oidc-spa 8.2.12 → 8.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +19 -5
- package/core/createOidc.js +9 -2
- package/core/createOidc.js.map +1 -1
- package/core/earlyInit.d.ts +6 -2
- package/core/earlyInit.js +156 -31
- package/core/earlyInit.js.map +1 -1
- package/core/loginSilent.js +7 -42
- package/core/loginSilent.js.map +1 -1
- package/esm/core/createOidc.js +9 -2
- package/esm/core/createOidc.js.map +1 -1
- package/esm/core/earlyInit.d.ts +6 -2
- package/esm/core/earlyInit.js +155 -31
- package/esm/core/earlyInit.js.map +1 -1
- package/esm/core/loginSilent.js +7 -42
- package/esm/core/loginSilent.js.map +1 -1
- package/esm/tools/Evt.js +18 -10
- package/esm/tools/Evt.js.map +1 -1
- package/package.json +2 -2
- package/src/core/createOidc.ts +8 -1
- package/src/core/earlyInit.ts +205 -40
- package/src/core/loginSilent.ts +18 -79
- package/src/tools/Evt.ts +17 -16
- package/src/vite-plugin/handleClientEntrypoint.ts +4 -6
- package/tools/Evt.js +18 -10
- package/tools/Evt.js.map +1 -1
- package/vite-plugin/handleClientEntrypoint.js +3 -1
- package/vite-plugin/handleClientEntrypoint.js.map +1 -1
- package/core/iframeMessageProtection.d.ts +0 -32
- package/core/iframeMessageProtection.js +0 -154
- package/core/iframeMessageProtection.js.map +0 -1
- package/esm/core/iframeMessageProtection.d.ts +0 -32
- package/esm/core/iframeMessageProtection.js +0 -149
- package/esm/core/iframeMessageProtection.js.map +0 -1
- package/esm/tools/asymmetricEncryption.d.ts +0 -18
- package/esm/tools/asymmetricEncryption.js +0 -85
- package/esm/tools/asymmetricEncryption.js.map +0 -1
- package/src/core/iframeMessageProtection.ts +0 -219
- package/src/tools/asymmetricEncryption.ts +0 -184
- package/tools/asymmetricEncryption.d.ts +0 -18
- package/tools/asymmetricEncryption.js +0 -90
- package/tools/asymmetricEncryption.js.map +0 -1
package/src/tools/Evt.ts
CHANGED
|
@@ -1,5 +1,4 @@
|
|
|
1
1
|
import { Deferred } from "./Deferred";
|
|
2
|
-
import { assert, is } from "../tools/tsafe/assert";
|
|
3
2
|
|
|
4
3
|
export type NonPostableEvt<T> = {
|
|
5
4
|
waitFor: () => Promise<T>;
|
|
@@ -12,40 +11,42 @@ export type Evt<T> = NonPostableEvt<T> & {
|
|
|
12
11
|
};
|
|
13
12
|
|
|
14
13
|
export function createEvt<T>(): Evt<T> {
|
|
15
|
-
const
|
|
16
|
-
const KEY = "event";
|
|
17
|
-
|
|
14
|
+
const listeners: Array<(data: T) => void> = [];
|
|
18
15
|
let postCount = 0;
|
|
19
16
|
|
|
20
17
|
const evt: Evt<T> = {
|
|
21
18
|
subscribe: next => {
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
next(e.detail);
|
|
26
|
-
};
|
|
27
|
-
|
|
28
|
-
eventTarget.addEventListener(KEY, listener);
|
|
29
|
-
|
|
19
|
+
listeners.push(next);
|
|
20
|
+
let isActive = true;
|
|
30
21
|
return {
|
|
31
22
|
unsubscribe: () => {
|
|
32
|
-
|
|
23
|
+
if (!isActive) {
|
|
24
|
+
return;
|
|
25
|
+
}
|
|
26
|
+
isActive = false;
|
|
27
|
+
const i = listeners.indexOf(next);
|
|
28
|
+
if (i >= 0) {
|
|
29
|
+
listeners.splice(i, 1);
|
|
30
|
+
}
|
|
33
31
|
}
|
|
34
32
|
};
|
|
35
33
|
},
|
|
36
34
|
waitFor: () => {
|
|
37
35
|
const d = new Deferred<T>();
|
|
38
|
-
|
|
39
36
|
const { unsubscribe } = evt.subscribe(data => {
|
|
40
37
|
unsubscribe();
|
|
41
38
|
d.resolve(data);
|
|
42
39
|
});
|
|
43
|
-
|
|
44
40
|
return d.pr;
|
|
45
41
|
},
|
|
46
42
|
post: (data: T) => {
|
|
47
43
|
postCount++;
|
|
48
|
-
|
|
44
|
+
const snapshot = listeners.slice();
|
|
45
|
+
for (const l of snapshot) {
|
|
46
|
+
try {
|
|
47
|
+
l(data);
|
|
48
|
+
} catch {}
|
|
49
|
+
}
|
|
49
50
|
},
|
|
50
51
|
get postCount() {
|
|
51
52
|
return postCount;
|
|
@@ -64,12 +64,8 @@ export function createLoadHandleEntrypoint(params: {
|
|
|
64
64
|
|
|
65
65
|
entryResolution.watchFiles.forEach(file => pluginContext.addWatchFile(file));
|
|
66
66
|
|
|
67
|
-
const {
|
|
68
|
-
|
|
69
|
-
freezeXMLHttpRequest = true,
|
|
70
|
-
freezeWebSocket = true,
|
|
71
|
-
...rest
|
|
72
|
-
} = oidcSpaVitePluginParams ?? {};
|
|
67
|
+
const { freezeFetch, freezeXMLHttpRequest, freezeWebSocket, freezePromise, safeMode, ...rest } =
|
|
68
|
+
oidcSpaVitePluginParams ?? {};
|
|
73
69
|
|
|
74
70
|
assert<Equals<typeof rest, {}>>;
|
|
75
71
|
|
|
@@ -81,6 +77,8 @@ export function createLoadHandleEntrypoint(params: {
|
|
|
81
77
|
` freezeFetch: ${freezeFetch},`,
|
|
82
78
|
` freezeXMLHttpRequest: ${freezeXMLHttpRequest},`,
|
|
83
79
|
` freezeWebSocket: ${freezeWebSocket},`,
|
|
80
|
+
` freezePromise: ${freezePromise},`,
|
|
81
|
+
` safeMode: ${safeMode},`,
|
|
84
82
|
` isPostLoginRedirectManual: ${projectType === "tanstack-start"},`,
|
|
85
83
|
` BASE_URL: "${resolvedConfig.base}"`,
|
|
86
84
|
`});`,
|
package/tools/Evt.js
CHANGED
|
@@ -2,21 +2,23 @@
|
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
3
|
exports.createEvt = createEvt;
|
|
4
4
|
const Deferred_1 = require("./Deferred");
|
|
5
|
-
const assert_1 = require("../tools/tsafe/assert");
