feat(interceptor): auth interceptor is now part of auth-js

Author: Badisi

apps/demo-app/web/common/components/demo-app-playground.element.ts

@@ -64,7 +64,7 @@ template.innerHTML = `
                 </div>
                 <div class="input row">
                     <label for="api-headers-input">Custom headers</label>
-                    <input id="api-headers-input" class="flex" placeholder='ex: "name": "value";' />
+                    <input id="api-headers-input" class="flex" placeholder='ex: name1:one,name2=two' />
                 </div>
             </div>
             <button id="api-get-button">GET</button>

apps/demo-app/web/ngx-auth/src/app/demo/demo.component.ts

@@ -51,18 +51,17 @@ export class DemoComponent implements AfterViewInit {
     // --- HANDLER(s) ---
 
     public callPrivateApi(event: Event): void {
-
         const { url, headers } = (event as CustomEvent).detail as {
             url: string;
             headers: string;
         };
 
         if (url) {
             let httpHeaders = new HttpHeaders();
-            headers.split(';').forEach(header => {
+            headers.split(',').forEach(header => {
                 if (header) {
                     const item = header.split(':');
-                    httpHeaders = httpHeaders.append(item[0]?.trim(), item[1]?.trim() || '');
+                    httpHeaders = httpHeaders.append(item[0]?.trim(), item[1]?.trim() ?? '');
                 }
             });
 

libs/auth-js/oidc/default-settings.ts

@@ -0,0 +1,33 @@
+/* eslint-disable camelcase, @typescript-eslint/naming-convention */
+
+import { LogLevel } from '../core';
+import type { DefaultSettings } from './models/default-settings.model';
+import { DesktopNavigation } from './models/desktop-navigation.enum';
+
+export const REDIRECT_URL_KEY = 'auth-js:oidc_manager:redirect_url';
+
+export const DEFAULT_SETTINGS: DefaultSettings = {
+    loginRequired: false,
+    retrieveUserSession: true,
+    loadUserInfo: false,
+    automaticSilentRenew: true,
+    desktopNavigationType: DesktopNavigation.REDIRECT,
+    scope: 'openid profile email phone',
+    logLevel: LogLevel.NONE,
+    automaticLoginOn401: true,
+    automaticInjectToken: {
+        include: (url: string): boolean => {
+            const res = new URL(url, 'http://default-base');
+            return res.hostname.startsWith('api') || res.pathname.startsWith('/api') || false;
+        }
+    },
+    internal: {
+        response_type: 'code',
+        redirect_uri: '?oidc-callback=login',
+        post_logout_redirect_uri: '?oidc-callback=logout',
+        popup_redirect_uri: 'oidc/callback/popup_redirect.html',
+        popup_post_logout_redirect_uri: 'oidc/callback/popup_redirect.html',
+        silent_redirect_uri: 'oidc/callback/silent_redirect.html',
+        mobileWindowPresentationStyle: 'popover'
+    }
+};

libs/auth-js/oidc/index.ts

@@ -6,13 +6,17 @@
  * Copyright (C) 2018 Badisi
  */
 
-export type { AuthGuardOptions, AuthGuardValidator, AuthSubscriber, AuthSubscriberOptions, AuthSubscription, Optional } from '../core';
+export type {
+    AuthGuardOptions, AuthGuardValidator, AuthSubscriber, AuthSubscriberOptions, AuthSubscription, Optional
+} from '../core';
 export { AuthManager, AuthSubscriptions, AuthUtils, LogLevel } from '../core';
 export { initOidc } from './main';
 export type { AccessToken } from './models/access-token.model';
 export type { LoginArgs, LogoutArgs, RenewArgs, SigninMobileArgs, SignoutMobileArgs } from './models/args.model';
 export { DesktopNavigation } from './models/desktop-navigation.enum';
 export type { IdToken } from './models/id-token.model';
+export type { InjectToken } from './models/inject-token.model';
+export type { InjectTokenPattern } from './models/inject-token-pattern.model';
 export type { MobileWindowParams } from './models/mobile-window-params.model';
 export type { OIDCAuthSettings } from './models/oidc-auth-settings.model';
 export { UserSession } from './models/user-session.model';

libs/auth-js/oidc/models/inject-token-pattern.model.ts

@@ -0,0 +1,3 @@
+export type InjectTokenPattern =
+    | (string | RegExp)[]
+    | ((url: string) => boolean);

libs/auth-js/oidc/models/inject-token.model.ts

@@ -0,0 +1,5 @@
+import type { InjectTokenPattern } from "./inject-token-pattern.model";
+
+export type InjectToken =
+    | boolean
+    | { include?: InjectTokenPattern; exclude?: InjectTokenPattern; };

libs/auth-js/oidc/models/oidc-auth-settings.model.ts

@@ -2,6 +2,7 @@ import type { UserManagerSettings } from 'oidc-client-ts';
 
 import type { AuthSettings as CoreAuthSettings, LogLevel } from '../../core';
 import type { DesktopNavigation } from './desktop-navigation.enum';
+import type { InjectToken } from './inject-token.model';
 import type { MobileWindowParams } from './mobile-window-params.model';
 
