 -1
package/mock/oidc.js.map +1 -1
package/mock/react.js.map +1 -1
package/package.json +1 -1
package/react/index.js.map +1 -1
package/react/react.js.map +1 -1
package/src/backend.ts +391 -0
package/src/core/AuthResponse.ts +26 -0
package/src/core/Oidc.ts +140 -0
package/src/core/OidcInitializationError.ts +19 -0
package/src/core/OidcMetadata.ts +271 -0
package/src/core/StateData.ts +118 -0
package/src/core/configId.ts +3 -0
package/src/core/createOidc.ts +1576 -0
package/src/core/diagnostic.ts +267 -0
package/src/core/evtIsUserActive.ts +108 -0
package/src/core/handleOidcCallback.ts +321 -0
package/src/core/iframeMessageProtection.ts +100 -0
package/src/core/index.ts +4 -0
package/src/core/initialLocationHref.ts +5 -0
package/src/core/isNewBrowserSession.ts +37 -0
package/src/core/loginOrGoToAuthServer.ts +324 -0
package/src/core/loginPropagationToOtherTabs.ts +51 -0
package/src/core/loginSilent.ts +242 -0
package/src/core/logoutPropagationToOtherTabs.ts +53 -0
package/src/core/oidcClientTsUserToTokens.ts +229 -0
package/src/core/ongoingLoginOrRefreshProcesses.ts +47 -0
package/src/core/persistedAuthState.ts +122 -0
package/src/entrypoint.ts +69 -0
package/src/index.ts +1 -0
package/src/keycloak/index.ts +8 -0
package/src/keycloak/isKeycloak.ts +23 -0
package/src/keycloak/keycloak-js/Keycloak.ts +1097 -0
package/src/keycloak/keycloak-js/index.ts +2 -0
package/src/keycloak/keycloak-js/types.ts +442 -0
package/src/keycloak/keycloakIssuerUriParsed.ts +29 -0
package/src/keycloak/keycloakUtils.ts +90 -0
package/src/keycloak-js.ts +1 -0
package/src/mock/index.ts +1 -0
package/src/mock/oidc.ts +211 -0
package/src/mock/react.tsx +11 -0
package/src/react/index.ts +1 -0
package/src/react/react.tsx +476 -0
package/src/tools/Deferred.ts +33 -0
package/src/tools/EphemeralSessionStorage.ts +223 -0
package/src/tools/Evt.ts +56 -0
package/src/tools/StatefulEvt.ts +38 -0
package/src/tools/ValueOrAsyncGetter.ts +1 -0
package/src/tools/asymmetricEncryption.ts +184 -0
package/src/tools/base64.ts +7 -0
package/src/tools/createObjectThatThrowsIfAccessed.ts +40 -0
package/src/tools/decodeJwt.ts +95 -0
package/src/tools/generateUrlSafeRandom.ts +26 -0
package/src/tools/getDownlinkAndRtt.ts +22 -0
package/src/tools/getIsOnline.ts +20 -0
package/src/tools/getIsValidRemoteJson.ts +18 -0
package/src/tools/getPrUserInteraction.ts +27 -0
package/src/tools/getUserEnvironmentInfo.ts +42 -0
package/src/tools/haveSharedParentDomain.ts +13 -0
package/src/tools/isDev.ts +30 -0
package/src/tools/parseKeycloakIssuerUri.ts +49 -0
package/src/tools/readExpirationTimeInJwt.ts +16 -0
package/src/tools/startCountdown.ts +36 -0
package/src/tools/subscribeToUserInteraction.ts +33 -0
package/src/tools/toFullyQualifiedUrl.ts +58 -0
package/src/tools/toHumanReadableDuration.ts +21 -0
package/src/tools/urlSearchParams.ts +130 -0
package/src/tools/workerTimers.ts +57 -0
package/src/vendor/backend/evt.ts +2 -0
package/src/vendor/backend/jsonwebtoken.ts +1 -0
package/src/vendor/backend/node-fetch.ts +2 -0
package/src/vendor/backend/node-jose.ts +1 -0
package/src/vendor/backend/tsafe.ts +5 -0
package/src/vendor/backend/zod.ts +1 -0
package/src/vendor/frontend/oidc-client-ts.ts +1 -0
package/src/vendor/frontend/tsafe.ts +6 -0
package/src/vendor/frontend/worker-timers.ts +2 -0
package/tools/Deferred.js.map +1 -1
package/tools/EphemeralSessionStorage.js.map +1 -1
package/tools/Evt.js.map +1 -1
package/tools/StatefulEvt.js.map +1 -1
package/tools/ValueOrAsyncGetter.js.map +1 -1
package/tools/asymmetricEncryption.js.map +1 -1
package/tools/base64.js.map +1 -1
package/tools/createObjectThatThrowsIfAccessed.js.map +1 -1
package/tools/decodeJwt.js.map +1 -1
package/tools/generateUrlSafeRandom.js.map +1 -1
package/tools/getDownlinkAndRtt.js.map +1 -1
package/tools/getIsOnline.js.map +1 -1
package/tools/getIsValidRemoteJson.js.map +1 -1
package/tools/getPrUserInteraction.js.map +1 -1
