oidc-spa 8.6.18 → 8.7.0

package/esm/server/index.mjs

@@ -0,0 +1,3 @@
+import { oidcSpaUtilsBuilder } from "./utilsBuilder.mjs";
+export const oidcSpa = oidcSpaUtilsBuilder;
+//# sourceMappingURL=index.mjs.map

package/esm/server/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAErD,MAAM,CAAC,MAAM,OAAO,GAAG,mBAAmB,CAAC"}

package/esm/server/types.d.ts

@@ -0,0 +1,79 @@
+/**
+ * Claims defined by RFC 9068: "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
+ * https://datatracker.ietf.org/doc/html/rfc9068
+ *
+ * These tokens are intended for consumption by resource servers.
+ */
+export type DecodedAccessToken_RFC9068 = {
+    iss: string;
+    sub: string;
+    aud: string | string[];
+    exp: number;
+    iat: number;
+    client_id?: string;
+    scope?: string;
+    jti?: string;
+    nbf?: number;
+    auth_time?: number;
+    cnf?: Record<string, unknown>;
+    [key: string]: unknown;
+};
+export type ValidateAndDecodeAccessToken<DecodedAccessToken> = (params: {
+    request: {
+        method: string;
+        url: string;
+        headers: Record<"Authorization" | "DPoP", string | null | undefined>;
+    };
+}) => Promise<ValidateAndDecodeAccessToken.ReturnType<DecodedAccessToken>>;
+export declare namespace ValidateAndDecodeAccessToken {
+    type ReturnType<DecodedAccessToken> = (ReturnType.Success<DecodedAccessToken> & {
+        errorCause?: never;
+        debugErrorMessage?: never;
+    }) | (ReturnType.Errored & {
+        decodedAccessToken?: never;
+        decodedAccessToken_original?: never;
+        accessToken?: never;
+    });
+    namespace ReturnType {
+        type Success<DecodedAccessToken> = {
+            isSuccess: true;
+            decodedAccessToken: DecodedAccessToken;
+            decodedAccessToken_original: DecodedAccessToken_RFC9068;
+            accessToken: string;
+        };
+        type Errored = {
+            isSuccess: false;
+            errorCause: "missing Authorization header" | "validation error" | "validation error - access token expired" | "validation error - invalid signature";
+            debugErrorMessage: string;
+        };
+    }
+}
+export type ParamsOfBootstrap<DecodedAccessToken> = ParamsOfBootstrap.Real | ParamsOfBootstrap.Mock<DecodedAccessToken>;
+export declare namespace ParamsOfBootstrap {
+    type Real = {
+        implementation: "real";
+        issuerUri: string;
+        expectedAudience: string | undefined;
+    };
+    type Mock<DecodedAccessToken> = Mock.DecodeOnly | Mock.UseStaticIdentity<DecodedAccessToken>;
+    namespace Mock {
+        type Common = {
+            implementation: "mock";
+        };
+        export type DecodeOnly = Common & {
+            behavior: "decode only";
+        };
+        export type UseStaticIdentity<DecodedAccessToken> = Common & {
+            behavior: "use static identity";
+            decodedAccessToken_mock: DecodedAccessToken;
+            decodedAccessToken_original_mock?: DecodedAccessToken_RFC9068;
+            accessToken_mock?: string;
+        };
+        export {};
+    }
+}
+export type OidcSpaUtils<DecodedAccessToken> = {
+    bootstrapAuth: (params: ParamsOfBootstrap<DecodedAccessToken>) => Promise<void>;
+    validateAndDecodeAccessToken: ValidateAndDecodeAccessToken<DecodedAccessToken>;
+    ofTypeDecodedAccessToken: DecodedAccessToken;
+};

package/esm/server/types.mjs

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.mjs.map

package/esm/server/types.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.mjs","sourceRoot":"","sources":["../../src/server/types.tsx"],"names":[],"mappings":""}

package/esm/server/utilsBuilder.d.ts

@@ -0,0 +1,10 @@
+import type { OidcSpaUtils } from "./types";
+import type { ZodSchemaLike } from "../tools/ZodSchemaLike";
+import type { DecodedAccessToken_RFC9068 } from "./types";
+export type OidcSpaUtilsBuilder<DecodedAccessToken extends Record<string, unknown> = DecodedAccessToken_RFC9068, ExcludedMethod extends "withExpectedDecodedAccessTokenShape" | "createUtils" = never> = Omit<{
+    withExpectedDecodedAccessTokenShape: <DecodedAccessToken extends Record<string, unknown>>(params: {
+        decodedAccessTokenSchema: ZodSchemaLike<DecodedAccessToken_RFC9068, DecodedAccessToken>;
+    }) => OidcSpaUtilsBuilder<DecodedAccessToken, ExcludedMethod | "withExpectedDecodedAccessTokenShape">;
+    createUtils: () => OidcSpaUtils<DecodedAccessToken>;
+}, ExcludedMethod>;
+export declare const oidcSpaUtilsBuilder: OidcSpaUtilsBuilder<DecodedAccessToken_RFC9068, never>;

