npm - oidc-spa - Versions diffs - 8.6.19 → 8.7.1 - Mend

oidc-spa 8.6.19 → 8.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (140) hide show

package/backend.d.ts +3 -20
package/backend.js +50 -242
package/backend.js.map +1 -1
package/core/OidcMetadata.d.ts +2 -2
package/core/OidcMetadata.js.map +1 -1
package/core/createOidc.d.ts +2 -4
package/core/createOidc.js +49 -3
package/core/createOidc.js.map +1 -1
package/core/dpop.d.ts +20 -0
package/core/dpop.js +389 -0
package/core/dpop.js.map +1 -0
package/core/earlyInit.js +2 -0
package/core/earlyInit.js.map +1 -1
package/core/oidcClientTsUserToTokens.d.ts +1 -0
package/core/oidcClientTsUserToTokens.js +15 -5
package/core/oidcClientTsUserToTokens.js.map +1 -1
package/core/tokenExfiltrationDefense.js +49 -6
package/core/tokenExfiltrationDefense.js.map +1 -1
package/esm/angular.d.ts +2 -0
package/esm/angular.mjs.map +1 -1
package/esm/backend.d.ts +3 -20
package/esm/backend.mjs +50 -242
package/esm/backend.mjs.map +1 -1
package/esm/core/OidcMetadata.d.ts +2 -2
package/esm/core/OidcMetadata.mjs.map +1 -1
package/esm/core/createOidc.d.ts +2 -4
package/esm/core/createOidc.mjs +49 -3
package/esm/core/createOidc.mjs.map +1 -1
package/esm/core/dpop.d.ts +20 -0
package/esm/core/dpop.mjs +384 -0
package/esm/core/dpop.mjs.map +1 -0
package/esm/core/earlyInit.mjs +2 -0
package/esm/core/earlyInit.mjs.map +1 -1
package/esm/core/oidcClientTsUserToTokens.d.ts +1 -0
package/esm/core/oidcClientTsUserToTokens.mjs +15 -5
package/esm/core/oidcClientTsUserToTokens.mjs.map +1 -1
package/esm/core/tokenExfiltrationDefense.mjs +49 -6
package/esm/core/tokenExfiltrationDefense.mjs.map +1 -1
package/esm/react-spa/createOidcSpaApi.mjs +2 -1
package/esm/react-spa/createOidcSpaApi.mjs.map +1 -1
package/esm/react-spa/types.d.ts +2 -0
package/esm/server/createOidcSpaUtils.d.ts +5 -0
package/esm/server/createOidcSpaUtils.mjs +639 -0
package/esm/server/createOidcSpaUtils.mjs.map +1 -0
package/esm/server/index.d.ts +2 -0
package/esm/server/index.mjs +3 -0
package/esm/server/index.mjs.map +1 -0
package/esm/server/types.d.ts +79 -0
package/esm/server/types.mjs +2 -0
package/esm/server/types.mjs.map +1 -0
package/esm/server/utilsBuilder.d.ts +10 -0
package/esm/server/utilsBuilder.mjs +13 -0
package/esm/server/utilsBuilder.mjs.map +1 -0
package/esm/tanstack-start/react/accessTokenValidation_rfc9068.d.ts +1 -1
package/esm/tanstack-start/react/accessTokenValidation_rfc9068.mjs +102 -94
package/esm/tanstack-start/react/accessTokenValidation_rfc9068.mjs.map +1 -1
package/esm/tanstack-start/react/createOidcSpaApi.d.ts +2 -2
package/esm/tanstack-start/react/createOidcSpaApi.mjs +60 -51
package/esm/tanstack-start/react/createOidcSpaApi.mjs.map +1 -1
package/esm/tanstack-start/react/index.d.ts +1 -1
package/esm/tanstack-start/react/index.mjs +2 -2
package/esm/tanstack-start/react/index.mjs.map +1 -1
package/esm/tanstack-start/react/types.d.ts +36 -11
package/esm/tanstack-start/react/{apiBuilder.d.ts → utilsBuilder.d.ts} +9 -9
package/esm/tanstack-start/react/{apiBuilder.mjs → utilsBuilder.mjs} +6 -6
package/esm/tanstack-start/react/utilsBuilder.mjs.map +1 -0
package/esm/tools/generateES256DPoPProof.d.ts +8 -0
package/esm/tools/generateES256DPoPProof.mjs +48 -0
