fix: codeExchange, storage updates, generateAuthUrl fixes

lib/main.test.ts

@@ -49,6 +49,7 @@ describe("index exports", () => {
 
       // token utils
       "getActiveStorage",
+      "hasActiveStorage",
       "getClaim",
       "getClaims",
       "getCurrentOrganization",

lib/utils/generateAuthUrl.test.ts

@@ -3,7 +3,7 @@ import { IssuerRouteTypes, LoginOptions, Scopes } from "../types";
 import { generateAuthUrl } from "./generateAuthUrl";
 
 describe("generateAuthUrl", () => {
-  it("should generate the correct auth URL with required parameters", () => {
+  it("should generate the correct auth URL with required parameters", async () => {
     const domain = "https://auth.example.com";
     const options: LoginOptions = {
       clientId: "client123",
@@ -18,17 +18,24 @@ describe("generateAuthUrl", () => {
       state: "state123",
     };
     const expectedUrl =
-      "https://auth.example.com/oauth2/auth?client_id=client123&response_type=code&start_page=login&login_hint=user%40example.com&is_create_org=true&connection_id=conn123&redirect_uri=https%3A%2F%2Fexample.com&audience=audience123&scope=openid+profile&prompt=login&state=state123";
+      "https://auth.example.com/oauth2/auth?client_id=client123&response_type=code&start_page=login&login_hint=user%40example.com&is_create_org=true&connection_id=conn123&redirect_uri=https%3A%2F%2Fexample.com&audience=audience123&scope=openid+profile&prompt=login&state=state123&code_challenge_method=S256";
 
-    const result = generateAuthUrl(domain, IssuerRouteTypes.login, options);
+    const result = await generateAuthUrl(
+      domain,
+      IssuerRouteTypes.login,
+      options,
+    );
     const nonce = result.url.searchParams.get("nonce");
     expect(nonce).not.toBeNull();
     expect(nonce!.length).toBe(16);
     result.url.searchParams.delete("nonce");
+    const codeChallenge = result.url.searchParams.get("code_challenge");
+    expect(codeChallenge!.length).toBeGreaterThan(32);
+    result.url.searchParams.delete("code_challenge");
     expect(result.url.toString()).toBe(expectedUrl);
   });
 
-  it("should include optional parameters if provided", () => {
+  it("should include optional parameters if provided", async () => {
     const domain = "https://auth.example.com";
     const options: LoginOptions = {
       clientId: "client123",
@@ -41,17 +48,22 @@ describe("generateAuthUrl", () => {
       prompt: "create",
     };
     const expectedUrl =
-      "https://auth.example.com/oauth2/auth?client_id=client123&response_type=code&start_page=login&redirect_uri=https%3A%2F%2Fexample2.com&scope=openid+profile&prompt=create&state=state123&code_challenge=challenge123&code_challenge_method=S256";
+      "https://auth.example.com/oauth2/auth?client_id=client123&response_type=code&start_page=login&redirect_uri=https%3A%2F%2Fexample2.com&audience=&scope=openid+profile&prompt=create&state=state123&code_challenge=challenge123&code_challenge_method=S256";
 
-    const result = generateAuthUrl(domain, IssuerRouteTypes.login, options);
+    const result = await generateAuthUrl(
+      domain,
+      IssuerRouteTypes.login,
+      options,
+    );
     const nonce = result.url.searchParams.get("nonce");
     expect(nonce).not.toBeNull();
     expect(nonce!.length).toBe(16);
     result.url.searchParams.delete("nonce");
+
     expect(result.url.toString()).toBe(expectedUrl);
   });
 
-  it("should handle default responseType if not provided", () => {
+  it("should handle default responseType if not provided", async () => {
     const domain = "https://auth.example.com";
     const options: LoginOptions = {
       clientId: "client123",
@@ -61,17 +73,26 @@ describe("generateAuthUrl", () => {
       state: "state123",
     };
     const expectedUrl =
-      "https://auth.example.com/oauth2/auth?client_id=client123&response_type=code&start_page=login&redirect_uri=https%3A%2F%2Fexample2.com&scope=openid+profile+offline&prompt=create&state=state123";
+      "https://auth.example.com/oauth2/auth?client_id=client123&response_type=code&start_page=login&redirect_uri=https%3A%2F%2Fexample2.com&audience=&scope=openid+profile+offline&prompt=create&state=state123&code_challenge_method=S256";
 