package/esm/server/utilsBuilder.mjs

@@ -0,0 +1,13 @@
+import { createOidcSpaUtils } from "./createOidcSpaUtils.mjs";
+function createOidcSpaUtilsBuilder(params) {
+    return {
+        withExpectedDecodedAccessTokenShape: ({ decodedAccessTokenSchema }) => createOidcSpaUtilsBuilder({ decodedAccessTokenSchema }),
+        createUtils: () => createOidcSpaUtils({
+            decodedAccessTokenSchema: params.decodedAccessTokenSchema
+        })
+    };
+}
+export const oidcSpaUtilsBuilder = createOidcSpaUtilsBuilder({
+    decodedAccessTokenSchema: undefined
+});
+//# sourceMappingURL=utilsBuilder.mjs.map

package/esm/server/utilsBuilder.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"utilsBuilder.mjs","sourceRoot":"","sources":["../../src/server/utilsBuilder.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAqB1D,SAAS,yBAAyB,CAEhC,MAED;IACG,OAAO;QACH,mCAAmC,EAAE,CAAC,EAAE,wBAAwB,EAAE,EAAE,EAAE,CAClE,yBAAyB,CAAC,EAAE,wBAAwB,EAAE,CAAC;QAC3D,WAAW,EAAE,GAAG,EAAE,CACd,kBAAkB,CAAqB;YACnC,wBAAwB,EAAE,MAAM,CAAC,wBAAwB;SAC5D,CAAC;KACT,CAAC;AACN,CAAC;AAED,MAAM,CAAC,MAAM,mBAAmB,GAAG,yBAAyB,CAAC;IACzD,wBAAwB,EAAE,SAAS;CACtC,CAAC,CAAC"}

package/esm/tanstack-start/react/accessTokenValidation_rfc9068.d.ts

@@ -1,5 +1,5 @@
 import type { CreateValidateAndGetAccessTokenClaims, ParamsOfBootstrap } from "./types";
-import type { DecodedAccessToken_RFC9068 as AccessTokenClaims_RFC9068 } from "../../backend";
+import type { DecodedAccessToken_RFC9068 as AccessTokenClaims_RFC9068 } from "../../server/types";
 import type { ZodSchemaLike } from "../../tools/ZodSchemaLike";
 export declare function createCreateValidateAndGetAccessTokenClaims_rfc9068<AccessTokenClaims extends Record<string, unknown>>(params: {
     accessTokenClaimsSchema?: ZodSchemaLike<AccessTokenClaims_RFC9068, AccessTokenClaims>;