package/esm/tools/generateES256DPoPProof.mjs.map +1 -0
package/esm/tools/getServerDateNow.d.ts +5 -0
package/esm/tools/getServerDateNow.mjs +7 -0
package/esm/tools/getServerDateNow.mjs.map +1 -0
package/esm/vendor/{backend → server}/evt.mjs +84 -140
package/esm/vendor/{backend → server}/jose.mjs +5 -27
package/esm/vendor/{backend → server}/tsafe.d.ts +1 -0
package/esm/vendor/{backend → server}/tsafe.mjs +6 -0
package/esm/vendor/{backend → server}/zod.mjs +196 -50
package/package.json +6 -1
package/react-spa/createOidcSpaApi.js +2 -1
package/react-spa/createOidcSpaApi.js.map +1 -1
package/react-spa/types.d.ts +2 -0
package/server/createOidcSpaUtils.d.ts +5 -0
package/server/createOidcSpaUtils.js +642 -0
package/server/createOidcSpaUtils.js.map +1 -0
package/server/index.d.ts +2 -0
package/server/index.js +6 -0
package/server/index.js.map +1 -0
package/server/types.d.ts +79 -0
package/server/types.js +3 -0
package/server/types.js.map +1 -0
package/server/utilsBuilder.d.ts +10 -0
package/server/utilsBuilder.js +16 -0
package/server/utilsBuilder.js.map +1 -0
package/src/angular.ts +3 -0
package/src/backend.ts +63 -364
package/src/core/OidcMetadata.ts +4 -2
package/src/core/createOidc.ts +62 -6
package/src/core/dpop.ts +583 -0
package/src/core/earlyInit.ts +3 -0
package/src/core/oidcClientTsUserToTokens.ts +18 -4
package/src/core/tokenExfiltrationDefense.ts +60 -5
package/src/react-spa/createOidcSpaApi.ts +2 -1
package/src/react-spa/types.tsx +3 -0
package/src/server/createOidcSpaUtils.ts +848 -0
package/src/server/index.ts +4 -0
package/src/server/types.tsx +99 -0
package/src/server/utilsBuilder.ts +41 -0
package/src/tanstack-start/react/accessTokenValidation_rfc9068.ts +134 -124
package/src/tanstack-start/react/createOidcSpaApi.ts +73 -69
package/src/tanstack-start/react/index.ts +2 -2
package/src/tanstack-start/react/types.tsx +44 -12
package/src/tanstack-start/react/{apiBuilder.ts → utilsBuilder.ts} +14 -14
package/src/tools/generateES256DPoPProof.ts +74 -0
package/src/tools/getServerDateNow.ts +11 -0
package/src/vendor/{backend → server}/tsafe.ts +1 -0
package/tools/generateES256DPoPProof.d.ts +8 -0
package/tools/generateES256DPoPProof.js +51 -0
package/tools/generateES256DPoPProof.js.map +1 -0
package/tools/getServerDateNow.d.ts +5 -0
package/tools/getServerDateNow.js +10 -0
package/tools/getServerDateNow.js.map +1 -0
package/vendor/server/evt.js +3 -0
package/vendor/server/jose.js +3 -0
package/vendor/{backend → server}/tsafe.d.ts +1 -0
package/vendor/server/tsafe.js +2 -0
package/vendor/server/zod.js +3 -0
package/esm/tanstack-start/react/apiBuilder.mjs.map +0 -1
package/vendor/backend/evt.js +0 -3
package/vendor/backend/jose.js +0 -3
package/vendor/backend/tsafe.js +0 -2
package/vendor/backend/zod.js +0 -3
/package/esm/vendor/{backend → server}/evt.d.ts +0 -0
/package/esm/vendor/{backend → server}/jose.d.ts +0 -0
/package/esm/vendor/{backend → server}/zod.d.ts +0 -0
/package/src/vendor/{backend → server}/evt.ts +0 -0
/package/src/vendor/{backend → server}/jose.ts +0 -0
/package/src/vendor/{backend → server}/zod.ts +0 -0
/package/vendor/{backend → server}/evt.d.ts +0 -0
/package/vendor/{backend → server}/jose.d.ts +0 -0
/package/vendor/{backend → server}/zod.d.ts +0 -0