package/tools/getUserEnvironmentInfo.js.map +1 -1
package/tools/haveSharedParentDomain.js.map +1 -1
package/tools/isDev.js.map +1 -1
package/tools/parseKeycloakIssuerUri.js.map +1 -1
package/tools/readExpirationTimeInJwt.js.map +1 -1
package/tools/startCountdown.js.map +1 -1
package/tools/subscribeToUserInteraction.js.map +1 -1
package/tools/toFullyQualifiedUrl.js.map +1 -1
package/tools/toHumanReadableDuration.js.map +1 -1
package/tools/urlSearchParams.js.map +1 -1
package/tools/workerTimers.js.map +1 -1

package/src/core/loginSilent.ts ADDED Viewed

@@ -0,0 +1,242 @@
+import type {
+    UserManager as OidcClientTsUserManager,
+    User as OidcClientTsUser
+} from "../vendor/frontend/oidc-client-ts";
+import { Deferred } from "../tools/Deferred";
+import { id, assert, noUndefined } from "../vendor/frontend/tsafe";
+import { getStateData, clearStateStore, type StateData } from "./StateData";
+import { getDownlinkAndRtt } from "../tools/getDownlinkAndRtt";
+import { getIsDev } from "../tools/isDev";
+import { type AuthResponse } from "./AuthResponse";
+import { addOrUpdateSearchParam } from "../tools/urlSearchParams";
+import { initIframeMessageProtection } from "./iframeMessageProtection";
+type ResultOfLoginSilent =
+    | {
+          outcome: "got auth response from iframe";
+          authResponse: AuthResponse;
+      }
+    | {
+          outcome: "failure";
+          cause: "timeout" | "can't reach well-known oidc endpoint";
+      }
+    | {
+          outcome: "token refreshed using refresh token";
+          oidcClientTsUser: OidcClientTsUser;
+      };
+export async function loginSilent(params: {
+    oidcClientTsUserManager: OidcClientTsUserManager;
+    stateUrlParamValue_instance: string;
+    configId: string;
+    transformUrlBeforeRedirect:
+        | ((params: { authorizationUrl: string; isSilent: true }) => string)
+        | undefined;
+    getExtraQueryParams:
+        | ((params: { isSilent: true; url: string }) => Record<string, string | undefined>)
+        | undefined;
+    getExtraTokenParams: (() => Record<string, string | undefined>) | undefined;
+    autoLogin: boolean;
+}): Promise<ResultOfLoginSilent> {
+    const {
+        oidcClientTsUserManager,
+        stateUrlParamValue_instance,
+        configId,
+        transformUrlBeforeRedirect,
+        getExtraQueryParams,
+        getExtraTokenParams,
+        autoLogin
+    } = params;
+    const dResult = new Deferred<ResultOfLoginSilent>();
+    const timeoutDelayMs: number = (() => {
+        const isDev = getIsDev();
+        const downlinkAndRtt = getDownlinkAndRtt();
+        // Base delay is the minimum delay we should wait in any case
+        const BASE_DELAY_MS = isDev ? 9_000 : autoLogin ? 25_000 : 7_000;
+        if (downlinkAndRtt === undefined) {
+            return BASE_DELAY_MS;
+        }
+        const { downlink, rtt } = downlinkAndRtt;
+        // Calculate dynamic delay based on RTT and downlink
+        // Add 1 to downlink to avoid division by zero
+        const dynamicDelay = rtt * 2.5 + BASE_DELAY_MS / (downlink + 1);
+        return Math.max(BASE_DELAY_MS, dynamicDelay);
+    })();
+    const { decodeEncryptedAuth, getIsEncryptedAuthResponse, clearSessionStoragePublicKey } =
+        await initIframeMessageProtection({
+            stateUrlParamValue: stateUrlParamValue_instance
+        });
+    let clearTimeouts: (params: { wasSuccess: boolean }) => void;
+    {
+        let hasLoggedWarningMessage = false;
+        const timeouts = [
+            setTimeout(() => {
+                dResult.resolve({
+                    outcome: "failure",
+                    cause: "timeout"
+                });
+            }, timeoutDelayMs),
+            setTimeout(() => {
+                console.warn(
+                    [
+                        "oidc-spa: Session restoration is taking longer than expected.",
