oidc-spa 8.2.12 → 8.3.1

package/esm/core/iframeMessageProtection.js

@@ -1,149 +0,0 @@
-import { assert } from "../tools/tsafe/assert";
-import { asymmetricEncrypt, asymmetricDecrypt, generateKeys } from "../tools/asymmetricEncryption";
-let capturedApis = undefined;
-const SESSION_STORAGE_PREFIX = "oidc-spa_iframe_authResponse_publicKey_";
-const getProtectedTimer_set = new Set();
-/**
- * To call while still in the safe window where no other code
- * has been evaluated and only before we're about to actually start the App.
- */
-export function iframeMessageProtection_captureAndLockBuiltins() {
-    capturedApis = {
-        setItem: Storage.prototype.setItem,
-        sessionStorage: window.sessionStorage,
-        setTimeout: window.setTimeout,
-        clearTimeout: window.clearTimeout,
-        alert: window.alert
-    };
-    // Ensure, at least from main window we cannot simply write on the public key.
-    {
-        const setItem_protected = function setItem(key, value) {
-            if (key.startsWith(SESSION_STORAGE_PREFIX)) {
-                throw new Error("Attack prevented by oidc-spa. You have malicious code running in your system");
-            }
-            assert(capturedApis !== undefined);
-            return capturedApis.setItem.call(this, key, value);
-        };
-        {
-            const pd = Object.getOwnPropertyDescriptor(Storage.prototype, "setItem");
-            assert(pd !== undefined);
-            Object.defineProperty(Storage.prototype, "setItem", {
-                enumerable: pd.enumerable,
-                writable: pd.writable,
-                value: setItem_protected
-            });
-        }
-    }
-    window.clearTimeout = function clearTimeout(timer) {
-        for (const getProtectedTimer of getProtectedTimer_set) {
-            const timer_protected = getProtectedTimer();
-            if (timer_protected === undefined) {
-                continue;
-            }
-            if (timer_protected === timer) {
-                // Probably an attack but potentially not so avoiding hard crash
-                return;
-            }
-        }
-        assert(capturedApis !== undefined);
-        capturedApis.clearTimeout.call(window, timer);
-    };
-}
-function getSessionStorageKey(params) {
-    const { stateUrlParamValue } = params;
-    return `${SESSION_STORAGE_PREFIX}${stateUrlParamValue}`;
-}
-const ENCRYPTED_AUTH_RESPONSES_PREFIX = "oidc-spa_encrypted_authResponse_";
-function getIsEncryptedAuthResponse(params) {
-    const { message, stateUrlParamValue } = params;
-    return (typeof message === "string" &&
-        message.startsWith(`${ENCRYPTED_AUTH_RESPONSES_PREFIX}${stateUrlParamValue}`));
-}
-function getReadyMessage(params) {
-    const { stateUrlParamValue } = params;
-    return `oidc-spa_ready_to_read_publicKey_${stateUrlParamValue}`;
-}
-function getIsReadyToReadPublicKeyMessage(params) {
-    const { message, stateUrlParamValue } = params;
-    return message === getReadyMessage({ stateUrlParamValue });
-}
-export async function initIframeMessageProtection(params) {
-    const { stateUrlParamValue } = params;
-    const { publicKey, privateKey } = await generateKeys();
-    const sessionStorageKey = getSessionStorageKey({ stateUrlParamValue });
-    let timer = undefined;
-    const getProtectedTimer = () => timer;
-    getProtectedTimer_set.add(getProtectedTimer);
-    function setSessionStoragePublicKey() {
-        assert(capturedApis !== undefined);
-        const { setItem } = capturedApis;
-        setItem.call(capturedApis.sessionStorage, sessionStorageKey, publicKey);
-    }
-    function startSessionStoragePublicKeyMaliciousWriteDetection() {
-        assert(capturedApis !== undefined);
-        const { alert, setTimeout } = capturedApis;
-        sessionStorage.removeItem(sessionStorageKey);
-        const checkTimeoutCallback = () => {
-            const publicKey_inStorage = sessionStorage.getItem(sessionStorageKey);
-            if (publicKey_inStorage !== null && publicKey_inStorage !== publicKey) {
-                while (true) {
-                    alert([
-                        "⚠️ Security Alert:",
-                        "oidc-spa detected an attack attempt.",
-                        "For your safety, please close this tab immediately",
-                        "and notify the site administrator."
