add-cms

source/admin/packages/decap-cms-lib-auth/CHANGELOG.md

@@ -0,0 +1,212 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
+
+## [3.0.6](https://github.com/decaporg/decap-cms/compare/decap-cms-lib-auth@3.0.5...decap-cms-lib-auth@3.0.6) (2025-07-31)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+## [3.0.5](https://github.com/decaporg/decap-cms/compare/decap-cms-lib-auth@3.0.4...decap-cms-lib-auth@3.0.5) (2024-03-21)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+## [3.0.4](https://github.com/decaporg/decap-cms/compare/decap-cms-lib-auth@3.0.3...decap-cms-lib-auth@3.0.4) (2024-02-21)
+
+### Bug Fixes
+
+- gitlab pkce auth error ([#7110](https://github.com/decaporg/decap-cms/issues/7110)) ([bcd58d6](https://github.com/decaporg/decap-cms/commit/bcd58d6e117b4654b3e0dca173f7f8aaca8dabdf))
+
+## [3.0.3](https://github.com/decaporg/decap-cms/compare/decap-cms-lib-auth@3.0.3-beta.1...decap-cms-lib-auth@3.0.3) (2024-02-01)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+## [3.0.3-beta.1](https://github.com/decaporg/decap-cms/compare/decap-cms-lib-auth@3.0.3-beta.0...decap-cms-lib-auth@3.0.3-beta.1) (2024-01-31)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+## [3.0.3-beta.0](https://github.com/decaporg/decap-cms/compare/decap-cms-lib-auth@3.0.2...decap-cms-lib-auth@3.0.3-beta.0) (2024-01-16)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+## [3.0.2](https://github.com/decaporg/decap-cms/compare/decap-cms-lib-auth@3.0.0...decap-cms-lib-auth@3.0.2) (2023-10-20)
+
+### Features
+
+- **backend:** add gitea backend ([#6808](https://github.com/decaporg/decap-cms/issues/6808)) ([0d89a58](https://github.com/decaporg/decap-cms/commit/0d89a58e93f64f868ff3e4e8f0945ccf166ad738))
+
+## [3.0.1](https://github.com/decaporg/decap-cms/compare/decap-cms-lib-auth@3.0.0...decap-cms-lib-auth@3.0.1) (2023-10-20)
+
+### Features
+
+- **backend:** add gitea backend ([#6808](https://github.com/decaporg/decap-cms/issues/6808)) ([0d89a58](https://github.com/decaporg/decap-cms/commit/0d89a58e93f64f868ff3e4e8f0945ccf166ad738))
+
+# [3.0.0](https://github.com/decaporg/decap-cms/compare/decap-cms-lib-auth@2.5.0...decap-cms-lib-auth@3.0.0) (2023-08-18)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+# [2.5.0](https://github.com/decaporg/decap-cms/compare/decap-cms-lib-auth@2.5.0-beta.0...decap-cms-lib-auth@2.5.0) (2023-08-18)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+# 2.5.0-beta.0 (2023-08-18)
+
+### Features
+
+- rename packages ([#6863](https://github.com/decaporg/decap-cms/issues/6863)) ([d515e7b](https://github.com/decaporg/decap-cms/commit/d515e7bd33216a775d96887b08c4f7b1962941bb))
+
+## [2.4.3-beta.0](https://github.com/decaporg/decap-cms/compare/decap-cms-lib-auth@2.4.2...decap-cms-lib-auth@2.4.3-beta.0) (2023-07-27)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+## [2.4.2](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.4.1...decap-cms-lib-auth@2.4.2) (2021-06-01)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+## [2.4.1](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.4.0...decap-cms-lib-auth@2.4.1) (2021-05-19)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+# [2.4.0](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.3.0...decap-cms-lib-auth@2.4.0) (2021-04-14)
+
+### Features
+
+- Adds PKCE authentication for GitLab closes [#5236](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/issues/5236) ([#5239](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/issues/5239)) ([829409e](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/commit/829409e0bc03b4591ee6b59d9895adc4e7190037))
+
+# [2.3.0](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.2.12...decap-cms-lib-auth@2.3.0) (2020-11-26)
+
+### Features
+
+- add azure devops backend ([#4427](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/issues/4427)) ([4e6dc88](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/commit/4e6dc88efb1dae4cf6137730c3b4fb6d0f75a8cc))
+
+## [2.2.12](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.2.11...decap-cms-lib-auth@2.2.12) (2020-09-15)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+## 2.2.11 (2020-09-08)
+
+### Reverts
+
+- Revert "chore(release): publish" ([828bb16](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/commit/828bb16415b8c22a34caa19c50c38b24ffe9ceae))
+
+## 2.2.10 (2020-08-20)
+
+### Reverts
+
+- Revert "chore(release): publish" ([8262487](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/commit/82624879ccbcb16610090041db28f00714d924c8))
+
+## 2.2.9 (2020-07-27)
+
+### Reverts
+
+- Revert "chore(release): publish" ([118d50a](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/commit/118d50a7a70295f25073e564b5161aa2b9883056))
+
