@auth0/auth0-spa-js 2.12.0 → 2.13.1

package/README.md

@@ -30,7 +30,7 @@ npm install @auth0/auth0-spa-js
 From the CDN:
 
 ```html
-<script src="https://cdn.auth0.com/js/auth0-spa-js/2.12/auth0-spa-js.production.js"></script>
+<script src="https://cdn.auth0.com/js/auth0-spa-js/2.13/auth0-spa-js.production.js"></script>
 ```
 
 ### Configure Auth0
@@ -114,7 +114,9 @@ window.addEventListener('load', async () => {
 });
 ```
 
-For other comprehensive examples, see the [EXAMPLES.md](https://github.com/auth0/auth0-spa-js/blob/main/EXAMPLES.md) document.
+### More Examples
+
+For comprehensive examples covering various scenarios including logging out, calling APIs, refresh tokens, organizations, MFA, DPoP, and more, see the [EXAMPLES.md](https://github.com/auth0/auth0-spa-js/blob/main/EXAMPLES.md) document.
 
 ## API Reference
 

package/dist/auth0-spa-js.development.js

@@ -529,7 +529,7 @@
         return SuperTokensLock;
     }();
     var _default = browserTabsLock.default = SuperTokensLock;
-    var version = "2.12.0";
+    var version = "2.13.1";
     const DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS = 60;
     const DEFAULT_POPUP_CONFIG_OPTIONS = {
         timeoutInSeconds: DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS
@@ -606,9 +606,10 @@
         }
     }
     class MfaRequiredError extends GenericError {
-        constructor(error, error_description, mfa_token) {
+        constructor(error, error_description, mfa_token, mfa_requirements) {
             super(error, error_description);
             this.mfa_token = mfa_token;
+            this.mfa_requirements = mfa_requirements;
             Object.setPrototypeOf(this, MfaRequiredError.prototype);
         }
     }
@@ -748,13 +749,19 @@
         key: "env",
         type: [ "object" ]
     } ];
-    const stripAuth0Client = auth0Client => Object.keys(auth0Client).reduce(((acc, key) => {
-        const allowedProperty = ALLOWED_AUTH0CLIENT_PROPERTIES.find((p => p.key === key));
-        if (allowedProperty && allowedProperty.type.includes(typeof auth0Client[key])) {
-            acc[key] = auth0Client[key];
-        }
-        return acc;
-    }), {});
+    const stripAuth0Client = function stripAuth0Client(auth0Client) {
+        let excludeEnv = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : false;
+        return Object.keys(auth0Client).reduce(((acc, key) => {
+            if (excludeEnv && key === "env") {
+                return acc;
+            }
+            const allowedProperty = ALLOWED_AUTH0CLIENT_PROPERTIES.find((p => p.key === key));
+            if (allowedProperty && allowedProperty.type.includes(typeof auth0Client[key])) {
+                acc[key] = auth0Client[key];
+            }
+            return acc;
+        }), {});
+    };
     const createQueryParams = _a => {
         var {clientId: client_id} = _a, params = __rest(_a, [ "clientId" ]);
         return new URLSearchParams(stripUndefined(Object.assign({
@@ -1099,7 +1106,7 @@
     }
     const DPOP_NONCE_HEADER = "dpop-nonce";
     const KEY_PAIR_ALGORITHM = "ES256";
-    const SUPPORTED_GRANT_TYPES = [ "authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:token-exchange" ];
+    const SUPPORTED_GRANT_TYPES = [ "authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:token-exchange", "http://auth0.com/oauth/grant-type/mfa-oob", "http://auth0.com/oauth/grant-type/mfa-otp", "http://auth0.com/oauth/grant-type/mfa-recovery-code" ];
     function generateKeyPair() {
         return generateKeyPair$1(KEY_PAIR_ALGORITHM, {
             extractable: false
@@ -1212,7 +1219,7 @@
         if (!ok) {
             const errorMessage = error_description || "HTTP error. Unable to fetch ".concat(url);
             if (error === "mfa_required") {
-                throw new MfaRequiredError(error, errorMessage, data.mfa_token);
+                throw new MfaRequiredError(error, errorMessage, data.mfa_token, data.mfa_requirements);
             }
             if (error === "missing_refresh_token") {
                 throw new MissingRefreshTokenError(audience, scope);
@@ -2276,6 +2283,57 @@
             Object.setPrototypeOf(this, MyAccountApiError.prototype);
         }
     }
+    const FACTOR_MAPPING = {
+        otp: {
+            authenticatorTypes: [ "otp" ]
+        },
+        sms: {
