oidc-spa 8.6.18 → 8.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/backend.d.ts +3 -20
- package/backend.js +50 -242
- package/backend.js.map +1 -1
- package/core/OidcMetadata.d.ts +2 -2
- package/core/OidcMetadata.js.map +1 -1
- package/core/createOidc.d.ts +2 -4
- package/core/createOidc.js +46 -6
- package/core/createOidc.js.map +1 -1
- package/core/dpop.d.ts +20 -0
- package/core/dpop.js +389 -0
- package/core/dpop.js.map +1 -0
- package/core/earlyInit.js +2 -0
- package/core/earlyInit.js.map +1 -1
- package/core/evtIsUserActive.d.ts +8 -1
- package/core/evtIsUserActive.js +4 -2
- package/core/evtIsUserActive.js.map +1 -1
- package/core/oidcClientTsUserToTokens.d.ts +1 -0
- package/core/oidcClientTsUserToTokens.js +15 -5
- package/core/oidcClientTsUserToTokens.js.map +1 -1
- package/core/tokenExfiltrationDefense.js +49 -6
- package/core/tokenExfiltrationDefense.js.map +1 -1
- package/esm/angular.d.ts +2 -0
- package/esm/angular.mjs.map +1 -1
- package/esm/backend.d.ts +3 -20
- package/esm/backend.mjs +50 -242
- package/esm/backend.mjs.map +1 -1
- package/esm/core/OidcMetadata.d.ts +2 -2
- package/esm/core/OidcMetadata.mjs.map +1 -1
- package/esm/core/createOidc.d.ts +2 -4
- package/esm/core/createOidc.mjs +46 -6
- package/esm/core/createOidc.mjs.map +1 -1
- package/esm/core/dpop.d.ts +20 -0
- package/esm/core/dpop.mjs +384 -0
- package/esm/core/dpop.mjs.map +1 -0
- package/esm/core/earlyInit.mjs +2 -0
- package/esm/core/earlyInit.mjs.map +1 -1
- package/esm/core/evtIsUserActive.d.ts +8 -1
- package/esm/core/evtIsUserActive.mjs +4 -2
- package/esm/core/evtIsUserActive.mjs.map +1 -1
- package/esm/core/oidcClientTsUserToTokens.d.ts +1 -0
- package/esm/core/oidcClientTsUserToTokens.mjs +15 -5
- package/esm/core/oidcClientTsUserToTokens.mjs.map +1 -1
- package/esm/core/tokenExfiltrationDefense.mjs +49 -6
- package/esm/core/tokenExfiltrationDefense.mjs.map +1 -1
- package/esm/react-spa/createOidcSpaApi.mjs +2 -1
- package/esm/react-spa/createOidcSpaApi.mjs.map +1 -1
- package/esm/react-spa/types.d.ts +2 -0
- package/esm/server/createOidcSpaUtils.d.ts +5 -0
- package/esm/server/createOidcSpaUtils.mjs +639 -0
- package/esm/server/createOidcSpaUtils.mjs.map +1 -0
- package/esm/server/index.d.ts +2 -0
- package/esm/server/index.mjs +3 -0
- package/esm/server/index.mjs.map +1 -0
- package/esm/server/types.d.ts +79 -0
- package/esm/server/types.mjs +2 -0
- package/esm/server/types.mjs.map +1 -0
- package/esm/server/utilsBuilder.d.ts +10 -0
- package/esm/server/utilsBuilder.mjs +13 -0
- package/esm/server/utilsBuilder.mjs.map +1 -0
- package/esm/tanstack-start/react/accessTokenValidation_rfc9068.d.ts +1 -1
- package/esm/tanstack-start/react/accessTokenValidation_rfc9068.mjs +102 -94
- package/esm/tanstack-start/react/accessTokenValidation_rfc9068.mjs.map +1 -1
- package/esm/tanstack-start/react/createOidcSpaApi.d.ts +2 -2
- package/esm/tanstack-start/react/createOidcSpaApi.mjs +60 -51
- package/esm/tanstack-start/react/createOidcSpaApi.mjs.map +1 -1
- package/esm/tanstack-start/react/index.d.ts +1 -1
- package/esm/tanstack-start/react/index.mjs +2 -2
- package/esm/tanstack-start/react/index.mjs.map +1 -1
- package/esm/tanstack-start/react/types.d.ts +36 -11
- package/esm/tanstack-start/react/{apiBuilder.d.ts → utilsBuilder.d.ts} +9 -9
- package/esm/tanstack-start/react/{apiBuilder.mjs → utilsBuilder.mjs} +6 -6
- package/esm/tanstack-start/react/utilsBuilder.mjs.map +1 -0
- package/esm/tools/generateES256DPoPProof.d.ts +8 -0
- package/esm/tools/generateES256DPoPProof.mjs +48 -0
- package/esm/tools/generateES256DPoPProof.mjs.map +1 -0
- package/esm/tools/getServerDateNow.d.ts +5 -0
- package/esm/tools/getServerDateNow.mjs +7 -0
- package/esm/tools/getServerDateNow.mjs.map +1 -0
- package/esm/tools/startCountdown.mjs +9 -3
- package/esm/tools/startCountdown.mjs.map +1 -1