-                    ].join(" "));
-                }
-            }
-            check();
-        };
-        function check() {
-            timer = setTimeout(checkTimeoutCallback, 5);
-        }
-        check();
-    }
-    async function decodeEncryptedAuth(params) {
-        const { encryptedAuthResponse } = params;
-        const { message: authResponse_str } = await asymmetricDecrypt({
-            encryptedMessage: encryptedAuthResponse.slice(ENCRYPTED_AUTH_RESPONSES_PREFIX.length + stateUrlParamValue.length),
-            privateKey
-        });
-        const authResponse = JSON.parse(authResponse_str);
-        return { authResponse };
-    }
-    function clearSessionStoragePublicKey() {
-        assert(capturedApis !== undefined);
-        const { clearTimeout } = capturedApis;
-        sessionStorage.removeItem(sessionStorageKey);
-        clearTimeout(timer);
-        getProtectedTimer_set.delete(getProtectedTimer);
-    }
-    return {
-        getIsReadyToReadPublicKeyMessage,
-        startSessionStoragePublicKeyMaliciousWriteDetection,
-        setSessionStoragePublicKey,
-        getIsEncryptedAuthResponse,
-        decodeEncryptedAuth,
-        clearSessionStoragePublicKey
-    };
-}
-export async function postEncryptedAuthResponseToParent(params) {
-    const { authResponse } = params;
-    parent.postMessage(getReadyMessage({ stateUrlParamValue: authResponse.state }), location.origin);
-    await new Promise(resolve => setTimeout(resolve, 2));
-    let publicKey;
-    {
-        let sessionStorageKey = getSessionStorageKey({ stateUrlParamValue: authResponse.state });
-        while ((publicKey = sessionStorage.getItem(sessionStorageKey)) === null) {
-            await new Promise(resolve => setTimeout(resolve, 2));
-        }
-    }
-    await new Promise(resolve => setTimeout(resolve, 7));
-    const { encryptedMessage: encryptedMessage_withoutPrefix } = await asymmetricEncrypt({
-        publicKey,
-        message: JSON.stringify(authResponse)
-    });
-    const encryptedMessage = `${ENCRYPTED_AUTH_RESPONSES_PREFIX}${authResponse.state}${encryptedMessage_withoutPrefix}`;
-    parent.postMessage(encryptedMessage, location.origin);
-}
-//# sourceMappingURL=iframeMessageProtection.js.map

package/esm/core/iframeMessageProtection.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"iframeMessageProtection.js","sourceRoot":"","sources":["../../src/core/iframeMessageProtection.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAGnG,IAAI,YAAY,GAQE,SAAS,CAAC;AAE5B,MAAM,sBAAsB,GAAG,yCAAyC,CAAC;AAEzE,MAAM,qBAAqB,GAAG,IAAI,GAAG,EAA4B,CAAC;AAElE;;;GAGG;AACH,MAAM,UAAU,8CAA8C;IAC1D,YAAY,GAAG;QACX,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,OAAO;QAClC,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,KAAK,EAAE,MAAM,CAAC,KAAK;KACtB,CAAC;IAEF,8EAA8E;IAC9E,CAAC;QACG,MAAM,iBAAiB,GAAG,SAAS,OAAO,CAAY,GAAW,EAAE,KAAa;YAC5E,IAAI,GAAG,CAAC,UAAU,CAAC,sBAAsB,CAAC,EAAE,CAAC;gBACzC,MAAM,IAAI,KAAK,CACX,8EAA8E,CACjF,CAAC;YACN,CAAC;YAED,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC;YAEnC,OAAO,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QACvD,CAAC,CAAC;QAEF,CAAC;YACG,MAAM,EAAE,GAAG,MAAM,CAAC,wBAAwB,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;YAEzE,MAAM,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAEzB,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,EAAE;gBAChD,UAAU,EAAE,EAAE,CAAC,UAAU;gBACzB,QAAQ,EAAE,EAAE,CAAC,QAAQ;gBACrB,KAAK,EAAE,iBAAiB;aAC3B,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IAED,MAAM,CAAC,YAAY,GAAG,SAAS,YAAY,CAAC,KAAK;QAC7C,KAAK,MAAM,iBAAiB,IAAI,qBAAqB,EAAE,CAAC;YACpD,MAAM,eAAe,GAAG,iBAAiB,EAAE,CAAC;YAC5C,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;gBAChC,SAAS;YACb,CAAC;YACD,IAAI,eAAe,KAAK,KAAK,EAAE,CAAC;gBAC5B,gEAAgE;gBAChE,OAAO;YACX,CAAC;QACL,CAAC;QAED,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,YAAY,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAClD,CAAC,CAAC;AACN,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAsC;IAChE,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAEtC,OAAO,GAAG,sBAAsB,GAAG,kBAAkB,EAAE,CAAC;AAC5D,CAAC;AAED,MAAM,+BAA+B,GAAG,kCAAkC,CAAC;AAE3E,SAAS,0BAA0B,CAAC,MAAwD