kinde-oss
diff --git a/‎lib/main.test.ts
+1 b/‎lib/main.test.ts
+1
diff --git a/‎lib/sessionManager/index.ts
+7 b/‎lib/sessionManager/index.ts
+7
diff --git a/‎lib/sessionManager/types.ts
+1 b/‎lib/sessionManager/types.ts
+1
diff --git a/‎lib/utils/checkAuth.test.ts
+111 b/‎lib/utils/checkAuth.test.ts
+111
diff --git a/‎lib/utils/checkAuth.ts
+30 b/‎lib/utils/checkAuth.ts
+30
diff --git a/‎lib/utils/exchangeAuthCode.test.ts
+54 b/‎lib/utils/exchangeAuthCode.test.ts
+54
diff --git a/‎lib/utils/exchangeAuthCode.ts
+15-7 b/‎lib/utils/exchangeAuthCode.ts
+15-7
diff --git a/‎lib/utils/getCookie.test.ts
+87 b/‎lib/utils/getCookie.test.ts
+87
diff --git a/‎lib/utils/getCookie.ts
+8 b/‎lib/utils/getCookie.ts
+8
@@ -43,6 +43,7 @@ describe("index exports", () => {
       "exchangeAuthCode",
       "isAuthenticated",
       "refreshToken",
+      "checkAuth",
       "isCustomDomain",
 
       // session manager
 
@@ -11,6 +11,13 @@ export const storageSettings: StorageSettingsType = {
    * If the length is exceeded the items will be split into multiple storage items.
    */
   maxLength: 2000,
+
+  /**
+   * Use insecure storage for refresh token.
+   *
+   * Warning: This should only be used when you're not using a custom domain and no backend app to authenticate on.
+   */
+  useInsecureForRefreshToken: false,
 };
 
 export { MemoryStorage } from "./stores/memory.js";
 
@@ -17,6 +17,7 @@ export enum StorageKeys {
 export type StorageSettingsType = {
   keyPrefix: string;
   maxLength: number;
+  useInsecureForRefreshToken: boolean;
 };
 