+                        "This likely indicates a misconfiguration.",
+                        `Waiting ${Math.floor(
+                            timeoutDelayMs / 1_000
+                        )} seconds before running diagnostics.`,
+                        "Once the timeout expires, helpful debugging information will be printed to the console."
+                    ].join(" ")
+                );
+                hasLoggedWarningMessage = true;
+            }, 2_000)
+        ];
+        clearTimeouts = ({ wasSuccess }) => {
+            timeouts.forEach(clearTimeout);
+            if (wasSuccess && hasLoggedWarningMessage) {
+                console.log(
+                    [
+                        "oidc-spa: Never mind, the auth server was just slow to respond.",
+                        "You can safely ignore the previous warning."
+                    ].join(" ")
+                );
+            }
+        };
+    }
+    const listener = async (event: MessageEvent) => {
+        if (event.origin !== window.location.origin) {
+            return;
+        }
+        if (
+            !getIsEncryptedAuthResponse({
+                message: event.data
+            })
+        ) {
+            return;
+        }
+        const { authResponse } = await decodeEncryptedAuth({ encryptedAuthResponse: event.data });
+        const stateData = getStateData({ stateUrlParamValue: authResponse.state });
+        assert(stateData !== undefined, "765645");
+        assert(stateData.context === "iframe", "250711");
+        if (stateData.configId !== configId) {
+            return;
+        }
+        clearTimeouts({ wasSuccess: true });
+        window.removeEventListener("message", listener);
+        dResult.resolve({
+            outcome: "got auth response from iframe",
+            authResponse
+        });
+    };
+    window.addEventListener("message", listener, false);
+    const transformUrl_oidcClientTs = (url: string) => {
+        add_extra_query_params: {
+            if (getExtraQueryParams === undefined) {
+                break add_extra_query_params;
+            }
+            const extraQueryParams = getExtraQueryParams({ isSilent: true, url });
+            for (const [name, value] of Object.entries(extraQueryParams)) {
+                if (value === undefined) {
+                    continue;
+                }
+                url = addOrUpdateSearchParam({ url, name, value, encodeMethod: "www-form" });
+            }
+        }
+        apply_transform_url: {
+            if (transformUrlBeforeRedirect === undefined) {
+                break apply_transform_url;
+            }
+            url = transformUrlBeforeRedirect({ authorizationUrl: url, isSilent: true });
+        }
+        return url;
+    };
+    oidcClientTsUserManager
+        .signinSilent({
+            state: id<StateData.IFrame>({
+                context: "iframe",
+                configId
+            }),
+            silentRequestTimeoutInSeconds: timeoutDelayMs / 1000,
+            extraTokenParams:
+                getExtraTokenParams === undefined ? undefined : noUndefined(getExtraTokenParams()),
+            transformUrl: transformUrl_oidcClientTs
+        })
+        .then(
+            oidcClientTsUser => {
+                assert(oidcClientTsUser !== null, "oidcClientTsUser is not supposed to be null here");
+                clearTimeouts({ wasSuccess: true });
+                window.removeEventListener("message", listener);
+                dResult.resolve({
+                    outcome: "token refreshed using refresh token",
+                    oidcClientTsUser
+                });
+            },
+            (error: Error) => {
+                if (error.message === "Failed to fetch") {
+                    // NOTE: If we got an error here it means that the fetch to the
+                    // well-known oidc endpoint failed.