;IACxF,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAE/C,OAAO,CACH,OAAO,OAAO,KAAK,QAAQ;QAC3B,OAAO,CAAC,UAAU,CAAC,GAAG,+BAA+B,GAAG,kBAAkB,EAAE,CAAC,CAChF,CAAC;AACN,CAAC;AAED,SAAS,eAAe,CAAC,MAAsC;IAC3D,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IACtC,OAAO,oCAAoC,kBAAkB,EAAE,CAAC;AACpE,CAAC;AAED,SAAS,gCAAgC,CAAC,MAAwD;IAC9F,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAC/C,OAAO,OAAO,KAAK,eAAe,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC;AAC/D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAAC,MAAsC;IACpF,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAEtC,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;IAEvD,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAEvE,IAAI,KAAK,GAAuB,SAAS,CAAC;IAE1C,MAAM,iBAAiB,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC;IAEtC,qBAAqB,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAE7C,SAAS,0BAA0B;QAC/B,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,MAAM,EAAE,OAAO,EAAE,GAAG,YAAY,CAAC;QAEjC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,iBAAiB,EAAE,SAAS,CAAC,CAAC;IAC5E,CAAC;IAED,SAAS,mDAAmD;QACxD,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,YAAY,CAAC;QAE3C,cAAc,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QAE7C,MAAM,oBAAoB,GAAG,GAAG,EAAE;YAC9B,MAAM,mBAAmB,GAAG,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;YAEtE,IAAI,mBAAmB,KAAK,IAAI,IAAI,mBAAmB,KAAK,SAAS,EAAE,CAAC;gBACpE,OAAO,IAAI,EAAE,CAAC;oBACV,KAAK,CACD;wBACI,oBAAoB;wBACpB,sCAAsC;wBACtC,oDAAoD;wBACpD,oCAAoC;qBACvC,CAAC,IAAI,CAAC,GAAG,CAAC,CACd,CAAC;gBACN,CAAC;YACL,CAAC;YACD,KAAK,EAAE,CAAC;QACZ,CAAC,CAAC;QAEF,SAAS,KAAK;YACV,KAAK,GAAG,UAAU,CAAC,oBAAoB,EAAE,CAAC,CAAC,CAAC;QAChD,CAAC;QAED,KAAK,EAAE,CAAC;IACZ,CAAC;IAED,KAAK,UAAU,mBAAmB,CAAC,MAElC;QACG,MAAM,EAAE,qBAAqB,EAAE,GAAG,MAAM,CAAC;QAEzC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,MAAM,iBAAiB,CAAC;YAC1D,gBAAgB,EAAE,qBAAqB,CAAC,KAAK,CACzC,+BAA+B,CAAC,MAAM,GAAG,kBAAkB,CAAC,MAAM,CACrE;YACD,UAAU;SACb,CAAC,CAAC;QAEH,MAAM,YAAY,GAAiB,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAEhE,OAAO,EAAE,YAAY,EAAE,CAAC;IAC5B,CAAC;IAED,SAAS,4BAA4B;QACjC,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QACnC,MAAM,EAAE,YAAY,EAAE,GAAG,YAAY,CAAC;QACtC,cAAc,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QAC7C,YAAY,CAAC,KAAK,CAAC,CAAC;QACpB,qBAAqB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IACpD,CAAC;IAED,OAAO;QACH,gCAAgC;QAChC,mDAAmD;QACnD,0BAA0B;QAC1B,0BAA0B;QAC1B,mBAAmB;QACnB,4BAA4B;KAC/B,CAAC;AACN,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iCAAiC,CAAC,MAAsC;IAC1F,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;IAEhC,MAAM,CAAC,WAAW,CAAC,eAAe,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IAEjG,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3D,IAAI,SAAwB,CAAC;IAE7B,CAAC;QACG,IAAI,iBAAiB,GAAG,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;QAEzF,OAAO,CAAC,SAAS,GAAG,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACtE,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/D,CAAC;IACL,CAAC;IAED,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3D,MAAM,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,GAAG,MAAM,iBAAiB,CAAC;QACjF,SAAS;QACT,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC;KACxC,CAAC,CAAC;IAEH,MAAM,gBAAgB,GAAG,GAAG,+BAA+B,GAAG,YAAY,CAAC,KAAK,GAAG,8BAA8B,EAAE,CAAC;IAEpH,MAAM,CAAC,WAAW,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC1D,CAAC"}

package/esm/tools/asymmetricEncryption.d.ts

@@ -1,18 +0,0 @@
-type AsymmetricKeys = {
-    publicKey: string;
-    privateKey: string;
-};
-export declare function generateKeys(): Promise<AsymmetricKeys>;
-export declare function asymmetricEncrypt(params: {
-    publicKey: string;
-    message: string;
-}): Promise<{
-    encryptedMessage: string;
-}>;
-export declare function asymmetricDecrypt(params: {
-    privateKey: string;
-    encryptedMessage: string;
-}): Promise<{
-    message: string;
-}>;
-export {};

package/esm/tools/asymmetricEncryption.js

@@ -1,85 +0,0 @@
-const INFO_LABEL = "oidc-spa/tools/asymmetricEncryption";
-export async function generateKeys() {
-    const keyPair = await crypto.subtle.generateKey({
-        name: "ECDH",