package/esm/tanstack-start/react/accessTokenValidation_rfc9068.mjs

@@ -1,14 +1,67 @@
 import { createObjectThatThrowsIfAccessed } from "../../tools/createObjectThatThrowsIfAccessed.mjs";
-import { assert, is } from "../../tools/tsafe/assert.mjs";
+import { assert, is, id } from "../../vendor/server/tsafe.mjs";
 export function createCreateValidateAndGetAccessTokenClaims_rfc9068(params) {
     const { accessTokenClaimsSchema, accessTokenClaims_mock, expectedAudience: expectedAudienceGetter } = params;
     const createValidateAndGetAccessTokenClaims = ({ paramsOfBootstrap }) => {
-        if (paramsOfBootstrap.implementation === "mock") {
-            return {
-                validateAndGetAccessTokenClaims: async () => {
-                    return {
-                        isValid: true,
-                        accessTokenClaims: (() => {
+        const prValidateAndDecodeAccessToken = (async () => {
+            const { oidcSpa: oidcSpa_server } = await import("../../server/index.mjs");
+            const { bootstrapAuth, validateAndDecodeAccessToken } = accessTokenClaimsSchema === undefined
+                ? oidcSpa_server.createUtils()
+                : oidcSpa_server
+                    .withExpectedDecodedAccessTokenShape({
+                    decodedAccessTokenSchema: accessTokenClaimsSchema
+                })
+                    .createUtils();
+            switch (paramsOfBootstrap.implementation) {
+                case "real":
+                    {
+                        const expectedAudience = (() => {
+                            if (expectedAudienceGetter === undefined) {
+                                return undefined;
+                            }
+                            const missingEnvNames = new Set();
+                            const env_proxy = new Proxy({}, {
+                                get: (...[, envName]) => {
+                                    assert(typeof envName === "string");
+                                    const value = process.env[envName];
+                                    if (value === undefined) {
+                                        missingEnvNames.add(envName);
+                                        return "";
+                                    }
+                                    return value;
+                                },
+                                has: (...[, envName]) => {
+                                    assert(typeof envName === "string");
+                                    return true;
+                                }
+                            });
+                            const expectedAudience = expectedAudienceGetter?.({
+                                paramsOfBootstrap,
+                                process: { env: env_proxy }
+                            });
+                            if (!expectedAudience) {
+                                throw new Error([
+                                    "oidc-spa: The expectedAudience() you provided returned empty.",
+                                    "If you specified the expectedAudience in withAccessTokenValidation",
+                                    "it's probably an error.",
+                                    missingEnvNames.size !== 0 &&
+                                        `Did you forget to set the env var: ${Array.from(missingEnvNames).join(", ")} ?`
+                                ]
+                                    .filter(line => typeof line === "string")
+                                    .join(" "));
+                            }
+                            return expectedAudience;
+                        })();
+                        await bootstrapAuth({
+                            implementation: "real",
+                            issuerUri: paramsOfBootstrap.issuerUri,
+                            expectedAudience
+                        });
+                    }
+                    break;
+                case "mock":
+                    {
+                        const decodedAccessToken_mock = (() => {
                             if (paramsOfBootstrap.accessTokenClaims_mock !== undefined) {
                                 assert(is(paramsOfBootstrap.accessTokenClaims_mock));
                                 return paramsOfBootstrap.accessTokenClaims_mock;
@@ -24,99 +77,54 @@ export function createCreateValidateAndGetAccessTokenClaims_rfc9068(params) {
                                     "specify accessTokenClaims_mock when calling bootstrapOidc()"
                                 ].join(" ")
                             });
-                        })()
-                    };
-                }
-            };
-        }
-        assert;
-        const prVerifyAndDecodeAccessToken = (async () => {
-            const { createOidcBackend } = await import("../../backend.mjs");
-            const { verifyAndDecodeAccessToken } = await createOidcBackend({
-                issuerUri: paramsOfBootstrap.issuerUri,
-                decodedAccessTokenSchema: accessTokenClaimsSchema
-            });
-            return verifyAndDecodeAccessToken;
-        })();
-        const expectedAudience = (() => {
-            if (expectedAudienceGetter === undefined) {
-                return undefined;
-            }
-            const missingEnvNames = new Set();
-            const env_proxy = new Proxy({}, {
-                get: (...[, envName]) => {
-                    assert(typeof envName === "string");
-                    const value = process.env[envName];
-                    if (value === undefined) {
-                        missingEnvNames.add(envName);
-                        return "";
+                        })();
+                        await bootstrapAuth({
+                            implementation: "mock",
+                            behavior: "use static identity",
+                            decodedAccessToken_mock
+                        });
                     }
-                    return value;
-                },
-                has: (...[, envName]) => {
-                    assert(typeof envName === "string");
-                    return true;
-                }
-            });
-            const expectedAudience = expectedAudienceGetter?.({
-                paramsOfBootstrap,
-                process: { env: env_proxy }
-            });
-            if (!expectedAudience) {
-                throw new Error([
-                    "oidc-spa: The expectedAudience() you provided returned empty.",
-                    "If you specified the expectedAudience in withAccessTokenValidation",
-                    "it's probably and error.",
-                    missingEnvNames.size !== 0 &&
-                        `Did you forget to set the env var: ${Array.from(missingEnvNames).join(", ")} ?`
-                ]
-                    .filter(line => typeof line === "string")
-                    .join(" "));
+                    break;
+                default:
+                    assert(false);
             }
-            return expectedAudience;
+            return validateAndDecodeAccessToken;
         })();
-        return {
-            validateAndGetAccessTokenClaims: async ({ accessToken }) => {
-                const verifyAndDecodeAccessToken = await prVerifyAndDecodeAccessToken;
-                const { isValid, errorCase, errorMessage, decodedAccessToken, decodedAccessToken_original } = await verifyAndDecodeAccessToken({ accessToken });
-                if (!isValid) {
-                    return {
-                        isValid: false,
-                        errorMessage: `${errorCase}: ${errorMessage}`,
-                        wwwAuthenticateHeaderErrorDescription: (() => {
-                            switch (errorCase) {
-                                case "does not respect schema":
-                                    return "The access token is malformed or missing required claims";
-                                case "expired":
-                                    return "The access token expired";
-                                case "invalid signature":
-                                    return "The access token signature is invalid";
-                            }
-                        })()
-                    };
-                }
-                if (expectedAudience !== undefined) {
-                    const aud_array = typeof decodedAccessToken_original.aud === "string"
-                        ? [decodedAccessToken_original.aud]
-                        : decodedAccessToken_original.aud;
-                    if (!aud_array.includes(expectedAudience)) {
-                        return {
-                            isValid: false,
-                            errorMessage: [
-                                "Access token is not for the expected audience.",
-                                `Got aud claim: ${JSON.stringify(decodedAccessToken_original.aud)}`,
-                                `Expected: ${expectedAudience}`
-                            ].join(" "),
-                            wwwAuthenticateHeaderErrorDescription: "The access token audience is invalid"
-                        };
-                    }
+        const validateAndGetAccessTokenClaims = async ({ request }) => {
+            const validateAndDecodeAccessToken = await prValidateAndDecodeAccessToken;
+            const { isSuccess, errorCause, debugErrorMessage, decodedAccessToken, accessToken } = await validateAndDecodeAccessToken({
+                request
+            });
+            if (!isSuccess) {
+                if (errorCause === "missing Authorization header") {
+                    return id({
+                        isSuccess: false,
+                        isAnonymousRequest: true
+                    });
                 }
-                return {
-                    isValid: true,
-                    accessTokenClaims: decodedAccessToken
-                };
+                return id({
+                    isSuccess: false,
+                    isAnonymousRequest: false,
+                    debugErrorMessage: `${errorCause}: ${debugErrorMessage}`,
+                    wwwAuthenticateResponseHeaderValue: `Bearer error="invalid_token", error_description="${(() => {
+                        switch (errorCause) {
+                            case "validation error":
+                            case "validation error - invalid signature":
+                            case "validation error - access token expired":
+                                return "Validation Failed";
+                            default:
+                                assert(false);
+                        }
+                    })()}"`
+                });
             }
+            return id({
+                isSuccess: true,
+                accessTokenClaims: decodedAccessToken,
+                accessToken
+            });
         };
+        return { validateAndGetAccessTokenClaims };
     };
     return { createValidateAndGetAccessTokenClaims };
 }

