@auth0/auth0-spa-js 2.12.0 → 2.13.0

package/dist/lib/auth0-spa-js.cjs.js

@@ -551,7 +551,7 @@ var SuperTokensLock = function() {
 
 var _default = browserTabsLock.default = SuperTokensLock;
 
-var version = "2.12.0";
+var version = "2.13.0";
 
 const DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS = 60;
 
@@ -649,9 +649,10 @@ class PopupOpenError extends GenericError {
 }
 
 class MfaRequiredError extends GenericError {
-    constructor(error, error_description, mfa_token) {
+    constructor(error, error_description, mfa_token, mfa_requirements) {
         super(error, error_description);
         this.mfa_token = mfa_token;
+        this.mfa_requirements = mfa_requirements;
         Object.setPrototypeOf(this, MfaRequiredError.prototype);
     }
 }
@@ -805,13 +806,19 @@ const ALLOWED_AUTH0CLIENT_PROPERTIES = [ {
     type: [ "object" ]
 } ];
 
-const stripAuth0Client = auth0Client => Object.keys(auth0Client).reduce(((acc, key) => {
-    const allowedProperty = ALLOWED_AUTH0CLIENT_PROPERTIES.find((p => p.key === key));
-    if (allowedProperty && allowedProperty.type.includes(typeof auth0Client[key])) {
-        acc[key] = auth0Client[key];
-    }
-    return acc;
-}), {});
+const stripAuth0Client = function stripAuth0Client(auth0Client) {
+    let excludeEnv = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : false;
+    return Object.keys(auth0Client).reduce(((acc, key) => {
+        if (excludeEnv && key === "env") {
+            return acc;
+        }
+        const allowedProperty = ALLOWED_AUTH0CLIENT_PROPERTIES.find((p => p.key === key));
+        if (allowedProperty && allowedProperty.type.includes(typeof auth0Client[key])) {
+            acc[key] = auth0Client[key];
+        }
+        return acc;
+    }), {});
+};
 
 const createQueryParams = _a => {
     var {clientId: client_id} = _a, params = __rest(_a, [ "clientId" ]);
@@ -1193,7 +1200,7 @@ const DPOP_NONCE_HEADER = "dpop-nonce";
 
 const KEY_PAIR_ALGORITHM = "ES256";
 
-const SUPPORTED_GRANT_TYPES = [ "authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:token-exchange" ];
+const SUPPORTED_GRANT_TYPES = [ "authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:token-exchange", "http://auth0.com/oauth/grant-type/mfa-oob", "http://auth0.com/oauth/grant-type/mfa-otp", "http://auth0.com/oauth/grant-type/mfa-recovery-code" ];
 
 function generateKeyPair() {
     return generateKeyPair$1(KEY_PAIR_ALGORITHM, {
@@ -1318,7 +1325,7 @@ async function getJSON(url, timeout, audience, scope, options, worker, useFormDa
     if (!ok) {
         const errorMessage = error_description || "HTTP error. Unable to fetch ".concat(url);
         if (error === "mfa_required") {
-            throw new MfaRequiredError(error, errorMessage, data.mfa_token);
+            throw new MfaRequiredError(error, errorMessage, data.mfa_token, data.mfa_requirements);
         }
         if (error === "missing_refresh_token") {
             throw new MissingRefreshTokenError(audience, scope);
@@ -2454,6 +2461,61 @@ class MyAccountApiError extends Error {
     }
 }
 
+const FACTOR_MAPPING = {
+    otp: {
+        authenticatorTypes: [ "otp" ]
+    },
+    sms: {
+        authenticatorTypes: [ "oob" ],
+        oobChannels: [ "sms" ]
+    },
+    email: {
+        authenticatorTypes: [ "oob" ],
+        oobChannels: [ "email" ]
+    },
+    push: {
+        authenticatorTypes: [ "oob" ],
+        oobChannels: [ "auth0" ]
+    },
+    voice: {
+        authenticatorTypes: [ "oob" ],
+        oobChannels: [ "voice" ]
+    }
+};
+
+const MfaGrantTypes = {
+    OTP: "http://auth0.com/oauth/grant-type/mfa-otp",
+    OOB: "http://auth0.com/oauth/grant-type/mfa-oob",
+    RECOVERY_CODE: "http://auth0.com/oauth/grant-type/mfa-recovery-code"
+};
+
+function getAuthJsEnrollParams(params) {
+    const mapping = FACTOR_MAPPING[params.factorType];
+    return Object.assign(Object.assign(Object.assign({
+        mfaToken: params.mfaToken,
+        authenticatorTypes: mapping.authenticatorTypes
+    }, mapping.oobChannels && {
+        oobChannels: mapping.oobChannels
+    }), "phoneNumber" in params && {
+        phoneNumber: params.phoneNumber
+    }), "email" in params && {
+        email: params.email
+    });
+}
+
+function getGrantType(params) {
+    if ("otp" in params && params.otp) {
+        return MfaGrantTypes.OTP;
+    }
+    if ("oobCode" in params && params.oobCode) {
+        return MfaGrantTypes.OOB;
+    }
+    if ("recoveryCode" in params && params.recoveryCode) {
+        return MfaGrantTypes.RECOVERY_CODE;
+    }
+    return undefined;
+}
+
 function _OverloadYield(e, d) {
     this.v = e, this.k = d;
 }
@@ -7036,7 +7098,7 @@ function stripUndefinedProperties(value) {
     })), {});
 }
 
