Multiple Instances in MSAL Pt. 2: Further improvements to cache strategy

lib/msal-core/README.md

@@ -11,15 +11,34 @@ The MSAL library for JavaScript enables client-side JavaScript web applications,
 [![Build Status](https://travis-ci.org/AzureAD/microsoft-authentication-library-for-js.png?branch=dev)](https://travis-ci.org/AzureAD/microsoft-authentication-library-for-js)[![npm version](https://img.shields.io/npm/v/msal.svg?style=flat)](https://www.npmjs.com/package/msal)[![npm version](https://img.shields.io/npm/dm/msal.svg)](https://nodei.co/npm/msal/)
 
 ## Installation
-Via NPM:
+### Via NPM:
 
     npm install msal
 
-Via CDN:
+### Via Latest Microsoft CDN Version:
 
     <!-- Latest compiled and minified JavaScript -->
-    <script src="https://secure.aadcdn.microsoftonline-p.com/lib/<version>/js/msal.js"></script>
-    <script src="https://secure.aadcdn.microsoftonline-p.com/lib/<version>/js/msal.min.js"></script>
+    <script type="text/javascript" src="https://alcdn.msauth.net/lib/1.1.3/js/msal.js"></script>
+    <script type="text/javascript" src="https://alcdn.msauth.net/lib/1.1.3/js/msal.min.js"></script>
+
+    <!-- Alternate region URLs -->
+    <script type="text/javascript" src="https://alcdn.msftauth.net/lib/1.1.3/js/msal.js"></script>
+    <script type="text/javascript" src="https://alcdn.msftauth.net/lib/1.1.3/js/msal.min.js"></script>
+
+### Via Latest Microsoft CDN Version (with SRI Hash):
+
+    <!-- Latest compiled and minified JavaScript -->
+    <script type="text/javascript" src="https://alcdn.msauth.net/lib/1.1.3/js/msal.js" integrity="sha384-3cT22wEPS/umVHpe5hGwbRF8PLObcSXaaFncKfbzutTBzn/aEMQ6aIlxaa6J2TG1" crossorigin="anonymous"></script>
+    <script type="text/javascript" src="https://alcdn.msauth.net/lib/1.1.3/js/msal.min.js" integrity="sha384-kYijiCrNWywvKX1VI7259ktIf0ebXhlDeVD2dBEX+GeVbmY1GEboq3dsDDvYuDP/" crossorigin="anonymous"></script>
+
+    <!-- Alternate region URLs -->
+    <script type="text/javascript" src="https://alcdn.msftauth.net/lib/1.1.3/js/msal.js" integrity="sha384-3cT22wEPS/umVHpe5hGwbRF8PLObcSXaaFncKfbzutTBzn/aEMQ6aIlxaa6J2TG1" crossorigin="anonymous"></script>
+    <script type="text/javascript" src="https://alcdn.msftauth.net/lib/1.1.3/js/msal.min.js" integrity="sha384-kYijiCrNWywvKX1VI7259ktIf0ebXhlDeVD2dBEX+GeVbmY1GEboq3dsDDvYuDP/" crossorigin="anonymous"></script>
+
+#### Notes: 
+- [Subresource Integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) attributes are optional in the script tag.
+- All hashes are unique to the version of MSAL. You can find the previous hashes on the [MSAL Wiki page](https://github.com/AzureAD/microsoft-authentication-library-for-js/wiki/MSAL-JS-CDN-URL-and-SRI-Hash).
+- We recommend including the SRI Hash with all script tags when using `msal.js` or `msal.min.js` (including when using a third-party CDN). When providing the SRI Hash, you *must* also provide the `crossorigin="anonymous"` field in the same tag.
 
 Internet Explorer does not have native `Promise` support, and so you will need to include a polyfill for promises such as `bluebird`.
 