+            authenticatorTypes: [ "oob" ],
+            oobChannels: [ "sms" ]
+        },
+        email: {
+            authenticatorTypes: [ "oob" ],
+            oobChannels: [ "email" ]
+        },
+        push: {
+            authenticatorTypes: [ "oob" ],
+            oobChannels: [ "auth0" ]
+        },
+        voice: {
+            authenticatorTypes: [ "oob" ],
+            oobChannels: [ "voice" ]
+        }
+    };
+    const MfaGrantTypes = {
+        OTP: "http://auth0.com/oauth/grant-type/mfa-otp",
+        OOB: "http://auth0.com/oauth/grant-type/mfa-oob",
+        RECOVERY_CODE: "http://auth0.com/oauth/grant-type/mfa-recovery-code"
+    };
+    function getAuthJsEnrollParams(params) {
+        const mapping = FACTOR_MAPPING[params.factorType];
+        return Object.assign(Object.assign(Object.assign({
+            mfaToken: params.mfaToken,
+            authenticatorTypes: mapping.authenticatorTypes
+        }, mapping.oobChannels && {
+            oobChannels: mapping.oobChannels
+        }), "phoneNumber" in params && {
+            phoneNumber: params.phoneNumber
+        }), "email" in params && {
+            email: params.email
+        });
+    }
+    function getGrantType(params) {
+        if ("otp" in params && params.otp) {
+            return MfaGrantTypes.OTP;
+        }
+        if ("oobCode" in params && params.oobCode) {
+            return MfaGrantTypes.OOB;
+        }
+        if ("recoveryCode" in params && params.recoveryCode) {
+            return MfaGrantTypes.RECOVERY_CODE;
+        }
+        return undefined;
+    }
     function _OverloadYield(e, d) {
         this.v = e, this.k = d;
     }
@@ -6503,7 +6561,7 @@
             [curr[0]]: curr[1]
         })), {});
     }
-    var MfaError = class MfaError extends Error {
+    var MfaError$1 = class MfaError extends Error {
         constructor(code, message, cause) {
             super(message);
             _defineProperty(this, "cause", void 0);
@@ -6516,25 +6574,25 @@
             };
         }
     };
-    var MfaListAuthenticatorsError = class extends MfaError {
+    var MfaListAuthenticatorsError$1 = class extends MfaError$1 {
         constructor(message, cause) {
             super("mfa_list_authenticators_error", message, cause);
             this.name = "MfaListAuthenticatorsError";
         }
     };
-    var MfaEnrollmentError = class extends MfaError {
+    var MfaEnrollmentError$1 = class extends MfaError$1 {
         constructor(message, cause) {
             super("mfa_enrollment_error", message, cause);
             this.name = "MfaEnrollmentError";
         }
     };
-    var MfaDeleteAuthenticatorError = class extends MfaError {
+    var MfaDeleteAuthenticatorError = class extends MfaError$1 {
         constructor(message, cause) {
             super("mfa_delete_authenticator_error", message, cause);
             this.name = "MfaDeleteAuthenticatorError";
         }
     };
-    var MfaChallengeError = class extends MfaError {
+    var MfaChallengeError$1 = class extends MfaError$1 {
         constructor(message, cause) {
             super("mfa_challenge_error", message, cause);
             this.name = "MfaChallengeError";
@@ -6608,7 +6666,7 @@
             });
             if (!response.ok) {
                 const error = await response.json();
-                throw new MfaListAuthenticatorsError(error.error_description || "Failed to list authenticators", error);
+                throw new MfaListAuthenticatorsError$1(error.error_description || "Failed to list authenticators", error);
             }
             const apiResponse = await response.json();
             return apiResponse.map(transformAuthenticatorResponse);
@@ -6638,7 +6696,7 @@
             });
             if (!response.ok) {
                 const error = await response.json();
-                throw new MfaEnrollmentError(error.error_description || "Failed to enroll authenticator", error);
+                throw new MfaEnrollmentError$1(error.error_description || "Failed to enroll authenticator", error);
             }
             const apiResponse = await response.json();
             return transformEnrollmentResponse(apiResponse);
@@ -6678,7 +6736,7 @@
             });
             if (!response.ok) {
                 const error = await response.json();