- package/esm/vendor/{backend → server}/evt.mjs +84 -140
- package/esm/vendor/{backend → server}/jose.mjs +5 -27
- package/esm/vendor/{backend → server}/tsafe.d.ts +1 -0
- package/esm/vendor/{backend → server}/tsafe.mjs +6 -0
- package/esm/vendor/{backend → server}/zod.mjs +196 -50
- package/package.json +6 -1
- package/react-spa/createOidcSpaApi.js +2 -1
- package/react-spa/createOidcSpaApi.js.map +1 -1
- package/react-spa/types.d.ts +2 -0
- package/server/createOidcSpaUtils.d.ts +5 -0
- package/server/createOidcSpaUtils.js +642 -0
- package/server/createOidcSpaUtils.js.map +1 -0
- package/server/index.d.ts +2 -0
- package/server/index.js +6 -0
- package/server/index.js.map +1 -0
- package/server/types.d.ts +79 -0
- package/server/types.js +3 -0
- package/server/types.js.map +1 -0
- package/server/utilsBuilder.d.ts +10 -0
- package/server/utilsBuilder.js +16 -0
- package/server/utilsBuilder.js.map +1 -0
- package/src/angular.ts +3 -0
- package/src/backend.ts +63 -364
- package/src/core/OidcMetadata.ts +4 -2
- package/src/core/createOidc.ts +61 -9
- package/src/core/dpop.ts +583 -0
- package/src/core/earlyInit.ts +3 -0
- package/src/core/evtIsUserActive.ts +11 -5
- package/src/core/oidcClientTsUserToTokens.ts +18 -4
- package/src/core/tokenExfiltrationDefense.ts +60 -5
- package/src/react-spa/createOidcSpaApi.ts +2 -1
- package/src/react-spa/types.tsx +3 -0
- package/src/server/createOidcSpaUtils.ts +848 -0
- package/src/server/index.ts +4 -0
- package/src/server/types.tsx +99 -0
- package/src/server/utilsBuilder.ts +41 -0
- package/src/tanstack-start/react/accessTokenValidation_rfc9068.ts +134 -124
- package/src/tanstack-start/react/createOidcSpaApi.ts +73 -69
- package/src/tanstack-start/react/index.ts +2 -2
- package/src/tanstack-start/react/types.tsx +44 -12
- package/src/tanstack-start/react/{apiBuilder.ts → utilsBuilder.ts} +14 -14
- package/src/tools/generateES256DPoPProof.ts +74 -0
- package/src/tools/getServerDateNow.ts +11 -0
- package/src/tools/startCountdown.ts +10 -3
- package/src/vendor/{backend → server}/tsafe.ts +1 -0
- package/tools/generateES256DPoPProof.d.ts +8 -0
- package/tools/generateES256DPoPProof.js +51 -0
- package/tools/generateES256DPoPProof.js.map +1 -0
- package/tools/getServerDateNow.d.ts +5 -0
- package/tools/getServerDateNow.js +10 -0
- package/tools/getServerDateNow.js.map +1 -0
- package/tools/startCountdown.js +9 -3
- package/tools/startCountdown.js.map +1 -1
- package/vendor/server/evt.js +3 -0
- package/vendor/server/jose.js +3 -0
- package/vendor/{backend → server}/tsafe.d.ts +1 -0
- package/vendor/server/tsafe.js +2 -0
- package/vendor/server/zod.js +3 -0
- package/esm/tanstack-start/react/apiBuilder.mjs.map +0 -1
- package/vendor/backend/evt.js +0 -3
- package/vendor/backend/jose.js +0 -3
- package/vendor/backend/tsafe.js +0 -2
- package/vendor/backend/zod.js +0 -3
- /package/esm/vendor/{backend → server}/evt.d.ts +0 -0
- /package/esm/vendor/{backend → server}/jose.d.ts +0 -0
- /package/esm/vendor/{backend → server}/zod.d.ts +0 -0
- /package/src/vendor/{backend → server}/evt.ts +0 -0
- /package/src/vendor/{backend → server}/jose.ts +0 -0
- /package/src/vendor/{backend → server}/zod.ts +0 -0
- /package/vendor/{backend → server}/evt.d.ts +0 -0
- /package/vendor/{backend → server}/jose.d.ts +0 -0
- /package/vendor/{backend → server}/zod.d.ts +0 -0
package/esm/backend.mjs
CHANGED
|
@@ -1,259 +1,67 @@
|
|
|
1
|
-
import { assert,
|
|
2
|
-
import {
|
|
3
|
-
|
|
4
|
-
import { Evt, throttleTime } from "./vendor/backend/evt.mjs";
|
|
5
|
-
const zDecodedAccessToken_RFC9068 = (() => {
|
|
6
|
-
const zTargetType = z
|
|
7
|
-
.object({
|
|
8
|
-
iss: z.string(),
|
|
9
|
-
sub: z.string(),
|
|
10
|
-
aud: z.union([z.string(), z.array(z.string())]),
|
|
11
|
-
exp: z.number(),
|
|
12
|
-
iat: z.number(),
|
|
13
|
-
client_id: z.string().optional(),
|
|
14
|
-