+## [2.2.8](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.2.7...decap-cms-lib-auth@2.2.8) (2020-04-01)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+## [2.2.7](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.2.6...decap-cms-lib-auth@2.2.7) (2020-01-14)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+## [2.2.6](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.2.6-beta.0...decap-cms-lib-auth@2.2.6) (2019-12-18)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+## [2.2.6-beta.0](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.2.5...decap-cms-lib-auth@2.2.6-beta.0) (2019-12-02)
+
+### Bug Fixes
+
+- pass auth type in authURL to be used in identity widget ([#2920](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/issues/2920)) ([87b4d0f](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/commit/87b4d0f7657df83ba25a9d4ab23b878dc3324b86))
+
+## [2.2.5](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.2.4...decap-cms-lib-auth@2.2.5) (2019-11-18)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+## [2.2.4](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.2.3...decap-cms-lib-auth@2.2.4) (2019-07-24)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+## [2.2.3](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.2.2...decap-cms-lib-auth@2.2.3) (2019-06-26)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+## [2.2.2](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.2.2-beta.0...decap-cms-lib-auth@2.2.2) (2019-04-10)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+## [2.2.2-beta.0](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.2.1...decap-cms-lib-auth@2.2.2-beta.0) (2019-04-05)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+## [2.2.1](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.2.1-beta.1...decap-cms-lib-auth@2.2.1) (2019-03-29)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+## [2.2.1-beta.1](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.2.1-beta.0...decap-cms-lib-auth@2.2.1-beta.1) (2019-03-26)
+
+### Bug Fixes
+
+- export on decap-cms and maps on esm ([#2244](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/issues/2244)) ([6ffd13b](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/commit/6ffd13b))
+
+## [2.2.1-beta.0](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.2.0...decap-cms-lib-auth@2.2.1-beta.0) (2019-03-25)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+# [2.2.0](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.1.0...decap-cms-lib-auth@2.2.0) (2019-03-22)
+
+### Features
+
+- add ES module builds ([#2215](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/issues/2215)) ([d142b32](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/commit/d142b32))
+
+# [2.1.0](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.1.0-beta.0...decap-cms-lib-auth@2.1.0) (2019-03-22)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+# [2.1.0-beta.0](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.0.6-beta.0...decap-cms-lib-auth@2.1.0-beta.0) (2019-03-21)
+
+### Features
+
+- provide usable UMD builds for all packages ([#2141](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/issues/2141)) ([82cc794](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/commit/82cc794))
+
+## [2.0.6-beta.0](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.0.5...decap-cms-lib-auth@2.0.6-beta.0) (2019-03-15)
+
+### Features
+
+- upgrade to Emotion 10 ([#2166](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/issues/2166)) ([ccef446](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/commit/ccef446))
+
+## [2.0.5](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.0.4...decap-cms-lib-auth@2.0.5) (2018-11-12)
+
+### Bug Fixes
+
+- **auth:** scrollbars not appearing in auth window ([#1766](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/issues/1766)) ([8176243](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/commit/8176243))
+
+<a name="2.0.4"></a>
+
+## [2.0.4](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.0.3...decap-cms-lib-auth@2.0.4) (2018-08-24)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+<a name="2.0.3"></a>
+
+## [2.0.3](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.0.2...decap-cms-lib-auth@2.0.3) (2018-08-01)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+<a name="2.0.2"></a>
+
+## [2.0.2](https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth/compare/decap-cms-lib-auth@2.0.1...decap-cms-lib-auth@2.0.2) (2018-07-28)
+
+**Note:** Version bump only for package decap-cms-lib-auth
+
+<a name="2.0.1"></a>
+
+## 2.0.1 (2018-07-26)
+
+<a name="2.0.0"></a>
+
+# 2.0.0 (2018-07-26)
+
+### Bug Fixes
+
+- **bitbucket:** fix rebasing mistakes in bitbucket backend and deps ([#1522](https://github.com/decaporg/decap-cms/issues/1522)) ([bdfd944](https://github.com/decaporg/decap-cms/commit/bdfd944))