@@ -65,7 +84,7 @@ After instantiating your instance, if you plan on using a redirect flow (`loginR
 ```JavaScript
     import * as Msal from "msal";
     // if using cdn version, 'Msal' will be available in the global scope
-    
+
     const msalConfig = {
         auth: {
             clientId: 'your_client_id'
@@ -189,26 +208,6 @@ You can learn further details about MSAL.js functionality documented in the [MSA
 
 You can learn further details about MSAL.js functionality documented in the [MSAL Wiki](https://github.com/AzureAD/microsoft-authentication-library-for-js/wiki) and find complete [code samples](https://github.com/AzureAD/microsoft-authentication-library-for-js/wiki/Samples).
 
-## Community Help and Support
-
-- [FAQs](https://github.com/AzureAD/microsoft-authentication-library-for-js/wiki/FAQs) for access to our frequently asked questions
-
-- [Stack Overflow](http://stackoverflow.com/questions/tagged/msal) using "msal" and "msal.js" tag.
-
-We highly recommend you ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before.
-
-- [GitHub Issues](../../issues) for reporting a bug or feature requests
-
-- [User Voice page](https://feedback.azure.com/forums/169401-azure-active-directory) to provide recommendations and/or feedback
-
-## Contribute
-
-We enthusiastically welcome contributions and feedback. Please read the [contributing guide](contributing.md) before you begin.
-
-## Security Library
-
-This library controls how users sign-in and access services. We recommend you always take the latest version of our library in your app when possible. We use [semantic versioning](http://semver.org) so you can control the risk associated with updating your app. As an example, always downloading the latest minor version number (e.g. x.*y*.x) ensures you get the latest security and feature enhanements but our API surface remains the same. You can always see the latest version and release notes under the Releases tab of GitHub.
-
 ## Security Reporting
 
 If you find a security issue with our libraries or services please report it to [[email protected]](mailto:[email protected]) with as much detail as possible. Your submission may be eligible for a bounty through the [Microsoft Bounty](http://aka.ms/bugbounty) program. Please do not post security issues to GitHub Issues or any other public site. We will contact you shortly upon receiving the information. We encourage you to get notifications of when security incidents occur by visiting [this page](https://technet.microsoft.com/en-us/security/dd252948) and subscribing to Security Advisory Alerts.

lib/msal-core/src/Configuration.ts

@@ -9,6 +9,7 @@ import { TelemetryEmitter } from "./telemetry/TelemetryTypes";
 
 /**
  * Cache location options supported by MSAL are:
+ *
  * - local storage: MSAL uses browsers local storage to store its cache
  * - session storage: MSAL uses the browsers session storage to store its cache
  */
@@ -30,7 +31,6 @@ const NAVIGATE_FRAME_WAIT = 500;
  *  - redirectUri                 - The redirect URI of the application, this should be same as the value in the application registration portal.Defaults to `window.location.href`.
  *  - postLogoutRedirectUri       - Used to redirect the user to this location after logout. Defaults to `window.location.href`.
  *  - navigateToLoginRequestUrl   - Used to turn off default navigation to start page after login. Default is true. This is used only for redirect flows.
- *
  */
 export type AuthOptions = {
     clientId: string;
@@ -54,6 +54,7 @@ export type CacheOptions = {
 
 /**
  * Telemetry Config Options
+ *
  * - applicationName              - Name of the consuming apps application
  * - applicationVersion           - Verison of the consuming application
  * - telemetryEmitter             - Function where telemetry events are flushed to
@@ -95,6 +96,18 @@ export type FrameworkOptions = {
     protectedResourceMap?: Map<string, Array<string>>;
 };
 
+/**
+ * Options to specify communication between embedded (iframed) apps and the Top Frame
+ *
+ * - topFrameOrigin             - origin check to restrict messages to the top frame origin only
+ * - consentNeeded              - indicates if the library needs consent from the topframe to delegate interaction from the embedded (iframe) application
+ */
+export type BrokerOptions = {
+    topFrameOrigin?: string;
+    embeddedFrameOrigin?: string;
+    consentNeeded?: boolean;
+};
+
 /**
  * Use the configuration object to configure MSAL and initialize the UserAgentApplication.
  *
@@ -103,20 +116,22 @@ export type FrameworkOptions = {
  * - cache: this is where you configure cache location and whether to store cache in cookies
  * - system: this is where you can configure the logger, frame timeout etc.
  * - framework: this is where you can configure the running mode of angular. More to come here soon.
+ * - broker: this is where you can configure broker options if your application resides in an iframe and needs the topframe for interaction flows (redirect APIs only)
  */
 export type Configuration = {
     auth: AuthOptions,
     cache?: CacheOptions,
     system?: SystemOptions,
-    framework?: FrameworkOptions
+    framework?: FrameworkOptions,
+    broker?: BrokerOptions
 };
 
 const DEFAULT_AUTH_OPTIONS: AuthOptions = {
     clientId: "",
     authority: null,
     validateAuthority: true,
-    redirectUri: () => UrlUtils.getDefaultRedirectUri(),
-    postLogoutRedirectUri: () => UrlUtils.getDefaultRedirectUri(),
+    redirectUri: () => UrlUtils.getCurrentUri(),
+    postLogoutRedirectUri: () => UrlUtils.getCurrentUri(),
     navigateToLoginRequestUrl: true
 };
 
@@ -138,23 +153,30 @@ const DEFAULT_FRAMEWORK_OPTIONS: FrameworkOptions = {
     protectedResourceMap: new Map<string, Array<string>>()
 };
 
+const DEFAULT_BROKER_OPTIONS: BrokerOptions = {
+    topFrameOrigin: null,
+    embeddedFrameOrigin: null,
+    consentNeeded: false
+};
+
 /**
  * MSAL function that sets the default options when not explicitly configured from app developer
  *
- * @param TAuthOptions
- * @param TCacheOptions
- * @param TSystemOptions
- * @param TFrameworkOptions
+ * @param AuthOptions
+ * @param CacheOptions
+ * @param SystemOptions
+ * @param FrameworkOptions
+ * @param BrokerOptions
  *
- * @returns TConfiguration object
+ * @returns Configuration object
  */
-
-export function buildConfiguration({ auth, cache = {}, system = {}, framework = {}}: Configuration): Configuration {
+export function buildConfiguration({ auth, cache = {}, system = {}, framework = {}, broker = {}}: Configuration): Configuration {
     const overlayedConfig: Configuration = {
         auth: { ...DEFAULT_AUTH_OPTIONS, ...auth },
         cache: { ...DEFAULT_CACHE_OPTIONS, ...cache },
         system: { ...DEFAULT_SYSTEM_OPTIONS, ...system },
-        framework: { ...DEFAULT_FRAMEWORK_OPTIONS, ...framework }
+        framework: { ...DEFAULT_FRAMEWORK_OPTIONS, ...framework },
+        broker: { ...DEFAULT_BROKER_OPTIONS, ...broker }
     };
     return overlayedConfig;
 }

lib/msal-core/src/ServerRequestParameters.ts

@@ -137,7 +137,7 @@ export class ServerRequestParameters {
      * @param request
      */
     private validatePromptParameter (prompt: string) {
-        if (!([PromptState.LOGIN, PromptState.SELECT_ACCOUNT, PromptState.CONSENT, PromptState.NONE].indexOf(prompt) >= 0)) {
+        if ([PromptState.LOGIN, PromptState.SELECT_ACCOUNT, PromptState.CONSENT, PromptState.NONE].indexOf(prompt) < 0) {
             throw ClientConfigurationError.createInvalidPromptError(prompt);
         }
     }