forked from OneDrive/onedrive-explorer-js
-
Notifications
You must be signed in to change notification settings - Fork 0
/
odauth.js
211 lines (187 loc) · 7.02 KB
/
odauth.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
// instructions:
// - host a copy of callback.html and odauth.js on your domain.
// - embed odauth.js in your app like this:
// <script id="odauth" src="odauth.js"
// clientId="YourClientId" scopes="ScopesYouNeed"
// redirectUri="YourUrlForCallback.html"></script>
// - define the onAuthenticated(token) function in your app to receive the auth token.
// - call odauth() to begin, as well as whenever you need an auth token
// to make an API call. if you're making an api call in response to a user's
// click action, call odAuth(true), otherwise just call odAuth(). the difference
// is that sometimes odauth needs to pop up a window so the user can sign in,
// grant your app permission, etc. the pop up can only be launched in response
// to a user click, otherwise the browser's popup blocker will block it. when
// odauth isn't called in click mode, it'll put a sign-in button at the top of
// your page for the user to click. when it's done, it'll remove that button.
//
// how it all works:
// when you call odauth(), we first check if we have the user's auth token stored
// in a cookie. if so, we read it and immediately call your onAuthenticated() method.
// if we can't find the auth cookie, we need to pop up a window and send the user
// to Microsoft Account so that they can sign in or grant your app the permissions
// it needs. depending on whether or not odauth() was called in response to a user
// click, it will either pop up the auth window or display a sign-in button for
// the user to click (which results in the pop-up). when the user finishes the
// auth flow, the popup window redirects back to your hosted callback.html file,
// which calls the onAuthCallback() method below. it then sets the auth cookie
// and calls your app's onAuthenticated() function, passing in the optional 'window'
// argument for the popup window. your onAuthenticated function should close the
// popup window if it's passed in.
//
// subsequent calls to odauth() will usually complete immediately without the
// popup because the cookie is still fresh.
function odauth(wasClicked) {
ensureHttps();
var token = getTokenFromCookie();
if (token) {
onAuthenticated(token);
}
else if (wasClicked) {
challengeForAuth();
}
else {
showLoginButton();
}
}
// for added security we require https
function ensureHttps() {
if (window.location.protocol != "https:") {
window.location.href = "https:" + window.location.href.substring(window.location.protocol.length);
}
}
function onAuthCallback() {
var authInfo = getAuthInfoFromUrl();
var token = authInfo["access_token"];
var expiry = parseInt(authInfo["expires_in"]);
setCookie(token, expiry);
window.opener.onAuthenticated(token, window);
}
function getAuthInfoFromUrl() {
if (window.location.hash) {
var authResponse = window.location.hash.substring(1);
var authInfo = JSON.parse(
'{"' + authResponse.replace(/&/g, '","').replace(/=/g, '":"') + '"}',
function(key, value) { return key === "" ? value : decodeURIComponent(value); });
return authInfo;
}
else {
alert("failed to receive auth token");
}
}
function getTokenFromCookie() {
var cookies = document.cookie;
var name = "odauth=";
var start = cookies.indexOf(name);
if (start >= 0) {
start += name.length;
var end = cookies.indexOf(';', start);
if (end < 0) {
end = cookies.length;
}
else {
postCookie = cookies.substring(end);
}
var value = cookies.substring(start, end);
return value;
}
return "";
}
function setCookie(token, expiresInSeconds) {
var expiration = new Date();
expiration.setTime(expiration.getTime() + expiresInSeconds * 1000);
var cookie = "odauth=" + token +"; path=/; expires=" + expiration.toUTCString();
if (document.location.protocol.toLowerCase() == "https") {
cookie = cookie + ";secure";
}
document.cookie = cookie;
}
function getAppInfo() {
var scriptTag = document.getElementById("odauth");
if (!scriptTag) {
alert("the script tag for odauth.js should have its id set to 'odauth'");
}
var clientId = scriptTag.getAttribute("clientId");
if (!clientId) {
alert("the odauth script tag needs a clientId attribute set to your application id");
}
var scopes = scriptTag.getAttribute("scopes");
if (!scopes) {
alert("the odauth script tag needs a scopes attribute set to the scopes your app needs");
}
var redirectUri = scriptTag.getAttribute("redirectUri");
if (!redirectUri) {
alert("the odauth script tag needs a redirectUri attribute set to your redirect landing url");
}
var appInfo = {
"clientId": clientId,
"scopes": scopes,
"redirectUri": redirectUri
};
return appInfo;
}
// called when a login button needs to be displayed for the user to click on.
// if a customLoginButton() function is defined by your app, it will be called
// with 'true' passed in to indicate the button should be added. otherwise, it
// will insert a textual login link at the top of the page. if defined, your
// showCustomLoginButton should call challengeForAuth() when clicked.
function showLoginButton() {
if (typeof showCustomLoginButton === "function") {
showCustomLoginButton(true);
return;
}
var loginText = document.createElement('a');
loginText.href = "#";
loginText.id = "loginText";
loginText.onclick = challengeForAuth;
loginText.innerText = "[sign in]";
document.body.insertBefore(loginText, document.body.children[0]);
}
// called with the login button created by showLoginButton() needs to be
// removed. if a customLoginButton() function is defined by your app, it will
// be called with 'false' passed in to indicate the button should be removed.
// otherwise it will remove the textual link that showLoginButton() created.
function removeLoginButton() {
if (typeof showCustomLoginButton === "function") {
showCustomLoginButton(false);
return;
}
var loginText = document.getElementById("loginText");
if (loginText) {
document.body.removeChild(loginText);
}
}
function challengeForAuth() {
var appInfo = getAppInfo();
var url =
"https://login.live.com/oauth20_authorize.srf" +
"?client_id=" + appInfo.clientId +
"&scope=" + encodeURIComponent(appInfo.scopes) +
"&response_type=token" +
"&redirect_uri=" + encodeURIComponent(appInfo.redirectUri);
popup(url);
}
function popup(url) {
var width = 525,
height = 525,
screenX = window.screenX,
screenY = window.screenY,
outerWidth = window.outerWidth,
outerHeight = window.outerHeight;
var left = screenX + Math.max(outerWidth - width, 0) / 2;
var top = screenY + Math.max(outerHeight - height, 0) / 2;
var features = [
"width=" + width,
"height=" + height,
"top=" + top,
"left=" + left,
"status=no",
"resizable=yes",
"toolbar=no",
"menubar=no",
"scrollbars=yes"];
var popup = window.open(url, "oauth", features.join(","));
if (!popup) {
alert("failed to pop up auth window");
}
popup.focus();
}