npm - oidc-spa - Versions diffs - 8.6.18 → 8.7.0 - Mend

oidc-spa 8.6.18 → 8.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (153) hide show

package/README.md +2 -2
package/backend.d.ts +3 -20
package/backend.js +50 -242
package/backend.js.map +1 -1
package/core/OidcMetadata.d.ts +2 -2
package/core/OidcMetadata.js.map +1 -1
package/core/createOidc.d.ts +2 -4
package/core/createOidc.js +46 -6
package/core/createOidc.js.map +1 -1
package/core/dpop.d.ts +20 -0
package/core/dpop.js +389 -0
package/core/dpop.js.map +1 -0
package/core/earlyInit.js +2 -0
package/core/earlyInit.js.map +1 -1
package/core/evtIsUserActive.d.ts +8 -1
package/core/evtIsUserActive.js +4 -2
package/core/evtIsUserActive.js.map +1 -1
package/core/oidcClientTsUserToTokens.d.ts +1 -0
package/core/oidcClientTsUserToTokens.js +15 -5
package/core/oidcClientTsUserToTokens.js.map +1 -1
package/core/tokenExfiltrationDefense.js +49 -6
package/core/tokenExfiltrationDefense.js.map +1 -1
package/esm/angular.d.ts +2 -0
package/esm/angular.mjs.map +1 -1
package/esm/backend.d.ts +3 -20
package/esm/backend.mjs +50 -242
package/esm/backend.mjs.map +1 -1
package/esm/core/OidcMetadata.d.ts +2 -2
package/esm/core/OidcMetadata.mjs.map +1 -1
package/esm/core/createOidc.d.ts +2 -4
package/esm/core/createOidc.mjs +46 -6
package/esm/core/createOidc.mjs.map +1 -1
package/esm/core/dpop.d.ts +20 -0
package/esm/core/dpop.mjs +384 -0
package/esm/core/dpop.mjs.map +1 -0
package/esm/core/earlyInit.mjs +2 -0
package/esm/core/earlyInit.mjs.map +1 -1
package/esm/core/evtIsUserActive.d.ts +8 -1
package/esm/core/evtIsUserActive.mjs +4 -2
package/esm/core/evtIsUserActive.mjs.map +1 -1
package/esm/core/oidcClientTsUserToTokens.d.ts +1 -0
package/esm/core/oidcClientTsUserToTokens.mjs +15 -5
package/esm/core/oidcClientTsUserToTokens.mjs.map +1 -1
package/esm/core/tokenExfiltrationDefense.mjs +49 -6
package/esm/core/tokenExfiltrationDefense.mjs.map +1 -1
package/esm/react-spa/createOidcSpaApi.mjs +2 -1
package/esm/react-spa/createOidcSpaApi.mjs.map +1 -1
package/esm/react-spa/types.d.ts +2 -0
package/esm/server/createOidcSpaUtils.d.ts +5 -0
package/esm/server/createOidcSpaUtils.mjs +639 -0
package/esm/server/createOidcSpaUtils.mjs.map +1 -0
package/esm/server/index.d.ts +2 -0
package/esm/server/index.mjs +3 -0
package/esm/server/index.mjs.map +1 -0
package/esm/server/types.d.ts +79 -0
package/esm/server/types.mjs +2 -0
package/esm/server/types.mjs.map +1 -0
package/esm/server/utilsBuilder.d.ts +10 -0
package/esm/server/utilsBuilder.mjs +13 -0
package/esm/server/utilsBuilder.mjs.map +1 -0
package/esm/tanstack-start/react/accessTokenValidation_rfc9068.d.ts +1 -1
package/esm/tanstack-start/react/accessTokenValidation_rfc9068.mjs +102 -94
package/esm/tanstack-start/react/accessTokenValidation_rfc9068.mjs.map +1 -1
package/esm/tanstack-start/react/createOidcSpaApi.d.ts +2 -2
package/esm/tanstack-start/react/createOidcSpaApi.mjs +60 -51
package/esm/tanstack-start/react/createOidcSpaApi.mjs.map +1 -1
package/esm/tanstack-start/react/index.d.ts +1 -1
package/esm/tanstack-start/react/index.mjs +2 -2
package/esm/tanstack-start/react/index.mjs.map +1 -1
package/esm/tanstack-start/react/types.d.ts +36 -11
package/esm/tanstack-start/react/{apiBuilder.d.ts → utilsBuilder.d.ts} +9 -9
package/esm/tanstack-start/react/{apiBuilder.mjs → utilsBuilder.mjs} +6 -6
package/esm/tanstack-start/react/utilsBuilder.mjs.map +1 -0
package/esm/tools/generateES256DPoPProof.d.ts +8 -0
package/esm/tools/generateES256DPoPProof.mjs +48 -0