+                    // This usually means that the server is down or that the issuerUri
+                    // is not pointing to a valid oidc server.
+                    // It could be a CORS error on the well-known endpoint but it's unlikely.
+                    // NOTE: This error should happen well before we displayed
+                    // the warning notifying that something is probably misconfigured.
+                    // wasSuccess shouldn't really be a required parameter but we do it
+                    // for peace of mind.
+                    clearTimeouts({ wasSuccess: false });
+                    dResult.resolve({
+                        outcome: "failure",
+                        cause: "can't reach well-known oidc endpoint"
+                    });
+                    return;
+                }
+                // NOTE: Here, except error on our understanding there can't be any other
+                // error than timeout so we fail silently and let the timeout expire.
+            }
+        );
+    dResult.pr.then(result => {
+        clearSessionStoragePublicKey();
+        if (result.outcome === "failure") {
+            clearStateStore({ stateUrlParamValue: stateUrlParamValue_instance });
+        }
+    });
+    return dResult.pr;
+}

package/src/core/logoutPropagationToOtherTabs.ts ADDED Viewed

@@ -0,0 +1,53 @@
+import { assert, is } from "../vendor/frontend/tsafe";
+import { Deferred } from "../tools/Deferred";
+const globalContext = {
+    appInstanceId: Math.random().toString(36).slice(2)
+};
+type Message = {
+    appInstanceId: string;
+    configId: string;
+};
+function getChannelName(params: { sessionIdOrConfigId: string }) {
+    const { sessionIdOrConfigId } = params;
+    return `oidc-spa:logout-propagation:${sessionIdOrConfigId}`;
+}
+export function notifyOtherTabsOfLogout(params: { configId: string; sessionId: string | undefined }) {
+    const { configId, sessionId } = params;
+    const message: Message = {
+        configId,
+        appInstanceId: globalContext.appInstanceId
+    };
+    new BroadcastChannel(getChannelName({ sessionIdOrConfigId: sessionId ?? configId })).postMessage(
+        message
+    );
+}
+export function getPrOtherTabLogout(params: { sessionId: string | undefined; configId: string }) {
+    const { sessionId, configId } = params;
+    const dOtherTabLogout = new Deferred<void>();
+    const channel = new BroadcastChannel(getChannelName({ sessionIdOrConfigId: sessionId ?? configId }));
+    channel.onmessage = ({ data: message }) => {
+        assert(is<Message>(message));
+        if (message.appInstanceId === globalContext.appInstanceId) {
+            return;
+        }
+        channel.close();
+        dOtherTabLogout.resolve();
+    };
+    const prOtherTabLogout = dOtherTabLogout.pr;
+    return { prOtherTabLogout };
+}

package/src/core/oidcClientTsUserToTokens.ts ADDED Viewed

@@ -0,0 +1,229 @@
+import type { User as OidcClientTsUser } from "../vendor/frontend/oidc-client-ts";
+import { assert, id } from "../vendor/frontend/tsafe";
+import { readExpirationTimeInJwt } from "../tools/readExpirationTimeInJwt";
+import { decodeJwt } from "../tools/decodeJwt";
+import type { Oidc } from "./Oidc";
+export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, unknown>>(params: {
+    oidcClientTsUser: OidcClientTsUser;
+    decodedIdTokenSchema?: {
+        parse: (decodedIdToken_original: Oidc.Tokens.DecodedIdToken_base) => DecodedIdToken;
+    };
+    __unsafe_useIdTokenAsAccessToken: boolean;
+    decodedIdToken_previous: DecodedIdToken | undefined;
+    log: typeof console.log | undefined;
+}): Oidc.Tokens<DecodedIdToken> {
