openapi-explorer 1.0.534 → 1.0.538

package/dist/es/openapi-explorer.js

@@ -480,6 +480,13 @@ export default class OpenApiExplorer extends LitElement {
       this.resolvedSpec = null;
       console.error('OpenAPI Explorer: Unable to resolve the API spec..', err); // eslint-disable-line no-console
     }
+
+    try {
+      await checkForAuthToken.call(this);
+    } catch (error) {
+      // eslint-disable-next-line no-console
+      console.error('Failed to check for authentication token', error);
+    }
   } // Public Method
 
 

package/dist/es/templates/security-scheme-template.js

@@ -54,8 +54,14 @@ function updateOAuthKey(apiKeyId, tokenType = 'Bearer', accessToken) {
 } // Gets Access-Token in exchange of Authorization Code
 
 
-async function fetchAccessToken(tokenUrl, clientId, clientSecret, redirectUrl, grantType, authCode, sendClientSecretIn = 'header', apiKeyId, authFlowDivEl, scopes = null) {
+async function fetchAccessToken(tokenUrl, suggestedClientId, clientSecret, redirectUrl, grantType, authCode, sendClientSecretIn = 'header', apiKeyId, authFlowDivEl, scopes = null) {
   const respDisplayEl = authFlowDivEl ? authFlowDivEl.querySelector('.oauth-resp-display') : undefined;
+  const {
+    codeVerifier,
+    clientId: requestClientId
+  } = JSON.parse(localStorage.getItem('openapi-explorer-oauth') || '{}');
+  localStorage.removeItem('openapi-explorer-oauth');
+  const clientId = suggestedClientId || requestClientId;
   const urlFormParams = new URLSearchParams();
   const headers = new Headers();
   urlFormParams.append('grant_type', grantType);
@@ -82,11 +88,6 @@ async function fetchAccessToken(tokenUrl, clientId, clientSecret, redirectUrl, g
     urlFormParams.append('scope', scopes);
   }
 
-  const {
-    codeVerifier
-  } = JSON.parse(localStorage.getItem('openapi-explorer-oauth') || '{}');
-  localStorage.removeItem('openapi-explorer-oauth');
-
   if (codeVerifier) {
     urlFormParams.append('code_verifier', codeVerifier);
   }
@@ -163,11 +164,22 @@ export async function checkForAuthToken(redirectToApiLocation) {
 
   const sanitizedUrlWithHash = newUrl.toString().replace(/#((code|state|access_token|id_token|authuser|expires_in|hd|prompt|scope|token_type)=[^&]+&?)*$/ig, '');
   history.replaceState({}, undefined, sanitizedUrlWithHash);
+  let parsedState;
+
+  try {
+    // If somehow the state contains a question mark, just remove it, a ? is not a valid here
+    parsedState = JSON.parse(base64url.decode(parameters.state.replace(/\?.*$/, '')));
+  } catch (error) {
+    // eslint-disable-next-line no-console
+    console.error('The state parameter in the OAuth response is invalid', error, parameters.state);
+    return;
+  }
+
   const {
     apiKeyId,
     flowId,
     url
-  } = JSON.parse(base64url.decode(parameters.state));
+  } = parsedState;
 
   if (redirectToApiLocation && url && !parameters.redirect_auth) {
     const apiExplorerLocation = new URL(url);
@@ -207,25 +219,29 @@ async function onInvokeOAuthFlow(apiKeyId, flowType, authUrl, tokenUrl, e) {
   if (flowType === 'authorizationCode' || flowType === 'implicit') {
     const authUrlObj = new URL(authUrl);
     const authCodeParams = new URLSearchParams(authUrlObj.search);
+    let codeVerifier;
 
     if (flowType === 'authorizationCode') {
-      const randomBytes = new Uint32Array(3);
+      const randomBytes = new Uint32Array(12);
       (window.crypto || window.msCrypto).getRandomValues(randomBytes);
       authCodeParams.set('nonce', randomBytes.toString('hex').split(',').join(''));
       grantType = 'authorization_code';
       responseType = 'code';
-      const codeVerifier = randomBytes.toString('hex').split(',').join('');
+      codeVerifier = randomBytes.toString('hex').split(',').join('');
       const hash = await (window.crypto || window.msCrypto).subtle.digest('SHA-256', new TextEncoder().encode(codeVerifier));
       const codeChallenge = base64url(hash);
       authCodeParams.set('code_challenge', codeChallenge);
       authCodeParams.set('code_challenge_method', 'S256');
-      localStorage.setItem('openapi-explorer-oauth', JSON.stringify({
-        codeVerifier
-      }));
     } else if (flowType === 'implicit') {
       responseType = 'token';
     }
 
+    localStorage.setItem('openapi-explorer-oauth', JSON.stringify({
+      codeVerifier,
+      clientId,
+      apiKeyId,
+      flowId: flowType
+    }));
     const selectedScopes = checkedScopeEls.map(v => v.value).join(' ');
 
     if (selectedScopes) {

package/dist/lib/openapi-explorer.js

@@ -521,6 +521,13 @@ class OpenApiExplorer extends _lit.LitElement {
       this.resolvedSpec = null;
       console.error('OpenAPI Explorer: Unable to resolve the API spec..', err); // eslint-disable-line no-console
     }
+
+    try {
+      await _securitySchemeTemplate.checkForAuthToken.call(this);
+    } catch (error) {
+      // eslint-disable-next-line no-console
+      console.error('Failed to check for authentication token', error);
+    }
   } // Public Method
 
