oidc-spa 8.3.6 → 8.3.8

package/src/core/createOidc.ts

@@ -53,6 +53,11 @@ import {
 import { getDesiredPostLoginRedirectUrl } from "./desiredPostLoginRedirectUrl";
 import { getHomeAndRedirectUri } from "./homeAndRedirectUri";
 import { ensureNonBlankPaint } from "../tools/ensureNonBlankPaint";
+import {
+    setStateDataCookieIfEnabled,
+    clearStateDataCookie,
+    getIsStateDataCookieEnabled
+} from "./StateDataCookie";
 
 // NOTE: Replaced at build time
 const VERSION = "{{OIDC_SPA_VERSION}}";
@@ -373,10 +378,11 @@ export async function createOidc_nonMemoized<
         __unsafe_clientSecret,
         __unsafe_useIdTokenAsAccessToken = false,
         __metadata,
-        scopes = ["openid", "profile"],
         sessionRestorationMethod = params.autoLogin === true ? "full page redirect" : "auto"
     } = params;
 
+    const scopes = Array.from(new Set(["openid", ...(params.scopes ?? ["profile"])]));
+
     const BASE_URL_params = params.BASE_URL ?? params.homeUrl;
 
     const { issuerUri, clientId, configId, log } = preProcessedParams;
@@ -607,9 +613,10 @@ export async function createOidc_nonMemoized<
                   redirect_uri: homeUrlAndRedirectUri,
                   silent_redirect_uri: homeUrlAndRedirectUri,
                   post_logout_redirect_uri: homeUrlAndRedirectUri,
-                  response_mode: isKeycloak({ issuerUri }) ? "fragment" : "query",
+                  response_mode:
+                      isKeycloak({ issuerUri }) && !getIsStateDataCookieEnabled() ? "fragment" : "query",
                   response_type: "code",
-                  scope: Array.from(new Set(["openid", ...scopes])).join(" "),
+                  scope: scopes.join(" "),
                   automaticSilentRenew: false,
                   userStore: new WebStorageStateStore({
                       store: (() => {
@@ -647,6 +654,7 @@ export async function createOidc_nonMemoized<
         getExtraQueryParams,
         getExtraTokenParams,
         homeUrl: homeUrlAndRedirectUri,
+        stateUrlParamValue_instance,
         evtInitializationOutcomeUserNotLoggedIn,
         log
     });
@@ -741,6 +749,8 @@ export async function createOidc_nonMemoized<
                 break handle_redirect_auth_response;
             }
 
+            // TODO: Delete cookie if exist
+
             const { stateData, authResponse } = stateDataAndAuthResponse;
 
             switch (stateData.action) {
@@ -763,6 +773,8 @@ export async function createOidc_nonMemoized<
 
                         const authResponseUrl = authResponseToUrl(authResponse);
 
+                        clearStateDataCookie({ stateUrlParamValue: authResponse.state });
+
                         let oidcClientTsUser: OidcClientTsUser | undefined = undefined;
 
                         try {
@@ -786,7 +798,10 @@ export async function createOidc_nonMemoized<
 
                                 if (authResponse_error !== undefined) {
                                     log?.(
-                                        `The auth server responded with: ${authResponse_error}, trying to restore from the http only cookie`
+                                        [
+                                            `The auth server responded with: ${authResponse_error},`,
+                                            `trying to restore session as if we didn't had a auth response.`
+                                        ].join(" ")
                                     );
                                     break handle_redirect_auth_response;
                                 }
@@ -943,6 +958,8 @@ export async function createOidc_nonMemoized<
                     )}`
                 );
 