 export abstract class SessionBase<V extends string = StorageKeys>
 
@@ -0,0 +1,111 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import * as CheckAuth from "./checkAuth";
+import * as RefreshToken from "./token/refreshToken";
+import * as GetCookie from "./getCookie";
+
+describe("checkAuth", () => {
+  const domain = "auth.test.com";
+  const clientId = "client-id";
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("should use cookie refresh type when using not custom domain and no _kbrte cookie", async () => {
+    vi.spyOn(RefreshToken, "refreshToken").mockResolvedValue({
+      success: true,
+    });
+    vi.spyOn(GetCookie, "getCookie").mockResolvedValue("value");
+
+    await CheckAuth.checkAuth({ domain: "test.kinde.com", clientId });
+
+    expect(GetCookie.getCookie).not.toHaveBeenCalled();
+    expect(RefreshToken.refreshToken).toHaveBeenCalledWith({
+      domain: "test.kinde.com",
+      clientId,
+      refreshType: RefreshToken.RefreshType.refreshToken,
+    });
+  });
+
+  it("should use cookie refresh type when using custom domain and _kbrte cookie exists", async () => {
+    vi.spyOn(RefreshToken, "refreshToken").mockResolvedValue({
+      success: true,
+    });
+    vi.spyOn(GetCookie, "getCookie").mockReturnValue("value");
+
+    await CheckAuth.checkAuth({ domain, clientId });
+
+    expect(GetCookie.getCookie).toHaveBeenCalledWith("_kbrte");
+
+    expect(RefreshToken.refreshToken).toHaveBeenCalledWith({
+      domain,
+      clientId,
+      refreshType: RefreshToken.RefreshType.cookie,
+    });
+  });
+
+  it("should use cookie refresh type when using custom domain and no _kbrte cookie", async () => {
+    vi.spyOn(RefreshToken, "refreshToken").mockResolvedValue({
+      success: true,
+    });
+    vi.spyOn(GetCookie, "getCookie").mockReturnValue(null);
+
+    await CheckAuth.checkAuth({ domain, clientId });
+
+    expect(GetCookie.getCookie).toHaveBeenCalledWith("_kbrte");
+
+    expect(RefreshToken.refreshToken).toHaveBeenCalledWith({
+      domain,
+      clientId,
+      refreshType: RefreshToken.RefreshType.refreshToken,
+    });
+  });
+
+  // it.only('should use cookie refresh type when using custom domain and no _kbrte cookie', async () => {
+  //   vi.spyOn(refreshToken, "refreshToken").mockResolvedValue({
+  //     success: true,
+  //   });
+
+  //   const result = await checkAuth({ domain: "test.kinde.com", clientId });
+
+  //   expect(refreshToken.refreshToken).toHaveBeenCalledWith({
+  //     domain: "test.kinde.com",
+  //     clientId,
+  //     refreshType: refreshToken.RefreshType.refreshToken,
+  //   });
+  //   expect(result).toEqual({});
+  // });
+
+  // it('should use refresh token type when not using custom domain', async () => {
+  //   (refreshToken as vi.Mock).mockResolvedValue({} as RefreshTokenResult);
+
+  //   const result = await checkAuth({ domain: 'test.kinde.com', clientId });
+
+  //   expect(refreshToken).toHaveBeenCalledWith({
+  //     domain: 'not-custom.com',
+  //     clientId,
+  //     refreshType: RefreshType.refreshToken,
+  //   });
+  //   expect(result).toEqual({});
+  // });
+
+  // it('should use refresh token type when forceLocalStorage is true', async () => {
+  //   (refreshToken as vi.Mock).mockResolvedValue({} as RefreshTokenResult);
+
+  //   // Mock storageSettings to force local storage
+  //   const originalStorageSettings = storageSettings;
+  //   storageSettings.useInsecureForRefreshToken = true;
+
+  //   const result = await checkAuth({ domain, clientId });
+
+  //   expect(refreshToken).toHaveBeenCalledWith({
+  //     domain,
+  //     clientId,
+  //     refreshType: RefreshType.refreshToken,
+  //   });
+  //   expect(result).toEqual({});
+
+  //   // Restore original storageSettings
+  //   storageSettings.useInsecureForRefreshToken = originalStorageSettings.useInsecureForRefreshToken;
+  // });
+});
@@ -0,0 +1,30 @@
+import { isCustomDomain, refreshToken, storageSettings } from "../main";
+import { getCookie } from "./getCookie";
+import { RefreshType, RefreshTokenResult } from "./token/refreshToken";
+
+const kindeCookieName = "_kbrte";
+
+export const checkAuth = async ({
+  domain,
+  clientId,
+}: {
+  domain: string;
+  clientId: string;
+}): Promise<RefreshTokenResult> => {
+  const usingCustomDomain = isCustomDomain(domain);
+  const forceLocalStorage = storageSettings.useInsecureForRefreshToken;
+  console.log("usingCustomDomain", usingCustomDomain);
+  console.log("forceLocalStorage", forceLocalStorage);
+  let kbrteCookie = null;
+  if (usingCustomDomain && !forceLocalStorage) {
+    console.log("getting cookie");
+    kbrteCookie = getCookie(kindeCookieName);
+    console.log("kbrteCookie", kbrteCookie);
+  }
+
+  return await refreshToken({
+    domain,
+    clientId,
+    refreshType: kbrteCookie ? RefreshType.cookie : RefreshType.refreshToken,
+  });
+};
@@ -15,6 +15,7 @@ describe("exchangeAuthCode", () => {
     vi.spyOn(refreshTokenTimer, "setRefreshTimer");
     vi.spyOn(main, "refreshToken");
     vi.useFakeTimers();
+    main.storageSettings.useInsecureForRefreshToken = false;
   });
 
   afterEach(() => {
@@ -158,6 +159,59 @@ describe("exchangeAuthCode", () => {
     expect((options?.headers as Headers).get("Pragma")).toEqual("no-cache");
   });
 
+  it("uses insecure storage for code verifier when storage setting applies", async () => {
+    const store = new MemoryStorage();
+    main.setInsecureStorage(store);
+
+    const store2 = new MemoryStorage();
+    const state = "state";
+
+    await store.setItems({
+      [StorageKeys.state]: state,
+    });
+
+    const input = "hello";
+
+    const urlParams = new URLSearchParams();
+    urlParams.append("code", input);
+    urlParams.append("state", state);
+    urlParams.append("client_id", "test");
+
+    fetchMock.mockResponseOnce(
+      JSON.stringify({
+        access_token: "access_token",
+        refresh_token: "refresh_token",
+        id_token: "id_token",
+      }),
+    );
+
+    main.storageSettings.useInsecureForRefreshToken = true;
+
+    console.log('here');
+    const result = await exchangeAuthCode({
+      urlParams,
+      domain: "http://test.kinde.com",
+      clientId: "test",
+      redirectURL: "http://test.kinde.com",
+    });
+
+    expect(result).toStrictEqual({
+      accessToken: "access_token",
+      refreshToken: "refresh_token",
+      idToken: "id_token",
+      success: true,
+    });
+
+    const postCodeVerifier = await store.getSessionItem(
+      StorageKeys.codeVerifier,
+    );
+    expect(postCodeVerifier).toBeNull();
+    const insecureRefreshToken = await store2.getSessionItem(
+      StorageKeys.refreshToken,
+    );
+    expect(insecureRefreshToken).toBeNull();
+  });
+
   it("set the framework and version on header", async () => {
     const store = new MemoryStorage();
     setActiveStorage(store);
 
@@ -3,6 +3,7 @@ import {
   getInsecureStorage,
   refreshToken,
   StorageKeys,
+  storageSettings,
 } from "../main";
 import { clearRefreshTimer, setRefreshTimer } from "./refreshTimer";
 