-var MfaError = class MfaError extends Error {
+var MfaError$1 = class MfaError extends Error {
     constructor(code, message, cause) {
         super(message);
         _defineProperty(this, "cause", void 0);
@@ -7050,28 +7112,28 @@ var MfaError = class MfaError extends Error {
     }
 };
 
-var MfaListAuthenticatorsError = class extends MfaError {
+var MfaListAuthenticatorsError$1 = class extends MfaError$1 {
     constructor(message, cause) {
         super("mfa_list_authenticators_error", message, cause);
         this.name = "MfaListAuthenticatorsError";
     }
 };
 
-var MfaEnrollmentError = class extends MfaError {
+var MfaEnrollmentError$1 = class extends MfaError$1 {
     constructor(message, cause) {
         super("mfa_enrollment_error", message, cause);
         this.name = "MfaEnrollmentError";
     }
 };
 
-var MfaDeleteAuthenticatorError = class extends MfaError {
+var MfaDeleteAuthenticatorError = class extends MfaError$1 {
     constructor(message, cause) {
         super("mfa_delete_authenticator_error", message, cause);
         this.name = "MfaDeleteAuthenticatorError";
     }
 };
 
-var MfaChallengeError = class extends MfaError {
+var MfaChallengeError$1 = class extends MfaError$1 {
     constructor(message, cause) {
         super("mfa_challenge_error", message, cause);
         this.name = "MfaChallengeError";
@@ -7149,7 +7211,7 @@ class MfaClient {
         });
         if (!response.ok) {
             const error = await response.json();
-            throw new MfaListAuthenticatorsError(error.error_description || "Failed to list authenticators", error);
+            throw new MfaListAuthenticatorsError$1(error.error_description || "Failed to list authenticators", error);
         }
         const apiResponse = await response.json();
         return apiResponse.map(transformAuthenticatorResponse);
@@ -7179,7 +7241,7 @@ class MfaClient {
         });
         if (!response.ok) {
             const error = await response.json();
-            throw new MfaEnrollmentError(error.error_description || "Failed to enroll authenticator", error);
+            throw new MfaEnrollmentError$1(error.error_description || "Failed to enroll authenticator", error);
         }
         const apiResponse = await response.json();
         return transformEnrollmentResponse(apiResponse);
@@ -7219,7 +7281,7 @@ class MfaClient {
         });
         if (!response.ok) {
             const error = await response.json();
-            throw new MfaChallengeError(error.error_description || "Failed to challenge authenticator", error);
+            throw new MfaChallengeError$1(error.error_description || "Failed to challenge authenticator", error);
         }
         const apiResponse = await response.json();
         return transformChallengeResponse(apiResponse);
@@ -7668,6 +7730,203 @@ async function _buildAuthorizationUrl(options) {
     };
 }
 
