oidc-spa 8.1.15 → 8.2.1

package/react-spa/types.d.ts

@@ -0,0 +1,279 @@
+import type { ReactNode, ComponentType } from "react";
+import type { Oidc as Oidc_core, OidcInitializationError } from "../core";
+import type { OidcMetadata } from "../core/OidcMetadata";
+export type UseOidc<DecodedIdToken> = {
+    (params?: {
+        assert?: undefined;
+    }): UseOidc.Oidc<DecodedIdToken>;
+    (params: {
+        assert: "user logged in";
+    }): UseOidc.Oidc.LoggedIn<DecodedIdToken>;
+    (params: {
+        assert: "user not logged in";
+    }): UseOidc.Oidc.NotLoggedIn;
+};
+export declare namespace UseOidc {
+    type WithAutoLogin<DecodedIdToken> = (params?: {
+        assert: "user logged in";
+    }) => Oidc.LoggedIn<DecodedIdToken>;
+    type Oidc<DecodedIdToken> = (Oidc.NotLoggedIn & {
+        decodedIdToken?: never;
+        logout?: never;
+        renewTokens?: never;
+        goToAuthServer?: never;
+        backFromAuthServer?: never;
+        isNewBrowserSession?: never;
+    }) | (Oidc.LoggedIn<DecodedIdToken> & {
+        login?: never;
+        initializationError?: never;
+    });
+    namespace Oidc {
+        type Common = {
+            issuerUri: string;
+            clientId: string;
+        };
+        export type NotLoggedIn = Common & {
+            login: (params?: {
+                extraQueryParams?: Record<string, string | undefined>;
+                redirectUrl?: string;
+                transformUrlBeforeRedirect?: (url: string) => string;
+            }) => Promise<never>;
+            autoLogoutState: {
+                shouldDisplayWarning: false;
+            };
+            isUserLoggedIn: false;
+            initializationError: OidcInitializationError | undefined;
+        };
+        export type LoggedIn<DecodedIdToken> = Common & {
+            isUserLoggedIn: true;
+            decodedIdToken: DecodedIdToken;
+            logout: Oidc_core.LoggedIn["logout"];
+            renewTokens: Oidc_core.LoggedIn["renewTokens"];
+            goToAuthServer: Oidc_core.LoggedIn["goToAuthServer"];
+            backFromAuthServer: Oidc_core.LoggedIn["backFromAuthServer"];
+            isNewBrowserSession: boolean;
+            autoLogoutState: {
+                shouldDisplayWarning: true;
+                secondsLeftBeforeAutoLogout: number;
+            } | {
+                shouldDisplayWarning: false;
+            };
+        };
+        export {};
+    }
+}
+export type GetOidc<DecodedIdToken> = {
+    (params?: {
+        assert?: undefined;
+    }): Promise<GetOidc.Oidc<DecodedIdToken>>;
+    (params: {
+        assert: "user logged in";
+    }): Promise<GetOidc.Oidc.LoggedIn<DecodedIdToken>>;
+    (params: {
+        assert: "user not logged in";
+    }): Promise<GetOidc.Oidc.NotLoggedIn>;
+};
+export declare namespace GetOidc {
+    type WithAutoLogin<DecodedIdToken> = (params?: {
+        assert: "user logged in";
+    }) => Promise<Oidc.LoggedIn<DecodedIdToken>>;
+    type Oidc<DecodedIdToken> = (Oidc.NotLoggedIn & {
+        getAccessToken?: never;
+        getDecodedIdToken?: never;
+        logout?: never;
+        renewTokens?: never;
+        goToAuthServer?: never;
+        backFromAuthServer?: never;
+        isNewBrowserSession?: never;
+        subscribeToAutoLogoutState?: never;
+    }) | (Oidc.LoggedIn<DecodedIdToken> & {
+        initializationError?: never;
+        login?: never;
+    });
+    namespace Oidc {
+        type Common = {
+            issuerUri: string;
+            clientId: string;
+        };
+        export type NotLoggedIn = Common & {
+            isUserLoggedIn: false;
+            initializationError: OidcInitializationError | undefined;
+            login: Oidc_core.NotLoggedIn["login"];
+        };
+        export type LoggedIn<DecodedIdToken> = Common & {
+            isUserLoggedIn: true;
+            getAccessToken: () => Promise<string>;
+            getDecodedIdToken: () => DecodedIdToken;
+            logout: Oidc_core.LoggedIn["logout"];
+            renewTokens: Oidc_core.LoggedIn["renewTokens"];
+            goToAuthServer: Oidc_core.LoggedIn["goToAuthServer"];
+            backFromAuthServer: Oidc_core.LoggedIn["backFromAuthServer"];
+            isNewBrowserSession: boolean;
+            subscribeToAutoLogoutState: (next: (autoLogoutState: {
+                shouldDisplayWarning: true;
+                secondsLeftBeforeAutoLogout: number;
+            } | {
+                shouldDisplayWarning: false;
+            }) => void) => {
+                unsubscribeFromAutoLogoutState: () => void;
+            };
+        };
+        export {};
+    }
+}
+export type ParamsOfBootstrap<AutoLogin, DecodedIdToken> = ParamsOfBootstrap.Real<AutoLogin> | ParamsOfBootstrap.Mock<AutoLogin, DecodedIdToken>;
+export declare namespace ParamsOfBootstrap {
+    type Real<AutoLogin> = {
+        implementation: "real";
+        /**
+         * See: https://docs.oidc-spa.dev/v/v8/providers-configuration/provider-configuration
+         */
+        issuerUri: string;
+        /**
+         * See: https://docs.oidc-spa.dev/v/v8/providers-configuration/provider-configuration
+         */
+        clientId: string;
+        /**
+         * Default: 45 second.
+         * It defines how long before the auto logout we should start
+         * displaying an overlay message to the user alerting them
+         * like: "Are you still there? You'll be disconnected in 45...44..."
+         * NOTE: This parameter is only UI related! It does not defines
+         * after how much time of inactivity the user should be auto logged out.
+         * This is a server policy (that can be overwrote by idleSessionLifetimeInSeconds)
+         * See: https://docs.oidc-spa.dev/v/v8/auto-logout
+         */
+        startCountdownSecondsBeforeAutoLogout?: number;
+        /**
+         * This parameter defines after how many seconds of inactivity the user should be