+    const {
+        oidcClientTsUser,
+        decodedIdTokenSchema,
+        __unsafe_useIdTokenAsAccessToken,
+        decodedIdToken_previous,
+        log
+    } = params;
+    const isFirstInit = decodedIdToken_previous === undefined;
+    const accessToken = oidcClientTsUser.access_token;
+    const refreshToken = oidcClientTsUser.refresh_token;
+    const idToken = oidcClientTsUser.id_token;
+    assert(idToken !== undefined, "No id token provided by the oidc server");
+    const decodedIdToken_original = decodeJwt<Oidc.Tokens.DecodedIdToken_base>(idToken);
+    if (isFirstInit) {
+        log?.(
+            [
+                `Decoded ID token`,
+                decodedIdTokenSchema === undefined ? "" : " before `decodedIdTokenSchema.parse()`\n",
+                JSON.stringify(decodedIdToken_original, null, 2)
+            ].join("")
+        );
+    }
+    const decodedIdToken = (() => {
+        let decodedIdToken: DecodedIdToken;
+        if (decodedIdTokenSchema !== undefined) {
+            decodedIdToken = decodedIdTokenSchema.parse(decodedIdToken_original);
+            if (isFirstInit) {
+                log?.(
+                    [
+                        "Decoded ID token after `decodedIdTokenSchema.parse()`\n",
+                        JSON.stringify(decodedIdToken, null, 2)
+                    ].join("")
+                );
+            }
+        } else {
+            // @ts-expect-error
+            decodedIdToken = decodedIdToken_original;
+        }
+        if (
+            decodedIdToken_previous !== undefined &&
+            JSON.stringify(decodedIdToken) === JSON.stringify(decodedIdToken_previous)
+        ) {
+            // NOTE: For stable ref, prevent re-render for component that would memoize
+            return decodedIdToken_previous;
+        }
+        return decodedIdToken;
+    })();
+    const issuedAtTime = (() => {
+        // NOTE: The id_token is always a JWT as per the protocol.
+        // We don't use Date.now() due to network latency.
+        const id_token_iat = (() => {
+            let iat: number | undefined;
+            try {
+                const iat_claimValue = decodedIdToken_original.iat;
+                assert(iat_claimValue === undefined || typeof iat_claimValue === "number");
+                iat = iat_claimValue;
+            } catch {
+                iat = undefined;
+            }
+            if (iat === undefined) {
+                return undefined;
+            }
+            return iat;
+        })();
+        if (id_token_iat === undefined) {
+            return Date.now();
+        }
+        return id_token_iat * 1000;
+    })();
+    const tokens_common: Oidc.Tokens.Common<DecodedIdToken> = {
+        ...(__unsafe_useIdTokenAsAccessToken
+            ? {
+                  accessToken: idToken,
+                  accessTokenExpirationTime: (() => {
+                      const expirationTime = readExpirationTimeInJwt(idToken);
+                      assert(
+                          expirationTime !== undefined,
+                          "Failed to get id token expiration time while trying to substitute the access token by the id token"
+                      );
+                      return expirationTime;
+                  })()
+              }
+            : {
+                  accessToken,
+                  accessTokenExpirationTime: (() => {
+                      read_from_jwt: {
+                          const expirationTime = readExpirationTimeInJwt(accessToken);
+                          if (expirationTime === undefined) {
+                              break read_from_jwt;