|
|
6
5
|
function createEvt() {
|
|
7
|
-
const
|
|
8
|
-
const KEY = "event";
|
|
6
|
+
const listeners = [];
|
|
9
7
|
let postCount = 0;
|
|
10
8
|
const evt = {
|
|
11
9
|
subscribe: next => {
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
next(e.detail);
|
|
15
|
-
};
|
|
16
|
-
eventTarget.addEventListener(KEY, listener);
|
|
10
|
+
listeners.push(next);
|
|
11
|
+
let isActive = true;
|
|
17
12
|
return {
|
|
18
13
|
unsubscribe: () => {
|
|
19
|
-
|
|
14
|
+
if (!isActive) {
|
|
15
|
+
return;
|
|
16
|
+
}
|
|
17
|
+
isActive = false;
|
|
18
|
+
const i = listeners.indexOf(next);
|
|
19
|
+
if (i >= 0) {
|
|
20
|
+
listeners.splice(i, 1);
|
|
21
|
+
}
|
|
20
22
|
}
|
|
21
23
|
};
|
|
22
24
|
},
|
|
@@ -30,7 +32,13 @@ function createEvt() {
|
|
|
30
32
|
},
|
|
31
33
|
post: (data) => {
|
|
32
34
|
postCount++;
|
|
33
|
-
|
|
35
|
+
const snapshot = listeners.slice();
|
|
36
|
+
for (const l of snapshot) {
|
|
37
|
+
try {
|
|
38
|
+
l(data);
|
|
39
|
+
}
|
|
40
|
+
catch { }
|
|
41
|
+
}
|
|
34
42
|
},
|
|
35
43
|
get postCount() {
|
|
36
44
|
return postCount;
|
package/tools/Evt.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"Evt.js","sourceRoot":"","sources":["../src/tools/Evt.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"Evt.js","sourceRoot":"","sources":["../src/tools/Evt.ts"],"names":[],"mappings":";;AAYA,8BA4CC;AAxDD,yCAAsC;AAYtC,SAAgB,SAAS;IACrB,MAAM,SAAS,GAA6B,EAAE,CAAC;IAC/C,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,MAAM,GAAG,GAAW;QAChB,SAAS,EAAE,IAAI,CAAC,EAAE;YACd,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACrB,IAAI,QAAQ,GAAG,IAAI,CAAC;YACpB,OAAO;gBACH,WAAW,EAAE,GAAG,EAAE;oBACd,IAAI,CAAC,QAAQ,EAAE,CAAC;wBACZ,OAAO;oBACX,CAAC;oBACD,QAAQ,GAAG,KAAK,CAAC;oBACjB,MAAM,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;oBAClC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACT,SAAS,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;oBAC3B,CAAC;gBACL,CAAC;aACJ,CAAC;QACN,CAAC;QACD,OAAO,EAAE,GAAG,EAAE;YACV,MAAM,CAAC,GAAG,IAAI,mBAAQ,EAAK,CAAC;YAC5B,MAAM,EAAE,WAAW,EAAE,GAAG,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;gBACzC,WAAW,EAAE,CAAC;gBACd,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACpB,CAAC,CAAC,CAAC;YACH,OAAO,CAAC,CAAC,EAAE,CAAC;QAChB,CAAC;QACD,IAAI,EAAE,CAAC,IAAO,EAAE,EAAE;YACd,SAAS,EAAE,CAAC;YACZ,MAAM,QAAQ,GAAG,SAAS,CAAC,KAAK,EAAE,CAAC;YACnC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACvB,IAAI,CAAC;oBACD,CAAC,CAAC,IAAI,CAAC,CAAC;gBACZ,CAAC;gBAAC,MAAM,CAAC,CAAA,CAAC;YACd,CAAC;QACL,CAAC;QACD,IAAI,SAAS;YACT,OAAO,SAAS,CAAC;QACrB,CAAC;KACJ,CAAC;IAEF,OAAO,GAAG,CAAC;AACf,CAAC"}
|
|
@@ -70,7 +70,7 @@ function createLoadHandleEntrypoint(params) {
|
|
|
70
70
|
return loadOriginalModule(entryResolution, pluginContext);
|
|
71
71
|
}
|
|
72
72
|
entryResolution.watchFiles.forEach(file => pluginContext.addWatchFile(file));
|
|
73
|
-
const { freezeFetch
|
|
73
|
+
const { freezeFetch, freezeXMLHttpRequest, freezeWebSocket, freezePromise, safeMode, ...rest } = oidcSpaVitePluginParams ?? {};
|
|
74
74
|
assert_1.assert;
|
|
75
75
|
const stubSourceCache = [
|
|
76
76
|
`import { oidcEarlyInit } from "oidc-spa/entrypoint";`,
|
|
@@ -80,6 +80,8 @@ function createLoadHandleEntrypoint(params) {
|
|
|
80
80
|
` freezeFetch: ${freezeFetch},`,
|
|
81
81
|
` freezeXMLHttpRequest: ${freezeXMLHttpRequest},`,
|
|
82
82
|
` freezeWebSocket: ${freezeWebSocket},`,
|
|
83
|
+
` freezePromise: ${freezePromise},`,
|
|
84
|
+
` safeMode: ${safeMode},`,
|
|
83
85
|
` isPostLoginRedirectManual: ${projectType === "tanstack-start"},`,
|
|
84
86
|
` BASE_URL: "${resolvedConfig.base}"`,
|
|
85
87
|
`});`,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"handleClientEntrypoint.js","sourceRoot":"","sources":["../src/vite-plugin/handleClientEntrypoint.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BA,
|
|
1
|
+
{"version":3,"file":"handleClientEntrypoint.js","sourceRoot":"","sources":["../src/vite-plugin/handleClientEntrypoint.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BA,gEAqEC;AAjGD,qCAAqC;AACrC,qCAAyC;AACzC,gDAAkC;AAClC,uCAAyC;AACzC,+BAAqC;AACrC,kDAA+C;AAU/C,MAAM,oBAAoB,GAAG,mBAAmB,CAAC;AAEjD,MAAM,wBAAwB,GAAG,CAAC,cAAc,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,CAAC,CAAC;AAEhG,MAAM,6BAA6B,GAAG;IAClC,kBAAkB;IAClB,iBAAiB;IACjB,kBAAkB;IAClB,iBAAiB;CACpB,CAAC;AAEF,MAAM,yBAAyB,GAAG,CAAC,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW,CAAC,CAAC;AAEzF,SAAgB,0BAA0B,CAAC,MAI1C;IACG,MAAM,EAAE,uBAAuB,EAAE,cAAc,EAAE,WAAW,EAAE,GAAG,MAAM,CAAC;IAExE,MAAM,eAAe,GAAG,sBAAsB,CAAC;QAC3C,MAAM,EAAE,cAAc;QACtB,WAAW;KACd,CAAC,CAAC;IAEH,KAAK,UAAU,oBAAoB,CAAC,MAGnC;QACG,MAAM,EAAE,EAAE,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC;QACrC,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC,EAAE,CAAC,CAAC;QACnD,MAAM,qBAAqB,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;QAC5D,IAAI,CAAC,qBAAqB,