UNPKG

@delewis13/appauth

Version:

A general purpose OAuth client. Vendored awaiting PR merge

openid/AppAuth-JS

121 lines (112 loc) 3.78 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
/* * Copyright 2017 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except * in compliance with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software distributed under the * License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either * express or implied. See the License for the specific language governing permissions and * limitations under the License. */ import {Crypto, DefaultCrypto} from './crypto_utils'; import {log} from './logger'; import {StringMap} from './types'; /** * Represents an AuthorizationRequest as JSON. */ export interface AuthorizationRequestJson { response_type: string; client_id: string; redirect_uri: string; scope: string; state?: string; extras?: StringMap; internal?: StringMap; } /** * Generates a cryptographically random new state. Useful for CSRF protection. */ const SIZE = 10; // 10 bytes const newState = function(crypto: Crypto): string { return crypto.generateRandom(SIZE); }; /** * Represents the AuthorizationRequest. * For more information look at * https://tools.ietf.org/html/rfc6749#section-4.1.1 */ export class AuthorizationRequest { static RESPONSE_TYPE_TOKEN = 'token'; static RESPONSE_TYPE_CODE = 'code'; // NOTE: // Both redirect_uri and state are actually optional. // However AppAuth is more opionionated, and requires you to use both. clientId: string; redirectUri: string; scope: string; responseType: string; state: string; extras?: StringMap; internal?: StringMap; /** * Constructs a new AuthorizationRequest. * Use a `undefined` value for the `state` parameter, to generate a random * state for CSRF protection. */ constructor( request: AuthorizationRequestJson, private crypto: Crypto = new DefaultCrypto(), private usePkce: boolean = true) { this.clientId = request.client_id; this.redirectUri = request.redirect_uri; this.scope = request.scope; this.responseType = request.response_type || AuthorizationRequest.RESPONSE_TYPE_CODE; this.state = request.state || newState(crypto); this.extras = request.extras; // read internal properties if available this.internal = request.internal; } setupCodeVerifier(): Promise<void> { if (!this.usePkce) { return Promise.resolve(); } else { const codeVerifier = this.crypto.generateRandom(128); const challenge: Promise<string|undefined> = this.crypto.deriveChallenge(codeVerifier).catch(error => { log('Unable to generate PKCE challenge. Not using PKCE', error); return undefined; }); return challenge.then(result => { if (result) { // keep track of the code used. this.internal = this.internal || {}; this.internal['code_verifier'] = codeVerifier; this.extras = this.extras || {}; this.extras['code_challenge'] = result; // We always use S256. Plain is not good enough. this.extras['code_challenge_method'] = 'S256'; } }); } } /** * Serializes the AuthorizationRequest to a JavaScript Object. */ toJson(): Promise<AuthorizationRequestJson> { // Always make sure that the code verifier is setup when toJson() is called. return this.setupCodeVerifier().then(() => { return { response_type: this.responseType, client_id: this.clientId, redirect_uri: this.redirectUri, scope: this.scope, state: this.state, extras: this.extras, internal: this.internal }; }); } }