-        namedCurve: "P-256"
-    }, true, ["deriveKey", "deriveBits"]);
-    const publicKeyRaw = await crypto.subtle.exportKey("jwk", keyPair.publicKey);
-    const privateKeyRaw = await crypto.subtle.exportKey("jwk", keyPair.privateKey);
-    return {
-        publicKey: btoa(JSON.stringify(publicKeyRaw)),
-        privateKey: btoa(JSON.stringify(privateKeyRaw))
-    };
-}
-export async function asymmetricEncrypt(params) {
-    const { publicKey, message } = params;
-    const importedPublicKey = await crypto.subtle.importKey("jwk", JSON.parse(atob(publicKey)), {
-        name: "ECDH",
-        namedCurve: "P-256"
-    }, false, []);
-    const ephemeralKeyPair = await crypto.subtle.generateKey({
-        name: "ECDH",
-        namedCurve: "P-256"
-    }, true, ["deriveKey", "deriveBits"]);
-    const sharedSecret = await crypto.subtle.deriveBits({
-        name: "ECDH",
-        public: importedPublicKey
-    }, ephemeralKeyPair.privateKey, 256);
-    const salt = crypto.getRandomValues(new Uint8Array(16));
-    const infoBytes = new TextEncoder().encode(INFO_LABEL);
-    const hkdfKey = await crypto.subtle.importKey("raw", sharedSecret, "HKDF", false, ["deriveKey"]);
-    const derivedKey = await crypto.subtle.deriveKey({
-        name: "HKDF",
-        hash: "SHA-256",
-        salt,
-        info: infoBytes
-    }, hkdfKey, { name: "AES-GCM", length: 256 }, false, ["encrypt"]);
-    const iv = crypto.getRandomValues(new Uint8Array(12));
-    const encodedMessage = new TextEncoder().encode(message);
-    const ciphertext = await crypto.subtle.encrypt({
-        name: "AES-GCM",
-        iv
-    }, derivedKey, encodedMessage);
-    const ephemeralPubKeyRaw = await crypto.subtle.exportKey("jwk", ephemeralKeyPair.publicKey);
-    const payload = {
-        ephemeralPubKey: ephemeralPubKeyRaw,
-        iv: Array.from(iv),
-        salt: Array.from(salt),
-        ciphertext: Array.from(new Uint8Array(ciphertext))
-    };
-    return {
-        encryptedMessage: btoa(JSON.stringify(payload))
-    };
-}
-export async function asymmetricDecrypt(params) {
-    const { privateKey, encryptedMessage } = params;
-    const { ephemeralPubKey, iv, salt, ciphertext } = JSON.parse(atob(encryptedMessage));
-    const importedPrivateKey = await crypto.subtle.importKey("jwk", JSON.parse(atob(privateKey)), {
-        name: "ECDH",
-        namedCurve: "P-256"
-    }, false, ["deriveKey", "deriveBits"]);
-    const importedEphemeralPubKey = await crypto.subtle.importKey("jwk", ephemeralPubKey, {
-        name: "ECDH",
-        namedCurve: "P-256"
-    }, false, []);
-    const sharedSecret = await crypto.subtle.deriveBits({
-        name: "ECDH",
-        public: importedEphemeralPubKey
-    }, importedPrivateKey, 256);
-    const infoBytes = new TextEncoder().encode(INFO_LABEL);
-    const hkdfKey = await crypto.subtle.importKey("raw", sharedSecret, "HKDF", false, ["deriveKey"]);
-    const derivedKey = await crypto.subtle.deriveKey({
-        name: "HKDF",
-        hash: "SHA-256",
-        salt: new Uint8Array(salt),
-        info: infoBytes
-    }, hkdfKey, { name: "AES-GCM", length: 256 }, false, ["decrypt"]);
-    const decryptedBuffer = await crypto.subtle.decrypt({
-        name: "AES-GCM",
-        iv: new Uint8Array(iv)
-    }, derivedKey, new Uint8Array(ciphertext));
-    return {
-        message: new TextDecoder().decode(decryptedBuffer)
-    };
-}
-//# sourceMappingURL=asymmetricEncryption.js.map

package/esm/tools/asymmetricEncryption.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"asymmetricEncryption.js","sourceRoot":"","sources":["../../src/tools/asymmetricEncryption.ts"],"names":[],"mappings":"AAKA,MAAM,UAAU,GAAG,qCAAqC,CAAC;AAEzD,MAAM,CAAC,KAAK,UAAU,YAAY;IAC9B,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,CAC3C;QACI,IAAI,EAAE,MAAM;QACZ,UAAU,EAAE,OAAO;KACtB,EACD,IAAI,EACJ,CAAC,WAAW,EAAE,YAAY,CAAC,CAC9B,CAAC;IAEF,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IAC7E,MAAM,aAAa,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IAE/E,OAAO;QACH,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QAC7C,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;KAClD,CAAC;AACN,