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,IAAI,qBAAqB,KAAK,eAAe,CAAC,cAAc,EAAE,CAAC;YAC3D,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,MAAM,iBAAiB,GAAG,WAAW,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAEpF,IAAI,iBAAiB,EAAE,CAAC;YACpB,OAAO,kBAAkB,CAAC,eAAe,EAAE,aAAa,CAAC,CAAC;QAC9D,CAAC;QAED,eAAe,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;QAE7E,MAAM,EAAE,WAAW,EAAE,oBAAoB,EAAE,eAAe,EAAE,aAAa,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,GAC1F,uBAAuB,IAAI,EAAE,CAAC;QAElC,eAA+B,CAAC;QAEhC,MAAM,eAAe,GAAG;YACpB,sDAAsD;YACtD,WAAW,KAAK,gBAAgB;gBAC5B,4JAA4J;YAChK,2CAA2C;YAC3C,oBAAoB,WAAW,GAAG;YAClC,6BAA6B,oBAAoB,GAAG;YACpD,wBAAwB,eAAe,GAAG;YAC1C,sBAAsB,aAAa,GAAG;YACtC,iBAAiB,QAAQ,GAAG;YAC5B,kCAAkC,WAAW,KAAK,gBAAgB,GAAG;YACrE,kBAAkB,cAAc,CAAC,IAAI,GAAG;YACxC,KAAK;YACL,EAAE;YACF,oBAAoB;YACpB,WAAW,KAAK,gBAAgB;gBAC5B,oEAAoE;YACxE,iBAAiB,IAAI,CAAC,QAAQ,CAC1B,eAAe,CAAC,YAAY,CAC/B,IAAI,oBAAoB,UAAU;YACnC,GAAG;SACN;aACI,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC;aACxC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEhB,OAAO,eAAe,CAAC;IAC3B,CAAC;IAED,OAAO,oBAAoB,CAAC;AAChC,CAAC;AAED,SAAS,sBAAsB,CAAC,EAC5B,MAAM,EACN,WAAW,EAId;IACG,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;IAEzB,QAAQ,WAAW,EAAE,CAAC;QAClB,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACpB,MAAM,SAAS,GAAG,gBAAgB,CAAC;gBAC/B,IAAI;gBACJ,cAAc,EAAE,CAAC,KAAK,CAAC;gBACvB,SAAS,EAAE,yBAAyB;aACvC,CAAC,CAAC;YAEH,MAAM,SAAS,GACX,SAAS;gBACT,kBAAkB,CAAC,uBAAuB,EAAE;oBACxC,MAAM;oBACN,QAAQ;oBACR,eAAe;oBACf,YAAY;iBACf,CAAC,CAAC;YAEP,MAAM,UAAU,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAEhD,MAAM,UAAU,GAAoB;gBAChC,YAAY,EAAE,SAAS;gBACvB,cAAc,EAAE,UAAU;gBAC1B,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE;aAC3C,CAAC;YAEF,OAAO,UAAU,CAAC;QACtB,CAAC;QAED,KAAK,wBAAwB,CAAC,CAAC,CAAC;YAC5B,MAAM,SAAS,GAAG,gBAAgB,CAAC;gBAC/B,IAAI;gBACJ,cAAc,EAAE,CAAC,KAAK,CAAC;gBACvB,SAAS,EAAE,6BAA6B;aAC3C,CAAC,CAAC;YAEH,MAAM,SAAS,GACX,SAAS;gBACT,kBAAkB,CAAC,mBAAmB,EAAE;oBACpC,MAAM;oBACN,QAAQ;oBACR,UAAU;oBACV,kBAAkB;iBACrB,CAAC,CAAC;YAEP,MAAM,UAAU,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAEhD,MAAM,UAAU,GAAoB;gBAChC,YAAY,EAAE,SAAS;gBACvB,cAAc,EAAE,UAAU;gBAC1B,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE;aAC3C,CAAC;YAEF,OAAO,UAAU,CAAC;QACtB,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACX,MAAM,SAAS,GAAG,gBAAgB,CAAC;gBAC/B,IAAI;gBACJ,cAAc,EAAE,CAAC,GAAG,CAAC;gBACrB,SAAS,EAAE,wBAAwB;aACtC,CAAC,CAAC;YAEH,IAAA,eAAM,EAAC,SAAS,KAAK,SAAS,CAAC,CAAC;YAEhC,MAAM,UAAU,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAEhD,MAAM,UAAU,GAAoB;gBAChC,YAAY,EAAE,SAAS;gBACvB,cAAc,EAAE,UAAU;gBAC1B,UAAU,EAAE,CAAC,SAAS,CAAC;aAC1B,CAAC;YAEF,OAAO,UAAU,CAAC;QACtB,CAAC;QAED;YACI,IAAA,eAAM,EAAoC,KAAK,CAAC,CAAC;IACzD,CAAC;AACL,CAAC;AAED,SAAS,kBAAkB,CACvB,KAAsB,EACtB,OAA2C;IAE3C,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;IAC7D,OAAO,kBAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,gBAAgB,CAAC,EACtB,IAAI,EACJ,cAAc,EACd,SAAS,EAKZ;IACG,KAAK,MAAM,YAAY,IAAI,cAAc,EAAE,CAAC;QACxC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;YAC7D,IAAI,IAAA,oBAAU,EAAC,SAAS,CAAC,EAAE,CAAC;gBACxB,OAAO,SAAS,CAAC;YACrB,CAAC;QACL,CAAC;IACL,CAAC;IACD,OAAO,SAAS,CAAC;AACrB,CAAC;AAED,SAAS,kBAAkB,CAAC,WAAmB,EAAE,QAAkB;IAC/D,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,WAAW,eAAe,CAAC,CAAC;IAC/D,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,GAAG,QAAQ,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,iBAAiB,CAAC,QAAgB;IACvC,OAAO,IAAA,oBAAa,EAAC,QAAQ,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,OAAO,CAAC,EAAU;IACvB,MAAM,UAAU,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,UAAU,KAAK,CAAC,CAAC,EAAE,CAAC;QACpB,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,IAAI,eAAe,EAAE,EAAE,CAAC;IAC5D,CAAC;IAED,MAAM,QAAQ,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;IACzC,MAAM,WAAW,GAAG,EAAE,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC;IAC7C,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,eAAe,CAAC,WAAW,CAAC,EAAE,CAAC;AAC7E,CAAC;AAED,SAAS,oBAAoB,CAAC,EAAU;IACpC,IAAI,WAAW,GAAG,EAAE,CAAC;IAErB,IAAI,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/B,WAAW,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACvC,CAAC;IAED,IAAI,WAAW,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,WAAW,GAAG,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACpD,CAAC;SAAM,IAAI,WAAW,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3C,WAAW,GAAG,IAAA,wBAAa,EAAC,WAAW,CAAC,CAAC;IAC7C,CAAC;IAED,IAAI,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9D,OAAO,IAAA,oBAAa,EAAC,WAAW,CAAC,CAAC;IACtC,CAAC;IAED,OAAO,IAAA,oBAAa,EAAC,WAAW,CAAC,CAAC;AACtC,CAAC"}
|
|
@@ -1,32 +0,0 @@
|
|
|
1
|
-
import { type AuthResponse } from "./AuthResponse";
|
|
2
|
-
/**
|
|
3
|
-
* To call while still in the safe window where no other code
|
|
4
|
-
* has been evaluated and only before we're about to actually start the App.