package/esm/tanstack-start/react/accessTokenValidation_rfc9068.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"accessTokenValidation_rfc9068.mjs","sourceRoot":"","sources":["../../../src/tanstack-start/react/accessTokenValidation_rfc9068.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,gCAAgC,EAAE,MAAM,8CAA8C,CAAC;AAChG,OAAO,EAAE,MAAM,EAAe,EAAE,EAAE,MAAM,0BAA0B,CAAC;AAEnE,MAAM,UAAU,mDAAmD,CAEjE,MAOD;IACG,MAAM,EACF,uBAAuB,EACvB,sBAAsB,EACtB,gBAAgB,EAAE,sBAAsB,EAC3C,GAAG,MAAM,CAAC;IAEX,MAAM,qCAAqC,GAEvC,CAAC,EAAE,iBAAiB,EAAE,EAAE,EAAE;QAC1B,IAAI,iBAAiB,CAAC,cAAc,KAAK,MAAM,EAAE,CAAC;YAC9C,OAAO;gBACH,+BAA+B,EAAE,KAAK,IAAI,EAAE;oBACxC,OAAO;wBACH,OAAO,EAAE,IAAI;wBACb,iBAAiB,EAAE,CAAC,GAAG,EAAE;4BACrB,IAAI,iBAAiB,CAAC,sBAAsB,KAAK,SAAS,EAAE,CAAC;gCACzD,MAAM,CAAC,EAAE,CAAoB,iBAAiB,CAAC,sBAAsB,CAAC,CAAC,CAAC;gCACxE,OAAO,iBAAiB,CAAC,sBAAsB,CAAC;4BACpD,CAAC;4BAED,IAAI,sBAAsB,KAAK,SAAS,EAAE,CAAC;gCACvC,OAAO,sBAAsB,CAAC;4BAClC,CAAC;4BAED,OAAO,gCAAgC,CAAoB;gCACvD,YAAY,EAAE;oCACV,iEAAiE;oCACjE,mEAAmE;oCACnE,iDAAiD;oCACjD,6DAA6D;iCAChE,CAAC,IAAI,CAAC,GAAG,CAAC;6BACd,CAAC,CAAC;wBACP,CAAC,CAAC,EAAE;qBACP,CAAC;gBACN,CAAC;aACJ,CAAC;QACN,CAAC;QACD,MAAoE,CAAC;QAErE,MAAM,4BAA4B,GAAG,CAAC,KAAK,IAAI,EAAE;YAC7C,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;YAE5D,MAAM,EAAE,0BAA0B,EAAE,GAAG,MAAM,iBAAiB,CAAC;gBAC3D,SAAS,EAAE,iBAAiB,CAAC,SAAS;gBACtC,wBAAwB,EAAE,uBAAuB;aACpD,CAAC,CAAC;YAEH,OAAO,0BAA0B,CAAC;QACtC,CAAC,CAAC,EAAE,CAAC;QAEL,MAAM,gBAAgB,GAAG,CAAC,GAAG,EAAE;YAC3B,IAAI,sBAAsB,KAAK,SAAS,EAAE,CAAC;gBACvC,OAAO,SAAS,CAAC;YACrB,CAAC;YAED,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;YAE1C,MAAM,SAAS,GAAG,IAAI,KAAK,CACvB,EAAE,EACF;gBACI,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,EAAE,EAAE;oBACpB,MAAM,CAAC,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC;oBAEpC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;oBAEnC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;wBACtB,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;wBAC7B,OAAO,EAAE,CAAC;oBACd,CAAC;oBAED,OAAO,KAAK,CAAC;gBACjB,CAAC;gBACD,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,EAAE,EAAE;oBACpB,MAAM,CAAC,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC;oBACpC,OAAO,IAAI,CAAC;gBAChB,CAAC;aACJ,CACJ,CAAC;YAEF,MAAM,gBAAgB,GAAG,sBAAsB,EAAE,CAAC;gBAC9C,iBAAiB;gBACjB,OAAO,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE;aAC9B,CAAC,CAAC;YAEH,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACpB,MAAM,IAAI,KAAK,CACX;oBACI,+DAA+D;oBAC/D,oEAAoE;oBACpE,0BAA0B;oBAC1B,eAAe,CAAC,IAAI,KAAK,CAAC;wBACtB,sCAAsC,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,IAAI,CAClE,IAAI,CACP,IAAI;iBACZ;qBACI,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC;qBACxC,IAAI,CAAC,GAAG,CAAC,CACjB,CAAC;YACN,CAAC;YAED,OAAO,gBAAgB,CAAC;QAC5B,CAAC,CAAC,EAAE,CAAC;QAEL,OAAO;YACH,+BAA+B,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE;gBACvD,MAAM,0BAA0B,GAAG,MAAM,4BAA4B,CAAC;gBAEtE,MAAM,EACF,OAAO,EACP,SAAS,EACT,YAAY,EACZ,kBAAkB,EAClB,2BAA2B,EAC9B,GAAG,MAAM,0BAA0B,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC;gBAEtD,IAAI,CAAC,OAAO,EAAE,CAAC;oBACX,OAAO;wBACH,OAAO,EAAE,KAAK;wBACd,YAAY,EAAE,GAAG,SAAS,KAAK,YAAY,EAAE;wBAC7C,qCAAqC,EAAE,CAAC,GAAG,EAAE;4BACzC,QAAQ,SAAS,EAAE,CAAC;gCAChB,KAAK,yBAAyB;oCAC1B,OAAO,0DAA0D,CAAC;gCACtE,KAAK,SAAS;oCACV,OAAO,0BAA0B,CAAC;gCACtC,KAAK,mBAAmB;oCACpB,OAAO,uCAAuC,CAAC;4BACvD,CAAC;wBACL,CAAC,CAAC,EAAE;qBACP,CAAC;gBACN,CAAC;gBAED,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;oBACjC,MAAM,SAAS,GACX,OAAO,2BAA2B,CAAC,GAAG,KAAK,QAAQ;wBAC/C,CAAC,CAAC,CAAC,2BAA2B,CAAC,GAAG,CAAC;wBACnC,CAAC,CAAC,2BAA2B,CAAC,GAAG,CAAC;oBAE1C,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;wBACxC,OAAO;4BACH,OAAO,EAAE,KAAK;4BACd,YAAY,EAAE;gCACV,gDAAgD;gCAChD,kBAAkB,IAAI,CAAC,SAAS,CAAC,2BAA2B,CAAC,GAAG,CAAC,EAAE;gCACnE,aAAa,gBAAgB,EAAE;6BAClC,CAAC,IAAI,CAAC,GAAG,CAAC;4BACX,qCAAqC,EAAE,sCAAsC;yBAChF,CAAC;oBACN,CAAC;gBACL,CAAC;gBAED,OAAO;oBACH,OAAO,EAAE,IAAI;oBACb,iBAAiB,EAAE,kBAAkB;iBACxC,CAAC;YACN,CAAC;SACJ,CAAC;IACN,CAAC,CAAC;IAEF,OAAO,EAAE,qCAAqC,EAAE,CAAC;AACrD,CAAC"}
+{"version":3,"file":"accessTokenValidation_rfc9068.mjs","sourceRoot":"","sources":["../../../src/tanstack-start/react/accessTokenValidation_rfc9068.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,gCAAgC,EAAE,MAAM,8CAA8C,CAAC;AAChG,OAAO,EAAE,MAAM,EAAe,EAAE,EAAE,EAAE,EAAE,MAAM,2BAA2B,CAAC;AAExE,MAAM,UAAU,mDAAmD,CAEjE,MAOD;IACG,MAAM,EACF,uBAAuB,EACvB,sBAAsB,EACtB,gBAAgB,EAAE,sBAAsB,EAC3C,GAAG,MAAM,CAAC;IAEX,MAAM,qCAAqC,GAEvC,CAAC,EAAE,iBAAiB,EAAE,EAAE,EAAE;QAC1B,MAAM,8BAA8B,GAAG,CAAC,KAAK,IAAI,EAAE;YAC/C,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,CAAC;YAEjE,MAAM,EAAE,aAAa,EAAE,4BAA4B,EAAE,GACjD,uBAAuB,KAAK,SAAS;gBACjC,CAAC,CAAE,cAAc,CAAC,WAAW,EAAY;gBACzC,CAAC,CAAC,cAAc;qBACT,mCAAmC,CAAC;oBACjC,wBAAwB,EAAE,uBAAuB;iBACpD,CAAC;qBACD,WAAW,EAAE,CAAC;YAE7B,QAAQ,iBAAiB,CAAC,cAAc,EAAE,CAAC;gBACvC,KAAK,MAAM;oBACP,CAAC;wBACG,MAAM,gBAAgB,GAAG,CAAC,GAAG,EAAE;4BAC3B,IAAI,sBAAsB,KAAK,SAAS,EAAE,CAAC;gCACvC,OAAO,SAAS,CAAC;4BACrB,CAAC;4BAED,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;4BAE1C,MAAM,SAAS,GAAG,IAAI,KAAK,CACvB,EAAE,EACF;gCACI,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,EAAE,EAAE;oCACpB,MAAM,CAAC,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC;oCAEpC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;oCAEnC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