+class MfaError extends GenericError {
+    constructor(error, error_description) {
+        super(error, error_description);
+        Object.setPrototypeOf(this, MfaError.prototype);
+    }
+    static fromPayload(_ref) {
+        let {error: error, error_description: error_description} = _ref;
+        return new MfaError(error, error_description);
+    }
+}
+
+class MfaListAuthenticatorsError extends MfaError {
+    constructor(error, error_description) {
+        super(error, error_description);
+        Object.setPrototypeOf(this, MfaListAuthenticatorsError.prototype);
+    }
+}
+
+class MfaEnrollmentError extends MfaError {
+    constructor(error, error_description) {
+        super(error, error_description);
+        Object.setPrototypeOf(this, MfaEnrollmentError.prototype);
+    }
+}
+
+class MfaChallengeError extends MfaError {
+    constructor(error, error_description) {
+        super(error, error_description);
+        Object.setPrototypeOf(this, MfaChallengeError.prototype);
+    }
+}
+
+class MfaVerifyError extends MfaError {
+    constructor(error, error_description) {
+        super(error, error_description);
+        Object.setPrototypeOf(this, MfaVerifyError.prototype);
+    }
+}
+
+class MfaEnrollmentFactorsError extends MfaError {
+    constructor(error, error_description) {
+        super(error, error_description);
+        Object.setPrototypeOf(this, MfaEnrollmentFactorsError.prototype);
+    }
+}
+
+const DEFAULT_TTL_MS = 10 * 60 * 1e3;
+
+class MfaContextManager {
+    constructor() {
+        let ttlMs = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : DEFAULT_TTL_MS;
+        this.contexts = new Map;
+        this.ttlMs = ttlMs;
+    }
+    set(mfaToken, context) {
+        this.cleanup();
+        this.contexts.set(mfaToken, Object.assign(Object.assign({}, context), {
+            createdAt: Date.now()
+        }));
+    }
+    get(mfaToken) {
+        const context = this.contexts.get(mfaToken);
+        if (!context) {
+            return undefined;
+        }
+        if (Date.now() - context.createdAt > this.ttlMs) {
+            this.contexts.delete(mfaToken);
+            return undefined;
+        }
+        return context;
+    }
+    remove(mfaToken) {
+        this.contexts.delete(mfaToken);
+    }
+    cleanup() {
+        const now = Date.now();
+        for (const [key, value] of this.contexts) {
+            if (now - value.createdAt > this.ttlMs) {
+                this.contexts.delete(key);
+            }
+        }
+    }
+    get size() {
+        return this.contexts.size;
+    }
+}
+
+class MfaApiClient {
+    constructor(authJsMfaClient, auth0Client) {
+        this.authJsMfaClient = authJsMfaClient;
+        this.auth0Client = auth0Client;
+        this.contextManager = new MfaContextManager;
+    }
+    setMFAAuthDetails(mfaToken, scope, audience, mfaRequirements) {
+        this.contextManager.set(mfaToken, {
+            scope: scope,
+            audience: audience,
+            mfaRequirements: mfaRequirements
+        });
+    }
+    async getAuthenticators(mfaToken) {
+        var _a, _b;
+        const context = this.contextManager.get(mfaToken);
+        if (!((_a = context === null || context === void 0 ? void 0 : context.mfaRequirements) === null || _a === void 0 ? void 0 : _a.challenge) || context.mfaRequirements.challenge.length === 0) {
+            throw new MfaListAuthenticatorsError("invalid_request", "challengeType is required and must contain at least one challenge type, please check mfa_required error payload");
+        }
+        const challengeTypes = context.mfaRequirements.challenge.map((c => c.type));
+        try {
+            const allAuthenticators = await this.authJsMfaClient.listAuthenticators({
+                mfaToken: mfaToken
+            });
+            return allAuthenticators.filter((auth => {
+                if (!auth.type) return false;
+                return challengeTypes.includes(auth.type);
+            }));
+        } catch (error) {
+            if (error instanceof MfaListAuthenticatorsError$1) {
+                throw new MfaListAuthenticatorsError((_b = error.cause) === null || _b === void 0 ? void 0 : _b.error, error.message);
+            }
+            throw error;
+        }
+    }
+    async enroll(params) {
+        var _a;
+        const authJsParams = getAuthJsEnrollParams(params);
+        try {
+            return await this.authJsMfaClient.enrollAuthenticator(authJsParams);
+        } catch (error) {
+            if (error instanceof MfaEnrollmentError$1) {
+                throw new MfaEnrollmentError((_a = error.cause) === null || _a === void 0 ? void 0 : _a.error, error.message);
+            }
+            throw error;
+        }
+    }
+    async challenge(params) {
+        var _a;
+        try {
+            const authJsParams = {
+                challengeType: params.challengeType,
+                mfaToken: params.mfaToken
+            };
+            if (params.authenticatorId) {
+                authJsParams.authenticatorId = params.authenticatorId;
+            }
+            return await this.authJsMfaClient.challengeAuthenticator(authJsParams);
+        } catch (error) {
+            if (error instanceof MfaChallengeError$1) {
+                throw new MfaChallengeError((_a = error.cause) === null || _a === void 0 ? void 0 : _a.error, error.message);
+            }
+            throw error;
+        }
+    }
+    async getEnrollmentFactors(mfaToken) {
+        const context = this.contextManager.get(mfaToken);
+        if (!context || !context.mfaRequirements) {
+            throw new MfaEnrollmentFactorsError("mfa_context_not_found", "MFA context not found for this MFA token. Please retry the original request to get a new MFA token.");
+        }
+        if (!context.mfaRequirements.enroll || context.mfaRequirements.enroll.length === 0) {
+            return [];
+        }
+        return context.mfaRequirements.enroll;
+    }
+    async verify(params) {
+        const context = this.contextManager.get(params.mfaToken);
+        if (!context) {
+            throw new MfaVerifyError("mfa_context_not_found", "MFA context not found for this MFA token. Please retry the original request to get a new MFA token.");
+        }
+        const grantType = getGrantType(params);
+        if (!grantType) {
+            throw new MfaVerifyError("invalid_request", "Unable to determine grant type. Provide one of: otp, oobCode, or recoveryCode.");
+        }
+        const scope = context.scope;
+        const audience = context.audience;
+        try {
+            const result = await this.auth0Client._requestTokenForMfa({
+                grant_type: grantType,
+                mfaToken: params.mfaToken,
+                scope: scope,
+                audience: audience,
+                otp: params.otp,
+                oob_code: params.oobCode,
+                binding_code: params.bindingCode,
+                recovery_code: params.recoveryCode
+            });
+            this.contextManager.remove(params.mfaToken);
+            return result;
+        } catch (error) {
+            if (error instanceof MfaRequiredError) {
+                this.setMFAAuthDetails(error.mfa_token, scope, audience, error.mfa_requirements);
+            } else if (error instanceof MfaVerifyError) {
+                throw new MfaVerifyError(error.error, error.error_description);
+            }
+            throw error;
+        }
+    }
+}
+
 const lock = new _default;
 