package/esm/tools/generateES256DPoPProof.mjs.map +1 -0
package/esm/tools/getServerDateNow.d.ts +5 -0
package/esm/tools/getServerDateNow.mjs +7 -0
package/esm/tools/getServerDateNow.mjs.map +1 -0
package/esm/tools/startCountdown.mjs +9 -3
package/esm/tools/startCountdown.mjs.map +1 -1
package/esm/vendor/{backend → server}/evt.mjs +84 -140
package/esm/vendor/{backend → server}/jose.mjs +5 -27
package/esm/vendor/{backend → server}/tsafe.d.ts +1 -0
package/esm/vendor/{backend → server}/tsafe.mjs +6 -0
package/esm/vendor/{backend → server}/zod.mjs +196 -50
package/package.json +6 -1
package/react-spa/createOidcSpaApi.js +2 -1
package/react-spa/createOidcSpaApi.js.map +1 -1
package/react-spa/types.d.ts +2 -0
package/server/createOidcSpaUtils.d.ts +5 -0
package/server/createOidcSpaUtils.js +642 -0
package/server/createOidcSpaUtils.js.map +1 -0
package/server/index.d.ts +2 -0
package/server/index.js +6 -0
package/server/index.js.map +1 -0
package/server/types.d.ts +79 -0
package/server/types.js +3 -0
package/server/types.js.map +1 -0
package/server/utilsBuilder.d.ts +10 -0
package/server/utilsBuilder.js +16 -0
package/server/utilsBuilder.js.map +1 -0
package/src/angular.ts +3 -0
package/src/backend.ts +63 -364
package/src/core/OidcMetadata.ts +4 -2
package/src/core/createOidc.ts +61 -9
package/src/core/dpop.ts +583 -0
package/src/core/earlyInit.ts +3 -0
package/src/core/evtIsUserActive.ts +11 -5
package/src/core/oidcClientTsUserToTokens.ts +18 -4
package/src/core/tokenExfiltrationDefense.ts +60 -5
package/src/react-spa/createOidcSpaApi.ts +2 -1
package/src/react-spa/types.tsx +3 -0
package/src/server/createOidcSpaUtils.ts +848 -0
package/src/server/index.ts +4 -0
package/src/server/types.tsx +99 -0
package/src/server/utilsBuilder.ts +41 -0
package/src/tanstack-start/react/accessTokenValidation_rfc9068.ts +134 -124
package/src/tanstack-start/react/createOidcSpaApi.ts +73 -69
package/src/tanstack-start/react/index.ts +2 -2
package/src/tanstack-start/react/types.tsx +44 -12
package/src/tanstack-start/react/{apiBuilder.ts → utilsBuilder.ts} +14 -14
package/src/tools/generateES256DPoPProof.ts +74 -0
package/src/tools/getServerDateNow.ts +11 -0
package/src/tools/startCountdown.ts +10 -3
package/src/vendor/{backend → server}/tsafe.ts +1 -0
package/tools/generateES256DPoPProof.d.ts +8 -0
package/tools/generateES256DPoPProof.js +51 -0
package/tools/generateES256DPoPProof.js.map +1 -0
package/tools/getServerDateNow.d.ts +5 -0
package/tools/getServerDateNow.js +10 -0
package/tools/getServerDateNow.js.map +1 -0
package/tools/startCountdown.js +9 -3
package/tools/startCountdown.js.map +1 -1
package/vendor/server/evt.js +3 -0
package/vendor/server/jose.js +3 -0
package/vendor/{backend → server}/tsafe.d.ts +1 -0
package/vendor/server/tsafe.js +2 -0
package/vendor/server/zod.js +3 -0
package/esm/tanstack-start/react/apiBuilder.mjs.map +0 -1
package/vendor/backend/evt.js +0 -3
package/vendor/backend/jose.js +0 -3
package/vendor/backend/tsafe.js +0 -2
package/vendor/backend/zod.js +0 -3
/package/esm/vendor/{backend → server}/evt.d.ts +0 -0
/package/esm/vendor/{backend → server}/jose.d.ts +0 -0
/package/esm/vendor/{backend → server}/zod.d.ts +0 -0
/package/src/vendor/{backend → server}/evt.ts +0 -0
/package/src/vendor/{backend → server}/jose.ts +0 -0
/package/src/vendor/{backend → server}/zod.ts +0 -0
/package/vendor/{backend → server}/evt.d.ts +0 -0
/package/vendor/{backend → server}/jose.d.ts +0 -0
/package/vendor/{backend → server}/zod.d.ts +0 -0

