From 69b854257f71f0657a07c97554ff6d44e3cfa0d7 Mon Sep 17 00:00:00 2001
From: Joseph Garrone
Date: Mon, 21 Oct 2024 00:26:46 +0200
Subject: [PATCH] Impersonation capabilities disabled by default, rename to imperativeImpersonation

---
 src/mock/oidc.ts | 3 ++-
 src/oidc.ts | 27 +++++++++++++++++++++------
 2 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/src/mock/oidc.ts b/src/mock/oidc.ts
index 0e83a98..7113e7a 100644
--- a/src/mock/oidc.ts
+++ b/src/mock/oidc.ts
@@ -175,6 +175,7 @@ export async function createMockOidc<
 }
 : {
 "authMethod": "silent signin"
- })
+ }),
+ "isImperativeImpersonation": false
 });
 }
diff --git a/src/oidc.ts b/src/oidc.ts
index b309781..25ece09 100644
--- a/src/oidc.ts
+++ b/src/oidc.ts
@@ -82,6 +82,7 @@ export declare namespace Oidc {
 subscribeToAutoLogoutCountdown: (
 tickCallback: (params: { secondsLeft: number | undefined }) => void
 ) => { unsubscribeFromAutoLogoutCountdown: () => void };
+ isImperativeImpersonation: boolean;
 } & (
 | {
 /**
@@ -200,6 +201,8 @@ export type ParamsOfCreateOidc<
 autoLogoutParams?: Parameters["logout"]>[0];
 isAuthGloballyRequired?: IsAuthGloballyRequired;
 doEnableDebugLogs?: boolean;
+
+ doAllowImperativeImpersonation?: boolean;
 };
 
 const prOidcByConfigHash = new Map>>();
@@ -315,7 +318,8 @@ export async function createOidc_nonMemoized<
 __unsafe_ssoSessionIdleSeconds,
 autoLogoutParams = { "redirectTo": "current page" },
 isAuthGloballyRequired = false,
- postLoginRedirectUrl
+ postLoginRedirectUrl,
+ doAllowImperativeImpersonation = false
 } = params;
 
 const { issuerUri, clientId, scopes, configHash, log } = preProcessedParams;
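Review bot: The new `isImperativeImpersonation` member on the `Oidc` type (hunk at -82) and the new `doAllowImperativeImpersonation` option in `ParamsOfCreateOidc` (hunk at -200) are both added without a doc comment, even though the option is a security switch. I would put `/** True when maybeImpersonate() accepted an impersonation payload while this instance was being created. */` above the member and `/** Default: false. When true, createOidc runs maybeImpersonate() at startup; enable only where impersonation is intended. */` above the option. What the payload contains and where it is read from is not visible in this patch, so the wording should be checked against the body of `maybeImpersonate` before it is committed.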
@@ -407,7 +411,15 @@ export async function createOidc_nonMemoized<
 await new Promise(() => {});
 }
 
- maybeImpersonate({ configHash });
+ const isImperativeImpersonation = (() => {
+ if (!doAllowImperativeImpersonation) {
+ return false;
+ }
+
+ const { isImperativeImpersonation } = maybeImpersonate({ configHash });
+
+ return isImperativeImpersonation;
+ })();
 
 const oidcClientTsUserManager = new OidcClientTsUserManager({
 configHash,
@@ -1517,7 +1529,8 @@ export async function createOidc_nonMemoized<
 })
 : {
 "authMethod": resultOfLoginProcess.authMethod
- })
+ }),
+ isImperativeImpersonation
 });
 
 {
@@ -1761,7 +1774,7 @@ function oidcClientTsUserToTokens
 return tokens;
 }
 
-function maybeImpersonate(params: { configHash: string }) {
+function maybeImpersonate(params: { configHash: string }): { isImperativeImpersonation: boolean } {
 const { configHash } = params;
 
 const value = (() => {
@@ -1795,7 +1808,7 @@ function maybeImpersonate(params: { configHash: string }) {
 })();
 
 if (value === undefined) {
- return;
+ return { "isImperativeImpersonation": false };
 }
 
 const arr = JSON.parse(decodeBase64(value)) as {
@@ -1845,6 +1858,8 @@ function maybeImpersonate(params: { configHash: string }) {
 })
 );
 
- break;
+ return { "isImperativeImpersonation": true };
 }
+
+ return { "isImperativeImpersonation": false };
 }
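Review bot: When `doAllowImperativeImpersonation` is false the IIFE in the hunk at -407 returns before `maybeImpersonate` is called, so an impersonation payload that is present is ignored without any trace and nothing consumes it. If `maybeImpersonate` is also the code that clears the place the payload is read from (its read side is outside this hunk), the payload would stay there and could be picked up by a later load that has the flag on. Consider passing the flag into `maybeImpersonate` so that, when disabled, it can still detect the payload, discard it and report it through the existing `log` helper, which gives operators a signal that impersonation was attempted against a deployment that does not allow it. The surrounding `createOidc_nonMemoized` body starts and ends outside the hunk.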
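Review bot: The typed early return in the hunk at -1795 covers only a missing value; a value that is present but malformed still reaches `JSON.parse(decodeBase64(value)) as {` on the context line right below, which can throw and whose result is cast with no shape check. Where `value` comes from is not visible here, so it should be treated as untrusted until confirmed. Now that callers receive `isImperativeImpersonation`, a bad payload should be handled explicitly: wrap the decode and parse in `try`/`catch`, check the result with `Array.isArray` before it is used, and `return { "isImperativeImpersonation": false };` on failure. The body of `maybeImpersonate` starts and ends outside this hunk.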