oidc-spa 8.1.12 → 8.1.14

package/src/core/createOidc.ts

@@ -1062,6 +1062,27 @@ export async function createOidc_nonMemoized<
         log
     });
 
+    detect_useless_idleSessionLifetimeInSeconds: {
+        if (idleSessionLifetimeInSeconds === undefined) {
+            break detect_useless_idleSessionLifetimeInSeconds;
+        }
+
+        if (currentTokens.refreshTokenExpirationTime === undefined) {
+            break detect_useless_idleSessionLifetimeInSeconds;
+        }
+
+        console.warn(
+            [
+                "oidc-spa: You've specified idleSessionLifetimeInSeconds,",
+                "but your auth server issues a refresh_token with a known expiration time.",
+                "idleSessionLifetimeInSeconds should only be used as a fallback",
+                "for auth servers that don't specify when an inactive session expires.",
+                "The auth server, not your code, is the source of truth.",
+                "See: https://docs.oidc-spa.dev/v/v8/auto-logout"
+            ].join(" ")
+        );
+    }
+
     {
         if (getPersistedAuthState({ configId }) !== undefined) {
             persistAuthState({ configId, state: undefined });
@@ -1558,6 +1579,18 @@ export async function createOidc_nonMemoized<
             return;
         }
 
+        const msBeforeExpiration_idleSessionLifetimeInSeconds =
+            idleSessionLifetimeInSeconds === undefined ? undefined : idleSessionLifetimeInSeconds * 1000;
+
+        const msBeforeExpiration_refreshToken =
+            currentTokens.refreshTokenExpirationTime === undefined
+                ? undefined
+                : currentTokens.refreshTokenExpirationTime - currentTokens.getServerDateNow();
+        const msBeforeExpiration_accessToken =
+            currentTokens.accessTokenExpirationTime - currentTokens.getServerDateNow();
+
+        let isRefreshTokenNeverExpiring = false;
+
         if (
             currentTokens.refreshTokenExpirationTime !== undefined &&
             currentTokens.refreshTokenExpirationTime >= INFINITY_TIME
@@ -1573,74 +1606,117 @@ export async function createOidc_nonMemoized<
             if (warningLines.length > 0) {
                 warningLines.push(
                     ...[
-                        "Misconfiguration: offline_access is for native apps, not SPAs. ",
+                        "Misconfiguration: offline_access is for native apps, not for web apps like yours. ",
                         "You lose SSO and users must log in after every reload."
                     ]
                 );
+                console.warn(`oidc-spa: ${warningLines.join(" ")}`);
+                return;
             }
 
-            const logMessage = [
-                "Refresh token never expires → no need to ping server.",
-                "The backend session will not expire.",
-                ...warningLines
-            ].join(" ");
+            isRefreshTokenNeverExpiring = true;
+        }
 
-            if (warningLines.length > 0) {
-                console.warn(`oidc-spa: ${logMessage}`);
-            } else {
-                log?.(logMessage);
+        const RENEW_MS_BEFORE_EXPIRES = 30_000;
+        const MIN_ACCEPTABLE_MS_BEFORE_EXPIRATION = RENEW_MS_BEFORE_EXPIRES + 15_000;
+
+        detect_session_reached_max_life: {
+            if (msBeforeExpiration_refreshToken === undefined) {
+                break detect_session_reached_max_life;
+            }
+
+            if (msBeforeExpiration_refreshToken > MIN_ACCEPTABLE_MS_BEFORE_EXPIRATION) {
+                break detect_session_reached_max_life;
             }
+
+            console.warn(
+                [
+                    "oidc-spa: The session is nearing its maximum lifetime, and the user will soon need to log in again,",
+                    `or you've configured a refresh_token with a TTL of ${toHumanReadableDuration(
+                        msBeforeExpiration_refreshToken
+                    )}.`,
+                    `If it's the latter, the TTL is too short, it must be at least ${toHumanReadableDuration(
+                        MIN_ACCEPTABLE_MS_BEFORE_EXPIRATION
+                    )} for reliable operation.`,
+                    "Shorter lifetimes can cause unpredictable session expirations and are usually a misconfiguration.",
+                    "\nIn either case, oidc-spa will not ping the auth server to keep the session alive."
+                ].join(" ")
+            );
+
             return;
         }
 
