236 lines
6.8 KiB
TypeScript
236 lines
6.8 KiB
TypeScript
/**
|
|
* Secure token storage abstraction
|
|
* Primary: httpOnly cookies (server-side)
|
|
* Fallback: Encrypted localStorage (client-side)
|
|
* SSR-safe: All browser APIs guarded
|
|
*
|
|
* E2E Test Mode: When __PLAYWRIGHT_TEST__ flag is set, encryption is skipped
|
|
* for easier E2E testing without production code pollution
|
|
*/
|
|
|
|
import { encryptData, decryptData, clearEncryptionKey } from './crypto';
|
|
|
|
export interface TokenStorage {
|
|
accessToken: string | null;
|
|
refreshToken: string | null;
|
|
}
|
|
|
|
const STORAGE_KEY = 'auth_tokens';
|
|
const STORAGE_METHOD_KEY = 'auth_storage_method';
|
|
|
|
export type StorageMethod = 'cookie' | 'localStorage';
|
|
|
|
/**
|
|
* Check if running in E2E test mode (Playwright)
|
|
* This flag is set by E2E tests to skip encryption for easier testing
|
|
*/
|
|
function isE2ETestMode(): boolean {
|
|
return typeof window !== 'undefined' && (window as { __PLAYWRIGHT_TEST__?: boolean }).__PLAYWRIGHT_TEST__ === true;
|
|
}
|
|
|
|
/**
|
|
* Check if localStorage is available (browser only)
|
|
*/
|
|
function isLocalStorageAvailable(): boolean {
|
|
/* istanbul ignore next - SSR guard */
|
|
if (typeof window === 'undefined' || typeof localStorage === 'undefined') {
|
|
return false;
|
|
}
|
|
|
|
try {
|
|
const test = '__storage_test__';
|
|
localStorage.setItem(test, test);
|
|
localStorage.removeItem(test);
|
|
return true;
|
|
} catch {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Get current storage method
|
|
* SSR-safe: Returns 'localStorage' as default (actual check happens client-side)
|
|
*/
|
|
export function getStorageMethod(): StorageMethod {
|
|
if (!isLocalStorageAvailable()) {
|
|
return 'localStorage'; // Default, will be checked again client-side
|
|
}
|
|
|
|
try {
|
|
// Check if we previously set a storage method
|
|
const stored = localStorage.getItem(STORAGE_METHOD_KEY);
|
|
if (stored === 'cookie' || stored === 'localStorage') {
|
|
return stored;
|
|
}
|
|
} catch (error) {
|
|
/* istanbul ignore next - Error logging only */
|
|
console.warn('Failed to get storage method:', error);
|
|
}
|
|
|
|
// Default to localStorage for client-side auth
|
|
// In Phase 2, we'll add cookie detection from server
|
|
return 'localStorage';
|
|
}
|
|
|
|
/**
|
|
* Set storage method preference
|
|
* SSR-safe: No-op if localStorage not available
|
|
*/
|
|
export function setStorageMethod(method: StorageMethod): void {
|
|
if (!isLocalStorageAvailable()) {
|
|
/* istanbul ignore next - SSR guard with console warn */
|
|
console.warn('Cannot set storage method: localStorage not available');
|
|
return;
|
|
}
|
|
|
|
try {
|
|
localStorage.setItem(STORAGE_METHOD_KEY, method);
|
|
} catch (error) {
|
|
/* istanbul ignore next - Error logging only */
|
|
console.error('Failed to set storage method:', error);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Save tokens securely
|
|
* @param tokens - Access and refresh tokens
|
|
* @throws Error if storage fails
|
|
*/
|
|
export async function saveTokens(tokens: TokenStorage): Promise<void> {
|
|
const method = getStorageMethod();
|
|
|
|
if (method === 'cookie') {
|
|
// Cookies are handled server-side via Set-Cookie headers
|
|
// This is a no-op for client-side, actual implementation in Phase 2
|
|
// when we add server-side API route handlers
|
|
console.debug('Token storage via cookies (server-side)');
|
|
return;
|
|
}
|
|
|
|
// Fallback: Encrypted localStorage
|
|
if (!isLocalStorageAvailable()) {
|
|
throw new Error('localStorage not available - cannot save tokens');
|
|
}
|
|
|
|
try {
|
|
// E2E TEST MODE: Skip encryption for Playwright tests
|
|