-                throw new MfaChallengeError(error.error_description || "Failed to challenge authenticator", error);
+                throw new MfaChallengeError$1(error.error_description || "Failed to challenge authenticator", error);
             }
             const apiResponse = await response.json();
             return transformChallengeResponse(apiResponse);
@@ -7109,6 +7167,194 @@
             codeVerifier: codeVerifier
         };
     }
+    class MfaError extends GenericError {
+        constructor(error, error_description) {
+            super(error, error_description);
+            Object.setPrototypeOf(this, MfaError.prototype);
+        }
+        static fromPayload(_ref) {
+            let {error: error, error_description: error_description} = _ref;
+            return new MfaError(error, error_description);
+        }
+    }
+    class MfaListAuthenticatorsError extends MfaError {
+        constructor(error, error_description) {
+            super(error, error_description);
+            Object.setPrototypeOf(this, MfaListAuthenticatorsError.prototype);
+        }
+    }
+    class MfaEnrollmentError extends MfaError {
+        constructor(error, error_description) {
+            super(error, error_description);
+            Object.setPrototypeOf(this, MfaEnrollmentError.prototype);
+        }
+    }
+    class MfaChallengeError extends MfaError {
+        constructor(error, error_description) {
+            super(error, error_description);
+            Object.setPrototypeOf(this, MfaChallengeError.prototype);
+        }
+    }
+    class MfaVerifyError extends MfaError {
+        constructor(error, error_description) {
+            super(error, error_description);
+            Object.setPrototypeOf(this, MfaVerifyError.prototype);
+        }
+    }
+    class MfaEnrollmentFactorsError extends MfaError {
+        constructor(error, error_description) {
+            super(error, error_description);
+            Object.setPrototypeOf(this, MfaEnrollmentFactorsError.prototype);
+        }
+    }
+    const DEFAULT_TTL_MS = 10 * 60 * 1e3;
+    class MfaContextManager {
+        constructor() {
+            let ttlMs = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : DEFAULT_TTL_MS;
+            this.contexts = new Map;
+            this.ttlMs = ttlMs;
+        }
+        set(mfaToken, context) {
+            this.cleanup();
+            this.contexts.set(mfaToken, Object.assign(Object.assign({}, context), {
+                createdAt: Date.now()
+            }));
+        }
+        get(mfaToken) {
+            const context = this.contexts.get(mfaToken);
+            if (!context) {
+                return undefined;
+            }
+            if (Date.now() - context.createdAt > this.ttlMs) {
+                this.contexts.delete(mfaToken);
+                return undefined;
+            }
+            return context;
+        }
+        remove(mfaToken) {
+            this.contexts.delete(mfaToken);
+        }
+        cleanup() {
+            const now = Date.now();
+            for (const [key, value] of this.contexts) {
+                if (now - value.createdAt > this.ttlMs) {
+                    this.contexts.delete(key);
+                }
+            }
+        }
+        get size() {
+            return this.contexts.size;
+        }
+    }
+    class MfaApiClient {
+        constructor(authJsMfaClient, auth0Client) {
+            this.authJsMfaClient = authJsMfaClient;
+            this.auth0Client = auth0Client;
+            this.contextManager = new MfaContextManager;
+        }
+        setMFAAuthDetails(mfaToken, scope, audience, mfaRequirements) {
+            this.contextManager.set(mfaToken, {
+                scope: scope,
+                audience: audience,
+                mfaRequirements: mfaRequirements
+            });
+        }
+        async getAuthenticators(mfaToken) {
+            var _a, _b;
+            const context = this.contextManager.get(mfaToken);
+            if (!((_a = context === null || context === void 0 ? void 0 : context.mfaRequirements) === null || _a === void 0 ? void 0 : _a.challenge) || context.mfaRequirements.challenge.length === 0) {
+                throw new MfaListAuthenticatorsError("invalid_request", "challengeType is required and must contain at least one challenge type, please check mfa_required error payload");