source/admin/packages/decap-cms-lib-auth/README.md

@@ -0,0 +1,3 @@
+# Lib Auth
+
+Shared components to handle OAuth and implicit authentication flows.

source/admin/packages/decap-cms-lib-auth/index.d.ts

@@ -0,0 +1,11 @@
+declare module 'decap-cms-lib-auth' {
+  class NetlifyAuthenticator {
+    constructor(config = {});
+
+    refresh: (args: {
+      provider: string;
+      refresh_token: string;
+    }) => Promise<{ token: string; refresh_token: string }>;
+  }
+  export { NetlifyAuthenticator };
+}

source/admin/packages/decap-cms-lib-auth/package.json

@@ -0,0 +1,28 @@
+{
+  "name": "decap-cms-lib-auth",
+  "description": "Shared authentication functionality for Decap CMS.",
+  "version": "3.0.6",
+  "repository": "https://github.com/decaporg/decap-cms/tree/main/packages/decap-cms-lib-auth",
+  "bugs": "https://github.com/decaporg/decap-cms/issues",
+  "module": "dist/esm/index.js",
+  "main": "dist/decap-cms-lib-auth.js",
+  "license": "MIT",
+  "files": [
+    "src/",
+    "dist/"
+  ],
+  "keywords": [
+    "decap-cms"
+  ],
+  "sideEffects": false,
+  "scripts": {
+    "develop": "npm run build:esm -- --watch",
+    "build": "cross-env NODE_ENV=production webpack",
+    "build:esm": "cross-env NODE_ENV=esm babel src --out-dir dist/esm --ignore \"**/__tests__\" --root-mode upward"
+  },
+  "peerDependencies": {
+    "immutable": "^3.7.6",
+    "lodash": "^4.17.11",
+    "uuid": "^8.3.2"
+  }
+}

