@auth0/auth0-spa-js 2.11.2 → 2.11.3

package/dist/typings/Auth0Client.utils.d.ts

@@ -4,10 +4,22 @@ import { Auth0ClientOptions, AuthorizationParams, AuthorizeOptions, ClientAuthor
  * @ignore
  */
 export declare const GET_TOKEN_SILENTLY_LOCK_KEY = "auth0.lock.getTokenSilently";
+/**
+ * @ignore
+ */
+export declare const GET_TOKEN_FROM_IFRAME_LOCK_KEY = "auth0.lock.getTokenFromIFrame";
 /**
  * @ignore
  */
 export declare const buildGetTokenSilentlyLockKey: (clientId: string, audience: string) => string;
+/**
+ * @ignore
+ * Builds a global lock key for iframe-based authentication flows.
+ * This ensures only one iframe authorization request runs at a time per client,
+ * preventing "Invalid state" errors from concurrent iframe requests overwriting
+ * each other's state in the Auth0 session.
+ */
+export declare const buildIframeLockKey: (clientId: string) => string;
 /**
  * @ignore
  */

package/dist/typings/version.d.ts

@@ -1,2 +1,2 @@
-declare const _default: "2.11.2";
+declare const _default: "2.11.3";
 export default _default;

package/package.json

@@ -3,7 +3,7 @@
   "name": "@auth0/auth0-spa-js",
   "description": "Auth0 SDK for Single Page Applications using Authorization Code Grant Flow with PKCE",
   "license": "MIT",
-  "version": "2.11.2",
+  "version": "2.11.3",
   "main": "dist/lib/auth0-spa-js.cjs.js",
   "types": "dist/typings/index.d.ts",
   "module": "dist/auth0-spa-js.production.esm.js",

package/src/Auth0Client.ts

@@ -98,6 +98,7 @@ import {
   cacheFactory,
   getAuthorizeParams,
   buildGetTokenSilentlyLockKey,
+  buildIframeLockKey,
   OLD_IS_AUTHENTICATED_COOKIE_NAME,
   patchOpenUrlWithOnRedirect,
   getScopeToRequest,
@@ -1023,87 +1024,105 @@ export class Auth0Client {
       authorizationParams: AuthorizationParams & { scope: string };
     }
   ): Promise<GetTokenSilentlyResult> {
-    const params: AuthorizationParams & { scope: string } = {
-      ...options.authorizationParams,
-      prompt: 'none'
-    };
-
-    const orgHint = this.cookieStorage.get<string>(this.orgHintCookieName);
+    const iframeLockKey = buildIframeLockKey(this.options.clientId);
+
+    // Acquire global iframe lock to serialize iframe authorization flows.
+    // This is necessary because the SDK does not support multiple simultaneous transactions.
+    // Since https://github.com/auth0/auth0-spa-js/pull/1408, when calling
+    // `getTokenSilently()`, the global locking will lock per `audience` instead of locking
+    // only per `client_id`.
+    // This means that calls for different audiences would happen in parallel, which does
+    // not work when using silent authentication (prompt=none) from within the SDK, as that
+    // relies on the same transaction context as a top-level `loginWithRedirect`.
+    // To resolve that, we add a second-level locking that locks only the iframe calls in
+    // the same way as was done before https://github.com/auth0/auth0-spa-js/pull/1408.
+    if (await retryPromise(() => lock.acquireLock(iframeLockKey, 5000), 10)) {
+      try {
+        const params: AuthorizationParams & { scope: string } = {
+          ...options.authorizationParams,
+          prompt: 'none'
+        };
 
-    if (orgHint && !params.organization) {
-      params.organization = orgHint;
-    }
+        const orgHint = this.cookieStorage.get<string>(this.orgHintCookieName);
 
-    const {
-      url,
-      state: stateIn,
-      nonce: nonceIn,
-      code_verifier,
-      redirect_uri,
-      scope,
-      audience
-    } = await this._prepareAuthorizeUrl(
-      params,
-      { response_mode: 'web_message' },
-      window.location.origin
-    );
+        if (orgHint && !params.organization) {
+          params.organization = orgHint;
+        }
 
-    try {
-      // When a browser is running in a Cross-Origin Isolated context, using iframes is not possible.
-      // It doesn't throw an error but times out instead, so we should exit early and inform the user about the reason.
-      // https://developer.mozilla.org/en-US/docs/Web/API/crossOriginIsolated
-      if ((window as any).crossOriginIsolated) {
-        throw new GenericError(
-          'login_required',
-          'The application is running in a Cross-Origin Isolated context, silently retrieving a token without refresh token is not possible.'
+        const {
+          url,
+          state: stateIn,
+          nonce: nonceIn,
+          code_verifier,
+          redirect_uri,
+          scope,
+          audience
+        } = await this._prepareAuthorizeUrl(
+          params,
+          { response_mode: 'web_message' },
+          window.location.origin
         );
-      }
 