 

package/dist/lib/templates/security-scheme-template.js

@@ -67,8 +67,14 @@ function updateOAuthKey(apiKeyId, tokenType = 'Bearer', accessToken) {
 } // Gets Access-Token in exchange of Authorization Code
 
 
-async function fetchAccessToken(tokenUrl, clientId, clientSecret, redirectUrl, grantType, authCode, sendClientSecretIn = 'header', apiKeyId, authFlowDivEl, scopes = null) {
+async function fetchAccessToken(tokenUrl, suggestedClientId, clientSecret, redirectUrl, grantType, authCode, sendClientSecretIn = 'header', apiKeyId, authFlowDivEl, scopes = null) {
   const respDisplayEl = authFlowDivEl ? authFlowDivEl.querySelector('.oauth-resp-display') : undefined;
+  const {
+    codeVerifier,
+    clientId: requestClientId
+  } = JSON.parse(localStorage.getItem('openapi-explorer-oauth') || '{}');
+  localStorage.removeItem('openapi-explorer-oauth');
+  const clientId = suggestedClientId || requestClientId;
   const urlFormParams = new URLSearchParams();
   const headers = new Headers();
   urlFormParams.append('grant_type', grantType);
@@ -95,11 +101,6 @@ async function fetchAccessToken(tokenUrl, clientId, clientSecret, redirectUrl, g
     urlFormParams.append('scope', scopes);
   }
 
-  const {
-    codeVerifier
-  } = JSON.parse(localStorage.getItem('openapi-explorer-oauth') || '{}');
-  localStorage.removeItem('openapi-explorer-oauth');
-
   if (codeVerifier) {
     urlFormParams.append('code_verifier', codeVerifier);
   }
@@ -176,11 +177,22 @@ async function checkForAuthToken(redirectToApiLocation) {
 
   const sanitizedUrlWithHash = newUrl.toString().replace(/#((code|state|access_token|id_token|authuser|expires_in|hd|prompt|scope|token_type)=[^&]+&?)*$/ig, '');
   history.replaceState({}, undefined, sanitizedUrlWithHash);
+  let parsedState;
+
+  try {
+    // If somehow the state contains a question mark, just remove it, a ? is not a valid here
+    parsedState = JSON.parse(_base64url.default.decode(parameters.state.replace(/\?.*$/, '')));
+  } catch (error) {
+    // eslint-disable-next-line no-console
+    console.error('The state parameter in the OAuth response is invalid', error, parameters.state);
+    return;
+  }
+
   const {
     apiKeyId,
     flowId,
     url
-  } = JSON.parse(_base64url.default.decode(parameters.state));
+  } = parsedState;
 
   if (redirectToApiLocation && url && !parameters.redirect_auth) {
     const apiExplorerLocation = new URL(url);
@@ -220,25 +232,29 @@ async function onInvokeOAuthFlow(apiKeyId, flowType, authUrl, tokenUrl, e) {
   if (flowType === 'authorizationCode' || flowType === 'implicit') {
     const authUrlObj = new URL(authUrl);
     const authCodeParams = new URLSearchParams(authUrlObj.search);
+    let codeVerifier;
 
     if (flowType === 'authorizationCode') {
-      const randomBytes = new Uint32Array(3);
+      const randomBytes = new Uint32Array(12);
       (window.crypto || window.msCrypto).getRandomValues(randomBytes);
       authCodeParams.set('nonce', randomBytes.toString('hex').split(',').join(''));
       grantType = 'authorization_code';
       responseType = 'code';
-      const codeVerifier = randomBytes.toString('hex').split(',').join('');
+      codeVerifier = randomBytes.toString('hex').split(',').join('');
       const hash = await (window.crypto || window.msCrypto).subtle.digest('SHA-256', new TextEncoder().encode(codeVerifier));
       const codeChallenge = (0, _base64url.default)(hash);
       authCodeParams.set('code_challenge', codeChallenge);
       authCodeParams.set('code_challenge_method', 'S256');
-      localStorage.setItem('openapi-explorer-oauth', JSON.stringify({
-        codeVerifier
-      }));
     } else if (flowType === 'implicit') {
       responseType = 'token';
     }
 
+    localStorage.setItem('openapi-explorer-oauth', JSON.stringify({
+      codeVerifier,
+      clientId,
+      apiKeyId,
+      flowId: flowType
+    }));
     const selectedScopes = checkedScopeEls.map(v => v.value).join(' ');
 
     if (selectedScopes) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openapi-explorer",
-  "version": "1.0.534",
+  "version": "1.0.538",
   "description": "OpenAPI Explorer - API viewer with dynamically generated components, documentation, and interaction console",
   "author": "Rhosys Developers <developers@rhosys.ch>",
   "type": "module",