source/admin/packages/decap-cms-lib-auth/src/implicit-oauth.js

@@ -0,0 +1,70 @@
+import { Map } from 'immutable';
+import trim from 'lodash/trim';
+import trimEnd from 'lodash/trimEnd';
+
+import { createNonce, validateNonce, isInsecureProtocol } from './utils';
+
+export default class ImplicitAuthenticator {
+  constructor(config = {}) {
+    const baseURL = trimEnd(config.base_url, '/');
+    const authEndpoint = trim(config.auth_endpoint, '/');
+    this.auth_url = `${baseURL}/${authEndpoint}`;
+    this.appID = config.app_id;
+    this.clearHash = config.clearHash;
+  }
+
+  authenticate(options, cb) {
+    if (isInsecureProtocol()) {
+      return cb(new Error('Cannot authenticate over insecure protocol!'));
+    }
+
+    const authURL = new URL(this.auth_url);
+    authURL.searchParams.set('client_id', this.appID);
+    authURL.searchParams.set('redirect_uri', document.location.origin + document.location.pathname);
+    authURL.searchParams.set('response_type', 'token');
+    authURL.searchParams.set('scope', options.scope);
+
+    if (options.prompt != null && options.prompt != undefined) {
+      authURL.searchParams.set('prompt', options.prompt);
+    }
+
+    if (options.resource != null && options.resource != undefined) {
+      authURL.searchParams.set('resource', options.resource);
+    }
+
+    const state = JSON.stringify({ auth_type: 'implicit', nonce: createNonce() });
+
+    authURL.searchParams.set('state', state);
+
+    document.location.assign(authURL.href);
+  }
+
+  /**
+   * Complete authentication if we were redirected back to from the provider.
+   */
+  completeAuth(cb) {
+    const hashParams = new URLSearchParams(document.location.hash.replace(/^#?\/?/, ''));
+    if (!hashParams.has('access_token') && !hashParams.has('error')) {
+      return;
+    }
+    // Remove tokens from hash so that token does not remain in browser history.
+    this.clearHash();
+
+    const params = Map(hashParams.entries());
+
+    const { nonce } = JSON.parse(params.get('state'));
+    const validNonce = validateNonce(nonce);
+    if (!validNonce) {
+      return cb(new Error('Invalid nonce'));
+    }
+
+    if (params.has('error')) {
+      return cb(new Error(`${params.get('error')}: ${params.get('error_description')}`));
+    }
+
+    if (params.has('access_token')) {
+      const { access_token: token, ...data } = params.toJS();
+      cb(null, { token, ...data });
+    }
+  }
+}

source/admin/packages/decap-cms-lib-auth/src/index.js

@@ -0,0 +1,5 @@
+import NetlifyAuthenticator from './netlify-auth';
+import ImplicitAuthenticator from './implicit-oauth';
+import PkceAuthenticator from './pkce-oauth';
+export const DecapCmsLibAuth = { NetlifyAuthenticator, ImplicitAuthenticator, PkceAuthenticator };
+export { NetlifyAuthenticator, ImplicitAuthenticator, PkceAuthenticator };