package/server/index.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export type * from "./types";
2	+ export declare const oidcSpa: import("./utilsBuilder").OidcSpaUtilsBuilder<import("./types").DecodedAccessToken_RFC9068, never>;

package/server/index.js ADDED Viewed

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oidcSpa = void 0;
+const utilsBuilder_1 = require("./utilsBuilder");
+exports.oidcSpa = utilsBuilder_1.oidcSpaUtilsBuilder;
+//# sourceMappingURL=index.js.map

package/server/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/server/index.ts"],"names":[],"mappings":";;;AACA,iDAAqD;AAExC,QAAA,OAAO,GAAG,kCAAmB,CAAC"}

package/server/types.d.ts ADDED Viewed

@@ -0,0 +1,79 @@
+/**
+ * Claims defined by RFC 9068: "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
+ * https://datatracker.ietf.org/doc/html/rfc9068
+ *
+ * These tokens are intended for consumption by resource servers.
+ */
+export type DecodedAccessToken_RFC9068 = {
+    iss: string;
+    sub: string;
+    aud: string | string[];
+    exp: number;
+    iat: number;
+    client_id?: string;
+    scope?: string;
+    jti?: string;
+    nbf?: number;
+    auth_time?: number;
+    cnf?: Record<string, unknown>;
+    [key: string]: unknown;
+};
+export type ValidateAndDecodeAccessToken<DecodedAccessToken> = (params: {
+    request: {
+        method: string;
+        url: string;
+        headers: Record<"Authorization" | "DPoP", string | null | undefined>;
+    };
+}) => Promise<ValidateAndDecodeAccessToken.ReturnType<DecodedAccessToken>>;
+export declare namespace ValidateAndDecodeAccessToken {
+    type ReturnType<DecodedAccessToken> = (ReturnType.Success<DecodedAccessToken> & {
+        errorCause?: never;
+        debugErrorMessage?: never;
+    }) | (ReturnType.Errored & {
+        decodedAccessToken?: never;
+        decodedAccessToken_original?: never;
+        accessToken?: never;
+    });
+    namespace ReturnType {
+        type Success<DecodedAccessToken> = {
+            isSuccess: true;
+            decodedAccessToken: DecodedAccessToken;
+            decodedAccessToken_original: DecodedAccessToken_RFC9068;
+            accessToken: string;
+        };
+        type Errored = {
+            isSuccess: false;
+            errorCause: "missing Authorization header" | "validation error" | "validation error - access token expired" | "validation error - invalid signature";
+            debugErrorMessage: string;
+        };
+    }
+}
+export type ParamsOfBootstrap<DecodedAccessToken> = ParamsOfBootstrap.Real | ParamsOfBootstrap.Mock<DecodedAccessToken>;
+export declare namespace ParamsOfBootstrap {
+    type Real = {
+        implementation: "real";
+        issuerUri: string;
+        expectedAudience: string | undefined;
+    };
+    type Mock<DecodedAccessToken> = Mock.DecodeOnly | Mock.UseStaticIdentity<DecodedAccessToken>;
+    namespace Mock {
+        type Common = {
+            implementation: "mock";
+        };
+        export type DecodeOnly = Common & {
+            behavior: "decode only";
+        };
+        export type UseStaticIdentity<DecodedAccessToken> = Common & {
+            behavior: "use static identity";
+            decodedAccessToken_mock: DecodedAccessToken;
+            decodedAccessToken_original_mock?: DecodedAccessToken_RFC9068;
+            accessToken_mock?: string;
+        };
+        export {};
+    }
+}
+export type OidcSpaUtils<DecodedAccessToken> = {
+    bootstrapAuth: (params: ParamsOfBootstrap<DecodedAccessToken>) => Promise<void>;
+    validateAndDecodeAccessToken: ValidateAndDecodeAccessToken<DecodedAccessToken>;
+    ofTypeDecodedAccessToken: DecodedAccessToken;
+};

