oidc-spa 8.4.8 → 8.5.2

package/src/core/earlyInit.ts

@@ -5,19 +5,65 @@ import { setBASE_URL } from "./BASE_URL";
 import { resolvePrShouldLoadApp } from "./prShouldLoadApp";
 import { isBrowser } from "../tools/isBrowser";
 import { createEvt, type Evt } from "../tools/Evt";
+import {
+    handleTokenExfiltrationDefense_legacy,
+    type Params as Params_handleTokenExfiltrationDefense_legacy
+} from "./tokenExfiltrationDefense_legacy";
+import { enableTokenExfiltrationDefense } from "./tokenExfiltrationDefense";
 
 let hasEarlyInitBeenCalled = false;
 
 const IFRAME_MESSAGE_PREFIX = "oidc-spa:cross-window-messaging:";
 
-export function oidcEarlyInit(params: {
-    freezeFetch?: boolean;
-    freezeXMLHttpRequest?: boolean;
-    freezeWebSocket?: boolean;
-    freezePromise?: boolean;
-    safeMode?: boolean;
+export type ParamsOfEarlyInit_legacy = Params_handleTokenExfiltrationDefense_legacy & {
     BASE_URL?: string;
-}) {
+};
+
+export type ParamsOfEarlyInit = {
+    /**
+     * Base path of where is deployed the webapp
+     * usually `import.meta.env.BASE_URL`
+     * if omitted, can be provided to createOidc()
+     */
+    BASE_URL?: string;
+
+    enableTokenExfiltrationDefense: boolean;
+    /**
+     * Only when enableTokenExfiltrationDefense: true
+     *
+     * Example ["vault.domain2.net", "minio.domain2.net", "*.lab.domain3.net"]
+     * Note that any domains first party relative to where your app
+     * is deployed will be automatically allowed.
+     *
+     * So for example if your app is deployed under:
+     * dashboard.my-company.com
+     * Authed request to the following domains will automatically be allowed (examples):
+     * - minio.my-company.com
+     * - minio.dashboard.my-company.com
+     * - my-company.com
+     *
+     * BUT there is an exception to the rule. If your app is deployed under free default domain
+     * provided by known hosting platform like
+     * - xxx.vercel.com
+     * - xxx.netlify.com
+     * - xxx.github.com
+     * - xxx.pages.dev (firebase)
+     * - xxx.web.app (firebase)
+     * - ...
+     *
+     * We we won't allow request to parent domain since those are multi tenant.
+     *
+     * Also, all filtering will be disabled when the app is ran with the dev server, so under:
+     * - localhost
+     * - 127.0.0.1
+     * - [::]
+     * */
+    resourceServersAllowedHostnames?: string[];
+
+    serviceWorkersAllowedHostnames?: string[];
+};
+
+export function oidcEarlyInit(params: ParamsOfEarlyInit | ParamsOfEarlyInit_legacy) {
     if (hasEarlyInitBeenCalled) {
         throw new Error("oidc-spa: oidcEarlyInit() Should be called only once");
     }
@@ -28,224 +74,124 @@ export function oidcEarlyInit(params: {
         return { shouldLoadApp: true };
     }
 
-    const {
-        freezeFetch,
-        freezeXMLHttpRequest,
-        freezeWebSocket,
-        freezePromise,
-        safeMode = false,
-        BASE_URL
-    } = params;
-
     const { shouldLoadApp } = handleOidcCallback();
 
