oidc-spa 8.1.9 → 8.1.11

package/src/core/iframeMessageProtection.ts

@@ -93,15 +93,16 @@ export async function initIframeMessageProtection(params: { stateUrlParamValue:
     }
 
     function startSessionStoragePublicKeyMaliciousWriteDetection() {
-        setSessionStoragePublicKey();
-
         assert(capturedApis !== undefined);
 
-        const { /*alert,*/ setTimeout } = capturedApis;
+        const { alert, setTimeout } = capturedApis;
+
+        sessionStorage.removeItem(sessionStorageKey);
 
         const checkTimeoutCallback = () => {
-            if (sessionStorage.getItem(sessionStorageKey) !== publicKey) {
-                /*
+            const publicKey_inStorage = sessionStorage.getItem(sessionStorageKey);
+
+            if (publicKey_inStorage !== null && publicKey_inStorage !== publicKey) {
                 while (true) {
                     alert(
                         [
@@ -112,7 +113,6 @@ export async function initIframeMessageProtection(params: { stateUrlParamValue:
                         ].join(" ")
                     );
                 }
-                */
             }
             check();
         };
@@ -161,20 +161,19 @@ export async function postEncryptedAuthResponseToParent(params: { authResponse:
 
     parent.postMessage(getReadyMessage({ stateUrlParamValue: authResponse.state }), location.origin);
 
-    const readPublicKey = () =>
-        sessionStorage.getItem(getSessionStorageKey({ stateUrlParamValue: authResponse.state }));
-
     await new Promise<void>(resolve => setTimeout(resolve, 2));
 
-    while (readPublicKey() === null) {
-        await new Promise<void>(resolve => setTimeout(resolve, 2));
-    }
+    let publicKey: string | null;
 
-    await new Promise<void>(resolve => setTimeout(resolve, 7));
+    {
+        let sessionStorageKey = getSessionStorageKey({ stateUrlParamValue: authResponse.state });
 
-    const publicKey = readPublicKey();
+        while ((publicKey = sessionStorage.getItem(sessionStorageKey)) === null) {
+            await new Promise<void>(resolve => setTimeout(resolve, 2));
+        }
+    }
 
-    assert(publicKey !== null, "2293303");
+    await new Promise<void>(resolve => setTimeout(resolve, 7));
 
     const { encryptedMessage: encryptedMessage_withoutPrefix } = await asymmetricEncrypt({
         publicKey,

package/src/core/loginOrGoToAuthServer.ts

@@ -355,9 +355,17 @@ export function createLoginOrGoToAuthServer(params: {
                         return new Promise<never>(() => {});
                     }
 
-                    // NOTE: Here, except error on our understanding there can't be any other
-                    // error.
-                    assert(false, "30442320");
+                    if (error.message.includes("Crypto.subtle is available only in secure contexts")) {
+                        throw new Error(
+                            [
+                                `oidc-spa: ${error.message}.`,
+                                "To fix this error see:",
+                                "https://docs.oidc-spa.dev/v/v8/resources/fixing-crypto.subtle-is-available-only-in-secure-contexts-https"
+                            ].join(" ")
+                        );
+                    }
+
+                    assert(false, "224238482");
                 }
             );
     }

package/src/core/loginSilent.ts

@@ -178,6 +178,11 @@ export async function loginSilent(params: {
 
             window.removeEventListener("message", listener);
 
+            // NOTE: Acknowledge that we're also doing it later but
+            // since there's a aggressive write protection in place
+            // it's good to clear the key ASAP.
+            clearSessionStoragePublicKey();
+
             dEncryptedAuthResponse.resolve(message);
         };
 

package/src/core/oidcClientTsUserToTokens.ts

@@ -9,7 +9,7 @@ import { INFINITY_TIME } from "../tools/INFINITY_TIME";
 export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, unknown>>(params: {
     oidcClientTsUser: OidcClientTsUser;
     decodedIdTokenSchema?: {
-        parse: (decodedIdToken_original: Oidc.Tokens.DecodedIdToken_base) => DecodedIdToken;
+        parse: (decodedIdToken_original: Oidc.Tokens.DecodedIdToken_OidcCoreSpec) => DecodedIdToken;
     };
     __unsafe_useIdTokenAsAccessToken: boolean;
     decodedIdToken_previous: DecodedIdToken | undefined;
@@ -33,7 +33,7 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
 
     assert(idToken !== undefined, "No id token provided by the oidc server");
 
