IPPEnterpriseAuthProvider.sys.mjs

Enable keyboard shortcuts

/* This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this

 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

import { XPCOMUtils } from "resource://gre/modules/XPCOMUtils.sys.mjs";

import { IPPAuthProvider } from "moz-src:///toolkit/components/ipprotection/IPPAuthProvider.sys.mjs";

import {

  ProxyPass,

  ProxyUsage,

} from "moz-src:///toolkit/components/ipprotection/GuardianTypes.sys.mjs";

const lazy = {};

ChromeUtils.defineESModuleGetters(lazy, {

  IPProtectionService:

    "moz-src:///toolkit/components/ipprotection/IPProtectionService.sys.mjs",

});

ChromeUtils.defineLazyGetter(lazy, "logConsole", () =>

  console.createInstance({

    prefix: "IPPEnterpriseAuthProvider",

    maxLogLevel: Services.prefs.getBoolPref("browser.ipProtection.log", false)

      ? "Debug"

      : "Warn",

})

);

/**

 * Enterprise / Access-Connector implementation of IPPAuthProvider.

 * The enterprise build always treats the user as signed-in and entitled. The

 * OAuth token comes from `Services.felt`, registered by

 * `browser/extensions/felt/api.js`. fetchProxyPass hits the access-connector

 * endpoint configured by `browser.ipProtection.guardian.endpoint` (same pref

 * and route as Guardian, but a different backend that does not emit

 * `X-Quota-*` headers — hence usage is canned, not parsed).

*/

class IPPEnterpriseAuthProviderSingleton extends IPPAuthProvider {

  constructor() {

    super();

    XPCOMUtils.defineLazyPreferenceGetter(

      this,

      "accessConnectorEndpoint",

      "browser.ipProtection.guardian.endpoint",

      "https://vpn.mozilla.com"

);

/**

   * @param {AbortSignal} [abortSignal]

   * @returns {{token: string} & Disposable}

*/

  // eslint-disable-next-line require-await

  async getToken(abortSignal = null) {

    abortSignal?.throwIfAborted();

    // Services.felt is registered by browser/extensions/felt/api.js, which is

    // only built into enterprise builds, hence the eslint exception.

    // eslint-disable-next-line mozilla/valid-services

    const felt = Services.felt;

    if (!felt) {

      throw new Error(

        "IPPEnterpriseAuthProvider: Services.felt is not available"

);

    return {

      token: felt.getAccessTokenIfValid(),

      [Symbol.dispose]: () => {},

};

/**

   * @param {AbortSignal} [abortSignal]

   * @returns {Promise<ProxyUsage>}

*/

  // eslint-disable-next-line require-await

  async fetchProxyUsage(abortSignal = null) {

    abortSignal?.throwIfAborted();

    const reset = Temporal.Now.zonedDateTimeISO()

      .add(Temporal.Duration.from({ days: 30 }))

      .toString();

    return new ProxyUsage("1000000", "1000000", reset);

/**

   * Fetches a proxy pass from the access-connector backend.

   * @param {AbortSignal} [abortSignal]

   * @returns {Promise<{pass?: ProxyPass, status?: number, usage: null, error?: string}>}

*/

  async fetchProxyPass(abortSignal = null) {

    using tokenHandle = await this.getToken(abortSignal);

    const response = await fetch(this.#tokenURL, {

      method: "GET",

      cache: "no-cache",

      headers: {

        Authorization: `Bearer ${tokenHandle.token}`,

        "Content-Type": "application/json",

},

      signal: abortSignal,

});

    if (!response) {

      return { error: "login_needed", usage: null };

    const status = response.status;

    if (!response.ok) {

      return { status, error: `status_${status}`, usage: null };

    try {

      const pass = await ProxyPass.fromResponse(response);

      if (!pass) {

        return { status, error: "invalid_response", usage: null };

      return { pass, status, usage: null };

    } catch (error) {

      lazy.logConsole.error("Error parsing pass:", error);

      return { status, error: "parse_error", usage: null };

  get #tokenURL() {

    const url = new URL(this.accessConnectorEndpoint);

    url.pathname = "/api/v1/fpn/token";

    return url;

  // eslint-disable-next-line require-await

  async enroll() {

    this.dispatchEvent(

      new CustomEvent("IPPAuthProvider:StateChanged", {

        bubbles: true,

        composed: true,

})

);

    return { isEnrolledAndEntitled: true };

  async aboutToStart() {

    return null;

  init() {}

  // eslint-disable-next-line require-await

  async initOnStartupCompleted() {

    this.dispatchEvent(

      new CustomEvent("IPPAuthProvider:StateChanged", {

        bubbles: true,

        composed: true,

})

);

    lazy.IPProtectionService.updateState();

  uninit() {}

  get helpers() {

    return [this];

  get isReady() {

    return true;

  get hasUpgraded() {

    return true;

  get maxBytes() {

    return BigInt(1000000);

  get isEnrolling() {

    return false;

  // eslint-disable-next-line require-await

  async checkForUpgrade() {}

  get excludedUrlPrefs() {

    return [];

const IPPEnterpriseAuthProvider = new IPPEnterpriseAuthProviderSingleton();

export { IPPEnterpriseAuthProvider, IPPEnterpriseAuthProviderSingleton };