     if (shouldLoadApp) {
-        const createWriteError = (target: string) =>
-            new Error(
-                [
-                    `oidc-spa: Monkey patching of ${target} has been blocked for security reasons.`,
-                    "You can disable this restriction by setting `safeMode: false` in `oidcEarlyInit()`",
-                    "or in your Vite plugin configuration,",
-                    "but please note this will reduce security.",
-                    "If you believe this restriction is too strict, please open an issue at:",
-                    "https://github.com/keycloakify/oidc-spa",
-                    "We're still identifying real-world blockers and can safely add exceptions where needed.",
-                    "For now, we prefer to err on the side of hardening rather than exposure."
-                ].join(" ")
-            );
-
-        for (const name of [
-            "fetch",
-            "XMLHttpRequest",
-            "WebSocket",
-            "Headers",
-            "URLSearchParams",
-            "String",
-            "Object",
-            "Promise",
-            "Array",
-            "RegExp",
-            "TextEncoder",
-            "Uint8Array",
-            "Uint32Array",
-            "Response",
-            "Reflect",
-            "JSON",
-            "encodeURIComponent",
-            "decodeURIComponent",
-            "atob",
-            "btoa"
-        ] as const) {
-            const doSkip = (() => {
-                switch (name) {
-                    case "XMLHttpRequest":
-                        if (freezeXMLHttpRequest !== undefined) {
-                            return !freezeXMLHttpRequest;
-                        }
-                        break;
-                    case "fetch":
-                        if (freezeFetch !== undefined) {
-                            return !freezeFetch;
-                        }
-                        break;
-                    case "WebSocket":
-                        if (freezeWebSocket !== undefined) {
-                            return !freezeWebSocket;
-                        }
-                        break;
-                    case "Promise":
-                        if (freezePromise !== undefined) {
-                            return !freezePromise;
-                        }
-                        break;
-                }
-
-                return !safeMode;
-            })();
-
-            if (doSkip) {
-                continue;
+        token_exfiltration_defense: {
+            if (!("enableTokenExfiltrationDefense" in params)) {
+                handleTokenExfiltrationDefense_legacy({
+                    freezeFetch: params.freezeFetch,
+                    freezeXMLHttpRequest: params.freezeXMLHttpRequest,
+                    freezeWebSocket: params.freezeWebSocket,
+                    freezePromise: params.freezePromise,
+                    safeMode: params.safeMode
+                });
+                break token_exfiltration_defense;
             }
 
-            const original = window[name];
-
-            if ("prototype" in original) {
-                for (const propertyName of Object.getOwnPropertyNames(original.prototype)) {
-                    if (name === "Object") {
-                        if (
-                            propertyName === "toString" ||
-                            propertyName === "constructor" ||
-                            propertyName === "valueOf"
-                        ) {
-                            continue;
-                        }
-                    }
-
-                    if (name === "Array") {
-                        if (propertyName === "constructor" || propertyName === "concat") {
-                            continue;
-                        }
-                    }
-
-                    const pd = Object.getOwnPropertyDescriptor(original.prototype, propertyName);
-
-                    assert(pd !== undefined);
-
-                    if (!pd.configurable) {
-                        continue;
-                    }
+            const {
+                enableTokenExfiltrationDefense: doEnableTokenExfiltrationDefense,
+                resourceServersAllowedHostnames,
+                serviceWorkersAllowedHostnames
+            } = params;
+
+            if (!doEnableTokenExfiltrationDefense) {
+                if (resourceServersAllowedHostnames !== undefined) {
+                    console.warn(
+                        [
+                            "oidc-spa: resourceServersAllowedHostnames is ignored when",
+                            "enableTokenExfiltrationDefense is set to false."
+                        ].join(" ")
+                    );
+                }
 
-                    Object.defineProperty(original.prototype, propertyName, {
-                        enumerable: pd.enumerable,
-                        configurable: false,
-                        ...("value" in pd
-                            ? {
-                                  get: () => pd.value,
-                                  set: () => {
-                                      throw createWriteError(`window.${name}.prototype.${propertyName}`);
-                                  }
-                              }
-                            : {
-                                  get: pd.get,
-                                  set:
-                                      pd.set ??
-                                      (() => {
-                                          throw createWriteError(
-                                              `window.${name}.prototype.${propertyName}`
-                                          );
-                                      })
-                              })
-                    });
+                if (serviceWorkersAllowedHostnames !== undefined) {
+                    console.warn(
+                        [
+                            "oidc-spa: serviceWorkersAllowedHostnames is ignored when",
+                            "enableTokenExfiltrationDefense is set to false."
+                        ].join(" ")
+                    );
                 }
+
+                break token_exfiltration_defense;
             }
 
-            Object.defineProperty(window, name, {
-                configurable: false,
-                enumerable: true,
-                get: () => original,
-                set: () => {
-                    throw createWriteError(`window.${name}`);
-                }
+            enableTokenExfiltrationDefense({
+                resourceServersAllowedHostnames,
+                serviceWorkersAllowedHostnames
             });
         }
 
-        if (safeMode) {
-            for (const name of ["call", "apply", "bind"] as const) {
-                const original = Function.prototype[name];
+        {
+            const _MessageEvent_prototype_data_get = (() => {
+                const pd = Object.getOwnPropertyDescriptor(MessageEvent.prototype, "data");
 
-                Object.defineProperty(Function.prototype, name, {
-                    configurable: false,
-                    enumerable: true,
-                    get: () => original,
-                    set: () => {
-                        throw createWriteError(`window.Function.prototype.${name});`);
-                    }
-                });
-            }
-        }
+                assert(pd !== undefined);
 
-        const _MessageEvent_prototype_data_get = (() => {
-            const pd = Object.getOwnPropertyDescriptor(MessageEvent.prototype, "data");
+                const { get } = pd;
 