-    const decodedIdToken_original = decodeJwt<Oidc.Tokens.DecodedIdToken_base>(idToken);
+    const decodedIdToken_original = decodeJwt<Oidc.Tokens.DecodedIdToken_OidcCoreSpec>(idToken);
 
     if (isFirstInit) {
         log?.(

package/src/core/requiredPostHydrationReplaceNavigationUrl.ts

@@ -0,0 +1,11 @@
+let rootRelativeRedirectUrl: string | undefined = undefined;
+
+export function getOidcRequiredPostHydrationReplaceNavigationUrl() {
+    return { rootRelativeRedirectUrl };
+}
+
+export function setOidcRequiredPostHydrationReplaceNavigationUrl(params: {
+    rootRelativeRedirectUrl: string;
+}) {
+    rootRelativeRedirectUrl = params.rootRelativeRedirectUrl;
+}

package/src/entrypoint.ts

@@ -1 +1,2 @@
 export { oidcEarlyInit } from "./core/earlyInit";
+export { getOidcRequiredPostHydrationReplaceNavigationUrl } from "./core/requiredPostHydrationReplaceNavigationUrl";

package/src/mock/oidc.ts

@@ -32,7 +32,7 @@ const URL_SEARCH_PARAM_NAME = "isUserLoggedIn";
 const locationHref_moduleEvalTime = location.href;
 
 export async function createMockOidc<
-    DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_base,
+    DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_OidcCoreSpec,
     AutoLogin extends boolean = false
 >(
     params: ParamsOfCreateMockOidc<DecodedIdToken, AutoLogin>
@@ -157,7 +157,7 @@ export async function createMockOidc<
                     }),
                 decodedIdToken_original:
                     mockedTokens.decodedIdToken_original ??
-                    createObjectThatThrowsIfAccessed<Oidc.Tokens.DecodedIdToken_base>({
+                    createObjectThatThrowsIfAccessed<Oidc.Tokens.DecodedIdToken_OidcCoreSpec>({
                         debugMessage: [
                             "You haven't provided a mocked decodedIdToken_original",
                             "See https://docs.oidc-spa.dev/v/v8/mock"

package/src/react/react.tsx

@@ -454,7 +454,7 @@ export function createReactOidc_dependencyInjection<
 
 /** @see: https://docs.oidc-spa.dev/v/v8/usage#react-api */
 export function createReactOidc<
-    DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_base,
+    DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_OidcCoreSpec,
     AutoLogin extends boolean = false
 >(params: ValueOrAsyncGetter<ParamsOfCreateOidc<DecodedIdToken, AutoLogin>>) {
     return createReactOidc_dependencyInjection(params, createOidc);