package/server/types.js ADDED Viewed

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/server/types.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../src/server/types.tsx"],"names":[],"mappings":""}

package/server/utilsBuilder.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import type { OidcSpaUtils } from "./types";
+import type { ZodSchemaLike } from "../tools/ZodSchemaLike";
+import type { DecodedAccessToken_RFC9068 } from "./types";
+export type OidcSpaUtilsBuilder<DecodedAccessToken extends Record<string, unknown> = DecodedAccessToken_RFC9068, ExcludedMethod extends "withExpectedDecodedAccessTokenShape" | "createUtils" = never> = Omit<{
+    withExpectedDecodedAccessTokenShape: <DecodedAccessToken extends Record<string, unknown>>(params: {
+        decodedAccessTokenSchema: ZodSchemaLike<DecodedAccessToken_RFC9068, DecodedAccessToken>;
+    }) => OidcSpaUtilsBuilder<DecodedAccessToken, ExcludedMethod | "withExpectedDecodedAccessTokenShape">;
+    createUtils: () => OidcSpaUtils<DecodedAccessToken>;
+}, ExcludedMethod>;
+export declare const oidcSpaUtilsBuilder: OidcSpaUtilsBuilder<DecodedAccessToken_RFC9068, never>;

package/server/utilsBuilder.js ADDED Viewed

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oidcSpaUtilsBuilder = void 0;
+const createOidcSpaUtils_1 = require("./createOidcSpaUtils");
+function createOidcSpaUtilsBuilder(params) {
+    return {
+        withExpectedDecodedAccessTokenShape: ({ decodedAccessTokenSchema }) => createOidcSpaUtilsBuilder({ decodedAccessTokenSchema }),
+        createUtils: () => (0, createOidcSpaUtils_1.createOidcSpaUtils)({
+            decodedAccessTokenSchema: params.decodedAccessTokenSchema
+        })
+    };
+}
+exports.oidcSpaUtilsBuilder = createOidcSpaUtilsBuilder({
+    decodedAccessTokenSchema: undefined
+});
+//# sourceMappingURL=utilsBuilder.js.map