-    const result = generateAuthUrl(domain, IssuerRouteTypes.login, options);
+    const result = await generateAuthUrl(
+      domain,
+      IssuerRouteTypes.login,
+      options,
+    );
     const nonce = result.url.searchParams.get("nonce");
     expect(nonce).not.toBeNull();
     expect(nonce!.length).toBe(16);
     result.url.searchParams.delete("nonce");
+
+    const codeChallenge = result.url.searchParams.get("code_challenge");
+    expect(codeChallenge!.length).toBeGreaterThan(32);
+    result.url.searchParams.delete("code_challenge");
+
     expect(result.url.toString()).toBe(expectedUrl);
   });
 
-  it("should handle default responseType if not provided", () => {
+  it("should handle default responseType if not provided", async () => {
     const domain = "https://auth.example.com";
     const options: LoginOptions = {
       clientId: "client123",
@@ -80,15 +101,22 @@ describe("generateAuthUrl", () => {
       prompt: "create",
     };
     const expectedUrl =
-      "https://auth.example.com/oauth2/auth?client_id=client123&response_type=code&start_page=login&redirect_uri=https%3A%2F%2Fexample2.com&scope=openid+profile+offline&prompt=create";
+      "https://auth.example.com/oauth2/auth?client_id=client123&response_type=code&start_page=login&redirect_uri=https%3A%2F%2Fexample2.com&audience=&scope=openid+profile+offline&prompt=create&code_challenge_method=S256";
 
-    const result = generateAuthUrl(domain, IssuerRouteTypes.login, options);
+    const result = await generateAuthUrl(
+      domain,
+      IssuerRouteTypes.login,
+      options,
+    );
     const nonce = result.url.searchParams.get("nonce");
     expect(nonce).not.toBeNull();
     expect(nonce!.length).toBe(16);
     const state = result.url.searchParams.get("state");
     expect(state).not.toBeNull();
     expect(state!.length).toBe(32);
+    const codeChallenge = result.url.searchParams.get("code_challenge");
+    expect(codeChallenge!.length).toBeGreaterThan(32);
+    result.url.searchParams.delete("code_challenge");
     result.url.searchParams.delete("nonce");
     result.url.searchParams.delete("state");
     expect(result.url.toString()).toBe(expectedUrl);

lib/utils/generateAuthUrl.ts

@@ -1,3 +1,4 @@
+import { base64UrlEncode, getActiveStorage, StorageKeys } from "../main";
 import { IssuerRouteTypes, LoginOptions } from "../types";
 import { generateRandomString } from "./generateRandomString";
 import { mapLoginMethodParamsForUrl } from "./mapLoginMethodParamsForUrl";
@@ -8,13 +9,13 @@
  * @param type
  * @returns URL to redirect to
  */
-export const generateAuthUrl = (
+export const generateAuthUrl = async (
   domain: string,
   type: IssuerRouteTypes = IssuerRouteTypes.login,
   options: LoginOptions,
-): { url: URL; state: string; nonce: string } => {
+): Promise<{ url: URL; state: string; nonce: string }> => {
   const authUrl = new URL(`${domain}/oauth2/auth`);
-
+  const activeStorage = getActiveStorage();
   const searchParams: Record<string, string> = {
     client_id: options.clientId,
     response_type: options.responseType || "code",
@@ -24,18 +25,30 @@
 
   if (!options.state) {
     options.state = generateRandomString(32);
+    if (activeStorage) {
+      activeStorage.setSessionItem(StorageKeys.state, options.state);
+    }
   }
   searchParams["state"] = options.state;
 
   if (!options.nonce) {
     options.nonce = generateRandomString(16);
   }
   searchParams["nonce"] = options.nonce;
+  if (activeStorage) {
+    activeStorage.setSessionItem(StorageKeys.nonce, options.nonce);
+  }
 
   if (options.codeChallenge) {
     searchParams["code_challenge"] = options.codeChallenge;
-    searchParams["code_challenge_method"] = "S256";
+  } else {
+    const { codeVerifier, codeChallenge } = await generatePKCEPair();
+    if (activeStorage) {
+      activeStorage.setSessionItem(StorageKeys.codeVerifier, codeVerifier);
+    }
+    searchParams["code_challenge"] = codeChallenge;
   }
+  searchParams["code_challenge_method"] = "S256";
 