source/admin/packages/decap-cms-lib-auth/src/netlify-auth.js

@@ -0,0 +1,165 @@
+import trim from 'lodash/trim';
+import trimEnd from 'lodash/trimEnd';
+
+const NETLIFY_API = 'https://api.netlify.com';
+const AUTH_ENDPOINT = 'auth';
+
+class NetlifyError {
+  constructor(err) {
+    this.err = err;
+  }
+  toString() {
+    return this.err && this.err.message;
+  }
+}
+
+const PROVIDERS = {
+  github: {
+    width: 960,
+    height: 600,
+  },
+  gitlab: {
+    width: 960,
+    height: 600,
+  },
+  bitbucket: {
+    width: 960,
+    height: 500,
+  },
+  email: {
+    width: 500,
+    height: 400,
+  },
+};
+
+class Authenticator {
+  constructor(config = {}) {
+    this.site_id = config.site_id || null;
+    this.base_url = trimEnd(config.base_url, '/') || NETLIFY_API;
+    this.auth_endpoint = trim(config.auth_endpoint, '/') || AUTH_ENDPOINT;
+  }
+
+  handshakeCallback(options, cb) {
+    const fn = e => {
+      if (e.data === 'authorizing:' + options.provider && e.origin === this.base_url) {
+        window.removeEventListener('message', fn, false);
+        window.addEventListener('message', this.authorizeCallback(options, cb), false);
+        return this.authWindow.postMessage(e.data, e.origin);
+      }
+    };
+    return fn;
+  }
+
+  authorizeCallback(options, cb) {
+    const fn = e => {
+      if (e.origin !== this.base_url) {
+        return;
+      }
+
+      if (e.data.indexOf('authorization:' + options.provider + ':success:') === 0) {
+        const data = JSON.parse(
+          e.data.match(new RegExp('^authorization:' + options.provider + ':success:(.+)$'))[1],
+        );
+        window.removeEventListener('message', fn, false);
+        this.authWindow.close();
+        cb(null, data);
+      }
+      if (e.data.indexOf('authorization:' + options.provider + ':error:') === 0) {
+        const err = JSON.parse(
+          e.data.match(new RegExp('^authorization:' + options.provider + ':error:(.+)$'))[1],
+        );
+        window.removeEventListener('message', fn, false);
+        this.authWindow.close();
+        cb(new NetlifyError(err));
+      }
+    };
+    return fn;
+  }
+
+  getSiteID() {
+    if (this.site_id) {
+      return this.site_id;
+    }
+    const host = document.location.host.split(':')[0];
+    return host === 'localhost' ? 'demo.decapcms.org' : host;
+  }
+
+  authenticate(options, cb) {
+    const { provider } = options;
+    const siteID = this.getSiteID();
+
+    if (!provider) {
+      return cb(
+        new NetlifyError({
+          message: 'You must specify a provider when calling netlify.authenticate',
+        }),
+      );
+    }
+    if (!siteID) {
+      return cb(
+        new NetlifyError({
+          message:
+            "You must set a site_id with netlify.configure({site_id: 'your-site-id'}) to make authentication work from localhost",
+        }),
+      );
+    }
+
+    const conf = PROVIDERS[provider] || PROVIDERS.github;
+    const left = screen.width / 2 - conf.width / 2;
+    const top = screen.height / 2 - conf.height / 2;
+    window.addEventListener('message', this.handshakeCallback(options, cb), false);
+    let url = `${this.base_url}/${this.auth_endpoint}?provider=${options.provider}&site_id=${siteID}`;
+    if (options.scope) {
+      url += '&scope=' + options.scope;
+    }
+    if (options.login === true) {
+      url += '&login=true';
+    }
+    if (options.beta_invite) {
+      url += '&beta_invite=' + options.beta_invite;
+    }
+    if (options.invite_code) {
+      url += '&invite_code=' + options.invite_code;
+    }
+    this.authWindow = window.open(
+      url,
+      'Netlify Authorization',
+      `width=${conf.width}, height=${conf.height}, top=${top}, left=${left}`,
+    );
+    this.authWindow.focus();
+  }
+
+  refresh(options, cb) {
+    const { provider, refresh_token } = options;
+    const siteID = this.getSiteID();
+    const onError = cb || Promise.reject.bind(Promise);
+
+    if (!provider || !refresh_token) {
+      return onError(
+        new NetlifyError({
+          message: 'You must specify a provider and refresh token when calling netlify.refresh',
+        }),
+      );
+    }
+    if (!siteID) {
+      return onError(
+        new NetlifyError({
+          message:
+            "You must set a site_id with netlify.configure({site_id: 'your-site-id'}) to make token refresh work from localhost",
+        }),
+      );
+    }
+    const url = `${this.base_url}/${this.auth_endpoint}/refresh?provider=${provider}&site_id=${siteID}&refresh_token=${refresh_token}`;
+    const refreshPromise = fetch(url, { method: 'POST', body: '' }).then(res => res.json());
+
+    // Return a promise if a callback wasn't provided
+    if (!cb) {
+      return refreshPromise;
+    }
+
+    // Otherwise, use the provided callback.
+    refreshPromise.then(data => cb(null, data)).catch(cb);
+  }
+}
+
+export default Authenticator;

