UNPKG

@badgateway/oauth2-client

Version:

OAuth2 client for browsers and Node.js. Tiny footprint, PKCE support

github.com/badgateway/oauth2-client

badgateway/oauth2-client

280 lines (221 loc) 7.59 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
import type { OAuth2Token } from './token.ts'; import { OAuth2Client } from './client.ts'; type FetchMiddleware = (request: Request, next: (request: Request) => Promise<Response>) => Promise<Response>; type OAuth2FetchOptions = { /** * Reference to OAuth2 client. */ client: OAuth2Client; /** * You are responsible for implementing this function. * it's purpose is to supply the 'initial' oauth2 token. * * This function may be async. Return `null` to fail the process. */ getNewToken(): OAuth2Token | null | Promise<OAuth2Token | null>; /** * If set, will be called if authentication fatally failed. */ onError?: (err: Error) => void; /** * This function is called whenever the active token changes. Using this is * optional, but it may be used to (for example) put the token in off-line * storage for later usage. */ storeToken?: (token: OAuth2Token) => void; /** * Also an optional feature. Implement this if you want the wrapper to try a * stored token before attempting a full re-authentication. * * This function may be async. Return null if there was no token. */ getStoredToken?: () => OAuth2Token | null | Promise<OAuth2Token | null>; /** * Whether to automatically schedule token refresh. * * Certain execution environments, e.g. React Native, do not handle scheduled * tasks with setTimeout() in a graceful or predictable fashion. The default * behavior is to schedule refresh. Set this to false to disable scheduling. */ scheduleRefresh?: boolean; } export class OAuth2Fetch { private options: OAuth2FetchOptions; /** * Current active token (if any) */ private token: OAuth2Token | null = null; /** * If the user had a storedToken, the process to fetch it * may be async. We keep track of this process in this * promise, so it may be awaited to avoid race conditions. * * As soon as this promise resolves, this property gets nulled. */ private activeGetStoredToken: null | Promise<void> = null; constructor(options: OAuth2FetchOptions) { if (options?.scheduleRefresh === undefined) { options.scheduleRefresh = true; } this.options = options; if (options.getStoredToken) { this.activeGetStoredToken = (async () => { this.token = await options.getStoredToken!(); this.activeGetStoredToken = null; })(); } this.scheduleRefresh(); } /** * Does a fetch request and adds a Bearer / access token. * * If the access token is not known, this function attempts to fetch it * first. If the access token is almost expiring, this function might attempt * to refresh it. */ async fetch(input: RequestInfo, init?: RequestInit): Promise<Response> { // input might be a string or a Request object, we want to make sure this // is always a fully-formed Request object. const request = new Request(input, init); return this.mw()( request, req => fetch(req) ); } /** * This function allows the fetch-mw to be called as more traditional * middleware. * * This function returns a middleware function with the signature * (request, next): Response */ mw(): FetchMiddleware { return async (request, next) => { const accessToken = await this.getAccessToken(); // Make a clone. We need to clone if we need to retry the request later. let authenticatedRequest = request.clone(); authenticatedRequest.headers.set('Authorization', 'Bearer ' + accessToken); let response = await next(authenticatedRequest); if (!response.ok && response.status === 401) { const newToken = await this.refreshToken(); authenticatedRequest = request.clone(); authenticatedRequest.headers.set('Authorization', 'Bearer ' + newToken.accessToken); response = await next(authenticatedRequest); } return response; }; } /** * Returns current token information. * * There result object will have: * * accessToken * * expiresAt - when the token expires, or null. * * refreshToken - may be null * * This function will attempt to automatically refresh if stale. */ async getToken(): Promise<OAuth2Token> { if (this.token && (this.token.expiresAt === null || this.token.expiresAt > Date.now())) { // The current token is still valid return this.token; } return this.refreshToken(); } /** * Returns an access token. * * If the current access token is not known, it will attempt to fetch it. * If the access token is expiring, it will attempt to refresh it. */ async getAccessToken(): Promise<string> { // Ensure getStoredToken finished. await this.activeGetStoredToken; const token = await this.getToken(); return token.accessToken; } /** * Keeping track of an active refreshToken operation. * * This will allow us to ensure only 1 such operation happens at any * given time. */ private activeRefresh: Promise<OAuth2Token> | null = null; /** * Forces an access token refresh */ async refreshToken(): Promise<OAuth2Token> { if (this.activeRefresh) { // If we are currently already doing this operation, // make sure we don't do it twice in parallel. return this.activeRefresh; } const oldToken = this.token; this.activeRefresh = (async() => { let newToken: OAuth2Token|null = null; try { if (oldToken?.refreshToken) { // We had a refresh token, lets see if we can use it! newToken = await this.options.client.refreshToken(oldToken); } } catch (_err) { console.warn('[oauth2] refresh token not accepted, we\'ll try reauthenticating'); } if (!newToken) { newToken = await this.options.getNewToken(); } if (!newToken) { const err = new Error('Unable to obtain OAuth2 tokens, a full reauth may be needed'); this.options.onError?.(err); throw err; } return newToken; })(); try { const token = await this.activeRefresh; this.token = token; this.options.storeToken?.(token); this.scheduleRefresh(); return token; } catch (err: any) { if (this.options.onError) { this.options.onError(err); } throw err; } finally { // Make sure we clear the current refresh operation. this.activeRefresh = null; } } /** * Timer trigger for the next automated refresh */ private refreshTimer: ReturnType<typeof setTimeout> | null = null; private scheduleRefresh() { if (!this.options.scheduleRefresh) { return; } if (this.refreshTimer) { clearTimeout(this.refreshTimer); this.refreshTimer = null; } if (!this.token?.expiresAt || !this.token.refreshToken) { // If we don't know when the token expires, or don't have a refresh_token, don't bother. return; } const expiresIn = this.token.expiresAt - Date.now(); // We only schedule this event if it happens more than 2 minutes in the future. if (expiresIn < 120*1000) { return; } // Schedule 1 minute before expiry this.refreshTimer = setTimeout(async () => { try { await this.refreshToken(); } catch (err) { // eslint-disable-next-line no-console console.error('[fetch-mw-oauth2] error while doing a background OAuth2 auto-refresh', err); } }, expiresIn - 60*1000); } }