   if (options.codeChallengeMethod) {
     searchParams["code_challenge_method"] = options.codeChallengeMethod;
@@ -48,3 +61,14 @@
     nonce: searchParams["nonce"],
   };
 };
+
+async function generatePKCEPair(): Promise<{
+  codeVerifier: string;
+  codeChallenge: string;
+}> {
+  const codeVerifier = generateRandomString(32);
+  const data = new TextEncoder().encode(codeVerifier);
+  const hashed = await crypto.subtle.digest("SHA-256", data);
+  const codeChallenge = base64UrlEncode(new TextDecoder().decode(hashed));
+  return { codeVerifier, codeChallenge };
+}

lib/utils/mapLoginMethodParamsForUrl.test.ts

@@ -46,6 +46,7 @@ describe("mapLoginMethodParamsForUrl", () => {
     const expectedOutput = {
       login_hint: "[email protected]",
       scope: "openid",
+      audience: "",
     };
 
     const result = mapLoginMethodParamsForUrl(options);
@@ -60,6 +61,7 @@ describe("mapLoginMethodParamsForUrl", () => {
     const expectedOutput = {
       login_hint: "[email protected]",
       scope: "email profile openid offline",
+      audience: "",
     };
 
     const result = mapLoginMethodParamsForUrl(options);
@@ -74,6 +76,7 @@ describe("mapLoginMethodParamsForUrl", () => {
     const expectedOutput = {
       redirect_uri: "https://example.com",
       scope: "email profile openid offline",
+      audience: "",
     };
 
     const result = mapLoginMethodParamsForUrl(options);
@@ -90,6 +93,7 @@ describe("mapLoginMethodParamsForUrl", () => {
       is_create_org: "false",
       has_success_page: "false",
       scope: "email profile openid offline",
+      audience: "",
     };
 
     const result = mapLoginMethodParamsForUrl(options);
@@ -113,6 +117,7 @@ describe("mapLoginMethodParamsForUrl", () => {
 
     const expectedOutput = {
       scope: "email profile openid offline",
+      audience: "",
     };
 
     const result = mapLoginMethodParamsForUrl(options);

lib/utils/mapLoginMethodParamsForUrl.ts

@@ -11,7 +11,7 @@ export const mapLoginMethodParamsForUrl = (
     redirect_uri: options.redirectURL
       ? sanatizeURL(options.redirectURL)
       : undefined,
-    audience: options.audience,
+    audience: options.audience || "",
     scope: options.scope?.join(" ") || "email profile openid offline",
     prompt: options.prompt,
     lang: options.lang,

lib/utils/token/getDecodedToken.test.ts

@@ -5,10 +5,8 @@ import { setActiveStorage } from ".";
 import { createMockAccessToken } from "./testUtils";
 
 describe("getDecodedToken", () => {
-  it("error when no active storage is set", () => {
-    expect(() => getDecodedToken("idToken")).rejects.toThrowError(
-      "Session manager is not initialized",
-    );
+  it("return null when no active storage is defined", async () => {
+    expect(await getDecodedToken("idToken")).toBe(null);
   });
 });
 

lib/utils/token/getDecodedToken.ts

@@ -16,6 +16,10 @@ export const getDecodedToken = async <
 ): Promise<T | null> => {
   const activeStorage = getActiveStorage();
 
+  if (!activeStorage) {
+    return null;
+  }
+
   const token = (await activeStorage.getSessionItem(
     tokenType === "accessToken" ? StorageKeys.accessToken : StorageKeys.idToken,
   )) as string;

lib/utils/token/index.ts

@@ -15,20 +15,34 @@ const storage = {
   value: null as SessionManager | null,
 };
 
+/**
+ * Sets the active storage
+ * @param store Session manager instance
+ */
 const setActiveStorage = (store: SessionManager) => {
   storage.value = store;
 };
 
-const getActiveStorage = () => {
-  if (!storage.value) {
-    throw new Error("Session manager is not initialized");
-  }
-  return storage.value;
+/**
+ * Gets the current active storage
+ * @returns Session manager instance or null
+ */
+const getActiveStorage = (): SessionManager | null => {
+  return storage.value || null;
+};
+
+/**
+ * Checks if there is an active storage
+ * @returns boolean
+ */
+const hasActiveStorage = (): boolean => {
+  return storage.value !== null;
 };
 
 export {
   setActiveStorage,
   getActiveStorage,
+  hasActiveStorage,
   getClaim,
   getClaims,
   getCurrentOrganization,