[FEAT] Active Org Support (#30)

* feat(client): add active org to access token map

* feat(api): clarify status text for user not in org

* fix(getAccessTokenForActiveOrg): return user not in org for 401 response, fix types

* 2.0.17

* refactor: rename function

Author: Itai Levi

package-lock.json

@@ -5,7 +5,7 @@
         "type": "git",
         "url": "https://github.com/PropelAuth/javascript"
     },
-    "version": "2.0.16",
+    "version": "2.0.17",
     "keywords": [
         "auth",
         "user",

package.json

@@ -51,8 +51,16 @@ export type LogoutResponse = {
     redirect_to: string
 }
 
-export function fetchAuthenticationInfo(authUrl: string): Promise<AuthenticationInfo | null> {
-    return fetch(`${authUrl}/api/v1/refresh_token`, {
+export function fetchAuthenticationInfo(authUrl: string, activeOrgId?: string): Promise<AuthenticationInfo | null> {
+    const queryParams = new URLSearchParams()
+    if (activeOrgId) {
+        queryParams.append("active_org_id", activeOrgId)
+    }
+    let path = `${authUrl}/api/v1/refresh_token`
+    if (queryParams.toString()) {
+        path += `?${queryParams.toString()}`
+    }
+    return fetch(path, {
         method: "GET",
         credentials: "include",
         headers: {

src/api.ts

@@ -1,11 +1,12 @@
 import { AuthenticationInfo, fetchAuthenticationInfo, logout } from "./api"
+import { runWithRetriesOnAnyError } from "./fetch_retries"
 import { currentTimeSeconds, getLocalStorageNumber, hasLocalStorage, hasWindow } from "./helpers"
-import {runWithRetriesOnAnyError} from "./fetch_retries";
 
 const LOGGED_IN_AT_KEY = "__PROPEL_AUTH_LOGGED_IN_AT"
 const LOGGED_OUT_AT_KEY = "__PROPEL_AUTH_LOGGED_OUT_AT"
 const AUTH_TOKEN_REFRESH_BEFORE_EXPIRATION_SECONDS = 10 * 60
 const DEBOUNCE_DURATION_FOR_REFOCUS_SECONDS = 60
+const ACTIVE_ORG_ACCESS_TOKEN_REFRESH_EXPIRATION_SECONDS = 60 * 5
 
 const encodeBase64 = (str: string) => {
     const encode = window ? window.btoa : btoa
@@ -38,6 +39,20 @@ export interface RedirectToSetupSAMLPageOptions {
     redirectBackToUrl?: string
 }
 
+export type AccessTokenForActiveOrg =
+    | {
+          error: undefined
+          accessToken: string
+      }
+    | {
+          error: "user_not_in_org"
+          accessToken: never
+      }
+    | {
+          error: "unexpected_error"
+          accessToken: never
+      }
+
 export interface IAuthClient {
     /**
      * If the user is logged in, this method returns an access token, the time (in seconds) that the token will expire,
@@ -88,6 +103,11 @@ export interface IAuthClient {
      */
     getSetupSAMLPageUrl(orgId: string): string
 
+    /**
+     * Gets an access token for a specific organization, known as an Active Org.
+     */
+    getAccessTokenForOrg(orgId: string): Promise<AccessTokenForActiveOrg>
+
     /**
      * Redirects the user to the signup page.
      */
@@ -160,6 +180,13 @@ export interface IAuthOptions {
     enableBackgroundTokenRefresh?: boolean
 }
 
+interface AccessTokenActiveOrgMap {
+    [orgId: string]: {
+        accessToken: string
+        fetchedAt: number
+    }
+}
+
 interface ClientState {
     initialLoadFinished: boolean
     authenticationInfo: AuthenticationInfo | null
@@ -169,6 +196,7 @@ interface ClientState {
     lastLoggedOutAtMessage: number | null
     refreshInterval: number | null
     lastRefresh: number | null
+    accessTokenActiveOrgMap: AccessTokenActiveOrgMap
     readonly authUrl: string
 }
 