|
|
5
|
-
*/
|
|
6
|
-
export declare function iframeMessageProtection_captureAndLockBuiltins(): void;
|
|
7
|
-
declare function getIsEncryptedAuthResponse(params: {
|
|
8
|
-
message: unknown;
|
|
9
|
-
stateUrlParamValue: string;
|
|
10
|
-
}): boolean;
|
|
11
|
-
declare function getIsReadyToReadPublicKeyMessage(params: {
|
|
12
|
-
message: unknown;
|
|
13
|
-
stateUrlParamValue: string;
|
|
14
|
-
}): boolean;
|
|
15
|
-
export declare function initIframeMessageProtection(params: {
|
|
16
|
-
stateUrlParamValue: string;
|
|
17
|
-
}): Promise<{
|
|
18
|
-
getIsReadyToReadPublicKeyMessage: typeof getIsReadyToReadPublicKeyMessage;
|
|
19
|
-
startSessionStoragePublicKeyMaliciousWriteDetection: () => void;
|
|
20
|
-
setSessionStoragePublicKey: () => void;
|
|
21
|
-
getIsEncryptedAuthResponse: typeof getIsEncryptedAuthResponse;
|
|
22
|
-
decodeEncryptedAuth: (params: {
|
|
23
|
-
encryptedAuthResponse: string;
|
|
24
|
-
}) => Promise<{
|
|
25
|
-
authResponse: AuthResponse;
|
|
26
|
-
}>;
|
|
27
|
-
clearSessionStoragePublicKey: () => void;
|
|
28
|
-
}>;
|
|
29
|
-
export declare function postEncryptedAuthResponseToParent(params: {
|
|
30
|
-
authResponse: AuthResponse;
|
|
31
|
-
}): Promise<void>;
|
|
32
|
-
export {};
|
|
@@ -1,154 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.iframeMessageProtection_captureAndLockBuiltins = iframeMessageProtection_captureAndLockBuiltins;
|
|
4
|
-
exports.initIframeMessageProtection = initIframeMessageProtection;
|
|
5
|
-
exports.postEncryptedAuthResponseToParent = postEncryptedAuthResponseToParent;
|
|
6
|
-
const assert_1 = require("../tools/tsafe/assert");
|
|
7
|
-
const asymmetricEncryption_1 = require("../tools/asymmetricEncryption");
|
|
8
|
-
let capturedApis = undefined;
|
|
9
|
-
const SESSION_STORAGE_PREFIX = "oidc-spa_iframe_authResponse_publicKey_";
|
|
10
|
-
const getProtectedTimer_set = new Set();
|
|
11
|
-
/**
|
|
12
|
-
* To call while still in the safe window where no other code
|
|
13
|
-
* has been evaluated and only before we're about to actually start the App.
|
|
14
|
-
*/
|
|
15
|
-
function iframeMessageProtection_captureAndLockBuiltins() {
|
|
16
|
-
capturedApis = {
|
|
17
|
-
setItem: Storage.prototype.setItem,
|
|
18
|
-
sessionStorage: window.sessionStorage,
|
|
19
|
-
setTimeout: window.setTimeout,
|
|
20
|
-
clearTimeout: window.clearTimeout,
|
|
21
|
-
alert: window.alert
|
|
22
|
-
};
|
|
23
|
-
// Ensure, at least from main window we cannot simply write on the public key.
|
|
24
|
-
{
|
|
25
|
-
const setItem_protected = function setItem(key, value) {
|
|
26
|
-
if (key.startsWith(SESSION_STORAGE_PREFIX)) {
|
|
27
|
-
throw new Error("Attack prevented by oidc-spa. You have malicious code running in your system");
|
|
28
|
-
}
|
|
29
|
-
(0, assert_1.assert)(capturedApis !== undefined);
|
|
30
|
-
return capturedApis.setItem.call(this, key, value);
|
|
31
|
-
};
|
|
32
|
-
{
|
|
33
|
-
const pd = Object.getOwnPropertyDescriptor(Storage.prototype, "setItem");
|
|
34
|
-
(0, assert_1.assert)(pd !== undefined);
|
|
35
|
-
Object.defineProperty(Storage.prototype, "setItem", {
|
|
36
|
-
enumerable: pd.enumerable,
|
|
37
|
-
writable: pd.writable,
|
|
38
|
-
value: setItem_protected
|
|
39
|
-
});
|
|
40
|
-
}
|
|
41
|
-
}
|
|
42
|
-
window.clearTimeout = function clearTimeout(timer) {
|
|
43
|
-
for (const getProtectedTimer of getProtectedTimer_set) {
|
|
44
|
-
const timer_protected = getProtectedTimer();
|
|
45
|
-
if (timer_protected === undefined) {
|
|
46
|
-
continue;
|
|
47
|
-
}
|
|
48
|
-
if (timer_protected === timer) {
|
|
49
|
-
// Probably an attack but potentially not so avoiding hard crash
|
|
50
|
-
return;
|
|
51
|
-
}
|
|
52
|
-
}
|
|
53
|
-
(0, assert_1.assert)(capturedApis !== undefined);
|
|
54
|
-
capturedApis.clearTimeout.call(window, timer);
|
|
55
|
-
};
|
|
56
|
-
}
|
|
57
|
-
function getSessionStorageKey(params) {
|
|
58
|
-
const { stateUrlParamValue } = params;
|
|
59
|
-
return `${SESSION_STORAGE_PREFIX}${stateUrlParamValue}`;
|
|
60
|
-
}
|
|
61
|
-
const ENCRYPTED_AUTH_RESPONSES_PREFIX = "oidc-spa_encrypted_authResponse_";
|
|
62
|
-
function getIsEncryptedAuthResponse(params) {
|
|
63
|
-
const { message, stateUrlParamValue } = params;
|
|
64
|
-
return (typeof message === "string" &&
|
|
65
|
-
message.startsWith(`${ENCRYPTED_AUTH_RESPONSES_PREFIX}${stateUrlParamValue}`));
|
|
66
|
-
}
|
|
67
|
-
function getReadyMessage(params) {
|
|
68
|
-
const { stateUrlParamValue } = params;
|
|
69
|
-
return `oidc-spa_ready_to_read_publicKey_${stateUrlParamValue}`;
|
|
70
|
-
}
|
|
71
|
-
function getIsReadyToReadPublicKeyMessage(params) {
|
|
72
|
-
const { message, stateUrlParamValue } = params;
|
|
73
|
-
return message === getReadyMessage({ stateUrlParamValue });
|
|
74
|
-
}
|
|
75
|
-
async function initIframeMessageProtection(params) {
|
|
76
|
-
const { stateUrlParamValue } = params;
|
|
77
|
-
const { publicKey, privateKey } = await (0, asymmetricEncryption_1.generateKeys)();
|
|
78
|
-
const sessionStorageKey = getSessionStorageKey({ stateUrlParamValue });
|
|
79
|
-
let timer = undefined;
|
|
80
|
-
const getProtectedTimer = () => timer;
|
|
81
|
-
getProtectedTimer_set.add(getProtectedTimer);
|
|
82
|
-
function setSessionStoragePublicKey() {
|
|
83
|
-
(0, assert_1.assert)(capturedApis !== undefined);
|
|
84
|
-
const { setItem } = capturedApis;
|
|
85
|
-
setItem.call(capturedApis.sessionStorage, sessionStorageKey, publicKey);
|
|
86
|
-
}
|
|
87
|
-
function startSessionStoragePublicKeyMaliciousWriteDetection() {
|
|
88
|
-
(0, assert_1.assert)(capturedApis !== undefined);
|
|
89
|
-
const { alert, setTimeout } = capturedApis;
|
|
90
|
-
sessionStorage.removeItem(sessionStorageKey);
|
|
91
|
-
const checkTimeoutCallback = () => {
|
|
92
|
-
const publicKey_inStorage = sessionStorage.getItem(sessionStorageKey);
|
|
93
|
-
if (publicKey_inStorage !== null && publicKey_inStorage !== publicKey) {
|
|
94
|
-
while (true) {
|
|
95
|
-
alert([
|
|
96
|
-
"⚠️ Security Alert:",
|
|
97
|
-
"oidc-spa detected an attack attempt.",
|
|
98
|
-
"For your safety, please close this tab immediately",
|
|
99
|
-
"and notify the site administrator."