+            }
+            const challengeTypes = context.mfaRequirements.challenge.map((c => c.type));
+            try {
+                const allAuthenticators = await this.authJsMfaClient.listAuthenticators({
+                    mfaToken: mfaToken
+                });
+                return allAuthenticators.filter((auth => {
+                    if (!auth.type) return false;
+                    return challengeTypes.includes(auth.type);
+                }));
+            } catch (error) {
+                if (error instanceof MfaListAuthenticatorsError$1) {
+                    throw new MfaListAuthenticatorsError((_b = error.cause) === null || _b === void 0 ? void 0 : _b.error, error.message);
+                }
+                throw error;
+            }
+        }
+        async enroll(params) {
+            var _a;
+            const authJsParams = getAuthJsEnrollParams(params);
+            try {
+                return await this.authJsMfaClient.enrollAuthenticator(authJsParams);
+            } catch (error) {
+                if (error instanceof MfaEnrollmentError$1) {
+                    throw new MfaEnrollmentError((_a = error.cause) === null || _a === void 0 ? void 0 : _a.error, error.message);
+                }
+                throw error;
+            }
+        }
+        async challenge(params) {
+            var _a;
+            try {
+                const authJsParams = {
+                    challengeType: params.challengeType,
+                    mfaToken: params.mfaToken
+                };
+                if (params.authenticatorId) {
+                    authJsParams.authenticatorId = params.authenticatorId;
+                }
+                return await this.authJsMfaClient.challengeAuthenticator(authJsParams);
+            } catch (error) {
+                if (error instanceof MfaChallengeError$1) {
+                    throw new MfaChallengeError((_a = error.cause) === null || _a === void 0 ? void 0 : _a.error, error.message);
+                }
+                throw error;
+            }
+        }
+        async getEnrollmentFactors(mfaToken) {
+            const context = this.contextManager.get(mfaToken);
+            if (!context || !context.mfaRequirements) {
+                throw new MfaEnrollmentFactorsError("mfa_context_not_found", "MFA context not found for this MFA token. Please retry the original request to get a new MFA token.");
+            }
+            if (!context.mfaRequirements.enroll || context.mfaRequirements.enroll.length === 0) {
+                return [];
+            }
+            return context.mfaRequirements.enroll;
+        }
+        async verify(params) {
+            const context = this.contextManager.get(params.mfaToken);
+            if (!context) {
+                throw new MfaVerifyError("mfa_context_not_found", "MFA context not found for this MFA token. Please retry the original request to get a new MFA token.");
+            }
+            const grantType = getGrantType(params);
+            if (!grantType) {
+                throw new MfaVerifyError("invalid_request", "Unable to determine grant type. Provide one of: otp, oobCode, or recoveryCode.");
+            }
+            const scope = context.scope;
+            const audience = context.audience;
+            try {
+                const result = await this.auth0Client._requestTokenForMfa({
+                    grant_type: grantType,
+                    mfaToken: params.mfaToken,
+                    scope: scope,
+                    audience: audience,
+                    otp: params.otp,
+                    oob_code: params.oobCode,
+                    binding_code: params.bindingCode,
+                    recovery_code: params.recoveryCode
+                });
+                this.contextManager.remove(params.mfaToken);
+                return result;
+            } catch (error) {
+                if (error instanceof MfaRequiredError) {
+                    this.setMFAAuthDetails(error.mfa_token, scope, audience, error.mfa_requirements);
+                } else if (error instanceof MfaVerifyError) {
+                    throw new MfaVerifyError(error.error, error.error_description);
+                }
+                throw error;
+            }
+        }