+                          }
+                          return expirationTime;
+                      }
+                      read_from_token_response_expires_at: {
+                          const { expires_at } = oidcClientTsUser.__oidc_spa_tokenResponse;
+                          if (expires_at === undefined) {
+                              break read_from_token_response_expires_at;
+                          }
+                          assert(typeof expires_at === "number", "2033392");
+                          return expires_at * 1000;
+                      }
+                      read_from_token_response_expires_in: {
+                          const { expires_in } = oidcClientTsUser.__oidc_spa_tokenResponse;
+                          if (expires_in === undefined) {
+                              break read_from_token_response_expires_in;
+                          }
+                          assert(typeof expires_in === "number", "203333425");
+                          return issuedAtTime + expires_in * 1_000;
+                      }
+                      assert(false, "Failed to get access token expiration time");
+                  })()
+              }),
+        idToken,
+        decodedIdToken,
+        decodedIdToken_original,
+        issuedAtTime
+    };
+    const tokens: Oidc.Tokens<DecodedIdToken> =
+        refreshToken === undefined
+            ? id<Oidc.Tokens.WithoutRefreshToken<DecodedIdToken>>({
+                  ...tokens_common,
+                  hasRefreshToken: false
+              })
+            : id<Oidc.Tokens.WithRefreshToken<DecodedIdToken>>({
+                  ...tokens_common,
+                  hasRefreshToken: true,
+                  refreshToken,
+                  refreshTokenExpirationTime: (() => {
+                      read_from_token_response_expires_at: {
+                          const { refresh_expires_at } = oidcClientTsUser.__oidc_spa_tokenResponse;
+                          if (refresh_expires_at === undefined) {
+                              break read_from_token_response_expires_at;
+                          }
+                          assert(typeof refresh_expires_at === "number", "2033392");
+                          return refresh_expires_at * 1000;
+                      }
+                      read_from_token_response_expires_in: {
+                          const { refresh_expires_in } = oidcClientTsUser.__oidc_spa_tokenResponse;
+                          if (refresh_expires_in === undefined) {
+                              break read_from_token_response_expires_in;
+                          }
+                          assert(typeof refresh_expires_in === "number", "2033425330");
+                          return issuedAtTime + refresh_expires_in * 1000;
+                      }
+                      read_from_jwt: {
+                          const expirationTime = readExpirationTimeInJwt(refreshToken);
+                          if (expirationTime === undefined) {
+                              break read_from_jwt;
+                          }
+                          return expirationTime;
+                      }
+                      return undefined;
+                  })()
+              });
+    if (
+        isFirstInit &&
+        tokens.hasRefreshToken &&
+        tokens.refreshTokenExpirationTime !== undefined &&
+        tokens.refreshTokenExpirationTime < tokens.accessTokenExpirationTime
+    ) {
+        console.warn(
+            [
+                "The OIDC refresh token expirationTime is shorter than the one of the access token.",
+                "This is very unusual and probably a misconfiguration."