scope: z.string().optional(),
|
|
15
|
-
jti: z.string().optional(),
|
|
16
|
-
nbf: z.number().optional(),
|
|
17
|
-
auth_time: z.number().optional(),
|
|
18
|
-
cnf: z.record(z.unknown()).optional()
|
|
19
|
-
})
|
|
20
|
-
.catchall(z.unknown());
|
|
21
|
-
assert;
|
|
22
|
-
return id(zTargetType);
|
|
23
|
-
})();
|
|
1
|
+
import { assert, id } from "./vendor/server/tsafe.mjs";
|
|
2
|
+
import { oidcSpa } from "./server/index.mjs";
|
|
3
|
+
/** @deprecated: Use "oidc-spa/server" instead */
|
|
24
4
|
export async function createOidcBackend(params) {
|
|
25
5
|
const { issuerUri, decodedAccessTokenSchema } = params;
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
}
|
|
34
|
-
catch (error) {
|
|
35
|
-
if (count === 9) {
|
|
36
|
-
console.warn(`Failed to refresh public key and signing algorithm after ${count + 1} attempts`);
|
|
37
|
-
return undefined;
|
|
38
|
-
}
|
|
39
|
-
const delayMs = 1000 * Math.pow(2, count);
|
|
40
|
-
console.warn(`Failed to refresh public key and signing algorithm: ${String(error)}, retrying in ${delayMs}ms`);
|
|
41
|
-
await new Promise(resolve => setTimeout(resolve, delayMs));
|
|
42
|
-
return callee(count + 1);
|
|
43
|
-
}
|
|
44
|
-
return wrap;
|
|
45
|
-
})(0);
|
|
46
|
-
if (publicSigningKeys_new === undefined) {
|
|
47
|
-
return;
|
|
48
|
-
}
|
|
49
|
-
publicSigningKeys = publicSigningKeys_new;
|
|
6
|
+
const { bootstrapAuth, validateAndDecodeAccessToken } = decodedAccessTokenSchema === undefined
|
|
7
|
+
? oidcSpa.createUtils()
|
|
8
|
+
: oidcSpa.withExpectedDecodedAccessTokenShape({ decodedAccessTokenSchema }).createUtils();
|
|
9
|
+
await bootstrapAuth({
|
|
10
|
+
implementation: "real",
|
|
11
|
+
issuerUri,
|
|
12
|
+
expectedAudience: undefined
|
|
50
13
|
});
|
|
51
14
|
return {
|
|
52
15
|
verifyAndDecodeAccessToken: async ({ accessToken }) => {
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
return {
|
|
62
|
-
isValid: false,
|
|
63
|
-
errorCase: "invalid signature",
|
|
64
|
-
errorMessage: "Failed to decode the JWT header"
|
|
65
|
-
};
|
|
66
|
-
}
|
|
67
|
-
const { kid: kidFromHeader, alg: algFromHeader } = header;
|
|
68
|
-
if (typeof kidFromHeader !== "string" || kidFromHeader.length === 0) {
|
|
69
|
-
return {
|
|
70
|
-
isValid: false,
|
|
71
|
-
errorCase: "invalid signature",
|
|
72
|
-
errorMessage: "The decoded JWT header does not have a kid property"
|
|
73
|
-
};
|
|
74
|
-
}
|
|
75
|
-
if (typeof algFromHeader !== "string") {
|
|
76
|
-
return {
|
|
77
|
-
isValid: false,
|
|
78
|
-
errorCase: "invalid signature",
|
|
79
|
-
errorMessage: "The decoded JWT header does not specify an algorithm"
|
|
80
|
-
};
|
|
81
|
-
}
|
|
82
|
-
const supportedAlgs = [
|
|
83
|
-
"RS256",
|
|
84
|
-
"RS384",
|
|
85
|
-
"RS512",
|
|
86
|
-
"ES256",
|
|
87
|
-
"ES384",
|
|
88
|
-
"ES512",
|
|
89
|
-
"PS256",
|
|
90
|
-
"PS384",
|
|
91
|
-
"PS512"
|
|
92
|
-
];
|
|
93
|
-
if (!isAmong(supportedAlgs, algFromHeader)) {
|
|
94
|
-
return {
|
|
95
|
-
isValid: false,
|
|
96
|
-
errorCase: "invalid signature",
|
|
97
|
-
errorMessage: `Unsupported or too weak algorithm ${algFromHeader}`
|
|
98
|
-
};
|
|
99
|
-
}
|
|
100
|
-
kid = kidFromHeader;
|
|
101
|
-
alg = algFromHeader;
|
|
102
|
-
}
|
|
103
|
-
if (!publicSigningKeys.kidSet.has(kid)) {
|
|
104
|
-
return {
|
|
105
|
-
isValid: false,
|
|
106
|
-
errorCase: "invalid signature",
|
|
107
|
-
errorMessage: `No public signing key found with kid ${kid}`
|
|
108
|
-
};
|
|
109
|
-
}
|
|
110
|
-
let payload;
|
|
111
|
-
try {
|
|
112
|
-
const verification = await jwtVerify(accessToken, publicSigningKeys.keyResolver, {
|
|
113
|
-
algorithms: [alg]
|
|
114
|
-
});
|
|
115
|
-
payload = verification.payload;
|
|
116
|
-
}
|
|
117
|
-
catch (error) {
|
|
118
|
-
if (error instanceof errors.JWTExpired) {
|
|
119
|
-
return id({
|
|
120
|
-
isValid: false,
|
|
121
|
-