+         * logged out automatically.
+         *
+         * WARNING: It should be configured on the identity server side
+         * as it's the authoritative source for security policies and not the client.
+         * If you don't provide this parameter it will be inferred from the refresh token expiration time.
+         * Some provider however don't issue a refresh token or do not correctly set the
+         * expiration time. This parameter enable you to hard code the value to compensate
+         * the shortcoming of your auth server.
+         * */
+        idleSessionLifetimeInSeconds?: number;
+        /**
+         * The scopes being requested from the OIDC/OAuth2 provider (default: `["profile"]`
+         * (the scope "openid" is added automatically as it's mandatory)
+         **/
+        scopes?: string[];
+        /**
+         * Transform the url (authorization endpoint) before redirecting to the login pages.
+         *
+         * The isSilent parameter is true when the redirect is initiated in the background iframe for silent signin.
+         * This can be used to omit ui related query parameters (like `ui_locales`).
+         */
+        transformUrlBeforeRedirect?: (params: {
+            authorizationUrl: string;
+            isSilent: boolean;
+        }) => string;
+        /**
+         * Extra query params to be added to the authorization endpoint url before redirecting or silent signing in.
+         * You can provide a function that returns those extra query params, it will be called
+         * when login() is called.
+         *
+         * Example: extraQueryParams: ()=> ({ ui_locales: "fr" })
+         *
+         * This parameter can also be passed to login() directly.
+         */
+        extraQueryParams?: Record<string, string | undefined> | ((params: {
+            isSilent: boolean;
+            url: string;
+        }) => Record<string, string | undefined>);
+        /**
+         * Extra body params to be added to the /token POST request.
+         *
+         * It will be used when for the initial request, whenever the token is getting refreshed and if you call `renewTokens()`.
+         * You can also provide this parameter directly to the `renewTokens()` method.
+         *
+         * It can be either a string to string record or a function that returns a string to string record.
+         *
+         * Example: extraTokenParams: ()=> ({ selectedCustomer: "xxx" })
+         *          extraTokenParams: { selectedCustomer: "xxx" }
+         */
+        extraTokenParams?: Record<string, string | undefined> | (() => Record<string, string | undefined>);
+        /**
+         * Default: false
+         *
+         * See: https://docs.oidc-spa.dev/v/v8/resources/iframe-related-issues
+         */
+        noIframe?: boolean;
+        debugLogs?: boolean;
+        /**
+         * WARNING: This option exists solely as a workaround
+         * for limitations in the Google OAuth API.
+         * See: https://docs.oidc-spa.dev/providers-configuration/google-oauth
+         *
+         * Do not use this for other providers.
+         * If you think you need a client secret in a SPA, you are likely
+         * trying to use a confidential (private) client in the browser,
+         * which is insecure and not supported.
+         */
+        __unsafe_clientSecret?: string;
+        /**
+         * This option should only be used as a last resort.
+         *
+         * If your OIDC provider is correctly configured, this should not be necessary.
+         *
+         * The metadata is normally retrieved automatically from:
+         * `${issuerUri}/.well-known/openid-configuration`
+         *
+         * Use this only if that endpoint is not accessible (e.g. due to missing CORS headers
+         * or non-standard deployments), and you cannot fix the server-side configuration.
+         */
+        __metadata?: Partial<OidcMetadata>;
+        /**
+         *  WARNING: Setting this to true is a workaround for provider
+         *  like Google OAuth that don't support JWT access token.
+         *  Use at your own risk, this is a hack.
+         */
+        __unsafe_useIdTokenAsAccessToken?: boolean;
+        /**
+         * Let's you override the params passed to
+         * (if you weren't able to provide it)
+         */
+        BASE_URL?: string;
+    } & (AutoLogin extends true ? {} : {});
+    type Mock<AutoLogin, DecodedIdToken> = {
+        implementation: "mock";
+        issuerUri_mock?: string;
+        clientId_mock?: string;
+        decodedIdToken_mock?: DecodedIdToken;
+        /**
+         * Let's you override the params passed to
+         * (if you weren't able to provide it)
+         */
+        BASE_URL?: string;
+    } & (AutoLogin extends true ? {
+        isUserInitiallyLoggedIn?: true;
+    } : {
+        isUserInitiallyLoggedIn: boolean;
+    });
+}
+export type OidcSpaApi<AutoLogin, DecodedIdToken> = {
+    bootstrapOidc: (params: ParamsOfBootstrap<AutoLogin, DecodedIdToken>) => void;
+    useOidc: AutoLogin extends true ? UseOidc.WithAutoLogin<DecodedIdToken> : UseOidc<DecodedIdToken>;
+    getOidc: AutoLogin extends true ? GetOidc.WithAutoLogin<DecodedIdToken> : GetOidc<DecodedIdToken>;
+} & (AutoLogin extends true ? {
+    OidcInitializationErrorGate: (props: {
+        errorComponent: ComponentType<{
+            oidcInitializationError: OidcInitializationError;
+        }>;
+        children: ReactNode;
+    }) => ReactNode;
+} : {
+    enforceLogin: (loaderContext: {
+        request?: {
+            url?: string;
+        };
+        cause?: "preload" | string;
+        location?: {
+            href?: string;
+        };
+    }) => Promise<void | never>;
+    withLoginEnforced: <Props extends Record<string, unknown>>(component: ComponentType<Props>) => (props: Props) => ReactNode;
+});