;wCACtB,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;wCAC7B,OAAO,EAAE,CAAC;oCACd,CAAC;oCAED,OAAO,KAAK,CAAC;gCACjB,CAAC;gCACD,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,EAAE,EAAE;oCACpB,MAAM,CAAC,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC;oCACpC,OAAO,IAAI,CAAC;gCAChB,CAAC;6BACJ,CACJ,CAAC;4BAEF,MAAM,gBAAgB,GAAG,sBAAsB,EAAE,CAAC;gCAC9C,iBAAiB;gCACjB,OAAO,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE;6BAC9B,CAAC,CAAC;4BAEH,IAAI,CAAC,gBAAgB,EAAE,CAAC;gCACpB,MAAM,IAAI,KAAK,CACX;oCACI,+DAA+D;oCAC/D,oEAAoE;oCACpE,yBAAyB;oCACzB,eAAe,CAAC,IAAI,KAAK,CAAC;wCACtB,sCAAsC,KAAK,CAAC,IAAI,CAC5C,eAAe,CAClB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;iCACvB;qCACI,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC;qCACxC,IAAI,CAAC,GAAG,CAAC,CACjB,CAAC;4BACN,CAAC;4BAED,OAAO,gBAAgB,CAAC;wBAC5B,CAAC,CAAC,EAAE,CAAC;wBAEL,MAAM,aAAa,CAAC;4BAChB,cAAc,EAAE,MAAM;4BACtB,SAAS,EAAE,iBAAiB,CAAC,SAAS;4BACtC,gBAAgB;yBACnB,CAAC,CAAC;oBACP,CAAC;oBACD,MAAM;gBACV,KAAK,MAAM;oBACP,CAAC;wBACG,MAAM,uBAAuB,GAAG,CAAC,GAAG,EAAE;4BAClC,IAAI,iBAAiB,CAAC,sBAAsB,KAAK,SAAS,EAAE,CAAC;gCACzD,MAAM,CAAC,EAAE,CAAoB,iBAAiB,CAAC,sBAAsB,CAAC,CAAC,CAAC;gCACxE,OAAO,iBAAiB,CAAC,sBAAsB,CAAC;4BACpD,CAAC;4BAED,IAAI,sBAAsB,KAAK,SAAS,EAAE,CAAC;gCACvC,OAAO,sBAAsB,CAAC;4BAClC,CAAC;4BAED,OAAO,gCAAgC,CAAoB;gCACvD,YAAY,EAAE;oCACV,iEAAiE;oCACjE,mEAAmE;oCACnE,iDAAiD;oCACjD,6DAA6D;iCAChE,CAAC,IAAI,CAAC,GAAG,CAAC;6BACd,CAAC,CAAC;wBACP,CAAC,CAAC,EAAE,CAAC;wBAEL,MAAM,aAAa,CAAC;4BAChB,cAAc,EAAE,MAAM;4BACtB,QAAQ,EAAE,qBAAqB;4BAC/B,uBAAuB;yBAC1B,CAAC,CAAC;oBACP,CAAC;oBACD,MAAM;gBACV;oBACI,MAAM,CAA0C,KAAK,CAAC,CAAC;YAC/D,CAAC;YAED,OAAO,4BAA4B,CAAC;QACxC,CAAC,CAAC,EAAE,CAAC;QAEL,MAAM,+BAA+B,GAEjC,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;YACtB,MAAM,4BAA4B,GAAG,MAAM,8BAA8B,CAAC;YAE1E,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,WAAW,EAAE,GAC/E,MAAM,4BAA4B,CAAC;gBAC/B,OAAO;aACV,CAAC,CAAC;YAEP,IAAI,CAAC,SAAS,EAAE,CAAC;gBACb,IAAI,UAAU,KAAK,8BAA8B,EAAE,CAAC;oBAChD,OAAO,EAAE,CAAsE;wBAC3E,SAAS,EAAE,KAAK;wBAChB,kBAAkB,EAAE,IAAI;qBAC3B,CAAC,CAAC;gBACP,CAAC;gBAED,OAAO,EAAE,CAAsE;oBAC3E,SAAS,EAAE,KAAK;oBAChB,kBAAkB,EAAE,KAAK;oBACzB,iBAAiB,EAAE,GAAG,UAAU,KAAK,iBAAiB,EAAE;oBACxD,kCAAkC,EAAE,oDAAoD,CAAC,GAAG,EAAE;wBAC1F,QAAQ,UAAU,EAAE,CAAC;4BACjB,KAAK,kBAAkB,CAAC;4BACxB,KAAK,sCAAsC,CAAC;4BAC5C,KAAK,yCAAyC;gCAC1C,OAAO,mBAAmB,CAAC;4BAC/B;gCACI,MAAM,CAAmC,KAAK,CAAC,CAAC;wBACxD,CAAC;oBACL,CAAC,CAAC,EAAE,GAAG;iBACV,CAAC,CAAC;YACP,CAAC;YAED,OAAO,EAAE,CAAwE;gBAC7E,SAAS,EAAE,IAAI;gBACf,iBAAiB,EAAE,kBAAkB;gBACrC,WAAW;aACd,CAAC,CAAC;QACP,CAAC,CAAC;QAEF,OAAO,EAAE,+BAA+B,EAAE,CAAC;IAC/C,CAAC,CAAC;IAEF,OAAO,EAAE,qCAAqC,EAAE,CAAC;AACrD,CAAC"}