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAGvC;IACG,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC;IAEtC,MAAM,iBAAiB,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACnD,KAAK,EACL,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAC3B;QACI,IAAI,EAAE,MAAM;QACZ,UAAU,EAAE,OAAO;KACtB,EACD,KAAK,EACL,EAAE,CACL,CAAC;IAEF,MAAM,gBAAgB,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,CACpD;QACI,IAAI,EAAE,MAAM;QACZ,UAAU,EAAE,OAAO;KACtB,EACD,IAAI,EACJ,CAAC,WAAW,EAAE,YAAY,CAAC,CAC9B,CAAC;IAEF,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CAC/C;QACI,IAAI,EAAE,MAAM;QACZ,MAAM,EAAE,iBAAiB;KAC5B,EACD,gBAAgB,CAAC,UAAU,EAC3B,GAAG,CACN,CAAC;IAEF,MAAM,IAAI,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IACxD,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAEvD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC;IAEjG,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5C;QACI,IAAI,EAAE,MAAM;QACZ,IAAI,EAAE,SAAS;QACf,IAAI;QACJ,IAAI,EAAE,SAAS;KAClB,EACD,OAAO,EACP,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,CAAC,CACd,CAAC;IAEF,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IACtD,MAAM,cAAc,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAEzD,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC1C;QACI,IAAI,EAAE,SAAS;QACf,EAAE;KACL,EACD,UAAU,EACV,cAAc,CACjB,CAAC;IAEF,MAAM,kBAAkB,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,gBAAgB,CAAC,SAAS,CAAC,CAAC;IAE5F,MAAM,OAAO,GAAG;QACZ,eAAe,EAAE,kBAAkB;QACnC,EAAE,EAAE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QAClB,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC;QACtB,UAAU,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;KACrD,CAAC;IAEF,OAAO;QACH,gBAAgB,EAAE,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;KAClD,CAAC;AACN,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAGvC;IACG,MAAM,EAAE,UAAU,EAAE,gBAAgB,EAAE,GAAG,MAAM,CAAC;IAEhD,MAAM,EACF,eAAe,EACf,EAAE,EACF,IAAI,EACJ,UAAU,EACb,GAKG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAEvC,MAAM,kBAAkB,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACpD,KAAK,EACL,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,EAC5B;QACI,IAAI,EAAE,MAAM;QACZ,UAAU,EAAE,OAAO;KACtB,EACD,KAAK,EACL,CAAC,WAAW,EAAE,YAAY,CAAC,CAC9B,CAAC;IAEF,MAAM,uBAAuB,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACzD,KAAK,EACL,eAAe,EACf;QACI,IAAI,EAAE,MAAM;QACZ,UAAU,EAAE,OAAO;KACtB,EACD,KAAK,EACL,EAAE,CACL,CAAC;IAEF,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CAC/C;QACI,IAAI,EAAE,MAAM;QACZ,MAAM,EAAE,uBAAuB;KAClC,EACD,kBAAkB,EAClB,GAAG,CACN,CAAC;IAEF,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAEvD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC;IAEjG,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5C;QACI,IAAI,EAAE,MAAM;QACZ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE,IAAI,UAAU,CAAC,IAAI,CAAC;QAC1B,IAAI,EAAE,SAAS;KAClB,EACD,OAAO,EACP,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,CAAC,CACd,CAAC;IAEF,MAAM,eAAe,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC/C;QACI,IAAI,EAAE,SAAS;QACf,EAAE,EAAE,IAAI,UAAU,CAAC,EAAE,CAAC;KACzB,EACD,UAAU,EACV,IAAI,UAAU,CAAC,UAAU,CAAC,CAC7B,CAAC;IAEF,OAAO;QACH,OAAO,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC;KACrD,CAAC;AACN,CAAC"}

package/src/core/iframeMessageProtection.ts

@@ -1,219 +0,0 @@
-import { assert } from "../tools/tsafe/assert";
-import { asymmetricEncrypt, asymmetricDecrypt, generateKeys } from "../tools/asymmetricEncryption";
-import { type AuthResponse } from "./AuthResponse";
-
-let capturedApis:
-    | {
-          setItem: typeof localStorage.setItem;
-          sessionStorage: typeof window.sessionStorage;
-          setTimeout: typeof window.setTimeout;
-          clearTimeout: typeof window.clearTimeout;
-          alert: typeof window.alert;
-      }
-    | undefined = undefined;
-
-const SESSION_STORAGE_PREFIX = "oidc-spa_iframe_authResponse_publicKey_";
-
-const getProtectedTimer_set = new Set<() => number | undefined>();
-
-/**
- * To call while still in the safe window where no other code
- * has been evaluated and only before we're about to actually start the App.
- */
-export function iframeMessageProtection_captureAndLockBuiltins() {