package/server/utilsBuilder.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"utilsBuilder.js","sourceRoot":"","sources":["../src/server/utilsBuilder.ts"],"names":[],"mappings":";;;AAEA,6DAA0D;AAqB1D,SAAS,yBAAyB,CAEhC,MAED;IACG,OAAO;QACH,mCAAmC,EAAE,CAAC,EAAE,wBAAwB,EAAE,EAAE,EAAE,CAClE,yBAAyB,CAAC,EAAE,wBAAwB,EAAE,CAAC;QAC3D,WAAW,EAAE,GAAG,EAAE,CACd,IAAA,uCAAkB,EAAqB;YACnC,wBAAwB,EAAE,MAAM,CAAC,wBAAwB;SAC5D,CAAC;KACT,CAAC;AACN,CAAC;AAEY,QAAA,mBAAmB,GAAG,yBAAyB,CAAC;IACzD,wBAAwB,EAAE,SAAS;CACtC,CAAC,CAAC"}

package/src/angular.ts CHANGED Viewed

@@ -169,6 +169,9 @@ export type ParamsOfProvide = {
      * Default is 60 seconds.
      */
     warnUserSecondsBeforeAutoLogout?: number;
+    /** Default: false */
+    dpop?: boolean;
 };
 assert<

package/src/backend.ts CHANGED Viewed

@@ -1,66 +1,9 @@
-import { assert, isAmong, id, type Equals, is } from "./vendor/backend/tsafe";
-import {
-    decodeProtectedHeader,
-    jwtVerify,
-    createLocalJWKSet,
-    errors,
-    type JWTPayload
-} from "./vendor/backend/jose";
-import { z } from "./vendor/backend/zod";
-import { Evt, throttleTime } from "./vendor/backend/evt";
+import { assert, id } from "./vendor/server/tsafe";
 import type { ZodSchemaLike } from "./tools/ZodSchemaLike";
+import { DecodedAccessToken_RFC9068 } from "./server/types";
+import { oidcSpa } from "./server";
-/**
- * Claims defined by RFC 9068: "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
- * https://datatracker.ietf.org/doc/html/rfc9068
- *
- * These tokens are intended for consumption by resource servers.
- */
-export type DecodedAccessToken_RFC9068 = {
-    // --- REQUIRED (MUST) ---
-    iss: string; // Issuer Identifier
-    sub: string; // Subject Identifier
-    aud: string | string[]; // Audience(s)
-    exp: number; // Expiration time (seconds since epoch)
-    iat: number; // Issued-at time (seconds since epoch)
-    // --- RECOMMENDED (SHOULD) ---
-    client_id?: string; // OAuth2 Client ID that requested the token
-    scope?: string; // Space-separated list of granted scopes
-    jti?: string; // Unique JWT ID (for replay detection)
-    // --- OPTIONAL / EXTENSION CLAIMS ---
-    nbf?: number; // Not-before time (standard JWT claim)
-    auth_time?: number; // Time of user authentication (optional)
-    cnf?: Record<string, unknown>; // Confirmation (e.g. proof-of-possession)
-    [key: string]: unknown; // Allow custom claims (e.g. roles, groups)
-};
-const zDecodedAccessToken_RFC9068 = (() => {
-    type TargetType = DecodedAccessToken_RFC9068;
-    const zTargetType = z
-        .object({
-            iss: z.string(),
-            sub: z.string(),
-            aud: z.union([z.string(), z.array(z.string())]),
-            exp: z.number(),
-            iat: z.number(),
-            client_id: z.string().optional(),
-            scope: z.string().optional(),
-            jti: z.string().optional(),
-            nbf: z.number().optional(),
-            auth_time: z.number().optional(),
-            cnf: z.record(z.unknown()).optional()
-        })
-        .catchall(z.unknown());
-    type InferredType = z.infer<typeof zTargetType>;
-    assert<Equals<TargetType, InferredType>>;
-    return id<z.ZodType<TargetType>>(zTargetType);
-})();
+export type { DecodedAccessToken_RFC9068 };
 export type ParamsOfCreateOidcBackend<DecodedAccessToken> = {
     issuerUri: string;
@@ -98,329 +41,85 @@ export namespace ResultOfAccessTokenVerify {
     };
 }
+/** @deprecated: Use "oidc-spa/server" instead */
 export async function createOidcBackend<
     DecodedAccessToken extends Record<string, unknown> = DecodedAccessToken_RFC9068
 >(params: ParamsOfCreateOidcBackend<DecodedAccessToken>): Promise<OidcBackend<DecodedAccessToken>> {
     const { issuerUri, decodedAccessTokenSchema } = params;
-    let publicSigningKeys = await fetchPublicSigningKeys({ issuerUri });
-    const evtInvalidSignature = Evt.create<void>();
-    evtInvalidSignature.pipe(throttleTime(3600_000)).attach(async () => {
-        const publicSigningKeys_new = await (async function callee(
-            count: number
-        ): Promise<PublicSigningKeys | undefined> {
-            let wrap: PublicSigningKeys | undefined;
-            try {
-                wrap = await fetchPublicSigningKeys({ issuerUri });
-            } catch (error) {
