@auth0/auth0-spa-js 2.11.0 → 2.11.1
- package/dist/auth0-spa-js.development.js +9 -1
- package/dist/auth0-spa-js.development.js.map +1 -1
- package/dist/auth0-spa-js.production.esm.js +1 -1
- package/dist/auth0-spa-js.production.esm.js.map +1 -1
- package/dist/auth0-spa-js.production.js +1 -1
- package/dist/auth0-spa-js.production.js.map +1 -1
- package/dist/auth0-spa-js.worker.development.js.map +1 -1
- package/dist/auth0-spa-js.worker.production.js.map +1 -1
- package/dist/lib/auth0-spa-js.cjs.js +9 -1
- package/dist/lib/auth0-spa-js.cjs.js.map +1 -1
- package/dist/typings/global.d.ts +4 -1
- package/dist/typings/version.d.ts +1 -1
- package/package.json +3 -3
- package/src/Auth0Client.ts +13 -0
- package/src/global.ts +4 -1
- package/src/version.ts +1 -1
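--- a/package/dist/typings/global.d.ts
+++ b/package/dist/typings/global.d.ts
@@ -140,9 +140,12 @@ export interface Auth0ClientOptions {
 */
 cache?: ICache;
 /**
-* If true, refresh tokens are used to fetch new access tokens from the Auth0 server. If false, the
+* If true, refresh tokens are used to fetch new access tokens from the Auth0 server. If false, the standard technique of using a hidden iframe and the `authorization_code` grant with `prompt=none` is used.
 * The default setting is `false`.
 *
+* Standard technique relies on cookies. Because browsers increasingly block third-party cookies, it requires a Custom Domain to function reliably. Refresh tokens serve as a fallback for environments where third-party cookies are blocked.
+* Using a Custom Domain with this set to `false` is the most secure and recommended approach.
+*
 * **Note**: Use of refresh tokens must be enabled by an administrator on your Auth0 client application.
 */
 useRefreshTokens?: boolean;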
|
@@ -1,2 +1,2 @@
|
|
|
1
|
-
declare const _default: "2.11.
|
|
1
|
+
declare const _default: "2.11.1";
|
|
2
2
|
export default _default;
|
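--- a/package/package.json
+++ b/package/package.json
@@ -3,7 +3,7 @@
 "name": "@auth0/auth0-spa-js",
 "description": "Auth0 SDK for Single Page Applications using Authorization Code Grant Flow with PKCE",
 "license": "MIT",
-"version": "2.11.
+"version": "2.11.1",
 "main": "dist/lib/auth0-spa-js.cjs.js",
 "types": "dist/typings/index.d.ts",
 "module": "dist/auth0-spa-js.production.esm.js",
@@ -59,7 +59,7 @@
 "@types/jest": "^28.1.7",
 "@typescript-eslint/eslint-plugin-tslint": "^5.33.1",
 "@typescript-eslint/parser": "^5.33.1",
-"browserstack-cypress-cli": "1.
+"browserstack-cypress-cli": "1.36.0",
 "cli-table": "^0.3.6",
 "concurrently": "^7.3.0",
 "cypress": "13.17.0",
@@ -76,7 +76,7 @@
 "jest-junit": "^14.0.0",
 "jest-localstorage-mock": "^2.4.22",
 "jsonwebtoken": "^9.0.0",
-"oidc-provider": "^
+"oidc-provider": "^9.6.0",
 "prettier": "^2.7.1",
 "pretty-quick": "^3.1.2",
 "rimraf": "^3.0.2",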
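--- a/package/src/Auth0Client.ts
+++ b/package/src/Auth0Client.ts
@@ -1373,6 +1373,19 @@ export class Auth0Client {
 organization
 );
 
+// When logging in with authorization_code, check if a different user is authenticating
+// If so, clear the cache to prevent tokens from multiple users coexisting
+if (options.grant_type === 'authorization_code') {
+const existingIdToken = await this._getIdTokenFromCache();
+
+if (existingIdToken?.decodedToken?.claims?.sub &&
+existingIdToken.decodedToken.claims.sub !== decodedToken.claims.sub) {
+// Different user detected - clear cached tokens
+await this.cacheManager.clear(this.options.clientId);
+this.userCache.remove(CACHE_KEY_ID_TOKEN_SUFFIX);
+}
+}
+
 await this._saveEntryInCache({
 ...authResult,
 decodedToken,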
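Review bot: The different-user check runs only when `options.grant_type === 'authorization_code'` and only when a cached ID token carrying a `sub` is found, so any other grant that reaches this code with a new subject, or a cache that holds access tokens but no ID token, would still leave entries from two users side by side. If the restriction is deliberate, a comment should say why the remaining grants cannot change `sub`, for example `// refresh_token responses are bound to the cached user, so only authorization_code can switch users`; otherwise the `grant_type` test could be dropped and the `sub` comparison kept on its own. The clear and the following `_saveEntryInCache` are separate awaits, so it is worth confirming that a concurrent silent token request cannot write an entry for the previous user in between. The enclosing method starts and ends outside this hunk, so the grant types that actually reach it are not visible here.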
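--- a/package/src/global.ts
+++ b/package/src/global.ts
@@ -161,9 +161,12 @@ export interface Auth0ClientOptions {
 cache?: ICache;
 
 /**
-* If true, refresh tokens are used to fetch new access tokens from the Auth0 server. If false, the
+* If true, refresh tokens are used to fetch new access tokens from the Auth0 server. If false, the standard technique of using a hidden iframe and the `authorization_code` grant with `prompt=none` is used.
 * The default setting is `false`.
 *
+* Standard technique relies on cookies. Because browsers increasingly block third-party cookies, it requires a Custom Domain to function reliably. Refresh tokens serve as a fallback for environments where third-party cookies are blocked.
+* Using a Custom Domain with this set to `false` is the most secure and recommended approach.
+*
 * **Note**: Use of refresh tokens must be enabled by an administrator on your Auth0 client application.
 */
 useRefreshTokens?: boolean;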
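Review bot: The added doc line that calls a Custom Domain with `useRefreshTokens` set to `false` "the most secure and recommended approach" gives a security ranking without the reason, so an integrator cannot weigh it against their own deployment. One further comment line would close the gap, along the lines of `* With refresh tokens a long-lived credential is held by the browser application, whereas the iframe flow keeps the session in a cookie on the Auth0 domain.`; the exact wording needs confirming by the maintainers. The sentence beginning `Standard technique relies on cookies` would also read better as `The standard technique relies on cookies`.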
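--- a/package/src/version.ts
+++ b/package/src/version.ts
@@ -1 +1 @@
-export default '2.11.
+export default '2.11.1';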