kinde-oss · DanielRivers · Nov 19, 2024 · Sep 23, 2024 · Sep 23, 2024 · Oct 9, 2024
diff --git a/lib/main.test.ts b/lib/main.test.ts
@@ -38,8 +38,10 @@ describe("index exports", () => {
       "generateAuthUrl",
       "generateRandomString",
       "mapLoginMethodParamsForUrl",
-      "sanatizeURL",
+      "sanitizeUrl",
       "exchangeAuthCode",
+      "isAuthenticated",
+      "refreshToken",
 
       // session manager
       "MemoryStorage",
@@ -52,6 +54,10 @@ describe("index exports", () => {
       "getActiveStorage",
       "hasActiveStorage",
       "clearActiveStorage",
+      "clearInsecureStorage",
+      "getInsecureStorage",
+      "hasInsecureStorage",
+      "setInsecureStorage",
       "getClaim",
       "getClaims",
       "getCurrentOrganization",

diff --git a/lib/main.ts b/lib/main.ts
@@ -1,4 +1,4 @@
 export * from "./types";
 export * from "./utils";
 export * from "./sessionManager";
-export * from "./utils/token/index.ts";
+export * from "./utils/token";
diff --git a/lib/utils/base64UrlEncode.test.ts b/lib/utils/base64UrlEncode.test.ts
@@ -36,4 +36,16 @@ describe("base64UrlEncode", () => {
     const result = base64UrlEncode(input);
     expect(result).toBe(expectedOutput);
   });
+
+  it("should encode when passed an ArrayBuffer", () => {
+    const buffer = new ArrayBuffer(8);
+    const view = new Uint8Array(buffer);
+    for (let i = 0; i < view.length; i++) {
+      view[i] = i + 1;
+    }
+
+    const expectedOutput = "AQIDBAUGBwg";
+    const result = base64UrlEncode(buffer);
+    expect(result).toBe(expectedOutput);
+  });
 });
diff --git a/lib/utils/base64UrlEncode.ts b/lib/utils/base64UrlEncode.ts
@@ -3,12 +3,18 @@
  * @param str String to encode
  * @returns encoded string
  */
-export const base64UrlEncode = (str: string): string => {
+export const base64UrlEncode = (input: string | ArrayBuffer): string => {
+  const toBase64Url = (str: string): string =>
+    btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+
+  if (input instanceof ArrayBuffer) {
+    const uint8Array = new Uint8Array(input);
+    const binaryString = String.fromCharCode(...uint8Array);
+    return toBase64Url(binaryString);
+  }
+
   const encoder = new TextEncoder();
-  const uintArray = encoder.encode(str);
-  const charArray = Array.from(uintArray);
-  return btoa(String.fromCharCode.apply(null, charArray))
-    .replace(/\+/g, "-")
-    .replace(/\//g, "_")
-    .replace(/=+$/, "");
+  const uint8Array = encoder.encode(input);
+  const binaryString = String.fromCharCode(...uint8Array);
+  return toBase64Url(binaryString);
 };
diff --git a/lib/utils/exchangeAuthCode.test.ts b/lib/utils/exchangeAuthCode.test.ts
@@ -4,16 +4,22 @@ import { MemoryStorage, StorageKeys } from "../sessionManager";
 import { setActiveStorage } from "./token";
 import createFetchMock from "vitest-fetch-mock";
 import { frameworkSettings } from "./exchangeAuthCode";
+import * as refreshTokenTimer from "./refreshTimer";
+import * as main from "../main";
 
 const fetchMock = createFetchMock(vi);
 
 describe("exchangeAuthCode", () => {
   beforeEach(() => {
     fetchMock.enableMocks();
+    vi.spyOn(refreshTokenTimer, "setRefreshTimer");
+    vi.spyOn(main, "refreshToken");
+    vi.useFakeTimers();
   });
 
   afterEach(() => {
     fetchMock.resetMocks();
+    vi.useRealTimers();
   });
 
   it("missing state param", async () => {
@@ -142,10 +148,14 @@ describe("exchangeAuthCode", () => {
     expect(url).toBe("http://test.kinde.com/oauth2/token");
     expect(options).toMatchObject({
       method: "POST",
-      headers: {
-        "Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
-      },
     });
+    expect((options?.headers as Headers).get("Content-type")).toEqual(
+      "application/x-www-form-urlencoded; charset=UTF-8",
+    );
+    expect((options?.headers as Headers).get("Cache-Control")).toEqual(
+      "no-store",
+    );
+    expect((options?.headers as Headers).get("Pragma")).toEqual("no-cache");
   });
 
   it("set the framework and version on header", async () => {
@@ -173,6 +183,7 @@ describe("exchangeAuthCode", () => {
         access_token: "access_token",
         refresh_token: "refresh_token",
         id_token: "id_token",
+        expires_in: 3600,
       }),
     );
 