-                if (count === 9) {
-                    console.warn(
-                        `Failed to refresh public key and signing algorithm after ${count + 1} attempts`
-                    );
-                    return undefined;
-                }
-                const delayMs = 1000 * Math.pow(2, count);
-                console.warn(
-                    `Failed to refresh public key and signing algorithm: ${String(
-                        error
-                    )}, retrying in ${delayMs}ms`
-                );
+    const { bootstrapAuth, validateAndDecodeAccessToken } =
+        decodedAccessTokenSchema === undefined
+            ? oidcSpa.createUtils()
+            : oidcSpa.withExpectedDecodedAccessTokenShape({ decodedAccessTokenSchema }).createUtils();
-                await new Promise(resolve => setTimeout(resolve, delayMs));
-                return callee(count + 1);
-            }
-            return wrap;
-        })(0);
-        if (publicSigningKeys_new === undefined) {
-            return;
-        }
-        publicSigningKeys = publicSigningKeys_new;
+    await bootstrapAuth({
+        implementation: "real",
+        issuerUri,
+        expectedAudience: undefined
     });
     return {
         verifyAndDecodeAccessToken: async ({ accessToken }) => {
-            let kid: string;
-            let alg: string;
-            {
-                let header: ReturnType<typeof decodeProtectedHeader>;
-                try {
-                    header = decodeProtectedHeader(accessToken);
-                } catch {
-                    return {
-                        isValid: false,
-                        errorCase: "invalid signature",
-                        errorMessage: "Failed to decode the JWT header"
-                    };
-                }
-                const { kid: kidFromHeader, alg: algFromHeader } = header;
-                if (typeof kidFromHeader !== "string" || kidFromHeader.length === 0) {
-                    return {
-                        isValid: false,
-                        errorCase: "invalid signature",
-                        errorMessage: "The decoded JWT header does not have a kid property"
-                    };
-                }
-                if (typeof algFromHeader !== "string") {
-                    return {
-                        isValid: false,
-                        errorCase: "invalid signature",
-                        errorMessage: "The decoded JWT header does not specify an algorithm"
-                    };
-                }
-                const supportedAlgs = [
-                    "RS256",
-                    "RS384",
-                    "RS512",
-                    "ES256",
-                    "ES384",
-                    "ES512",
-                    "PS256",
-                    "PS384",
-                    "PS512"
-                ] as const;
-                if (!isAmong(supportedAlgs, algFromHeader as (typeof supportedAlgs)[number])) {
-                    return {
-                        isValid: false,
-                        errorCase: "invalid signature",
-                        errorMessage: `Unsupported or too weak algorithm ${algFromHeader}`
-                    };
-                }
-                kid = kidFromHeader;
-                alg = algFromHeader;
-            }
-            if (!publicSigningKeys.kidSet.has(kid)) {
-                return {
-                    isValid: false,
-                    errorCase: "invalid signature",
-                    errorMessage: `No public signing key found with kid ${kid}`
-                };
-            }
-            let payload: JWTPayload;
-            try {
-                const verification = await jwtVerify(accessToken, publicSigningKeys.keyResolver, {
-                    algorithms: [alg]
-                });
-                payload = verification.payload;
-            } catch (error) {
-                if (error instanceof errors.JWTExpired) {
-                    return id<ResultOfAccessTokenVerify.Invalid>({
-                        isValid: false,
-                        errorCase: "expired",
-                        errorMessage: error.message
-                    });
+            const {
+                isSuccess,
+                errorCause,
+                debugErrorMessage,
