@auth0/auth0-spa-js 2.0.0 → 2.0.2

package/dist/typings/Auth0Client.utils.d.ts

@@ -1,5 +1,5 @@
 import { ICache } from './cache';
-import { Auth0ClientOptions, AuthorizationParams, AuthorizeOptions } from './global';
+import { Auth0ClientOptions, AuthorizationParams, AuthorizeOptions, LogoutOptions } from './global';
 /**
  * @ignore
  */
@@ -26,3 +26,9 @@ export declare const cacheFactory: (location: string) => () => ICache;
 export declare const getAuthorizeParams: (clientOptions: Auth0ClientOptions & {
     authorizationParams: AuthorizationParams;
 }, scope: string, authorizationParams: AuthorizationParams, state: string, nonce: string, code_challenge: string, redirect_uri: string | undefined, response_mode: string | undefined) => AuthorizeOptions;
+/**
+ * @ignore
+ *
+ * Function used to provide support for the deprecated onRedirect through openUrl.
+ */
+export declare const patchOpenUrlWithOnRedirect: <T extends Pick<LogoutOptions, "openUrl" | "onRedirect">>(options: T) => T;

package/dist/typings/errors.d.ts

@@ -44,6 +44,9 @@ export declare class MfaRequiredError extends GenericError {
     mfa_token: string;
     constructor(error: string, error_description: string, mfa_token: string);
 }
+/**
+ * Error thrown when there is no refresh token to use
+ */
 export declare class MissingRefreshTokenError extends GenericError {
     audience: string;
     scope: string;

package/dist/typings/global.d.ts

@@ -264,8 +264,20 @@ export interface RedirectLoginOptions<TAppState = any> extends BaseLoginOptions
      *     window.location.replace(url);
      *   }
      * });
+     * @deprecated since v2.0.1, use `openUrl` instead.
      */
     onRedirect?: (url: string) => Promise<void>;
+    /**
+     * Used to control the redirect and not rely on the SDK to do the actual redirect.
+     *
+     * @example
+     * const client = new Auth0Client({
+     *   async openUrl(url) {
+     *     window.location.replace(url);
+     *   }
+     * });
+     */
+    openUrl?: (url: string) => Promise<void>;
 }
 export interface RedirectLoginResult<TAppState = any> {
     /**
@@ -395,8 +407,22 @@ export interface LogoutOptions extends LogoutUrlOptions {
      *     window.location.replace(url);
      *   }
      * });
+     * @deprecated since v2.0.1, use `openUrl` instead.
      */
     onRedirect?: (url: string) => Promise<void>;
+    /**
+     * Used to control the redirect and not rely on the SDK to do the actual redirect.
+     *
+     * Set to `false` to disable the redirect, or provide a function to handle the actual redirect yourself.
+     *
+     * @example
+     * await auth0.logout({
+     *   async openUrl(url) {
+     *     window.location.replace(url);
+     *   }
+     * });
+     */
+    openUrl?: false | ((url: string) => Promise<void>);
 }
 /**
  * @ignore

package/dist/typings/index.d.ts

@@ -6,12 +6,12 @@ export * from './global';
  * Asynchronously creates the Auth0Client instance and calls `checkSession`.
  *
  * **Note:** There are caveats to using this in a private browser tab, which may not silently authenticae
- * a user on page refresh. Please see [the checkSession docs](https://auth0.github.io/auth0-spa-js/classes/auth0client.html#checksession) for more info.
+ * a user on page refresh. Please see [the checkSession docs](https://auth0.github.io/auth0-spa-js/classes/Auth0Client.html#checksession) for more info.
  *
  * @param options The client options
  * @returns An instance of Auth0Client
  */
 export declare function createAuth0Client(options: Auth0ClientOptions): Promise<Auth0Client>;
 export { Auth0Client };
-export { GenericError, AuthenticationError, TimeoutError, PopupTimeoutError, PopupCancelledError, MfaRequiredError } from './errors';
+export { GenericError, AuthenticationError, TimeoutError, PopupTimeoutError, PopupCancelledError, MfaRequiredError, MissingRefreshTokenError } from './errors';
 export { ICache, LocalStorageCache, InMemoryCache, Cacheable, DecodedToken, CacheEntry, WrappedCacheEntry, KeyManifestEntry, MaybePromise, CacheKey, CacheKeyData } from './cache';

package/dist/typings/utils.d.ts

@@ -1,5 +1,5 @@
 import { AuthenticationResult, PopupConfigOptions } from './global';
-export declare const parseQueryResult: (queryString: string) => AuthenticationResult;
+export declare const parseAuthenticationResult: (queryString: string) => AuthenticationResult;
 export declare const runIframe: (authorizeUrl: string, eventOrigin: string, timeoutInSeconds?: number) => Promise<AuthenticationResult>;
 export declare const openPopup: (url: string) => Window | null;
 export declare const runPopup: (config: PopupConfigOptions) => Promise<AuthenticationResult>;

package/dist/typings/version.d.ts

@@ -1,2 +1,2 @@
-declare const _default: "2.0.0";
+declare const _default: "2.0.2";
 export default _default;