-        const msBeforeExpiration =
-            (currentTokens.refreshTokenExpirationTime ?? currentTokens.accessTokenExpirationTime) -
-            currentTokens.getServerDateNow();
+        let msBeforeExpiration = (() => {
+            if (msBeforeExpiration_refreshToken !== undefined && !isRefreshTokenNeverExpiring) {
+                log?.(
+                    [
+                        toHumanReadableDuration(msBeforeExpiration_refreshToken),
+                        `before expiration of the refresh_token.`,
+                        `Scheduling renewal of the tokens ${toHumanReadableDuration(
+                            RENEW_MS_BEFORE_EXPIRES
+                        )} before expiration as a way to keep the session alive on the OIDC server.`
+                    ].join(" ")
+                );
 
-        const typeOfTheTokenWeGotTheTtlFrom =
-            currentTokens.refreshTokenExpirationTime !== undefined ? "refresh" : "access";
+                return msBeforeExpiration_refreshToken;
+            }
 
-        const RENEW_MS_BEFORE_EXPIRES = 30_000;
+            if (msBeforeExpiration_idleSessionLifetimeInSeconds !== undefined) {
+                if (
+                    msBeforeExpiration_idleSessionLifetimeInSeconds < MIN_ACCEPTABLE_MS_BEFORE_EXPIRATION
+                ) {
+                    throw new Error(
+                        [
+                            `oidc-spa: The configured idleSessionLifetimeInSeconds (${toHumanReadableDuration(
+                                msBeforeExpiration_idleSessionLifetimeInSeconds
+                            )}) is too short.`,
+                            `For reliability, it must be at least ${toHumanReadableDuration(
+                                MIN_ACCEPTABLE_MS_BEFORE_EXPIRATION
+                            )}.`,
+                            "Very short session idle lifetimes are usually a misconfiguration, even for ultra sensitive apps."
+                        ].join(" ")
+                    );
+                }
+
+                log?.(
+                    [
+                        `You've set idleSessionLifetimeInSeconds to ${toHumanReadableDuration(
+                            msBeforeExpiration_idleSessionLifetimeInSeconds
+                        )}.`,
+                        `This means the user session will expire after ${toHumanReadableDuration(
+                            msBeforeExpiration_idleSessionLifetimeInSeconds
+                        )} of inactivity (assuming you're right).`,
+                        `Scheduling token renewal ${toHumanReadableDuration(
+                            RENEW_MS_BEFORE_EXPIRES
+                        )} before expiration to keep the session active on the OIDC server.`
+                    ].join(" ")
+                );
+
+                return msBeforeExpiration_idleSessionLifetimeInSeconds;
+            }
+
+            const msBeforeExpiration =
+                msBeforeExpiration_accessToken > MIN_ACCEPTABLE_MS_BEFORE_EXPIRATION
+                    ? msBeforeExpiration_accessToken
+                    : 3_600_000;
 
-        if (msBeforeExpiration <= RENEW_MS_BEFORE_EXPIRES) {
             log?.(
                 [
-                    "Session keep-alive disabled. We just got fresh tokens",
-                    (() => {
-                        switch (typeOfTheTokenWeGotTheTtlFrom) {
-                            case "refresh":
-                                return [
-                                    " and the refresh token is already about to expires.",
-                                    "This means that we have reached the max session lifespan, we can't keep",
-                                    "the session alive any longer.",
-                                    "(This can also mean that the refresh token was configured with a TTL,",
-                                    "aka the idle session lifespan, too low to make sense)"
-                                ].join(" ");
-                            case "access":
-                                return [
-                                    currentTokens.hasRefreshToken
-                                        ? ", we can't read the expiration time of the refresh token"
-                                        : ", we don't have a refresh token",
-                                    ` and the access token is already about to expire`,
-                                    "we would spam the auth server by constantly renewing the access token in the background",
-                                    "avoiding to do so."
-                                ].join(" ");
-                        }
-                    })()
-                ].join(" ")
+                    "The auth server's idle session timeout is unknown.",
+                    isRefreshTokenNeverExpiring && "(The refresh token never expires)",
+                    `Assuming a default idle session TTL of ${toHumanReadableDuration(
+                        msBeforeExpiration
+                    )}.`,
+                    `Scheduling token renewal ${toHumanReadableDuration(
+                        RENEW_MS_BEFORE_EXPIRES
+                    )} before expiration to keep the session active on the OIDC server.`
+                ]
+                    .filter(line => typeof line === "string")
+                    .join(" ")
             );
-            return;
-        }
 