 // TODO: check if `monitorSession` and `revokeAccessTokenOnSignout` might be useful too ?
@@ -14,5 +15,7 @@ export interface OIDCAuthSettings extends CoreAuthSettings, Partial<Pick<UserMan
     retrieveUserSession?: boolean;
     desktopNavigationType?: DesktopNavigation;
     logLevel?: LogLevel;
+    automaticLoginOn401?: boolean;
+    automaticInjectToken?: InjectToken;
     internal?: Partial<Omit<UserManagerSettings, UsefulSettings | 'authority' | 'client_id'>> & MobileWindowParams;
 }

libs/auth-js/oidc/oidc-auth-interceptor.ts

@@ -0,0 +1,205 @@
+/* eslint-disable @typescript-eslint/unbound-method */
+
+import { AuthLogger } from '@badisi/auth-js';
+
+import type { InjectToken } from './models/inject-token.model';
+import type { OIDCAuthManager } from './oidc-auth-manager';
+
+declare global {
+    interface XMLHttpRequest {
+        url?: string | URL;
+    }
+}
+
+const logger = new AuthLogger('OIDCAuthInterceptor');
+
+export class OIDCAuthInterceptor {
+    #manager: OIDCAuthManager;
+
+    #originalFetch = window.fetch;
+    #originalXmlHttpRequestOpen = XMLHttpRequest.prototype.open;
+    #originalXmlHttpRequestSend = XMLHttpRequest.prototype.send;
+
+    constructor(manager: OIDCAuthManager) {
+        logger.debug('init');
+        this.#manager = manager;
+        this.#monkeyPathFetch();
+        this.#monkeyPatchXmlHttpRequest();
+    }
+
+    // ---- HELPER(s) ----
+
+    #getCompleteUrl(url: string): string {
+        try {
+            return new URL(url).href;
+        } catch {
+            return new URL(`${location.origin}${url.startsWith('/') ? '' : '/'}${url}`).href;
+        }
+    }
+
+    #isMatching(url: string, pattern: string | RegExp | ((url: string) => boolean)): boolean {
+        const completeUrl = this.#getCompleteUrl(url);
+        if (typeof pattern === 'function') {
+            return pattern(completeUrl);
+        } else if (typeof pattern === 'string') {
+            // Make the pattern regexp friendly
+            const match = pattern
+                .replace(/\//g, '\\/') // escape / with \/
+                .replace(/\./g, '\\.') // escape . with \.
+                .replace(/\*\*/g, '*') // replace ** with *
+                .replace(/\*/g, '.*'); // replace * with .*
+
+            return (new RegExp(match).exec(completeUrl) !== null);
+        } else {
+            return (pattern.exec(completeUrl) !== null);
+        }
+    }
+
+    #isAllowedRequest(url: string, injectToken: InjectToken): boolean {
+        let isAllowed = false;
+        if (typeof injectToken === 'boolean') {
+            isAllowed = injectToken;
+        } else {
+            const { include, exclude } = injectToken;
+
+            if (Array.isArray(include)) {
+                isAllowed = include.some((pattern: string | RegExp) => this.#isMatching(url, pattern));
+            } else if (include) {
+                isAllowed = this.#isMatching(url, include);
+            }
+
+            if (Array.isArray(exclude)) {
+                if (exclude.some((item: string | RegExp) => this.#isMatching(url, item))) {
+                    isAllowed = false;
+                }
+            } else if (exclude && this.#isMatching(url, exclude)) {
+                isAllowed = false;
+            }
+        }
+        return isAllowed;
+    }
+
+    #shouldInjectAuthToken(url: string): boolean {
+        const injectToken = this.#manager.getSettings().automaticInjectToken ?? false;
+        return (injectToken !== false) && this.#isAllowedRequest(url, injectToken);
+    }
+
+    #monkeyPathFetch(enable = true): void {
+        const _logger = logger.createChild('monkeyPathFetch');
+        _logger.debug(enable ? 'enabling..' : 'disabling..');
+
+        // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
+        if (window.fetch) {
+            if (enable) {
+                window.fetch = async (input: RequestInfo | URL, init?: RequestInit): Promise<Response> => {
+                    const url = (input instanceof Request) ? input.url : input.toString();
+                    logger.debug('received fetch url:', url);
+
+                    // Add token to request headers
+                    if (this.#shouldInjectAuthToken(url)) {
+                        const accessToken = await this.#manager.getAccessToken();
+                        if (init && accessToken) {
+                            logger.debug('adding bearer to url:', url);
+                            init.headers = {
+                                // eslint-disable-next-line @typescript-eslint/naming-convention
+                                'Authorization': `Bearer ${accessToken}`,
+                                ...init.headers
