From 4ae7f99264d1ed71ed3154de1f2090c1160f4d10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89tienne=20L=C3=A9vesque?=
Date: Sat, 17 May 2025 16:47:24 -0400
Subject: [PATCH] fix: Fixes the implicit OAuth flow not waiting for user to authenticate (#8)
---
 plugins/auth-oauth2/src/grants/implicit.ts | 24 ++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/plugins/auth-oauth2/src/grants/implicit.ts b/plugins/auth-oauth2/src/grants/implicit.ts
index a54d1964..592f875f 100644
--- a/plugins/auth-oauth2/src/grants/implicit.ts
+++ b/plugins/auth-oauth2/src/grants/implicit.ts
@@ -31,7 +31,7 @@ export function getImplicit(
 }
 const authorizationUrl = new URL(`${authorizationUrlRaw ?? ''}`);
- authorizationUrl.searchParams.set('response_type', 'code');
+ authorizationUrl.searchParams.set('response_type', 'token');
 authorizationUrl.searchParams.set('client_id', clientId);
 if (redirectUri) authorizationUrl.searchParams.set('redirect_uri', redirectUri);
 if (scope) authorizationUrl.searchParams.set('scope', scope);
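Review bot: The literal `'token'` on the `response_type` line carries no comment tying it to the fragment parsing in `onNavigate`, and the value it replaces (`'code'`) was exactly that kind of mismatch between request and handler. I would add `// Implicit grant (RFC 6749 §4.2.1): the token comes back in the redirect fragment, which onNavigate parses` above it so the two stay in step. getImplicit's body starts and ends outside this hunk.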
@@ -42,25 +42,33 @@ export function getImplicit(
 }
 const authorizationUrlStr = authorizationUrl.toString();
+ let foundAccessToken = false;
 let { close } = await ctx.window.openUrl({
 url: authorizationUrlStr,
 label: 'oauth-authorization-url',
+ async onClose() {
+ if (!foundAccessToken) {
+ reject(new Error('Authorization window closed'));
+ }
+ },
 async onNavigate({ url: urlStr }) {
 const url = new URL(urlStr);
 if (url.searchParams.has('error')) {
 return reject(Error(`Failed to authorize: ${url.searchParams.get('error')}`));
 }
+ const hash = url.hash.slice(1);
+ const params = new URLSearchParams(hash);
+
+ const accessToken = params.get('access_token');
+ if (!accessToken) {
+ return;
+ }
+ foundAccessToken = true;
+
 // Close the window here, because we don't need it anymore
 close();
- const hash = url.hash.slice(1);
- const params = new URLSearchParams(hash);
- const idToken = params.get('id_token');
- if (idToken) {
- params.set('access_token', idToken);
- params.delete('id_token');
- }
 const response = Object.fromEntries(params) as unknown as AccessTokenRawResponse;
 try {
 resolve(await storeToken(ctx, contextId, response));
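Review bot: The error check in `onNavigate` still reads only `url.searchParams`, but with `response_type=token` the authorization server returns errors in the fragment (RFC 6749 §4.2.2.1), so a denial such as `#error=access_denied` falls through the new `if (!accessToken) return;` and the user only ever sees "Authorization window closed". Building `params` from the fragment before that check and using `const error = params.get('error') ?? url.searchParams.get('error');` for the existing rejection would cover both places. The handler also takes an `access_token` from the fragment of any URL the window navigates to; comparing `url.origin + url.pathname` with `redirectUri` when one is set, and checking the returned `state` if the request sends one (not visible in this hunk), would keep a token supplied by an unrelated page out of `storeToken`. The `try` block and the rest of getImplicit continue outside the hunk.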