+                decodedAccessToken,
+                decodedAccessToken_original
+            } = await validateAndDecodeAccessToken({
+                request: {
+                    method: "GET",
+                    url: "https://dummy.com",
+                    headers: {
+                        Authorization: `Bearer ${accessToken}`,
+                        DPoP: undefined
+                    }
                 }
+            });
-                evtInvalidSignature.post();
-                return id<ResultOfAccessTokenVerify.Invalid>({
-                    isValid: false,
-                    errorCase: "invalid signature",
-                    errorMessage: error instanceof Error ? error.message : String(error)
-                });
-            }
-            const decodedAccessToken_unknown = payload as unknown;
-            try {
-                zDecodedAccessToken_RFC9068.parse(decodedAccessToken_unknown);
-            } catch (error) {
-                return id<ResultOfAccessTokenVerify.Invalid>({
-                    isValid: false,
-                    errorCase: "does not respect schema",
-                    errorMessage: [
-                        `The decoded access token does not satisfies`,
-                        `the shape mandated by RFC9068: ${String(error)}`
-                    ].join(" ")
-                });
-            }
-            assert(is<DecodedAccessToken_RFC9068>(decodedAccessToken_unknown));
-            const decodedAccessToken_original = decodedAccessToken_unknown;
-            let decodedAccessToken: DecodedAccessToken;
-            if (decodedAccessTokenSchema === undefined) {
-                decodedAccessToken = decodedAccessToken_original as unknown as DecodedAccessToken;
-            } else {
-                try {
-                    decodedAccessToken = decodedAccessTokenSchema.parse(decodedAccessToken_original);
-                } catch (error) {
-                    return id<ResultOfAccessTokenVerify.Invalid>({
-                        isValid: false,
-                        errorCase: "does not respect schema",
-                        errorMessage: String(error)
-                    });
+            if (!isSuccess) {
+                switch (errorCause) {
+                    case "missing Authorization header":
+                        assert(false, "29330204");
+                    case "validation error":
+                        if (
+                            debugErrorMessage.includes("shape") ||
+                            debugErrorMessage.includes("schema")
+                        ) {
+                            return {
+                                isValid: false,
+                                errorCase: "does not respect schema",
+                                errorMessage: debugErrorMessage
+                            };
+                        }
+                        return {
+                            isValid: false,
+                            errorCase: "invalid signature",
+                            errorMessage: debugErrorMessage
+                        };
+                    case "validation error - access token expired":
+                        return {
+                            isValid: false,
+                            errorCase: "expired",
+                            errorMessage: debugErrorMessage
+                        };
+                    case "validation error - invalid signature":
+                        return {
+                            isValid: false,
+                            errorCase: "invalid signature",
+                            errorMessage: debugErrorMessage
+                        };
                 }
             }
             return id<ResultOfAccessTokenVerify.Valid<DecodedAccessToken>>({
                 isValid: true,
+                // @ts-expect-error
                 decodedAccessToken,
                 decodedAccessToken_original
             });
         }
     };
 }
-type PublicSigningKeys = {
-    keyResolver: ReturnType<typeof createLocalJWKSet>;
-    kidSet: Set<string>;
-};
-async function fetchPublicSigningKeys(params: { issuerUri: string }): Promise<PublicSigningKeys> {
-    const { issuerUri } = params;
-    const { jwks_uri } = await (async () => {