-        log?.(
-            [
-                toHumanReadableDuration(msBeforeExpiration),
-                `before expiration of the ${typeOfTheTokenWeGotTheTtlFrom} token.`,
-                `Scheduling renewal ${toHumanReadableDuration(
-                    RENEW_MS_BEFORE_EXPIRES
-                )} before expiration to keep the session alive on the OIDC server.`
-            ].join(" ")
-        );
+            return msBeforeExpiration;
+        })();
 
         const timer = setTimeout(
             async () => {
@@ -1670,7 +1746,7 @@ export async function createOidc_nonMemoized<
                 }
 
                 log?.(
-                    `Renewing the tokens now as the ${typeOfTheTokenWeGotTheTtlFrom} token will expire in ${toHumanReadableDuration(
+                    `Renewing the tokens now as otherwise the session will be terminated by the auth server in ${toHumanReadableDuration(
                         RENEW_MS_BEFORE_EXPIRES
                     )}`
                 );
@@ -1695,19 +1771,22 @@ export async function createOidc_nonMemoized<
 
     auto_logout: {
         const getCurrentRefreshTokenTtlInSeconds = () => {
-            if (idleSessionLifetimeInSeconds !== undefined) {
+            if (currentTokens.refreshTokenExpirationTime === undefined) {
                 return idleSessionLifetimeInSeconds;
             }
 
-            if (currentTokens.refreshTokenExpirationTime === undefined) {
-                return undefined;
+            if (currentTokens.refreshTokenExpirationTime >= INFINITY_TIME) {
+                return idleSessionLifetimeInSeconds ?? 0;
             }
 
-            if (currentTokens.refreshTokenExpirationTime >= INFINITY_TIME) {
-                return 0;
+            const ttlInSeconds =
+                (currentTokens.refreshTokenExpirationTime - currentTokens.issuedAtTime) / 1000;
+
+            if (idleSessionLifetimeInSeconds !== undefined) {
+                return Math.min(idleSessionLifetimeInSeconds, ttlInSeconds);
             }
 
-            return (currentTokens.refreshTokenExpirationTime - currentTokens.issuedAtTime) / 1000;
+            return ttlInSeconds;
         };
 
         if (getCurrentRefreshTokenTtlInSeconds() === 0) {

package/src/tanstack-start/react/accessTokenValidation_rfc9068.ts

@@ -9,16 +9,15 @@ export function createCreateValidateAndGetAccessTokenClaims_rfc9068<
 >(params: {
     accessTokenClaimsSchema?: ZodSchemaLike<AccessTokenClaims_RFC9068, AccessTokenClaims>;
     accessTokenClaims_mock?: AccessTokenClaims;
-    expectedAudience?:
-        | string
-        | ((params: {
-              paramsOfBootstrap: ParamsOfBootstrap<boolean, Record<string, unknown>, AccessTokenClaims>;
-          }) => string);
+    expectedAudience?: (params: {
+        paramsOfBootstrap: ParamsOfBootstrap.Real<boolean>;
+        process: { env: Record<string, string> };
+    }) => string;
 }) {
     const {
         accessTokenClaimsSchema,
         accessTokenClaims_mock,
-        expectedAudience: expectedAudienceOrGetter
+        expectedAudience: expectedAudienceGetter
     } = params;
 
     const createValidateAndGetAccessTokenClaims: CreateValidateAndGetAccessTokenClaims<
@@ -66,13 +65,56 @@ export function createCreateValidateAndGetAccessTokenClaims_rfc9068<
         })();
 