 class Auth0Client {
@@ -7737,6 +7996,7 @@ class Auth0Client {
             domain: this.options.domain,
             clientId: this.options.clientId
         });
+        this.mfa = new MfaApiClient(this.authJsClient.mfa, this);
         if (typeof window !== "undefined" && window.Worker && this.options.useRefreshTokens && cacheLocation === CACHE_LOCATION_MEMORY) {
             if (this.options.workerUrl) {
                 this.worker = new Worker(this.options.workerUrl);
@@ -7752,7 +8012,9 @@ class Auth0Client {
         });
     }
     _url(path) {
-        const auth0Client = encodeURIComponent(btoa(JSON.stringify(this.options.auth0Client || DEFAULT_AUTH0_CLIENT)));
+        const auth0ClientObj = this.options.auth0Client || DEFAULT_AUTH0_CLIENT;
+        const strippedAuth0Client = stripAuth0Client(auth0ClientObj, true);
+        const auth0Client = encodeURIComponent(btoa(JSON.stringify(strippedAuth0Client)));
         return "".concat(this.domainUrl).concat(path, "&auth0Client=").concat(auth0Client);
     }
     _authorizeUrl(authorizeOptions) {
@@ -8133,6 +8395,7 @@ class Auth0Client {
         }
     }
     async _getTokenUsingRefreshToken(options) {
+        var _a, _b;
         const cache = await this.cacheManager.get(new CacheKey({
             scope: options.authorizationParams.scope,
             audience: options.authorizationParams.audience || DEFAULT_AUDIENCE,
@@ -8183,6 +8446,9 @@ class Auth0Client {
             if ((e.message.indexOf(MISSING_REFRESH_TOKEN_ERROR_MESSAGE) > -1 || e.message && e.message.indexOf(INVALID_REFRESH_TOKEN_ERROR_MESSAGE) > -1) && this.options.useRefreshTokensFallback) {
                 return await this._getTokenFromIFrame(options);
             }
+            if (e instanceof MfaRequiredError) {
+                this.mfa.setMFAAuthDetails(e.mfa_token, (_a = options.authorizationParams) === null || _a === void 0 ? void 0 : _a.scope, (_b = options.authorizationParams) === null || _b === void 0 ? void 0 : _b.audience, e.mfa_requirements);
+            }
             throw e;
         }
     }
@@ -8352,6 +8618,12 @@ class Auth0Client {
             window.location.assign(url);
         }
     }
+    async _requestTokenForMfa(options, additionalParameters) {
+        const {mfaToken: mfaToken} = options, restOptions = __rest(options, [ "mfaToken" ]);
+        return this._requestToken(Object.assign(Object.assign({}, restOptions), {
+            mfa_token: mfaToken
+        }), additionalParameters);
+    }
 }
 
 async function createAuth0Client(options) {
@@ -8374,8 +8646,22 @@ exports.InMemoryCache = InMemoryCache;
 
 exports.LocalStorageCache = LocalStorageCache;
 
+exports.MfaApiClient = MfaApiClient;
+
+exports.MfaChallengeError = MfaChallengeError;
+
+exports.MfaEnrollmentError = MfaEnrollmentError;
+
+exports.MfaEnrollmentFactorsError = MfaEnrollmentFactorsError;
+
+exports.MfaError = MfaError;
+
+exports.MfaListAuthenticatorsError = MfaListAuthenticatorsError;
+
 exports.MfaRequiredError = MfaRequiredError;
 
+exports.MfaVerifyError = MfaVerifyError;
+
 exports.MissingRefreshTokenError = MissingRefreshTokenError;
 
 exports.MyAccountApiError = MyAccountApiError;