+    }
     const lock = new _default;
     class Auth0Client {
         constructor(options) {
@@ -7177,6 +7423,7 @@
                 domain: this.options.domain,
                 clientId: this.options.clientId
             });
+            this.mfa = new MfaApiClient(this.authJsClient.mfa, this);
             if (typeof window !== "undefined" && window.Worker && this.options.useRefreshTokens && cacheLocation === CACHE_LOCATION_MEMORY) {
                 if (this.options.workerUrl) {
                     this.worker = new Worker(this.options.workerUrl);
@@ -7192,7 +7439,9 @@
             });
         }
         _url(path) {
-            const auth0Client = encodeURIComponent(btoa(JSON.stringify(this.options.auth0Client || DEFAULT_AUTH0_CLIENT)));
+            const auth0ClientObj = this.options.auth0Client || DEFAULT_AUTH0_CLIENT;
+            const strippedAuth0Client = stripAuth0Client(auth0ClientObj, true);
+            const auth0Client = encodeURIComponent(btoa(JSON.stringify(strippedAuth0Client)));
             return "".concat(this.domainUrl).concat(path, "&auth0Client=").concat(auth0Client);
         }
         _authorizeUrl(authorizeOptions) {
@@ -7573,6 +7822,7 @@
             }
         }
         async _getTokenUsingRefreshToken(options) {
+            var _a, _b;
             const cache = await this.cacheManager.get(new CacheKey({
                 scope: options.authorizationParams.scope,
                 audience: options.authorizationParams.audience || DEFAULT_AUDIENCE,
@@ -7623,6 +7873,9 @@
                 if ((e.message.indexOf(MISSING_REFRESH_TOKEN_ERROR_MESSAGE) > -1 || e.message && e.message.indexOf(INVALID_REFRESH_TOKEN_ERROR_MESSAGE) > -1) && this.options.useRefreshTokensFallback) {
                     return await this._getTokenFromIFrame(options);
                 }
+                if (e instanceof MfaRequiredError) {
+                    this.mfa.setMFAAuthDetails(e.mfa_token, (_a = options.authorizationParams) === null || _a === void 0 ? void 0 : _a.scope, (_b = options.authorizationParams) === null || _b === void 0 ? void 0 : _b.audience, e.mfa_requirements);
+                }
                 throw e;
             }
         }
@@ -7712,14 +7965,14 @@
             });
         }
         async exchangeToken(options) {
-            return this._requestToken({
+            return this._requestToken(Object.assign(Object.assign({}, options), {
                 grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
                 subject_token: options.subject_token,
                 subject_token_type: options.subject_token_type,
                 scope: scopesToRequest(this.scope, options.scope, options.audience || this.options.authorizationParams.audience),
                 audience: options.audience || this.options.authorizationParams.audience,
                 organization: options.organization || this.options.authorizationParams.organization
-            });
+            }));
         }
         _assertDpop(dpop) {
             if (!dpop) {
@@ -7792,6 +8045,12 @@
                 window.location.assign(url);
             }
         }
+        async _requestTokenForMfa(options, additionalParameters) {
+            const {mfaToken: mfaToken} = options, restOptions = __rest(options, [ "mfaToken" ]);
+            return this._requestToken(Object.assign(Object.assign({}, restOptions), {
+                mfa_token: mfaToken
+            }), additionalParameters);
+        }
     }
     async function createAuth0Client(options) {
         const auth0 = new Auth0Client(options);
@@ -7805,7 +8064,14 @@
     exports.GenericError = GenericError;
     exports.InMemoryCache = InMemoryCache;
     exports.LocalStorageCache = LocalStorageCache;
+    exports.MfaApiClient = MfaApiClient;
+    exports.MfaChallengeError = MfaChallengeError;
+    exports.MfaEnrollmentError = MfaEnrollmentError;
+    exports.MfaEnrollmentFactorsError = MfaEnrollmentFactorsError;
+    exports.MfaError = MfaError;
+    exports.MfaListAuthenticatorsError = MfaListAuthenticatorsError;
     exports.MfaRequiredError = MfaRequiredError;
+    exports.MfaVerifyError = MfaVerifyError;
     exports.MissingRefreshTokenError = MissingRefreshTokenError;
     exports.MyAccountApiError = MyAccountApiError;
     exports.PopupCancelledError = PopupCancelledError;