+            ].join(" ")
+        );
+    }
+    return tokens;
+}

package/src/core/ongoingLoginOrRefreshProcesses.ts ADDED Viewed

@@ -0,0 +1,47 @@
+import { Deferred } from "../tools/Deferred";
+import { assert, id } from "../vendor/frontend/tsafe";
+const globalContext = {
+    prDone_arr: id<Promise<void>[]>([]),
+    prUnlock: id<Promise<void>>(Promise.resolve())
+};
+export async function startLoginOrRefreshProcess(): Promise<{
+    completeLoginOrRefreshProcess: () => void;
+}> {
+    await globalContext.prUnlock;
+    const dDone = new Deferred<void>();
+    const { prDone_arr } = globalContext;
+    prDone_arr.push(dDone.pr);
+    function completeLoginOrRefreshProcess() {
+        const index = prDone_arr.indexOf(dDone.pr);
+        assert(index !== -1, "104044");
+        prDone_arr.splice(index, 1);
+        dDone.resolve();
+    }
+    return { completeLoginOrRefreshProcess };
+}
+export async function waitForAllOtherOngoingLoginOrRefreshProcessesToComplete(params: {
+    prUnlock: Promise<void>;
+}): Promise<void> {
+    const { prUnlock } = params;
+    const prUnlock_current = globalContext.prUnlock;
+    globalContext.prUnlock = (async () => {
+        await prUnlock_current;
+        await prUnlock;
+    })();
+    await Promise.all(globalContext.prDone_arr);
+}

package/src/core/persistedAuthState.ts ADDED Viewed

@@ -0,0 +1,122 @@
+import { typeGuard, id } from "../vendor/frontend/tsafe";
+function getKey(params: { configId: string }) {
+    const { configId } = params;
+    return `oidc-spa:auth-state:${configId}`;
+}
+type PersistedAuthState = PersistedAuthState.LoggedIn | PersistedAuthState.ExplicitlyLoggedOut;
+namespace PersistedAuthState {
+    type Common = {
+        __brand: "PersistedAuthState-v1";
+    };
+    export type LoggedIn = Common & {
+        stateDescription: "logged in";
+        untilTime: number | undefined;
+    };
+    export type ExplicitlyLoggedOut = Common & {
+        stateDescription: "explicitly logged out";
+    };
+}
+export function persistAuthState(params: {
+    configId: string;
+    state:
+        | {
+              stateDescription: "logged in";
+              idleSessionLifetimeInSeconds: number | undefined;
+              refreshTokenExpirationTime: number | undefined;
+          }
+        | {
+              stateDescription: "explicitly logged out";
+          }
+        | undefined;
+}) {
+    const { configId, state } = params;
+    const key = getKey({ configId });
+    if (state === undefined) {
+        localStorage.removeItem(key);
+        return;
+    }
+    localStorage.setItem(
+        key,
+        JSON.stringify(
+            id<PersistedAuthState>(
+                (() => {
+                    switch (state.stateDescription) {
+                        case "logged in":
+                            return id<PersistedAuthState.LoggedIn>({
+                                __brand: "PersistedAuthState-v1",
+                                stateDescription: "logged in",
+                                untilTime: (() => {
+                                    const { idleSessionLifetimeInSeconds, refreshTokenExpirationTime } =
+                                        state;
+                                    if (idleSessionLifetimeInSeconds !== undefined) {
+                                        return Date.now() + idleSessionLifetimeInSeconds * 1000;
+                                    }
+                                    return refreshTokenExpirationTime;
+                                })()
+                            });
+                        case "explicitly logged out":
+                            return id<PersistedAuthState.ExplicitlyLoggedOut>({
+                                __brand: "PersistedAuthState-v1",
+                                stateDescription: "explicitly logged out"
+                            });
+                    }
+                })()
+            )
+        )
+    );
+}
+export function getPersistedAuthState(params: {
+    configId: string;
+}): PersistedAuthState["stateDescription"] | undefined {
+    const { configId } = params;
+    const key = getKey({ configId });
+    const value = localStorage.getItem(key);
+    if (value === null) {
+        return undefined;
+    }
+    let state: unknown;
+    try {
+        state = JSON.parse(value);
+    } catch {
+        localStorage.removeItem(key);
+        return undefined;
+    }
+    if (
+        !typeGuard<PersistedAuthState>(
+            state,
+            state instanceof Object &&
+                "__brand" in state &&
+                state.__brand === id<PersistedAuthState["__brand"]>("PersistedAuthState-v1")
+        )
+    ) {
+        localStorage.removeItem(key);
+        return undefined;
+    }
+    if (state.stateDescription === "logged in") {
+        if (state.untilTime !== undefined && state.untilTime <= Date.now()) {
+            localStorage.removeItem(key);
+            return undefined;
+        }
+    }
+    return state.stateDescription;
+}