-            assert(pd !== undefined);
+                assert(get !== undefined);
 
-            const { get } = pd;
+                return get;
+            })();
 
-            assert(get !== undefined);
+            const _MessageEvent_prototype_origin_get = (() => {
+                const pd = Object.getOwnPropertyDescriptor(MessageEvent.prototype, "origin");
 
-            return get;
-        })();
+                assert(pd !== undefined);
 
-        const _MessageEvent_prototype_origin_get = (() => {
-            const pd = Object.getOwnPropertyDescriptor(MessageEvent.prototype, "origin");
+                const { get } = pd;
 
-            assert(pd !== undefined);
+                assert(get !== undefined);
 
-            const { get } = pd;
+                return get;
+            })();
 
-            assert(get !== undefined);
+            const _Event_prototype_stopImmediatePropagation_value =
+                Event.prototype.stopImmediatePropagation;
 
-            return get;
-        })();
+            const origin = window.location.origin;
 
-        const _Event_prototype_stopImmediatePropagation_value = Event.prototype.stopImmediatePropagation;
+            window.addEventListener(
+                "message",
+                event => {
+                    if (_MessageEvent_prototype_origin_get.call(event) !== origin) {
+                        return;
+                    }
 
-        const origin = window.location.origin;
+                    const eventData: unknown = _MessageEvent_prototype_data_get.call(event);
 
-        window.addEventListener(
-            "message",
-            event => {
-                if (_MessageEvent_prototype_origin_get.call(event) !== origin) {
-                    return;
-                }
+                    if (typeof eventData !== "string") {
+                        return;
+                    }
 
-                const eventData: unknown = _MessageEvent_prototype_data_get.call(event);
+                    if (!eventData.startsWith(IFRAME_MESSAGE_PREFIX)) {
+                        return;
+                    }
 
-                if (typeof eventData !== "string") {
-                    return;
-                }
+                    _Event_prototype_stopImmediatePropagation_value.call(event);
 
-                if (!eventData.startsWith(IFRAME_MESSAGE_PREFIX)) {
-                    return;
-                }
+                    const authResponse: AuthResponse = JSON.parse(
+                        eventData.slice(IFRAME_MESSAGE_PREFIX.length)
+                    );
 
-                _Event_prototype_stopImmediatePropagation_value.call(event);
+                    (evtIframeAuthResponse ??= createEvt()).post(authResponse);
+                },
+                {
+                    capture: true,
+                    once: false,
+                    passive: false
+                }
+            );
+        }
 
-                const authResponse: AuthResponse = JSON.parse(
-                    eventData.slice(IFRAME_MESSAGE_PREFIX.length)
-                );
+        {
+            const { BASE_URL } = params;
 
-                (evtIframeAuthResponse ??= createEvt()).post(authResponse);
-            },
-            {
-                capture: true,
-                once: false,
-                passive: false
+            if (BASE_URL !== undefined) {
+                setBASE_URL({ BASE_URL });
             }
-        );
-
-        if (BASE_URL !== undefined) {
-            setBASE_URL({ BASE_URL });
         }
     }
 

package/src/core/oidcClientTsUserToTokens.ts

@@ -5,8 +5,10 @@ import { readExpirationTimeInJwt } from "../tools/readExpirationTimeInJwt";
 import { decodeJwt } from "../tools/decodeJwt";
 import type { Oidc } from "./Oidc";
 import { INFINITY_TIME } from "../tools/INFINITY_TIME";
+import { getIsTokenSubstitutionEnabled, getTokensPlaceholders } from "./tokenPlaceholderSubstitution";
 
 export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, unknown>>(params: {
+    configId: string;
     oidcClientTsUser: OidcClientTsUser;
     decodedIdTokenSchema?: {
         parse: (decodedIdToken_original: Oidc.Tokens.DecodedIdToken_OidcCoreSpec) => DecodedIdToken;
@@ -16,6 +18,7 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
     log: typeof console.log | undefined;
 }): Oidc.Tokens<DecodedIdToken> {
     const {
+        configId,
         oidcClientTsUser,
         decodedIdTokenSchema,
         __unsafe_useIdTokenAsAccessToken,
@@ -226,6 +229,17 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
                   })()
               });
 
+    if (getIsTokenSubstitutionEnabled()) {
+        const placeholders = getTokensPlaceholders({
+            configId,
+            tokens
+        });
+
+        tokens.accessToken = placeholders.accessToken;
+        tokens.idToken = placeholders.idToken;
+        tokens.refreshToken = placeholders.refreshToken;
+    }
+
     if (
         isFirstInit &&
         tokens.hasRefreshToken &&