From 83267803705dfb5488e587eaaccffc3d03a71b65 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 22 Jan 2025 13:57:16 +0000
Subject: [PATCH 1/2] delete .RELEASE.md
---
 .RELEASE.md | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 .RELEASE.md
diff --git a/.RELEASE.md b/.RELEASE.md
deleted file mode 100644
index 5de6429..0000000
--- a/.RELEASE.md
+++ /dev/null
@@ -1 +0,0 @@
-- Add `refreshAccessToken()` method to Figma provider ([#258](https://github.com/pilcrowonpaper/arctic/pull/258)).
From 5fec3b9c5a960d22a4f96c8b77bc22a6a06d726f Mon Sep 17 00:00:00 2001
From: pilcrowOnPaper
Date: Thu, 30 Jan 2025 21:17:30 +0900
Subject: [PATCH 2/2] define origin
---
 src/providers/microsoft-entra-id.ts | 75 ++++++++++++++++++++++-------
 1 file changed, 57 insertions(+), 18 deletions(-)
diff --git a/src/providers/microsoft-entra-id.ts b/src/providers/microsoft-entra-id.ts
index faa46ef..d64bcb9 100644
--- a/src/providers/microsoft-entra-id.ts
+++ b/src/providers/microsoft-entra-id.ts
@@ -1,13 +1,19 @@
-import { CodeChallengeMethod, OAuth2Client } from "../client.js";
+import { createS256CodeChallenge } from "../oauth2.js";
+import {
+	createOAuth2Request,
+	encodeBasicCredentials,
+	joinURIAndPath,
+	sendTokenRequest
+} from "../request.js";
 import type { OAuth2Tokens } from "../oauth2.js";
-import { joinURIAndPath } from "../request.js";
 
 export class MicrosoftEntraId {
 	private authorizationEndpoint: string;
 	private tokenEndpoint: string;
-
-	private client: OAuth2Client;
+	private clientId: string;
+	private clientSecret: string | null;
+	private redirectURI: string;
 
 	constructor(tenant: string, clientId: string, clientSecret: string | null, redirectURI: string) {
 		this.authorizationEndpoint = joinURIAndPath(
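Review bot: The three fields added to the class body, `clientId`, `clientSecret` and `redirectURI`, are only ever assigned in the constructor (the assignments are in the next hunk) and nothing in the new code reassigns them, so they should be declared `private readonly clientId: string;`, `private readonly clientSecret: string | null;` and `private readonly redirectURI: string;` to make that invariant explicit and keep the secret from being swapped after construction. The existing `authorizationEndpoint`/`tokenEndpoint` fields have the same property but are outside this change. The class body and constructor continue past the end of this hunk.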
@@ -20,17 +26,23 @@ export class MicrosoftEntraId {
 			tenant,
 			"/oauth2/v2.0/token"
 		);
-		this.client = new OAuth2Client(clientId, clientSecret, redirectURI);
+		this.clientId = clientId;
+		this.clientSecret = clientSecret;
+		this.redirectURI = redirectURI;
 	}
 
 	public createAuthorizationURL(state: string, codeVerifier: string, scopes: string[]): URL {
-		const url = this.client.createAuthorizationURLWithPKCE(
-			this.authorizationEndpoint,
-			state,
-			CodeChallengeMethod.S256,
-			codeVerifier,
-			scopes
-		);
+		const url = new URL(this.authorizationEndpoint);
+		url.searchParams.set("response_type", "code");
+		url.searchParams.set("client_id", this.clientId);
+		url.searchParams.set("redirect_uri", this.redirectURI);
+		url.searchParams.set("state", state);
+		const codeChallenge = createS256CodeChallenge(codeVerifier);
+		url.searchParams.set("code_challenge_method", "S256");
+		url.searchParams.set("code_challenge", codeChallenge);
+		if (scopes.length > 0) {
+			url.searchParams.set("scope", scopes.join(" "));
+		}
 		return url;
 	}
 
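Review bot: `createAuthorizationURL` now builds the PKCE request by hand but carries no documentation of its two security-sensitive inputs: nothing states that `state` and `codeVerifier` must be freshly generated per authorization request from a CSPRNG and stored server-side (or in a secure cookie) so the callback can compare `state` and hand the same `codeVerifier` to `validateAuthorizationCode`. I would add a short TSDoc above the method with `@param state` and `@param codeVerifier` saying exactly that, `@param scopes` noting that an empty array sends no `scope` parameter at all (the `if (scopes.length > 0)` guard), and `@returns` the URL to redirect the user agent to. Whether Entra accepts a request with no `scope` is not something this hunk shows, so the doc should leave it as the caller's responsibility rather than assert it.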
@@ -38,16 +50,43 @@ export class MicrosoftEntraId {
 		code: string,
 		codeVerifier: string
 	): Promise {
-		const tokens = await this.client.validateAuthorizationCode(
-			this.tokenEndpoint,
-			code,
-			codeVerifier
-		);
+		const body = new URLSearchParams();
+		body.set("grant_type", "authorization_code");
+		body.set("code", code);
+		body.set("redirect_uri", this.redirectURI);
+		body.set("code_verifier", codeVerifier);
+		if (this.clientSecret === null) {
+			body.set("client_id", this.clientId);
+		}
+		const request = createOAuth2Request(this.tokenEndpoint, body);
+		// Origin header required for public clients. Value can be anything.
+		request.headers.set("Origin", "arctic");
+		if (this.clientSecret !== null) {
+			const encodedCredentials = encodeBasicCredentials(this.clientId, this.clientId);
+			request.headers.set("Authorization", `Basic ${encodedCredentials}`);
+		}
+		const tokens = await sendTokenRequest(request);
 		return tokens;
 	}
 
 	public async refreshAccessToken(refreshToken: string, scopes: string[]): Promise {
-		const tokens = await this.client.refreshAccessToken(this.tokenEndpoint, refreshToken, scopes);
+		const body = new URLSearchParams();
+		body.set("grant_type", "refresh_token");
+		body.set("refresh_token", refreshToken);
+		if (this.clientSecret === null) {
+			body.set("client_id", this.clientId);
+		}
+		if (scopes.length > 0) {
+			body.set("scope", scopes.join(" "));
+		}
+		const request = createOAuth2Request(this.tokenEndpoint, body);
+		// Origin header required for public clients. Value can be anything.
+		request.headers.set("Origin", "arctic");
+		if (this.clientSecret !== null) {
+			const encodedCredentials = encodeBasicCredentials(this.clientId, this.clientSecret);
+			request.headers.set("Authorization", `Basic ${encodedCredentials}`);
+		}
+		const tokens = await sendTokenRequest(request);
 		return tokens;
 	}
 }
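Review bot: In `validateAuthorizationCode` the confidential-client branch builds the Basic credentials as `encodeBasicCredentials(this.clientId, this.clientId)`, passing the client ID where the client secret belongs, so every code exchange for a client constructed with a secret will present wrong credentials and be rejected by the token endpoint; `refreshAccessToken` a few lines below gets the same call right with `this.clientSecret`. The fix is the one line `const encodedCredentials = encodeBasicCredentials(this.clientId, this.clientSecret);` (TypeScript narrows `this.clientSecret` to `string` inside the `!== null` guard, exactly as it does in `refreshAccessToken`). The duplicated comment `// Origin header required for public clients. Value can be anything.` is a claim about the Entra token endpoint's behaviour that this diff cannot back up, and the header is also sent on the confidential-client path; I would cite the documented error it works around and, if the public-client path is the only one that needs it, move `request.headers.set("Origin", "arctic");` into the `this.clientSecret === null` branch. The `validateAuthorizationCode` signature begins above this hunk.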