package/package.json

@@ -3,7 +3,7 @@
   "name": "@auth0/auth0-spa-js",
   "description": "Auth0 SDK for Single Page Applications using Authorization Code Grant Flow with PKCE",
   "license": "MIT",
-  "version": "2.0.0",
+  "version": "2.0.2",
   "main": "dist/lib/auth0-spa-js.cjs.js",
   "types": "dist/typings/index.d.ts",
   "module": "dist/auth0-spa-js.production.esm.js",
@@ -41,14 +41,15 @@
     "@typescript-eslint/eslint-plugin-tslint": "^5.33.1",
     "@typescript-eslint/parser": "^5.33.1",
     "babel-jest": "^28.1.3",
-    "browserstack-cypress-cli": "1.8.1",
     "browser-tabs-lock": "^1.2.15",
+    "browserstack-cypress-cli": "1.8.1",
     "cli-table": "^0.3.6",
     "concurrently": "^7.3.0",
     "cypress": "7.2.0",
     "es-check": "^7.0.1",
     "es-cookie": "~1.3.2",
     "eslint": "^8.22.0",
+    "eslint-plugin-security": "^1.5.0",
     "gzip-size": "^7.0.0",
     "husky": "^7.0.4",
     "idtoken-verifier": "^2.2.2",
@@ -57,9 +58,9 @@
     "jest-fetch-mock": "^3.0.3",
     "jest-junit": "^14.0.0",
     "jest-localstorage-mock": "^2.4.22",
-    "jsonwebtoken": "^8.5.1",
+    "jsonwebtoken": "^9.0.0",
     "node-fetch": "^3.2.10",
-    "oidc-provider": "^7.11.5",
+    "oidc-provider": "^7.14.0",
     "prettier": "^2.7.1",
     "pretty-quick": "^3.1.2",
     "qss": "^2.0.3",
@@ -78,8 +79,6 @@
     "serve": "^14.0.1",
     "ts-jest": "^28.0.8",
     "tslib": "^2.4.0",
-    "tslint": "^6.1.3",
-    "tslint-config-security": "^1.16.0",
     "typedoc": "^0.23.10",
     "typescript": "^4.7.4",
     "wait-on": "^6.0.0"

package/src/Auth0Client.ts

@@ -3,7 +3,7 @@ import Lock from 'browser-tabs-lock';
 import {
   createQueryParams,
   runPopup,
-  parseQueryResult,
+  parseAuthenticationResult,
   encode,
   createRandomString,
   runIframe,
@@ -89,7 +89,8 @@ import {
   cacheFactory,
   getAuthorizeParams,
   GET_TOKEN_SILENTLY_LOCK_KEY,
-  OLD_IS_AUTHENTICATED_COOKIE_NAME
+  OLD_IS_AUTHENTICATED_COOKIE_NAME,
+  patchOpenUrlWithOnRedirect
 } from './Auth0Client.utils';
 
 /**
@@ -444,7 +445,8 @@ export class Auth0Client {
   public async loginWithRedirect<TAppState = any>(
     options: RedirectLoginOptions<TAppState> = {}
   ) {
-    const { onRedirect, fragment, appState, ...urlOptions } = options;
+    const { openUrl, fragment, appState, ...urlOptions } =
+      patchOpenUrlWithOnRedirect(options);
 
     const organizationId =
       urlOptions.authorizationParams?.organization ||
@@ -462,8 +464,8 @@ export class Auth0Client {
 
     const urlWithFragment = fragment ? `${url}#${fragment}` : url;
 
-    if (onRedirect) {
-      await onRedirect(urlWithFragment);
+    if (openUrl) {
+      await openUrl(urlWithFragment);
     } else {
       window.location.assign(urlWithFragment);
     }
@@ -484,7 +486,7 @@ export class Auth0Client {
       throw new Error('There are no query params available for parsing.');
     }
 
-    const { state, code, error, error_description } = parseQueryResult(
+    const { state, code, error, error_description } = parseAuthenticationResult(
       queryStringFragments.join('')
     );
 
@@ -824,7 +826,7 @@ export class Auth0Client {
    * @param options
    */
   public async logout(options: LogoutOptions = {}): Promise<void> {
-    const { onRedirect, ...logoutOptions } = options;
+    const { openUrl, ...logoutOptions } = patchOpenUrlWithOnRedirect(options);
 
     await this.cacheManager.clear();
 
@@ -838,9 +840,9 @@ export class Auth0Client {
 
     const url = this._buildLogoutUrl(logoutOptions);
 
-    if (onRedirect) {
-      await onRedirect(url);
-    } else {
+    if (openUrl) {
+      await openUrl(url);
+    } else if (openUrl !== false) {
       window.location.assign(url);
     }
   }
@@ -918,7 +920,7 @@ export class Auth0Client {
     } catch (e) {
       if (e.error === 'login_required') {
         this.logout({
-          onRedirect: async () => {}
+          openUrl: false
         });
       }
       throw e;

package/src/Auth0Client.utils.ts

@@ -2,7 +2,8 @@ import { ICache, InMemoryCache, LocalStorageCache } from './cache';
 import {
   Auth0ClientOptions,
   AuthorizationParams,
-  AuthorizeOptions
+  AuthorizeOptions,
+  LogoutOptions
 } from './global';
 import { getUniqueScopes } from './scope';
 
