UNPKG

@aws-amplify/auth

Version:

Auth category of aws-amplify

aws-amplify.github.io

aws-amplify/amplify-js

171 lines (169 loc) • 7.14 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
'use strict'; // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 Object.defineProperty(exports, "__esModule", { value: true }); exports.completeOAuthFlow = void 0; const utils_1 = require("@aws-amplify/core/internals/utils"); const core_1 = require("@aws-amplify/core"); const cacheTokens_1 = require("../../tokenProvider/cacheTokens"); const dispatchSignedInHubEvent_1 = require("../dispatchSignedInHubEvent"); const tokenProvider_1 = require("../../tokenProvider"); const createOAuthError_1 = require("./createOAuthError"); const inflightPromise_1 = require("./inflightPromise"); const validateState_1 = require("./validateState"); const oAuthStore_1 = require("./oAuthStore"); const completeOAuthFlow = async ({ currentUrl, userAgentValue, clientId, redirectUri, responseType, domain, preferPrivateSession, }) => { const urlParams = new utils_1.AmplifyUrl(currentUrl); const error = urlParams.searchParams.get('error'); const errorMessage = urlParams.searchParams.get('error_description'); if (error) { throw (0, createOAuthError_1.createOAuthError)(errorMessage ?? error); } if (responseType === 'code') { return handleCodeFlow({ currentUrl, userAgentValue, clientId, redirectUri, domain, preferPrivateSession, }); } return handleImplicitFlow({ currentUrl, redirectUri, preferPrivateSession, }); }; exports.completeOAuthFlow = completeOAuthFlow; const handleCodeFlow = async ({ currentUrl, userAgentValue, clientId, redirectUri, domain, preferPrivateSession, }) => { /* Convert URL into an object with parameters as keys { redirect_uri: 'http://localhost:3000/', response_type: 'code', ...} */ const url = new utils_1.AmplifyUrl(currentUrl); const code = url.searchParams.get('code'); const state = url.searchParams.get('state'); // if `code` or `state` is not presented in the redirect url, most likely // that the end user cancelled the inflight oauth flow by: // 1. clicking the back button of browser // 2. closing the provider hosted UI page and coming back to the app if (!code || !state) { throw (0, createOAuthError_1.createOAuthError)('User cancelled OAuth flow.'); } // may throw error is being caught in attemptCompleteOAuthFlow.ts const validatedState = await (0, validateState_1.validateState)(state); const oAuthTokenEndpoint = 'https://' + domain + '/oauth2/token'; // TODO(v6): check hub events // dispatchAuthEvent( // 'codeFlow', // {}, // `Retrieving tokens from ${oAuthTokenEndpoint}` // ); const codeVerifier = await oAuthStore_1.oAuthStore.loadPKCE(); const oAuthTokenBody = { grant_type: 'authorization_code', code, client_id: clientId, redirect_uri: redirectUri, ...(codeVerifier ? { code_verifier: codeVerifier } : {}), }; const body = Object.entries(oAuthTokenBody) .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`) .join('&'); const { access_token, refresh_token: refreshToken, id_token, error, error_message: errorMessage, token_type, expires_in, } = await (await fetch(oAuthTokenEndpoint, { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', [utils_1.USER_AGENT_HEADER]: userAgentValue, }, body, })).json(); if (error) { // error is being caught in attemptCompleteOAuthFlow.ts throw (0, createOAuthError_1.createOAuthError)(errorMessage ?? error); } const username = (access_token && (0, core_1.decodeJWT)(access_token).payload.username) ?? 'username'; await (0, cacheTokens_1.cacheCognitoTokens)({ username, AccessToken: access_token, IdToken: id_token, RefreshToken: refreshToken, TokenType: token_type, ExpiresIn: expires_in, }); return completeFlow({ redirectUri, state: validatedState, preferPrivateSession, }); }; const handleImplicitFlow = async ({ currentUrl, redirectUri, preferPrivateSession, }) => { // hash is `null` if `#` doesn't exist on URL const url = new utils_1.AmplifyUrl(currentUrl); const { id_token, access_token, state, token_type, expires_in, error_description, error, } = (url.hash ?? '#') .substring(1) // Remove # from returned code .split('&') .map(pairings => pairings.split('=')) .reduce((accum, [k, v]) => ({ ...accum, [k]: v }), { id_token: undefined, access_token: undefined, state: undefined, token_type: undefined, expires_in: undefined, error_description: undefined, error: undefined, }); if (error) { throw (0, createOAuthError_1.createOAuthError)(error_description ?? error); } if (!access_token) { // error is being caught in attemptCompleteOAuthFlow.ts throw (0, createOAuthError_1.createOAuthError)('No access token returned from OAuth flow.'); } const validatedState = await (0, validateState_1.validateState)(state); const username = (access_token && (0, core_1.decodeJWT)(access_token).payload.username) ?? 'username'; await (0, cacheTokens_1.cacheCognitoTokens)({ username, AccessToken: access_token, IdToken: id_token, TokenType: token_type, ExpiresIn: expires_in, }); return completeFlow({ redirectUri, state: validatedState, preferPrivateSession, }); }; const completeFlow = async ({ redirectUri, state, preferPrivateSession, }) => { await tokenProvider_1.tokenOrchestrator.setOAuthMetadata({ oauthSignIn: true, }); await oAuthStore_1.oAuthStore.clearOAuthData(); await oAuthStore_1.oAuthStore.storeOAuthSignIn(true, preferPrivateSession); // this should be called before any call that involves `fetchAuthSession` // e.g. `getCurrentUser()` below, so it allows every inflight async calls to // `fetchAuthSession` can be resolved (0, inflightPromise_1.resolveAndClearInflightPromises)(); // clear history before sending out final Hub events clearHistory(redirectUri); if (isCustomState(state)) { core_1.Hub.dispatch('auth', { event: 'customOAuthState', data: (0, utils_1.urlSafeDecode)(getCustomState(state)), }, 'Auth', utils_1.AMPLIFY_SYMBOL); } core_1.Hub.dispatch('auth', { event: 'signInWithRedirect' }, 'Auth', utils_1.AMPLIFY_SYMBOL); await (0, dispatchSignedInHubEvent_1.dispatchSignedInHubEvent)(); }; const isCustomState = (state) => { return /-/.test(state); }; const getCustomState = (state) => { return state.split('-').splice(1).join('-'); }; const clearHistory = (redirectUri) => { if (typeof window !== 'undefined' && typeof window.history !== 'undefined') { window.history.replaceState(window.history.state, '', redirectUri); } }; //# sourceMappingURL=completeOAuthFlow.js.map