@@ -188,11 +199,10 @@ describe("exchangeAuthCode", () => {
     expect(url).toBe("http://test.kinde.com/oauth2/token");
     expect(options).toMatchObject({
       method: "POST",
-      headers: {
-        "Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
-        "Kinde-SDK": "Framework/Version",
-      },
     });
+    expect((options?.headers as Headers).get("Kinde-SDK")).toEqual(
+      "Framework/Version",
+    );
   });
 
   it("should handle token exchange failure", async () => {
@@ -226,4 +236,50 @@ describe("exchangeAuthCode", () => {
       error: "Token exchange failed: 500 - error",
     });
   });
+
+  it("should set the refresh timer", async () => {
+    const store = new MemoryStorage();
+    setActiveStorage(store);
+
+    const state = "state";
+
+    await store.setItems({
+      [StorageKeys.state]: state,
+    });
+
+    frameworkSettings.framework = "Framework";
+    frameworkSettings.frameworkVersion = "Version";
+
+    const input = "hello";
+
+    const urlParams = new URLSearchParams();
+    urlParams.append("code", input);
+    urlParams.append("state", state);
+    urlParams.append("client_id", "test");
+
+    fetchMock.mockResponseOnce(
+      JSON.stringify({
+        access_token: "access_token",
+        refresh_token: "refresh_token",
+        id_token: "id_token",
+        expires_in: 3600,
+      }),
+    );
+
+    await exchangeAuthCode({
+      urlParams,
+      domain: "http://test.kinde.com",
+      clientId: "test",
+      redirectURL: "http://test.kinde.com",
+      autoRefresh: true,
+    });
+
+    expect(refreshTokenTimer.setRefreshTimer).toHaveBeenCalledOnce();
+    expect(refreshTokenTimer.setRefreshTimer).toHaveBeenCalledWith(
+      3600,
+      expect.any(Function),
+    );
+    vi.advanceTimersByTime(3600 * 1000);
+    expect(main.refreshToken).toHaveBeenCalledTimes(1);
+  });
 });
diff --git a/lib/utils/exchangeAuthCode.ts b/lib/utils/exchangeAuthCode.ts
@@ -1,4 +1,10 @@
-import { getActiveStorage, StorageKeys } from "../main";
+import {
+  getActiveStorage,
+  getInsecureStorage,
+  refreshToken,
+  StorageKeys,
+} from "../main";
+import { clearRefreshTimer, setRefreshTimer } from "./refreshTimer";
 
 export const frameworkSettings: {
   framework: string;
@@ -13,6 +19,7 @@ interface ExchangeAuthCodeParams {
   domain: string;
   clientId: string;
   redirectURL: string;
+  autoRefresh?: boolean;
 }
 
 interface ExchangeAuthCodeResult {
@@ -28,6 +35,7 @@ export const exchangeAuthCode = async ({
   domain,
   clientId,
   redirectURL,
+  autoRefresh = false,
 }: ExchangeAuthCodeParams): Promise<ExchangeAuthCodeResult> => {
   const state = urlParams.get("state");
   const code = urlParams.get("code");
@@ -40,7 +48,7 @@ export const exchangeAuthCode = async ({
     };
   }
 
-  const activeStorage = getActiveStorage();
+  const activeStorage = getInsecureStorage();
   if (!activeStorage) {
     console.error("No active storage found");
     return {
@@ -88,8 +96,8 @@ export const exchangeAuthCode = async ({
   const response = await fetch(`${domain}/oauth2/token`, {
     method: "POST",
     // ...(isUseCookie && {credentials: 'include'}),
-    credentials: "include",
-    headers,
+    // credentials: "include",
+    headers: new Headers(headers),
     body: new URLSearchParams({
       client_id: clientId,
       code,
@@ -106,20 +114,33 @@ export const exchangeAuthCode = async ({
       error: `Token exchange failed: ${response.status} - ${errorText}`,
     };
   }
+  clearRefreshTimer();
 
   const data: {
     access_token: string;
     id_token: string;
     refresh_token: string;
+    expires_in: number;
   } = await response.json();
 
-  activeStorage.setItems({
+  const secureStore = getActiveStorage();
+  secureStore!.setItems({
     [StorageKeys.accessToken]: data.access_token,
     [StorageKeys.idToken]: data.id_token,
     [StorageKeys.refreshToken]: data.refresh_token,
   });
 
-  await activeStorage.removeItems(StorageKeys.state, StorageKeys.codeVerifier);
+  if (autoRefresh) {
+    setRefreshTimer(data.expires_in, async () => {
+      refreshToken(domain, clientId);
+    });
+  }
+
+  await activeStorage.removeItems(
+    StorageKeys.state,
+    StorageKeys.nonce,
+    StorageKeys.codeVerifier,
+  );
 