@@ -73,3 +74,23 @@ export const getAuthorizeParams = (
     code_challenge_method: 'S256'
   };
 };
+
+/**
+ * @ignore
+ *
+ * Function used to provide support for the deprecated onRedirect through openUrl.
+ */
+export const patchOpenUrlWithOnRedirect = <
+  T extends Pick<LogoutOptions, 'openUrl' | 'onRedirect'>
+>(
+  options: T
+) => {
+  const { openUrl, onRedirect, ...originalOptions } = options;
+
+  const result = {
+    ...originalOptions,
+    openUrl: openUrl === false || openUrl ? openUrl : onRedirect
+  };
+
+  return result as T;
+};

package/src/errors.ts

@@ -81,6 +81,9 @@ export class MfaRequiredError extends GenericError {
   }
 }
 
+/**
+ * Error thrown when there is no refresh token to use
+ */
 export class MissingRefreshTokenError extends GenericError {
   constructor(public audience: string, public scope: string) {
     super(

package/src/global.ts

@@ -296,8 +296,21 @@ export interface RedirectLoginOptions<TAppState = any>
    *     window.location.replace(url);
    *   }
    * });
+   * @deprecated since v2.0.1, use `openUrl` instead.
    */
   onRedirect?: (url: string) => Promise<void>;
+
+  /**
+   * Used to control the redirect and not rely on the SDK to do the actual redirect.
+   *
+   * @example
+   * const client = new Auth0Client({
+   *   async openUrl(url) {
+   *     window.location.replace(url);
+   *   }
+   * });
+   */
+  openUrl?: (url: string) => Promise<void>;
 }
 
 export interface RedirectLoginResult<TAppState = any> {
@@ -442,8 +455,23 @@ export interface LogoutOptions extends LogoutUrlOptions {
    *     window.location.replace(url);
    *   }
    * });
+   * @deprecated since v2.0.1, use `openUrl` instead.
    */
   onRedirect?: (url: string) => Promise<void>;
+
+  /**
+   * Used to control the redirect and not rely on the SDK to do the actual redirect.
+   *
+   * Set to `false` to disable the redirect, or provide a function to handle the actual redirect yourself.
+   *
+   * @example
+   * await auth0.logout({
+   *   async openUrl(url) {
+   *     window.location.replace(url);
+   *   }
+   * });
+   */
+  openUrl?: false | ((url: string) => Promise<void>);
 }
 
 /**

package/src/index.ts

@@ -9,7 +9,7 @@ export * from './global';
  * Asynchronously creates the Auth0Client instance and calls `checkSession`.
  *
  * **Note:** There are caveats to using this in a private browser tab, which may not silently authenticae
- * a user on page refresh. Please see [the checkSession docs](https://auth0.github.io/auth0-spa-js/classes/auth0client.html#checksession) for more info.
+ * a user on page refresh. Please see [the checkSession docs](https://auth0.github.io/auth0-spa-js/classes/Auth0Client.html#checksession) for more info.
  *
  * @param options The client options
  * @returns An instance of Auth0Client
@@ -28,7 +28,8 @@ export {
   TimeoutError,
   PopupTimeoutError,
   PopupCancelledError,
-  MfaRequiredError
+  MfaRequiredError,
+  MissingRefreshTokenError
 } from './errors';
 
 export {

package/src/utils.ts

@@ -12,24 +12,21 @@ import {
   PopupCancelledError
 } from './errors';
 
-export const parseQueryResult = (queryString: string): AuthenticationResult => {
+export const parseAuthenticationResult = (
+  queryString: string
+): AuthenticationResult => {
   if (queryString.indexOf('#') > -1) {
-    queryString = queryString.substr(0, queryString.indexOf('#'));
+    queryString = queryString.substring(0, queryString.indexOf('#'));
   }
 
-  const queryParams = queryString.split('&');
-  const parsedQuery: Record<string, any> = {};
+  const searchParams = new URLSearchParams(queryString);
 
-  queryParams.forEach(qp => {
-    const [key, val] = qp.split('=');
-    parsedQuery[key] = decodeURIComponent(val);
-  });
-
-  if (parsedQuery.expires_in) {
-    parsedQuery.expires_in = parseInt(parsedQuery.expires_in);
-  }
-
-  return parsedQuery as AuthenticationResult;
+  return {
+    state: searchParams.get('state')!,
+    code: searchParams.get('code') || undefined,
+    error: searchParams.get('error') || undefined,
+    error_description: searchParams.get('error_description') || undefined
+  };
 };
 
 export const runIframe = (

package/src/version.ts

@@ -1 +1 @@
-export default '2.0.0';
+export default '2.0.2';