package/src/tanstack-start/react/accessTokenValidation_rfc9068.ts

@@ -0,0 +1,135 @@
+import type { CreateValidateAndGetAccessTokenClaims, ParamsOfBootstrap } from "./types";
+import type { DecodedAccessToken_RFC9068 as AccessTokenClaims_RFC9068 } from "../../backend";
+import type { ZodSchemaLike } from "../../tools/ZodSchemaLike";
+import { createObjectThatThrowsIfAccessed } from "../../tools/createObjectThatThrowsIfAccessed";
+import { assert, type Equals, is } from "../../tools/tsafe/assert";
+
+export function createCreateValidateAndGetAccessTokenClaims_rfc9068<
+    AccessTokenClaims extends Record<string, unknown>
+>(params: {
+    accessTokenClaimsSchema?: ZodSchemaLike<AccessTokenClaims_RFC9068, AccessTokenClaims>;
+    accessTokenClaims_mock?: AccessTokenClaims;
+    expectedAudience?:
+        | string
+        | ((params: {
+              paramsOfBootstrap: ParamsOfBootstrap<boolean, Record<string, unknown>, AccessTokenClaims>;
+          }) => string);
+}) {
+    const {
+        accessTokenClaimsSchema,
+        accessTokenClaims_mock,
+        expectedAudience: expectedAudienceOrGetter
+    } = params;
+
+    const createValidateAndGetAccessTokenClaims: CreateValidateAndGetAccessTokenClaims<
+        AccessTokenClaims
+    > = ({ paramsOfBootstrap }) => {
+        if (paramsOfBootstrap.implementation === "mock") {
+            return {
+                validateAndGetAccessTokenClaims: async () => {
+                    return {
+                        isValid: true,
+                        accessTokenClaims: (() => {
+                            if (paramsOfBootstrap.accessTokenClaims_mock !== undefined) {
+                                assert(is<AccessTokenClaims>(paramsOfBootstrap.accessTokenClaims_mock));
+                                return paramsOfBootstrap.accessTokenClaims_mock;
+                            }
+
+                            if (accessTokenClaims_mock !== undefined) {
+                                return accessTokenClaims_mock;
+                            }
+
+                            return createObjectThatThrowsIfAccessed<AccessTokenClaims>({
+                                debugMessage: [
+                                    "oidc-spa: You didn't provide any mock for the accessTokenClaims",
+                                    "Either provide a default one by specifying accessTokenClaims_mock",
+                                    "as parameter of .withAccessTokenValidation() or",
+                                    "specify accessTokenClaims_mock when calling bootstrapOidc()"
+                                ].join(" ")
+                            });
+                        })()
+                    };
+                }
+            };
+        }
+        assert<Equals<(typeof paramsOfBootstrap)["implementation"], "real">>;
+
+        const prVerifyAndDecodeAccessToken = (async () => {
+            const { createOidcBackend } = await import("../../backend");
+
+            const { verifyAndDecodeAccessToken } = await createOidcBackend({
+                issuerUri: paramsOfBootstrap.issuerUri,
+                decodedAccessTokenSchema: accessTokenClaimsSchema
+            });
+
+            return verifyAndDecodeAccessToken;
+        })();
+
+        const expectedAudience = (() => {
+            if (expectedAudienceOrGetter === undefined) {
+                return undefined;
+            }
+            if (typeof expectedAudienceOrGetter === "function") {
+                return expectedAudienceOrGetter({ paramsOfBootstrap });
+            }
+            return expectedAudienceOrGetter;
+        })();
+
+        return {
+            validateAndGetAccessTokenClaims: async ({ accessToken }) => {
+                const verifyAndDecodeAccessToken = await prVerifyAndDecodeAccessToken;
+
+                const {
+                    isValid,
+                    errorCase,
+                    errorMessage,
+                    decodedAccessToken,
+                    decodedAccessToken_original
+                } = await verifyAndDecodeAccessToken({ accessToken });
+
+                if (!isValid) {
+                    return {
+                        isValid: false,
+                        errorMessage: `${errorCase}: ${errorMessage}`,
+                        wwwAuthenticateHeaderErrorDescription: (() => {
+                            switch (errorCase) {
+                                case "does not respect schema":
+                                    return "The access token is malformed or missing required claims";
+                                case "expired":
+                                    return "The access token expired";
+                                case "invalid signature":
+                                    return "The access token signature is invalid";
+                            }
+                        })()
+                    };
+                }
+
+                if (expectedAudience !== undefined) {
+                    const aud_array =
+                        typeof decodedAccessToken_original.aud === "string"
+                            ? [decodedAccessToken_original.aud]
+                            : decodedAccessToken_original.aud;
+
+                    if (!aud_array.includes(expectedAudience)) {
+                        return {
+                            isValid: false,
+                            errorMessage: [
+                                "Access token is not for the expected audience.",
+                                `Got aud claim: ${JSON.stringify(decodedAccessToken_original.aud)}`,
+                                `Expected: ${expectedAudience}`
+                            ].join(" "),
+                            wwwAuthenticateHeaderErrorDescription: "The access token audience is invalid"
+                        };
+                    }
+                }
+
+                return {
+                    isValid: true,
+                    accessTokenClaims: decodedAccessToken
+                };
+            }
+        };
+    };
+
+    return { createValidateAndGetAccessTokenClaims };
+}