source/admin/packages/decap-cms-lib-auth/src/pkce-oauth.js

@@ -0,0 +1,190 @@
+import trim from 'lodash/trim';
+import trimEnd from 'lodash/trimEnd';
+
+import { createNonce, validateNonce, isInsecureProtocol } from './utils';
+
+async function sha256(text) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(text);
+  const digest = await window.crypto.subtle.digest('SHA-256', data);
+  const sha = String.fromCharCode(...new Uint8Array(digest));
+  return sha;
+}
+
+// based on https://github.com/auth0/auth0-spa-js/blob/9a83f698127eae7da72691b0d4b1b847567687e3/src/utils.ts#L147
+function generateVerifierCode() {
+  // characters that can be used for codeVerifier
+  // excludes _~ as if included would cause an uneven distribution as char.length would no longer be a factor of 256
+  const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-.';
+  const randomValues = Array.from(window.crypto.getRandomValues(new Uint8Array(128)));
+  return randomValues
+    .map(val => {
+      return chars[val % chars.length];
+    })
+    .join('');
+}
+
+async function createCodeChallenge(codeVerifier) {
+  const sha = await sha256(codeVerifier);
+  // https://tools.ietf.org/html/rfc7636#appendix-A
+  return btoa(sha).split('=')[0].replace(/\+/g, '-').replace(/\//g, '_');
+}
+
+const CODE_VERIFIER_STORAGE_KEY = 'decap-cms-pkce-verifier-code';
+
+function createCodeVerifier() {
+  const codeVerifier = generateVerifierCode();
+  window.sessionStorage.setItem(CODE_VERIFIER_STORAGE_KEY, codeVerifier);
+  return codeVerifier;
+}
+
+function getCodeVerifier() {
+  return window.sessionStorage.getItem(CODE_VERIFIER_STORAGE_KEY);
+}
+
+function clearCodeVerifier() {
+  window.sessionStorage.removeItem(CODE_VERIFIER_STORAGE_KEY);
+}
+
+export default class PkceAuthenticator {
+  /**
+   *  @typedef {Object} PkceConfig
+   *  @prop {boolean} [use_oidc]
+   *  @prop {string} base_url
+   *  @prop {string} [auth_endpoint]
+   *  @prop {string} [auth_token_endpoint]
+   *  @prop {string} [auth_token_endpoint_content_type]
+   *  @prop {string} app_id
+   */
+
+  /**
+   * @param {PkceConfig} config
+   */
+  constructor(config = {}) {
+    const useOidc = config.use_oidc;
+    const baseURL = trimEnd(config.base_url, '/');
+    const authEndpoint = trim(config.auth_endpoint, '/');
+    const authTokenEndpoint = trim(config.auth_token_endpoint, '/');
+    if (useOidc) {
+      // The code will try to auto-find the correct token/auth endpoints using OIDC standards
+      this.oidc_url = baseURL;
+    } else {
+      this.auth_url = `${baseURL}/${authEndpoint}`;
+      this.auth_token_url = `${baseURL}/${authTokenEndpoint}`;
+    }
+    this.auth_token_endpoint_content_type = config.auth_token_endpoint_content_type;
+    this.appID = config.app_id;
+  }
+
+  async _loadOidcConfig() {
+    if (this.auth_url && this.auth_token_url) return;
+    if (!this.oidc_url) throw new Error('Missing auth URLs');
+
+    const response = await fetch(`${this.oidc_url}/.well-known/openid-configuration`).catch(() => {
+      throw new Error('Failed to load OIDC configuration');
+    });
+    if (!response.ok) {
+      throw new Error('Bad response while getting OIDC configuration');
+    }
+    const json = await response.json().catch(() => {
+      throw new Error('Failed to parse OIDC configuration JSON');
+    });
+    if (!json.authorization_endpoint || !json.token_endpoint) {
+      throw new Error('OIDC configuration missing endpoint fields');
+    }
+    this.auth_url = json.authorization_endpoint;
+    this.auth_token_url = json.token_endpoint;
+  }
+
+  async authenticate(options, cb) {
+    if (isInsecureProtocol()) {
+      return cb(new Error('Cannot authenticate over insecure protocol!'));
+    }
+    try {
+      await this._loadOidcConfig();
+    } catch (err) {