-      const authorizeTimeout =
-        options.timeoutInSeconds || this.options.authorizeTimeoutInSeconds;
+        // When a browser is running in a Cross-Origin Isolated context, using iframes is not possible.
+        // It doesn't throw an error but times out instead, so we should exit early and inform the user about the reason.
+        // https://developer.mozilla.org/en-US/docs/Web/API/crossOriginIsolated
+        if ((window as any).crossOriginIsolated) {
+          throw new GenericError(
+            'login_required',
+            'The application is running in a Cross-Origin Isolated context, silently retrieving a token without refresh token is not possible.'
+          );
+        }
 
-      // Extract origin from domainUrl, fallback to domainUrl if URL parsing fails
-      let eventOrigin: string;
-      try {
-        eventOrigin = new URL(this.domainUrl).origin;
-      } catch {
-        eventOrigin = this.domainUrl;
-      }
+        const authorizeTimeout =
+          options.timeoutInSeconds || this.options.authorizeTimeoutInSeconds;
 
-      const codeResult = await runIframe(url, eventOrigin, authorizeTimeout);
+        // Extract origin from domainUrl, fallback to domainUrl if URL parsing fails
+        let eventOrigin: string;
+        try {
+          eventOrigin = new URL(this.domainUrl).origin;
+        } catch {
+          eventOrigin = this.domainUrl;
+        }
 
-      if (stateIn !== codeResult.state) {
-        throw new GenericError('state_mismatch', 'Invalid state');
-      }
+        const codeResult = await runIframe(url, eventOrigin, authorizeTimeout);
 
-      const tokenResult = await this._requestToken(
-        {
-          ...options.authorizationParams,
-          code_verifier,
-          code: codeResult.code as string,
-          grant_type: 'authorization_code',
-          redirect_uri,
-          timeout: options.authorizationParams.timeout || this.httpTimeoutMs
-        },
-        {
-          nonceIn,
-          organization: params.organization
+        if (stateIn !== codeResult.state) {
+          throw new GenericError('state_mismatch', 'Invalid state');
         }
-      );
 
-      return {
-        ...tokenResult,
-        scope: scope,
-        oauthTokenScope: tokenResult.scope,
-        audience: audience
-      };
-    } catch (e) {
-      if (e.error === 'login_required') {
-        this.logout({
-          openUrl: false
-        });
+        const tokenResult = await this._requestToken(
+          {
+            ...options.authorizationParams,
+            code_verifier,
+            code: codeResult.code as string,
+            grant_type: 'authorization_code',
+            redirect_uri,
+            timeout: options.authorizationParams.timeout || this.httpTimeoutMs
+          },
+          {
+            nonceIn,
+            organization: params.organization
+          }
+        );
+
+        return {
+          ...tokenResult,
+          scope: scope,
+          oauthTokenScope: tokenResult.scope,
+          audience: audience
+        };
+      } catch (e) {
+        if (e.error === 'login_required') {
+          this.logout({
+            openUrl: false
+          });
+        }
+        throw e;
+      } finally {
+        await lock.releaseLock(iframeLockKey);
       }
-      throw e;
+    } else {
+      throw new TimeoutError();
     }
   }
 
@@ -1169,7 +1188,7 @@ export class Auth0Client {
 
       // If is refreshed with MRRT, we update all entries that have the old
       // refresh_token with the new one if the server responded with one
-      if (tokenResult.refresh_token && this.options.useMrrt && cache?.refresh_token) {
+      if (tokenResult.refresh_token && cache?.refresh_token) {
         await this.cacheManager.updateEntry(
           cache.refresh_token,
           tokenResult.refresh_token

package/src/Auth0Client.utils.ts

@@ -13,6 +13,11 @@ import { scopesToRequest } from './scope';
  */
 export const GET_TOKEN_SILENTLY_LOCK_KEY = 'auth0.lock.getTokenSilently';
 
+/**
+ * @ignore
+ */
+export const GET_TOKEN_FROM_IFRAME_LOCK_KEY = 'auth0.lock.getTokenFromIFrame';
+
 /**
  * @ignore
  */
@@ -21,6 +26,16 @@ export const buildGetTokenSilentlyLockKey = (
   audience: string
 ) => `${GET_TOKEN_SILENTLY_LOCK_KEY}.${clientId}.${audience}`;
 
+/**
+ * @ignore
+ * Builds a global lock key for iframe-based authentication flows.
+ * This ensures only one iframe authorization request runs at a time per client,
+ * preventing "Invalid state" errors from concurrent iframe requests overwriting
+ * each other's state in the Auth0 session.
+ */
+export const buildIframeLockKey = (clientId: string) =>
+  `${GET_TOKEN_FROM_IFRAME_LOCK_KEY}.${clientId}`;
+
 /**
  * @ignore
  */

package/src/cache/cache-manager.ts

@@ -91,7 +91,7 @@ export class CacheManager {
       // To refresh using MRRT we need to send a request to the server
       // If cacheMode is 'cache-only', this will make us unable to call the server
       // so it won't be needed to find a valid refresh token
-      if (!matchedKey && useMrrt && cacheMode !== 'cache-only') {
+      if (!wrappedEntry && useMrrt && cacheMode !== 'cache-only') {
         return this.getEntryWithRefreshToken(cacheKey, keys);
       }
     }

package/src/version.ts

@@ -1 +1 @@
-export default '2.11.2';
+export default '2.11.3';