+                clearStateDataCookie({ stateUrlParamValue: authResponse.state });
+
                 authResponse_error = authResponse.error;
 
                 try {
@@ -1006,9 +1023,7 @@ export async function createOidc_nonMemoized<
 
                             return getDesiredPostLoginRedirectUrl() ?? window.location.href;
                         })(),
-                        // NOTE: Wether or not it's the preferred behavior, pushing to history
-                        // only works on user interaction so it have to be false
-                        doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: false,
+                        doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: true,
                         extraQueryParams_local: undefined,
                         transformUrlBeforeRedirect_local: undefined,
                         interaction: (() => {
@@ -1364,6 +1379,15 @@ export async function createOidc_nonMemoized<
                 location.reload();
             });
 
+            setStateDataCookieIfEnabled({
+                homeUrl: homeUrlAndRedirectUri,
+                stateUrlParamValue_instance,
+                stateDataCookie: {
+                    action: "logout",
+                    rootRelativeRedirectUrl: rootRelativePostLogoutRedirectUrl
+                }
+            });
+
             try {
                 await oidcClientTsUserManager.signoutRedirect({
                     state: id<StateData.Redirect>({
@@ -1401,7 +1425,7 @@ export async function createOidc_nonMemoized<
                         doForceReloadOnBfCache: true,
                         extraQueryParams_local: undefined,
                         transformUrlBeforeRedirect_local: undefined,
-                        doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: false,
+                        doNavigateBackToLastPublicUrlIfTheTheUserNavigateBack: true,
                         interaction: "directly redirect if active session show login otherwise",
                         preRedirectHook: undefined
                     });
@@ -1465,6 +1489,8 @@ export async function createOidc_nonMemoized<
 
                             log?.("Tokens refresh using iframe", authResponse);
 
+                            clearStateDataCookie({ stateUrlParamValue: authResponse.state });
+
                             const authResponse_error = authResponse.error;
 
                             let oidcClientTsUser_scope: OidcClientTsUser | undefined = undefined;

package/src/core/earlyInit.ts

@@ -1,7 +1,6 @@
 import { getStateData, getIsStatQueryParamValue } from "./StateData";
 import { assert, type Equals } from "../tools/tsafe/assert";
 import type { AuthResponse } from "./AuthResponse";
-import { setOidcRequiredPostHydrationReplaceNavigationUrl } from "./requiredPostHydrationReplaceNavigationUrl";
 import { setBASE_URL } from "./BASE_URL";
 import { resolvePrShouldLoadApp } from "./prShouldLoadApp";
 import { isBrowser } from "../tools/isBrowser";
@@ -17,7 +16,6 @@ export function oidcEarlyInit(params: {
     freezeWebSocket?: boolean;
     freezePromise?: boolean;
     safeMode?: boolean;
-    isPostLoginRedirectManual?: boolean;
     BASE_URL?: string;
 }) {
     if (hasEarlyInitBeenCalled) {
@@ -36,11 +34,10 @@ export function oidcEarlyInit(params: {
         freezeWebSocket,
         freezePromise,
         safeMode = false,
-        isPostLoginRedirectManual = false,
         BASE_URL
     } = params;
 
-    const { shouldLoadApp } = handleOidcCallback({ isPostLoginRedirectManual });
+    const { shouldLoadApp } = handleOidcCallback();
 
     if (shouldLoadApp) {
         const createWriteError = (target: string) =>
@@ -285,11 +282,9 @@ export function getRootRelativeOriginalLocationHref() {
     return rootRelativeOriginalLocationHref;
 }
 
-function handleOidcCallback(params: { isPostLoginRedirectManual?: boolean }): {
+function handleOidcCallback(): {
     shouldLoadApp: boolean;
 } {
-    const { isPostLoginRedirectManual } = params;
-
     const location_urlObj = new URL(window.location.href);
 
     const locationHrefAssessment = (() => {
@@ -390,7 +385,6 @@ function handleOidcCallback(params: { isPostLoginRedirectManual?: boolean }): {
             return { shouldLoadApp: false };
         case "redirect": {
             redirectAuthResponse = authResponse;
-
             const rootRelativeRedirectUrl = (() => {
                 if (stateData.action === "login" && authResponse.error === "consent_required") {
                     return stateData.rootRelativeRedirectUrl_consentRequiredCase;
@@ -398,13 +392,7 @@ function handleOidcCallback(params: { isPostLoginRedirectManual?: boolean }): {
                 return stateData.rootRelativeRedirectUrl;
             })();
 