if (isE2ETestMode()) {
|
|
localStorage.setItem(STORAGE_KEY, JSON.stringify(tokens));
|
|
return;
|
|
}
|
|
|
|
// PRODUCTION: Use encryption
|
|
const encrypted = await encryptData(JSON.stringify(tokens));
|
|
localStorage.setItem(STORAGE_KEY, encrypted);
|
|
} catch (error) {
|
|
/* istanbul ignore next - Error logging before throw */
|
|
console.error('Failed to save tokens:', error);
|
|
throw new Error('Token storage failed');
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Retrieve tokens from storage
|
|
* @returns Stored tokens or null
|
|
* SSR-safe: Returns null if localStorage not available
|
|
*/
|
|
export async function getTokens(): Promise<TokenStorage | null> {
|
|
const method = getStorageMethod();
|
|
|
|
if (method === 'cookie') {
|
|
// Cookies are sent automatically with requests
|
|
// For client-side access, we'll implement this in Phase 2
|
|
// with a /api/auth/session endpoint
|
|
console.debug('Token retrieval via cookies (server-side)');
|
|
return null;
|
|
}
|
|
|
|
// Fallback: Encrypted localStorage
|
|
/* istanbul ignore next - SSR guard */
|
|
if (!isLocalStorageAvailable()) {
|
|
return null;
|
|
}
|
|
|
|
try {
|
|
const stored = localStorage.getItem(STORAGE_KEY);
|
|
if (!stored) {
|
|
return null;
|
|
}
|
|
|
|
// E2E TEST MODE: Tokens stored as plain JSON
|
|
if (isE2ETestMode()) {
|
|
const parsed = JSON.parse(stored);
|
|
|
|
// Validate structure - must have required fields
|
|
if (!parsed || typeof parsed !== 'object' ||
|
|
!('accessToken' in parsed) || !('refreshToken' in parsed) ||
|
|
(parsed.accessToken !== null && typeof parsed.accessToken !== 'string') ||
|
|
(parsed.refreshToken !== null && typeof parsed.refreshToken !== 'string')) {
|
|
throw new Error('Invalid token structure');
|
|
}
|
|
|
|
return parsed as TokenStorage;
|
|
}
|
|
|
|
// PRODUCTION: Decrypt tokens
|
|
const decrypted = await decryptData(stored);
|
|
const parsed = JSON.parse(decrypted);
|
|
|
|
// Validate structure - must have required fields
|
|
if (!parsed || typeof parsed !== 'object' ||
|
|
!('accessToken' in parsed) || !('refreshToken' in parsed) ||
|
|
(parsed.accessToken !== null && typeof parsed.accessToken !== 'string') ||
|
|
(parsed.refreshToken !== null && typeof parsed.refreshToken !== 'string')) {
|
|
/* istanbul ignore next - Validation error path */
|
|
throw new Error('Invalid token structure');
|
|
}
|
|
|
|
return parsed as TokenStorage;
|
|
} catch (error) {
|
|
console.error('Failed to retrieve tokens:', error);
|
|
// If decryption fails, clear invalid data
|
|
try {
|
|
localStorage.removeItem(STORAGE_KEY);
|
|
} catch {
|
|
// Ignore cleanup errors
|
|
}
|
|
return null;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Clear all tokens from storage
|
|
* SSR-safe: No-op if localStorage not available
|
|
*/
|
|
export async function clearTokens(): Promise<void> {
|
|
const method = getStorageMethod();
|
|
|
|
if (method === 'cookie') {
|
|
// Cookie clearing via server-side Set-Cookie with Max-Age=0
|
|
// Implementation in Phase 2
|
|
console.debug('Token clearing via cookies (server-side)');
|
|
}
|
|
|
|
// Always clear localStorage (belt and suspenders)
|
|
if (isLocalStorageAvailable()) {
|
|
try {
|
|
localStorage.removeItem(STORAGE_KEY);
|
|
} catch (error) {
|
|
/* istanbul ignore next - Error logging only */
|
|
console.warn('Failed to clear tokens from localStorage:', error);
|
|
}
|
|
}
|
|
|
|
// Clear encryption key
|
|
clearEncryptionKey();
|
|
}
|
|
|
|
/**
|
|
* Check if storage is available
|
|
* @returns true if localStorage is accessible
|
|
* SSR-safe: Returns false on server
|
|
*/
|
|
export function isStorageAvailable(): boolean {
|
|
return isLocalStorageAvailable();
|
|
}
|