package/src/core/earlyInit.ts CHANGED Viewed

@@ -10,6 +10,7 @@ import {
     type Params as Params_handleTokenExfiltrationDefense_legacy
 } from "./tokenExfiltrationDefense_legacy";
 import { enableTokenExfiltrationDefense } from "./tokenExfiltrationDefense";
+import { implementFetchAndXhrDPoPInterceptor } from "./dpop";
 let hasEarlyInitBeenCalled = false;
@@ -77,6 +78,8 @@ export function oidcEarlyInit(params: ParamsOfEarlyInit | ParamsOfEarlyInit_lega
     const { shouldLoadApp } = handleOidcCallback();
     if (shouldLoadApp) {
+        implementFetchAndXhrDPoPInterceptor();
         token_exfiltration_defense: {
             if (!("enableTokenExfiltrationDefense" in params)) {
                 handleTokenExfiltrationDefense_legacy({

package/src/core/oidcClientTsUserToTokens.ts CHANGED Viewed

@@ -6,6 +6,8 @@ import { decodeJwt } from "../tools/decodeJwt";
 import type { Oidc } from "./Oidc";
 import { INFINITY_TIME } from "../tools/INFINITY_TIME";
 import { getIsTokenSubstitutionEnabled, getTokensPlaceholders } from "./tokenPlaceholderSubstitution";
+import { registerAccessTokenForDPoP } from "./dpop";
+import { createGetServerDateNow, type ParamsOfCreateGetServerDateNow } from "../tools/getServerDateNow";
 export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, unknown>>(params: {
     configId: string;
@@ -15,6 +17,7 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
     };
     __unsafe_useIdTokenAsAccessToken: boolean;
     decodedIdToken_previous: DecodedIdToken | undefined;
+    isDPoPEnabled: boolean;
     log: typeof console.log | undefined;
 }): Oidc.Tokens<DecodedIdToken> {
     const {
@@ -23,6 +26,7 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
         decodedIdTokenSchema,
         __unsafe_useIdTokenAsAccessToken,
         decodedIdToken_previous,
+        isDPoPEnabled,
         log
     } = params;
@@ -107,6 +111,11 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
         return id_token_iat * 1000;
     })();
+    const paramsOfCreateGetServerDateNow: ParamsOfCreateGetServerDateNow = {
+        issuedAtTime_local: oidcClientTsUser.__oidc_spa_localTimeWhenTokenIssued,
+        issuedAtTime
+    };
     const tokens_common: Oidc.Tokens.Common<DecodedIdToken> = {
         ...(__unsafe_useIdTokenAsAccessToken
             ? {
@@ -166,10 +175,7 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
         decodedIdToken,
         decodedIdToken_original,
         issuedAtTime,
-        getServerDateNow: (() => {
-            const issuedAtTime_local = oidcClientTsUser.__oidc_spa_localTimeWhenTokenIssued;
-            return () => Date.now() + (issuedAtTime - issuedAtTime_local);
-        })()
+        getServerDateNow: createGetServerDateNow(paramsOfCreateGetServerDateNow)
     };
     const tokens: Oidc.Tokens<DecodedIdToken> =
@@ -229,6 +235,14 @@ export function oidcClientTsUserToTokens<DecodedIdToken extends Record<string, u
                   })()
               });
+    if (isDPoPEnabled) {
+        registerAccessTokenForDPoP({
+            configId,
+            accessToken: tokens.accessToken,
+            paramsOfCreateGetServerDateNow
+        });
+    }
     if (getIsTokenSubstitutionEnabled()) {
         const placeholders = getTokensPlaceholders({
             configId,