-            if (isPostLoginRedirectManual) {
-                setOidcRequiredPostHydrationReplaceNavigationUrl({ rootRelativeRedirectUrl });
-                history.replaceState({}, "", rootRelativeOriginalLocationHref);
-            } else {
-                history.replaceState({}, "", rootRelativeRedirectUrl);
-            }
-
+            history.replaceState({}, "", rootRelativeRedirectUrl);
             return { shouldLoadApp: true };
         }
         default:

package/src/core/loginOrGoToAuthServer.ts

@@ -8,6 +8,7 @@ import { createStatefulEvt } from "../tools/StatefulEvt";
 import { Deferred } from "../tools/Deferred";
 import { addOrUpdateSearchParam, getAllSearchParams } from "../tools/urlSearchParams";
 import { getIsOnline } from "../tools/getIsOnline";
+import { setStateDataCookieIfEnabled } from "./StateDataCookie";
 
 const globalContext = {
     evtHasLoginBeenCalled: createStatefulEvt(() => false)
@@ -65,7 +66,9 @@ export function createLoginOrGoToAuthServer(params: {
     getExtraTokenParams: (() => Record<string, string | undefined>) | undefined;
 
     homeUrl: string;
+    stateUrlParamValue_instance: string;
     evtInitializationOutcomeUserNotLoggedIn: NonPostableEvt<void>;
+
     log: typeof console.log | undefined;
 }) {
     const {
@@ -78,6 +81,7 @@ export function createLoginOrGoToAuthServer(params: {
         getExtraTokenParams,
 
         homeUrl,
+        stateUrlParamValue_instance,
         evtInitializationOutcomeUserNotLoggedIn,
 
         log
@@ -204,20 +208,32 @@ export function createLoginOrGoToAuthServer(params: {
 
         log?.(`redirectUrl: ${rootRelativeRedirectUrl}`);
 
-        const stateData: StateData = {
+        const rootRelativeRedirectUrl_consentRequiredCase = (() => {
+            switch (rest.action) {
+                case "login":
+                    return (lastPublicUrl ?? homeUrl).slice(window.location.origin.length);
+                case "go to auth server":
+                    return rootRelativeRedirectUrl;
+            }
+        })();
+
+        setStateDataCookieIfEnabled({
+            homeUrl,
+            stateUrlParamValue_instance,
+            stateDataCookie: {
+                action: "login",
+                rootRelativeRedirectUrl,
+                rootRelativeRedirectUrl_consentRequiredCase
+            }
+        });
+
+        const stateData: StateData.Redirect = {
             context: "redirect",
             rootRelativeRedirectUrl,
             extraQueryParams: {},
             configId,
             action: "login",
-            rootRelativeRedirectUrl_consentRequiredCase: (() => {
-                switch (rest.action) {
-                    case "login":
-                        return (lastPublicUrl ?? homeUrl).slice(window.location.origin.length);
-                    case "go to auth server":
-                        return rootRelativeRedirectUrl;
-                }
-            })()
+            rootRelativeRedirectUrl_consentRequiredCase
         };
 
         const isSilent = rest.action === "login" && rest.interaction === "ensure no interaction";

package/src/entrypoint.ts

@@ -1,2 +1 @@
 export { oidcEarlyInit } from "./core/earlyInit";
-export { getOidcRequiredPostHydrationReplaceNavigationUrl } from "./core/requiredPostHydrationReplaceNavigationUrl";

