oidc-spa 8.1.10 → 8.1.11
- package/backend.d.ts +27 -6
- package/backend.js +124 -139
- package/backend.js.map +1 -1
- package/core/Oidc.d.ts +28 -4
- package/core/createOidc.d.ts +12 -3
- package/core/createOidc.js +1 -1
- package/core/createOidc.js.map +1 -1
- package/core/earlyInit.d.ts +1 -0
- package/core/earlyInit.js +11 -4
- package/core/earlyInit.js.map +1 -1
- package/core/loginOrGoToAuthServer.js +8 -3
- package/core/loginOrGoToAuthServer.js.map +1 -1
- package/core/oidcClientTsUserToTokens.d.ts +1 -1
- package/core/oidcClientTsUserToTokens.js.map +1 -1
- package/core/requiredPostHydrationReplaceNavigationUrl.d.ts +6 -0
- package/core/requiredPostHydrationReplaceNavigationUrl.js +12 -0
- package/core/requiredPostHydrationReplaceNavigationUrl.js.map +1 -0
- package/entrypoint.d.ts +1 -0
- package/entrypoint.js +3 -1
- package/entrypoint.js.map +1 -1
- package/esm/angular.d.ts +14 -4
- package/esm/angular.js +155 -10
- package/esm/angular.js.map +1 -1
- package/esm/backend.d.ts +48 -0
- package/esm/backend.js +259 -0
- package/esm/backend.js.map +1 -0
- package/esm/core/Oidc.d.ts +28 -4
- package/esm/core/createOidc.d.ts +12 -3
- package/esm/core/createOidc.js +1 -1
- package/esm/core/createOidc.js.map +1 -1
- package/esm/core/earlyInit.d.ts +1 -0
- package/esm/core/earlyInit.js +11 -4
- package/esm/core/earlyInit.js.map +1 -1
- package/esm/core/loginOrGoToAuthServer.js +8 -3
- package/esm/core/loginOrGoToAuthServer.js.map +1 -1
- package/esm/core/oidcClientTsUserToTokens.d.ts +1 -1
- package/esm/core/oidcClientTsUserToTokens.js.map +1 -1
- package/esm/core/requiredPostHydrationReplaceNavigationUrl.d.ts +6 -0
- package/esm/core/requiredPostHydrationReplaceNavigationUrl.js +8 -0
- package/esm/core/requiredPostHydrationReplaceNavigationUrl.js.map +1 -0
- package/esm/entrypoint.d.ts +1 -0
- package/esm/entrypoint.js +1 -0
- package/esm/entrypoint.js.map +1 -1
- package/esm/mock/oidc.d.ts +1 -1
- package/esm/mock/oidc.js.map +1 -1
- package/esm/react/react.d.ts +1 -1
- package/esm/tanstack-start/react/accessTokenValidation_rfc9068.d.ts +12 -0
- package/esm/tanstack-start/react/accessTokenValidation_rfc9068.js +95 -0
- package/esm/tanstack-start/react/accessTokenValidation_rfc9068.js.map +1 -0
- package/esm/tanstack-start/react/apiBuilder.d.ts +27 -0
- package/esm/tanstack-start/react/apiBuilder.js +58 -0
- package/esm/tanstack-start/react/apiBuilder.js.map +1 -0
- package/esm/tanstack-start/react/createOidcSpaApi.d.ts +9 -0
- package/esm/tanstack-start/react/createOidcSpaApi.js +678 -0
- package/esm/tanstack-start/react/createOidcSpaApi.js.map +1 -0
- package/esm/tanstack-start/react/index.d.ts +3 -0
- package/esm/tanstack-start/react/index.js +4 -0
- package/esm/tanstack-start/react/index.js.map +1 -0
- package/esm/tanstack-start/react/rfcUnifiedClientRetryForSsrLoaders/UnifiedClientRetryForSsrLoadersError.d.ts +4 -0
- package/esm/tanstack-start/react/rfcUnifiedClientRetryForSsrLoaders/UnifiedClientRetryForSsrLoadersError.js +8 -0
- package/esm/tanstack-start/react/rfcUnifiedClientRetryForSsrLoaders/UnifiedClientRetryForSsrLoadersError.js.map +1 -0
- package/esm/tanstack-start/react/rfcUnifiedClientRetryForSsrLoaders/enableUnifiedClientRetryForSsrLoaders.d.ts +4 -0
- package/esm/tanstack-start/react/rfcUnifiedClientRetryForSsrLoaders/enableUnifiedClientRetryForSsrLoaders.js +76 -0
- package/esm/tanstack-start/react/rfcUnifiedClientRetryForSsrLoaders/enableUnifiedClientRetryForSsrLoaders.js.map +1 -0
- package/esm/tanstack-start/react/rfcUnifiedClientRetryForSsrLoaders/entrypoint.d.ts +1 -0
- package/esm/tanstack-start/react/rfcUnifiedClientRetryForSsrLoaders/entrypoint.js +11 -0
- package/esm/tanstack-start/react/rfcUnifiedClientRetryForSsrLoaders/entrypoint.js.map +1 -0
- package/esm/tanstack-start/react/rfcUnifiedClientRetryForSsrLoaders/index.d.ts +2 -0
- package/esm/tanstack-start/react/rfcUnifiedClientRetryForSsrLoaders/index.js +3 -0
- package/esm/tanstack-start/react/rfcUnifiedClientRetryForSsrLoaders/index.js.map +1 -0
- package/esm/tanstack-start/react/types.d.ts +355 -0
- package/esm/tanstack-start/react/types.js +2 -0
- package/esm/tanstack-start/react/types.js.map +1 -0
- package/esm/tanstack-start/react/withHandlingOidcPostLoginNavigation.d.ts +2 -0
- package/esm/tanstack-start/react/withHandlingOidcPostLoginNavigation.js +25 -0
- package/esm/tanstack-start/react/withHandlingOidcPostLoginNavigation.js.map +1 -0
- package/esm/tools/GetterOrDirectValue.d.ts +1 -0
- package/esm/tools/GetterOrDirectValue.js +2 -0
- package/esm/tools/GetterOrDirectValue.js.map +1 -0
- package/esm/tools/ZodSchemaLike.d.ts +3 -0
- package/esm/tools/ZodSchemaLike.js +2 -0
- package/esm/tools/ZodSchemaLike.js.map +1 -0
- package/esm/tools/inferIsViteDev.d.ts +1 -0
- package/esm/tools/inferIsViteDev.js +6 -0
- package/esm/tools/inferIsViteDev.js.map +1 -0
- package/esm/tools/infer_import_meta_env_BASE_URL.d.ts +1 -0
- package/esm/tools/infer_import_meta_env_BASE_URL.js +15 -0
- package/esm/tools/infer_import_meta_env_BASE_URL.js.map +1 -0
- package/esm/tools/tsafe/uncapitalize.d.ts +2 -0
- package/esm/tools/tsafe/uncapitalize.js +5 -0
- package/esm/tools/tsafe/uncapitalize.js.map +1 -0
- package/esm/vendor/backend/evt.d.ts +2 -0
- package/esm/vendor/backend/evt.js +3286 -0
- package/esm/vendor/backend/jose.d.ts +1 -0
- package/esm/vendor/backend/jose.js +3546 -0
- package/esm/vendor/backend/tsafe.d.ts +5 -0
- package/esm/vendor/backend/tsafe.js +68 -0
- package/esm/vendor/backend/zod.d.ts +1 -0
- package/esm/vendor/backend/zod.js +4023 -0
- package/esm/vendor/frontend/worker-timers.js +261 -1
- package/mock/oidc.d.ts +1 -1
- package/mock/oidc.js.map +1 -1
- package/package.json +40 -4
- package/react/react.d.ts +1 -1
- package/src/angular.ts +224 -9
- package/src/backend.ts +201 -166
- package/src/core/Oidc.ts +41 -11
- package/src/core/createOidc.ts +12 -3
- package/src/core/earlyInit.ts +19 -4
- package/src/core/loginOrGoToAuthServer.ts +11 -3
- package/src/core/oidcClientTsUserToTokens.ts +2 -2
- package/src/core/requiredPostHydrationReplaceNavigationUrl.ts +11 -0
- package/src/entrypoint.ts +1 -0
- package/src/mock/oidc.ts +2 -2
- package/src/react/react.tsx +1 -1
- package/src/tanstack-start/react/accessTokenValidation_rfc9068.ts +135 -0
- package/src/tanstack-start/react/apiBuilder.ts +151 -0
- package/src/tanstack-start/react/createOidcSpaApi.tsx +1009 -0
- package/src/tanstack-start/react/index.ts +5 -0
- package/src/tanstack-start/react/rfcUnifiedClientRetryForSsrLoaders/UnifiedClientRetryForSsrLoadersError.ts +8 -0
- package/src/tanstack-start/react/rfcUnifiedClientRetryForSsrLoaders/enableUnifiedClientRetryForSsrLoaders.tsx +110 -0
- package/src/tanstack-start/react/rfcUnifiedClientRetryForSsrLoaders/entrypoint.ts +13 -0
- package/src/tanstack-start/react/rfcUnifiedClientRetryForSsrLoaders/index.ts +2 -0
- package/src/tanstack-start/react/types.tsx +415 -0
- package/src/tanstack-start/react/withHandlingOidcPostLoginNavigation.tsx +35 -0
- package/src/tools/GetterOrDirectValue.ts +1 -0
- package/src/tools/ZodSchemaLike.ts +3 -0
- package/src/tools/getThisCodebaseRootDirPath_cjs.ts +19 -0
- package/src/tools/inferIsViteDev.ts +6 -0
- package/src/tools/infer_import_meta_env_BASE_URL.ts +19 -0
- package/src/tools/tsafe/uncapitalize.ts +4 -0
- package/src/vendor/backend/jose.ts +1 -0
- package/src/vendor/build-runtime/babel.ts +6 -0
- package/src/vendor/build-runtime/magic-string.ts +3 -0
- package/src/vite-plugin/detectProjectType.ts +20 -0
- package/src/vite-plugin/excludeModuleExportFromOptimizedDeps.ts +20 -0
- package/src/vite-plugin/handleClientEntrypoint.ts +260 -0
- package/src/vite-plugin/index.ts +1 -0
- package/src/vite-plugin/transformCreateFileRoute.ts +240 -0
- package/src/vite-plugin/vite-plugin.ts +54 -0
- package/tools/GetterOrDirectValue.d.ts +1 -0
- package/tools/GetterOrDirectValue.js +3 -0
- package/tools/GetterOrDirectValue.js.map +1 -0
- package/tools/ZodSchemaLike.d.ts +3 -0
- package/tools/ZodSchemaLike.js +3 -0
- package/tools/ZodSchemaLike.js.map +1 -0
- package/tools/getThisCodebaseRootDirPath_cjs.d.ts +2 -0
- package/tools/getThisCodebaseRootDirPath_cjs.js +53 -0
- package/tools/getThisCodebaseRootDirPath_cjs.js.map +1 -0
- package/tools/tsafe/uncapitalize.d.ts +2 -0
- package/tools/tsafe/uncapitalize.js +8 -0
- package/tools/tsafe/uncapitalize.js.map +1 -0
- package/vendor/backend/jose.d.ts +1 -0
- package/vendor/backend/jose.js +3 -0
- package/vendor/build-runtime/babel.d.ts +6 -0
- package/vendor/build-runtime/babel.js +3 -0
- package/vendor/build-runtime/magic-string.d.ts +2 -0
- package/vendor/build-runtime/magic-string.js +2 -0
- package/vendor/frontend/oidc-client-ts.js +0 -2
- package/vite-plugin/detectProjectType.d.ts +10 -0
- package/vite-plugin/detectProjectType.js +15 -0
- package/vite-plugin/detectProjectType.js.map +1 -0
- package/vite-plugin/excludeModuleExportFromOptimizedDeps.d.ts +4 -0
- package/vite-plugin/excludeModuleExportFromOptimizedDeps.js +50 -0
- package/vite-plugin/excludeModuleExportFromOptimizedDeps.js.map +1 -0
- package/vite-plugin/handleClientEntrypoint.d.ts +10 -0
- package/vite-plugin/handleClientEntrypoint.js +211 -0
- package/vite-plugin/handleClientEntrypoint.js.map +1 -0
- package/vite-plugin/index.d.ts +1 -0
- package/vite-plugin/index.js +6 -0
- package/vite-plugin/index.js.map +1 -0
- package/vite-plugin/transformCreateFileRoute.d.ts +10 -0
- package/vite-plugin/transformCreateFileRoute.js +173 -0
- package/vite-plugin/transformCreateFileRoute.js.map +1 -0
- package/vite-plugin/vite-plugin.d.ts +5 -0
- package/vite-plugin/vite-plugin.js +46 -0
- package/vite-plugin/vite-plugin.js.map +1 -0
- package/src/vendor/backend/jsonwebtoken.ts +0 -1
- package/src/vendor/backend/node-fetch.ts +0 -2
- package/src/vendor/backend/node-jose.ts +0 -1
- package/vendor/backend/jsonwebtoken.d.ts +0 -1
- package/vendor/backend/jsonwebtoken.js +0 -3
- package/vendor/backend/node-fetch.d.ts +0 -2
- package/vendor/backend/node-fetch.js +0 -2
- package/vendor/backend/node-jose.d.ts +0 -1
- package/vendor/backend/node-jose.js +0 -3
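--- a/package/backend.d.ts
+++ b/package/backend.d.ts
@@ -1,19 +1,39 @@
-
+import type { ZodSchemaLike } from "./tools/ZodSchemaLike";
+/**
+* Claims defined by RFC 9068: "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
+* https://datatracker.ietf.org/doc/html/rfc9068
+*
+* These tokens are intended for consumption by resource servers.
+*/
+export type DecodedAccessToken_RFC9068 = {
+iss: string;
+sub: string;
+aud: string | string[];
+exp: number;
+iat: number;
+client_id?: string;
+scope?: string;
+jti?: string;
+nbf?: number;
+auth_time?: number;
+cnf?: Record<string, unknown>;
+[key: string]: unknown;
+};
+export type ParamsOfCreateOidcBackend<DecodedAccessToken> = {
 issuerUri: string;
-decodedAccessTokenSchema?:
-parse: (data: unknown) => DecodedAccessToken;
-};
+decodedAccessTokenSchema?: ZodSchemaLike<DecodedAccessToken_RFC9068, DecodedAccessToken>;
 };
 export type OidcBackend<DecodedAccessToken extends Record<string, unknown>> = {
 verifyAndDecodeAccessToken(params: {
 accessToken: string;
-}): ResultOfAccessTokenVerify<DecodedAccessToken
+}): Promise<ResultOfAccessTokenVerify<DecodedAccessToken>>;
 };
 export type ResultOfAccessTokenVerify<DecodedAccessToken> = ResultOfAccessTokenVerify.Valid<DecodedAccessToken> | ResultOfAccessTokenVerify.Invalid;
 export declare namespace ResultOfAccessTokenVerify {
 type Valid<DecodedAccessToken> = {
 isValid: true;
 decodedAccessToken: DecodedAccessToken;
+decodedAccessToken_original: DecodedAccessToken_RFC9068;
 errorCase?: never;
 errorMessage?: never;
 };
@@ -22,6 +42,7 @@ export declare namespace ResultOfAccessTokenVerify {
 errorCase: "expired" | "invalid signature" | "does not respect schema";
 errorMessage: string;
 decodedAccessToken?: never;
+decodedAccessToken_original?: never;
 };
 }
-export declare function createOidcBackend<DecodedAccessToken extends Record<string, unknown
+export declare function createOidcBackend<DecodedAccessToken extends Record<string, unknown> = DecodedAccessToken_RFC9068>(params: ParamsOfCreateOidcBackend<DecodedAccessToken>): Promise<OidcBackend<DecodedAccessToken>>;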
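Review bot: `Invalid.errorCase` at new line 42 (`"expired" | "invalid signature" | "does not respect schema"`) is undocumented, and the accompanying backend.js maps every failure other than expiry and schema mismatch to `"invalid signature"`: an undecodable header, a missing `kid`, an unsupported `alg`, a `kid` absent from the JWKS, and any other `jwtVerify` rejection. Consumers branching on this value will otherwise read it as a cryptographic failure only; a doc comment such as `/** "invalid signature" covers every verification failure other than expiry and schema mismatch: malformed header, missing or unknown kid, unsupported alg, or a rejected signature or claim. */` would settle that. This declaration file is emitted from src/backend.ts, so the comment belongs on the type there. The `DecodedAccessToken_RFC9068` comment could likewise state which of its claims the verifier enforces and which it only shape-checks, since that is what a resource server needs to know before trusting `iss` or `aud`.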
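--- a/package/backend.js
+++ b/package/backend.js
@@ -1,51 +1,34 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-if (k2 === undefined) k2 = k;
-var desc = Object.getOwnPropertyDescriptor(m, k);
-if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-desc = { enumerable: true, get: function() { return m[k]; } };
-}
-Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-if (k2 === undefined) k2 = k;
-o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-var ownKeys = function(o) {
-ownKeys = Object.getOwnPropertyNames || function (o) {
-var ar = [];
-for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-return ar;
-};
-return ownKeys(o);
-};
-return function (mod) {
-if (mod && mod.__esModule) return mod;
-var result = {};
-if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-__setModuleDefault(result, mod);
-return result;
-};
-})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createOidcBackend = createOidcBackend;
-const node_fetch_1 = require("./vendor/backend/node-fetch");
 const tsafe_1 = require("./vendor/backend/tsafe");
-const
-const jwt = __importStar(require("./vendor/backend/jsonwebtoken"));
+const jose_1 = require("./vendor/backend/jose");
 const zod_1 = require("./vendor/backend/zod");
 const evt_1 = require("./vendor/backend/evt");
-const
+const zDecodedAccessToken_RFC9068 = (() => {
+const zTargetType = zod_1.z
+.object({
+iss: zod_1.z.string(),
+sub: zod_1.z.string(),
+aud: zod_1.z.union([zod_1.z.string(), zod_1.z.array(zod_1.z.string())]),
+exp: zod_1.z.number(),
+iat: zod_1.z.number(),
+client_id: zod_1.z.string().optional(),
+scope: zod_1.z.string().optional(),
+jti: zod_1.z.string().optional(),
+nbf: zod_1.z.number().optional(),
+auth_time: zod_1.z.number().optional(),
+cnf: zod_1.z.record(zod_1.z.unknown()).optional()
+})
+.catchall(zod_1.z.unknown());
+tsafe_1.assert;
+return (0, tsafe_1.id)(zTargetType);
+})();
 async function createOidcBackend(params) {
-const { issuerUri, decodedAccessTokenSchema
+const { issuerUri, decodedAccessTokenSchema } = params;
 let publicSigningKeys = await fetchPublicSigningKeys({ issuerUri });
 const evtInvalidSignature = evt_1.Evt.create();
-evtInvalidSignature.pipe((0,
+evtInvalidSignature.pipe((0, evt_1.throttleTime)(3600000)).attach(async () => {
 const publicSigningKeys_new = await (async function callee(count) {
 let wrap;
 try {
@@ -69,122 +52,123 @@ async function createOidcBackend(params) {
 publicSigningKeys = publicSigningKeys_new;
 });
 return {
-verifyAndDecodeAccessToken: ({ accessToken }) => {
+verifyAndDecodeAccessToken: async ({ accessToken }) => {
 let kid;
 let alg;
 {
-
-let jwtHeader;
+let header;
 try {
-
+header = (0, jose_1.decodeProtectedHeader)(accessToken);
 }
 catch {
 return {
 isValid: false,
 errorCase: "invalid signature",
-errorMessage: "Failed to decode the JWT header
+errorMessage: "Failed to decode the JWT header"
 };
 }
-
-
-decodedHeader = JSON.parse(jwtHeader);
-}
-catch {
+const { kid: kidFromHeader, alg: algFromHeader } = header;
+if (typeof kidFromHeader !== "string" || kidFromHeader.length === 0) {
 return {
 isValid: false,
 errorCase: "invalid signature",
-errorMessage: "
+errorMessage: "The decoded JWT header does not have a kid property"
 };
 }
-
-kid: zod_1.z.string(),
-alg: zod_1.z.string()
-});
-(0, tsafe_1.assert)();
-try {
-zDecodedHeader.parse(decodedHeader);
-}
-catch {
+if (typeof algFromHeader !== "string") {
 return {
 isValid: false,
 errorCase: "invalid signature",
-errorMessage: "The decoded JWT header does not
+errorMessage: "The decoded JWT header does not specify an algorithm"
 };
 }
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-errorCase: "invalid signature",
-errorMessage: `Unsupported or too week algorithm ${decodedHeader.alg}`
-};
-}
+const supportedAlgs = [
+"RS256",
+"RS384",
+"RS512",
+"ES256",
+"ES384",
+"ES512",
+"PS256",
+"PS384",
+"PS512"
+];
+if (!(0, tsafe_1.isAmong)(supportedAlgs, algFromHeader)) {
+return {
+isValid: false,
+errorCase: "invalid signature",
+errorMessage: `Unsupported or too weak algorithm ${algFromHeader}`
+};
 }
-kid =
-alg =
+kid = kidFromHeader;
+alg = algFromHeader;
 }
-
-if (publicSigningKey === undefined) {
+if (!publicSigningKeys.kidSet.has(kid)) {
 return {
 isValid: false,
 errorCase: "invalid signature",
 errorMessage: `No public signing key found with kid ${kid}`
 };
 }
-let
-
-
-
-
-
-
-
-
-
-errorMessage: err.message
-});
-return;
-}
-evtInvalidSignature.post();
-result = (0, tsafe_1.id)({
+let payload;
+try {
+const verification = await (0, jose_1.jwtVerify)(accessToken, publicSigningKeys.keyResolver, {
+algorithms: [alg]
+});
+payload = verification.payload;
+}
+catch (error) {
+if (error instanceof jose_1.errors.JWTExpired) {
+return (0, tsafe_1.id)({
 isValid: false,
-errorCase: "
-errorMessage:
+errorCase: "expired",
+errorMessage: error.message
 });
-return;
 }
-
+evtInvalidSignature.post();
+return (0, tsafe_1.id)({
+isValid: false,
+errorCase: "invalid signature",
+errorMessage: error instanceof Error ? error.message : String(error)
+});
+}
+const decodedAccessToken_unknown = payload;
+try {
+zDecodedAccessToken_RFC9068.parse(decodedAccessToken_unknown);
+}
+catch (error) {
+return (0, tsafe_1.id)({
+isValid: false,
+errorCase: "does not respect schema",
+errorMessage: [
+`The decoded access token does not satisfies`,
+`the shape mandated by RFC9068: ${String(error)}`
+].join(" ")
+});
+}
+(0, tsafe_1.assert)((0, tsafe_1.is)(decodedAccessToken_unknown));
+const decodedAccessToken_original = decodedAccessToken_unknown;
+let decodedAccessToken;
+if (decodedAccessTokenSchema === undefined) {
+decodedAccessToken = decodedAccessToken_original;
+}
+else {
 try {
-decodedAccessToken = decodedAccessTokenSchema.parse(
+decodedAccessToken = decodedAccessTokenSchema.parse(decodedAccessToken_original);
 }
 catch (error) {
-
+return (0, tsafe_1.id)({
 isValid: false,
 errorCase: "does not respect schema",
 errorMessage: String(error)
 });
-return;
 }
-
-
-
-
+}
+return (0, tsafe_1.id)({
+isValid: true,
+decodedAccessToken,
+decodedAccessToken_original
 });
-(0, tsafe_1.assert)(result !== undefined, "0522e6");
-return result;
 }
 };
 }
@@ -192,7 +176,7 @@ async function fetchPublicSigningKeys(params) {
 const { issuerUri } = params;
 const { jwks_uri } = await (async () => {
 const url = `${issuerUri.replace(/\/$/, "")}/.well-known/openid-configuration`;
-const response = await
+const response = await fetch(url);
 if (!response.ok) {
 throw new Error(`Failed to fetch openid configuration of the issuerUri: ${issuerUri} (${url}): ${response.statusText}`);
 }
@@ -220,7 +204,7 @@ async function fetchPublicSigningKeys(params) {
 return { jwks_uri };
 })();
 const { jwks } = await (async () => {
-const response = await
+const response = await fetch(jwks_uri);
 if (!response.ok) {
 throw new Error(`Failed to fetch public key and algorithm from ${jwks_uri}: ${response.statusText}`);
 }
@@ -236,9 +220,8 @@ async function fetchPublicSigningKeys(params) {
 keys: zod_1.z.array(zod_1.z.object({
 kid: zod_1.z.string(),
 kty: zod_1.z.string(),
-
-
-use: zod_1.z.string()
+use: zod_1.z.string().optional(),
+alg: zod_1.z.string().optional()
 }))
 });
 (0, tsafe_1.assert)();
@@ -252,26 +235,28 @@ async function fetchPublicSigningKeys(params) {
 }
 return { jwks };
 })();
-const
-
-
-
-return undefined;
+//const signatureKeys = jwks.keys.filter((key): key is JWKS["keys"][number] & { kid: string } => {
+const signatureKeys = jwks.keys.filter(key => {
+if (typeof key.kid !== "string" || key.kid.length === 0) {
+return false;
 }
-(
-
-
-
-.
-
-
-
-
-
-
-
-
-
-return
+if (key.use !== undefined && key.use !== "sig") {
+return false;
+}
+const supportedKty = ["RSA", "EC"];
+if (!supportedKty.includes(key.kty)) {
+return false;
+}
+return true;
+});
+(0, tsafe_1.assert)(signatureKeys.length !== 0, `No public signing key found at ${jwks_uri}, ${JSON.stringify(jwks, null, 2)}`);
+const kidSet = new Set(signatureKeys.map(({ kid }) => kid));
+const keyResolver = (0, jose_1.createLocalJWKSet)({
+keys: signatureKeys
+});
+return {
+keyResolver,
+kidSet
+};
 }
 //# sourceMappingURL=backend.js.map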
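Review bot: `jwtVerify` at new line 115 receives only `algorithms: [alg]`, so the token's `iss` claim is never compared with the configured `issuerUri`; the RFC 9068 schema applied afterwards merely requires `iss` to be a string, while RFC 9068 section 4 asks resource servers to validate both `iss` and `aud`. `issuerUri` is already in scope, so the check is one option away, `algorithms: [alg],` / `issuer: issuerUri`, bearing in mind that the discovery fetch in the third hunk strips a trailing slash from `issuerUri` and the claim must match exactly, so the same normalisation may be needed. A mismatch would then fall into the generic catch and be reported as `errorCase: "invalid signature"`, the only non-expiry case the result type offers, so a more specific `errorMessage` there would help operators diagnose misconfiguration. No audience is checked either; with no expected-audience parameter in `ParamsOfCreateOidcBackend` that is presumably left to the caller via `decodedAccessToken_original.aud`, which is worth stating in the documentation of `verifyAndDecodeAccessToken`. `createOidcBackend` opens in the first hunk and its JWKS refresh handler spans the gap between the first two hunks.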
package/backend.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"backend.js","sourceRoot":"","sources":["./src/backend.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"backend.js","sourceRoot":"","sources":["./src/backend.ts"],"names":[],"mappings":";;AAoGA,8CAyLC;AA7RD,kDAA8E;AAC9E,gDAM+B;AAC/B,8CAAyC;AACzC,8CAAyD;AA6BzD,MAAM,2BAA2B,GAAG,CAAC,GAAG,EAAE;IAGtC,MAAM,WAAW,GAAG,OAAC;SAChB,MAAM,CAAC;QACJ,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,GAAG,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAC/C,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAChC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC5B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC1B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAChC,GAAG,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;KACxC,CAAC;SACD,QAAQ,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC;IAI3B,cAAwC,CAAC;IAEzC,OAAO,IAAA,UAAE,EAAwB,WAAW,CAAC,CAAC;AAClD,CAAC,CAAC,EAAE,CAAC;AAsCE,KAAK,UAAU,iBAAiB,CAErC,MAAqD;IACnD,MAAM,EAAE,SAAS,EAAE,wBAAwB,EAAE,GAAG,MAAM,CAAC;IAEvD,IAAI,iBAAiB,GAAG,MAAM,sBAAsB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC;IAEpE,MAAM,mBAAmB,GAAG,SAAG,CAAC,MAAM,EAAQ,CAAC;IAE/C,mBAAmB,CAAC,IAAI,CAAC,IAAA,kBAAY,EAAC,OAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE;QAC/D,MAAM,qBAAqB,GAAG,MAAM,CAAC,KAAK,UAAU,MAAM,CACtD,KAAa;YAEb,IAAI,IAAmC,CAAC;YAExC,IAAI,CAAC;gBACD,IAAI,GAAG,MAAM,sBAAsB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC;YACvD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACb,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;oBACd,OAAO,CAAC,IAAI,CACR,4DAA4D,KAAK,GAAG,CAAC,WAAW,CACnF,CAAC;oBAEF,OAAO,SAAS,CAAC;gBACrB,CAAC;gBAED,MAAM,OAAO,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;gBAE1C,OAAO,CAAC,IAAI,CACR,uDAAuD,MAAM,CACzD,KAAK,CACR,iBAAiB,OAAO,IAAI,CAChC,CAAC;gBAEF,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;gBAE3D,OAAO,MAAM,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;YAC7B,CAAC;YAED,OAAO,IAAI,CAAC;QAChB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAEN,IAAI,qBAAqB,KAAK,SAAS,EAAE,CAAC;YACtC,OA
AO;QACX,CAAC;QAED,iBAAiB,GAAG,qBAAqB,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,OAAO;QACH,0BAA0B,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE;YAClD,IAAI,GAAW,CAAC;YAChB,IAAI,GAAW,CAAC;YAEhB,CAAC;gBACG,IAAI,MAAgD,CAAC;gBAErD,IAAI,CAAC;oBACD,MAAM,GAAG,IAAA,4BAAqB,EAAC,WAAW,CAAC,CAAC;gBAChD,CAAC;gBAAC,MAAM,CAAC;oBACL,OAAO;wBACH,OAAO,EAAE,KAAK;wBACd,SAAS,EAAE,mBAAmB;wBAC9B,YAAY,EAAE,iCAAiC;qBAClD,CAAC;gBACN,CAAC;gBAED,MAAM,EAAE,GAAG,EAAE,aAAa,EAAE,GAAG,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC;gBAE1D,IAAI,OAAO,aAAa,KAAK,QAAQ,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBAClE,OAAO;wBACH,OAAO,EAAE,KAAK;wBACd,SAAS,EAAE,mBAAmB;wBAC9B,YAAY,EAAE,qDAAqD;qBACtE,CAAC;gBACN,CAAC;gBAED,IAAI,OAAO,aAAa,KAAK,QAAQ,EAAE,CAAC;oBACpC,OAAO;wBACH,OAAO,EAAE,KAAK;wBACd,SAAS,EAAE,mBAAmB;wBAC9B,YAAY,EAAE,sDAAsD;qBACvE,CAAC;gBACN,CAAC;gBAED,MAAM,aAAa,GAAG;oBAClB,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;oBACP,OAAO;iBACD,CAAC;gBAEX,IAAI,CAAC,IAAA,eAAO,EAAC,aAAa,EAAE,aAA+C,CAAC,EAAE,CAAC;oBAC3E,OAAO;wBACH,OAAO,EAAE,KAAK;wBACd,SAAS,EAAE,mBAAmB;wBAC9B,YAAY,EAAE,qCAAqC,aAAa,EAAE;qBACrE,CAAC;gBACN,CAAC;gBAED,GAAG,GAAG,aAAa,CAAC;gBACpB,GAAG,GAAG,aAAa,CAAC;YACxB,CAAC;YAED,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACrC,OAAO;oBACH,OAAO,EAAE,KAAK;oBACd,SAAS,EAAE,mBAAmB;oBAC9B,YAAY,EAAE,wCAAwC,GAAG,EAAE;iBAC9D,CAAC;YACN,CAAC;YAED,IAAI,OAAmB,CAAC;YAExB,IAAI,CAAC;gBACD,MAAM,YAAY,GAAG,MAAM,IAAA,gBAAS,EAAC,WAAW,EAAE,iBAAiB,CAAC,WAAW,EAAE;oBAC7E,UAAU,EAAE,CAAC,GAAG,CAAC;iBACpB,CAAC,CAAC;gBAEH,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC;YACnC,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACb,IAAI,KAAK,YAAY,aAAM,CAAC,UAAU,EAAE,CAAC;oBACrC,OAAO,IAAA,UAAE,EAAoC;wBACzC,OAAO,EAAE,KAAK;wBACd,SAAS,EAAE,SAAS;wBACpB,YAAY,EAAE,KAAK,CAAC,OAAO;qBAC9B,CAAC,CAAC;gBACP,CAAC;gBAED,mBAAmB,CAAC,IAAI,EAAE,CAAC;gBAE3B,OAAO,IAAA,UAAE,EAAoC;oBACzC,OAAO,EAAE,KAAK;oBACd,SAAS,EAAE,mBAAmB;oBAC9B,YAAY,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;iBACvE,CAAC,CAAC;YACP,CAAC;YAED,MAAM,0BAA0B,GAAG,OAAk
B,CAAC;YAEtD,IAAI,CAAC;gBACD,2BAA2B,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;YAClE,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACb,OAAO,IAAA,UAAE,EAAoC;oBACzC,OAAO,EAAE,KAAK;oBACd,SAAS,EAAE,yBAAyB;oBACpC,YAAY,EAAE;wBACV,6CAA6C;wBAC7C,kCAAkC,MAAM,CAAC,KAAK,CAAC,EAAE;qBACpD,CAAC,IAAI,CAAC,GAAG,CAAC;iBACd,CAAC,CAAC;YACP,CAAC;YAED,IAAA,cAAM,EAAC,IAAA,UAAE,EAA6B,0BAA0B,CAAC,CAAC,CAAC;YAEnE,MAAM,2BAA2B,GAAG,0BAA0B,CAAC;YAE/D,IAAI,kBAAsC,CAAC;YAE3C,IAAI,wBAAwB,KAAK,SAAS,EAAE,CAAC;gBACzC,kBAAkB,GAAG,2BAA4D,CAAC;YACtF,CAAC;iBAAM,CAAC;gBACJ,IAAI,CAAC;oBACD,kBAAkB,GAAG,wBAAwB,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;gBACrF,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACb,OAAO,IAAA,UAAE,EAAoC;wBACzC,OAAO,EAAE,KAAK;wBACd,SAAS,EAAE,yBAAyB;wBACpC,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC;qBAC9B,CAAC,CAAC;gBACP,CAAC;YACL,CAAC;YAED,OAAO,IAAA,UAAE,EAAsD;gBAC3D,OAAO,EAAE,IAAI;gBACb,kBAAkB;gBAClB,2BAA2B;aAC9B,CAAC,CAAC;QACP,CAAC;KACJ,CAAC;AACN,CAAC;AAOD,KAAK,UAAU,sBAAsB,CAAC,MAA6B;IAC/D,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC,KAAK,IAAI,EAAE;QACnC,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,mCAAmC,CAAC;QAE/E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;QAElC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACX,0DAA0D,SAAS,KAAK,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CACzG,CAAC;QACN,CAAC;QAED,IAAI,IAAa,CAAC;QAElB,IAAI,CAAC;YACD,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACjC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,6BAA6B,GAAG,KAAK,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC1E,CAAC;QAED,CAAC;YAKG,MAAM,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;gBACrC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE;aACvB,CAAC,CAAC;YAEH,IAAA,cAAM,GAA2E,CAAC;YAElF,IAAI,CAAC;gBACD,uBAAuB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACxC,CAAC;YAAC,MAAM,CAAC;gBACL,MAAM,IAAI,KAAK,CAAC,GAAG,GAAG,oCAAoC,CAAC,CAAC;YAChE,CAAC;YAED,IAAA,cAAM,EAAC,IAAA,UAAE,EAAyB,IAAI,CAAC,CAAC,CAAC;QAC7C,CAAC;QAED,MAAM,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC;QAE1B,OAAO,EAAE,QAAQ,EAAE,CAAC;IACxB,CAAC,CAAC,EAAE,CAAC;IAEL,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,CAAC,KAAK,IAAI,EAAE;QAC/B,MAAM,QAA
Q,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,CAAC;QAEvC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACX,iDAAiD,QAAQ,KAAK,QAAQ,CAAC,UAAU,EAAE,CACtF,CAAC;QACN,CAAC;QAED,IAAI,IAAa,CAAC;QAElB,IAAI,CAAC;YACD,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACjC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,KAAK,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC/E,CAAC;QAED,CAAC;YAUG,MAAM,KAAK,GAAG,OAAC,CAAC,MAAM,CAAC;gBACnB,IAAI,EAAE,OAAC,CAAC,KAAK,CACT,OAAC,CAAC,MAAM,CAAC;oBACL,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;oBACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;oBACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;oBAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;iBAC7B,CAAC,CACL;aACJ,CAAC,CAAC;YAEH,IAAA,cAAM,GAAuC,CAAC;YAE9C,IAAI,CAAC;gBACD,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACtB,CAAC;YAAC,MAAM,CAAC;gBACL,MAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,mCAAmC,CAAC,CAAC;YACpE,CAAC;YAED,IAAA,cAAM,EAAC,IAAA,UAAE,EAAO,IAAI,CAAC,CAAC,CAAC;QAC3B,CAAC;QAED,OAAO,EAAE,IAAI,EAAE,CAAC;IACpB,CAAC,CAAC,EAAE,CAAC;IAEL,kGAAkG;IAClG,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;QACzC,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtD,OAAO,KAAK,CAAC;QACjB,CAAC;QAED,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;YAC7C,OAAO,KAAK,CAAC;QACjB,CAAC;QAED,MAAM,YAAY,GAAG,CAAC,KAAK,EAAE,IAAI,CAAU,CAAC;QAE5C,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAoC,CAAC,EAAE,CAAC;YACnE,OAAO,KAAK,CAAC;QACjB,CAAC;QAED,OAAO,IAAI,CAAC;IAChB,CAAC,CAAC,CAAC;IAEH,IAAA,cAAM,EACF,aAAa,CAAC,MAAM,KAAK,CAAC,EAC1B,kCAAkC,QAAQ,KAAK,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CACjF,CAAC;IAEF,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAE5D,MAAM,WAAW,GAAG,IAAA,wBAAiB,EAAC;QAClC,IAAI,EAAE,aAAa;KACtB,CAAC,CAAC;IAEH,OAAO;QACH,WAAW;QACX,MAAM;KACT,CAAC;AACN,CAAC"}
|
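--- a/package/core/Oidc.d.ts
+++ b/package/core/Oidc.d.ts
@@ -1,5 +1,5 @@
 import type { OidcInitializationError } from "./OidcInitializationError";
-export declare type Oidc<DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.
+export declare type Oidc<DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_OidcCoreSpec> = Oidc.LoggedIn<DecodedIdToken> | Oidc.NotLoggedIn;
 export declare namespace Oidc {
 type Common = {
 params: {
@@ -83,7 +83,7 @@ export declare namespace Oidc {
 */
 isNewBrowserSession: boolean;
 };
-type Tokens<DecodedIdToken extends Record<string, unknown> = Tokens.
+type Tokens<DecodedIdToken extends Record<string, unknown> = Tokens.DecodedIdToken_OidcCoreSpec> = Tokens.WithRefreshToken<DecodedIdToken> | Tokens.WithoutRefreshToken<DecodedIdToken>;
 namespace Tokens {
 type Common<DecodedIdToken> = {
 accessToken: string;
@@ -101,7 +101,7 @@ export declare namespace Oidc {
 *
 * `decodedIdToken_original` is the actual decoded payload of the id_token, untransformed.
 * */
-decodedIdToken_original:
+decodedIdToken_original: DecodedIdToken_OidcCoreSpec;
 /** Millisecond epoch in the server's time, read from id_token's JWT, iat claim value */
 issuedAtTime: number;
 /** To use instead of Date.now() if you ever need to tell if a token is expired or not */
@@ -117,12 +117,36 @@ export declare namespace Oidc {
 refreshToken?: never;
 refreshTokenExpirationTime?: never;
 };
-type
+type DecodedIdToken_OidcCoreSpec = {
 iss: string;
 sub: string;
 aud: string | string[];
 exp: number;
 iat: number;
+auth_time?: number;
+nonce?: string;
+acr?: string;
+amr?: string[];
+azp?: string;
+name?: string;
+given_name?: string;
+family_name?: string;
+middle_name?: string;
+nickname?: string;
+preferred_username?: string;
+profile?: string;
+picture?: string;
+website?: string;
+email?: string;
+email_verified?: boolean;
+gender?: string;
+birthdate?: string;
+zoneinfo?: string;
+locale?: string;
+phone_number?: string;
+phone_number_verified?: boolean;
+address?: Record<string, unknown>;
+updated_at?: number;
 [claimName: string]: unknown;
 };
 }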
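--- a/package/core/createOidc.d.ts
+++ b/package/core/createOidc.d.ts
@@ -1,6 +1,6 @@
 import type { OidcMetadata } from "./OidcMetadata";
 import type { Oidc } from "./Oidc";
-export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.
+export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_OidcCoreSpec, AutoLogin extends boolean = false> = {
 /**
 * What should you put in this parameter?
 * - Vite project: `BASE_URL: import.meta.env.BASE_URL`
@@ -8,7 +8,13 @@ export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> =
 * - Other: `BASE_URL: "/"` (Usually, or `/dashboard` if your app is not at the root of the domain)
 */
 homeUrl: string;
+/**
+* See: https://docs.oidc-spa.dev/v/v8/providers-configuration/provider-configuration
+*/
 issuerUri: string;
+/**
+* See: https://docs.oidc-spa.dev/v/v8/providers-configuration/provider-configuration
+*/
 clientId: string;
 /**
 * The scopes being requested from the OIDC/OAuth2 provider (default: `["profile"]`
@@ -64,7 +70,7 @@ export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> =
 */
 postLoginRedirectUrl?: string;
 decodedIdTokenSchema?: {
-parse: (decodedIdToken_original: Oidc.Tokens.
+parse: (decodedIdToken_original: Oidc.Tokens.DecodedIdToken_OidcCoreSpec) => DecodedIdToken;
 };
 /**
 * This parameter defines after how many seconds of inactivity the user should be
@@ -73,6 +79,9 @@ export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> =
 * WARNING: It should be configured on the identity server side
 * as it's the authoritative source for security policies and not the client.
 * If you don't provide this parameter it will be inferred from the refresh token expiration time.
+* Some provider however don't issue a refresh token or do not correctly set the
+* expiration time. This parameter enable you to hard code the value to compensate
+* the shortcoming of your auth server.
 * */
 idleSessionLifetimeInSeconds?: number;
 /**
@@ -122,7 +131,7 @@ export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> =
 __metadata?: Partial<OidcMetadata>;
 };
 /** @see: https://docs.oidc-spa.dev/v/v8/usage */
-export declare function createOidc<DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.
+export declare function createOidc<DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_OidcCoreSpec, AutoLogin extends boolean = false>(params: ParamsOfCreateOidc<DecodedIdToken, AutoLogin>): Promise<AutoLogin extends true ? Oidc.LoggedIn<DecodedIdToken> : Oidc<DecodedIdToken>>;
 export declare function createOidc_nonMemoized<DecodedIdToken extends Record<string, unknown>, AutoLogin extends boolean>(params: Omit<ParamsOfCreateOidc<DecodedIdToken, AutoLogin>, "issuerUri" | "clientId" | "scopes" | "debugLogs">, preProcessedParams: {
 issuerUri: string;
 clientId: string;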
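Review bot: The three doc lines added to `idleSessionLifetimeInSeconds` (new lines 82-84) read awkwardly; I would change them to `* Some providers, however, don't issue a refresh token or do not correctly set its` / `* expiration time. This parameter lets you hard-code the value to compensate for` / `* that shortcoming of your auth server.`. Separately, `decodedIdTokenSchema` at line 72 still has no doc comment although its `parse` signature changed in this hunk: a TSDoc saying that `parse` receives the untransformed id_token payload typed as `Oidc.Tokens.DecodedIdToken_OidcCoreSpec` and returns the application's `DecodedIdToken` would help callers see this hook as the place where claims are checked rather than merely retyped — whether it is expected to throw on a mismatch is not visible here and should be stated by the author. The new `AutoLogin extends true ? Oidc.LoggedIn<DecodedIdToken> : Oidc<DecodedIdToken>` return type at line 134 is fine, but it only narrows to `LoggedIn` when the caller passes a literal `true`, which is worth a line in the `@see` comment above it.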
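--- a/package/core/createOidc.js
+++ b/package/core/createOidc.js
@@ -65,7 +65,7 @@ const isKeycloak_1 = require("../keycloak/isKeycloak");
 const INFINITY_TIME_1 = require("../tools/INFINITY_TIME");
 const getIsValidRemoteJson_1 = require("../tools/getIsValidRemoteJson");
 // NOTE: Replaced at build time
-const VERSION = "8.1.
+const VERSION = "8.1.11";
 const globalContext = {
 prOidcByConfigId: new Map(),
 hasLogoutBeenCalled: (0, id_1.id)(false),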