errorCase: "expired",
|
|
122
|
-
errorMessage: error.message
|
|
123
|
-
});
|
|
124
|
-
}
|
|
125
|
-
evtInvalidSignature.post();
|
|
126
|
-
return id({
|
|
127
|
-
isValid: false,
|
|
128
|
-
errorCase: "invalid signature",
|
|
129
|
-
errorMessage: error instanceof Error ? error.message : String(error)
|
|
130
|
-
});
|
|
131
|
-
}
|
|
132
|
-
const decodedAccessToken_unknown = payload;
|
|
133
|
-
try {
|
|
134
|
-
zDecodedAccessToken_RFC9068.parse(decodedAccessToken_unknown);
|
|
135
|
-
}
|
|
136
|
-
catch (error) {
|
|
137
|
-
return id({
|
|
138
|
-
isValid: false,
|
|
139
|
-
errorCase: "does not respect schema",
|
|
140
|
-
errorMessage: [
|
|
141
|
-
`The decoded access token does not satisfies`,
|
|
142
|
-
`the shape mandated by RFC9068: ${String(error)}`
|
|
143
|
-
].join(" ")
|
|
144
|
-
});
|
|
145
|
-
}
|
|
146
|
-
assert(is(decodedAccessToken_unknown));
|
|
147
|
-
const decodedAccessToken_original = decodedAccessToken_unknown;
|
|
148
|
-
let decodedAccessToken;
|
|
149
|
-
if (decodedAccessTokenSchema === undefined) {
|
|
150
|
-
decodedAccessToken = decodedAccessToken_original;
|
|
151
|
-
}
|
|
152
|
-
else {
|
|
153
|
-
try {
|
|
154
|
-
decodedAccessToken = decodedAccessTokenSchema.parse(decodedAccessToken_original);
|
|
16
|
+
const { isSuccess, errorCause, debugErrorMessage, decodedAccessToken, decodedAccessToken_original } = await validateAndDecodeAccessToken({
|
|
17
|
+
request: {
|
|
18
|
+
method: "GET",
|
|
19
|
+
url: "https://dummy.com",
|
|
20
|
+
headers: {
|
|
21
|
+
Authorization: `Bearer ${accessToken}`,
|
|
22
|
+
DPoP: undefined
|
|
23
|
+
}
|
|
155
24
|
}
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
25
|
+
});
|
|
26
|
+
if (!isSuccess) {
|
|
27
|
+
switch (errorCause) {
|
|
28
|
+
case "missing Authorization header":
|
|
29
|
+
assert(false, "29330204");
|
|
30
|
+
case "validation error":
|
|
31
|
+
if (debugErrorMessage.includes("shape") ||
|
|
32
|
+
debugErrorMessage.includes("schema")) {
|
|
33
|
+
return {
|
|
34
|
+
isValid: false,
|
|
35
|
+
errorCase: "does not respect schema",
|
|
36
|
+
errorMessage: debugErrorMessage
|
|
37
|
+
};
|
|
38
|
+
}
|
|
39
|
+
return {
|
|
40
|
+
isValid: false,
|
|
41
|
+
errorCase: "invalid signature",
|
|
42
|
+
errorMessage: debugErrorMessage
|
|
43
|
+
};
|
|
44
|
+
case "validation error - access token expired":
|
|
45
|
+
return {
|
|
46
|
+
isValid: false,
|
|
47
|
+
errorCase: "expired",
|
|
48
|
+
errorMessage: debugErrorMessage
|
|
49
|
+
};
|
|
50
|
+
case "validation error - invalid signature":
|
|
51
|
+
return {
|
|
52
|
+
isValid: false,
|
|
53
|
+
errorCase: "invalid signature",
|
|
54
|
+
errorMessage: debugErrorMessage
|
|
55
|
+
};
|
|
162
56
|
}
|
|
163
57
|
}
|
|
164
58
|
return id({
|
|
165
59
|
isValid: true,
|
|
60
|
+
// @ts-expect-error
|
|
166
61
|
decodedAccessToken,
|
|
167
62
|
decodedAccessToken_original
|
|
168
63
|
});
|
|
169
64
|
}
|
|
170
65
|
};
|
|
171
66
|
}
|
|
172
|
-
async function fetchPublicSigningKeys(params) {
|
|
173
|
-
const { issuerUri } = params;
|
|
174
|
-
const { jwks_uri } = await (async () => {
|
|
175
|
-
const url = `${issuerUri.replace(/\/$/, "")}/.well-known/openid-configuration`;
|
|
176
|
-
const response = await fetch(url);
|
|
177
|
-
if (!response.ok) {
|
|
178
|
-
throw new Error(`Failed to fetch openid configuration of the issuerUri: ${issuerUri} (${url}): ${response.statusText}`);
|
|
179
|
-
}
|
|
180
|
-
let data;
|
|
181
|
-
try {
|
|
182
|
-
data = await response.json();
|
|
183
|
-
}
|
|
184
|
-
catch (error) {
|
|
185
|
-
throw new Error(`Failed to parse json from ${url}: ${String(error)}`);
|
|
186
|
-
}
|
|
187
|
-
{
|
|
188
|
-
const zWellKnownConfiguration = z.object({
|
|
189
|
-
jwks_uri: z.string()
|
|
190
|
-
});
|
|
191
|
-
assert();
|
|
192
|
-
try {
|
|
193
|
-
zWellKnownConfiguration.parse(data);
|
|
194