|
|
100
|
-
].join(" "));
|
|
101
|
-
}
|
|
102
|
-
}
|
|
103
|
-
check();
|
|
104
|
-
};
|
|
105
|
-
function check() {
|
|
106
|
-
timer = setTimeout(checkTimeoutCallback, 5);
|
|
107
|
-
}
|
|
108
|
-
check();
|
|
109
|
-
}
|
|
110
|
-
async function decodeEncryptedAuth(params) {
|
|
111
|
-
const { encryptedAuthResponse } = params;
|
|
112
|
-
const { message: authResponse_str } = await (0, asymmetricEncryption_1.asymmetricDecrypt)({
|
|
113
|
-
encryptedMessage: encryptedAuthResponse.slice(ENCRYPTED_AUTH_RESPONSES_PREFIX.length + stateUrlParamValue.length),
|
|
114
|
-
privateKey
|
|
115
|
-
});
|
|
116
|
-
const authResponse = JSON.parse(authResponse_str);
|
|
117
|
-
return { authResponse };
|
|
118
|
-
}
|
|
119
|
-
function clearSessionStoragePublicKey() {
|
|
120
|
-
(0, assert_1.assert)(capturedApis !== undefined);
|
|
121
|
-
const { clearTimeout } = capturedApis;
|
|
122
|
-
sessionStorage.removeItem(sessionStorageKey);
|
|
123
|
-
clearTimeout(timer);
|
|
124
|
-
getProtectedTimer_set.delete(getProtectedTimer);
|
|
125
|
-
}
|
|
126
|
-
return {
|
|
127
|
-
getIsReadyToReadPublicKeyMessage,
|
|
128
|
-
startSessionStoragePublicKeyMaliciousWriteDetection,
|
|
129
|
-
setSessionStoragePublicKey,
|
|
130
|
-
getIsEncryptedAuthResponse,
|
|
131
|
-
decodeEncryptedAuth,
|
|
132
|
-
clearSessionStoragePublicKey
|
|
133
|
-
};
|
|
134
|
-
}
|
|
135
|
-
async function postEncryptedAuthResponseToParent(params) {
|
|
136
|
-
const { authResponse } = params;
|
|
137
|
-
parent.postMessage(getReadyMessage({ stateUrlParamValue: authResponse.state }), location.origin);
|
|
138
|
-
await new Promise(resolve => setTimeout(resolve, 2));
|
|
139
|
-
let publicKey;
|
|
140
|
-
{
|
|
141
|
-
let sessionStorageKey = getSessionStorageKey({ stateUrlParamValue: authResponse.state });
|
|
142
|
-
while ((publicKey = sessionStorage.getItem(sessionStorageKey)) === null) {
|
|
143
|
-
await new Promise(resolve => setTimeout(resolve, 2));
|
|
144
|
-
}
|
|
145
|
-
}
|
|
146
|
-
await new Promise(resolve => setTimeout(resolve, 7));
|
|
147
|
-
const { encryptedMessage: encryptedMessage_withoutPrefix } = await (0, asymmetricEncryption_1.asymmetricEncrypt)({
|
|
148
|
-
publicKey,
|
|
149
|
-
message: JSON.stringify(authResponse)
|
|
150
|
-
});
|
|
151
|
-
const encryptedMessage = `${ENCRYPTED_AUTH_RESPONSES_PREFIX}${authResponse.state}${encryptedMessage_withoutPrefix}`;
|
|
152
|
-
parent.postMessage(encryptedMessage, location.origin);
|
|
153
|
-
}
|
|
154
|
-
//# sourceMappingURL=iframeMessageProtection.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"iframeMessageProtection.js","sourceRoot":"","sources":["../src/core/iframeMessageProtection.ts"],"names":[],"mappings":";;AAsBA,wGAoDC;AA6BD,kEAsFC;AAED,8EA2BC;AA1ND,kDAA+C;AAC/C,wEAAmG;AAGnG,IAAI,YAAY,GAQE,SAAS,CAAC;AAE5B,MAAM,sBAAsB,GAAG,yCAAyC,CAAC;AAEzE,MAAM,qBAAqB,GAAG,IAAI,GAAG,EAA4B,CAAC;AAElE;;;GAGG;AACH,SAAgB,8CAA8C;IAC1D,YAAY,GAAG;QACX,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,OAAO;QAClC,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,KAAK,EAAE,MAAM,CAAC,KAAK;KACtB,CAAC;IAEF,8EAA8E;IAC9E,CAAC;QACG,MAAM,iBAAiB,GAAG,SAAS,OAAO,CAAY,GAAW,EAAE,KAAa;YAC5E,IAAI,GAAG,CAAC,UAAU,CAAC,sBAAsB,CAAC,EAAE,CAAC;gBACzC,MAAM,IAAI,KAAK,CACX,8EAA8E,CACjF,CAAC;YACN,CAAC;YAED,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;YAEnC,OAAO,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QACvD,CAAC,CAAC;QAEF,CAAC;YACG,MAAM,EAAE,GAAG,MAAM,CAAC,wBAAwB,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;YAEzE,IAAA,eAAM,EAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAEzB,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,EAAE;gBAChD,UAAU,EAAE,EAAE,CAAC,UAAU;gBACzB,QAAQ,EAAE,EAAE,CAAC,QAAQ;gBACrB,KAAK,EAAE,iBAAiB;aAC3B,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IAED,MAAM,CAAC,YAAY,GAAG,SAAS,YAAY,CAAC,KAAK;QAC7C,KAAK,MAAM,iBAAiB,IAAI,qBAAqB,EAAE,CAAC;YACpD,MAAM,eAAe,GAAG,iBAAiB,EAAE,CAAC;YAC5C,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;gBAChC,SAAS;YACb,CAAC;YACD,IAAI,eAAe,KAAK,KAAK,EAAE,CAAC;gBAC5B,gEAAgE;gBAChE,OAAO;YACX,CAAC;QACL,CAAC;QAED,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,YAAY,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAClD,CAAC,CAAC;AACN,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAsC;IAChE,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAEtC,OAAO,GAAG,sBAAsB,GAAG,kBAAkB,EAAE,CAAC;AAC5D,CAAC;AAED,MAAM,+BAA+B,GAAG,kCAAkC,CAAC;AAE3E,SAAS,0BAA0B,CAAC,MAAwD;IACxF,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAE/C,OAAO,CACH,OAAO,OAAO,KAAK,QAAQ;QAC3B,OAAO,CAAC,UAAU,CAAC,GAAG,+BAA+B,GAAG,kBAAkB,EAAE,CAAC,CAChF,CAAC;AACN,CAAC;AAED,SAAS,eAAe,CAAC,MAAsC;IAC3D,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IACtC,OAAO,oCAAoC,kBAAkB,EAAE,CAAC;AACpE,CAAC;AAED,SAAS,gCAAgC,CAAC,MAAwD;IAC9F,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAC/C,OAAO,OAAO,KAAK,eAAe,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC;AAC/D,CAAC;AAEM,KAAK,UAAU,2BAA2B,CAAC,MAAsC;IACpF,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAEtC,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,MAAM,IAAA,mCAAY,GAAE,CAAC;IAEvD,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAEvE,IAAI,KAAK,GAAuB,SAAS,CAAC;IAE1C,MAAM,iBAAiB,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC;IAEtC,qBAAqB,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAE7C,SAAS,0BAA0B;QAC/B,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,MAAM,EAAE,OAAO,EAAE,GAAG,YAAY,CAAC;QAEjC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,iBAAiB,EAAE,SAAS,CAAC,CAAC;IAC5E,CAAC;IAED,SAAS,mDAAmD;QACxD,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,YAAY,CAAC;QAE3C,cAAc,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QAE7C,MAAM,oBAAoB,GAAG,GAAG,EAAE;YAC9B,MAAM,mBAAmB,GAAG,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;YAEtE,IAAI,mBAAmB,KAAK,IAAI,IAAI,mBAAmB,KAAK,SAAS,EAAE,CAAC;gBACpE,OAAO,IAAI,EAAE,CAAC;oBACV,KAAK,CACD;wBACI,oBAAoB;wBACpB,sCAAsC;wBACtC,oDAAoD;wBACpD,oCAAoC;qBACvC,CAAC,IAAI,CAAC,GAAG,CAAC,CACd,CAAC;gBACN,CAAC;YACL,CAAC;YACD,KAAK,EAAE,CAAC;QACZ,CAAC,CAAC;QAEF,SAAS,KAAK;YACV,KAAK,GAAG,UAAU,CAAC,oBAAoB,EAAE,CAAC,CAAC,CAAC;QAChD,CAAC;QAED,KAAK,EAAE,CAAC;IACZ,CAAC;IAED,KAAK,UAAU,mBAAmB,CAAC,MAElC;QACG,MAAM,EAAE,qBAAqB,EAAE,GAAG,MAAM,CAAC;QAEzC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,MAAM,IAAA,wCAAiB,EAAC;YAC1D,gBAAgB,EAAE,qBAAqB,CAAC,KAAK,CACzC,+BAA+B,CAAC,MAAM,GAAG,kBAAkB,CAAC,MAAM,CACrE;YACD,UAAU;SACb,CAAC,CAAC;QAEH,MAAM,YAAY,GAAiB,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAEhE,OAAO,EAAE,YAAY,EAAE,CAAC;IAC5B,CAAC;IAED,SAAS,4BAA4B;QACjC,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QACnC,MAAM,EAAE,YAAY,EAAE,GAAG,YAAY,CAAC;QACtC,cAAc,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QAC7C,YAAY,CAAC,KAAK,CAAC,CAAC;QACpB,qBAAqB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IACpD,CAAC;IAED,OAAO;QACH,gCAAgC;QAChC,mDAAmD;QACnD,0BAA0B;QAC1B,0BAA0B;QAC1B,mBAAmB;QACnB,4BAA4B;KAC/B,CAAC;AACN,CAAC;AAEM,KAAK,UAAU,iCAAiC,CAAC,MAAsC;IAC1F,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;IAEhC,MAAM,CAAC,WAAW,CAAC,eAAe,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IAEjG,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3D,IAAI,SAAwB,CAAC;IAE7B,CAAC;QACG,IAAI,iBAAiB,GAAG,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;QAEzF,OAAO,CAAC,SAAS,GAAG,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACtE,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/D,CAAC;IACL,CAAC;IAED,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3D,MAAM,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,GAAG,MAAM,IAAA,wCAAiB,EAAC;QACjF,SAAS;QACT,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC;KACxC,CAAC,CAAC;IAEH,MAAM,gBAAgB,GAAG,GAAG,+BAA+B,GAAG,YAAY,CAAC,KAAK,GAAG,8BAA8B,EAAE,CAAC;IAEpH,MAAM,CAAC,WAAW,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC1D,CAAC"}
|
|
@@ -1,32 +0,0 @@
|
|
|
1
|
-
import { type AuthResponse } from "./AuthResponse";
|
|
2
|
-
/**
|
|
3
|
-
* To call while still in the safe window where no other code
|
|
4
|
-
* has been evaluated and only before we're about to actually start the App.
|
|
5
|
-
*/
|
|
6
|
-
export declare function iframeMessageProtection_captureAndLockBuiltins(): void;
|
|
7
|
-
declare function getIsEncryptedAuthResponse(params: {
|
|
8
|
-
message: unknown;
|
|
9
|
-
stateUrlParamValue: string;
|
|
10
|
-
}): boolean;
|
|
11
|
-
declare function getIsReadyToReadPublicKeyMessage(params: {
|
|
12
|
-
message: unknown;
|
|
13
|
-
stateUrlParamValue: string;
|
|
14
|
-
}): boolean;
|
|
15
|
-
export declare function initIframeMessageProtection(params: {
|
|
16
|
-
stateUrlParamValue: string;
|
|
17
|
-
}): Promise<{
|
|
18
|
-
getIsReadyToReadPublicKeyMessage: typeof getIsReadyToReadPublicKeyMessage;
|
|
19
|
-
startSessionStoragePublicKeyMaliciousWriteDetection: () => void;
|
|
20
|
-
setSessionStoragePublicKey: () => void;
|
|
21
|
-
getIsEncryptedAuthResponse: typeof getIsEncryptedAuthResponse;
|
|
22
|
-
decodeEncryptedAuth: (params: {
|
|
23
|
-
encryptedAuthResponse: string;
|
|
24
|
-
}) => Promise<{
|
|
25
|
-
authResponse: AuthResponse;
|
|
26
|
-
}>;
|
|
27
|
-
clearSessionStoragePublicKey: () => void;
|
|
28
|
-
}>;
|
|
29
|
-
export declare function postEncryptedAuthResponseToParent(params: {
|
|
30
|
-
authResponse: AuthResponse;
|
|
31
|
-
}): Promise<void>;
|
|
32
|
-
export {};
|
|
@@ -1,149 +0,0 @@
|
|
|
1
|
-
import { assert } from "../tools/tsafe/assert";
|
|
2
|
-
import { asymmetricEncrypt, asymmetricDecrypt, generateKeys } from "../tools/asymmetricEncryption";
|
|
3
|
-
let capturedApis = undefined;
|
|
4
|
-
const SESSION_STORAGE_PREFIX = "oidc-spa_iframe_authResponse_publicKey_";
|
|
5
|
-
const getProtectedTimer_set = new Set();
|
|
6
|
-
/**
|
|
7
|
-
* To call while still in the safe window where no other code
|
|
8
|
-
* has been evaluated and only before we're about to actually start the App.
|
|
9
|
-
*/
|
|
10
|
-
export function iframeMessageProtection_captureAndLockBuiltins() {
|
|
11
|
-
capturedApis = {
|
|
12
|
-
setItem: Storage.prototype.setItem,
|
|
13
|
-
sessionStorage: window.sessionStorage,
|
|
14
|
-
setTimeout: window.setTimeout,
|
|
15
|
-
clearTimeout: window.clearTimeout,
|
|
16
|
-
alert: window.alert
|
|
17
|
-
};
|
|
18
|
-
// Ensure, at least from main window we cannot simply write on the public key.