-    capturedApis = {
-        setItem: Storage.prototype.setItem,
-        sessionStorage: window.sessionStorage,
-        setTimeout: window.setTimeout,
-        clearTimeout: window.clearTimeout,
-        alert: window.alert
-    };
-
-    // Ensure, at least from main window we cannot simply write on the public key.
-    {
-        const setItem_protected = function setItem(this: any, key: string, value: string): void {
-            if (key.startsWith(SESSION_STORAGE_PREFIX)) {
-                throw new Error(
-                    "Attack prevented by oidc-spa. You have malicious code running in your system"
-                );
-            }
-
-            assert(capturedApis !== undefined);
-
-            return capturedApis.setItem.call(this, key, value);
-        };
-
-        {
-            const pd = Object.getOwnPropertyDescriptor(Storage.prototype, "setItem");
-
-            assert(pd !== undefined);
-
-            Object.defineProperty(Storage.prototype, "setItem", {
-                enumerable: pd.enumerable,
-                writable: pd.writable,
-                value: setItem_protected
-            });
-        }
-    }
-
-    window.clearTimeout = function clearTimeout(timer) {
-        for (const getProtectedTimer of getProtectedTimer_set) {
-            const timer_protected = getProtectedTimer();
-            if (timer_protected === undefined) {
-                continue;
-            }
-            if (timer_protected === timer) {
-                // Probably an attack but potentially not so avoiding hard crash
-                return;
-            }
-        }
-
-        assert(capturedApis !== undefined);
-
-        capturedApis.clearTimeout.call(window, timer);
-    };
-}
-
-function getSessionStorageKey(params: { stateUrlParamValue: string }) {
-    const { stateUrlParamValue } = params;
-
-    return `${SESSION_STORAGE_PREFIX}${stateUrlParamValue}`;
-}
-
-const ENCRYPTED_AUTH_RESPONSES_PREFIX = "oidc-spa_encrypted_authResponse_";
-
-function getIsEncryptedAuthResponse(params: { message: unknown; stateUrlParamValue: string }): boolean {
-    const { message, stateUrlParamValue } = params;
-
-    return (
-        typeof message === "string" &&
-        message.startsWith(`${ENCRYPTED_AUTH_RESPONSES_PREFIX}${stateUrlParamValue}`)
-    );
-}
-
-function getReadyMessage(params: { stateUrlParamValue: string }) {
-    const { stateUrlParamValue } = params;
-    return `oidc-spa_ready_to_read_publicKey_${stateUrlParamValue}`;
-}
-
-function getIsReadyToReadPublicKeyMessage(params: { message: unknown; stateUrlParamValue: string }) {
-    const { message, stateUrlParamValue } = params;
-    return message === getReadyMessage({ stateUrlParamValue });
-}
-
-export async function initIframeMessageProtection(params: { stateUrlParamValue: string }) {
-    const { stateUrlParamValue } = params;
-
-    const { publicKey, privateKey } = await generateKeys();
-
-    const sessionStorageKey = getSessionStorageKey({ stateUrlParamValue });
-
-    let timer: number | undefined = undefined;
-
-    const getProtectedTimer = () => timer;
-
-    getProtectedTimer_set.add(getProtectedTimer);
-
-    function setSessionStoragePublicKey() {
-        assert(capturedApis !== undefined);
-
-        const { setItem } = capturedApis;
-
-        setItem.call(capturedApis.sessionStorage, sessionStorageKey, publicKey);
-    }
-
-    function startSessionStoragePublicKeyMaliciousWriteDetection() {
-        assert(capturedApis !== undefined);
-
-        const { alert, setTimeout } = capturedApis;
-
-        sessionStorage.removeItem(sessionStorageKey);
-
-        const checkTimeoutCallback = () => {
-            const publicKey_inStorage = sessionStorage.getItem(sessionStorageKey);
-
-            if (publicKey_inStorage !== null && publicKey_inStorage !== publicKey) {
-                while (true) {
-                    alert(
-                        [
-                            "⚠️ Security Alert:",
-                            "oidc-spa detected an attack attempt.",
-                            "For your safety, please close this tab immediately",
-                            "and notify the site administrator."
