oidc-spa 8.1.7-rc.1 → 8.1.8
- package/core/createOidc.js +1 -1
- package/core/earlyInit.js +6 -3
- package/core/earlyInit.js.map +1 -1
- package/core/iframeMessageProtection.d.ts +16 -8
- package/core/iframeMessageProtection.js +76 -37
- package/core/iframeMessageProtection.js.map +1 -1
- package/core/loginSilent.js +28 -10
- package/core/loginSilent.js.map +1 -1
- package/esm/core/createOidc.js +1 -1
- package/esm/core/earlyInit.js +7 -4
- package/esm/core/earlyInit.js.map +1 -1
- package/esm/core/iframeMessageProtection.d.ts +16 -8
- package/esm/core/iframeMessageProtection.js +74 -36
- package/esm/core/iframeMessageProtection.js.map +1 -1
- package/esm/core/loginSilent.js +28 -10
- package/esm/core/loginSilent.js.map +1 -1
- package/esm/tools/isBrowser.d.ts +1 -0
- package/esm/tools/isBrowser.js +4 -0
- package/esm/tools/isBrowser.js.map +1 -0
- package/package.json +1 -1
- package/src/core/earlyInit.ts +10 -4
- package/src/core/iframeMessageProtection.ts +103 -52
- package/src/core/loginSilent.ts +50 -14
- package/src/tools/isBrowser.ts +4 -0
- package/tools/isBrowser.d.ts +1 -0
- package/tools/isBrowser.js +7 -0
- package/tools/isBrowser.js.map +1 -0
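--- a/package/core/createOidc.js
+++ b/package/core/createOidc.js
@@ -65,7 +65,7 @@ const isKeycloak_1 = require("../keycloak/isKeycloak");
 const INFINITY_TIME_1 = require("../tools/INFINITY_TIME");
 const getIsValidRemoteJson_1 = require("../tools/getIsValidRemoteJson");
 // NOTE: Replaced at build time
-const VERSION = "8.1.
+const VERSION = "8.1.8";
 const globalContext = {
 prOidcByConfigId: new Map(),
 hasLogoutBeenCalled: (0, id_1.id)(false),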
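--- a/package/core/earlyInit.js
+++ b/package/core/earlyInit.js
@@ -6,12 +6,17 @@ exports.getRootRelativeOriginalLocationHref = getRootRelativeOriginalLocationHre
 const StateData_1 = require("./StateData");
 const assert_1 = require("../tools/tsafe/assert");
 const iframeMessageProtection_1 = require("./iframeMessageProtection");
+const isBrowser_1 = require("../tools/isBrowser");
 let hasEarlyInitBeenCalled = false;
 function oidcEarlyInit(params) {
 if (hasEarlyInitBeenCalled) {
 throw new Error("oidc-spa: oidcEarlyInit() Should be called only once");
 }
 hasEarlyInitBeenCalled = true;
+if (!isBrowser_1.isBrowser) {
+return { shouldLoadApp: true };
+}
+(0, iframeMessageProtection_1.captureApisForIframeProtection)();
 const { freezeFetch, freezeXMLHttpRequest, freezeWebSocket = false } = params ?? {};
 const { shouldLoadApp } = handleOidcCallback();
 if (shouldLoadApp) {
@@ -135,9 +140,7 @@ function handleOidcCallback() {
 }
 switch (stateData.context) {
 case "iframe":
-(0, iframeMessageProtection_1.
-authResponse
-}).then(({ encryptedMessage }) => parent.postMessage(encryptedMessage, location.origin));
+(0, iframeMessageProtection_1.postEncryptedAuthResponseToParent)({ authResponse });
 return { shouldLoadApp: false };
 case "redirect": {
 redirectAuthResponse = authResponse;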
package/core/earlyInit.js.map
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"earlyInit.js","sourceRoot":"","sources":["../src/core/earlyInit.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"earlyInit.js","sourceRoot":"","sources":["../src/core/earlyInit.ts"],"names":[],"mappings":";;AAYA,sCAqEC;AAID,0DAoBC;AAID,kFAGC;AAhHD,2CAAqE;AACrE,kDAA4D;AAE5D,uEAImC;AACnC,kDAA+C;AAE/C,IAAI,sBAAsB,GAAG,KAAK,CAAC;AAEnC,SAAgB,aAAa,CAAC,MAM7B;IACG,IAAI,sBAAsB,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC5E,CAAC;IAED,sBAAsB,GAAG,IAAI,CAAC;IAE9B,IAAI,CAAC,qBAAS,EAAE,CAAC;QACb,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,IAAA,wDAA8B,GAAE,CAAC;IAEjC,MAAM,EAAE,WAAW,EAAE,oBAAoB,EAAE,eAAe,GAAG,KAAK,EAAE,GAAG,MAAM,IAAI,EAAE,CAAC;IAEpF,MAAM,EAAE,aAAa,EAAE,GAAG,kBAAkB,EAAE,CAAC;IAE/C,IAAI,aAAa,EAAE,CAAC;QAChB,IAAI,oBAAoB,EAAE,CAAC;YACvB,MAAM,sBAAsB,GAAG,UAAU,CAAC,cAAc,CAAC;YAEzD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;YAChD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;YAEtC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,gBAAgB,EAAE;gBAChD,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,sBAAsB;aAChC,CAAC,CAAC;QACP,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YACd,MAAM,aAAa,GAAG,UAAU,CAAC,KAAK,CAAC;YAEvC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;YAE7B,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,OAAO,EAAE;gBACvC,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,aAAa;aACvB,CAAC,CAAC;QACP,CAAC;QAED,IAAI,eAAe,EAAE,CAAC;YAClB,MAAM,iBAAiB,GAAG,UAAU,CAAC,SAAS,CAAC;YAE/C,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;YAEjC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,WAAW,EAAE;gBAC3C,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,iBAAiB;aAC3B,CAAC,CAAC;QACP,CAAC;QAED,IAAA,6EAAmD,GAAE,CAAC;IAC1D,CAAC;IAED,OAAO,EAAE,aAAa,EAAE,CAAC;AAC7B,CAAC;AAED,IAAI,oBAAoB,GAA6B,SAAS,CAAC;AAE/D,SAAgB,uBAAuB;IAGnC,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACX;YACI,uBAAuB;YACvB,gCAAgC;YAChC,oEAAoE;SACvE,CAAC,IAAI,CAAC,GAAG,CAAC,CACd,CAAC;IACN,CAAC;IACD,OAAO,oBAAoB,KAAK,SAAS;QACrC,CAAC,CAAC,EAAE,YAAY,EAAE,SAAS,EAAE;QAC7B,CAAC,CAAC;YACI,YAAY,EAAE,oBAAoB;YAClC,iBAAiB,EAAE,GAAG,EAAE;gBACpB,oBAAoB,GAAG,SAAS,CAAC;
YACrC,CAAC;SACJ,CAAC;AACZ,CAAC;AAED,IAAI,gCAAgC,GAAuB,SAAS,CAAC;AAErE,SAAgB,mCAAmC;IAC/C,IAAA,eAAM,EAAC,gCAAgC,KAAK,SAAS,EAAE,QAAQ,CAAC,CAAC;IACjE,OAAO,gCAAgC,CAAC;AAC5C,CAAC;AAED,SAAS,kBAAkB;IACvB,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAEtD,MAAM,sBAAsB,GAAG,CAAC,GAAG,EAAE;QACjC,QAAQ,EAAE,CAAC;YACP,MAAM,kBAAkB,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CACtF,OAAO,CACV,CAAC;YAEF,IAAI,kBAAkB,KAAK,IAAI,EAAE,CAAC;gBAC9B,MAAM,QAAQ,CAAC;YACnB,CAAC;YAED,IAAI,CAAC,IAAA,oCAAwB,EAAC,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,CAAC,EAAE,CAAC;gBAC7E,MAAM,QAAQ,CAAC;YACnB,CAAC;YAED,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAW,CAAC;QAC7E,CAAC;QAED,KAAK,EAAE,CAAC;YACJ,MAAM,kBAAkB,GAAG,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAErE,IAAI,kBAAkB,KAAK,IAAI,EAAE,CAAC;gBAC9B,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,IAAI,CAAC,IAAA,oCAAwB,EAAC,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,CAAC,EAAE,CAAC;gBAC7E,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,IACI,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,IAAI;gBACtD,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC,KAAK,IAAI;gBAC1D,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,KAAK,IAAI,EAC3D,CAAC;gBACC,mFAAmF;gBACnF,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAW,CAAC;QAC1E,CAAC;QAED,OAAO,EAAE,oBAAoB,EAAE,KAAK,EAAW,CAAC;IACpD,CAAC,CAAC,EAAE,CAAC;IAEL,IAAI,CAAC,sBAAsB,CAAC,oBAAoB,EAAE,CAAC;QAC/C,gCAAgC,GAAG,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC7F,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,gCAAgC,GAAG,eAAe,CAAC,QAAQ,CAAC;IAE5D,MAAM,EAAE,YAAY,EAAE,GAAG,CAAC,GAAG,EAAE;QAC3B,MAAM,YAAY,GAAiB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QAEjD,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE;YACvB,QAAQ,sBAAsB,CAAC,YAAY,EAAE,CAAC;gBAC1C,KAAK,UAAU;oBACX,OAAO,IAAI,eAAe,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;gBACvE,KAAK,OAAO;oBACR,OAAO,eAAe,CAAC,YAAY,CAAC;gBACxC;oBACI,IAAA,eAAM,EAA+C,KAAK,CAAC,CAAC;YACpE,CAAC;QACL,CAAC,CAAC,EAAE,CAAC;QAEL,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,
YAAY,EAAE,CAAC;YACtC,YAAY,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QAC9B,CAAC;QAED,IAAA,eAAM,EAAC,YAAY,CAAC,KAAK,KAAK,EAAE,EAAE,QAAQ,CAAC,CAAC;QAE5C,OAAO,EAAE,YAAY,EAAE,CAAC;IAC5B,CAAC,CAAC,EAAE,CAAC;IAEL,MAAM,SAAS,GAAG,IAAA,wBAAY,EAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;IAE3E,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,gCAAgC,CAAC,CAAC;QAC/D,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,QAAQ,SAAS,CAAC,OAAO,EAAE,CAAC;QACxB,KAAK,QAAQ;YACT,IAAA,2DAAiC,EAAC,EAAE,YAAY,EAAE,CAAC,CAAC;YACpD,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;QACpC,KAAK,UAAU,CAAC,CAAC,CAAC;YACd,oBAAoB,GAAG,YAAY,CAAC;YAEpC,MAAM,uBAAuB,GAAG,CAAC,GAAG,EAAE;gBAClC,IAAI,SAAS,CAAC,MAAM,KAAK,OAAO,IAAI,YAAY,CAAC,KAAK,KAAK,kBAAkB,EAAE,CAAC;oBAC5E,OAAO,SAAS,CAAC,2CAA2C,CAAC;gBACjE,CAAC;gBACD,OAAO,SAAS,CAAC,uBAAuB,CAAC;YAC7C,CAAC,CAAC,EAAE,CAAC;YAEL,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,uBAAuB,CAAC,CAAC;YAEtD,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QACnC,CAAC;QACD;YACI,IAAA,eAAM,EAAkC,KAAK,CAAC,CAAC;IACvD,CAAC;AACL,CAAC"}
|
|
@@ -1,12 +1,21 @@
|
|
|
1
1
|
import { type AuthResponse } from "./AuthResponse";
|
|
2
|
+
export declare function captureApisForIframeProtection(): void;
|
|
2
3
|
export declare function preventSessionStorageSetItemOfPublicKeyByThirdParty(): void;
|
|
4
|
+
declare function getIsEncryptedAuthResponse(params: {
|
|
5
|
+
message: unknown;
|
|
6
|
+
stateUrlParamValue: string;
|
|
7
|
+
}): boolean;
|
|
8
|
+
declare function getIsReadyToReadPublicKeyMessage(params: {
|
|
9
|
+
message: unknown;
|
|
10
|
+
stateUrlParamValue: string;
|
|
11
|
+
}): boolean;
|
|
3
12
|
export declare function initIframeMessageProtection(params: {
|
|
4
13
|
stateUrlParamValue: string;
|
|
5
|
-
log: typeof console.log | undefined;
|
|
6
14
|
}): Promise<{
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
15
|
+
getIsReadyToReadPublicKeyMessage: typeof getIsReadyToReadPublicKeyMessage;
|
|
16
|
+
startSessionStoragePublicKeyMaliciousWriteDetection: () => void;
|
|
17
|
+
setSessionStoragePublicKey: () => void;
|
|
18
|
+
getIsEncryptedAuthResponse: typeof getIsEncryptedAuthResponse;
|
|
10
19
|
decodeEncryptedAuth: (params: {
|
|
11
20
|
encryptedAuthResponse: string;
|
|
12
21
|
}) => Promise<{
|
|
@@ -14,8 +23,7 @@ export declare function initIframeMessageProtection(params: {
|
|
|
14
23
|
}>;
|
|
15
24
|
clearSessionStoragePublicKey: () => void;
|
|
16
25
|
}>;
|
|
17
|
-
export declare function
|
|
26
|
+
export declare function postEncryptedAuthResponseToParent(params: {
|
|
18
27
|
authResponse: AuthResponse;
|
|
19
|
-
}): Promise<
|
|
20
|
-
|
|
21
|
-
}>;
|
|
28
|
+
}): Promise<void>;
|
|
29
|
+
export {};
|
|
@@ -1,19 +1,28 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.captureApisForIframeProtection = captureApisForIframeProtection;
|
|
3
4
|
exports.preventSessionStorageSetItemOfPublicKeyByThirdParty = preventSessionStorageSetItemOfPublicKeyByThirdParty;
|
|
4
5
|
exports.initIframeMessageProtection = initIframeMessageProtection;
|
|
5
|
-
exports.
|
|
6
|
+
exports.postEncryptedAuthResponseToParent = postEncryptedAuthResponseToParent;
|
|
6
7
|
const assert_1 = require("../tools/tsafe/assert");
|
|
7
8
|
const asymmetricEncryption_1 = require("../tools/asymmetricEncryption");
|
|
8
|
-
|
|
9
|
-
|
|
9
|
+
let capturedApis = undefined;
|
|
10
|
+
function captureApisForIframeProtection() {
|
|
11
|
+
capturedApis = {
|
|
12
|
+
setItem: Storage.prototype.setItem,
|
|
13
|
+
sessionStorage: window.sessionStorage,
|
|
14
|
+
setTimeout: window.setTimeout,
|
|
15
|
+
alert: window.alert
|
|
16
|
+
};
|
|
17
|
+
}
|
|
10
18
|
const SESSION_STORAGE_PREFIX = "oidc-spa_iframe_authResponse_publicKey_";
|
|
11
19
|
function preventSessionStorageSetItemOfPublicKeyByThirdParty() {
|
|
12
20
|
const setItem_protected = function setItem(key, value) {
|
|
13
21
|
if (key.startsWith(SESSION_STORAGE_PREFIX)) {
|
|
14
22
|
throw new Error("Attack prevented by oidc-spa. You have malicious code running in your system");
|
|
15
23
|
}
|
|
16
|
-
|
|
24
|
+
(0, assert_1.assert)(capturedApis !== undefined);
|
|
25
|
+
return capturedApis.setItem.call(this, key, value);
|
|
17
26
|
};
|
|
18
27
|
{
|
|
19
28
|
const pd = Object.getOwnPropertyDescriptor(Storage.prototype, "setItem");
|
|
@@ -25,64 +34,94 @@ function preventSessionStorageSetItemOfPublicKeyByThirdParty() {
|
|
|
25
34
|
});
|
|
26
35
|
}
|
|
27
36
|
}
|
|
28
|
-
const ENCRYPTED_AUTH_RESPONSES_PREFIX = "oidc-spa_encrypted_authResponse_";
|
|
29
37
|
function getSessionStorageKey(params) {
|
|
30
38
|
const { stateUrlParamValue } = params;
|
|
31
39
|
return `${SESSION_STORAGE_PREFIX}${stateUrlParamValue}`;
|
|
32
40
|
}
|
|
41
|
+
const ENCRYPTED_AUTH_RESPONSES_PREFIX = "oidc-spa_encrypted_authResponse_";
|
|
42
|
+
function getIsEncryptedAuthResponse(params) {
|
|
43
|
+
const { message, stateUrlParamValue } = params;
|
|
44
|
+
return (typeof message === "string" &&
|
|
45
|
+
message.startsWith(`${ENCRYPTED_AUTH_RESPONSES_PREFIX}${stateUrlParamValue}`));
|
|
46
|
+
}
|
|
47
|
+
function getReadyMessage(params) {
|
|
48
|
+
const { stateUrlParamValue } = params;
|
|
49
|
+
return `oidc-spa_ready_to_read_publicKey_${stateUrlParamValue}`;
|
|
50
|
+
}
|
|
51
|
+
function getIsReadyToReadPublicKeyMessage(params) {
|
|
52
|
+
const { message, stateUrlParamValue } = params;
|
|
53
|
+
return message === getReadyMessage({ stateUrlParamValue });
|
|
54
|
+
}
|
|
33
55
|
async function initIframeMessageProtection(params) {
|
|
34
|
-
const { stateUrlParamValue
|
|
56
|
+
const { stateUrlParamValue } = params;
|
|
35
57
|
const { publicKey, privateKey } = await (0, asymmetricEncryption_1.generateKeys)();
|
|
36
58
|
const sessionStorageKey = getSessionStorageKey({ stateUrlParamValue });
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
59
|
+
let timer = undefined;
|
|
60
|
+
function setSessionStoragePublicKey() {
|
|
61
|
+
(0, assert_1.assert)(capturedApis !== undefined);
|
|
62
|
+
const { setItem } = capturedApis;
|
|
63
|
+
setItem.call(capturedApis.sessionStorage, sessionStorageKey, publicKey);
|
|
64
|
+
}
|
|
65
|
+
function startSessionStoragePublicKeyMaliciousWriteDetection() {
|
|
66
|
+
setSessionStoragePublicKey();
|
|
67
|
+
(0, assert_1.assert)(capturedApis !== undefined);
|
|
68
|
+
const { alert, setTimeout } = capturedApis;
|
|
69
|
+
const checkTimeoutCallback = () => {
|
|
70
|
+
if (sessionStorage.getItem(sessionStorageKey) !== publicKey) {
|
|
71
|
+
while (true) {
|
|
72
|
+
alert([
|
|
73
|
+
"⚠️ Security Alert:",
|
|
74
|
+
"oidc-spa detected an attack attempt.",
|
|
75
|
+
"For your safety, please close this tab immediately",
|
|
76
|
+
"and notify the site administrator."
|
|
77
|
+
].join(" "));
|
|
78
|
+
}
|
|
79
|
+
}
|
|
80
|
+
check();
|
|
81
|
+
};
|
|
82
|
+
function check() {
|
|
83
|
+
timer = setTimeout(checkTimeoutCallback, 5);
|
|
84
|
+
}
|
|
85
|
+
check();
|
|
43
86
|
}
|
|
44
87
|
async function decodeEncryptedAuth(params) {
|
|
45
88
|
const { encryptedAuthResponse } = params;
|
|
46
89
|
const { message: authResponse_str } = await (0, asymmetricEncryption_1.asymmetricDecrypt)({
|
|
47
|
-
encryptedMessage: encryptedAuthResponse.slice(ENCRYPTED_AUTH_RESPONSES_PREFIX.length),
|
|
90
|
+
encryptedMessage: encryptedAuthResponse.slice(ENCRYPTED_AUTH_RESPONSES_PREFIX.length + stateUrlParamValue.length),
|
|
48
91
|
privateKey
|
|
49
92
|
});
|
|
50
93
|
const authResponse = JSON.parse(authResponse_str);
|
|
51
94
|
return { authResponse };
|
|
52
95
|
}
|
|
53
96
|
function clearSessionStoragePublicKey() {
|
|
54
|
-
log?.(`Clearing session storage public key at ${sessionStorageKey}`);
|
|
55
97
|
sessionStorage.removeItem(sessionStorageKey);
|
|
56
|
-
|
|
98
|
+
clearTimeout(timer);
|
|
57
99
|
}
|
|
58
|
-
return {
|
|
100
|
+
return {
|
|
101
|
+
getIsReadyToReadPublicKeyMessage,
|
|
102
|
+
startSessionStoragePublicKeyMaliciousWriteDetection,
|
|
103
|
+
setSessionStoragePublicKey,
|
|
104
|
+
getIsEncryptedAuthResponse,
|
|
105
|
+
decodeEncryptedAuth,
|
|
106
|
+
clearSessionStoragePublicKey
|
|
107
|
+
};
|
|
59
108
|
}
|
|
60
|
-
async function
|
|
109
|
+
async function postEncryptedAuthResponseToParent(params) {
|
|
61
110
|
const { authResponse } = params;
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
{
|
|
68
|
-
const publicKey = sessionStorage.getItem(`${getSessionStorageKey({ stateUrlParamValue: authResponse.state })}_alt`);
|
|
69
|
-
console.log(`====> PublicKey_alt_1: ${publicKey}`);
|
|
70
|
-
}
|
|
71
|
-
{
|
|
72
|
-
const publicKey = sessionStorage_original.getItem(`${getSessionStorageKey({ stateUrlParamValue: authResponse.state })}_alt`);
|
|
73
|
-
console.log(`====> PublicKey_alt_2: ${publicKey}`);
|
|
74
|
-
}
|
|
75
|
-
{
|
|
76
|
-
const publicKey = sessionStorage_original.getItem(getSessionStorageKey({ stateUrlParamValue: authResponse.state }));
|
|
77
|
-
console.log(`====> PublicKey_3: ${publicKey}`);
|
|
78
|
-
}
|
|
79
|
-
throw error;
|
|
111
|
+
parent.postMessage(getReadyMessage({ stateUrlParamValue: authResponse.state }), location.origin);
|
|
112
|
+
const readPublicKey = () => sessionStorage.getItem(getSessionStorageKey({ stateUrlParamValue: authResponse.state }));
|
|
113
|
+
await new Promise(resolve => setTimeout(resolve, 2));
|
|
114
|
+
while (readPublicKey() === null) {
|
|
115
|
+
await new Promise(resolve => setTimeout(resolve, 2));
|
|
80
116
|
}
|
|
117
|
+
await new Promise(resolve => setTimeout(resolve, 7));
|
|
118
|
+
const publicKey = readPublicKey();
|
|
119
|
+
(0, assert_1.assert)(publicKey !== null, "2293303");
|
|
81
120
|
const { encryptedMessage: encryptedMessage_withoutPrefix } = await (0, asymmetricEncryption_1.asymmetricEncrypt)({
|
|
82
121
|
publicKey,
|
|
83
122
|
message: JSON.stringify(authResponse)
|
|
84
123
|
});
|
|
85
|
-
const encryptedMessage = `${ENCRYPTED_AUTH_RESPONSES_PREFIX}${encryptedMessage_withoutPrefix}`;
|
|
86
|
-
|
|
124
|
+
const encryptedMessage = `${ENCRYPTED_AUTH_RESPONSES_PREFIX}${authResponse.state}${encryptedMessage_withoutPrefix}`;
|
|
125
|
+
parent.postMessage(encryptedMessage, location.origin);
|
|
87
126
|
}
|
|
88
127
|
//# sourceMappingURL=iframeMessageProtection.js.map
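Review bot: The tamper check in `startSessionStoragePublicKeyMaliciousWriteDetection` reads the stored key through the live `sessionStorage.getItem(sessionStorageKey)`, while every other step of the scheme deliberately goes through `capturedApis` (`setItem.call(capturedApis.sessionStorage, ...)`, the captured `setTimeout`, the captured `alert`). Code that is able to replace `Storage.prototype.setItem` can just as easily wrap `Storage.prototype.getItem` (or redefine `window.sessionStorage`) so that this poll is handed back the genuine `publicKey` while the iframe's own realm reads a substituted one, and the detector would then see nothing. Capture the getter alongside the others — `getItem: Storage.prototype.getItem,` in `captureApisForIframeProtection` — and poll with `capturedApis.getItem.call(capturedApis.sessionStorage, sessionStorageKey) !== publicKey`; `clearSessionStoragePublicKey` has the same exposure through the live `sessionStorage.removeItem` and `clearTimeout`, though that path only affects cleanup. The 5 ms poll here and the 2 ms / 7 ms waits in `postEncryptedAuthResponseToParent` appear to be tuned against each other; a comment on `check()` saying that the iframe's extra delay exists so this poll can observe an overwrite before the key is used would stop the next maintainer from changing one without the other.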
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"iframeMessageProtection.js","sourceRoot":"","sources":["../src/core/iframeMessageProtection.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"iframeMessageProtection.js","sourceRoot":"","sources":["../src/core/iframeMessageProtection.ts"],"names":[],"mappings":";;AAaA,wEAOC;AAID,kHAwBC;AA6BD,kEA6EC;AAED,8EA4BC;AAxLD,kDAA+C;AAC/C,wEAAmG;AAGnG,IAAI,YAAY,GAOE,SAAS,CAAC;AAE5B,SAAgB,8BAA8B;IAC1C,YAAY,GAAG;QACX,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,OAAO;QAClC,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,KAAK,EAAE,MAAM,CAAC,KAAK;KACtB,CAAC;AACN,CAAC;AAED,MAAM,sBAAsB,GAAG,yCAAyC,CAAC;AAEzE,SAAgB,mDAAmD;IAC/D,MAAM,iBAAiB,GAAG,SAAS,OAAO,CAAY,GAAW,EAAE,KAAa;QAC5E,IAAI,GAAG,CAAC,UAAU,CAAC,sBAAsB,CAAC,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CACX,8EAA8E,CACjF,CAAC;QACN,CAAC;QAED,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,OAAO,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IACvD,CAAC,CAAC;IAEF,CAAC;QACG,MAAM,EAAE,GAAG,MAAM,CAAC,wBAAwB,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAEzE,IAAA,eAAM,EAAC,EAAE,KAAK,SAAS,CAAC,CAAC;QAEzB,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,EAAE;YAChD,UAAU,EAAE,EAAE,CAAC,UAAU;YACzB,QAAQ,EAAE,EAAE,CAAC,QAAQ;YACrB,KAAK,EAAE,iBAAiB;SAC3B,CAAC,CAAC;IACP,CAAC;AACL,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAsC;IAChE,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAEtC,OAAO,GAAG,sBAAsB,GAAG,kBAAkB,EAAE,CAAC;AAC5D,CAAC;AAED,MAAM,+BAA+B,GAAG,kCAAkC,CAAC;AAE3E,SAAS,0BAA0B,CAAC,MAAwD;IACxF,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAE/C,OAAO,CACH,OAAO,OAAO,KAAK,QAAQ;QAC3B,OAAO,CAAC,UAAU,CAAC,GAAG,+BAA+B,GAAG,kBAAkB,EAAE,CAAC,CAChF,CAAC;AACN,CAAC;AAED,SAAS,eAAe,CAAC,MAAsC;IAC3D,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IACtC,OAAO,oCAAoC,kBAAkB,EAAE,CAAC;AACpE,CAAC;AAED,SAAS,gCAAgC,CAAC,MAAwD;IAC9F,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAC/C,OAAO,OAAO,KAAK,eAAe,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC;AAC/D,CAAC;AAEM,KAAK,UAAU,2BAA2B,CAAC,MAAsC;IACpF,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAEtC,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,MAAM,IAAA,mCAAY,GAAE,CAAC;IAEvD,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAEvE,IAAI,KAAK,GAAuB,SAAS,CAAC;IAE1C,SAAS,0BAA0B;QAC/B,IAAA,eAAM,EAAC,YA
AY,KAAK,SAAS,CAAC,CAAC;QAEnC,MAAM,EAAE,OAAO,EAAE,GAAG,YAAY,CAAC;QAEjC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,iBAAiB,EAAE,SAAS,CAAC,CAAC;IAC5E,CAAC;IAED,SAAS,mDAAmD;QACxD,0BAA0B,EAAE,CAAC;QAE7B,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,YAAY,CAAC;QAE3C,MAAM,oBAAoB,GAAG,GAAG,EAAE;YAC9B,IAAI,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,KAAK,SAAS,EAAE,CAAC;gBAC1D,OAAO,IAAI,EAAE,CAAC;oBACV,KAAK,CACD;wBACI,oBAAoB;wBACpB,sCAAsC;wBACtC,oDAAoD;wBACpD,oCAAoC;qBACvC,CAAC,IAAI,CAAC,GAAG,CAAC,CACd,CAAC;gBACN,CAAC;YACL,CAAC;YACD,KAAK,EAAE,CAAC;QACZ,CAAC,CAAC;QAEF,SAAS,KAAK;YACV,KAAK,GAAG,UAAU,CAAC,oBAAoB,EAAE,CAAC,CAAC,CAAC;QAChD,CAAC;QAED,KAAK,EAAE,CAAC;IACZ,CAAC;IAED,KAAK,UAAU,mBAAmB,CAAC,MAElC;QACG,MAAM,EAAE,qBAAqB,EAAE,GAAG,MAAM,CAAC;QAEzC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,MAAM,IAAA,wCAAiB,EAAC;YAC1D,gBAAgB,EAAE,qBAAqB,CAAC,KAAK,CACzC,+BAA+B,CAAC,MAAM,GAAG,kBAAkB,CAAC,MAAM,CACrE;YACD,UAAU;SACb,CAAC,CAAC;QAEH,MAAM,YAAY,GAAiB,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAEhE,OAAO,EAAE,YAAY,EAAE,CAAC;IAC5B,CAAC;IAED,SAAS,4BAA4B;QACjC,cAAc,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QAC7C,YAAY,CAAC,KAAK,CAAC,CAAC;IACxB,CAAC;IAED,OAAO;QACH,gCAAgC;QAChC,mDAAmD;QACnD,0BAA0B;QAC1B,0BAA0B;QAC1B,mBAAmB;QACnB,4BAA4B;KAC/B,CAAC;AACN,CAAC;AAEM,KAAK,UAAU,iCAAiC,CAAC,MAAsC;IAC1F,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;IAEhC,MAAM,CAAC,WAAW,CAAC,eAAe,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IAEjG,MAAM,aAAa,GAAG,GAAG,EAAE,CACvB,cAAc,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAE7F,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3D,OAAO,aAAa,EAAE,KAAK,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAC/D,CAAC;IAED,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3D,MAAM,SAAS,GAAG,aAAa,EAAE,CAAC;IAElC,IAAA,eAAM,EAAC,SAAS,KAAK,IAAI,EAAE,SAAS,CAAC,CAAC;IAEtC,MAAM,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,GAAG,MAAM,
IAAA,wCAAiB,EAAC;QACjF,SAAS;QACT,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC;KACxC,CAAC,CAAC;IAEH,MAAM,gBAAgB,GAAG,GAAG,+BAA+B,GAAG,YAAY,CAAC,KAAK,GAAG,8BAA8B,EAAE,CAAC;IAEpH,MAAM,CAAC,WAAW,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC1D,CAAC"}
|
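--- a/package/core/loginSilent.js
+++ b/package/core/loginSilent.js
@@ -36,9 +36,8 @@ async function loginSilent(params) {
 const dynamicDelay = rtt * 2.5 + BASE_DELAY_MS / (downlink + 1);
 return Math.max(BASE_DELAY_MS, dynamicDelay);
 })();
-const { decodeEncryptedAuth, getIsEncryptedAuthResponse, clearSessionStoragePublicKey } = await (0, iframeMessageProtection_1.initIframeMessageProtection)({
-stateUrlParamValue: stateUrlParamValue_instance
-log
+const { getIsReadyToReadPublicKeyMessage, startSessionStoragePublicKeyMaliciousWriteDetection, setSessionStoragePublicKey, decodeEncryptedAuth, getIsEncryptedAuthResponse, clearSessionStoragePublicKey } = await (0, iframeMessageProtection_1.initIframeMessageProtection)({
+stateUrlParamValue: stateUrlParamValue_instance
 });
 let clearTimeouts;
 {
@@ -70,24 +69,42 @@ async function loginSilent(params) {
 }
 };
 }
-
+let listener;
+listener = async (event) => {
 if (event.origin !== window.location.origin) {
 return;
 }
-if (!
+if (!getIsReadyToReadPublicKeyMessage({
+stateUrlParamValue: stateUrlParamValue_instance,
 message: event.data
 })) {
 return;
 }
-
+window.removeEventListener("message", listener, false);
+setSessionStoragePublicKey();
+const dEncryptedAuthResponse = new Deferred_1.Deferred();
+listener = event => {
+if (event.origin !== window.location.origin) {
+return;
+}
+const message = event.data;
+if (!getIsEncryptedAuthResponse({
+stateUrlParamValue: stateUrlParamValue_instance,
+message
+})) {
+return;
+}
+window.removeEventListener("message", listener);
+dEncryptedAuthResponse.resolve(message);
+};
+window.addEventListener("message", listener, false);
+const encryptedAuthResponse = await dEncryptedAuthResponse.pr;
+const { authResponse } = await decodeEncryptedAuth({ encryptedAuthResponse });
 const stateData = (0, StateData_1.getStateData)({ stateUrlParamValue: authResponse.state });
 (0, assert_1.assert)(stateData !== undefined, "765645");
 (0, assert_1.assert)(stateData.context === "iframe", "250711");
-
-return;
-}
+(0, assert_1.assert)(stateData.configId === configId, "4922732");
 clearTimeouts({ wasSuccess: true });
-window.removeEventListener("message", listener);
 dResult.resolve({
 outcome: "got auth response from iframe",
 authResponse
@@ -115,6 +132,7 @@ async function loginSilent(params) {
 }
 return url;
 };
+startSessionStoragePublicKeyMaliciousWriteDetection();
 oidcClientTsUserManager
 .signinSilent({
 state: (0, id_1.id)({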
package/core/loginSilent.js.map
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"loginSilent.js","sourceRoot":"","sources":["../src/core/loginSilent.ts"],"names":[],"mappings":";;AA8BA,
|
|
1
|
+
{"version":3,"file":"loginSilent.js","sourceRoot":"","sources":["../src/core/loginSilent.ts"],"names":[],"mappings":";;AA8BA,kCAsQC;AAhSD,gDAA6C;AAC7C,kDAA+C;AAC/C,0CAAuC;AACvC,4DAAyD;AACzD,2CAA4E;AAC5E,kEAA+D;AAC/D,0CAA0C;AAE1C,8DAAkE;AAClE,uEAAwE;AACxE,sDAAmD;AAgB5C,KAAK,UAAU,WAAW,CAAC,MAgBjC;IACG,MAAM,EACF,uBAAuB,EACvB,2BAA2B,EAC3B,QAAQ,EACR,0BAA0B,EAC1B,mBAAmB,EACnB,mBAAmB,EACnB,SAAS,EACT,GAAG,EACN,GAAG,MAAM,CAAC;IAEX,kBAAkB,EAAE,CAAC;QACjB,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,IAAA,yBAAW,GAAE,CAAC;QAC7C,IAAI,QAAQ,EAAE,CAAC;YACX,MAAM,kBAAkB,CAAC;QAC7B,CAAC;QACD,GAAG,EAAE,CAAC,wFAAwF,CAAC,CAAC;QAChG,MAAM,QAAQ,CAAC;IACnB,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,mBAAQ,EAAuB,CAAC;IAEpD,MAAM,cAAc,GAAW,CAAC,GAAG,EAAE;QACjC,MAAM,KAAK,GAAG,IAAA,gBAAQ,GAAE,CAAC;QAEzB,MAAM,cAAc,GAAG,IAAA,qCAAiB,GAAE,CAAC;QAE3C,6DAA6D;QAC7D,MAAM,aAAa,GAAG,KAAK,CAAC,CAAC,CAAC,IAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAM,CAAC,CAAC,CAAC,IAAK,CAAC;QAEjE,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;YAC/B,OAAO,aAAa,CAAC;QACzB,CAAC;QAED,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,cAAc,CAAC;QAEzC,oDAAoD;QACpD,8CAA8C;QAC9C,MAAM,YAAY,GAAG,GAAG,GAAG,GAAG,GAAG,aAAa,GAAG,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;QAEhE,OAAO,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;IACjD,CAAC,CAAC,EAAE,CAAC;IAEL,MAAM,EACF,gCAAgC,EAChC,mDAAmD,EACnD,0BAA0B,EAC1B,mBAAmB,EACnB,0BAA0B,EAC1B,4BAA4B,EAC/B,GAAG,MAAM,IAAA,qDAA2B,EAAC;QAClC,kBAAkB,EAAE,2BAA2B;KAClD,CAAC,CAAC;IAEH,IAAI,aAAwD,CAAC;IAC7D,CAAC;QACG,IAAI,uBAAuB,GAAG,KAAK,CAAC;QAEpC,MAAM,QAAQ,GAAG;YACb,UAAU,CAAC,GAAG,EAAE;gBACZ,OAAO,CAAC,OAAO,CAAC;oBACZ,OAAO,EAAE,SAAS;oBAClB,KAAK,EAAE,SAAS;iBACnB,CAAC,CAAC;YACP,CAAC,EAAE,cAAc,CAAC;YAClB,UAAU,CAAC,GAAG,EAAE;gBACZ,OAAO,CAAC,IAAI,CACR;oBACI,+DAA+D;oBAC/D,2CAA2C;oBAC3C,WAAW,IAAI,CAAC,KAAK,CACjB,cAAc,GAAG,IAAK,CACzB,sCAAsC;oBACvC,yFAAyF;iBAC5F,CAAC,IAAI,CAAC,GAAG,CAAC,CACd,CAAC;gBACF,uBAAuB,GAAG,IAAI,CAAC;YACnC,CAAC,EAAE,IAAK,CAAC;SACZ,CAAC;QAEF,aAAa,GAAG,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE;YAC/B,QAAQ,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;YAC/B,IAAI,UAAU,IAAI,uBAAuB,EAAE,CAAC;gBACxC,
OAAO,CAAC,GAAG,CACP;oBACI,iEAAiE;oBACjE,6CAA6C;iBAChD,CAAC,IAAI,CAAC,GAAG,CAAC,CACd,CAAC;YACN,CAAC;QACL,CAAC,CAAC;IACN,CAAC;IAED,IAAI,QAAuC,CAAC;IAE5C,QAAQ,GAAG,KAAK,EAAE,KAAmB,EAAE,EAAE;QACrC,IAAI,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;YAC1C,OAAO;QACX,CAAC;QAED,IACI,CAAC,gCAAgC,CAAC;YAC9B,kBAAkB,EAAE,2BAA2B;YAC/C,OAAO,EAAE,KAAK,CAAC,IAAI;SACtB,CAAC,EACJ,CAAC;YACC,OAAO;QACX,CAAC;QAED,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;QAEvD,0BAA0B,EAAE,CAAC;QAE7B,MAAM,sBAAsB,GAAG,IAAI,mBAAQ,EAAU,CAAC;QAEtD,QAAQ,GAAG,KAAK,CAAC,EAAE;YACf,IAAI,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;gBAC1C,OAAO;YACX,CAAC;YAED,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC;YAE3B,IACI,CAAC,0BAA0B,CAAC;gBACxB,kBAAkB,EAAE,2BAA2B;gBAC/C,OAAO;aACV,CAAC,EACJ,CAAC;gBACC,OAAO;YACX,CAAC;YAED,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YAEhD,sBAAsB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5C,CAAC,CAAC;QAEF,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;QAEpD,MAAM,qBAAqB,GAAG,MAAM,sBAAsB,CAAC,EAAE,CAAC;QAE9D,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,mBAAmB,CAAC,EAAE,qBAAqB,EAAE,CAAC,CAAC;QAE9E,MAAM,SAAS,GAAG,IAAA,wBAAY,EAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;QAE3E,IAAA,eAAM,EAAC,SAAS,KAAK,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC1C,IAAA,eAAM,EAAC,SAAS,CAAC,OAAO,KAAK,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACjD,IAAA,eAAM,EAAC,SAAS,CAAC,QAAQ,KAAK,QAAQ,EAAE,SAAS,CAAC,CAAC;QAEnD,aAAa,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;QAEpC,OAAO,CAAC,OAAO,CAAC;YACZ,OAAO,EAAE,+BAA+B;YACxC,YAAY;SACf,CAAC,CAAC;IACP,CAAC,CAAC;IAEF,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;IAEpD,MAAM,yBAAyB,GAAG,CAAC,GAAW,EAAE,EAAE;QAC9C,sBAAsB,EAAE,CAAC;YACrB,IAAI,mBAAmB,KAAK,SAAS,EAAE,CAAC;gBACpC,MAAM,sBAAsB,CAAC;YACjC,CAAC;YAED,MAAM,gBAAgB,GAAG,mBAAmB,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;YAEtE,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAC3D,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;oBACtB,SAAS;gBACb,CAAC;gBACD,GAAG,GAAG,IAAA,wCAAsB,EAAC,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,YA
AY,EAAE,UAAU,EAAE,CAAC,CAAC;YACjF,CAAC;QACL,CAAC;QAED,mBAAmB,EAAE,CAAC;YAClB,IAAI,0BAA0B,KAAK,SAAS,EAAE,CAAC;gBAC3C,MAAM,mBAAmB,CAAC;YAC9B,CAAC;YACD,GAAG,GAAG,0BAA0B,CAAC,EAAE,gBAAgB,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QAChF,CAAC;QAED,OAAO,GAAG,CAAC;IACf,CAAC,CAAC;IAEF,mDAAmD,EAAE,CAAC;IAEtD,uBAAuB;SAClB,YAAY,CAAC;QACV,KAAK,EAAE,IAAA,OAAE,EAAmB;YACxB,OAAO,EAAE,QAAQ;YACjB,QAAQ;SACX,CAAC;QACF,6BAA6B,EAAE,cAAc,GAAG,IAAI;QACpD,gBAAgB,EACZ,mBAAmB,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAA,yBAAW,EAAC,mBAAmB,EAAE,CAAC;QACtF,YAAY,EAAE,yBAAyB;KAC1C,CAAC;SACD,IAAI,CACD,gBAAgB,CAAC,EAAE;QACf,IAAA,eAAM,EAAC,gBAAgB,KAAK,IAAI,EAAE,kDAAkD,CAAC,CAAC;QAEtF,aAAa,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;QACpC,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAEhD,OAAO,CAAC,OAAO,CAAC;YACZ,OAAO,EAAE,qCAAqC;YAC9C,gBAAgB;SACnB,CAAC,CAAC;IACP,CAAC,EACD,CAAC,KAAY,EAAE,EAAE;QACb,IAAI,KAAK,CAAC,OAAO,KAAK,iBAAiB,EAAE,CAAC;YACtC,+DAA+D;YAC/D,mCAAmC;YACnC,mEAAmE;YACnE,0CAA0C;YAC1C,yEAAyE;YAEzE,0DAA0D;YAC1D,kEAAkE;YAClE,mEAAmE;YACnE,qBAAqB;YACrB,aAAa,CAAC,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,CAAC;YAErC,OAAO,CAAC,OAAO,CAAC;gBACZ,OAAO,EAAE,SAAS;gBAClB,KAAK,EAAE,sCAAsC;aAChD,CAAC,CAAC;YAEH,OAAO;QACX,CAAC;QAED,yEAAyE;QACzE,qEAAqE;IACzE,CAAC,CACJ,CAAC;IAEN,OAAO,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE;QACrB,4BAA4B,EAAE,CAAC;QAE/B,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;YAC/B,IAAA,2BAAe,EAAC,EAAE,kBAAkB,EAAE,2BAA2B,EAAE,CAAC,CAAC;QACzE,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC,EAAE,CAAC;AACtB,CAAC"}
|
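--- a/package/esm/core/createOidc.js
+++ b/package/esm/core/createOidc.js
@@ -28,7 +28,7 @@ import { isKeycloak } from "../keycloak/isKeycloak";
 import { INFINITY_TIME } from "../tools/INFINITY_TIME";
 import { getIsValidRemoteJson } from "../tools/getIsValidRemoteJson";
 // NOTE: Replaced at build time
-const VERSION = "8.1.
+const VERSION = "8.1.8";
 const globalContext = {
 prOidcByConfigId: new Map(),
 hasLogoutBeenCalled: id(false),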
package/esm/core/earlyInit.js
CHANGED
|
@@ -1,12 +1,17 @@
|
|
|
1
1
|
import { getStateData, getIsStatQueryParamValue } from "./StateData";
|
|
2
2
|
import { assert } from "../tools/tsafe/assert";
|
|
3
|
-
import {
|
|
3
|
+
import { captureApisForIframeProtection, postEncryptedAuthResponseToParent, preventSessionStorageSetItemOfPublicKeyByThirdParty } from "./iframeMessageProtection";
|
|
4
|
+
import { isBrowser } from "../tools/isBrowser";
|
|
4
5
|
let hasEarlyInitBeenCalled = false;
|
|
5
6
|
export function oidcEarlyInit(params) {
|
|
6
7
|
if (hasEarlyInitBeenCalled) {
|
|
7
8
|
throw new Error("oidc-spa: oidcEarlyInit() Should be called only once");
|
|
8
9
|
}
|
|
9
10
|
hasEarlyInitBeenCalled = true;
|
|
11
|
+
if (!isBrowser) {
|
|
12
|
+
return { shouldLoadApp: true };
|
|
13
|
+
}
|
|
14
|
+
captureApisForIframeProtection();
|
|
10
15
|
const { freezeFetch, freezeXMLHttpRequest, freezeWebSocket = false } = params ?? {};
|
|
11
16
|
const { shouldLoadApp } = handleOidcCallback();
|
|
12
17
|
if (shouldLoadApp) {
|
|
@@ -130,9 +135,7 @@ function handleOidcCallback() {
|
|
|
130
135
|
}
|
|
131
136
|
switch (stateData.context) {
|
|
132
137
|
case "iframe":
|
|
133
|
-
|
|
134
|
-
authResponse
|
|
135
|
-
}).then(({ encryptedMessage }) => parent.postMessage(encryptedMessage, location.origin));
|
|
138
|
+
postEncryptedAuthResponseToParent({ authResponse });
|
|
136
139
|
return { shouldLoadApp: false };
|
|
137
140
|
case "redirect": {
|
|
138
141
|
redirectAuthResponse = authResponse;
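Review bot: The promise returned by `postEncryptedAuthResponseToParent({ authResponse })` in the `"iframe"` case is discarded, so any failure inside it — the `assert(publicKey !== null, "2293303")` that follows the polling loop, or a rejected `asymmetricEncrypt` — surfaces only as an unhandled rejection in the iframe, and the parent learns nothing until its own timeout fires. Consider `void postEncryptedAuthResponseToParent({ authResponse }).catch(error => console.error("oidc-spa: failed to post auth response to parent", error));` so the reason is at least visible in the iframe console. The same discarded call appears in the src/core/earlyInit.ts hunk at `@@ -189,9 +197,7`. handleOidcCallback starts and ends outside this hunk.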
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"earlyInit.js","sourceRoot":"","sources":["../../src/core/earlyInit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,wBAAwB,EAAE,MAAM,aAAa,CAAC;AACrE,OAAO,EAAE,MAAM,EAAe,MAAM,uBAAuB,CAAC;AAE5D,OAAO,EACH,
|
|
1
|
+
{"version":3,"file":"earlyInit.js","sourceRoot":"","sources":["../../src/core/earlyInit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,wBAAwB,EAAE,MAAM,aAAa,CAAC;AACrE,OAAO,EAAE,MAAM,EAAe,MAAM,uBAAuB,CAAC;AAE5D,OAAO,EACH,8BAA8B,EAC9B,iCAAiC,EACjC,mDAAmD,EACtD,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAE/C,IAAI,sBAAsB,GAAG,KAAK,CAAC;AAEnC,MAAM,UAAU,aAAa,CAAC,MAM7B;IACG,IAAI,sBAAsB,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC5E,CAAC;IAED,sBAAsB,GAAG,IAAI,CAAC;IAE9B,IAAI,CAAC,SAAS,EAAE,CAAC;QACb,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,8BAA8B,EAAE,CAAC;IAEjC,MAAM,EAAE,WAAW,EAAE,oBAAoB,EAAE,eAAe,GAAG,KAAK,EAAE,GAAG,MAAM,IAAI,EAAE,CAAC;IAEpF,MAAM,EAAE,aAAa,EAAE,GAAG,kBAAkB,EAAE,CAAC;IAE/C,IAAI,aAAa,EAAE,CAAC;QAChB,IAAI,oBAAoB,EAAE,CAAC;YACvB,MAAM,sBAAsB,GAAG,UAAU,CAAC,cAAc,CAAC;YAEzD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;YAChD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;YAEtC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,gBAAgB,EAAE;gBAChD,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,sBAAsB;aAChC,CAAC,CAAC;QACP,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YACd,MAAM,aAAa,GAAG,UAAU,CAAC,KAAK,CAAC;YAEvC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;YAE7B,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,OAAO,EAAE;gBACvC,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,aAAa;aACvB,CAAC,CAAC;QACP,CAAC;QAED,IAAI,eAAe,EAAE,CAAC;YAClB,MAAM,iBAAiB,GAAG,UAAU,CAAC,SAAS,CAAC;YAE/C,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;YAEjC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,WAAW,EAAE;gBAC3C,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,iBAAiB;aAC3B,CAAC,CAAC;QACP,CAAC;QAED,mDAAmD,EAAE,CAAC;IAC1D,CAAC;IAED,OAAO,EAAE,aAAa,EAAE,CAAC;AAC7B,CAAC;AAED,IAAI,oBAAoB,GAA6B,SAAS,CAAC;AAE/D,MAAM,UAAU,uBAAuB;IAGnC,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACX;YACI,uBAAuB;YACvB,gCAAgC;YAChC,oEAAoE;SACvE,CAAC,IAAI,CAAC,GAAG,CAAC,CACd,CAAC;IACN,CAAC;IACD,OAAO,oBAAoB,KAAK,SAAS;QACrC,CAAC,CAAC
,EAAE,YAAY,EAAE,SAAS,EAAE;QAC7B,CAAC,CAAC;YACI,YAAY,EAAE,oBAAoB;YAClC,iBAAiB,EAAE,GAAG,EAAE;gBACpB,oBAAoB,GAAG,SAAS,CAAC;YACrC,CAAC;SACJ,CAAC;AACZ,CAAC;AAED,IAAI,gCAAgC,GAAuB,SAAS,CAAC;AAErE,MAAM,UAAU,mCAAmC;IAC/C,MAAM,CAAC,gCAAgC,KAAK,SAAS,EAAE,QAAQ,CAAC,CAAC;IACjE,OAAO,gCAAgC,CAAC;AAC5C,CAAC;AAED,SAAS,kBAAkB;IACvB,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAEtD,MAAM,sBAAsB,GAAG,CAAC,GAAG,EAAE;QACjC,QAAQ,EAAE,CAAC;YACP,MAAM,kBAAkB,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CACtF,OAAO,CACV,CAAC;YAEF,IAAI,kBAAkB,KAAK,IAAI,EAAE,CAAC;gBAC9B,MAAM,QAAQ,CAAC;YACnB,CAAC;YAED,IAAI,CAAC,wBAAwB,CAAC,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,CAAC,EAAE,CAAC;gBAC7E,MAAM,QAAQ,CAAC;YACnB,CAAC;YAED,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAW,CAAC;QAC7E,CAAC;QAED,KAAK,EAAE,CAAC;YACJ,MAAM,kBAAkB,GAAG,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAErE,IAAI,kBAAkB,KAAK,IAAI,EAAE,CAAC;gBAC9B,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,IAAI,CAAC,wBAAwB,CAAC,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,CAAC,EAAE,CAAC;gBAC7E,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,IACI,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,IAAI;gBACtD,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC,KAAK,IAAI;gBAC1D,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,KAAK,IAAI,EAC3D,CAAC;gBACC,mFAAmF;gBACnF,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAW,CAAC;QAC1E,CAAC;QAED,OAAO,EAAE,oBAAoB,EAAE,KAAK,EAAW,CAAC;IACpD,CAAC,CAAC,EAAE,CAAC;IAEL,IAAI,CAAC,sBAAsB,CAAC,oBAAoB,EAAE,CAAC;QAC/C,gCAAgC,GAAG,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC7F,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,gCAAgC,GAAG,eAAe,CAAC,QAAQ,CAAC;IAE5D,MAAM,EAAE,YAAY,EAAE,GAAG,CAAC,GAAG,EAAE;QAC3B,MAAM,YAAY,GAAiB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QAEjD,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE;YACvB,QAAQ,sBAAsB,CAAC,YAAY,EAAE,CAAC;gBAC1C,KAAK,UAAU;oBACX,OAAO,IAAI,eAAe,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;gBACvE,KAAK,OAAO;oBACR,OAAO,eAAe,CAAC,YAAY,CAAC;gBACxC;oBACI,MA
AM,CAA+C,KAAK,CAAC,CAAC;YACpE,CAAC;QACL,CAAC,CAAC,EAAE,CAAC;QAEL,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,YAAY,EAAE,CAAC;YACtC,YAAY,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QAC9B,CAAC;QAED,MAAM,CAAC,YAAY,CAAC,KAAK,KAAK,EAAE,EAAE,QAAQ,CAAC,CAAC;QAE5C,OAAO,EAAE,YAAY,EAAE,CAAC;IAC5B,CAAC,CAAC,EAAE,CAAC;IAEL,MAAM,SAAS,GAAG,YAAY,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;IAE3E,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,gCAAgC,CAAC,CAAC;QAC/D,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,QAAQ,SAAS,CAAC,OAAO,EAAE,CAAC;QACxB,KAAK,QAAQ;YACT,iCAAiC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC;YACpD,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;QACpC,KAAK,UAAU,CAAC,CAAC,CAAC;YACd,oBAAoB,GAAG,YAAY,CAAC;YAEpC,MAAM,uBAAuB,GAAG,CAAC,GAAG,EAAE;gBAClC,IAAI,SAAS,CAAC,MAAM,KAAK,OAAO,IAAI,YAAY,CAAC,KAAK,KAAK,kBAAkB,EAAE,CAAC;oBAC5E,OAAO,SAAS,CAAC,2CAA2C,CAAC;gBACjE,CAAC;gBACD,OAAO,SAAS,CAAC,uBAAuB,CAAC;YAC7C,CAAC,CAAC,EAAE,CAAC;YAEL,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,uBAAuB,CAAC,CAAC;YAEtD,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QACnC,CAAC;QACD;YACI,MAAM,CAAkC,KAAK,CAAC,CAAC;IACvD,CAAC;AACL,CAAC"}
|
|
@@ -1,12 +1,21 @@
|
|
|
1
1
|
import { type AuthResponse } from "./AuthResponse";
|
|
2
|
+
export declare function captureApisForIframeProtection(): void;
|
|
2
3
|
export declare function preventSessionStorageSetItemOfPublicKeyByThirdParty(): void;
|
|
4
|
+
declare function getIsEncryptedAuthResponse(params: {
|
|
5
|
+
message: unknown;
|
|
6
|
+
stateUrlParamValue: string;
|
|
7
|
+
}): boolean;
|
|
8
|
+
declare function getIsReadyToReadPublicKeyMessage(params: {
|
|
9
|
+
message: unknown;
|
|
10
|
+
stateUrlParamValue: string;
|
|
11
|
+
}): boolean;
|
|
3
12
|
export declare function initIframeMessageProtection(params: {
|
|
4
13
|
stateUrlParamValue: string;
|
|
5
|
-
log: typeof console.log | undefined;
|
|
6
14
|
}): Promise<{
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
15
|
+
getIsReadyToReadPublicKeyMessage: typeof getIsReadyToReadPublicKeyMessage;
|
|
16
|
+
startSessionStoragePublicKeyMaliciousWriteDetection: () => void;
|
|
17
|
+
setSessionStoragePublicKey: () => void;
|
|
18
|
+
getIsEncryptedAuthResponse: typeof getIsEncryptedAuthResponse;
|
|
10
19
|
decodeEncryptedAuth: (params: {
|
|
11
20
|
encryptedAuthResponse: string;
|
|
12
21
|
}) => Promise<{
|
|
@@ -14,8 +23,7 @@ export declare function initIframeMessageProtection(params: {
|
|
|
14
23
|
}>;
|
|
15
24
|
clearSessionStoragePublicKey: () => void;
|
|
16
25
|
}>;
|
|
17
|
-
export declare function
|
|
26
|
+
export declare function postEncryptedAuthResponseToParent(params: {
|
|
18
27
|
authResponse: AuthResponse;
|
|
19
|
-
}): Promise<
|
|
20
|
-
|
|
21
|
-
}>;
|
|
28
|
+
}): Promise<void>;
|
|
29
|
+
export {};
|
|
@@ -1,14 +1,22 @@
|
|
|
1
1
|
import { assert } from "../tools/tsafe/assert";
|
|
2
2
|
import { asymmetricEncrypt, asymmetricDecrypt, generateKeys } from "../tools/asymmetricEncryption";
|
|
3
|
-
|
|
4
|
-
|
|
3
|
+
let capturedApis = undefined;
|
|
4
|
+
export function captureApisForIframeProtection() {
|
|
5
|
+
capturedApis = {
|
|
6
|
+
setItem: Storage.prototype.setItem,
|
|
7
|
+
sessionStorage: window.sessionStorage,
|
|
8
|
+
setTimeout: window.setTimeout,
|
|
9
|
+
alert: window.alert
|
|
10
|
+
};
|
|
11
|
+
}
|
|
5
12
|
const SESSION_STORAGE_PREFIX = "oidc-spa_iframe_authResponse_publicKey_";
|
|
6
13
|
export function preventSessionStorageSetItemOfPublicKeyByThirdParty() {
|
|
7
14
|
const setItem_protected = function setItem(key, value) {
|
|
8
15
|
if (key.startsWith(SESSION_STORAGE_PREFIX)) {
|
|
9
16
|
throw new Error("Attack prevented by oidc-spa. You have malicious code running in your system");
|
|
10
17
|
}
|
|
11
|
-
|
|
18
|
+
assert(capturedApis !== undefined);
|
|
19
|
+
return capturedApis.setItem.call(this, key, value);
|
|
12
20
|
};
|
|
13
21
|
{
|
|
14
22
|
const pd = Object.getOwnPropertyDescriptor(Storage.prototype, "setItem");
|
|
@@ -20,64 +28,94 @@ export function preventSessionStorageSetItemOfPublicKeyByThirdParty() {
|
|
|
20
28
|
});
|
|
21
29
|
}
|
|
22
30
|
}
|
|
23
|
-
const ENCRYPTED_AUTH_RESPONSES_PREFIX = "oidc-spa_encrypted_authResponse_";
|
|
24
31
|
function getSessionStorageKey(params) {
|
|
25
32
|
const { stateUrlParamValue } = params;
|
|
26
33
|
return `${SESSION_STORAGE_PREFIX}${stateUrlParamValue}`;
|
|
27
34
|
}
|
|
35
|
+
const ENCRYPTED_AUTH_RESPONSES_PREFIX = "oidc-spa_encrypted_authResponse_";
|
|
36
|
+
function getIsEncryptedAuthResponse(params) {
|
|
37
|
+
const { message, stateUrlParamValue } = params;
|
|
38
|
+
return (typeof message === "string" &&
|
|
39
|
+
message.startsWith(`${ENCRYPTED_AUTH_RESPONSES_PREFIX}${stateUrlParamValue}`));
|
|
40
|
+
}
|
|
41
|
+
function getReadyMessage(params) {
|
|
42
|
+
const { stateUrlParamValue } = params;
|
|
43
|
+
return `oidc-spa_ready_to_read_publicKey_${stateUrlParamValue}`;
|
|
44
|
+
}
|
|
45
|
+
function getIsReadyToReadPublicKeyMessage(params) {
|
|
46
|
+
const { message, stateUrlParamValue } = params;
|
|
47
|
+
return message === getReadyMessage({ stateUrlParamValue });
|
|
48
|
+
}
|
|
28
49
|
export async function initIframeMessageProtection(params) {
|
|
29
|
-
const { stateUrlParamValue
|
|
50
|
+
const { stateUrlParamValue } = params;
|
|
30
51
|
const { publicKey, privateKey } = await generateKeys();
|
|
31
52
|
const sessionStorageKey = getSessionStorageKey({ stateUrlParamValue });
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
53
|
+
let timer = undefined;
|
|
54
|
+
function setSessionStoragePublicKey() {
|
|
55
|
+
assert(capturedApis !== undefined);
|
|
56
|
+
const { setItem } = capturedApis;
|
|
57
|
+
setItem.call(capturedApis.sessionStorage, sessionStorageKey, publicKey);
|
|
58
|
+
}
|
|
59
|
+
function startSessionStoragePublicKeyMaliciousWriteDetection() {
|
|
60
|
+
setSessionStoragePublicKey();
|
|
61
|
+
assert(capturedApis !== undefined);
|
|
62
|
+
const { alert, setTimeout } = capturedApis;
|
|
63
|
+
const checkTimeoutCallback = () => {
|
|
64
|
+
if (sessionStorage.getItem(sessionStorageKey) !== publicKey) {
|
|
65
|
+
while (true) {
|
|
66
|
+
alert([
|
|
67
|
+
"⚠️ Security Alert:",
|
|
68
|
+
"oidc-spa detected an attack attempt.",
|
|
69
|
+
"For your safety, please close this tab immediately",
|
|
70
|
+
"and notify the site administrator."
|
|
71
|
+
].join(" "));
|
|
72
|
+
}
|
|
73
|
+
}
|
|
74
|
+
check();
|
|
75
|
+
};
|
|
76
|
+
function check() {
|
|
77
|
+
timer = setTimeout(checkTimeoutCallback, 5);
|
|
78
|
+
}
|
|
79
|
+
check();
|
|
38
80
|
}
|
|
39
81
|
async function decodeEncryptedAuth(params) {
|
|
40
82
|
const { encryptedAuthResponse } = params;
|
|
41
83
|
const { message: authResponse_str } = await asymmetricDecrypt({
|
|
42
|
-
encryptedMessage: encryptedAuthResponse.slice(ENCRYPTED_AUTH_RESPONSES_PREFIX.length),
|
|
84
|
+
encryptedMessage: encryptedAuthResponse.slice(ENCRYPTED_AUTH_RESPONSES_PREFIX.length + stateUrlParamValue.length),
|
|
43
85
|
privateKey
|
|
44
86
|
});
|
|
45
87
|
const authResponse = JSON.parse(authResponse_str);
|
|
46
88
|
return { authResponse };
|
|
47
89
|
}
|
|
48
90
|
function clearSessionStoragePublicKey() {
|
|
49
|
-
log?.(`Clearing session storage public key at ${sessionStorageKey}`);
|
|
50
91
|
sessionStorage.removeItem(sessionStorageKey);
|
|
51
|
-
|
|
92
|
+
clearTimeout(timer);
|
|
52
93
|
}
|
|
53
|
-
return {
|
|
94
|
+
return {
|
|
95
|
+
getIsReadyToReadPublicKeyMessage,
|
|
96
|
+
startSessionStoragePublicKeyMaliciousWriteDetection,
|
|
97
|
+
setSessionStoragePublicKey,
|
|
98
|
+
getIsEncryptedAuthResponse,
|
|
99
|
+
decodeEncryptedAuth,
|
|
100
|
+
clearSessionStoragePublicKey
|
|
101
|
+
};
|
|
54
102
|
}
|
|
55
|
-
export async function
|
|
103
|
+
export async function postEncryptedAuthResponseToParent(params) {
|
|
56
104
|
const { authResponse } = params;
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
{
|
|
63
|
-
const publicKey = sessionStorage.getItem(`${getSessionStorageKey({ stateUrlParamValue: authResponse.state })}_alt`);
|
|
64
|
-
console.log(`====> PublicKey_alt_1: ${publicKey}`);
|
|
65
|
-
}
|
|
66
|
-
{
|
|
67
|
-
const publicKey = sessionStorage_original.getItem(`${getSessionStorageKey({ stateUrlParamValue: authResponse.state })}_alt`);
|
|
68
|
-
console.log(`====> PublicKey_alt_2: ${publicKey}`);
|
|
69
|
-
}
|
|
70
|
-
{
|
|
71
|
-
const publicKey = sessionStorage_original.getItem(getSessionStorageKey({ stateUrlParamValue: authResponse.state }));
|
|
72
|
-
console.log(`====> PublicKey_3: ${publicKey}`);
|
|
73
|
-
}
|
|
74
|
-
throw error;
|
|
105
|
+
parent.postMessage(getReadyMessage({ stateUrlParamValue: authResponse.state }), location.origin);
|
|
106
|
+
const readPublicKey = () => sessionStorage.getItem(getSessionStorageKey({ stateUrlParamValue: authResponse.state }));
|
|
107
|
+
await new Promise(resolve => setTimeout(resolve, 2));
|
|
108
|
+
while (readPublicKey() === null) {
|
|
109
|
+
await new Promise(resolve => setTimeout(resolve, 2));
|
|
75
110
|
}
|
|
111
|
+
await new Promise(resolve => setTimeout(resolve, 7));
|
|
112
|
+
const publicKey = readPublicKey();
|
|
113
|
+
assert(publicKey !== null, "2293303");
|
|
76
114
|
const { encryptedMessage: encryptedMessage_withoutPrefix } = await asymmetricEncrypt({
|
|
77
115
|
publicKey,
|
|
78
116
|
message: JSON.stringify(authResponse)
|
|
79
117
|
});
|
|
80
|
-
const encryptedMessage = `${ENCRYPTED_AUTH_RESPONSES_PREFIX}${encryptedMessage_withoutPrefix}`;
|
|
81
|
-
|
|
118
|
+
const encryptedMessage = `${ENCRYPTED_AUTH_RESPONSES_PREFIX}${authResponse.state}${encryptedMessage_withoutPrefix}`;
|
|
119
|
+
parent.postMessage(encryptedMessage, location.origin);
|
|
82
120
|
}
|
|
83
121
|
//# sourceMappingURL=iframeMessageProtection.js.map
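Review bot: The tamper check in `checkTimeoutCallback` compares against the live `sessionStorage.getItem(sessionStorageKey)` even though the write on the previous lines deliberately goes through the captured `Storage.prototype.setItem`, so the captured-API boundary is only half applied: the comparison is exactly as trustworthy as whatever `Storage.prototype.getItem` is at poll time, which is the same surface the feature is guarding. `readPublicKey` in `postEncryptedAuthResponseToParent` and `sessionStorage.removeItem` / `clearTimeout` in `clearSessionStoragePublicKey` have the same asymmetry. Capturing `getItem`, `removeItem` and `clearTimeout` alongside `setItem` in `captureApisForIframeProtection` (first hunk of this file) and calling them through `capturedApis` closes the gap without changing the protocol; a sketch follows. A one-line comment on why the poll interval is 5 ms and the iframe waits 2 ms / 7 ms (`// NOTE: delays chosen so the parent's write lands before the iframe reads — TODO confirm`) would also help the next maintainer, since the constants are otherwise unexplained.
```javascript
// captureApisForIframeProtection(): also keep the read and clear paths
capturedApis = {
    setItem: Storage.prototype.setItem,
    getItem: Storage.prototype.getItem,
    removeItem: Storage.prototype.removeItem,
    sessionStorage: window.sessionStorage,
    setTimeout: window.setTimeout,
    clearTimeout: window.clearTimeout,
    alert: window.alert
};
// … unchanged: preventSessionStorageSetItemOfPublicKeyByThirdParty, key helpers, initIframeMessageProtection setup …
function startSessionStoragePublicKeyMaliciousWriteDetection() {
    setSessionStoragePublicKey();
    assert(capturedApis !== undefined);
    const { alert, setTimeout, getItem, sessionStorage: capturedSessionStorage } = capturedApis;
    const checkTimeoutCallback = () => {
        if (getItem.call(capturedSessionStorage, sessionStorageKey) !== publicKey) {
// … unchanged: alert loop, check() …
function clearSessionStoragePublicKey() {
    assert(capturedApis !== undefined);
    capturedApis.removeItem.call(capturedApis.sessionStorage, sessionStorageKey);
    capturedApis.clearTimeout(timer);
}
```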
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"iframeMessageProtection.js","sourceRoot":"","sources":["../../src/core/iframeMessageProtection.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAGnG,MAAM,YAAY,GAAG,OAAO,CAAC,SAAS,CAAC,OAAO,CAAC;
|
|
1
|
+
{"version":3,"file":"iframeMessageProtection.js","sourceRoot":"","sources":["../../src/core/iframeMessageProtection.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAGnG,IAAI,YAAY,GAOE,SAAS,CAAC;AAE5B,MAAM,UAAU,8BAA8B;IAC1C,YAAY,GAAG;QACX,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,OAAO;QAClC,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,KAAK,EAAE,MAAM,CAAC,KAAK;KACtB,CAAC;AACN,CAAC;AAED,MAAM,sBAAsB,GAAG,yCAAyC,CAAC;AAEzE,MAAM,UAAU,mDAAmD;IAC/D,MAAM,iBAAiB,GAAG,SAAS,OAAO,CAAY,GAAW,EAAE,KAAa;QAC5E,IAAI,GAAG,CAAC,UAAU,CAAC,sBAAsB,CAAC,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CACX,8EAA8E,CACjF,CAAC;QACN,CAAC;QAED,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,OAAO,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IACvD,CAAC,CAAC;IAEF,CAAC;QACG,MAAM,EAAE,GAAG,MAAM,CAAC,wBAAwB,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAEzE,MAAM,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;QAEzB,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,EAAE;YAChD,UAAU,EAAE,EAAE,CAAC,UAAU;YACzB,QAAQ,EAAE,EAAE,CAAC,QAAQ;YACrB,KAAK,EAAE,iBAAiB;SAC3B,CAAC,CAAC;IACP,CAAC;AACL,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAsC;IAChE,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAEtC,OAAO,GAAG,sBAAsB,GAAG,kBAAkB,EAAE,CAAC;AAC5D,CAAC;AAED,MAAM,+BAA+B,GAAG,kCAAkC,CAAC;AAE3E,SAAS,0BAA0B,CAAC,MAAwD;IACxF,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAE/C,OAAO,CACH,OAAO,OAAO,KAAK,QAAQ;QAC3B,OAAO,CAAC,UAAU,CAAC,GAAG,+BAA+B,GAAG,kBAAkB,EAAE,CAAC,CAChF,CAAC;AACN,CAAC;AAED,SAAS,eAAe,CAAC,MAAsC;IAC3D,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IACtC,OAAO,oCAAoC,kBAAkB,EAAE,CAAC;AACpE,CAAC;AAED,SAAS,gCAAgC,CAAC,MAAwD;IAC9F,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAC/C,OAAO,OAAO,KAAK,eAAe,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC;AAC/D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAAC,MAAsC;IACpF,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAEtC,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;IAEvD,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAEvE,IAAI,KAAK,GAAuB,SAAS,CAAC;IAE
1C,SAAS,0BAA0B;QAC/B,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,MAAM,EAAE,OAAO,EAAE,GAAG,YAAY,CAAC;QAEjC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,iBAAiB,EAAE,SAAS,CAAC,CAAC;IAC5E,CAAC;IAED,SAAS,mDAAmD;QACxD,0BAA0B,EAAE,CAAC;QAE7B,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,YAAY,CAAC;QAE3C,MAAM,oBAAoB,GAAG,GAAG,EAAE;YAC9B,IAAI,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,KAAK,SAAS,EAAE,CAAC;gBAC1D,OAAO,IAAI,EAAE,CAAC;oBACV,KAAK,CACD;wBACI,oBAAoB;wBACpB,sCAAsC;wBACtC,oDAAoD;wBACpD,oCAAoC;qBACvC,CAAC,IAAI,CAAC,GAAG,CAAC,CACd,CAAC;gBACN,CAAC;YACL,CAAC;YACD,KAAK,EAAE,CAAC;QACZ,CAAC,CAAC;QAEF,SAAS,KAAK;YACV,KAAK,GAAG,UAAU,CAAC,oBAAoB,EAAE,CAAC,CAAC,CAAC;QAChD,CAAC;QAED,KAAK,EAAE,CAAC;IACZ,CAAC;IAED,KAAK,UAAU,mBAAmB,CAAC,MAElC;QACG,MAAM,EAAE,qBAAqB,EAAE,GAAG,MAAM,CAAC;QAEzC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,MAAM,iBAAiB,CAAC;YAC1D,gBAAgB,EAAE,qBAAqB,CAAC,KAAK,CACzC,+BAA+B,CAAC,MAAM,GAAG,kBAAkB,CAAC,MAAM,CACrE;YACD,UAAU;SACb,CAAC,CAAC;QAEH,MAAM,YAAY,GAAiB,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAEhE,OAAO,EAAE,YAAY,EAAE,CAAC;IAC5B,CAAC;IAED,SAAS,4BAA4B;QACjC,cAAc,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QAC7C,YAAY,CAAC,KAAK,CAAC,CAAC;IACxB,CAAC;IAED,OAAO;QACH,gCAAgC;QAChC,mDAAmD;QACnD,0BAA0B;QAC1B,0BAA0B;QAC1B,mBAAmB;QACnB,4BAA4B;KAC/B,CAAC;AACN,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iCAAiC,CAAC,MAAsC;IAC1F,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;IAEhC,MAAM,CAAC,WAAW,CAAC,eAAe,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IAEjG,MAAM,aAAa,GAAG,GAAG,EAAE,CACvB,cAAc,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAE7F,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3D,OAAO,aAAa,EAAE,KAAK,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAC/D,CAAC;IAED,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3D,MAAM,SAAS,GAAG,aAAa,EAAE,CAAC;IAElC,MAAM,CAAC,SAAS,KAAK,IAAI,EAAE,SAAS,CAAC,CAAC;IAEtC,MAAM,EAAE,gBAAgB
,EAAE,8BAA8B,EAAE,GAAG,MAAM,iBAAiB,CAAC;QACjF,SAAS;QACT,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC;KACxC,CAAC,CAAC;IAEH,MAAM,gBAAgB,GAAG,GAAG,+BAA+B,GAAG,YAAY,CAAC,KAAK,GAAG,8BAA8B,EAAE,CAAC;IAEpH,MAAM,CAAC,WAAW,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC1D,CAAC"}
|
package/esm/core/loginSilent.js
CHANGED
|
@@ -33,9 +33,8 @@ export async function loginSilent(params) {
|
|
|
33
33
|
const dynamicDelay = rtt * 2.5 + BASE_DELAY_MS / (downlink + 1);
|
|
34
34
|
return Math.max(BASE_DELAY_MS, dynamicDelay);
|
|
35
35
|
})();
|
|
36
|
-
const { decodeEncryptedAuth, getIsEncryptedAuthResponse, clearSessionStoragePublicKey } = await initIframeMessageProtection({
|
|
37
|
-
stateUrlParamValue: stateUrlParamValue_instance
|
|
38
|
-
log
|
|
36
|
+
const { getIsReadyToReadPublicKeyMessage, startSessionStoragePublicKeyMaliciousWriteDetection, setSessionStoragePublicKey, decodeEncryptedAuth, getIsEncryptedAuthResponse, clearSessionStoragePublicKey } = await initIframeMessageProtection({
|
|
37
|
+
stateUrlParamValue: stateUrlParamValue_instance
|
|
39
38
|
});
|
|
40
39
|
let clearTimeouts;
|
|
41
40
|
{
|
|
@@ -67,24 +66,42 @@ export async function loginSilent(params) {
|
|
|
67
66
|
}
|
|
68
67
|
};
|
|
69
68
|
}
|
|
70
|
-
|
|
69
|
+
let listener;
|
|
70
|
+
listener = async (event) => {
|
|
71
71
|
if (event.origin !== window.location.origin) {
|
|
72
72
|
return;
|
|
73
73
|
}
|
|
74
|
-
if (!
|
|
74
|
+
if (!getIsReadyToReadPublicKeyMessage({
|
|
75
|
+
stateUrlParamValue: stateUrlParamValue_instance,
|
|
75
76
|
message: event.data
|
|
76
77
|
})) {
|
|
77
78
|
return;
|
|
78
79
|
}
|
|
79
|
-
|
|
80
|
+
window.removeEventListener("message", listener, false);
|
|
81
|
+
setSessionStoragePublicKey();
|
|
82
|
+
const dEncryptedAuthResponse = new Deferred();
|
|
83
|
+
listener = event => {
|
|
84
|
+
if (event.origin !== window.location.origin) {
|
|
85
|
+
return;
|
|
86
|
+
}
|
|
87
|
+
const message = event.data;
|
|
88
|
+
if (!getIsEncryptedAuthResponse({
|
|
89
|
+
stateUrlParamValue: stateUrlParamValue_instance,
|
|
90
|
+
message
|
|
91
|
+
})) {
|
|
92
|
+
return;
|
|
93
|
+
}
|
|
94
|
+
window.removeEventListener("message", listener);
|
|
95
|
+
dEncryptedAuthResponse.resolve(message);
|
|
96
|
+
};
|
|
97
|
+
window.addEventListener("message", listener, false);
|
|
98
|
+
const encryptedAuthResponse = await dEncryptedAuthResponse.pr;
|
|
99
|
+
const { authResponse } = await decodeEncryptedAuth({ encryptedAuthResponse });
|
|
80
100
|
const stateData = getStateData({ stateUrlParamValue: authResponse.state });
|
|
81
101
|
assert(stateData !== undefined, "765645");
|
|
82
102
|
assert(stateData.context === "iframe", "250711");
|
|
83
|
-
|
|
84
|
-
return;
|
|
85
|
-
}
|
|
103
|
+
assert(stateData.configId === configId, "4922732");
|
|
86
104
|
clearTimeouts({ wasSuccess: true });
|
|
87
|
-
window.removeEventListener("message", listener);
|
|
88
105
|
dResult.resolve({
|
|
89
106
|
outcome: "got auth response from iframe",
|
|
90
107
|
authResponse
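Review bot: The first `listener` is an async function whose tail can throw — `decodeEncryptedAuth` rejects if the payload does not decrypt, and the three `assert`s on `stateData` throw on a state or configId mismatch — and nothing catches it, so the failure becomes an unhandled rejection while `dResult` is left to the timeout path. By then the second listener has already removed itself at `window.removeEventListener("message", listener);`, so one message that passes `getIsEncryptedAuthResponse` (same origin, correct prefix and state) but fails decryption ends the attempt without any recorded outcome. Wrapping the part from `const { authResponse } = await decodeEncryptedAuth({ encryptedAuthResponse });` through the asserts in try/catch and resolving `dResult` with an explicit failure outcome (or logging and keeping the listener registered) would make that path observable instead of silent. loginSilent starts and ends outside this hunk.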
|
|
@@ -112,6 +129,7 @@ export async function loginSilent(params) {
|
|
|
112
129
|
}
|
|
113
130
|
return url;
|
|
114
131
|
};
|
|
132
|
+
startSessionStoragePublicKeyMaliciousWriteDetection();
|
|
115
133
|
oidcClientTsUserManager
|
|
116
134
|
.signinSilent({
|
|
117
135
|
state: id({
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"loginSilent.js","sourceRoot":"","sources":["../../src/core/loginSilent.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAC7C,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,EAAE,EAAE,MAAM,mBAAmB,CAAC;AACvC,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,eAAe,EAAkB,MAAM,aAAa,CAAC;AAC5E,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC/D,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAE1C,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,2BAA2B,EAAE,MAAM,2BAA2B,CAAC;AACxE,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAgBnD,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,MAgBjC;IACG,MAAM,EACF,uBAAuB,EACvB,2BAA2B,EAC3B,QAAQ,EACR,0BAA0B,EAC1B,mBAAmB,EACnB,mBAAmB,EACnB,SAAS,EACT,GAAG,EACN,GAAG,MAAM,CAAC;IAEX,kBAAkB,EAAE,CAAC;QACjB,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,WAAW,EAAE,CAAC;QAC7C,IAAI,QAAQ,EAAE,CAAC;YACX,MAAM,kBAAkB,CAAC;QAC7B,CAAC;QACD,GAAG,EAAE,CAAC,wFAAwF,CAAC,CAAC;QAChG,MAAM,QAAQ,CAAC;IACnB,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,QAAQ,EAAuB,CAAC;IAEpD,MAAM,cAAc,GAAW,CAAC,GAAG,EAAE;QACjC,MAAM,KAAK,GAAG,QAAQ,EAAE,CAAC;QAEzB,MAAM,cAAc,GAAG,iBAAiB,EAAE,CAAC;QAE3C,6DAA6D;QAC7D,MAAM,aAAa,GAAG,KAAK,CAAC,CAAC,CAAC,IAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAM,CAAC,CAAC,CAAC,IAAK,CAAC;QAEjE,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;YAC/B,OAAO,aAAa,CAAC;QACzB,CAAC;QAED,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,cAAc,CAAC;QAEzC,oDAAoD;QACpD,8CAA8C;QAC9C,MAAM,YAAY,GAAG,GAAG,GAAG,GAAG,GAAG,aAAa,GAAG,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;QAEhE,OAAO,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;IACjD,CAAC,CAAC,EAAE,CAAC;IAEL,MAAM,
|
|
1
|
+
{"version":3,"file":"loginSilent.js","sourceRoot":"","sources":["../../src/core/loginSilent.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAC7C,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,EAAE,EAAE,MAAM,mBAAmB,CAAC;AACvC,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,eAAe,EAAkB,MAAM,aAAa,CAAC;AAC5E,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC/D,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAE1C,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,2BAA2B,EAAE,MAAM,2BAA2B,CAAC;AACxE,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAgBnD,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,MAgBjC;IACG,MAAM,EACF,uBAAuB,EACvB,2BAA2B,EAC3B,QAAQ,EACR,0BAA0B,EAC1B,mBAAmB,EACnB,mBAAmB,EACnB,SAAS,EACT,GAAG,EACN,GAAG,MAAM,CAAC;IAEX,kBAAkB,EAAE,CAAC;QACjB,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,WAAW,EAAE,CAAC;QAC7C,IAAI,QAAQ,EAAE,CAAC;YACX,MAAM,kBAAkB,CAAC;QAC7B,CAAC;QACD,GAAG,EAAE,CAAC,wFAAwF,CAAC,CAAC;QAChG,MAAM,QAAQ,CAAC;IACnB,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,QAAQ,EAAuB,CAAC;IAEpD,MAAM,cAAc,GAAW,CAAC,GAAG,EAAE;QACjC,MAAM,KAAK,GAAG,QAAQ,EAAE,CAAC;QAEzB,MAAM,cAAc,GAAG,iBAAiB,EAAE,CAAC;QAE3C,6DAA6D;QAC7D,MAAM,aAAa,GAAG,KAAK,CAAC,CAAC,CAAC,IAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAM,CAAC,CAAC,CAAC,IAAK,CAAC;QAEjE,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;YAC/B,OAAO,aAAa,CAAC;QACzB,CAAC;QAED,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,cAAc,CAAC;QAEzC,oDAAoD;QACpD,8CAA8C;QAC9C,MAAM,YAAY,GAAG,GAAG,GAAG,GAAG,GAAG,aAAa,GAAG,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;QAEhE,OAAO,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;IACjD,CAAC,CAAC,EAAE,CAAC;IAEL,MAAM,EACF,gCAAgC,EAChC,mDAAmD,EACnD,0BAA0B,EAC1B,mBAAmB,EACnB,0BAA0B,EAC1B,4BAA4B,EAC/B,GAAG,MAAM,2BAA2B,CAAC;QAClC,kBAAkB,EAAE,2BAA2B;KAClD,CAAC,CAAC;IAEH,IAAI,aAAwD,CAAC;IAC7D,CAAC;QACG,IAAI,uBAAuB,GAAG,KAAK,CAAC;QAEpC,MAAM,QAAQ,GAAG;YACb,UAAU,CAAC,GAAG,EAAE;gBACZ,OAAO,CAAC,OAAO,CAAC;oBACZ,OAAO,EAAE,SAAS;oBAClB,KAAK,EAAE,SAAS;iBACnB,CAAC,CAAC;YACP,CAAC,EAAE,cAAc,CAAC;YAClB,UAAU,CAAC,GAAG,EAAE;gBACZ,OAAO,CAAC,IAAI,CACR;oBACI,+DAA+D;oBAC/D,2CAA2C;oBAC3C,WAAW,IAAI,CAAC,K
AAK,CACjB,cAAc,GAAG,IAAK,CACzB,sCAAsC;oBACvC,yFAAyF;iBAC5F,CAAC,IAAI,CAAC,GAAG,CAAC,CACd,CAAC;gBACF,uBAAuB,GAAG,IAAI,CAAC;YACnC,CAAC,EAAE,IAAK,CAAC;SACZ,CAAC;QAEF,aAAa,GAAG,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE;YAC/B,QAAQ,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;YAC/B,IAAI,UAAU,IAAI,uBAAuB,EAAE,CAAC;gBACxC,OAAO,CAAC,GAAG,CACP;oBACI,iEAAiE;oBACjE,6CAA6C;iBAChD,CAAC,IAAI,CAAC,GAAG,CAAC,CACd,CAAC;YACN,CAAC;QACL,CAAC,CAAC;IACN,CAAC;IAED,IAAI,QAAuC,CAAC;IAE5C,QAAQ,GAAG,KAAK,EAAE,KAAmB,EAAE,EAAE;QACrC,IAAI,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;YAC1C,OAAO;QACX,CAAC;QAED,IACI,CAAC,gCAAgC,CAAC;YAC9B,kBAAkB,EAAE,2BAA2B;YAC/C,OAAO,EAAE,KAAK,CAAC,IAAI;SACtB,CAAC,EACJ,CAAC;YACC,OAAO;QACX,CAAC;QAED,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;QAEvD,0BAA0B,EAAE,CAAC;QAE7B,MAAM,sBAAsB,GAAG,IAAI,QAAQ,EAAU,CAAC;QAEtD,QAAQ,GAAG,KAAK,CAAC,EAAE;YACf,IAAI,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;gBAC1C,OAAO;YACX,CAAC;YAED,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC;YAE3B,IACI,CAAC,0BAA0B,CAAC;gBACxB,kBAAkB,EAAE,2BAA2B;gBAC/C,OAAO;aACV,CAAC,EACJ,CAAC;gBACC,OAAO;YACX,CAAC;YAED,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YAEhD,sBAAsB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5C,CAAC,CAAC;QAEF,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;QAEpD,MAAM,qBAAqB,GAAG,MAAM,sBAAsB,CAAC,EAAE,CAAC;QAE9D,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,mBAAmB,CAAC,EAAE,qBAAqB,EAAE,CAAC,CAAC;QAE9E,MAAM,SAAS,GAAG,YAAY,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;QAE3E,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC1C,MAAM,CAAC,SAAS,CAAC,OAAO,KAAK,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACjD,MAAM,CAAC,SAAS,CAAC,QAAQ,KAAK,QAAQ,EAAE,SAAS,CAAC,CAAC;QAEnD,aAAa,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;QAEpC,OAAO,CAAC,OAAO,CAAC;YACZ,OAAO,EAAE,+BAA+B;YACxC,YAAY;SACf,CAAC,CAAC;IACP,CAAC,CAAC;IAEF,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;IAEpD,MAAM,yBAAyB,GAAG,CAAC,GAAW,EAAE,EAAE;QAC9C,sBAAsB,EAAE,CAAC;YACrB,IAAI,mBAAmB,KAAK,SAAS,EAAE,CAAC;gBACpC,MAAM,sBAAsB,CAAC;YACjC,CAAC;YAED,MAAM,gBAAgB,GAAG,mBAAmB,C
AAC,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;YAEtE,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAC3D,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;oBACtB,SAAS;gBACb,CAAC;gBACD,GAAG,GAAG,sBAAsB,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,UAAU,EAAE,CAAC,CAAC;YACjF,CAAC;QACL,CAAC;QAED,mBAAmB,EAAE,CAAC;YAClB,IAAI,0BAA0B,KAAK,SAAS,EAAE,CAAC;gBAC3C,MAAM,mBAAmB,CAAC;YAC9B,CAAC;YACD,GAAG,GAAG,0BAA0B,CAAC,EAAE,gBAAgB,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QAChF,CAAC;QAED,OAAO,GAAG,CAAC;IACf,CAAC,CAAC;IAEF,mDAAmD,EAAE,CAAC;IAEtD,uBAAuB;SAClB,YAAY,CAAC;QACV,KAAK,EAAE,EAAE,CAAmB;YACxB,OAAO,EAAE,QAAQ;YACjB,QAAQ;SACX,CAAC;QACF,6BAA6B,EAAE,cAAc,GAAG,IAAI;QACpD,gBAAgB,EACZ,mBAAmB,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,mBAAmB,EAAE,CAAC;QACtF,YAAY,EAAE,yBAAyB;KAC1C,CAAC;SACD,IAAI,CACD,gBAAgB,CAAC,EAAE;QACf,MAAM,CAAC,gBAAgB,KAAK,IAAI,EAAE,kDAAkD,CAAC,CAAC;QAEtF,aAAa,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;QACpC,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAEhD,OAAO,CAAC,OAAO,CAAC;YACZ,OAAO,EAAE,qCAAqC;YAC9C,gBAAgB;SACnB,CAAC,CAAC;IACP,CAAC,EACD,CAAC,KAAY,EAAE,EAAE;QACb,IAAI,KAAK,CAAC,OAAO,KAAK,iBAAiB,EAAE,CAAC;YACtC,+DAA+D;YAC/D,mCAAmC;YACnC,mEAAmE;YACnE,0CAA0C;YAC1C,yEAAyE;YAEzE,0DAA0D;YAC1D,kEAAkE;YAClE,mEAAmE;YACnE,qBAAqB;YACrB,aAAa,CAAC,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,CAAC;YAErC,OAAO,CAAC,OAAO,CAAC;gBACZ,OAAO,EAAE,SAAS;gBAClB,KAAK,EAAE,sCAAsC;aAChD,CAAC,CAAC;YAEH,OAAO;QACX,CAAC;QAED,yEAAyE;QACzE,qEAAqE;IACzE,CAAC,CACJ,CAAC;IAEN,OAAO,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE;QACrB,4BAA4B,EAAE,CAAC;QAE/B,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;YAC/B,eAAe,CAAC,EAAE,kBAAkB,EAAE,2BAA2B,EAAE,CAAC,CAAC;QACzE,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC,EAAE,CAAC;AACtB,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export declare const isBrowser: boolean;
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"isBrowser.js","sourceRoot":"","sources":["../../src/tools/isBrowser.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,SAAS,GAClB,OAAO,MAAM,KAAK,WAAW;IAC7B,OAAO,MAAM,CAAC,QAAQ,KAAK,WAAW;IACtC,OAAO,SAAS,KAAK,WAAW,CAAC"}
|
package/package.json
CHANGED
package/src/core/earlyInit.ts
CHANGED
|
@@ -2,9 +2,11 @@ import { getStateData, getIsStatQueryParamValue } from "./StateData";
|
|
|
2
2
|
import { assert, type Equals } from "../tools/tsafe/assert";
|
|
3
3
|
import type { AuthResponse } from "./AuthResponse";
|
|
4
4
|
import {
|
|
5
|
-
|
|
5
|
+
captureApisForIframeProtection,
|
|
6
|
+
postEncryptedAuthResponseToParent,
|
|
6
7
|
preventSessionStorageSetItemOfPublicKeyByThirdParty
|
|
7
8
|
} from "./iframeMessageProtection";
|
|
9
|
+
import { isBrowser } from "../tools/isBrowser";
|
|
8
10
|
|
|
9
11
|
let hasEarlyInitBeenCalled = false;
|
|
10
12
|
|
|
@@ -21,6 +23,12 @@ export function oidcEarlyInit(params: {
|
|
|
21
23
|
|
|
22
24
|
hasEarlyInitBeenCalled = true;
|
|
23
25
|
|
|
26
|
+
if (!isBrowser) {
|
|
27
|
+
return { shouldLoadApp: true };
|
|
28
|
+
}
|
|
29
|
+
|
|
30
|
+
captureApisForIframeProtection();
|
|
31
|
+
|
|
24
32
|
const { freezeFetch, freezeXMLHttpRequest, freezeWebSocket = false } = params ?? {};
|
|
25
33
|
|
|
26
34
|
const { shouldLoadApp } = handleOidcCallback();
|
|
@@ -189,9 +197,7 @@ function handleOidcCallback(): { shouldLoadApp: boolean } {
|
|
|
189
197
|
|
|
190
198
|
switch (stateData.context) {
|
|
191
199
|
case "iframe":
|
|
192
|
-
|
|
193
|
-
authResponse
|
|
194
|
-
}).then(({ encryptedMessage }) => parent.postMessage(encryptedMessage, location.origin));
|
|
200
|
+
postEncryptedAuthResponseToParent({ authResponse });
|
|
195
201
|
return { shouldLoadApp: false };
|
|
196
202
|
case "redirect": {
|
|
197
203
|
redirectAuthResponse = authResponse;
|
|
@@ -2,8 +2,23 @@ import { assert } from "../tools/tsafe/assert";
|
|
|
2
2
|
import { asymmetricEncrypt, asymmetricDecrypt, generateKeys } from "../tools/asymmetricEncryption";
|
|
3
3
|
import { type AuthResponse } from "./AuthResponse";
|
|
4
4
|
|
|
5
|
-
|
|
6
|
-
|
|
5
|
+
let capturedApis:
|
|
6
|
+
| {
|
|
7
|
+
setItem: typeof localStorage.setItem;
|
|
8
|
+
sessionStorage: typeof window.sessionStorage;
|
|
9
|
+
setTimeout: typeof window.setTimeout;
|
|
10
|
+
alert: typeof window.alert;
|
|
11
|
+
}
|
|
12
|
+
| undefined = undefined;
|
|
13
|
+
|
|
14
|
+
export function captureApisForIframeProtection() {
|
|
15
|
+
capturedApis = {
|
|
16
|
+
setItem: Storage.prototype.setItem,
|
|
17
|
+
sessionStorage: window.sessionStorage,
|
|
18
|
+
setTimeout: window.setTimeout,
|
|
19
|
+
alert: window.alert
|
|
20
|
+
};
|
|
21
|
+
}
|
|
7
22
|
|
|
8
23
|
const SESSION_STORAGE_PREFIX = "oidc-spa_iframe_authResponse_publicKey_";
|
|
9
24
|
|
|
@@ -15,7 +30,9 @@ export function preventSessionStorageSetItemOfPublicKeyByThirdParty() {
|
|
|
15
30
|
);
|
|
16
31
|
}
|
|
17
32
|
|
|
18
|
-
|
|
33
|
+
assert(capturedApis !== undefined);
|
|
34
|
+
|
|
35
|
+
return capturedApis.setItem.call(this, key, value);
|
|
19
36
|
};
|
|
20
37
|
|
|
21
38
|
{
|
|
@@ -31,35 +48,78 @@ export function preventSessionStorageSetItemOfPublicKeyByThirdParty() {
|
|
|
31
48
|
}
|
|
32
49
|
}
|
|
33
50
|
|
|
34
|
-
const ENCRYPTED_AUTH_RESPONSES_PREFIX = "oidc-spa_encrypted_authResponse_";
|
|
35
|
-
|
|
36
51
|
function getSessionStorageKey(params: { stateUrlParamValue: string }) {
|
|
37
52
|
const { stateUrlParamValue } = params;
|
|
38
53
|
|
|
39
54
|
return `${SESSION_STORAGE_PREFIX}${stateUrlParamValue}`;
|
|
40
55
|
}
|
|
41
56
|
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
}
|
|
46
|
-
|
|
57
|
+
const ENCRYPTED_AUTH_RESPONSES_PREFIX = "oidc-spa_encrypted_authResponse_";
|
|
58
|
+
|
|
59
|
+
function getIsEncryptedAuthResponse(params: { message: unknown; stateUrlParamValue: string }): boolean {
|
|
60
|
+
const { message, stateUrlParamValue } = params;
|
|
61
|
+
|
|
62
|
+
return (
|
|
63
|
+
typeof message === "string" &&
|
|
64
|
+
message.startsWith(`${ENCRYPTED_AUTH_RESPONSES_PREFIX}${stateUrlParamValue}`)
|
|
65
|
+
);
|
|
66
|
+
}
|
|
67
|
+
|
|
68
|
+
function getReadyMessage(params: { stateUrlParamValue: string }) {
|
|
69
|
+
const { stateUrlParamValue } = params;
|
|
70
|
+
return `oidc-spa_ready_to_read_publicKey_${stateUrlParamValue}`;
|
|
71
|
+
}
|
|
72
|
+
|
|
73
|
+
function getIsReadyToReadPublicKeyMessage(params: { message: unknown; stateUrlParamValue: string }) {
|
|
74
|
+
const { message, stateUrlParamValue } = params;
|
|
75
|
+
return message === getReadyMessage({ stateUrlParamValue });
|
|
76
|
+
}
|
|
77
|
+
|
|
78
|
+
export async function initIframeMessageProtection(params: { stateUrlParamValue: string }) {
|
|
79
|
+
const { stateUrlParamValue } = params;
|
|
47
80
|
|
|
48
81
|
const { publicKey, privateKey } = await generateKeys();
|
|
49
82
|
|
|
50
83
|
const sessionStorageKey = getSessionStorageKey({ stateUrlParamValue });
|
|
51
84
|
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
)
|
|
85
|
+
let timer: number | undefined = undefined;
|
|
86
|
+
|
|
87
|
+
function setSessionStoragePublicKey() {
|
|
88
|
+
assert(capturedApis !== undefined);
|
|
55
89
|
|
|
56
|
-
|
|
57
|
-
|
|
90
|
+
const { setItem } = capturedApis;
|
|
91
|
+
|
|
92
|
+
setItem.call(capturedApis.sessionStorage, sessionStorageKey, publicKey);
|
|
93
|
+
}
|
|
58
94
|
|
|
59
|
-
function
|
|
60
|
-
|
|
95
|
+
function startSessionStoragePublicKeyMaliciousWriteDetection() {
|
|
96
|
+
setSessionStoragePublicKey();
|
|
97
|
+
|
|
98
|
+
assert(capturedApis !== undefined);
|
|
99
|
+
|
|
100
|
+
const { alert, setTimeout } = capturedApis;
|
|
101
|
+
|
|
102
|
+
const checkTimeoutCallback = () => {
|
|
103
|
+
if (sessionStorage.getItem(sessionStorageKey) !== publicKey) {
|
|
104
|
+
while (true) {
|
|
105
|
+
alert(
|
|
106
|
+
[
|
|
107
|
+
"⚠️ Security Alert:",
|
|
108
|
+
"oidc-spa detected an attack attempt.",
|
|
109
|
+
"For your safety, please close this tab immediately",
|
|
110
|
+
"and notify the site administrator."
|
|
111
|
+
].join(" ")
|
|
112
|
+
);
|
|
113
|
+
}
|
|
114
|
+
}
|
|
115
|
+
check();
|
|
116
|
+
};
|
|
117
|
+
|
|
118
|
+
function check() {
|
|
119
|
+
timer = setTimeout(checkTimeoutCallback, 5);
|
|
120
|
+
}
|
|
61
121
|
|
|
62
|
-
|
|
122
|
+
check();
|
|
63
123
|
}
|
|
64
124
|
|
|
65
125
|
async function decodeEncryptedAuth(params: {
|
|
@@ -68,7 +128,9 @@ export async function initIframeMessageProtection(params: {
|
|
|
68
128
|
const { encryptedAuthResponse } = params;
|
|
69
129
|
|
|
70
130
|
const { message: authResponse_str } = await asymmetricDecrypt({
|
|
71
|
-
encryptedMessage: encryptedAuthResponse.slice(
|
|
131
|
+
encryptedMessage: encryptedAuthResponse.slice(
|
|
132
|
+
ENCRYPTED_AUTH_RESPONSES_PREFIX.length + stateUrlParamValue.length
|
|
133
|
+
),
|
|
72
134
|
privateKey
|
|
73
135
|
});
|
|
74
136
|
|
|
@@ -78,57 +140,46 @@ export async function initIframeMessageProtection(params: {
|
|
|
78
140
|
}
|
|
79
141
|
|
|
80
142
|
function clearSessionStoragePublicKey() {
|
|
81
|
-
log?.(`Clearing session storage public key at ${sessionStorageKey}`);
|
|
82
143
|
sessionStorage.removeItem(sessionStorageKey);
|
|
83
|
-
|
|
144
|
+
clearTimeout(timer);
|
|
84
145
|
}
|
|
85
146
|
|
|
86
|
-
return {
|
|
147
|
+
return {
|
|
148
|
+
getIsReadyToReadPublicKeyMessage,
|
|
149
|
+
startSessionStoragePublicKeyMaliciousWriteDetection,
|
|
150
|
+
setSessionStoragePublicKey,
|
|
151
|
+
getIsEncryptedAuthResponse,
|
|
152
|
+
decodeEncryptedAuth,
|
|
153
|
+
clearSessionStoragePublicKey
|
|
154
|
+
};
|
|
87
155
|
}
|
|
88
156
|
|
|
89
|
-
export async function
|
|
157
|
+
export async function postEncryptedAuthResponseToParent(params: { authResponse: AuthResponse }) {
|
|
90
158
|
const { authResponse } = params;
|
|
91
159
|
|
|
92
|
-
|
|
93
|
-
getSessionStorageKey({ stateUrlParamValue: authResponse.state })
|
|
94
|
-
);
|
|
95
|
-
|
|
96
|
-
try {
|
|
97
|
-
assert(publicKey !== null, `2293302 no publicKey for state ${authResponse.state}`);
|
|
98
|
-
} catch (error) {
|
|
99
|
-
{
|
|
100
|
-
const publicKey = sessionStorage.getItem(
|
|
101
|
-
`${getSessionStorageKey({ stateUrlParamValue: authResponse.state })}_alt`
|
|
102
|
-
);
|
|
160
|
+
parent.postMessage(getReadyMessage({ stateUrlParamValue: authResponse.state }), location.origin);
|
|
103
161
|
|
|
104
|
-
|
|
105
|
-
}
|
|
162
|
+
const readPublicKey = () =>
|
|
163
|
+
sessionStorage.getItem(getSessionStorageKey({ stateUrlParamValue: authResponse.state }));
|
|
106
164
|
|
|
107
|
-
|
|
108
|
-
const publicKey = sessionStorage_original.getItem(
|
|
109
|
-
`${getSessionStorageKey({ stateUrlParamValue: authResponse.state })}_alt`
|
|
110
|
-
);
|
|
165
|
+
await new Promise<void>(resolve => setTimeout(resolve, 2));
|
|
111
166
|
|
|
112
|
-
|
|
113
|
-
|
|
167
|
+
while (readPublicKey() === null) {
|
|
168
|
+
await new Promise<void>(resolve => setTimeout(resolve, 2));
|
|
169
|
+
}
|
|
114
170
|
|
|
115
|
-
|
|
116
|
-
const publicKey = sessionStorage_original.getItem(
|
|
117
|
-
getSessionStorageKey({ stateUrlParamValue: authResponse.state })
|
|
118
|
-
);
|
|
171
|
+
await new Promise<void>(resolve => setTimeout(resolve, 7));
|
|
119
172
|
|
|
120
|
-
|
|
121
|
-
}
|
|
173
|
+
const publicKey = readPublicKey();
|
|
122
174
|
|
|
123
|
-
|
|
124
|
-
}
|
|
175
|
+
assert(publicKey !== null, "2293303");
|
|
125
176
|
|
|
126
177
|
const { encryptedMessage: encryptedMessage_withoutPrefix } = await asymmetricEncrypt({
|
|
127
178
|
publicKey,
|
|
128
179
|
message: JSON.stringify(authResponse)
|
|
129
180
|
});
|
|
130
181
|
|
|
131
|
-
const encryptedMessage = `${ENCRYPTED_AUTH_RESPONSES_PREFIX}${encryptedMessage_withoutPrefix}`;
|
|
182
|
+
const encryptedMessage = `${ENCRYPTED_AUTH_RESPONSES_PREFIX}${authResponse.state}${encryptedMessage_withoutPrefix}`;
|
|
132
183
|
|
|
133
|
-
|
|
184
|
+
parent.postMessage(encryptedMessage, location.origin);
|
|
134
185
|
}
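Review bot: The tamper detector in `checkTimeoutCallback` reads the key through the live `sessionStorage.getItem`, while every other step of this protection deliberately goes through `capturedApis` — a third-party script that has patched `Storage.prototype.getItem` (or `sessionStorage.getItem`) in the parent can hand the detector the genuine `publicKey` while the value actually stored, which the iframe reads in its own realm, is the attacker's key. Capture the getter alongside `setItem` (`getItem: Storage.prototype.getItem,` in `captureApisForIframeProtection`, plus the matching type member) and compare `getItem.call(capturedApis.sessionStorage, sessionStorageKey) !== publicKey`; `clearSessionStoragePublicKey` has the same gap with the live `sessionStorage.removeItem` and the newly added `clearTimeout(timer)`. Two smaller points: once the user ticks "prevent additional dialogs", `alert` returns immediately and `while (true)` pins the main thread, which may be the intent but deserves a comment saying so; and in the last hunk `postEncryptedAuthResponseToParent` polls `readPublicKey()` with no upper bound, so an iframe whose parent never writes the key spins forever instead of failing. Whether a same-origin script could instead reach the iframe's realm via `contentWindow` during the 2 ms/7 ms waits is beyond what this hunk shows, so a comment above `initIframeMessageProtection` stating the intended threat model (third-party script in the parent page, presumably) would help reviewers judge the mechanism.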
|
package/src/core/loginSilent.ts
CHANGED
|
@@ -88,11 +88,16 @@ export async function loginSilent(params: {
|
|
|
88
88
|
return Math.max(BASE_DELAY_MS, dynamicDelay);
|
|
89
89
|
})();
|
|
90
90
|
|
|
91
|
-
const {
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
91
|
+
const {
|
|
92
|
+
getIsReadyToReadPublicKeyMessage,
|
|
93
|
+
startSessionStoragePublicKeyMaliciousWriteDetection,
|
|
94
|
+
setSessionStoragePublicKey,
|
|
95
|
+
decodeEncryptedAuth,
|
|
96
|
+
getIsEncryptedAuthResponse,
|
|
97
|
+
clearSessionStoragePublicKey
|
|
98
|
+
} = await initIframeMessageProtection({
|
|
99
|
+
stateUrlParamValue: stateUrlParamValue_instance
|
|
100
|
+
});
|
|
96
101
|
|
|
97
102
|
let clearTimeouts: (params: { wasSuccess: boolean }) => void;
|
|
98
103
|
{
|
|
@@ -133,34 +138,63 @@ export async function loginSilent(params: {
|
|
|
133
138
|
};
|
|
134
139
|
}
|
|
135
140
|
|
|
136
|
-
|
|
141
|
+
let listener: (event: MessageEvent) => void;
|
|
142
|
+
|
|
143
|
+
listener = async (event: MessageEvent) => {
|
|
137
144
|
if (event.origin !== window.location.origin) {
|
|
138
145
|
return;
|
|
139
146
|
}
|
|
140
147
|
|
|
141
148
|
if (
|
|
142
|
-
!
|
|
149
|
+
!getIsReadyToReadPublicKeyMessage({
|
|
150
|
+
stateUrlParamValue: stateUrlParamValue_instance,
|
|
143
151
|
message: event.data
|
|
144
152
|
})
|
|
145
153
|
) {
|
|
146
154
|
return;
|
|
147
155
|
}
|
|
148
156
|
|
|
149
|
-
|
|
157
|
+
window.removeEventListener("message", listener, false);
|
|
158
|
+
|
|
159
|
+
setSessionStoragePublicKey();
|
|
160
|
+
|
|
161
|
+
const dEncryptedAuthResponse = new Deferred<string>();
|
|
162
|
+
|
|
163
|
+
listener = event => {
|
|
164
|
+
if (event.origin !== window.location.origin) {
|
|
165
|
+
return;
|
|
166
|
+
}
|
|
167
|
+
|
|
168
|
+
const message = event.data;
|
|
169
|
+
|
|
170
|
+
if (
|
|
171
|
+
!getIsEncryptedAuthResponse({
|
|
172
|
+
stateUrlParamValue: stateUrlParamValue_instance,
|
|
173
|
+
message
|
|
174
|
+
})
|
|
175
|
+
) {
|
|
176
|
+
return;
|
|
177
|
+
}
|
|
178
|
+
|
|
179
|
+
window.removeEventListener("message", listener);
|
|
180
|
+
|
|
181
|
+
dEncryptedAuthResponse.resolve(message);
|
|
182
|
+
};
|
|
183
|
+
|
|
184
|
+
window.addEventListener("message", listener, false);
|
|
185
|
+
|
|
186
|
+
const encryptedAuthResponse = await dEncryptedAuthResponse.pr;
|
|
187
|
+
|
|
188
|
+
const { authResponse } = await decodeEncryptedAuth({ encryptedAuthResponse });
|
|
150
189
|
|
|
151
190
|
const stateData = getStateData({ stateUrlParamValue: authResponse.state });
|
|
152
191
|
|
|
153
192
|
assert(stateData !== undefined, "765645");
|
|
154
193
|
assert(stateData.context === "iframe", "250711");
|
|
155
|
-
|
|
156
|
-
if (stateData.configId !== configId) {
|
|
157
|
-
return;
|
|
158
|
-
}
|
|
194
|
+
assert(stateData.configId === configId, "4922732");
|
|
159
195
|
|
|
160
196
|
clearTimeouts({ wasSuccess: true });
|
|
161
197
|
|
|
162
|
-
window.removeEventListener("message", listener);
|
|
163
|
-
|
|
164
198
|
dResult.resolve({
|
|
165
199
|
outcome: "got auth response from iframe",
|
|
166
200
|
authResponse
|
|
@@ -195,6 +229,8 @@ export async function loginSilent(params: {
|
|
|
195
229
|
return url;
|
|
196
230
|
};
|
|
197
231
|
|
|
232
|
+
startSessionStoragePublicKeyMaliciousWriteDetection();
|
|
233
|
+
|
|
198
234
|
oidcClientTsUserManager
|
|
199
235
|
.signinSilent({
|
|
200
236
|
state: id<StateData.IFrame>({
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export declare const isBrowser: boolean;
|
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.isBrowser = void 0;
|
|
4
|
+
exports.isBrowser = typeof window !== "undefined" &&
|
|
5
|
+
typeof window.document !== "undefined" &&
|
|
6
|
+
typeof navigator !== "undefined";
|
|
7
|
+
//# sourceMappingURL=isBrowser.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"isBrowser.js","sourceRoot":"","sources":["../src/tools/isBrowser.ts"],"names":[],"mappings":";;;AAAa,QAAA,SAAS,GAClB,OAAO,MAAM,KAAK,WAAW;IAC7B,OAAO,MAAM,CAAC,QAAQ,KAAK,WAAW;IACtC,OAAO,SAAS,KAAK,WAAW,CAAC"}
|