|
-
}
|
|
195
|
-
catch {
|
|
196
|
-
throw new Error(`${url} does not have a jwks_uri property`);
|
|
197
|
-
}
|
|
198
|
-
assert(is(data));
|
|
199
|
-
}
|
|
200
|
-
const { jwks_uri } = data;
|
|
201
|
-
return { jwks_uri };
|
|
202
|
-
})();
|
|
203
|
-
const { jwks } = await (async () => {
|
|
204
|
-
const response = await fetch(jwks_uri);
|
|
205
|
-
if (!response.ok) {
|
|
206
|
-
throw new Error(`Failed to fetch public key and algorithm from ${jwks_uri}: ${response.statusText}`);
|
|
207
|
-
}
|
|
208
|
-
let jwks;
|
|
209
|
-
try {
|
|
210
|
-
jwks = await response.json();
|
|
211
|
-
}
|
|
212
|
-
catch (error) {
|
|
213
|
-
throw new Error(`Failed to parse json from ${jwks_uri}: ${String(error)}`);
|
|
214
|
-
}
|
|
215
|
-
{
|
|
216
|
-
const zJwks = z.object({
|
|
217
|
-
keys: z.array(z.object({
|
|
218
|
-
kid: z.string(),
|
|
219
|
-
kty: z.string(),
|
|
220
|
-
use: z.string().optional(),
|
|
221
|
-
alg: z.string().optional()
|
|
222
|
-
}))
|
|
223
|
-
});
|
|
224
|
-
assert();
|
|
225
|
-
try {
|
|
226
|
-
zJwks.parse(jwks);
|
|
227
|
-
}
|
|
228
|
-
catch {
|
|
229
|
-
throw new Error(`${jwks_uri} does not have the expected shape`);
|
|
230
|
-
}
|
|
231
|
-
assert(is(jwks));
|
|
232
|
-
}
|
|
233
|
-
return { jwks };
|
|
234
|
-
})();
|
|
235
|
-
//const signatureKeys = jwks.keys.filter((key): key is JWKS["keys"][number] & { kid: string } => {
|
|
236
|
-
const signatureKeys = jwks.keys.filter(key => {
|
|
237
|
-
if (typeof key.kid !== "string" || key.kid.length === 0) {
|
|
238
|
-
return false;
|
|
239
|
-
}
|
|
240
|
-
if (key.use !== undefined && key.use !== "sig") {
|
|
241
|
-
return false;
|
|
242
|
-
}
|
|
243
|
-
const supportedKty = ["RSA", "EC"];
|
|
244
|
-
if (!supportedKty.includes(key.kty)) {
|
|
245
|
-
return false;
|
|
246
|
-
}
|
|
247
|
-
return true;
|
|
248
|
-
});
|
|
249
|
-
assert(signatureKeys.length !== 0, `No public signing key found at ${jwks_uri}, ${JSON.stringify(jwks, null, 2)}`);
|
|
250
|
-
const kidSet = new Set(signatureKeys.map(({ kid }) => kid));
|
|
251
|
-
const keyResolver = createLocalJWKSet({
|
|
252
|
-
keys: signatureKeys
|
|
253
|
-
});
|
|
254
|
-
return {
|
|
255
|
-
keyResolver,
|
|
256
|
-
kidSet
|
|
257
|
-
};
|
|
258
|
-
}
|
|
259
67
|
//# sourceMappingURL=backend.mjs.map
|
package/esm/backend.mjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"backend.mjs","sourceRoot":"","sources":["../src/backend.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,
|
|
1
|
+
{"version":3,"file":"backend.mjs","sourceRoot":"","sources":["../src/backend.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,uBAAuB,CAAC;AAGnD,OAAO,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAwCnC,iDAAiD;AACjD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAErC,MAAqD;IACnD,MAAM,EAAE,SAAS,EAAE,wBAAwB,EAAE,GAAG,MAAM,CAAC;IAEvD,MAAM,EAAE,aAAa,EAAE,4BAA4B,EAAE,GACjD,wBAAwB,KAAK,SAAS;QAClC,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE;QACvB,CAAC,CAAC,OAAO,CAAC,mCAAmC,CAAC,EAAE,wBAAwB,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAElG,MAAM,aAAa,CAAC;QAChB,cAAc,EAAE,MAAM;QACtB,SAAS;QACT,gBAAgB,EAAE,SAAS;KAC9B,CAAC,CAAC;IAEH,OAAO;QACH,0BAA0B,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE;YAClD,MAAM,EACF,SAAS,EACT,UAAU,EACV,iBAAiB,EACjB,kBAAkB,EAClB,2BAA2B,EAC9B,GAAG,MAAM,4BAA4B,CAAC;gBACnC,OAAO,EAAE;oBACL,MAAM,EAAE,KAAK;oBACb,GAAG,EAAE,mBAAmB;oBACxB,OAAO,EAAE;wBACL,aAAa,EAAE,UAAU,WAAW,EAAE;wBACtC,IAAI,EAAE,SAAS;qBAClB;iBACJ;aACJ,CAAC,CAAC;YAEH,IAAI,CAAC,SAAS,EAAE,CAAC;gBACb,QAAQ,UAAU,EAAE,CAAC;oBACjB,KAAK,8BAA8B;wBAC/B,MAAM,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;oBAC9B,KAAK,kBAAkB;wBACnB,IACI,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC;4BACnC,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,CAAC,EACtC,CAAC;4BACC,OAAO;gCACH,OAAO,EAAE,KAAK;gCACd,SAAS,EAAE,yBAAyB;gCACpC,YAAY,EAAE,iBAAiB;6BAClC,CAAC;wBACN,CAAC;wBAED,OAAO;4BACH,OAAO,EAAE,KAAK;4BACd,SAAS,EAAE,mBAAmB;4BAC9B,YAAY,EAAE,iBAAiB;yBAClC,CAAC;oBAEN,KAAK,yCAAyC;wBAC1C,OAAO;4BACH,OAAO,EAAE,KAAK;4BACd,SAAS,EAAE,SAAS;4BACpB,YAAY,EAAE,iBAAiB;yBAClC,CAAC;oBACN,KAAK,sCAAsC;wBACvC,OAAO;4BACH,OAAO,EAAE,KAAK;4BACd,SAAS,EAAE,mBAAmB;4BAC9B,YAAY,EAAE,iBAAiB;yBAClC,CAAC;gBACV,CAAC;YACL,CAAC;YAED,OAAO,EAAE,CAAsD;gBAC3D,OAAO,EAAE,IAAI;gBACb,mBAAmB;gBACnB,kBAAkB;gBAClB,2BAA2B;aAC9B,CAAC,CAAC;QACP,CAAC;KACJ,CAAC;AACN,CAAC"}