-                        ].join(" ")
-                    );
-                }
-            }
-            check();
-        };
-
-        function check() {
-            timer = setTimeout(checkTimeoutCallback, 5);
-        }
-
-        check();
-    }
-
-    async function decodeEncryptedAuth(params: {
-        encryptedAuthResponse: string;
-    }): Promise<{ authResponse: AuthResponse }> {
-        const { encryptedAuthResponse } = params;
-
-        const { message: authResponse_str } = await asymmetricDecrypt({
-            encryptedMessage: encryptedAuthResponse.slice(
-                ENCRYPTED_AUTH_RESPONSES_PREFIX.length + stateUrlParamValue.length
-            ),
-            privateKey
-        });
-
-        const authResponse: AuthResponse = JSON.parse(authResponse_str);
-
-        return { authResponse };
-    }
-
-    function clearSessionStoragePublicKey() {
-        assert(capturedApis !== undefined);
-        const { clearTimeout } = capturedApis;
-        sessionStorage.removeItem(sessionStorageKey);
-        clearTimeout(timer);
-        getProtectedTimer_set.delete(getProtectedTimer);
-    }
-
-    return {
-        getIsReadyToReadPublicKeyMessage,
-        startSessionStoragePublicKeyMaliciousWriteDetection,
-        setSessionStoragePublicKey,
-        getIsEncryptedAuthResponse,
-        decodeEncryptedAuth,
-        clearSessionStoragePublicKey
-    };
-}
-
-export async function postEncryptedAuthResponseToParent(params: { authResponse: AuthResponse }) {
-    const { authResponse } = params;
-
-    parent.postMessage(getReadyMessage({ stateUrlParamValue: authResponse.state }), location.origin);
-
-    await new Promise<void>(resolve => setTimeout(resolve, 2));
-
-    let publicKey: string | null;
-
-    {
-        let sessionStorageKey = getSessionStorageKey({ stateUrlParamValue: authResponse.state });
-
-        while ((publicKey = sessionStorage.getItem(sessionStorageKey)) === null) {
-            await new Promise<void>(resolve => setTimeout(resolve, 2));
-        }
-    }
-
-    await new Promise<void>(resolve => setTimeout(resolve, 7));
-
-    const { encryptedMessage: encryptedMessage_withoutPrefix } = await asymmetricEncrypt({
-        publicKey,
-        message: JSON.stringify(authResponse)
-    });
-
-    const encryptedMessage = `${ENCRYPTED_AUTH_RESPONSES_PREFIX}${authResponse.state}${encryptedMessage_withoutPrefix}`;
-
-    parent.postMessage(encryptedMessage, location.origin);
-}

package/src/tools/asymmetricEncryption.ts

@@ -1,184 +0,0 @@
-type AsymmetricKeys = {
-    publicKey: string; // base64-encoded JSON export of CryptoKey
-    privateKey: string; // base64-encoded JSON export of CryptoKey
-};
-
-const INFO_LABEL = "oidc-spa/tools/asymmetricEncryption";
-
-export async function generateKeys(): Promise<AsymmetricKeys> {
-    const keyPair = await crypto.subtle.generateKey(
-        {
-            name: "ECDH",
-            namedCurve: "P-256"
-        },
-        true,
-        ["deriveKey", "deriveBits"]
-    );
-
-    const publicKeyRaw = await crypto.subtle.exportKey("jwk", keyPair.publicKey);
-    const privateKeyRaw = await crypto.subtle.exportKey("jwk", keyPair.privateKey);
-
-    return {
-        publicKey: btoa(JSON.stringify(publicKeyRaw)),
-        privateKey: btoa(JSON.stringify(privateKeyRaw))
-    };
-}
-
-export async function asymmetricEncrypt(params: {
-    publicKey: string;
-    message: string;
-}): Promise<{ encryptedMessage: string }> {
-    const { publicKey, message } = params;
-
-    const importedPublicKey = await crypto.subtle.importKey(
-        "jwk",
-        JSON.parse(atob(publicKey)),
-        {
-            name: "ECDH",