-        const url = `${issuerUri.replace(/\/$/, "")}/.well-known/openid-configuration`;
-        const response = await fetch(url);
-        if (!response.ok) {
-            throw new Error(
-                `Failed to fetch openid configuration of the issuerUri: ${issuerUri} (${url}): ${response.statusText}`
-            );
-        }
-        let data: unknown;
-        try {
-            data = await response.json();
-        } catch (error) {
-            throw new Error(`Failed to parse json from ${url}: ${String(error)}`);
-        }
-        {
-            type WellKnownConfiguration = {
-                jwks_uri: string;
-            };
-            const zWellKnownConfiguration = z.object({
-                jwks_uri: z.string()
-            });
-            assert<Equals<WellKnownConfiguration, z.infer<typeof zWellKnownConfiguration>>>();
-            try {
-                zWellKnownConfiguration.parse(data);
-            } catch {
-                throw new Error(`${url} does not have a jwks_uri property`);
-            }
-            assert(is<WellKnownConfiguration>(data));
-        }
-        const { jwks_uri } = data;
-        return { jwks_uri };
-    })();
-    const { jwks } = await (async () => {
-        const response = await fetch(jwks_uri);
-        if (!response.ok) {
-            throw new Error(
-                `Failed to fetch public key and algorithm from ${jwks_uri}: ${response.statusText}`
-            );
-        }
-        let jwks: unknown;
-        try {
-            jwks = await response.json();
-        } catch (error) {
-            throw new Error(`Failed to parse json from ${jwks_uri}: ${String(error)}`);
-        }
-        {
-            type Jwks = {
-                keys: {
-                    kid: string;
-                    kty: string;
-                    use?: string;
-                    alg?: string;
-                }[];
-            };
-            const zJwks = z.object({
-                keys: z.array(
-                    z.object({
-                        kid: z.string(),
-                        kty: z.string(),
-                        use: z.string().optional(),
-                        alg: z.string().optional()
-                    })
-                )
-            });
-            assert<Equals<Jwks, z.infer<typeof zJwks>>>();
-            try {
-                zJwks.parse(jwks);
-            } catch {
-                throw new Error(`${jwks_uri} does not have the expected shape`);
-            }
-            assert(is<Jwks>(jwks));
-        }
-        return { jwks };
-    })();
-    //const signatureKeys = jwks.keys.filter((key): key is JWKS["keys"][number] & { kid: string } => {
-    const signatureKeys = jwks.keys.filter(key => {
-        if (typeof key.kid !== "string" || key.kid.length === 0) {
-            return false;
-        }
-        if (key.use !== undefined && key.use !== "sig") {
-            return false;
-        }
-        const supportedKty = ["RSA", "EC"] as const;
-        if (!supportedKty.includes(key.kty as (typeof supportedKty)[number])) {
-            return false;
-        }
-        return true;
-    });
-    assert(
-        signatureKeys.length !== 0,
-        `No public signing key found at ${jwks_uri}, ${JSON.stringify(jwks, null, 2)}`
-    );
-    const kidSet = new Set(signatureKeys.map(({ kid }) => kid));
-    const keyResolver = createLocalJWKSet({
-        keys: signatureKeys
-    });
-    return {
-        keyResolver,
-        kidSet
-    };
-}

package/src/core/OidcMetadata.ts CHANGED Viewed

@@ -267,9 +267,11 @@ export type OidcMetadata = {
      * @see https://datatracker.ietf.org/doc/html/rfc8414
      */
     code_challenge_methods_supported: string[];
+    dpop_signing_alg_values_supported: string[];
 };
-assert<Equals<OidcMetadata, OidcClientTsOidcMetadata>>;
+assert<Equals<Omit<OidcMetadata, "dpop_signing_alg_values_supported">, OidcClientTsOidcMetadata>>;
 export const WELL_KNOWN_PATH = "/.well-known/openid-configuration";
@@ -288,7 +290,7 @@ function readSessionStorage(params: { issuerUri: string }) {
         return undefined;
     }
-    return JSON.parse(value) as Partial<OidcClientTsOidcMetadata>;
+    return JSON.parse(value) as Partial<OidcMetadata>;
 }
 function setSessionStorage(params: { issuerUri: string; oidcMetadata: Partial<OidcMetadata> }): void {