|
|
@@ -1,4 +1,3 @@
|
|
|
1
|
-
import { type OidcMetadata as OidcClientTsOidcMetadata } from "../vendor/frontend/oidc-client-ts";
|
|
2
1
|
/**
|
|
3
2
|
* OpenID Providers have metadata describing their configuration.
|
|
4
3
|
*
|
|
@@ -264,8 +263,9 @@ export type OidcMetadata = {
|
|
|
264
263
|
* @see https://datatracker.ietf.org/doc/html/rfc8414
|
|
265
264
|
*/
|
|
266
265
|
code_challenge_methods_supported: string[];
|
|
266
|
+
dpop_signing_alg_values_supported: string[];
|
|
267
267
|
};
|
|
268
268
|
export declare const WELL_KNOWN_PATH = "/.well-known/openid-configuration";
|
|
269
269
|
export declare function fetchOidcMetadata(params: {
|
|
270
270
|
issuerUri: string;
|
|
271
|
-
}): Promise<Partial<
|
|
271
|
+
}): Promise<Partial<OidcMetadata> | undefined>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"OidcMetadata.mjs","sourceRoot":"","sources":["../../src/core/OidcMetadata.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAe,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;
|
|
1
|
+
{"version":3,"file":"OidcMetadata.mjs","sourceRoot":"","sources":["../../src/core/OidcMetadata.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAe,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AA+QlE,MAAiG,CAAC;AAElG,MAAM,CAAC,MAAM,eAAe,GAAG,mCAAmC,CAAC;AAEnE,SAAS,oBAAoB,CAAC,MAA6B;IACvD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,OAAO,iCAAiC,SAAS,EAAE,CAAC;AACxD,CAAC;AAED,SAAS,kBAAkB,CAAC,MAA6B;IACrD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,MAAM,KAAK,GAAG,cAAc,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;IAE1E,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACjB,OAAO,SAAS,CAAC;IACrB,CAAC;IAED,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAA0B,CAAC;AACtD,CAAC;AAED,SAAS,iBAAiB,CAAC,MAAkE;IACzF,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;IAE3C,cAAc,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC;AAC9F,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAA6B;IACjE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,UAAU,EAAE,CAAC;QACT,MAAM,YAAY,GAAG,kBAAkB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC;QAEvD,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,UAAU,CAAC;QACrB,CAAC;QAED,OAAO,YAAY,CAAC;IACxB,CAAC;IAED,IAAI,YAAmC,CAAC;IAExC,IAAI,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,SAAS,GAAG,eAAe,EAAE,EAAE;YAC3D,OAAO,EAAE;gBACL,MAAM,EAAE,4CAA4C;aACvD;SACJ,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,EAAE,CAAC;QACtB,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAElC,CAAC;YACG,MAAM,EAAE,sBAAsB,EAAE,GAAG,GAAG,CAAC;YAEvC,IAAI,OAAO,sBAAsB,KAAK,QAAQ,EAAE,CAAC;gBAC7C,MAAM,IAAI,KAAK,EAAE,CAAC;YACtB,CAAC;QACL,CAAC;QAED,YAAY,GAAG,GAAG,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,SAAS,CAAC;IACrB,CAAC;IAED,IAAI,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC1B,iBAAiB,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,YAAY,CAAC;AACxB,CAAC"}
|
package/esm/core/createOidc.d.ts
CHANGED
|
@@ -65,10 +65,6 @@ export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> =
|
|
|
65
65
|
* */
|
|
66
66
|
idleSessionLifetimeInSeconds?: number;
|
|
67
67
|
/**
|
|
68
|
-
* Usage discouraged, this parameter exists because we don't want to assume
|
|
69
|
-
* too much about your usecase but I can't think of a scenario where you would
|
|
70
|
-
* want anything other than the current page.