package/esm/tanstack-start/react/createOidcSpaApi.d.ts

@@ -1,4 +1,4 @@
-import type { CreateValidateAndGetAccessTokenClaims, OidcSpaApi } from "./types";
+import type { CreateValidateAndGetAccessTokenClaims, OidcSpaUtils } from "./types";
 import type { ZodSchemaLike } from "../../tools/ZodSchemaLike";
 import type { Oidc as Oidc_core } from "../../core";
 export declare function createOidcSpaApi<AutoLogin extends boolean, DecodedIdToken extends Record<string, unknown>, AccessTokenClaims extends Record<string, unknown> | undefined>(params: {
@@ -6,4 +6,4 @@ export declare function createOidcSpaApi<AutoLogin extends boolean, DecodedIdTok
     decodedIdTokenSchema: ZodSchemaLike<Oidc_core.Tokens.DecodedIdToken_OidcCoreSpec, DecodedIdToken> | undefined;
     decodedIdToken_mock: DecodedIdToken | undefined;
     createValidateAndGetAccessTokenClaims: CreateValidateAndGetAccessTokenClaims<AccessTokenClaims> | undefined;
-}): OidcSpaApi<AutoLogin, DecodedIdToken, AccessTokenClaims>;
+}): OidcSpaUtils<AutoLogin, DecodedIdToken, AccessTokenClaims>;