|
|
19
|
-
{
|
|
20
|
-
const setItem_protected = function setItem(key, value) {
|
|
21
|
-
if (key.startsWith(SESSION_STORAGE_PREFIX)) {
|
|
22
|
-
throw new Error("Attack prevented by oidc-spa. You have malicious code running in your system");
|
|
23
|
-
}
|
|
24
|
-
assert(capturedApis !== undefined);
|
|
25
|
-
return capturedApis.setItem.call(this, key, value);
|
|
26
|
-
};
|
|
27
|
-
{
|
|
28
|
-
const pd = Object.getOwnPropertyDescriptor(Storage.prototype, "setItem");
|
|
29
|
-
assert(pd !== undefined);
|
|
30
|
-
Object.defineProperty(Storage.prototype, "setItem", {
|
|
31
|
-
enumerable: pd.enumerable,
|
|
32
|
-
writable: pd.writable,
|
|
33
|
-
value: setItem_protected
|
|
34
|
-
});
|
|
35
|
-
}
|
|
36
|
-
}
|
|
37
|
-
window.clearTimeout = function clearTimeout(timer) {
|
|
38
|
-
for (const getProtectedTimer of getProtectedTimer_set) {
|
|
39
|
-
const timer_protected = getProtectedTimer();
|
|
40
|
-
if (timer_protected === undefined) {
|
|
41
|
-
continue;
|
|
42
|
-
}
|
|
43
|
-
if (timer_protected === timer) {
|
|
44
|
-
// Probably an attack but potentially not so avoiding hard crash
|
|
45
|
-
return;
|
|
46
|
-
}
|
|
47
|
-
}
|
|
48
|
-
assert(capturedApis !== undefined);
|
|
49
|
-
capturedApis.clearTimeout.call(window, timer);
|
|
50
|
-
};
|
|
51
|
-
}
|
|
52
|
-
function getSessionStorageKey(params) {
|
|
53
|
-
const { stateUrlParamValue } = params;
|
|
54
|
-
return `${SESSION_STORAGE_PREFIX}${stateUrlParamValue}`;
|
|
55
|
-
}
|
|
56
|
-
const ENCRYPTED_AUTH_RESPONSES_PREFIX = "oidc-spa_encrypted_authResponse_";
|
|
57
|
-
function getIsEncryptedAuthResponse(params) {
|
|
58
|
-
const { message, stateUrlParamValue } = params;
|
|
59
|
-
return (typeof message === "string" &&
|
|
60
|
-
message.startsWith(`${ENCRYPTED_AUTH_RESPONSES_PREFIX}${stateUrlParamValue}`));
|
|
61
|
-
}
|
|
62
|
-
function getReadyMessage(params) {
|
|
63
|
-
const { stateUrlParamValue } = params;
|
|
64
|
-
return `oidc-spa_ready_to_read_publicKey_${stateUrlParamValue}`;
|
|
65
|
-
}
|
|
66
|
-
function getIsReadyToReadPublicKeyMessage(params) {
|
|
67
|
-
const { message, stateUrlParamValue } = params;
|
|
68
|
-
return message === getReadyMessage({ stateUrlParamValue });
|
|
69
|
-
}
|
|
70
|
-
export async function initIframeMessageProtection(params) {
|
|
71
|
-
const { stateUrlParamValue } = params;
|
|
72
|
-
const { publicKey, privateKey } = await generateKeys();
|
|
73
|
-
const sessionStorageKey = getSessionStorageKey({ stateUrlParamValue });
|
|
74
|
-
let timer = undefined;
|
|
75
|
-
const getProtectedTimer = () => timer;
|
|
76
|
-
getProtectedTimer_set.add(getProtectedTimer);
|
|
77
|
-
function setSessionStoragePublicKey() {
|
|
78
|
-
assert(capturedApis !== undefined);
|
|
79
|
-
const { setItem } = capturedApis;
|
|
80
|
-
setItem.call(capturedApis.sessionStorage, sessionStorageKey, publicKey);
|
|
81
|
-
}
|
|
82
|
-
function startSessionStoragePublicKeyMaliciousWriteDetection() {
|
|
83
|
-
assert(capturedApis !== undefined);
|
|
84
|
-
const { alert, setTimeout } = capturedApis;
|
|
85
|
-
sessionStorage.removeItem(sessionStorageKey);
|
|
86
|
-
const checkTimeoutCallback = () => {
|
|
87
|
-
const publicKey_inStorage = sessionStorage.getItem(sessionStorageKey);
|
|
88
|
-
if (publicKey_inStorage !== null && publicKey_inStorage !== publicKey) {
|
|
89
|
-
while (true) {
|
|
90
|
-
alert([
|
|
91
|
-
"⚠️ Security Alert:",
|
|
92
|
-
"oidc-spa detected an attack attempt.",
|
|
93
|
-
"For your safety, please close this tab immediately",
|
|
94
|
-
"and notify the site administrator."
|
|
95
|
-
].join(" "));
|
|
96
|
-
}
|
|
97
|
-
}
|
|
98
|
-
check();
|
|
99
|
-
};
|
|
100
|
-
function check() {
|
|
101
|
-
timer = setTimeout(checkTimeoutCallback, 5);
|
|
102
|
-
}
|
|
103
|
-
check();
|
|
104
|
-
}
|
|
105
|
-
async function decodeEncryptedAuth(params) {
|
|
106
|
-
const { encryptedAuthResponse } = params;
|
|
107
|
-
const { message: authResponse_str } = await asymmetricDecrypt({
|
|
108
|
-
encryptedMessage: encryptedAuthResponse.slice(ENCRYPTED_AUTH_RESPONSES_PREFIX.length + stateUrlParamValue.length),
|
|
109
|
-
privateKey
|
|
110
|
-
});
|
|
111
|
-
const authResponse = JSON.parse(authResponse_str);
|
|
112
|
-
return { authResponse };
|
|
113
|
-
}
|
|
114
|
-
function clearSessionStoragePublicKey() {
|
|
115
|
-
assert(capturedApis !== undefined);
|
|
116
|
-
const { clearTimeout } = capturedApis;
|
|
117
|
-
sessionStorage.removeItem(sessionStorageKey);
|
|
118
|
-
clearTimeout(timer);
|
|
119
|
-
getProtectedTimer_set.delete(getProtectedTimer);
|
|
120
|
-
}
|
|
121
|
-
return {
|
|
122
|
-
getIsReadyToReadPublicKeyMessage,
|
|
123
|
-
startSessionStoragePublicKeyMaliciousWriteDetection,
|
|
124
|
-
setSessionStoragePublicKey,
|
|
125
|
-
getIsEncryptedAuthResponse,
|
|
126
|
-
decodeEncryptedAuth,
|
|
127
|
-
clearSessionStoragePublicKey
|
|
128
|
-
};
|
|
129
|
-
}
|
|
130
|
-
export async function postEncryptedAuthResponseToParent(params) {
|
|
131
|
-
const { authResponse } = params;
|
|
132
|
-
parent.postMessage(getReadyMessage({ stateUrlParamValue: authResponse.state }), location.origin);
|
|
133
|
-
await new Promise(resolve => setTimeout(resolve, 2));
|
|
134
|
-
let publicKey;
|
|
135
|
-
{
|
|
136
|
-
let sessionStorageKey = getSessionStorageKey({ stateUrlParamValue: authResponse.state });
|
|
137
|
-
while ((publicKey = sessionStorage.getItem(sessionStorageKey)) === null) {
|
|
138
|
-
await new Promise(resolve => setTimeout(resolve, 2));
|
|
139
|
-
}
|
|
140
|
-
}
|
|
141
|
-
await new Promise(resolve => setTimeout(resolve, 7));
|
|
142
|
-
const { encryptedMessage: encryptedMessage_withoutPrefix } = await asymmetricEncrypt({
|
|
143
|
-
publicKey,
|
|
144
|
-
message: JSON.stringify(authResponse)
|
|
145
|
-
});
|
|
146
|
-
const encryptedMessage = `${ENCRYPTED_AUTH_RESPONSES_PREFIX}${authResponse.state}${encryptedMessage_withoutPrefix}`;
|
|
147
|
-
parent.postMessage(encryptedMessage, location.origin);
|
|
148
|
-
}
|
|
149