|
|
71
|
-
*
|
|
72
68
|
* Default: { redirectTo: "current page" }
|
|
73
69
|
*/
|
|
74
70
|
autoLogoutParams?: Parameters<Oidc.LoggedIn<any>["logout"]>[0];
|
|
@@ -170,6 +166,8 @@ export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> =
|
|
|
170
166
|
* API and no iframe capabilities.
|
|
171
167
|
*/
|
|
172
168
|
postLoginRedirectUrl?: string;
|
|
169
|
+
/** Default: false */
|
|
170
|
+
dpop?: boolean;
|
|
173
171
|
};
|
|
174
172
|
/** @see: https://docs.oidc-spa.dev/v/v8/usage */
|
|
175
173
|
export declare function createOidc<DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_OidcCoreSpec, AutoLogin extends boolean = false>(params: ParamsOfCreateOidc<DecodedIdToken, AutoLogin>): Promise<AutoLogin extends true ? Oidc.LoggedIn<DecodedIdToken> : Oidc<DecodedIdToken>>;
|
package/esm/core/createOidc.mjs
CHANGED
|
@@ -35,9 +35,10 @@ import { getHomeAndRedirectUri } from "./homeAndRedirectUri.mjs";
|
|
|
35
35
|
import { ensureNonBlankPaint } from "../tools/ensureNonBlankPaint.mjs";
|
|
36
36
|
import { setStateDataCookieIfEnabled, clearStateDataCookie, getIsStateDataCookieEnabled } from "./StateDataCookie.mjs";
|
|
37
37
|
import { getIsTokenSubstitutionEnabled } from "./tokenPlaceholderSubstitution.mjs";
|
|
38
|
+
import { createInMemoryDPoPStore } from "./dpop.mjs";
|
|
38
39
|
import { loadWebcryptoLinerShim } from "../tools/loadWebcryptoLinerShim.mjs";
|
|
39
40
|
// NOTE: Replaced at build time
|
|
40
|
-
const VERSION = "8.
|
|
41
|
+
const VERSION = "8.7.0";
|
|
41
42
|
const globalContext = {
|
|
42
43
|
prOidcByConfigId: new Map(),
|
|
43
44
|
hasLogoutBeenCalled: id(false)
|
|
@@ -114,7 +115,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
|
|
|
114
115
|
return new Promise(() => { });
|
|
115
116
|
}
|
|
116
117
|
}
|
|
117
|
-
const { transformUrlBeforeRedirect, extraQueryParams: extraQueryParamsOrGetter, extraTokenParams: extraTokenParamsOrGetter, decodedIdTokenSchema, idleSessionLifetimeInSeconds, autoLogoutParams = { redirectTo: "current page" }, autoLogin = false, postLoginRedirectUrl: postLoginRedirectUrl_default, __unsafe_clientSecret, __unsafe_useIdTokenAsAccessToken = false, __metadata, sessionRestorationMethod = params.autoLogin === true ? "full page redirect" : "auto" } = params;
|
|
118
|
+
const { transformUrlBeforeRedirect, extraQueryParams: extraQueryParamsOrGetter, extraTokenParams: extraTokenParamsOrGetter, decodedIdTokenSchema, idleSessionLifetimeInSeconds, autoLogoutParams = { redirectTo: "current page" }, autoLogin = false, postLoginRedirectUrl: postLoginRedirectUrl_default, __unsafe_clientSecret, __unsafe_useIdTokenAsAccessToken = false, __metadata, sessionRestorationMethod = params.autoLogin === true ? "full page redirect" : "auto", dpop } = params;
|
|
118
119
|
const scopes = Array.from(new Set(["openid", ...(params.scopes ?? ["profile"])]));
|
|
119
120
|
const BASE_URL_params = params.BASE_URL ?? params.homeUrl;
|
|
120
121
|
const { issuerUri, clientId, configId, log } = preProcessedParams;
|
|
@@ -163,6 +164,35 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
|
|
|
163
164
|
}
|
|
164
165
|
const stateUrlParamValue_instance = generateStateUrlParamValue();
|
|
165
166
|
const oidcMetadata = __metadata ?? (await fetchOidcMetadata({ issuerUri }));
|
|
167
|
+
const isDPoPEnabled = (() => {
|
|
168
|
+
if (dpop === undefined) {
|
|
169
|
+
log?.("DPoP disabled because it wasn't explicitly enabled when calling createOidc/bootstrapOidc");
|
|
170
|
+
}
|
|
171