package/esm/tanstack-start/react/createOidcSpaApi.mjs

@@ -10,6 +10,7 @@ import { typeGuard } from "../../tools/tsafe/typeGuard.mjs";
 import { createServerFn, createMiddleware } from "@tanstack/react-start";
 // @ts-expect-error: Since our module is not labeled as ESM we don't have the types here.
 import { getRequest, setResponseHeader, setResponseStatus } from "@tanstack/react-start/server";
+//import { getRequest, setResponseHeader, setResponseStatus } from "@tanstack/react-start-server";
 import { toFullyQualifiedUrl } from "../../tools/toFullyQualifiedUrl.mjs";
 import { BEFORE_LOAD_FN_BRAND_PROPERTY_NAME } from "./disableSsrIfLoginEnforced.mjs";
 import { setDesiredPostLoginRedirectUrl } from "../../core/desiredPostLoginRedirectUrl.mjs";
@@ -469,7 +470,8 @@ export function createOidcSpaApi(params) {
                                 __unsafe_clientSecret: paramsOfBootstrap.__unsafe_clientSecret,
                                 __metadata: paramsOfBootstrap.__metadata,
                                 __unsafe_useIdTokenAsAccessToken: paramsOfBootstrap.__unsafe_useIdTokenAsAccessToken,
-                                autoLogoutParams: paramsOfBootstrap.autoLogoutParams
+                                autoLogoutParams: paramsOfBootstrap.autoLogoutParams,
+                                dpop: paramsOfBootstrap.dpop
                             });
                         }
                         catch (error) {
@@ -550,57 +552,64 @@ export function createOidcSpaApi(params) {
         return async (options) => {
             const { next } = options;
             const unauthorized = (params) => {
-                const { errorMessage, wwwAuthenticateHeaderErrorDescription } = params;
-                setResponseHeader("WWW-Authenticate", `Bearer error="invalid_token", error_description="${wwwAuthenticateHeaderErrorDescription}"`);
-                setResponseStatus(401, "Unauthorized");
-                return new Error(`oidc-spa: ${errorMessage}`);
-            };
-            const { headers } = getRequest();
-            const authorizationHeaderValue = headers.get("Authorization");
-            if (authorizationHeaderValue === null) {
-                if (params?.assert === "user logged in") {
-                    const errorMessage = [
-                        "Asserted user logged in for that serverFn request",
-                        "but no access token was attached to the request"
-                    ].join(" ");
-                    throw unauthorized({
-                        errorMessage,
-                        wwwAuthenticateHeaderErrorDescription: errorMessage
-                    });
-                }
-                return next({
-                    context: {
-                        oidc: id(id({
-                            isUserLoggedIn: false
-                        }))
+                const { code, wwwAuthenticateResponseHeaderValue, debugErrorMessage } = params;
+                setResponseHeader("WWW-Authenticate", wwwAuthenticateResponseHeaderValue);
+                setResponseStatus(code, (() => {
+                    switch (code) {
+                        case 401:
+                            return "Unauthorized";
+                        case 403:
+                            return "Forbidden";
+                        default:
+                            assert(false);
                     }
-                });
-            }
-            const accessToken = (() => {
-                const prefix = "Bearer ";
-                if (!authorizationHeaderValue.startsWith(prefix)) {
-                    return undefined;
+                })());
+                if (process.env.NODE_ENV === "development") {
+                    console.error(`oidc-spa: ${debugErrorMessage}`);
                 }
-                return authorizationHeaderValue.slice(prefix.length);
-            })();
-            if (accessToken === undefined) {
-                const errorMessage = "Missing well formed Authorization header with Bearer <access_token>";
-                throw unauthorized({
-                    errorMessage,
-                    wwwAuthenticateHeaderErrorDescription: errorMessage
-                });
-            }
+                return new Error(`oidc-spa: ${wwwAuthenticateResponseHeaderValue}`);
+            };
             assert(prValidateAndGetAccessTokenClaims !== undefined);
             const { validateAndGetAccessTokenClaims } = await prValidateAndGetAccessTokenClaims;
-            const resultOfValidate = await validateAndGetAccessTokenClaims({ accessToken });
-            if (!resultOfValidate.isValid) {
-                const { errorMessage, wwwAuthenticateHeaderErrorDescription } = resultOfValidate;
+            const { headers, url, method } = getRequest();
+            const resultOfValidate = await validateAndGetAccessTokenClaims({
+                request: {
+                    url,
+                    method,
+                    headers: {
+                        Authorization: headers.get("Authorization"),
+                        DPoP: headers.get("DPoP")
+                    }
+                }
+            });
+            if (!resultOfValidate.isSuccess) {
+                if (resultOfValidate.isAnonymousRequest) {
+                    if (params?.assert === "user logged in") {
+                        throw unauthorized({
+                            code: 401,
+                            wwwAuthenticateResponseHeaderValue: "Bearer error=\"invalid_request\", error_description=\"Missing access token\"",
+                            debugErrorMessage: [
+                                "Asserted user logged in for that serverFn request",
+                                "but no access token was attached to the request"
+                            ].join(" ")
+                        });
+                    }
+                    return next({
+                        context: {
+                            oidc: id(id({
+                                isUserLoggedIn: false
+                            }))
+                        }
+                    });
+                }
+                const { debugErrorMessage, wwwAuthenticateResponseHeaderValue } = resultOfValidate;
                 throw unauthorized({
-                    errorMessage,
-                    wwwAuthenticateHeaderErrorDescription
+                    code: 401,
+                    wwwAuthenticateResponseHeaderValue,
+                    debugErrorMessage
                 });
             }
-            const { accessTokenClaims } = resultOfValidate;
+            const { accessTokenClaims, accessToken } = resultOfValidate;
             assert(is(accessTokenClaims));
             check_required_claims: {
                 const getHasRequiredClaims = params?.hasRequiredClaims;
@@ -626,13 +635,13 @@ export function createOidcSpaApi(params) {
                 if (hasRequiredClaims) {
                     break check_required_claims;
                 }
-                const errorMessage = [
-                    "Missing or invalid required access token claim.",
-                    `Related to claims: ${Array.from(accessedClaimNames).join(" and/or ")}`
-                ].join(" ");
                 throw unauthorized({
-                    errorMessage,
-                    wwwAuthenticateHeaderErrorDescription: errorMessage
+                    code: 403,
+                    wwwAuthenticateResponseHeaderValue: "Bearer error=\"insufficient_scope\", error_description=\"Insufficient privileges\"",
+                    debugErrorMessage: [
+                        "Missing or invalid required access token claim.",
+                        `Related to claims: ${Array.from(accessedClaimNames).join(" and/or ")}`
+                    ].join(" ")
                 });
             }
             return next({