package/src/core/tokenExfiltrationDefense.ts CHANGED Viewed

@@ -341,11 +341,7 @@ function patchXMLHttpRequestApiToSubstituteTokenPlaceholder(params: {
             throw new Error("oidc-spa: Blocked request to hashed static asset.");
         }
-        if (async === undefined) {
-            return open_actual.bind(this)(method, state.url);
-        } else {
-            return open_actual.call(this, method, state.url, async, username, password);
-        }
+        return open_actual.call(this, method, state.url, async as true, username, password);
     };
     XMLHttpRequest.prototype.setRequestHeader = function setRequestHeader(name, value) {
@@ -911,6 +907,65 @@ function runMonkeyPatchingPrevention() {
         });
     }
+    crypto_subtle: {
+        const { crypto } = window;
+        if (!crypto?.subtle) {
+            break crypto_subtle;
+        }
+        const subtle = crypto.subtle;
+        const prototype = Object.getPrototypeOf(subtle);
+        for (const propertyName of Object.getOwnPropertyNames(prototype)) {
+            const pd = Object.getOwnPropertyDescriptor(prototype, propertyName);
+            assert(pd !== undefined);
+            if (!pd.configurable) {
+                continue;
+            }
+            const target = `window.crypto.subtle.${propertyName}`;
+            Object.defineProperty(prototype, propertyName, {
+                enumerable: pd.enumerable,
+                configurable: false,
+                ...("value" in pd
+                    ? {
+                          get: () => pd.value,
+                          set: () => {
+                              throw createWriteError(target);
+                          }
+                      }
+                    : {
+                          get: pd.get,
+                          set:
+                              pd.set ??
+                              (() => {
+                                  throw createWriteError(target);
+                              })
+                      })
+            });
+        }
+        {
+            const subtlePd = Object.getOwnPropertyDescriptor(crypto, "subtle");
+            if (subtlePd !== undefined && !subtlePd.configurable) {
+                break crypto_subtle;
+            }
+        }
+        Object.defineProperty(crypto, "subtle", {
+            configurable: false,
+            enumerable: true,
+            get: () => subtle,
+            set: () => {
+                throw createWriteError("window.crypto.subtle");
+            }
+        });
+    }
     {
         const name = "serviceWorker";

package/src/react-spa/createOidcSpaApi.ts CHANGED Viewed

@@ -414,7 +414,8 @@ export function createOidcSpaApi<
                                 __metadata: paramsOfBootstrap.__metadata,
                                 __unsafe_useIdTokenAsAccessToken:
                                     paramsOfBootstrap.__unsafe_useIdTokenAsAccessToken,
-                                autoLogoutParams: paramsOfBootstrap.autoLogoutParams
+                                autoLogoutParams: paramsOfBootstrap.autoLogoutParams,
+                                dpop: paramsOfBootstrap.dpop
                             });
                         } catch (error) {
                             if (!(error instanceof OidcInitializationError)) {

package/src/react-spa/types.tsx CHANGED Viewed

@@ -289,6 +289,9 @@ export namespace ParamsOfBootstrap {
          * (if you weren't able to provide it)
          */
         BASE_URL?: string;
+        /** See: https://docs.oidc-spa.dev/v/v8/features/dpop */
+        dpop?: "disabled" | "enabled" | "auto";
     } & (AutoLogin extends true ? {} : {});
     export type Mock<AutoLogin, DecodedIdToken> = {