   // Clear all url params
   const cleanUrl = (url: URL): URL => {

diff --git a/lib/utils/generateAuthUrl.test.ts b/lib/utils/generateAuthUrl.test.ts
@@ -32,7 +32,7 @@ describe("generateAuthUrl", () => {
     expect(nonce!.length).toBe(16);
     result.url.searchParams.delete("nonce");
     const codeChallenge = result.url.searchParams.get("code_challenge");
-    expect(codeChallenge!.length).toBeGreaterThan(43);
+    expect(codeChallenge!.length).toBeGreaterThanOrEqual(27);
     result.url.searchParams.delete("code_challenge");
     expect(result.url.toString()).toBe(expectedUrl);
   });
@@ -88,7 +88,7 @@ describe("generateAuthUrl", () => {
     result.url.searchParams.delete("nonce");
 
     const codeChallenge = result.url.searchParams.get("code_challenge");
-    expect(codeChallenge!.length).toBeGreaterThan(43);
+    expect(codeChallenge!.length).toBeGreaterThanOrEqual(27);
     result.url.searchParams.delete("code_challenge");
 
     expect(result.url.toString()).toBe(expectedUrl);
@@ -117,7 +117,7 @@ describe("generateAuthUrl", () => {
     expect(state).not.toBeNull();
     expect(state!.length).toBe(32);
     const codeChallenge = result.url.searchParams.get("code_challenge");
-    expect(codeChallenge!.length).toBeGreaterThan(43);
+    expect(codeChallenge!.length).toBeGreaterThanOrEqual(27);
     result.url.searchParams.delete("code_challenge");
     result.url.searchParams.delete("nonce");
     result.url.searchParams.delete("state");

diff --git a/lib/utils/generateAuthUrl.ts b/lib/utils/generateAuthUrl.ts
@@ -1,4 +1,4 @@
-import { base64UrlEncode, getActiveStorage, StorageKeys } from "../main";
+import { base64UrlEncode, getInsecureStorage, StorageKeys } from "../main";
 import { IssuerRouteTypes, LoginOptions } from "../types";
 import { generateRandomString } from "./generateRandomString";
 import { mapLoginMethodParamsForUrl } from "./mapLoginMethodParamsForUrl";
@@ -13,9 +13,14 @@ export const generateAuthUrl = async (
   domain: string,
   type: IssuerRouteTypes = IssuerRouteTypes.login,
   options: LoginOptions,
-): Promise<{ url: URL; state: string; nonce: string }> => {
+): Promise<{
+  url: URL;
+  state: string;
+  nonce: string;
+  codeChallenge: string;
+}> => {
   const authUrl = new URL(`${domain}/oauth2/auth`);
-  const activeStorage = getActiveStorage();
+  const activeStorage = getInsecureStorage();
   const searchParams: Record<string, string> = {
     client_id: options.clientId,
     response_type: options.responseType || "code",
@@ -59,18 +64,17 @@ export const generateAuthUrl = async (
     url: authUrl,
     state: searchParams["state"],
     nonce: searchParams["nonce"],
+    codeChallenge: searchParams["code_challenge"],
   };
 };
 
-async function generatePKCEPair(): Promise<{
+export async function generatePKCEPair(): Promise<{
   codeVerifier: string;
   codeChallenge: string;
 }> {
-  const codeVerifier = generateRandomString(43);
+  const codeVerifier = generateRandomString(52);
   const data = new TextEncoder().encode(codeVerifier);
   const hashed = await crypto.subtle.digest("SHA-256", data);
-  const hashArray = Array.from(new Uint8Array(hashed));
-  const hashString = hashArray.map((b) => String.fromCharCode(b)).join("");
-  const codeChallenge = base64UrlEncode(hashString);
+  const codeChallenge = base64UrlEncode(hashed);
   return { codeVerifier, codeChallenge };
 }
diff --git a/lib/utils/index.ts b/lib/utils/index.ts
@@ -2,7 +2,7 @@
 import { base64UrlEncode } from "./base64UrlEncode";
 import { generateRandomString } from "./generateRandomString";
 import { extractAuthResults } from "./extractAuthResults";
-import { sanatizeURL } from "./sanatizeUrl";
+import { sanitizeUrl } from "./sanitizeUrl";
 import { generateAuthUrl } from "./generateAuthUrl";
 import { mapLoginMethodParamsForUrl } from "./mapLoginMethodParamsForUrl";
 import { exchangeAuthCode, frameworkSettings } from "./exchangeAuthCode";
@@ -15,7 +15,7 @@ export {
   base64UrlEncode,
   generateRandomString,
   extractAuthResults,
-  sanatizeURL,
+  sanitizeUrl,
   generateAuthUrl,
   mapLoginMethodParamsForUrl,
   exchangeAuthCode,

diff --git a/lib/utils/mapLoginMethodParamsForUrl.ts b/lib/utils/mapLoginMethodParamsForUrl.ts
@@ -1,5 +1,5 @@
 import { LoginMethodParams } from "../types";
-import { sanatizeURL } from "./sanatizeUrl";
+import { sanitizeUrl } from "./sanitizeUrl";
 
 export const mapLoginMethodParamsForUrl = (
   options: Partial<LoginMethodParams>,
@@ -9,7 +9,7 @@ export const mapLoginMethodParamsForUrl = (
     is_create_org: options.isCreateOrg?.toString(),
     connection_id: options.connectionId,
     redirect_uri: options.redirectURL
-      ? sanatizeURL(options.redirectURL)
+      ? sanitizeUrl(options.redirectURL)
       : undefined,
     audience: options.audience || "",
     scope: options.scope?.join(" ") || "email profile openid offline",