         const expectedAudience = (() => {
-            if (expectedAudienceOrGetter === undefined) {
+            if (expectedAudienceGetter === undefined) {
                 return undefined;
             }
-            if (typeof expectedAudienceOrGetter === "function") {
-                return expectedAudienceOrGetter({ paramsOfBootstrap });
+
+            const missingEnvNames = new Set<string>();
+
+            const env_proxy = new Proxy<Record<string, string>>(
+                {},
+                {
+                    get: (...[, envName]) => {
+                        assert(typeof envName === "string");
+
+                        const value = process.env[envName];
+
+                        if (value === undefined) {
+                            missingEnvNames.add(envName);
+                            return "";
+                        }
+
+                        return value;
+                    },
+                    has: (...[, envName]) => {
+                        assert(typeof envName === "string");
+                        return true;
+                    }
+                }
+            );
+
+            const expectedAudience = expectedAudienceGetter?.({
+                paramsOfBootstrap,
+                process: { env: env_proxy }
+            });
+
+            if (!expectedAudience) {
+                throw new Error(
+                    [
+                        "oidc-spa: The expectedAudience() you provided returned empty.",
+                        "If you specified the expectedAudience in withAccessTokenValidation",
+                        "it's probably and error.",
+                        missingEnvNames.size !== 0 &&
+                            `Did you forget to set the env var: ${Array.from(missingEnvNames).join(
+                                ", "
+                            )} ?`
+                    ]
+                        .filter(line => typeof line === "string")
+                        .join(" ")
+                );
             }
-            return expectedAudienceOrGetter;
+
+            return expectedAudience;
         })();
 
         return {

package/src/tanstack-start/react/apiBuilder.ts

@@ -41,15 +41,10 @@ export type OidcSpaApiBuilder<
                 accessTokenClaimsSchema?: ZodSchemaLike<AccessTokenClaims_RFC9068, AccessTokenClaims>;
                 accessTokenClaims_mock?: NoInfer<AccessTokenClaims>;
 
-                expectedAudience?:
-                    | string
-                    | ((params: {
-                          paramsOfBootstrap: ParamsOfBootstrap<
-                              boolean,
-                              Record<string, unknown>,
-                              AccessTokenClaims
-                          >;
-                      }) => string);
+                expectedAudience?: (params: {
+                    paramsOfBootstrap: ParamsOfBootstrap.Real<boolean>;
+                    process: { env: Record<string, string> };
+                }) => string;
             }): OidcSpaApiBuilder<
                 AutoLogin,
                 DecodedIdToken,

package/src/tanstack-start/react/createOidcSpaApi.tsx

@@ -663,7 +663,9 @@ export function createOidcSpaApi<
                                 noIframe: paramsOfBootstrap.noIframe,
                                 debugLogs: paramsOfBootstrap.debugLogs,
                                 __unsafe_clientSecret: paramsOfBootstrap.__unsafe_clientSecret,
-                                __metadata: paramsOfBootstrap.__metadata
+                                __metadata: paramsOfBootstrap.__metadata,
+                                __unsafe_useIdTokenAsAccessToken:
+                                    paramsOfBootstrap.__unsafe_useIdTokenAsAccessToken
                             });
                         } catch (error) {
                             if (!(error instanceof OidcInitializationError)) {

package/src/tanstack-start/react/types.tsx

@@ -22,7 +22,7 @@ export type CreateOidcComponent<DecodedIdToken> = <
 export namespace CreateOidcComponent {
     export type WithAutoLogin<DecodedIdToken> = <Props>(params: {
         pendingComponent?: (params: NoInfer<Props>) => ReactNode;
-        component: (props: Props) => ReactNode;
+        component: (props: Props) => any;
     }) => ((props: Props) => ReactNode) & {
         useOidc: () => Oidc.LoggedIn<DecodedIdToken>;
     };
@@ -338,6 +338,13 @@ export namespace ParamsOfBootstrap {
          * or non-standard deployments), and you cannot fix the server-side configuration.
          */
         __metadata?: Partial<OidcMetadata>;
+
+        /**
+         *  WARNING: Setting this to true is a workaround for provider
+         *  like Google OAuth that don't support JWT access token.
+         *  Use at your own risk, this is a hack.
+         */
+        __unsafe_useIdTokenAsAccessToken?: boolean;
     } & (AutoLogin extends true ? {} : {});
 
     export type Mock<AutoLogin, DecodedIdToken, AccessTokenClaims> = {