+      return cb(err);
+    }
+
+    const authURL = new URL(this.auth_url);
+    authURL.searchParams.set('client_id', this.appID);
+    authURL.searchParams.set('redirect_uri', document.location.origin + document.location.pathname);
+    authURL.searchParams.set('response_type', 'code');
+    authURL.searchParams.set('scope', options.scope);
+
+    const state = JSON.stringify({ auth_type: 'pkce', nonce: createNonce() });
+
+    authURL.searchParams.set('state', state);
+
+    authURL.searchParams.set('code_challenge_method', 'S256');
+    const codeVerifier = createCodeVerifier();
+    const codeChallenge = await createCodeChallenge(codeVerifier);
+    authURL.searchParams.set('code_challenge', codeChallenge);
+
+    document.location.assign(authURL.href);
+  }
+
+  /**
+   * Complete authentication if we were redirected back to from the provider.
+   */
+  async completeAuth(cb) {
+    const params = new URLSearchParams(document.location.search);
+
+    // Remove code from url
+    window.history.replaceState(null, '', document.location.pathname);
+
+    if (!params.has('code') && !params.has('error')) {
+      return;
+    }
+
+    let nonce;
+    try {
+      nonce = JSON.parse(params.get('state')).nonce;
+    } catch (SyntaxError) {
+      nonce = JSON.parse(params.get('state').replace(/\\"/g, '"')).nonce;
+    }
+
+    const validNonce = validateNonce(nonce);
+    if (!validNonce) {
+      return cb(new Error('Invalid nonce'));
+    }
+
+    if (params.has('error')) {
+      return cb(new Error(`${params.get('error')}: ${params.get('error_description')}`));
+    }
+
+    if (params.has('code')) {
+      try {
+        await this._loadOidcConfig();
+      } catch (err) {
+        return cb(err);
+      }
+
+      const code = params.get('code');
+      const authURL = new URL(this.auth_token_url);
+
+      const token_request_body_object = {
+        client_id: this.appID,
+        code,
+        grant_type: 'authorization_code',
+        redirect_uri: document.location.origin + document.location.pathname,
+        code_verifier: getCodeVerifier(),
+      };
+
+      const response = await fetch(authURL.href, {
+        method: 'POST',
+        body: this.auth_token_endpoint_content_type.startsWith('application/x-www-form-urlencoded')
+          ? new URLSearchParams(Object.entries(token_request_body_object)).toString()
+          : JSON.stringify(token_request_body_object),
+        headers: {
+          'Content-Type': this.auth_token_endpoint_content_type,
+        },
+      });
+      const data = await response.json();
+
+      //no need for verifier code so remove
+      clearCodeVerifier();
+      cb(null, { token: data.access_token, ...data });
+    }
+  }
+}

source/admin/packages/decap-cms-lib-auth/src/utils.js

@@ -0,0 +1,24 @@
+import { v4 as uuid } from 'uuid';
+
+export function createNonce() {
+  const nonce = uuid();
+  window.sessionStorage.setItem('decap-cms-auth', JSON.stringify({ nonce }));
+  return nonce;
+}
+
+export function validateNonce(check) {
+  const auth = window.sessionStorage.getItem('decap-cms-auth');
+  const valid = auth && JSON.parse(auth).nonce;
+  window.localStorage.removeItem('decap-cms-auth');
+  return check === valid;
+}
+
+export function isInsecureProtocol() {
+  return (
+    document.location.protocol !== 'https:' &&
+    // TODO: Is insecure localhost a bad idea as well? I don't think it is, since you are not actually
+    //       sending the token over the internet in this case, assuming the auth URL is secure.
+    document.location.hostname !== 'localhost' &&
+    document.location.hostname !== '127.0.0.1'
+  );
+}

source/admin/packages/decap-cms-lib-auth/webpack.config.js

@@ -0,0 +1,3 @@
+const { getConfig } = require('../../scripts/webpack.js');
+
+module.exports = getConfig();