package/src/tanstack-start/react/createOidcSpaApi.tsx

@@ -25,6 +25,7 @@ import { toFullyQualifiedUrl } from "../../tools/toFullyQualifiedUrl";
 import { BEFORE_LOAD_FN_BRAND_PROPERTY_NAME } from "./disableSsrIfLoginEnforced";
 import { setDesiredPostLoginRedirectUrl } from "../../core/desiredPostLoginRedirectUrl";
 import type { MaybeAsync } from "../../tools/MaybeAsync";
+import { enableStateDataCookie } from "../../core/StateDataCookie";
 
 export function createOidcSpaApi<
     AutoLogin extends boolean,
@@ -640,6 +641,8 @@ export function createOidcSpaApi<
                     break;
                 case "real":
                     {
+                        enableStateDataCookie();
+
                         const { createOidc } = await prModuleCore;
 
                         let oidcCoreOrInitializationError:

package/src/tanstack-start/react/index.ts

@@ -1,5 +1,5 @@
-export { withHandlingOidcPostLoginNavigation } from "./withHandlingOidcPostLoginNavigation";
 export { __disableSsrIfLoginEnforced } from "./disableSsrIfLoginEnforced";
+export { __withOidcSpaServerEntry } from "./withOidcSpaServerEntry";
 export type * from "./types";
 import { oidcSpaApiBuilder } from "./apiBuilder";
 

package/src/tanstack-start/react/withOidcSpaServerEntry.ts

@@ -0,0 +1,60 @@
+import type { Register } from "@tanstack/react-router";
+// NOTE: This is actually "@tanstack/react-start/server" but since our module is not labeled as ESM we import it from here.
+// it does not matter since it's type level only.
+import type { RequestHandler } from "@tanstack/react-start-server";
+import { getStateDataCookies } from "../../core/StateDataCookie";
+
+export function __withOidcSpaServerEntry<T extends { fetch: RequestHandler<Register> }>(
+    serverEntry_original: T
+): T {
+    return {
+        ...serverEntry_original,
+        fetch: async (request, requestOpts) => {
+            render_deepLink_instead_of_home_on_authResponse: {
+                const url = new URL(request.url);
+
+                const stateUrlParamValue = url.searchParams.get("state");
+
+                if (stateUrlParamValue === null) {
+                    break render_deepLink_instead_of_home_on_authResponse;
+                }
+
+                const { stateDataCookies } = getStateDataCookies({
+                    cookieHeaderParamValue: request.headers.get("cookie")
+                });
+
+                const entry = stateDataCookies.find(
+                    entry => entry.stateUrlParamValue === stateUrlParamValue
+                );
+
+                if (entry === undefined) {
+                    break render_deepLink_instead_of_home_on_authResponse;
+                }
+
+                const { stateDataCookie } = entry;
+
+                const rootRelativeRedirectUrl = (() => {
+                    if (
+                        stateDataCookie.action === "login" &&
+                        url.searchParams.get("error") === "consent_required"
+                    ) {
+                        return stateDataCookie.rootRelativeRedirectUrl_consentRequiredCase;
+                    }
+                    return stateDataCookie.rootRelativeRedirectUrl;
+                })();
+
+                url.pathname = "/";
+                url.search = "";
+                url.hash = "";
+
+                const url_str_new = `${url.href.slice(0, -1)}${rootRelativeRedirectUrl}`;
+
+                const request_new = new Request(url_str_new, request);
+
+                return serverEntry_original.fetch(request_new, requestOpts);
+            }
+
+            return serverEntry_original.fetch(request, requestOpts);
+        }
+    };
+}

package/src/vite-plugin/handleClientEntrypoint.ts

@@ -1,14 +1,18 @@
 import type { OidcSpaVitePluginParams } from "./vite-plugin";
 import type { ResolvedConfig } from "vite";
 import type { PluginContext } from "rollup";
-import { existsSync } from "node:fs";
 import { promises as fs } from "node:fs";
 import * as path from "node:path";
-import { fileURLToPath } from "node:url";
-import { normalizePath } from "vite";
 import { assert } from "../tools/tsafe/assert";
 import type { Equals } from "../tools/tsafe/Equals";
 import type { ProjectType } from "./projectType";
+import {
+    resolveCandidate,
+    resolvePackageFile,
+    normalizeAbsolute,
+    splitId,
+    normalizeRequestPath
+} from "./utils";
 
 type EntryResolution = {
     absolutePath: string;
@@ -29,7 +33,7 @@ const REACT_ROUTER_ENTRY_CANDIDATES = [
 
 const TANSTACK_ENTRY_CANDIDATES = ["client.tsx", "client.ts", "client.jsx", "client.js"];
 