package/src/tanstack-start/react/apiBuilder.ts

@@ -0,0 +1,151 @@
+import type { OidcSpaApi, CreateValidateAndGetAccessTokenClaims, ParamsOfBootstrap } from "./types";
+import type { Oidc as Oidc_core } from "../../core";
+import { assert, type Equals } from "../../tools/tsafe/assert";
+import type { ZodSchemaLike } from "../../tools/ZodSchemaLike";
+import type { DecodedAccessToken_RFC9068 as AccessTokenClaims_RFC9068 } from "../../backend";
+import { createCreateValidateAndGetAccessTokenClaims_rfc9068 } from "./accessTokenValidation_rfc9068";
+import { createOidcSpaApi } from "./createOidcSpaApi";
+
+export type OidcSpaApiBuilder<
+    AutoLogin extends boolean = false,
+    DecodedIdToken extends Record<string, unknown> = Oidc_core.Tokens.DecodedIdToken_OidcCoreSpec,
+    AccessTokenClaims extends Record<string, unknown> | undefined = undefined,
+    ExcludedMethod extends
+        | "withAutoLogin"
+        | "withExpectedDecodedIdTokenShape"
+        | "withAccessTokenValidation"
+        | "finalize" = never
+> = Omit<
+    {
+        withAutoLogin: () => OidcSpaApiBuilder<
+            true,
+            DecodedIdToken,
+            AccessTokenClaims,
+            ExcludedMethod | "withAutoLogin"
+        >;
+        withExpectedDecodedIdTokenShape: <DecodedIdToken extends Record<string, unknown>>(params: {
+            decodedIdTokenSchema: ZodSchemaLike<
+                Oidc_core.Tokens.DecodedIdToken_OidcCoreSpec,
+                DecodedIdToken
+            >;
+            decodedIdToken_mock?: NoInfer<DecodedIdToken>;
+        }) => OidcSpaApiBuilder<
+            AutoLogin,
+            DecodedIdToken,
+            AccessTokenClaims,
+            ExcludedMethod | "withExpectedDecodedIdTokenShape"
+        >;
+        withAccessTokenValidation: {
+            <AccessTokenClaims extends Record<string, unknown> = AccessTokenClaims_RFC9068>(params: {
+                type: "RFC 9068: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens";
+                accessTokenClaimsSchema?: ZodSchemaLike<AccessTokenClaims_RFC9068, AccessTokenClaims>;
+                accessTokenClaims_mock?: NoInfer<AccessTokenClaims>;
+
+                expectedAudience?:
+                    | string
+                    | ((params: {
+                          paramsOfBootstrap: ParamsOfBootstrap<
+                              boolean,
+                              Record<string, unknown>,
+                              AccessTokenClaims
+                          >;
+                      }) => string);
+            }): OidcSpaApiBuilder<
+                AutoLogin,
+                DecodedIdToken,
+                AccessTokenClaims,
+                ExcludedMethod | "withAccessTokenValidation"
+            >;
+            <AccessTokenClaims extends Record<string, unknown>>(params: {
+                type: "custom";
+                createValidateAndGetAccessTokenClaims: CreateValidateAndGetAccessTokenClaims<AccessTokenClaims>;
+            }): OidcSpaApiBuilder<
+                AutoLogin,
+                DecodedIdToken,
+                AccessTokenClaims,
+                ExcludedMethod | "withAccessTokenValidation"
+            >;
+        };
+
+        finalize: () => OidcSpaApi<AutoLogin, DecodedIdToken, AccessTokenClaims>;
+    },
+    ExcludedMethod
+>;
+
+function createOidcSpaApiBuilder<
+    AutoLogin extends boolean = false,
+    DecodedIdToken extends Record<string, unknown> = Oidc_core.Tokens.DecodedIdToken_OidcCoreSpec,
+    AccessTokenClaims extends Record<string, unknown> | undefined = undefined
+>(params: {