package/react-spa/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/react-spa/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/react-spa/types.tsx"],"names":[],"mappings":""}

package/src/angular.ts

@@ -150,7 +150,7 @@ export type ParamsOfProvide = {
 assert<
     Equals<
         Omit<ParamsOfProvide, "autoLogoutWarningDurationSeconds">,
-        Omit<ParamsOfCreateOidc<any, boolean>, "homeUrl" | "decodedIdTokenSchema">
+        Omit<ParamsOfCreateOidc<any, boolean>, "homeUrl" | "BASE_URL" | "decodedIdTokenSchema">
     >
 >;
 

package/src/core/BASE_URL.ts

@@ -0,0 +1,9 @@
+let BASE_URL: string | undefined = undefined;
+
+export function getBASE_URL() {
+    return BASE_URL;
+}
+
+export function setBASE_URL(params: { BASE_URL: string }) {
+    BASE_URL = params.BASE_URL;
+}

package/src/core/OidcMetadata.ts

@@ -1,5 +1,6 @@
 import { type OidcMetadata as OidcClientTsOidcMetadata } from "../vendor/frontend/oidc-client-ts";
 import { assert, type Equals } from "../tools/tsafe/assert";
+import { getIsLikelyDevServer } from "../tools/isLikelyDevServer";
 
 /**
  * OpenID Providers have metadata describing their configuration.
@@ -269,3 +270,77 @@ export type OidcMetadata = {
 };
 
 assert<Equals<OidcMetadata, OidcClientTsOidcMetadata>>;
+
+export const WELL_KNOWN_PATH = "/.well-known/openid-configuration";
+
+function getSessionStorageKey(params: { issuerUri: string }) {
+    const { issuerUri } = params;
+
+    return `oidc-spa:openid-configuration:${issuerUri}`;
+}
+
+function readSessionStorage(params: { issuerUri: string }) {
+    const { issuerUri } = params;
+
+    const value = sessionStorage.getItem(getSessionStorageKey({ issuerUri }));
+
+    if (value === null) {
+        return undefined;
+    }
+
+    return JSON.parse(value) as Partial<OidcClientTsOidcMetadata>;
+}
+
+function setSessionStorage(params: { issuerUri: string; oidcMetadata: Partial<OidcMetadata> }): void {
+    const { issuerUri, oidcMetadata } = params;
+
+    sessionStorage.setItem(getSessionStorageKey({ issuerUri }), JSON.stringify(oidcMetadata));
+}
+
+export async function fetchOidcMetadata(params: { issuerUri: string }) {
+    const { issuerUri } = params;
+
+    from_cache: {
+        const oidcMetadata = readSessionStorage({ issuerUri });
+
+        if (oidcMetadata === undefined) {
+            break from_cache;
+        }
+
+        return oidcMetadata;
+    }
+
+    let oidcMetadata: Partial<OidcMetadata>;
+
+    try {
+        const response = await fetch(`${issuerUri}${WELL_KNOWN_PATH}`, {
+            headers: {
+                Accept: "application/jwk-set+json, application/json"
+            }
+        });
+
+        if (!response.ok) {
+            throw new Error();
+        }
+
+        const obj = await response.json();
+
+        {
+            const { authorization_endpoint } = obj;
+
+            if (typeof authorization_endpoint !== "string") {
+                throw new Error();
+            }
+        }
+
+        oidcMetadata = obj;
+    } catch {
+        return undefined;
+    }
+
+    if (!getIsLikelyDevServer()) {
+        setSessionStorage({ issuerUri, oidcMetadata });
+    }
+
+    return oidcMetadata;
+}