@@ -201,6 +229,7 @@ export function createClient(authOptions: IAuthOptions): IAuthClient {
         authUrl: authOptions.authUrl,
         refreshInterval: null,
         lastRefresh: null,
+        accessTokenActiveOrgMap: {},
     }
 
     // Helper functions
@@ -248,6 +277,13 @@ export function createClient(authOptions: IAuthOptions): IAuthClient {
         }
     }
 
+    /**
+     * Invalidates all org's access tokens.
+     */
+    function resetAccessTokenActiveOrgMap() {
+        clientState.accessTokenActiveOrgMap = {}
+    }
+
     function setAuthenticationInfoAndUpdateDownstream(authenticationInfo: AuthenticationInfo | null) {
         const previousAccessToken = clientState.authenticationInfo?.accessToken
         clientState.authenticationInfo = authenticationInfo
@@ -265,14 +301,18 @@ export function createClient(authOptions: IAuthOptions): IAuthClient {
             notifyObserversOfAccessTokenChange(accessToken)
         }
 
+        resetAccessTokenActiveOrgMap()
+
         clientState.lastRefresh = currentTimeSeconds()
         clientState.initialLoadFinished = true
     }
 
     async function forceRefreshToken(returnCached: boolean): Promise<AuthenticationInfo | null> {
         try {
             // Happy case, we fetch auth info and save it
-            const authenticationInfo = await runWithRetriesOnAnyError(() => fetchAuthenticationInfo(clientState.authUrl))
+            const authenticationInfo = await runWithRetriesOnAnyError(() =>
+                fetchAuthenticationInfo(clientState.authUrl)
+            )
             setAuthenticationInfoAndUpdateDownstream(authenticationInfo)
             return authenticationInfo
         } catch (e) {
@@ -449,6 +489,52 @@ export function createClient(authOptions: IAuthOptions): IAuthClient {
             }
         },
 
+        async getAccessTokenForOrg(orgId: string): Promise<AccessTokenForActiveOrg> {
+            // First, check if there is a valid access token for the org ID in the
+            // valid time frame.
+            const currentTimeSecs = currentTimeSeconds()
+
+            const activeOrgAccessToken = clientState.accessTokenActiveOrgMap[orgId]
+            if (!!activeOrgAccessToken) {
+                if (
+                    currentTimeSecs <
+                    activeOrgAccessToken.fetchedAt + ACTIVE_ORG_ACCESS_TOKEN_REFRESH_EXPIRATION_SECONDS
+                ) {
+                    return {
+                        accessToken: activeOrgAccessToken.accessToken,
+                        error: undefined,
+                    }
+                }
+            }
+            // Fetch the access token for the org ID and update.
+            try {
+                const authenticationInfo = await runWithRetriesOnAnyError(() =>
+                    fetchAuthenticationInfo(clientState.authUrl, orgId)
+                )
+                if (!authenticationInfo) {
+                    // Only null if 401 unauthorized.
+                    return {
+                        error: "user_not_in_org",
+                        accessToken: null as never,
+                    }
+                }
+                const { accessToken } = authenticationInfo
+                clientState.accessTokenActiveOrgMap[orgId] = {
+                    accessToken,
+                    fetchedAt: currentTimeSecs,
+                }
+                return {
+                    accessToken,
+                    error: undefined,
+                }
+            } catch (e) {
+                return {
+                    error: "unexpected_error",
+                    accessToken: null as never,
+                }
+            }
+        },
+
         getSignupPageUrl(options?: RedirectToSignupOptions): string {
             return getSignupPageUrl(options)
         },

src/client.ts

@@ -2,6 +2,7 @@ export type { AccessHelper, AccessHelperWithOrg } from "./access_helper"
 export type { AuthenticationInfo, User } from "./api"
 export { createClient } from "./client"
 export type {
+    AccessTokenForActiveOrg,
     IAuthClient,
     IAuthOptions,
     RedirectToAccountOptions,