@@ -65,6 +66,7 @@ export const exchangeAuthCode = async ({
   }
 
   const storedState = await activeStorage.getSessionItem(StorageKeys.state);
+  console.log('----', state, storedState);
   if (state !== storedState) {
     console.error("Invalid state");
     return {
@@ -124,15 +126,21 @@ export const exchangeAuthCode = async ({
   } = await response.json();
 
   const secureStore = getActiveStorage();
-  secureStore!.setItems({
-    [StorageKeys.accessToken]: data.access_token,
-    [StorageKeys.idToken]: data.id_token,
-    [StorageKeys.refreshToken]: data.refresh_token,
-  });
+  if (secureStore) {
+    secureStore.setItems({
+      [StorageKeys.accessToken]: data.access_token,
+      [StorageKeys.idToken]: data.id_token,
+      [StorageKeys.refreshToken]: data.refresh_token,
+    });
+  }
+
+  if (storageSettings.useInsecureForRefreshToken) {
+    activeStorage.setSessionItem(StorageKeys.refreshToken, data.refresh_token);
+  }
 
   if (autoRefresh) {
     setRefreshTimer(data.expires_in, async () => {
-      refreshToken(domain, clientId);
+      refreshToken({ domain, clientId });
     });
   }
 
@@ -157,4 +165,4 @@ export const exchangeAuthCode = async ({
     [StorageKeys.idToken]: data.id_token,
     [StorageKeys.refreshToken]: data.refresh_token,
   };
-};
+};
@@ -0,0 +1,87 @@
+import { describe, it, expect, beforeEach } from "vitest";
+import { getCookie } from "./getCookie";
+
+describe("getCookie", () => {
+  let cookieStore: { [key: string]: string } = {};
+
+  beforeEach(() => {
+    // Reset the cookie store before each test
+    cookieStore = {};
+
+    // Mock document.cookie
+    Object.defineProperty(document, "cookie", {
+      get: () => {
+        return Object.entries(cookieStore)
+          .map(([key, value]) => `${key}=${value}`)
+          .join("; ");
+      },
+      set: (cookie) => {
+        const [keyValue] = cookie.split(";");
+        const [key, value] = keyValue.split("=");
+        cookieStore[key.trim()] = value;
+      },
+      configurable: true,
+    });
+  });
+
+  it("should return the value of the cookie if it exists", () => {
+    document.cookie = "_kbrte=cookie-value;path=/";
+    const result = getCookie("_kbrte");
+    expect(result).toBe("cookie-value");
+  });
+
+  it("should return null if the cookie does not exist", () => {
+    const result = getCookie("_kbrte");
+    expect(result).toBeNull();
+  });
+
+  it("should handle multiple cookies and return the correct one", () => {
+    document.cookie = "cookie1=value1;path=/";
+    document.cookie = "_kbrte=cookie-value;path=/";
+    document.cookie = "cookie2=value2;path=/";
+    const result = getCookie("_kbrte");
+    expect(result).toBe("cookie-value");
+  });
+
+  it("should return null if the cookie name is a substring of another cookie name", () => {
+    document.cookie = "not_kbrte=value;path=/";
+    const result = getCookie("_kbrte");
+    expect(result).toBeNull();
+  });
+
+  it("should return null if the cookie name is a substring of another cookie name with space", () => {
+    document.cookie = "not _kbrte=value;path=/";
+    const result = getCookie("_kbrte");
+    expect(result).toBeNull();
+  });
+
+  it("should return null if the cookie value is empty", () => {
+    document.cookie = "_kbrte=;path=/";
+    const result = getCookie("_kbrte");
+    expect(result).toBeNull();
+  });
+
+  it("should return null if the cookie value is undefined", () => {
+    document.cookie = "_kbrte=undefined;path=/";
+    const result = getCookie("_kbrte");
+    expect(result).toBe("undefined");
+  });
+
+  it("should return null if the cookie value is null", () => {
+    document.cookie = "_kbrte=null;path=/";
+    const result = getCookie("_kbrte");
+    expect(result).toBe("null");
+  });
+
+  it("should return null if parts.length is not equal to 2", () => {
+    document.cookie = "cookie1=value1;path=/";
+    const result = getCookie("_kbrte");
+    expect(result).toBeNull();
+  });
+
+  it("should return null if parts.pop() returns undefined", () => {
+    document.cookie = "_kbrte=;path=/";
+    const result = getCookie("_kbrte");
+    expect(result).toBeNull();
+  });
+});
@@ -0,0 +1,8 @@
+export function getCookie(name: string): string | null {
+  const value = `; ${document.cookie}`;
+  console.log("value", value);
+  const parts = value.split(`; ${name}=`);
+  console.log("parts.length", parts);
+  if (parts.length === 2) return parts.pop()?.split(";").shift() || null;
+  return null;
+}