|
-
//# sourceMappingURL=iframeMessageProtection.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"iframeMessageProtection.js","sourceRoot":"","sources":["../../src/core/iframeMessageProtection.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAGnG,IAAI,YAAY,GAQE,SAAS,CAAC;AAE5B,MAAM,sBAAsB,GAAG,yCAAyC,CAAC;AAEzE,MAAM,qBAAqB,GAAG,IAAI,GAAG,EAA4B,CAAC;AAElE;;;GAGG;AACH,MAAM,UAAU,8CAA8C;IAC1D,YAAY,GAAG;QACX,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,OAAO;QAClC,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,KAAK,EAAE,MAAM,CAAC,KAAK;KACtB,CAAC;IAEF,8EAA8E;IAC9E,CAAC;QACG,MAAM,iBAAiB,GAAG,SAAS,OAAO,CAAY,GAAW,EAAE,KAAa;YAC5E,IAAI,GAAG,CAAC,UAAU,CAAC,sBAAsB,CAAC,EAAE,CAAC;gBACzC,MAAM,IAAI,KAAK,CACX,8EAA8E,CACjF,CAAC;YACN,CAAC;YAED,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC;YAEnC,OAAO,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QACvD,CAAC,CAAC;QAEF,CAAC;YACG,MAAM,EAAE,GAAG,MAAM,CAAC,wBAAwB,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;YAEzE,MAAM,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAEzB,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,EAAE;gBAChD,UAAU,EAAE,EAAE,CAAC,UAAU;gBACzB,QAAQ,EAAE,EAAE,CAAC,QAAQ;gBACrB,KAAK,EAAE,iBAAiB;aAC3B,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IAED,MAAM,CAAC,YAAY,GAAG,SAAS,YAAY,CAAC,KAAK;QAC7C,KAAK,MAAM,iBAAiB,IAAI,qBAAqB,EAAE,CAAC;YACpD,MAAM,eAAe,GAAG,iBAAiB,EAAE,CAAC;YAC5C,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;gBAChC,SAAS;YACb,CAAC;YACD,IAAI,eAAe,KAAK,KAAK,EAAE,CAAC;gBAC5B,gEAAgE;gBAChE,OAAO;YACX,CAAC;QACL,CAAC;QAED,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,YAAY,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAClD,CAAC,CAAC;AACN,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAsC;IAChE,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAEtC,OAAO,GAAG,sBAAsB,GAAG,kBAAkB,EAAE,CAAC;AAC5D,CAAC;AAED,MAAM,+BAA+B,GAAG,kCAAkC,CAAC;AAE3E,SAAS,0BAA0B,CAAC,MAAwD;IACxF,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAE/C,OAAO,CACH,OAAO,OAAO,KAAK,QAAQ;QAC3B,OAAO,CAAC,UAAU,CAAC,GAAG,+BAA+B,GAAG,kBAAkB,EAAE,CAAC,CAChF,CAAC;AACN,CAAC;AAED,SAAS,eAAe,CAAC,MAAsC;IAC3D,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IACtC,OAAO,oCAAoC,kBAAkB,EAAE,CAAC;AACpE,CAAC;AAED,SAAS,gCAAgC,CAAC,MAAwD;IAC9F,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAC/C,OAAO,OAAO,KAAK,eAAe,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC;AAC/D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAAC,MAAsC;IACpF,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAEtC,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;IAEvD,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAEvE,IAAI,KAAK,GAAuB,SAAS,CAAC;IAE1C,MAAM,iBAAiB,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC;IAEtC,qBAAqB,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAE7C,SAAS,0BAA0B;QAC/B,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,MAAM,EAAE,OAAO,EAAE,GAAG,YAAY,CAAC;QAEjC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,iBAAiB,EAAE,SAAS,CAAC,CAAC;IAC5E,CAAC;IAED,SAAS,mDAAmD;QACxD,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,YAAY,CAAC;QAE3C,cAAc,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QAE7C,MAAM,oBAAoB,GAAG,GAAG,EAAE;YAC9B,MAAM,mBAAmB,GAAG,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;YAEtE,IAAI,mBAAmB,KAAK,IAAI,IAAI,mBAAmB,KAAK,SAAS,EAAE,CAAC;gBACpE,OAAO,IAAI,EAAE,CAAC;oBACV,KAAK,CACD;wBACI,oBAAoB;wBACpB,sCAAsC;wBACtC,oDAAoD;wBACpD,oCAAoC;qBACvC,CAAC,IAAI,CAAC,GAAG,CAAC,CACd,CAAC;gBACN,CAAC;YACL,CAAC;YACD,KAAK,EAAE,CAAC;QACZ,CAAC,CAAC;QAEF,SAAS,KAAK;YACV,KAAK,GAAG,UAAU,CAAC,oBAAoB,EAAE,CAAC,CAAC,CAAC;QAChD,CAAC;QAED,KAAK,EAAE,CAAC;IACZ,CAAC;IAED,KAAK,UAAU,mBAAmB,CAAC,MAElC;QACG,MAAM,EAAE,qBAAqB,EAAE,GAAG,MAAM,CAAC;QAEzC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,MAAM,iBAAiB,CAAC;YAC1D,gBAAgB,EAAE,qBAAqB,CAAC,KAAK,CACzC,+BAA+B,CAAC,MAAM,GAAG,kBAAkB,CAAC,MAAM,CACrE;YACD,UAAU;SACb,CAAC,CAAC;QAEH,MAAM,YAAY,GAAiB,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAEhE,OAAO,EAAE,YAAY,EAAE,CAAC;IAC5B,CAAC;IAED,SAAS,4BAA4B;QACjC,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QACnC,MAAM,EAAE,YAAY,EAAE,GAAG,YAAY,CAAC;QACtC,cAAc,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QAC7C,YAAY,CAAC,KAAK,CAAC,CAAC;QACpB,qBAAqB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IACpD,CAAC;IAED,OAAO;QACH,gCAAgC;QAChC,mDAAmD;QACnD,0BAA0B;QAC1B,0BAA0B;QAC1B,mBAAmB;QACnB,4BAA4B;KAC/B,CAAC;AACN,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iCAAiC,CAAC,MAAsC;IAC1F,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;IAEhC,MAAM,CAAC,WAAW,CAAC,eAAe,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IAEjG,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3D,IAAI,SAAwB,CAAC;IAE7B,CAAC;QACG,IAAI,iBAAiB,GAAG,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;QAEzF,OAAO,CAAC,SAAS,GAAG,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACtE,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/D,CAAC;IACL,CAAC;IAED,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3D,MAAM,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,GAAG,MAAM,iBAAiB,CAAC;QACjF,SAAS;QACT,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC;KACxC,CAAC,CAAC;IAEH,MAAM,gBAAgB,GAAG,GAAG,+BAA+B,GAAG,YAAY,CAAC,KAAK,GAAG,8BAA8B,EAAE,CAAC;IAEpH,MAAM,CAAC,WAAW,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC1D,CAAC"}
|
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
type AsymmetricKeys = {
|
|
2
|
-
publicKey: string;
|
|
3
|
-
privateKey: string;
|
|
4
|
-
};
|
|
5
|
-
export declare function generateKeys(): Promise<AsymmetricKeys>;
|
|
6
|
-
export declare function asymmetricEncrypt(params: {
|
|
7
|
-
publicKey: string;
|
|
8
|
-
message: string;
|
|
9
|
-
}): Promise<{
|
|
10
|
-
encryptedMessage: string;
|
|
11
|
-
}>;
|
|
12
|
-
export declare function asymmetricDecrypt(params: {
|
|
13
|
-
privateKey: string;
|
|
14
|
-
encryptedMessage: string;
|
|
15
|
-
}): Promise<{
|
|
16
|
-
message: string;
|
|
17
|
-
}>;
|
|
18
|
-
export {};
|