fix: silentLoginIframe Timeouts.

signinCallback wasn't being called when state was set but not code, which happens when there are errors. I also did some error handling the refreshToken calll. This is kind of a quick fix. I need to revisit the flows here to make sure all the correct things are being done for the various callback states.
2025-12-11 23:50:06 +01:00 · 2020-08-25 13:33:22 -04:00 · 2020-08-25 13:33:22 -04:00 · a4aa8439f1
commit a4aa8439f1
parent e668272c6b
3 changed files with 24 additions and 6 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -1,6 +1,6 @@
 {
 	"name": "@dopry/svelte-oidc",
-	"version": "0.2.0",
+	"version": "0.3.1",
 	"lockfileVersion": 1,
 	"requires": true,
 	"dependencies": {
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
 	"name": "@dopry/svelte-oidc",
-	"version": "0.3.0",
+	"version": "0.3.1",
 	"repository": "https://github.com/dopry/svelte-oidc",
 	"description": "Svelte OIDC Component Library",
 	"keywords": [
--- a/src/components/OidcContext.svelte
+++ b/src/components/OidcContext.svelte
@ -27,11 +27,21 @@
 	export const OIDC_CONTEXT_POST_LOGOUT_REDIRECT_URI = {};

 	/**
-	 * Refresh the accessToken store.
+	 * Refresh the accessToken using the silentRenew method (hidden iframe)
+	 * @return bool indicated whether the token was refreshed, if false error will be set
+	 * in the authError store.
 	 */
 	export async function refreshToken() {
-		const oidc = await getContext(OIDC_CONTEXT_CLIENT_PROMISE);
-		await oidc.signinSilent();
+		try {
+		  const oidc = await getContext(OIDC_CONTEXT_CLIENT_PROMISE);
+		  await oidc.signinSilent();
+		  return true;
+		}
+		catch (e) {
+			// set error state for reactive handling
+			authError.set(e.message);
+			return false;
+		}
 	}

 	/**
@ -98,7 +108,7 @@
 		userInfo.set(user.profile);
 	});

-	userManager.events.addUserUnloaded(function(e) {
+	userManager.events.addUserUnloaded(function() {
 		isAuthenticated.set(false);
 		idToken.set('');
 		accessToken.set('');
@ -119,6 +129,8 @@
    // Not all browsers support this, please program defensively!
    const params = new URLSearchParams(window.location.search);

+	// Use 'error' and 'code' to test if the component is being executed as a part of a login callback. If we're not
+	// running in a login callback, and the user isn't logged in, see if we can capture their existing session.
    if (!params.has('error') && !params.has('code') && !$isAuthenticated) {
        refreshToken();
    }
@ -148,6 +160,12 @@
 			// clear errors on login.
 			authError.set(null);
 		}
+		// if code was not set and there was a state, then we're in an auth callback and there was an error. We still
+		// need to wrap the sign-in silent. We need to sit down and chart out the various success and fail scenarios and
+		// what the uris loook like. I fear this may be problematic in other auth flows in the future.
+		else if (params.has('state')) {
+			const response = await oidc.signinCallback();
+		}
 		isLoading.set(false);
 	}
 	async function handleOnDestroy() {}