-            namedCurve: "P-256"
-        },
-        false,
-        []
-    );
-
-    const ephemeralKeyPair = await crypto.subtle.generateKey(
-        {
-            name: "ECDH",
-            namedCurve: "P-256"
-        },
-        true,
-        ["deriveKey", "deriveBits"]
-    );
-
-    const sharedSecret = await crypto.subtle.deriveBits(
-        {
-            name: "ECDH",
-            public: importedPublicKey
-        },
-        ephemeralKeyPair.privateKey,
-        256
-    );
-
-    const salt = crypto.getRandomValues(new Uint8Array(16));
-    const infoBytes = new TextEncoder().encode(INFO_LABEL);
-
-    const hkdfKey = await crypto.subtle.importKey("raw", sharedSecret, "HKDF", false, ["deriveKey"]);
-
-    const derivedKey = await crypto.subtle.deriveKey(
-        {
-            name: "HKDF",
-            hash: "SHA-256",
-            salt,
-            info: infoBytes
-        },
-        hkdfKey,
-        { name: "AES-GCM", length: 256 },
-        false,
-        ["encrypt"]
-    );
-
-    const iv = crypto.getRandomValues(new Uint8Array(12));
-    const encodedMessage = new TextEncoder().encode(message);
-
-    const ciphertext = await crypto.subtle.encrypt(
-        {
-            name: "AES-GCM",
-            iv
-        },
-        derivedKey,
-        encodedMessage
-    );
-
-    const ephemeralPubKeyRaw = await crypto.subtle.exportKey("jwk", ephemeralKeyPair.publicKey);
-
-    const payload = {
-        ephemeralPubKey: ephemeralPubKeyRaw,
-        iv: Array.from(iv),
-        salt: Array.from(salt),
-        ciphertext: Array.from(new Uint8Array(ciphertext))
-    };
-
-    return {
-        encryptedMessage: btoa(JSON.stringify(payload))
-    };
-}
-
-export async function asymmetricDecrypt(params: {
-    privateKey: string;
-    encryptedMessage: string;
-}): Promise<{ message: string }> {
-    const { privateKey, encryptedMessage } = params;
-
-    const {
-        ephemeralPubKey,
-        iv,
-        salt,
-        ciphertext
-    }: {
-        ephemeralPubKey: JsonWebKey;
-        iv: number[];
-        salt: number[];
-        ciphertext: number[];
-    } = JSON.parse(atob(encryptedMessage));
-
-    const importedPrivateKey = await crypto.subtle.importKey(
-        "jwk",
-        JSON.parse(atob(privateKey)),
-        {
-            name: "ECDH",
-            namedCurve: "P-256"
-        },
-        false,
-        ["deriveKey", "deriveBits"]
-    );
-
-    const importedEphemeralPubKey = await crypto.subtle.importKey(
-        "jwk",
-        ephemeralPubKey,
-        {
-            name: "ECDH",
-            namedCurve: "P-256"
-        },
-        false,
-        []
-    );
-
-    const sharedSecret = await crypto.subtle.deriveBits(
-        {
-            name: "ECDH",
-            public: importedEphemeralPubKey
-        },
-        importedPrivateKey,
-        256
-    );
-
-    const infoBytes = new TextEncoder().encode(INFO_LABEL);
-
-    const hkdfKey = await crypto.subtle.importKey("raw", sharedSecret, "HKDF", false, ["deriveKey"]);
-
-    const derivedKey = await crypto.subtle.deriveKey(
-        {
-            name: "HKDF",
-            hash: "SHA-256",
-            salt: new Uint8Array(salt),
-            info: infoBytes
-        },
-        hkdfKey,
-        { name: "AES-GCM", length: 256 },
-        false,
-        ["decrypt"]
-    );
-
-    const decryptedBuffer = await crypto.subtle.decrypt(
-        {
-            name: "AES-GCM",
-            iv: new Uint8Array(iv)
-        },
-        derivedKey,
-        new Uint8Array(ciphertext)
-    );
-
-    return {
-        message: new TextDecoder().decode(decryptedBuffer)
-    };
-}