+    autoLogin: AutoLogin;
+    decodedIdTokenSchema:
+        | ZodSchemaLike<Oidc_core.Tokens.DecodedIdToken_OidcCoreSpec, DecodedIdToken>
+        | undefined;
+    decodedIdToken_mock: DecodedIdToken | undefined;
+    createValidateAndGetAccessTokenClaims:
+        | CreateValidateAndGetAccessTokenClaims<AccessTokenClaims>
+        | undefined;
+}): OidcSpaApiBuilder<AutoLogin, DecodedIdToken, AccessTokenClaims> {
+    return {
+        withAutoLogin: () =>
+            createOidcSpaApiBuilder({
+                autoLogin: true,
+                decodedIdTokenSchema: params.decodedIdTokenSchema,
+                decodedIdToken_mock: params.decodedIdToken_mock,
+                createValidateAndGetAccessTokenClaims: params.createValidateAndGetAccessTokenClaims
+            }),
+        withExpectedDecodedIdTokenShape: ({ decodedIdTokenSchema, decodedIdToken_mock }) =>
+            createOidcSpaApiBuilder({
+                autoLogin: params.autoLogin,
+                decodedIdTokenSchema,
+                decodedIdToken_mock: decodedIdToken_mock,
+                createValidateAndGetAccessTokenClaims: params.createValidateAndGetAccessTokenClaims
+            }),
+        withAccessTokenValidation: params_scope =>
+            createOidcSpaApiBuilder({
+                autoLogin: params.autoLogin,
+                decodedIdTokenSchema: params.decodedIdTokenSchema,
+                decodedIdToken_mock: params.decodedIdToken_mock,
+                createValidateAndGetAccessTokenClaims: ((): any => {
+                    switch (params_scope.type) {
+                        case "RFC 9068: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens": {
+                            const { accessTokenClaimsSchema, accessTokenClaims_mock, expectedAudience } =
+                                params_scope;
+
+                            const { createValidateAndGetAccessTokenClaims } =
+                                createCreateValidateAndGetAccessTokenClaims_rfc9068<
+                                    Exclude<AccessTokenClaims, undefined>
+                                >({
+                                    // @ts-expect-error
+                                    accessTokenClaims_mock,
+                                    // @ts-expect-error
+                                    accessTokenClaimsSchema,
+                                    expectedAudience
+                                });
+                            return createValidateAndGetAccessTokenClaims;
+                        }
+                        case "custom": {
+                            const { createValidateAndGetAccessTokenClaims } = params_scope;
+                            return createValidateAndGetAccessTokenClaims;
+                        }
+                        default:
+                            assert<Equals<typeof params_scope, never>>(false);
+                    }
+                })()
+            }),
+        finalize: () =>
+            createOidcSpaApi<AutoLogin, DecodedIdToken, AccessTokenClaims>({
+                autoLogin: params.autoLogin,
+                decodedIdTokenSchema: params.decodedIdTokenSchema,
+                decodedIdToken_mock: params.decodedIdToken_mock,
+                createValidateAndGetAccessTokenClaims: params.createValidateAndGetAccessTokenClaims
+            })
+    };
+}
+
+export const oidcSpaApiBuilder = createOidcSpaApiBuilder({
+    autoLogin: false,
+    createValidateAndGetAccessTokenClaims: undefined,
+    decodedIdToken_mock: undefined,
+    decodedIdTokenSchema: undefined
+});