-export function createLoadHandleEntrypoint(params: {
+export function createHandleClientEntrypoint(params: {
     oidcSpaVitePluginParams: OidcSpaVitePluginParams;
     resolvedConfig: ResolvedConfig;
     projectType: ProjectType;
@@ -41,7 +45,7 @@ export function createLoadHandleEntrypoint(params: {
         projectType
     });
 
-    async function loadHandleEntrypoint(params: {
+    async function load_handleClientEntrypoint(params: {
         id: string;
         pluginContext: PluginContext;
     }): Promise<null | string> {
@@ -77,7 +81,6 @@ export function createLoadHandleEntrypoint(params: {
             `    freezeWebSocket: ${freezeWebSocket},`,
             `    freezePromise: ${freezePromise},`,
             `    safeMode: ${safeMode},`,
-            `    isPostLoginRedirectManual: ${projectType === "tanstack-start"},`,
             `    BASE_URL: "${resolvedConfig.base}"`,
             `});`,
             ``,
@@ -93,7 +96,7 @@ export function createLoadHandleEntrypoint(params: {
         return stubSourceCache;
     }
 
-    return loadHandleEntrypoint;
+    return { load_handleClientEntrypoint };
 }
 
 function resolveEntryForProject({
@@ -192,63 +195,3 @@ function loadOriginalModule(
     entry.watchFiles.forEach(file => context.addWatchFile(file));
     return fs.readFile(entry.absolutePath, "utf8");
 }
-
-function resolveCandidate({
-    root,
-    subDirectories,
-    filenames
-}: {
-    root: string;
-    subDirectories: string[];
-    filenames: string[];
-}): string | undefined {
-    for (const subDirectory of subDirectories) {
-        for (const filename of filenames) {
-            const candidate = path.resolve(root, subDirectory, filename);
-            if (existsSync(candidate)) {
-                return candidate;
-            }
-        }
-    }
-    return undefined;
-}
-
-function resolvePackageFile(packageName: string, segments: string[]): string {
-    const pkgPath = require.resolve(`${packageName}/package.json`);
-    return path.resolve(path.dirname(pkgPath), ...segments);
-}
-
-function normalizeAbsolute(filePath: string): string {
-    return normalizePath(filePath);
-}
-
-function splitId(id: string): { path: string; queryParams: URLSearchParams } {
-    const queryIndex = id.indexOf("?");
-    if (queryIndex === -1) {
-        return { path: id, queryParams: new URLSearchParams() };
-    }
-
-    const pathPart = id.slice(0, queryIndex);
-    const queryString = id.slice(queryIndex + 1);
-    return { path: pathPart, queryParams: new URLSearchParams(queryString) };
-}
-
-function normalizeRequestPath(id: string): string {
-    let requestPath = id;
-
-    if (requestPath.startsWith("\0")) {
-        requestPath = requestPath.slice(1);
-    }
-
-    if (requestPath.startsWith("/@fs/")) {
-        requestPath = requestPath.slice("/@fs/".length);
-    } else if (requestPath.startsWith("file://")) {
-        requestPath = fileURLToPath(requestPath);
-    }
-
-    if (path.isAbsolute(requestPath) || requestPath.startsWith(".")) {
-        return normalizePath(requestPath);
-    }
-
-    return normalizePath(requestPath);
-}

