1import { CreateURLOptions } from 'expo-linking';
2import { WebBrowserOpenOptions, WebBrowserWindowFeatures } from 'expo-web-browser';
3
4// @needsAudit
5export enum CodeChallengeMethod {
6  /**
7   * The default and recommended method for transforming the code verifier.
8   * - Convert the code verifier to ASCII.
9   * - Create a digest of the string using crypto method SHA256.
10   * - Convert the digest to Base64 and URL encode it.
11   */
12  S256 = 'S256',
13  /**
14   * This should not be used. When used, the code verifier will be sent to the server as-is.
15   */
16  Plain = 'plain',
17}
18
19// @needsAudit
20/**
21 * The client informs the authorization server of the desired grant type by using the response type.
22 *
23 * @see [Section 3.1.1](https://tools.ietf.org/html/rfc6749#section-3.1.1).
24 */
25export enum ResponseType {
26  /**
27   * For requesting an authorization code as described by [Section 4.1.1](https://tools.ietf.org/html/rfc6749#section-4.1.1).
28   */
29  Code = 'code',
30  /**
31   * For requesting an access token (implicit grant) as described by [Section 4.2.1](https://tools.ietf.org/html/rfc6749#section-4.2.1).
32   */
33  Token = 'token',
34  /**
35   * A custom registered type for getting an `id_token` from Google OAuth.
36   */
37  IdToken = 'id_token',
38}
39
40// @needsAudit
41/**
42 * Informs the server if the user should be prompted to login or consent again.
43 * This can be used to present a dialog for switching accounts after the user has already been logged in.
44 * You should use this in favor of clearing cookies (which is mostly not possible on iOS).
45 *
46 * @see [Section 3.1.2.1](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationRequest).
47 */
48export enum Prompt {
49  /**
50   * Server must not display any auth or consent UI. Can be used to check for existing auth or consent.
51   * An error is returned if a user isn't already authenticated or the client doesn't have pre-configured consent for the requested claims, or does not fulfill other conditions for processing the request.
52   * The error code will typically be `login_required`, `interaction_required`, or another code defined in [Section 3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthError).
53   */
54  None = 'none',
55  /**
56   * The server should prompt the user to reauthenticate.
57   * If it cannot reauthenticate the End-User, it must return an error, typically `login_required`.
58   */
59  Login = 'login',
60  /**
61   * Server should prompt the user for consent before returning information to the client.
62   * If it cannot obtain consent, it must return an error, typically `consent_required`.
63   */
64  Consent = 'consent',
65  /**
66   * Server should prompt the user to select an account. Can be used to switch accounts.
67   * If it can't obtain an account selection choice made by the user, it must return an error, typically `account_selection_required`.
68   */
69  SelectAccount = 'select_account',
70}
71
72// @needsAudit
73/**
74 * Options passed to the `promptAsync()` method of `AuthRequest`s.
75 * This can be used to configure how the web browser should look and behave.
76 */
77export type AuthRequestPromptOptions = Omit<WebBrowserOpenOptions, 'windowFeatures'> & {
78  /**
79   * URL to open when prompting the user. This usually should be defined internally and left `undefined` in most cases.
80   */
81  url?: string;
82  /**
83   * Should the authentication request use the Expo proxy service `auth.expo.io`.
84   * @default false
85   */
86  useProxy?: boolean;
87  /**
88   * Project name to use for the \`auth.expo.io\` proxy when `useProxy` is true.
89   */
90  projectNameForProxy?: string;
91  /**
92   * URL options to be used when creating the redirect URL for the auth proxy.
93   */
94  proxyOptions?: Omit<CreateURLOptions, 'queryParams'> & { path?: string };
95  /**
96   * Features to use with `window.open()`.
97   * @platform web
98   */
99  windowFeatures?: WebBrowserWindowFeatures;
100};
101
102// @needsAudit
103/**
104 * Represents an OAuth authorization request as JSON.
105 */
106export interface AuthRequestConfig {
107  /**
108   * Specifies what is returned from the authorization server.
109   *
110   * [Section 3.1.1](https://tools.ietf.org/html/rfc6749#section-3.1.1)
111   *
112   * @default ResponseType.Code
113   */
114  responseType?: ResponseType | string;
115  /**
116   * A unique string representing the registration information provided by the client.
117   * The client identifier is not a secret; it is exposed to the resource owner and shouldn't be used
118   * alone for client authentication.
119   *
120   * The client identifier is unique to the authorization server.
121   *
122   * [Section 2.2](https://tools.ietf.org/html/rfc6749#section-2.2)
123   */
124  clientId: string;
125  /**
126   * After completing an interaction with a resource owner the
127   * server will redirect to this URI. Learn more about [linking in Expo](https://docs.expo.dev/versions/latest/workflow/linking/).
128   *
129   * [Section 3.1.2](https://tools.ietf.org/html/rfc6749#section-3.1.2)
130   */
131  redirectUri: string;
132  /**
133   * List of strings to request access to.
134   *
135   * [Section 3.3](https://tools.ietf.org/html/rfc6749#section-3.3)
136   */
137  scopes?: string[];
138  /**
139   * Client secret supplied by an auth provider.
140   * There is no secure way to store this on the client.
141   *
142   * [Section 2.3.1](https://tools.ietf.org/html/rfc6749#section-2.3.1)
143   */
144  clientSecret?: string;
145  /**
146   * Method used to generate the code challenge. You should never use `Plain` as it's not good enough for secure verification.
147   * @default CodeChallengeMethod.S256
148   */
149  codeChallengeMethod?: CodeChallengeMethod;
150  /**
151   * Derived from the code verifier by using the `CodeChallengeMethod`.
152   *
153   * [Section 4.2](https://tools.ietf.org/html/rfc7636#section-4.2)
154   */
155  codeChallenge?: string;
156  /**
157   * Informs the server if the user should be prompted to login or consent again.
158   * This can be used to present a dialog for switching accounts after the user has already been logged in.
159   *
160   * [Section 3.1.2.1](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationRequest)
161   */
162  prompt?: Prompt;
163  /**
164   * Used for protection against [Cross-Site Request Forgery](https://tools.ietf.org/html/rfc6749#section-10.12).
165   */
166  state?: string;
167  /**
168   * Extra query params that'll be added to the query string.
169   */
170  extraParams?: Record<string, string>;
171  /**
172   * Should use [Proof Key for Code Exchange](https://oauth.net/2/pkce/).
173   * @default true
174   */
175  usePKCE?: boolean;
176}
177