|
+
if (!dpop) {
|
|
172
|
+
log?.("DPoP explicitly disabled in createOidc/bootstrapOidc params");
|
|
173
|
+
return false;
|
|
174
|
+
}
|
|
175
|
+
if (oidcMetadata === undefined) {
|
|
176
|
+
return false;
|
|
177
|
+
}
|
|
178
|
+
if (__unsafe_useIdTokenAsAccessToken) {
|
|
179
|
+
return false;
|
|
180
|
+
}
|
|
181
|
+
const isSupported = (() => {
|
|
182
|
+
const { dpop_signing_alg_values_supported } = oidcMetadata;
|
|
183
|
+
if (dpop_signing_alg_values_supported === undefined) {
|
|
184
|
+
return false;
|
|
185
|
+
}
|
|
186
|
+
return dpop_signing_alg_values_supported.includes("ES256");
|
|
187
|
+
})();
|
|
188
|
+
if (!isSupported) {
|
|
189
|
+
log?.("DPoP disabled because it's not supported by your IdP");
|
|
190
|
+
}
|
|
191
|
+
else {
|
|
192
|
+
log?.("DPoP enabled");
|
|
193
|
+
}
|
|
194
|
+
return isSupported;
|
|
195
|
+
})();
|
|
166
196
|
const canUseIframe = (() => {
|
|
167
197
|
switch (sessionRestorationMethod) {
|
|
168
198
|
case "auto":
|
|
@@ -334,7 +364,13 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
|
|
|
334
364
|
prefix: STATE_STORE_KEY_PREFIX
|
|
335
365
|
}),
|
|
336
366
|
client_secret: __unsafe_clientSecret,
|
|
337
|
-
metadata: oidcMetadata
|
|
367
|
+
metadata: oidcMetadata,
|
|
368
|
+
dpop: !isDPoPEnabled
|
|
369
|
+
? undefined
|
|
370
|
+
: {
|
|
371
|
+
bind_authorization_code: false,
|
|
372
|
+
store: createInMemoryDPoPStore({ configId })
|
|
373
|
+
}
|
|
338
374
|
});
|
|
339
375
|
const evtInitializationOutcomeUserNotLoggedIn = createEvt();
|
|
340
376
|
const { loginOrGoToAuthServer } = createLoginOrGoToAuthServer({
|
|
@@ -754,6 +790,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
|
|
|
754
790
|
decodedIdTokenSchema,
|
|
755
791
|
__unsafe_useIdTokenAsAccessToken,
|
|
756
792
|
decodedIdToken_previous: undefined,
|
|
793
|
+
isDPoPEnabled,
|
|
757
794
|
log
|
|
758
795
|
});
|
|
759
796
|
detect_useless_idleSessionLifetimeInSeconds: {
|
|
@@ -1007,6 +1044,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
|
|
|
1007
1044
|
decodedIdTokenSchema,
|
|
1008
1045
|
__unsafe_useIdTokenAsAccessToken,
|
|
1009
1046
|
decodedIdToken_previous: currentTokens.decodedIdToken,
|
|
1047
|
+
isDPoPEnabled,
|
|
1010
1048
|
log
|
|
1011
1049
|
});
|
|
1012
1050
|
if (getPersistedAuthState({ configId }) !== undefined) {
|
|
@@ -1333,8 +1371,8 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
|
|
|
1333
1371
|
configId,
|
|
1334
1372
|
sessionId
|
|
1335
1373
|
});
|
|
1336
|
-
const { unsubscribe: unsubscribeFromIsUserActive } = evtIsUserActive.subscribe(
|
|
1337
|
-
if (isUserActive) {
|
|
1374
|
+
const { unsubscribe: unsubscribeFromIsUserActive } = evtIsUserActive.subscribe(eventData => {
|
|
1375
|
+
if (eventData.isUserActive) {
|
|
1338
1376
|
if (stopCountdown !== undefined) {
|
|
1339
1377
|
stopCountdown();
|
|
1340
1378
|
stopCountdown = undefined;
|
|
@@ -1345,7 +1383,9 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
|
|
|
1345
1383
|
const currentRefreshTokenTtlInSeconds = getCurrentRefreshTokenTtlInSeconds();
|
|
1346
1384
|
assert(currentRefreshTokenTtlInSeconds !== undefined, "902992326");
|
|
1347
1385
|
stopCountdown = startCountdown({
|
|
1348
|
-
countDownFromSeconds: currentRefreshTokenTtlInSeconds
|
|
1386
|
+
countDownFromSeconds: Math.floor((currentRefreshTokenTtlInSeconds * 1000 -
|
|
1387
|
+
eventData.hasBeenInactiveForHowLongMs) /
|
|
1388
|
+
1000)
|
|
1349
1389
|
}).stopCountdown;
|
|
1350
1390
|
}
|
|
1351
1391
|
});
|