package/src/vite-plugin/handleServerEntrypoint.ts

@@ -0,0 +1,129 @@
+import type { ResolvedConfig } from "vite";
+import type { PluginContext } from "rollup";
+import { promises as fs } from "node:fs";
+import * as path from "node:path";
+import { assert } from "../tools/tsafe/assert";
+import type { Equals } from "../tools/tsafe/Equals";
+import type { ProjectType } from "./projectType";
+import {
+    resolveCandidate,
+    resolvePackageFile,
+    normalizeAbsolute,
+    splitId,
+    normalizeRequestPath
+} from "./utils";
+
+type EntryResolution = {
+    absolutePath: string;
+    normalizedPath: string;
+    watchFiles: string[];
+};
+
+const ORIGINAL_QUERY_PARAM = "oidc-spa-original";
+
+export function createHandleServerEntrypoint(params: {
+    resolvedConfig: ResolvedConfig;
+    projectType: ProjectType;
+}) {
+    const { resolvedConfig, projectType } = params;
+
+    const entryResolution = resolveEntryForProject({
+        config: resolvedConfig,
+        projectType
+    });
+
+    async function load_handleServerEntrypoint(params: {
+        id: string;
+        pluginContext: PluginContext;
+    }): Promise<null | string> {
+        if (entryResolution === undefined) {
+            return null;
+        }
+
+        const { id, pluginContext } = params;
+        const { path: rawPath, queryParams } = splitId(id);
+        const normalizedRequestPath = normalizeRequestPath(rawPath);
+        if (!normalizedRequestPath) {
+            return null;
+        }
+
+        if (normalizedRequestPath !== entryResolution.normalizedPath) {
+            return null;
+        }
+
+        const isOriginalRequest = queryParams.getAll(ORIGINAL_QUERY_PARAM).includes("true");
+
+        if (isOriginalRequest) {
+            return loadOriginalModule(entryResolution, pluginContext);
+        }
+
+        entryResolution.watchFiles.forEach(file => pluginContext.addWatchFile(file));
+
+        const stubSourceCache = [
+            `import serverEntry_original from "./${path.basename(
+                entryResolution.absolutePath
+            )}?${ORIGINAL_QUERY_PARAM}=true";`,
+            `import { __withOidcSpaServerEntry } from "oidc-spa/react-tanstack-start";`,
+            ``,
+            `const serverEntry = __withOidcSpaServerEntry(serverEntry_original);`,
+            ``,
+            `export default serverEntry;`
+        ].join("\n");
+
+        return stubSourceCache;
+    }
+
+    return { load_handleServerEntrypoint };
+}
+
+function resolveEntryForProject({
+    config,
+    projectType
+}: {
+    config: ResolvedConfig;
+    projectType: ProjectType;
+}): EntryResolution | undefined {
+    const root = config.root;
+
+    switch (projectType) {
+        case "tanstack-start": {
+            const candidate = resolveCandidate({
+                root,
+                subDirectories: ["src"],
+                filenames: ["server.ts", "server.js", "server.tsx", "server.jsx"]
+            });
+
+            const entryPath =
+                candidate ??
+                resolvePackageFile("@tanstack/react-start", [
+                    "dist",
+                    "plugin",
+                    "default-entry",
+                    "server.ts"
+                ]);
+
+            const normalized = normalizeAbsolute(entryPath);
+
+            const resolution: EntryResolution = {
+                absolutePath: entryPath,
+                normalizedPath: normalized,
+                watchFiles: [entryPath]
+            };
+
+            return resolution;
+        }
+        case "react-router-framework":
+        case "other":
+            return undefined;
+        default:
+            assert<Equals<typeof projectType, never>>(false);
+    }
+}
+
+function loadOriginalModule(
+    entry: EntryResolution,
+    context: { addWatchFile(id: string): void }
+): Promise<string> {
+    entry.watchFiles.forEach(file => context.addWatchFile(file));
+    return fs.readFile(entry.absolutePath, "utf8");
+}