oidc-spa 8.2.11 → 8.2.12
- package/README.md +39 -1
- package/core/createOidc.js +1 -1
- package/core/earlyInit.js +2 -2
- package/core/earlyInit.js.map +1 -1
- package/core/iframeMessageProtection.d.ts +5 -2
- package/core/iframeMessageProtection.js +44 -19
- package/core/iframeMessageProtection.js.map +1 -1
- package/esm/core/createOidc.js +1 -1
- package/esm/core/earlyInit.js +3 -3
- package/esm/core/earlyInit.js.map +1 -1
- package/esm/core/iframeMessageProtection.d.ts +5 -2
- package/esm/core/iframeMessageProtection.js +43 -17
- package/esm/core/iframeMessageProtection.js.map +1 -1
- package/esm/tanstack-start/react/withHandlingOidcPostLoginNavigation.js +13 -2
- package/esm/tanstack-start/react/withHandlingOidcPostLoginNavigation.js.map +1 -1
- package/package.json +1 -1
- package/src/core/earlyInit.ts +5 -7
- package/src/core/iframeMessageProtection.ts +55 -22
- package/src/tanstack-start/react/withHandlingOidcPostLoginNavigation.tsx +13 -2
package/README.md
|
@@ -68,10 +68,48 @@ if (realm_access.roles.includes("realm-admin")) {
|
|
|
68
68
|
}
|
|
69
69
|
```
|
|
70
70
|
|
|
71
|
-
Higher level adapters, example with React
|
|
71
|
+
Higher level adapters, example with React but we also feature similar Angular adapter:
|
|
72
72
|
|
|
73
73
|
<img width="1835" height="942" alt="Image" src="https://github.com/user-attachments/assets/a7a18bbc-998a-459c-8cfa-93b599a45524" />
|
|
74
74
|
|
|
75
|
+
Full Stack Auth solution with [TanStack Start]():
|
|
76
|
+
|
|
77
|
+
```tsx
|
|
78
|
+
import { createServerFn } from "@tanstack/react-start";
|
|
79
|
+
import { enforceLogin, oidcFnMiddleware } from "@/oidc";
|
|
80
|
+
import fs from "node:fs/promises";
|
|
81
|
+
|
|
82
|
+
const getTodos = createServerFn({ method: "GET" })
|
|
83
|
+
.middleware([oidcFnMiddleware({ assert: "user logged in" })])
|
|
84
|
+
.handler(async ({ context: { oidc } }) => {
|
|
85
|
+
const userId = oidc.accessTokenClaims.sub;
|
|
86
|
+
|
|
87
|
+
const json = await fs.readFile(`todos_${userId}.json`, "utf8");
|
|
88
|
+
|
|
89
|
+
return JSON.parse(json);
|
|
90
|
+
});
|
|
91
|
+
|
|
92
|
+
export const Route = createFileRoute("/todos")({
|
|
93
|
+
beforeLoad: enforceLogin,
|
|
94
|
+
loader: () => getTodos(),
|
|
95
|
+
component: RouteComponent
|
|
96
|
+
});
|
|
97
|
+
|
|
98
|
+
function RouteComponent() {
|
|
99
|
+
const todos = Route.useLoaderData();
|
|
100
|
+
|
|
101
|
+
return (
|
|
102
|
+
<ul>
|
|
103
|
+
{todos.map(todo => (
|
|
104
|
+
<li key={todo.id}>
|
|
105
|
+
{todo.isDone && "✅"} {todo.text}
|
|
106
|
+
</li>
|
|
107
|
+
))}
|
|
108
|
+
</ul>
|
|
109
|
+
);
|
|
110
|
+
}
|
|
111
|
+
```
|
|
112
|
+
|
|
75
113
|
## What this is
|
|
76
114
|
|
|
77
115
|
oidc-spa is a framework-agnostic OpenID Connect client for browser-centric web applications implementing the [Authorization Code Flow with PKCE](https://docs.oidc-spa.dev/resources/why-no-client-secret).
|
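--- a/package/core/createOidc.js
+++ b/package/core/createOidc.js
@@ -71,7 +71,7 @@ const instancesThatCantUseIframes_1 = require("./instancesThatCantUseIframes");
 const desiredPostLoginRedirectUrl_1 = require("./desiredPostLoginRedirectUrl");
 const homeAndRedirectUri_1 = require("./homeAndRedirectUri");
 // NOTE: Replaced at build time
-const VERSION = "8.2.
+const VERSION = "8.2.12";
 const globalContext = {
 prOidcByConfigId: new Map(),
 hasLogoutBeenCalled: (0, id_1.id)(false)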
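--- a/package/core/earlyInit.js
+++ b/package/core/earlyInit.js
@@ -19,7 +19,6 @@ function oidcEarlyInit(params) {
 if (!isBrowser_1.isBrowser) {
 return { shouldLoadApp: true };
 }
-(0, iframeMessageProtection_1.captureApisForIframeProtection)();
 const { freezeFetch, freezeXMLHttpRequest, freezeWebSocket = false, isPostLoginRedirectManual = false, BASE_URL } = params;
 const { shouldLoadApp } = handleOidcCallback({ isPostLoginRedirectManual });
 if (shouldLoadApp) {
@@ -55,10 +54,10 @@ function oidcEarlyInit(params) {
 value: WebSocket_trusted
 });
 }
-(0, iframeMessageProtection_1.preventSessionStorageSetItemOfPublicKeyByThirdParty)();
 if (BASE_URL !== undefined) {
 (0, BASE_URL_1.setBASE_URL)({ BASE_URL });
 }
+(0, iframeMessageProtection_1.iframeMessageProtection_captureAndLockBuiltins)();
 }
 (0, prShouldLoadApp_1.resolvePrShouldLoadApp)({ shouldLoadApp });
 return { shouldLoadApp };
@@ -154,6 +153,7 @@ function handleOidcCallback(params) {
 })();
 if (isPostLoginRedirectManual) {
 (0, requiredPostHydrationReplaceNavigationUrl_1.setOidcRequiredPostHydrationReplaceNavigationUrl)({ rootRelativeRedirectUrl });
+history.replaceState({}, "", rootRelativeOriginalLocationHref);
 }
 else {
 history.replaceState({}, "", rootRelativeRedirectUrl);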
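Review bot: `iframeMessageProtection_captureAndLockBuiltins()` now runs only inside the `if (shouldLoadApp)` branch, after the freeze block and `setBASE_URL`, whereas the removed `captureApisForIframeProtection()` ran unconditionally before `handleOidcCallback`. In the `shouldLoadApp === false` path (the iframe callback that ends in `postEncryptedAuthResponseToParent`) `capturedApis` is therefore never populated; if anything on that path asserts on it, the assertion now fires, so this is worth confirming against the iframe code, which is outside the hunk. The placement itself is defensible — the last early-init step sees builtins no app code has touched yet — but nothing in the file states that constraint; I would add above the call `// Must stay the last statement of early init: everything captured here has to be the native builtin, so no app-controlled code may run before this point.` Both `oidcEarlyInit` and `handleOidcCallback` start outside the hunks, and the authoritative change is in src/core/earlyInit.ts since this file is compiled output.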
package/core/earlyInit.js.map
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"earlyInit.js","sourceRoot":"","sources":["../src/core/earlyInit.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"earlyInit.js","sourceRoot":"","sources":["../src/core/earlyInit.ts"],"names":[],"mappings":";;AAcA,sCAiFC;AAID,0DAaC;AAID,kFAGC;AAvHD,2CAAqE;AACrE,kDAA4D;AAE5D,uEAGmC;AACnC,2GAA+G;AAC/G,yCAAyC;AACzC,uDAA2D;AAC3D,kDAA+C;AAE/C,IAAI,sBAAsB,GAAG,KAAK,CAAC;AAEnC,SAAgB,aAAa,CAAC,MAQ7B;IACG,IAAI,sBAAsB,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC5E,CAAC;IAED,sBAAsB,GAAG,IAAI,CAAC;IAE9B,IAAI,CAAC,qBAAS,EAAE,CAAC;QACb,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,MAAM,EACF,WAAW,EACX,oBAAoB,EACpB,eAAe,GAAG,KAAK,EACvB,yBAAyB,GAAG,KAAK,EACjC,QAAQ,EACX,GAAG,MAAM,CAAC;IAEX,MAAM,EAAE,aAAa,EAAE,GAAG,kBAAkB,CAAC,EAAE,yBAAyB,EAAE,CAAC,CAAC;IAE5E,IAAI,aAAa,EAAE,CAAC;QAChB,IAAI,oBAAoB,EAAE,CAAC;YACvB,MAAM,sBAAsB,GAAG,UAAU,CAAC,cAAc,CAAC;YAEzD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;YAChD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;YAEtC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,gBAAgB,EAAE;gBAChD,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,sBAAsB;aAChC,CAAC,CAAC;QACP,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YACd,MAAM,aAAa,GAAG,UAAU,CAAC,KAAK,CAAC;YAEvC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;YAE7B,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,OAAO,EAAE;gBACvC,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,aAAa;aACvB,CAAC,CAAC;QACP,CAAC;QAED,IAAI,eAAe,EAAE,CAAC;YAClB,MAAM,iBAAiB,GAAG,UAAU,CAAC,SAAS,CAAC;YAE/C,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;YAEjC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,WAAW,EAAE;gBAC3C,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,iBAAiB;aAC3B,CAAC,CAAC;QACP,CAAC;QAED,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YACzB,IAAA,sBAAW,EAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC9B,CAAC;QAED,IAAA,wEAA8C,GAAE,CAAC;IACrD,CAAC;IAED,IAAA,wCAAsB,EAAC,EAAE,aAAa,EAAE,CAAC,CAAC;IAE1C,OAAO,EAAE,aAAa,EAAE,CAAC;AAC7B,CAAC;AAED,IAAI,oBAAoB,GAA6B,SAAS,CAAC;AAE/D,SAAgB,uBAAuB;IAGnC,IAAA,eAAM,EAAC,sBAAsB,EAAE,UAAU,CAAC,CAAC;IAE3C,OAAO,oBAAoB,KAAK,SAAS;QACrC,CAAC,CAAC,EAAE,YAAY,EAAE,SAAS,EA
AE;QAC7B,CAAC,CAAC;YACI,YAAY,EAAE,oBAAoB;YAClC,iBAAiB,EAAE,GAAG,EAAE;gBACpB,oBAAoB,GAAG,SAAS,CAAC;YACrC,CAAC;SACJ,CAAC;AACZ,CAAC;AAED,IAAI,gCAAgC,GAAuB,SAAS,CAAC;AAErE,SAAgB,mCAAmC;IAC/C,IAAA,eAAM,EAAC,gCAAgC,KAAK,SAAS,EAAE,QAAQ,CAAC,CAAC;IACjE,OAAO,gCAAgC,CAAC;AAC5C,CAAC;AAED,SAAS,kBAAkB,CAAC,MAA+C;IAGvE,MAAM,EAAE,yBAAyB,EAAE,GAAG,MAAM,CAAC;IAE7C,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAEtD,MAAM,sBAAsB,GAAG,CAAC,GAAG,EAAE;QACjC,QAAQ,EAAE,CAAC;YACP,MAAM,kBAAkB,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CACtF,OAAO,CACV,CAAC;YAEF,IAAI,kBAAkB,KAAK,IAAI,EAAE,CAAC;gBAC9B,MAAM,QAAQ,CAAC;YACnB,CAAC;YAED,IAAI,CAAC,IAAA,oCAAwB,EAAC,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,CAAC,EAAE,CAAC;gBAC7E,MAAM,QAAQ,CAAC;YACnB,CAAC;YAED,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAW,CAAC;QAC7E,CAAC;QAED,KAAK,EAAE,CAAC;YACJ,MAAM,kBAAkB,GAAG,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAErE,IAAI,kBAAkB,KAAK,IAAI,EAAE,CAAC;gBAC9B,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,IAAI,CAAC,IAAA,oCAAwB,EAAC,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,CAAC,EAAE,CAAC;gBAC7E,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,IACI,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,IAAI;gBACtD,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC,KAAK,IAAI;gBAC1D,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,KAAK,IAAI,EAC3D,CAAC;gBACC,mFAAmF;gBACnF,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAW,CAAC;QAC1E,CAAC;QAED,OAAO,EAAE,oBAAoB,EAAE,KAAK,EAAW,CAAC;IACpD,CAAC,CAAC,EAAE,CAAC;IAEL,IAAI,CAAC,sBAAsB,CAAC,oBAAoB,EAAE,CAAC;QAC/C,gCAAgC,GAAG,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC7F,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,gCAAgC,GAAG,eAAe,CAAC,QAAQ,CAAC;IAE5D,MAAM,EAAE,YAAY,EAAE,GAAG,CAAC,GAAG,EAAE;QAC3B,MAAM,YAAY,GAAiB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QAEjD,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE;YACvB,QAAQ,sBAAsB,CAAC,YAAY,EAAE,CAAC;gBAC1C,KAAK,UAAU;oBACX,OAAO,IAAI,eAAe,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;gBACvE,KAAK,OAAO;oBAC
R,OAAO,eAAe,CAAC,YAAY,CAAC;gBACxC;oBACI,IAAA,eAAM,EAA+C,KAAK,CAAC,CAAC;YACpE,CAAC;QACL,CAAC,CAAC,EAAE,CAAC;QAEL,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,YAAY,EAAE,CAAC;YACtC,YAAY,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QAC9B,CAAC;QAED,IAAA,eAAM,EAAC,YAAY,CAAC,KAAK,KAAK,EAAE,EAAE,QAAQ,CAAC,CAAC;QAE5C,OAAO,EAAE,YAAY,EAAE,CAAC;IAC5B,CAAC,CAAC,EAAE,CAAC;IAEL,MAAM,SAAS,GAAG,IAAA,wBAAY,EAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;IAE3E,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,gCAAgC,CAAC,CAAC;QAC/D,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,QAAQ,SAAS,CAAC,OAAO,EAAE,CAAC;QACxB,KAAK,QAAQ;YACT,IAAA,2DAAiC,EAAC,EAAE,YAAY,EAAE,CAAC,CAAC;YACpD,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;QACpC,KAAK,UAAU,CAAC,CAAC,CAAC;YACd,oBAAoB,GAAG,YAAY,CAAC;YAEpC,MAAM,uBAAuB,GAAG,CAAC,GAAG,EAAE;gBAClC,IAAI,SAAS,CAAC,MAAM,KAAK,OAAO,IAAI,YAAY,CAAC,KAAK,KAAK,kBAAkB,EAAE,CAAC;oBAC5E,OAAO,SAAS,CAAC,2CAA2C,CAAC;gBACjE,CAAC;gBACD,OAAO,SAAS,CAAC,uBAAuB,CAAC;YAC7C,CAAC,CAAC,EAAE,CAAC;YAEL,IAAI,yBAAyB,EAAE,CAAC;gBAC5B,IAAA,4FAAgD,EAAC,EAAE,uBAAuB,EAAE,CAAC,CAAC;gBAC9E,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,gCAAgC,CAAC,CAAC;YACnE,CAAC;iBAAM,CAAC;gBACJ,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,uBAAuB,CAAC,CAAC;YAC1D,CAAC;YAED,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QACnC,CAAC;QACD;YACI,IAAA,eAAM,EAAkC,KAAK,CAAC,CAAC;IACvD,CAAC;AACL,CAAC"}
|
|
@@ -1,6 +1,9 @@
|
|
|
1
1
|
import { type AuthResponse } from "./AuthResponse";
|
|
2
|
-
|
|
3
|
-
|
|
2
|
+
/**
|
|
3
|
+
* To call while still in the safe window where no other code
|
|
4
|
+
* has been evaluated and only before we're about to actually start the App.
|
|
5
|
+
*/
|
|
6
|
+
export declare function iframeMessageProtection_captureAndLockBuiltins(): void;
|
|
4
7
|
declare function getIsEncryptedAuthResponse(params: {
|
|
5
8
|
message: unknown;
|
|
6
9
|
stateUrlParamValue: string;
|
|
@@ -1,38 +1,58 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.
|
|
4
|
-
exports.preventSessionStorageSetItemOfPublicKeyByThirdParty = preventSessionStorageSetItemOfPublicKeyByThirdParty;
|
|
3
|
+
exports.iframeMessageProtection_captureAndLockBuiltins = iframeMessageProtection_captureAndLockBuiltins;
|
|
5
4
|
exports.initIframeMessageProtection = initIframeMessageProtection;
|
|
6
5
|
exports.postEncryptedAuthResponseToParent = postEncryptedAuthResponseToParent;
|
|
7
6
|
const assert_1 = require("../tools/tsafe/assert");
|
|
8
7
|
const asymmetricEncryption_1 = require("../tools/asymmetricEncryption");
|
|
9
8
|
let capturedApis = undefined;
|
|
10
|
-
|
|
9
|
+
const SESSION_STORAGE_PREFIX = "oidc-spa_iframe_authResponse_publicKey_";
|
|
10
|
+
const getProtectedTimer_set = new Set();
|
|
11
|
+
/**
|
|
12
|
+
* To call while still in the safe window where no other code
|
|
13
|
+
* has been evaluated and only before we're about to actually start the App.
|
|
14
|
+
*/
|
|
15
|
+
function iframeMessageProtection_captureAndLockBuiltins() {
|
|
11
16
|
capturedApis = {
|
|
12
17
|
setItem: Storage.prototype.setItem,
|
|
13
18
|
sessionStorage: window.sessionStorage,
|
|
14
19
|
setTimeout: window.setTimeout,
|
|
20
|
+
clearTimeout: window.clearTimeout,
|
|
15
21
|
alert: window.alert
|
|
16
22
|
};
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
function
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
+
// Ensure, at least from main window we cannot simply write on the public key.
|
|
24
|
+
{
|
|
25
|
+
const setItem_protected = function setItem(key, value) {
|
|
26
|
+
if (key.startsWith(SESSION_STORAGE_PREFIX)) {
|
|
27
|
+
throw new Error("Attack prevented by oidc-spa. You have malicious code running in your system");
|
|
28
|
+
}
|
|
29
|
+
(0, assert_1.assert)(capturedApis !== undefined);
|
|
30
|
+
return capturedApis.setItem.call(this, key, value);
|
|
31
|
+
};
|
|
32
|
+
{
|
|
33
|
+
const pd = Object.getOwnPropertyDescriptor(Storage.prototype, "setItem");
|
|
34
|
+
(0, assert_1.assert)(pd !== undefined);
|
|
35
|
+
Object.defineProperty(Storage.prototype, "setItem", {
|
|
36
|
+
enumerable: pd.enumerable,
|
|
37
|
+
writable: pd.writable,
|
|
38
|
+
value: setItem_protected
|
|
39
|
+
});
|
|
40
|
+
}
|
|
41
|
+
}
|
|
42
|
+
window.clearTimeout = function clearTimeout(timer) {
|
|
43
|
+
for (const getProtectedTimer of getProtectedTimer_set) {
|
|
44
|
+
const timer_protected = getProtectedTimer();
|
|
45
|
+
if (timer_protected === undefined) {
|
|
46
|
+
continue;
|
|
47
|
+
}
|
|
48
|
+
if (timer_protected === timer) {
|
|
49
|
+
// Probably an attack but potentially not so avoiding hard crash
|
|
50
|
+
return;
|
|
51
|
+
}
|
|
23
52
|
}
|
|
24
53
|
(0, assert_1.assert)(capturedApis !== undefined);
|
|
25
|
-
|
|
54
|
+
capturedApis.clearTimeout.call(window, timer);
|
|
26
55
|
};
|
|
27
|
-
{
|
|
28
|
-
const pd = Object.getOwnPropertyDescriptor(Storage.prototype, "setItem");
|
|
29
|
-
(0, assert_1.assert)(pd !== undefined);
|
|
30
|
-
Object.defineProperty(Storage.prototype, "setItem", {
|
|
31
|
-
enumerable: pd.enumerable,
|
|
32
|
-
writable: pd.writable,
|
|
33
|
-
value: setItem_protected
|
|
34
|
-
});
|
|
35
|
-
}
|
|
36
56
|
}
|
|
37
57
|
function getSessionStorageKey(params) {
|
|
38
58
|
const { stateUrlParamValue } = params;
|
|
@@ -57,6 +77,8 @@ async function initIframeMessageProtection(params) {
|
|
|
57
77
|
const { publicKey, privateKey } = await (0, asymmetricEncryption_1.generateKeys)();
|
|
58
78
|
const sessionStorageKey = getSessionStorageKey({ stateUrlParamValue });
|
|
59
79
|
let timer = undefined;
|
|
80
|
+
const getProtectedTimer = () => timer;
|
|
81
|
+
getProtectedTimer_set.add(getProtectedTimer);
|
|
60
82
|
function setSessionStoragePublicKey() {
|
|
61
83
|
(0, assert_1.assert)(capturedApis !== undefined);
|
|
62
84
|
const { setItem } = capturedApis;
|
|
@@ -95,8 +117,11 @@ async function initIframeMessageProtection(params) {
|
|
|
95
117
|
return { authResponse };
|
|
96
118
|
}
|
|
97
119
|
function clearSessionStoragePublicKey() {
|
|
120
|
+
(0, assert_1.assert)(capturedApis !== undefined);
|
|
121
|
+
const { clearTimeout } = capturedApis;
|
|
98
122
|
sessionStorage.removeItem(sessionStorageKey);
|
|
99
123
|
clearTimeout(timer);
|
|
124
|
+
getProtectedTimer_set.delete(getProtectedTimer);
|
|
100
125
|
}
|
|
101
126
|
return {
|
|
102
127
|
getIsReadyToReadPublicKeyMessage,
|
|
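Review bot: The guard `if (key.startsWith(SESSION_STORAGE_PREFIX))` in `setItem_protected` assumes a string, but the native `Storage.prototype.setItem` stringifies its arguments, and this patch sits on the shared prototype, so `localStorage.setItem(1, "x")` from any app or library code now throws a `TypeError` instead of storing; `if (String(key).startsWith(SESSION_STORAGE_PREFIX))` keeps the native contract. The override is also weaker than the `Lock` in the new function name suggests: `sessionStorage[key] = value` goes through the Storage named-property setter and never reaches `setItem`, and the descriptor keeps `writable: pd.writable`, so a later script can reassign the method. The inline comment already concedes this with "at least from main window"; I would make it explicit, e.g. `// Best-effort only: blocks naive setItem() calls on the public-key slot; bracket assignment on the Storage object and reassignment of this method are not prevented.` This file is compiled output, so the fix belongs in src/core/iframeMessageProtection.ts.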
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"iframeMessageProtection.js","sourceRoot":"","sources":["../src/core/iframeMessageProtection.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"iframeMessageProtection.js","sourceRoot":"","sources":["../src/core/iframeMessageProtection.ts"],"names":[],"mappings":";;AAsBA,wGAoDC;AA6BD,kEAsFC;AAED,8EA2BC;AA1ND,kDAA+C;AAC/C,wEAAmG;AAGnG,IAAI,YAAY,GAQE,SAAS,CAAC;AAE5B,MAAM,sBAAsB,GAAG,yCAAyC,CAAC;AAEzE,MAAM,qBAAqB,GAAG,IAAI,GAAG,EAA4B,CAAC;AAElE;;;GAGG;AACH,SAAgB,8CAA8C;IAC1D,YAAY,GAAG;QACX,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,OAAO;QAClC,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,KAAK,EAAE,MAAM,CAAC,KAAK;KACtB,CAAC;IAEF,8EAA8E;IAC9E,CAAC;QACG,MAAM,iBAAiB,GAAG,SAAS,OAAO,CAAY,GAAW,EAAE,KAAa;YAC5E,IAAI,GAAG,CAAC,UAAU,CAAC,sBAAsB,CAAC,EAAE,CAAC;gBACzC,MAAM,IAAI,KAAK,CACX,8EAA8E,CACjF,CAAC;YACN,CAAC;YAED,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;YAEnC,OAAO,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QACvD,CAAC,CAAC;QAEF,CAAC;YACG,MAAM,EAAE,GAAG,MAAM,CAAC,wBAAwB,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;YAEzE,IAAA,eAAM,EAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAEzB,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,EAAE;gBAChD,UAAU,EAAE,EAAE,CAAC,UAAU;gBACzB,QAAQ,EAAE,EAAE,CAAC,QAAQ;gBACrB,KAAK,EAAE,iBAAiB;aAC3B,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IAED,MAAM,CAAC,YAAY,GAAG,SAAS,YAAY,CAAC,KAAK;QAC7C,KAAK,MAAM,iBAAiB,IAAI,qBAAqB,EAAE,CAAC;YACpD,MAAM,eAAe,GAAG,iBAAiB,EAAE,CAAC;YAC5C,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;gBAChC,SAAS;YACb,CAAC;YACD,IAAI,eAAe,KAAK,KAAK,EAAE,CAAC;gBAC5B,gEAAgE;gBAChE,OAAO;YACX,CAAC;QACL,CAAC;QAED,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,YAAY,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAClD,CAAC,CAAC;AACN,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAsC;IAChE,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAEtC,OAAO,GAAG,sBAAsB,GAAG,kBAAkB,EAAE,CAAC;AAC5D,CAAC;AAED,MAAM,+BAA+B,GAAG,kCAAkC,CAAC;AAE3E,SAAS,0BAA0B,CAAC,MAAwD;IACxF,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAE/C,OAAO,CACH,OAAO,OAAO,KAAK,QAAQ;QAC3B,OAAO,CAAC,UAAU,CAAC,GAAG,+BAA+B,GAAG,kBAAkB,EAAE,CAAC,CAChF,CAAC;AACN,CAAC;AAED,SAAS,eAAe,CAAC,MAAsC;IAC3D,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;
IACtC,OAAO,oCAAoC,kBAAkB,EAAE,CAAC;AACpE,CAAC;AAED,SAAS,gCAAgC,CAAC,MAAwD;IAC9F,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAC/C,OAAO,OAAO,KAAK,eAAe,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC;AAC/D,CAAC;AAEM,KAAK,UAAU,2BAA2B,CAAC,MAAsC;IACpF,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAEtC,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,MAAM,IAAA,mCAAY,GAAE,CAAC;IAEvD,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAEvE,IAAI,KAAK,GAAuB,SAAS,CAAC;IAE1C,MAAM,iBAAiB,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC;IAEtC,qBAAqB,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAE7C,SAAS,0BAA0B;QAC/B,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,MAAM,EAAE,OAAO,EAAE,GAAG,YAAY,CAAC;QAEjC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,iBAAiB,EAAE,SAAS,CAAC,CAAC;IAC5E,CAAC;IAED,SAAS,mDAAmD;QACxD,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,YAAY,CAAC;QAE3C,cAAc,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QAE7C,MAAM,oBAAoB,GAAG,GAAG,EAAE;YAC9B,MAAM,mBAAmB,GAAG,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;YAEtE,IAAI,mBAAmB,KAAK,IAAI,IAAI,mBAAmB,KAAK,SAAS,EAAE,CAAC;gBACpE,OAAO,IAAI,EAAE,CAAC;oBACV,KAAK,CACD;wBACI,oBAAoB;wBACpB,sCAAsC;wBACtC,oDAAoD;wBACpD,oCAAoC;qBACvC,CAAC,IAAI,CAAC,GAAG,CAAC,CACd,CAAC;gBACN,CAAC;YACL,CAAC;YACD,KAAK,EAAE,CAAC;QACZ,CAAC,CAAC;QAEF,SAAS,KAAK;YACV,KAAK,GAAG,UAAU,CAAC,oBAAoB,EAAE,CAAC,CAAC,CAAC;QAChD,CAAC;QAED,KAAK,EAAE,CAAC;IACZ,CAAC;IAED,KAAK,UAAU,mBAAmB,CAAC,MAElC;QACG,MAAM,EAAE,qBAAqB,EAAE,GAAG,MAAM,CAAC;QAEzC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,MAAM,IAAA,wCAAiB,EAAC;YAC1D,gBAAgB,EAAE,qBAAqB,CAAC,KAAK,CACzC,+BAA+B,CAAC,MAAM,GAAG,kBAAkB,CAAC,MAAM,CACrE;YACD,UAAU;SACb,CAAC,CAAC;QAEH,MAAM,YAAY,GAAiB,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAEhE,OAAO,EAAE,YAAY,EAAE,CAAC;IAC5B,CAAC;IAED,SAAS,4BAA4B;QACjC,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QACnC,MAAM,EAAE,YAAY,EAAE,GAAG,YAAY,CAAC;QACtC,cAAc,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QAC7C,YAAY,CAAC,KAAK,CAAC,CAAC;QACpB,qBAAqB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IACpD,CAAC;IAED,OAAO;QACH,gCAAgC;QAChC,mDAAmD;QACnD,0BAA0B;QAC1B,0BAA0B;QAC1B,mBAAmB;QACnB,4BAA4B
;KAC/B,CAAC;AACN,CAAC;AAEM,KAAK,UAAU,iCAAiC,CAAC,MAAsC;IAC1F,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;IAEhC,MAAM,CAAC,WAAW,CAAC,eAAe,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IAEjG,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3D,IAAI,SAAwB,CAAC;IAE7B,CAAC;QACG,IAAI,iBAAiB,GAAG,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;QAEzF,OAAO,CAAC,SAAS,GAAG,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACtE,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/D,CAAC;IACL,CAAC;IAED,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3D,MAAM,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,GAAG,MAAM,IAAA,wCAAiB,EAAC;QACjF,SAAS;QACT,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC;KACxC,CAAC,CAAC;IAEH,MAAM,gBAAgB,GAAG,GAAG,+BAA+B,GAAG,YAAY,CAAC,KAAK,GAAG,8BAA8B,EAAE,CAAC;IAEpH,MAAM,CAAC,WAAW,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC1D,CAAC"}
|
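--- a/package/esm/core/createOidc.js
+++ b/package/esm/core/createOidc.js
@@ -34,7 +34,7 @@ import { evtIsThereMoreThanOneInstanceThatCantUserIframes, notifyNewInstanceThat
 import { getDesiredPostLoginRedirectUrl } from "./desiredPostLoginRedirectUrl";
 import { getHomeAndRedirectUri } from "./homeAndRedirectUri";
 // NOTE: Replaced at build time
-const VERSION = "8.2.
+const VERSION = "8.2.12";
 const globalContext = {
 prOidcByConfigId: new Map(),
 hasLogoutBeenCalled: id(false)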
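--- a/package/esm/core/earlyInit.js
+++ b/package/esm/core/earlyInit.js
@@ -1,6 +1,6 @@
 import { getStateData, getIsStatQueryParamValue } from "./StateData";
 import { assert } from "../tools/tsafe/assert";
-import {
+import { iframeMessageProtection_captureAndLockBuiltins, postEncryptedAuthResponseToParent } from "./iframeMessageProtection";
 import { setOidcRequiredPostHydrationReplaceNavigationUrl } from "./requiredPostHydrationReplaceNavigationUrl";
 import { setBASE_URL } from "./BASE_URL";
 import { resolvePrShouldLoadApp } from "./prShouldLoadApp";
@@ -14,7 +14,6 @@ export function oidcEarlyInit(params) {
 if (!isBrowser) {
 return { shouldLoadApp: true };
 }
-captureApisForIframeProtection();
 const { freezeFetch, freezeXMLHttpRequest, freezeWebSocket = false, isPostLoginRedirectManual = false, BASE_URL } = params;
 const { shouldLoadApp } = handleOidcCallback({ isPostLoginRedirectManual });
 if (shouldLoadApp) {
@@ -50,10 +49,10 @@ export function oidcEarlyInit(params) {
 value: WebSocket_trusted
 });
 }
-preventSessionStorageSetItemOfPublicKeyByThirdParty();
 if (BASE_URL !== undefined) {
 setBASE_URL({ BASE_URL });
 }
+iframeMessageProtection_captureAndLockBuiltins();
 }
 resolvePrShouldLoadApp({ shouldLoadApp });
 return { shouldLoadApp };
@@ -149,6 +148,7 @@ function handleOidcCallback(params) {
 })();
 if (isPostLoginRedirectManual) {
 setOidcRequiredPostHydrationReplaceNavigationUrl({ rootRelativeRedirectUrl });
+history.replaceState({}, "", rootRelativeOriginalLocationHref);
 }
 else {
 history.replaceState({}, "", rootRelativeRedirectUrl);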
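Review bot: The new `history.replaceState({}, "", rootRelativeOriginalLocationHref)` in the `isPostLoginRedirectManual` branch writes the original location back into the address bar, while the `else` branch keeps writing `rootRelativeRedirectUrl`. Whether that is safe depends on `rootRelativeOriginalLocationHref` no longer carrying the authorization response: if `code`/`state` survive in its query or fragment, the one-time code stays visible in the URL and in session history until the app performs the navigation that `setOidcRequiredPostHydrationReplaceNavigationUrl` presumably defers. The assignment of `rootRelativeOriginalLocationHref` is outside the hunk, so I cannot confirm it is derived from the path alone; I would pin the invariant next to the call: `// Invariant: rootRelativeOriginalLocationHref carries no auth response (code/state); only the original path is restored here, the real redirect happens after hydration.` The same change is in package/core/earlyInit.js and belongs in src/core/earlyInit.ts.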
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"earlyInit.js","sourceRoot":"","sources":["../../src/core/earlyInit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,wBAAwB,EAAE,MAAM,aAAa,CAAC;AACrE,OAAO,EAAE,MAAM,EAAe,MAAM,uBAAuB,CAAC;AAE5D,OAAO,EACH,
|
|
1
|
+
{"version":3,"file":"earlyInit.js","sourceRoot":"","sources":["../../src/core/earlyInit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,wBAAwB,EAAE,MAAM,aAAa,CAAC;AACrE,OAAO,EAAE,MAAM,EAAe,MAAM,uBAAuB,CAAC;AAE5D,OAAO,EACH,8CAA8C,EAC9C,iCAAiC,EACpC,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,gDAAgD,EAAE,MAAM,6CAA6C,CAAC;AAC/G,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAE/C,IAAI,sBAAsB,GAAG,KAAK,CAAC;AAEnC,MAAM,UAAU,aAAa,CAAC,MAQ7B;IACG,IAAI,sBAAsB,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC5E,CAAC;IAED,sBAAsB,GAAG,IAAI,CAAC;IAE9B,IAAI,CAAC,SAAS,EAAE,CAAC;QACb,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,MAAM,EACF,WAAW,EACX,oBAAoB,EACpB,eAAe,GAAG,KAAK,EACvB,yBAAyB,GAAG,KAAK,EACjC,QAAQ,EACX,GAAG,MAAM,CAAC;IAEX,MAAM,EAAE,aAAa,EAAE,GAAG,kBAAkB,CAAC,EAAE,yBAAyB,EAAE,CAAC,CAAC;IAE5E,IAAI,aAAa,EAAE,CAAC;QAChB,IAAI,oBAAoB,EAAE,CAAC;YACvB,MAAM,sBAAsB,GAAG,UAAU,CAAC,cAAc,CAAC;YAEzD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;YAChD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;YAEtC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,gBAAgB,EAAE;gBAChD,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,sBAAsB;aAChC,CAAC,CAAC;QACP,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YACd,MAAM,aAAa,GAAG,UAAU,CAAC,KAAK,CAAC;YAEvC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;YAE7B,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,OAAO,EAAE;gBACvC,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,aAAa;aACvB,CAAC,CAAC;QACP,CAAC;QAED,IAAI,eAAe,EAAE,CAAC;YAClB,MAAM,iBAAiB,GAAG,UAAU,CAAC,SAAS,CAAC;YAE/C,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;YAEjC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,WAAW,EAAE;gBAC3C,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,iBAAiB;aAC3B,CAAC,CAAC;QACP,CAAC;QAED,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YACzB,WAAW,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC9B,CAAC;QAED,8CAA8C,EAAE,CAAC;IACrD,CAAC;IAED,sBAAsB,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC;IAE1C,OAAO,EAAE,a
AAa,EAAE,CAAC;AAC7B,CAAC;AAED,IAAI,oBAAoB,GAA6B,SAAS,CAAC;AAE/D,MAAM,UAAU,uBAAuB;IAGnC,MAAM,CAAC,sBAAsB,EAAE,UAAU,CAAC,CAAC;IAE3C,OAAO,oBAAoB,KAAK,SAAS;QACrC,CAAC,CAAC,EAAE,YAAY,EAAE,SAAS,EAAE;QAC7B,CAAC,CAAC;YACI,YAAY,EAAE,oBAAoB;YAClC,iBAAiB,EAAE,GAAG,EAAE;gBACpB,oBAAoB,GAAG,SAAS,CAAC;YACrC,CAAC;SACJ,CAAC;AACZ,CAAC;AAED,IAAI,gCAAgC,GAAuB,SAAS,CAAC;AAErE,MAAM,UAAU,mCAAmC;IAC/C,MAAM,CAAC,gCAAgC,KAAK,SAAS,EAAE,QAAQ,CAAC,CAAC;IACjE,OAAO,gCAAgC,CAAC;AAC5C,CAAC;AAED,SAAS,kBAAkB,CAAC,MAA+C;IAGvE,MAAM,EAAE,yBAAyB,EAAE,GAAG,MAAM,CAAC;IAE7C,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAEtD,MAAM,sBAAsB,GAAG,CAAC,GAAG,EAAE;QACjC,QAAQ,EAAE,CAAC;YACP,MAAM,kBAAkB,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CACtF,OAAO,CACV,CAAC;YAEF,IAAI,kBAAkB,KAAK,IAAI,EAAE,CAAC;gBAC9B,MAAM,QAAQ,CAAC;YACnB,CAAC;YAED,IAAI,CAAC,wBAAwB,CAAC,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,CAAC,EAAE,CAAC;gBAC7E,MAAM,QAAQ,CAAC;YACnB,CAAC;YAED,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAW,CAAC;QAC7E,CAAC;QAED,KAAK,EAAE,CAAC;YACJ,MAAM,kBAAkB,GAAG,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAErE,IAAI,kBAAkB,KAAK,IAAI,EAAE,CAAC;gBAC9B,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,IAAI,CAAC,wBAAwB,CAAC,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,CAAC,EAAE,CAAC;gBAC7E,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,IACI,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,IAAI;gBACtD,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC,KAAK,IAAI;gBAC1D,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,KAAK,IAAI,EAC3D,CAAC;gBACC,mFAAmF;gBACnF,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAW,CAAC;QAC1E,CAAC;QAED,OAAO,EAAE,oBAAoB,EAAE,KAAK,EAAW,CAAC;IACpD,CAAC,CAAC,EAAE,CAAC;IAEL,IAAI,CAAC,sBAAsB,CAAC,oBAAoB,EAAE,CAAC;QAC/C,gCAAgC,GAAG,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC7F,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,gCAAgC,GAAG,eAAe,CAAC,QAAQ,CAAC;IAE5D,MAAM,EAAE,YAAY,EAAE,GAAG,CAAC,GAAG,EAAE;QAC3B,MAAM,YAAY,GAAiB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QAEjD,MAAM,YAAY,GAA
G,CAAC,GAAG,EAAE;YACvB,QAAQ,sBAAsB,CAAC,YAAY,EAAE,CAAC;gBAC1C,KAAK,UAAU;oBACX,OAAO,IAAI,eAAe,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;gBACvE,KAAK,OAAO;oBACR,OAAO,eAAe,CAAC,YAAY,CAAC;gBACxC;oBACI,MAAM,CAA+C,KAAK,CAAC,CAAC;YACpE,CAAC;QACL,CAAC,CAAC,EAAE,CAAC;QAEL,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,YAAY,EAAE,CAAC;YACtC,YAAY,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QAC9B,CAAC;QAED,MAAM,CAAC,YAAY,CAAC,KAAK,KAAK,EAAE,EAAE,QAAQ,CAAC,CAAC;QAE5C,OAAO,EAAE,YAAY,EAAE,CAAC;IAC5B,CAAC,CAAC,EAAE,CAAC;IAEL,MAAM,SAAS,GAAG,YAAY,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;IAE3E,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,gCAAgC,CAAC,CAAC;QAC/D,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,QAAQ,SAAS,CAAC,OAAO,EAAE,CAAC;QACxB,KAAK,QAAQ;YACT,iCAAiC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC;YACpD,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;QACpC,KAAK,UAAU,CAAC,CAAC,CAAC;YACd,oBAAoB,GAAG,YAAY,CAAC;YAEpC,MAAM,uBAAuB,GAAG,CAAC,GAAG,EAAE;gBAClC,IAAI,SAAS,CAAC,MAAM,KAAK,OAAO,IAAI,YAAY,CAAC,KAAK,KAAK,kBAAkB,EAAE,CAAC;oBAC5E,OAAO,SAAS,CAAC,2CAA2C,CAAC;gBACjE,CAAC;gBACD,OAAO,SAAS,CAAC,uBAAuB,CAAC;YAC7C,CAAC,CAAC,EAAE,CAAC;YAEL,IAAI,yBAAyB,EAAE,CAAC;gBAC5B,gDAAgD,CAAC,EAAE,uBAAuB,EAAE,CAAC,CAAC;gBAC9E,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,gCAAgC,CAAC,CAAC;YACnE,CAAC;iBAAM,CAAC;gBACJ,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,uBAAuB,CAAC,CAAC;YAC1D,CAAC;YAED,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QACnC,CAAC;QACD;YACI,MAAM,CAAkC,KAAK,CAAC,CAAC;IACvD,CAAC;AACL,CAAC"}
|
|
@@ -1,6 +1,9 @@
|
|
|
1
1
|
import { type AuthResponse } from "./AuthResponse";
|
|
2
|
-
|
|
3
|
-
|
|
2
|
+
/**
|
|
3
|
+
* To call while still in the safe window where no other code
|
|
4
|
+
* has been evaluated and only before we're about to actually start the App.
|
|
5
|
+
*/
|
|
6
|
+
export declare function iframeMessageProtection_captureAndLockBuiltins(): void;
|
|
4
7
|
declare function getIsEncryptedAuthResponse(params: {
|
|
5
8
|
message: unknown;
|
|
6
9
|
stateUrlParamValue: string;
|
|
@@ -1,32 +1,53 @@
|
|
|
1
1
|
import { assert } from "../tools/tsafe/assert";
|
|
2
2
|
import { asymmetricEncrypt, asymmetricDecrypt, generateKeys } from "../tools/asymmetricEncryption";
|
|
3
3
|
let capturedApis = undefined;
|
|
4
|
-
|
|
4
|
+
const SESSION_STORAGE_PREFIX = "oidc-spa_iframe_authResponse_publicKey_";
|
|
5
|
+
const getProtectedTimer_set = new Set();
|
|
6
|
+
/**
|
|
7
|
+
* To call while still in the safe window where no other code
|
|
8
|
+
* has been evaluated and only before we're about to actually start the App.
|
|
9
|
+
*/
|
|
10
|
+
export function iframeMessageProtection_captureAndLockBuiltins() {
|
|
5
11
|
capturedApis = {
|
|
6
12
|
setItem: Storage.prototype.setItem,
|
|
7
13
|
sessionStorage: window.sessionStorage,
|
|
8
14
|
setTimeout: window.setTimeout,
|
|
15
|
+
clearTimeout: window.clearTimeout,
|
|
9
16
|
alert: window.alert
|
|
10
17
|
};
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
18
|
+
// Ensure, at least from main window we cannot simply write on the public key.
|
|
19
|
+
{
|
|
20
|
+
const setItem_protected = function setItem(key, value) {
|
|
21
|
+
if (key.startsWith(SESSION_STORAGE_PREFIX)) {
|
|
22
|
+
throw new Error("Attack prevented by oidc-spa. You have malicious code running in your system");
|
|
23
|
+
}
|
|
24
|
+
assert(capturedApis !== undefined);
|
|
25
|
+
return capturedApis.setItem.call(this, key, value);
|
|
26
|
+
};
|
|
27
|
+
{
|
|
28
|
+
const pd = Object.getOwnPropertyDescriptor(Storage.prototype, "setItem");
|
|
29
|
+
assert(pd !== undefined);
|
|
30
|
+
Object.defineProperty(Storage.prototype, "setItem", {
|
|
31
|
+
enumerable: pd.enumerable,
|
|
32
|
+
writable: pd.writable,
|
|
33
|
+
value: setItem_protected
|
|
34
|
+
});
|
|
35
|
+
}
|
|
36
|
+
}
|
|
37
|
+
window.clearTimeout = function clearTimeout(timer) {
|
|
38
|
+
for (const getProtectedTimer of getProtectedTimer_set) {
|
|
39
|
+
const timer_protected = getProtectedTimer();
|
|
40
|
+
if (timer_protected === undefined) {
|
|
41
|
+
continue;
|
|
42
|
+
}
|
|
43
|
+
if (timer_protected === timer) {
|
|
44
|
+
// Probably an attack but potentially not so avoiding hard crash
|
|
45
|
+
return;
|
|
46
|
+
}
|
|
17
47
|
}
|
|
18
48
|
assert(capturedApis !== undefined);
|
|
19
|
-
|
|
49
|
+
capturedApis.clearTimeout.call(window, timer);
|
|
20
50
|
};
|
|
21
|
-
{
|
|
22
|
-
const pd = Object.getOwnPropertyDescriptor(Storage.prototype, "setItem");
|
|
23
|
-
assert(pd !== undefined);
|
|
24
|
-
Object.defineProperty(Storage.prototype, "setItem", {
|
|
25
|
-
enumerable: pd.enumerable,
|
|
26
|
-
writable: pd.writable,
|
|
27
|
-
value: setItem_protected
|
|
28
|
-
});
|
|
29
|
-
}
|
|
30
51
|
}
|
|
31
52
|
function getSessionStorageKey(params) {
|
|
32
53
|
const { stateUrlParamValue } = params;
|
|
@@ -51,6 +72,8 @@ export async function initIframeMessageProtection(params) {
|
|
|
51
72
|
const { publicKey, privateKey } = await generateKeys();
|
|
52
73
|
const sessionStorageKey = getSessionStorageKey({ stateUrlParamValue });
|
|
53
74
|
let timer = undefined;
|
|
75
|
+
const getProtectedTimer = () => timer;
|
|
76
|
+
getProtectedTimer_set.add(getProtectedTimer);
|
|
54
77
|
function setSessionStoragePublicKey() {
|
|
55
78
|
assert(capturedApis !== undefined);
|
|
56
79
|
const { setItem } = capturedApis;
|
|
@@ -89,8 +112,11 @@ export async function initIframeMessageProtection(params) {
|
|
|
89
112
|
return { authResponse };
|
|
90
113
|
}
|
|
91
114
|
function clearSessionStoragePublicKey() {
|
|
115
|
+
assert(capturedApis !== undefined);
|
|
116
|
+
const { clearTimeout } = capturedApis;
|
|
92
117
|
sessionStorage.removeItem(sessionStorageKey);
|
|
93
118
|
clearTimeout(timer);
|
|
119
|
+
getProtectedTimer_set.delete(getProtectedTimer);
|
|
94
120
|
}
|
|
95
121
|
return {
|
|
96
122
|
getIsReadyToReadPublicKeyMessage,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"iframeMessageProtection.js","sourceRoot":"","sources":["../../src/core/iframeMessageProtection.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAGnG,IAAI,YAAY,
|
|
1
|
+
{"version":3,"file":"iframeMessageProtection.js","sourceRoot":"","sources":["../../src/core/iframeMessageProtection.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAGnG,IAAI,YAAY,GAQE,SAAS,CAAC;AAE5B,MAAM,sBAAsB,GAAG,yCAAyC,CAAC;AAEzE,MAAM,qBAAqB,GAAG,IAAI,GAAG,EAA4B,CAAC;AAElE;;;GAGG;AACH,MAAM,UAAU,8CAA8C;IAC1D,YAAY,GAAG;QACX,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,OAAO;QAClC,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,KAAK,EAAE,MAAM,CAAC,KAAK;KACtB,CAAC;IAEF,8EAA8E;IAC9E,CAAC;QACG,MAAM,iBAAiB,GAAG,SAAS,OAAO,CAAY,GAAW,EAAE,KAAa;YAC5E,IAAI,GAAG,CAAC,UAAU,CAAC,sBAAsB,CAAC,EAAE,CAAC;gBACzC,MAAM,IAAI,KAAK,CACX,8EAA8E,CACjF,CAAC;YACN,CAAC;YAED,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC;YAEnC,OAAO,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QACvD,CAAC,CAAC;QAEF,CAAC;YACG,MAAM,EAAE,GAAG,MAAM,CAAC,wBAAwB,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;YAEzE,MAAM,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAEzB,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,EAAE;gBAChD,UAAU,EAAE,EAAE,CAAC,UAAU;gBACzB,QAAQ,EAAE,EAAE,CAAC,QAAQ;gBACrB,KAAK,EAAE,iBAAiB;aAC3B,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IAED,MAAM,CAAC,YAAY,GAAG,SAAS,YAAY,CAAC,KAAK;QAC7C,KAAK,MAAM,iBAAiB,IAAI,qBAAqB,EAAE,CAAC;YACpD,MAAM,eAAe,GAAG,iBAAiB,EAAE,CAAC;YAC5C,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;gBAChC,SAAS;YACb,CAAC;YACD,IAAI,eAAe,KAAK,KAAK,EAAE,CAAC;gBAC5B,gEAAgE;gBAChE,OAAO;YACX,CAAC;QACL,CAAC;QAED,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,YAAY,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAClD,CAAC,CAAC;AACN,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAsC;IAChE,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAEtC,OAAO,GAAG,sBAAsB,GAAG,kBAAkB,EAAE,CAAC;AAC5D,CAAC;AAED,MAAM,+BAA+B,GAAG,kCAAkC,CAAC;AAE3E,SAAS,0BAA0B,CAAC,MAAwD;IACxF,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAE/C,OAAO,CACH,OAAO,OAAO,KAAK,QAAQ;QAC3B,OAAO,CAAC,UAAU,CAAC,GAAG,+BAA+B,GAAG,kBAAkB,EAAE,CAAC,CAChF,CAAC;AACN,CAAC;AAED,SAAS,eAAe,CAAC,MAAsC;IAC3D,MA
AM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IACtC,OAAO,oCAAoC,kBAAkB,EAAE,CAAC;AACpE,CAAC;AAED,SAAS,gCAAgC,CAAC,MAAwD;IAC9F,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAC/C,OAAO,OAAO,KAAK,eAAe,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC;AAC/D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAAC,MAAsC;IACpF,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAEtC,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;IAEvD,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAEvE,IAAI,KAAK,GAAuB,SAAS,CAAC;IAE1C,MAAM,iBAAiB,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC;IAEtC,qBAAqB,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAE7C,SAAS,0BAA0B;QAC/B,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,MAAM,EAAE,OAAO,EAAE,GAAG,YAAY,CAAC;QAEjC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,iBAAiB,EAAE,SAAS,CAAC,CAAC;IAC5E,CAAC;IAED,SAAS,mDAAmD;QACxD,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,YAAY,CAAC;QAE3C,cAAc,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QAE7C,MAAM,oBAAoB,GAAG,GAAG,EAAE;YAC9B,MAAM,mBAAmB,GAAG,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;YAEtE,IAAI,mBAAmB,KAAK,IAAI,IAAI,mBAAmB,KAAK,SAAS,EAAE,CAAC;gBACpE,OAAO,IAAI,EAAE,CAAC;oBACV,KAAK,CACD;wBACI,oBAAoB;wBACpB,sCAAsC;wBACtC,oDAAoD;wBACpD,oCAAoC;qBACvC,CAAC,IAAI,CAAC,GAAG,CAAC,CACd,CAAC;gBACN,CAAC;YACL,CAAC;YACD,KAAK,EAAE,CAAC;QACZ,CAAC,CAAC;QAEF,SAAS,KAAK;YACV,KAAK,GAAG,UAAU,CAAC,oBAAoB,EAAE,CAAC,CAAC,CAAC;QAChD,CAAC;QAED,KAAK,EAAE,CAAC;IACZ,CAAC;IAED,KAAK,UAAU,mBAAmB,CAAC,MAElC;QACG,MAAM,EAAE,qBAAqB,EAAE,GAAG,MAAM,CAAC;QAEzC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,MAAM,iBAAiB,CAAC;YAC1D,gBAAgB,EAAE,qBAAqB,CAAC,KAAK,CACzC,+BAA+B,CAAC,MAAM,GAAG,kBAAkB,CAAC,MAAM,CACrE;YACD,UAAU;SACb,CAAC,CAAC;QAEH,MAAM,YAAY,GAAiB,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAEhE,OAAO,EAAE,YAAY,EAAE,CAAC;IAC5B,CAAC;IAED,SAAS,4BAA4B;QACjC,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QACnC,MAAM,EAAE,YAAY,EAAE,GAAG,YAAY,CAAC;QACtC,cAAc,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QAC7C,YAAY,CAAC,KAAK,CAAC,CAAC;QACpB,qBAAqB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IACpD,CAAC;IAED,OAAO;QACH,gCAAgC;QAChC,mDAAmD;QACnD,0BAA0B;QAC1B,0BAA0B;QAC1B,
mBAAmB;QACnB,4BAA4B;KAC/B,CAAC;AACN,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iCAAiC,CAAC,MAAsC;IAC1F,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;IAEhC,MAAM,CAAC,WAAW,CAAC,eAAe,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IAEjG,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3D,IAAI,SAAwB,CAAC;IAE7B,CAAC;QACG,IAAI,iBAAiB,GAAG,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;QAEzF,OAAO,CAAC,SAAS,GAAG,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACtE,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/D,CAAC;IACL,CAAC;IAED,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3D,MAAM,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,GAAG,MAAM,iBAAiB,CAAC;QACjF,SAAS;QACT,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC;KACxC,CAAC,CAAC;IAEH,MAAM,gBAAgB,GAAG,GAAG,+BAA+B,GAAG,YAAY,CAAC,KAAK,GAAG,8BAA8B,EAAE,CAAC;IAEpH,MAAM,CAAC,WAAW,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC1D,CAAC"}
|
|
@@ -14,8 +14,19 @@ export function withHandlingOidcPostLoginNavigation(Component) {
|
|
|
14
14
|
if (rootRelativeRedirectUrl === undefined) {
|
|
15
15
|
return;
|
|
16
16
|
}
|
|
17
|
-
|
|
18
|
-
|
|
17
|
+
// Defer navigation to the next paint to avoid hydration mismatches.
|
|
18
|
+
// A double rAF schedules after hydration/paint without arbitrary timeouts.
|
|
19
|
+
requestAnimationFrame(() => {
|
|
20
|
+
requestAnimationFrame(() => {
|
|
21
|
+
if (rootRelativeRedirectUrl !== undefined) {
|
|
22
|
+
router.navigate({
|
|
23
|
+
to: rootRelativeRedirectUrl,
|
|
24
|
+
replace: true
|
|
25
|
+
});
|
|
26
|
+
rootRelativeRedirectUrl = undefined;
|
|
27
|
+
}
|
|
28
|
+
});
|
|
29
|
+
});
|
|
19
30
|
}, []);
|
|
20
31
|
return _jsx(Component, { ...props });
|
|
21
32
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"withHandlingOidcPostLoginNavigation.js","sourceRoot":"","sources":["../../../src/tanstack-start/react/withHandlingOidcPostLoginNavigation.tsx"],"names":[],"mappings":";AAAA,OAAO,EAA+B,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/D,OAAO,EAAE,gDAAgD,EAAE,MAAM,sDAAsD,CAAC;AACxH,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAEnD,MAAM,UAAU,mCAAmC,CAC/C,SAA+B;IAE/B,IAAI,EAAE,uBAAuB,EAAE,GAAG,gDAAgD,EAAE,CAAC;IAErF,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;QACxC,mBAAmB;QACnB,OAAO,SAAS,CAAC;IACrB,CAAC;IAED,SAAS,4CAA4C,CAAC,KAAY;QAC9D,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAE3B,SAAS,CAAC,GAAG,EAAE;YACX,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBACxC,OAAO;YACX,CAAC;YAED,MAAM,CAAC,QAAQ,CAAC,EAAE,EAAE,
|
|
1
|
+
{"version":3,"file":"withHandlingOidcPostLoginNavigation.js","sourceRoot":"","sources":["../../../src/tanstack-start/react/withHandlingOidcPostLoginNavigation.tsx"],"names":[],"mappings":";AAAA,OAAO,EAA+B,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/D,OAAO,EAAE,gDAAgD,EAAE,MAAM,sDAAsD,CAAC;AACxH,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAEnD,MAAM,UAAU,mCAAmC,CAC/C,SAA+B;IAE/B,IAAI,EAAE,uBAAuB,EAAE,GAAG,gDAAgD,EAAE,CAAC;IAErF,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;QACxC,mBAAmB;QACnB,OAAO,SAAS,CAAC;IACrB,CAAC;IAED,SAAS,4CAA4C,CAAC,KAAY;QAC9D,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAE3B,SAAS,CAAC,GAAG,EAAE;YACX,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;gBACxC,OAAO;YACX,CAAC;YAED,oEAAoE;YACpE,2EAA2E;YAC3E,qBAAqB,CAAC,GAAG,EAAE;gBACvB,qBAAqB,CAAC,GAAG,EAAE;oBACvB,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;wBACxC,MAAM,CAAC,QAAQ,CAAC;4BACZ,EAAE,EAAE,uBAAuB;4BAC3B,OAAO,EAAE,IAAI;yBAChB,CAAC,CAAC;wBACH,uBAAuB,GAAG,SAAS,CAAC;oBACxC,CAAC;gBACL,CAAC,CAAC,CAAC;YACP,CAAC,CAAC,CAAC;QACP,CAAC,EAAE,EAAE,CAAC,CAAC;QAEP,OAAO,KAAC,SAAS,OAAK,KAAK,GAAI,CAAC;IACpC,CAAC;IAED,4CAA4C,CAAC,WAAW,GAAG,GACvD,SAAS,CAAC,WAAW,IAAI,SAAS,CAAC,IAAI,IAAI,WAC/C,qCAAqC,CAAC;IAEtC,OAAO,4CAA4C,CAAC;AACxD,CAAC"}
|
package/package.json
CHANGED
package/src/core/earlyInit.ts
CHANGED
|
@@ -2,9 +2,8 @@ import { getStateData, getIsStatQueryParamValue } from "./StateData";
|
|
|
2
2
|
import { assert, type Equals } from "../tools/tsafe/assert";
|
|
3
3
|
import type { AuthResponse } from "./AuthResponse";
|
|
4
4
|
import {
|
|
5
|
-
|
|
6
|
-
postEncryptedAuthResponseToParent
|
|
7
|
-
preventSessionStorageSetItemOfPublicKeyByThirdParty
|
|
5
|
+
iframeMessageProtection_captureAndLockBuiltins,
|
|
6
|
+
postEncryptedAuthResponseToParent
|
|
8
7
|
} from "./iframeMessageProtection";
|
|
9
8
|
import { setOidcRequiredPostHydrationReplaceNavigationUrl } from "./requiredPostHydrationReplaceNavigationUrl";
|
|
10
9
|
import { setBASE_URL } from "./BASE_URL";
|
|
@@ -32,8 +31,6 @@ export function oidcEarlyInit(params: {
|
|
|
32
31
|
return { shouldLoadApp: true };
|
|
33
32
|
}
|
|
34
33
|
|
|
35
|
-
captureApisForIframeProtection();
|
|
36
|
-
|
|
37
34
|
const {
|
|
38
35
|
freezeFetch,
|
|
39
36
|
freezeXMLHttpRequest,
|
|
@@ -86,11 +83,11 @@ export function oidcEarlyInit(params: {
|
|
|
86
83
|
});
|
|
87
84
|
}
|
|
88
85
|
|
|
89
|
-
preventSessionStorageSetItemOfPublicKeyByThirdParty();
|
|
90
|
-
|
|
91
86
|
if (BASE_URL !== undefined) {
|
|
92
87
|
setBASE_URL({ BASE_URL });
|
|
93
88
|
}
|
|
89
|
+
|
|
90
|
+
iframeMessageProtection_captureAndLockBuiltins();
|
|
94
91
|
}
|
|
95
92
|
|
|
96
93
|
resolvePrShouldLoadApp({ shouldLoadApp });
|
|
@@ -225,6 +222,7 @@ function handleOidcCallback(params: { isPostLoginRedirectManual?: boolean }): {
|
|
|
225
222
|
|
|
226
223
|
if (isPostLoginRedirectManual) {
|
|
227
224
|
setOidcRequiredPostHydrationReplaceNavigationUrl({ rootRelativeRedirectUrl });
|
|
225
|
+
history.replaceState({}, "", rootRelativeOriginalLocationHref);
|
|
228
226
|
} else {
|
|
229
227
|
history.replaceState({}, "", rootRelativeRedirectUrl);
|
|
230
228
|
}
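Review bot: The single `iframeMessageProtection_captureAndLockBuiltins()` call now sits inside the block closed by the `}` at new line 91, whereas the old `captureApisForIframeProtection()` at old line 35 ran unconditionally right after the `shouldLoadApp: true` early return; the block's opening is outside the `@@ -86` hunk, so if it is conditional, any path that skips it leaves `capturedApis` undefined and the `assert(capturedApis !== undefined)` inside `initIframeMessageProtection` fires later instead of here. If that block always runs on the main-window path this is fine, but a one-line comment at the call site would save the next reader the same question, e.g. `// Must be the last thing before the app starts: snapshots and locks the builtins the iframe protection relies on.`. `oidcEarlyInit` and `handleOidcCallback` both start and end outside these hunks.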
|
|
@@ -7,45 +7,71 @@ let capturedApis:
|
|
|
7
7
|
setItem: typeof localStorage.setItem;
|
|
8
8
|
sessionStorage: typeof window.sessionStorage;
|
|
9
9
|
setTimeout: typeof window.setTimeout;
|
|
10
|
+
clearTimeout: typeof window.clearTimeout;
|
|
10
11
|
alert: typeof window.alert;
|
|
11
12
|
}
|
|
12
13
|
| undefined = undefined;
|
|
13
14
|
|
|
14
|
-
|
|
15
|
+
const SESSION_STORAGE_PREFIX = "oidc-spa_iframe_authResponse_publicKey_";
|
|
16
|
+
|
|
17
|
+
const getProtectedTimer_set = new Set<() => number | undefined>();
|
|
18
|
+
|
|
19
|
+
/**
|
|
20
|
+
* To call while still in the safe window where no other code
|
|
21
|
+
* has been evaluated and only before we're about to actually start the App.
|
|
22
|
+
*/
|
|
23
|
+
export function iframeMessageProtection_captureAndLockBuiltins() {
|
|
15
24
|
capturedApis = {
|
|
16
25
|
setItem: Storage.prototype.setItem,
|
|
17
26
|
sessionStorage: window.sessionStorage,
|
|
18
27
|
setTimeout: window.setTimeout,
|
|
28
|
+
clearTimeout: window.clearTimeout,
|
|
19
29
|
alert: window.alert
|
|
20
30
|
};
|
|
21
|
-
}
|
|
22
31
|
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
}
|
|
32
|
+
// Ensure, at least from main window we cannot simply write on the public key.
|
|
33
|
+
{
|
|
34
|
+
const setItem_protected = function setItem(this: any, key: string, value: string): void {
|
|
35
|
+
if (key.startsWith(SESSION_STORAGE_PREFIX)) {
|
|
36
|
+
throw new Error(
|
|
37
|
+
"Attack prevented by oidc-spa. You have malicious code running in your system"
|
|
38
|
+
);
|
|
39
|
+
}
|
|
32
40
|
|
|
33
|
-
|
|
41
|
+
assert(capturedApis !== undefined);
|
|
34
42
|
|
|
35
|
-
|
|
36
|
-
|
|
43
|
+
return capturedApis.setItem.call(this, key, value);
|
|
44
|
+
};
|
|
37
45
|
|
|
38
|
-
|
|
39
|
-
|
|
46
|
+
{
|
|
47
|
+
const pd = Object.getOwnPropertyDescriptor(Storage.prototype, "setItem");
|
|
40
48
|
|
|
41
|
-
|
|
49
|
+
assert(pd !== undefined);
|
|
42
50
|
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
51
|
+
Object.defineProperty(Storage.prototype, "setItem", {
|
|
52
|
+
enumerable: pd.enumerable,
|
|
53
|
+
writable: pd.writable,
|
|
54
|
+
value: setItem_protected
|
|
55
|
+
});
|
|
56
|
+
}
|
|
48
57
|
}
|
|
58
|
+
|
|
59
|
+
window.clearTimeout = function clearTimeout(timer) {
|
|
60
|
+
for (const getProtectedTimer of getProtectedTimer_set) {
|
|
61
|
+
const timer_protected = getProtectedTimer();
|
|
62
|
+
if (timer_protected === undefined) {
|
|
63
|
+
continue;
|
|
64
|
+
}
|
|
65
|
+
if (timer_protected === timer) {
|
|
66
|
+
// Probably an attack but potentially not so avoiding hard crash
|
|
67
|
+
return;
|
|
68
|
+
}
|
|
69
|
+
}
|
|
70
|
+
|
|
71
|
+
assert(capturedApis !== undefined);
|
|
72
|
+
|
|
73
|
+
capturedApis.clearTimeout.call(window, timer);
|
|
74
|
+
};
|
|
49
75
|
}
|
|
50
76
|
|
|
51
77
|
function getSessionStorageKey(params: { stateUrlParamValue: string }) {
|
|
@@ -84,6 +110,10 @@ export async function initIframeMessageProtection(params: { stateUrlParamValue:
|
|
|
84
110
|
|
|
85
111
|
let timer: number | undefined = undefined;
|
|
86
112
|
|
|
113
|
+
const getProtectedTimer = () => timer;
|
|
114
|
+
|
|
115
|
+
getProtectedTimer_set.add(getProtectedTimer);
|
|
116
|
+
|
|
87
117
|
function setSessionStoragePublicKey() {
|
|
88
118
|
assert(capturedApis !== undefined);
|
|
89
119
|
|
|
@@ -142,8 +172,11 @@ export async function initIframeMessageProtection(params: { stateUrlParamValue:
|
|
|
142
172
|
}
|
|
143
173
|
|
|
144
174
|
function clearSessionStoragePublicKey() {
|
|
175
|
+
assert(capturedApis !== undefined);
|
|
176
|
+
const { clearTimeout } = capturedApis;
|
|
145
177
|
sessionStorage.removeItem(sessionStorageKey);
|
|
146
178
|
clearTimeout(timer);
|
|
179
|
+
getProtectedTimer_set.delete(getProtectedTimer);
|
|
147
180
|
}
|
|
148
181
|
|
|
149
182
|
return {
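Review bot: `setItem_protected` at the top of the `@@ -7,45` hunk calls `key.startsWith(...)` on the raw argument, but the native `Storage.prototype.setItem` it replaces stringifies its key, so `sessionStorage.setItem(1, "x")` (or any non-string key) now throws a TypeError instead of storing under `"1"`; use `String(key).startsWith(SESSION_STORAGE_PREFIX)` to keep the native contract. The `// Ensure, at least from main window ...` comment should also say how narrow the lock is: the named-property setter (`sessionStorage[key] = value`) never goes through `setItem`, and neither override is made non-configurable or non-writable (the `defineProperty` call only sets `enumerable`, `writable`, `value`; `clearTimeout` is a plain assignment), so same-origin code that already runs in the page can restore or re-wrap the originals, e.g. from a fresh iframe's realm — this is hardening against careless code, not a boundary against an injected script. Finally, the `clearTimeout` override silently returns on a match while the `setItem` guard throws; a `console.warn` in that branch would keep a genuine collision from being invisible.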
|
|
@@ -20,8 +20,19 @@ export function withHandlingOidcPostLoginNavigation<Props extends Record<string,
|
|
|
20
20
|
return;
|
|
21
21
|
}
|
|
22
22
|
|
|
23
|
-
|
|
24
|
-
|
|
23
|
+
// Defer navigation to the next paint to avoid hydration mismatches.
|
|
24
|
+
// A double rAF schedules after hydration/paint without arbitrary timeouts.
|
|
25
|
+
requestAnimationFrame(() => {
|
|
26
|
+
requestAnimationFrame(() => {
|
|
27
|
+
if (rootRelativeRedirectUrl !== undefined) {
|
|
28
|
+
router.navigate({
|
|
29
|
+
to: rootRelativeRedirectUrl,
|
|
30
|
+
replace: true
|
|
31
|
+
});
|
|
32
|
+
rootRelativeRedirectUrl = undefined;
|
|
33
|
+
}
|
|
34
|
+
});
|
|
35
|
+
});
|
|
25
36
|
}, []);
|
|
26
37
|
|
|
27
38
|
return <Component {...props} />;
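Review bot: The effect schedules two nested `requestAnimationFrame` callbacks but returns no cleanup, so if the wrapper unmounts before the second frame the `router.navigate({ ..., replace: true })` still fires over whatever the user navigated to in the meantime; capturing both ids and returning `() => cancelAnimationFrame(id)` from the effect would make the deferral abortable without changing the happy path. The `rootRelativeRedirectUrl = undefined` write inside the inner callback is what keeps the redirect one-shot across repeated runs of this effect (the `if` at the top of the effect reads the same variable), and deserves a comment such as `// One-shot: clear the captured URL so a re-run of this effect does not navigate twice.`. The enclosing `withHandlingOidcPostLoginNavigation` and the effect's opening line are outside the hunk.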
|