+                            };
+                        }
+                    }
+
+                    // Proceed with request
+                    const response = await this.#originalFetch.apply(window, [input, init]);
+
+                    // Do a login on 401
+                    if (response.status === 401) {
+                        const shouldLoginOn401 = this.#manager.getSettings().automaticLoginOn401 ?? false;
+                        if (shouldLoginOn401) {
+                            await this.#manager.login();
+                        }
+                    }
+
+                    return response;
+                };
+            } else {
+                window.fetch = this.#originalFetch;
+            }
+
+            _logger.debug('done');
+        }
+    }
+
+    #monkeyPatchXmlHttpRequest(enable = true): void {
+        const _logger = logger.createChild('monkeyPatchXmlHttpRequest');
+        _logger.debug(enable ? 'enabling..' : 'disabling..');
+
+        // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
+        if (XMLHttpRequest.prototype.open && XMLHttpRequest.prototype.send) {
+            if (enable) {
+                // eslint-disable-next-line @typescript-eslint/no-this-alias
+                const interceptor = this;
+
+                XMLHttpRequest.prototype.open = function (method: string, url: string | URL, ...rest: unknown[]): void {
+                    this.url = url;
+                    // @ts-expect-error Rest should not be of type unknown
+                    interceptor.#originalXmlHttpRequestOpen.apply(this, [method, url, ...rest]);
+                };
+
+                XMLHttpRequest.prototype.send = function (body?: Document | XMLHttpRequestBodyInit | null): void {
+                    const url = (typeof this.url === 'string') ? this.url : this.url?.href;
+                    logger.debug('received xhr url:', url);
+
+                    // Do a login on 401
+                    const onReadyStateChange = (): void => {
+                        if (this.readyState === XMLHttpRequest.DONE) {
+                            removeListeners();
+
+                            if (this.status === 401) {
+                                const shouldLoginOn401 = interceptor.#manager.getSettings().automaticLoginOn401 ?? false;
+                                if (shouldLoginOn401) {
+                                    void interceptor.#manager.login();
+                                }
+                            }
+                        }
+                    }
+                    const removeListeners = (): void => {
+                        this.removeEventListener('readystatechange', onReadyStateChange);
+                        this.removeEventListener('timeout', removeListeners);
+                        this.removeEventListener('error', removeListeners);
+                        this.removeEventListener('abort', removeListeners);
+
+                    };
+                    this.addEventListener('readystatechange', onReadyStateChange);
+                    this.addEventListener('timeout', removeListeners);
+                    this.addEventListener('error', removeListeners);
+                    this.addEventListener('abort', removeListeners);
+
+                    // Add token to request headers
+                    const shouldInjectToken = url ? interceptor.#shouldInjectAuthToken(url) : false;
+                    if (this.readyState === XMLHttpRequest.OPENED && shouldInjectToken) {
+                        interceptor.#manager.getAccessToken()
+                            .then(accessToken => {
+                                if (accessToken) {
+                                    logger.debug('adding bearer to url:', url);
+                                    this.setRequestHeader('Authorization', `Bearer ${accessToken}`);
+                                }
+                            })
+                            .catch((error: unknown) => {
+                                logger.error(error)
+                            })
+                            .finally(() => {
+                                interceptor.#originalXmlHttpRequestSend.apply(this, [body]);
+                            })
+                    } else {
+                        interceptor.#originalXmlHttpRequestSend.apply(this, [body]);
+                    }
+                };
+            } else {
+                XMLHttpRequest.prototype.open = this.#originalXmlHttpRequestOpen;
+                XMLHttpRequest.prototype.send = this.#originalXmlHttpRequestSend;
+            }
+
+            _logger.debug('done');
+        }
+    }
+}