@auth0/auth0-spa-js 2.16.0 → 2.17.1

package/dist/typings/Auth0Client.d.ts

@@ -187,9 +187,20 @@ export declare class Auth0Client {
     private _getTokenSilently;
     /**
      * Checks if an error should be handled by the interactive error handler.
-     * Currently only handles mfa_required; extensible for future error types.
+     * Matches:
+     * - MfaRequiredError (refresh token path, error='mfa_required')
+     * - GenericError from iframe path (error='login_required',
+     *   error_description='Multifactor authentication required')
+     * Extensible for future interactive error types.
      */
     private _isInteractiveError;
+    /**
+     * Checks if a login_required error from the iframe flow is actually
+     * an MFA step-up requirement. The /authorize endpoint returns
+     * error='login_required' with error_description='Multifactor authentication required'
+     * when MFA is needed but prompt=none prevents interaction.
+     */
+    private _isIframeMfaError;
     /**
      * Handles MFA errors by opening a popup to complete authentication,
      * then reads the resulting token from cache.

package/dist/typings/constants.d.ts

@@ -33,6 +33,12 @@ export declare const INVALID_REFRESH_TOKEN_ERROR_MESSAGE = "invalid refresh toke
  * @ignore
  */
 export declare const USER_BLOCKED_ERROR_MESSAGE = "user is blocked";
+/**
+ * @ignore
+ * The error_description returned by the /authorize endpoint when MFA is required
+ * but prompt=none prevents interaction (iframe silent auth flow).
+ */
+export declare const MFA_STEP_UP_ERROR_DESCRIPTION = "Multifactor authentication required";
 /**
  * @ignore
  */

package/dist/typings/index.d.ts

@@ -5,7 +5,7 @@ export * from './global';
 /**
  * Asynchronously creates the Auth0Client instance and calls `checkSession`.
  *
- * **Note:** There are caveats to using this in a private browser tab, which may not silently authenticae
+ * **Note:** There are caveats to using this in a private browser tab, which may not silently authenticate
  * a user on page refresh. Please see [the checkSession docs](https://auth0.github.io/auth0-spa-js/classes/Auth0Client.html#checksession) for more info.
  *
  * @param options The client options

package/dist/typings/version.d.ts

@@ -1,2 +1,2 @@
-declare const _default: "2.16.0";
+declare const _default: "2.17.1";
 export default _default;

package/package.json

@@ -3,7 +3,7 @@
   "name": "@auth0/auth0-spa-js",
   "description": "Auth0 SDK for Single Page Applications using Authorization Code Grant Flow with PKCE",
   "license": "MIT",
-  "version": "2.16.0",
+  "version": "2.17.1",
   "main": "dist/lib/auth0-spa-js.cjs.js",
   "types": "dist/typings/index.d.ts",
   "module": "dist/auth0-spa-js.production.esm.js",
@@ -23,10 +23,10 @@
     }
   },
   "dependencies": {
-    "@auth0/auth0-auth-js": "^1.4.0",
-    "browser-tabs-lock": "^1.2.15",
-    "dpop": "^2.1.1",
-    "es-cookie": "~1.3.2"
+    "@auth0/auth0-auth-js": "1.5.0",
+    "browser-tabs-lock": "1.3.0",
+    "dpop": "2.1.1",
+    "es-cookie": "1.3.2"
   },
   "scripts": {
     "dev": "rimraf dist && rollup -c --watch",
@@ -61,11 +61,10 @@
     "@rollup/plugin-commonjs": "^21.1.0",
     "@rollup/plugin-node-resolve": "^16.0.3",
     "@rollup/plugin-replace": "^4.0.0",
-    "@types/cypress": "^1.1.3",
     "@types/jest": "^28.1.7",
     "@typescript-eslint/eslint-plugin-tslint": "^5.33.1",
     "@typescript-eslint/parser": "^5.33.1",
-    "browserstack-cypress-cli": "1.36.2",
+    "browserstack-cypress-cli": "1.36.3",
     "cli-table": "^0.3.6",
     "concurrently": "^7.3.0",
     "cypress": "13.17.0",
@@ -94,7 +93,7 @@
     "rollup-plugin-terser": "^7.0.2",
     "rollup-plugin-typescript2": "^0.36.0",
     "rollup-plugin-visualizer": "^5.7.1",
-    "rollup-plugin-web-worker-loader": "^1.6.1",
+    "rollup-plugin-web-worker-loader": "~1.6.1",
     "serve": "^14.0.1",
     "ts-jest": "^28.0.8",
     "tslib": "^2.4.0",

package/src/Auth0Client.ts

@@ -57,6 +57,7 @@ import {
   DEFAULT_POPUP_CONFIG_OPTIONS,
   DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS,
   MISSING_REFRESH_TOKEN_ERROR_MESSAGE,
+  MFA_STEP_UP_ERROR_DESCRIPTION,
   DEFAULT_SCOPE,
   DEFAULT_SESSION_CHECK_EXPIRY_DAYS,
   DEFAULT_AUTH0_CLIENT,
@@ -926,10 +927,29 @@ export class Auth0Client {
 
   /**
    * Checks if an error should be handled by the interactive error handler.
-   * Currently only handles mfa_required; extensible for future error types.
+   * Matches:
+   * - MfaRequiredError (refresh token path, error='mfa_required')
+   * - GenericError from iframe path (error='login_required',
+   *   error_description='Multifactor authentication required')
+   * Extensible for future interactive error types.
    */
-  private _isInteractiveError(error: unknown): error is MfaRequiredError {
-    return error instanceof MfaRequiredError;
+  private _isInteractiveError(
+    error: unknown
+  ): error is MfaRequiredError | GenericError {
+    return error instanceof MfaRequiredError || (error instanceof GenericError && this._isIframeMfaError(error));
+  }
+
+  /**
+   * Checks if a login_required error from the iframe flow is actually
+   * an MFA step-up requirement. The /authorize endpoint returns
+   * error='login_required' with error_description='Multifactor authentication required'
+   * when MFA is needed but prompt=none prevents interaction.
+   */
+  private _isIframeMfaError(error: GenericError): boolean {
+    return (
+      error.error === 'login_required' &&
+      error.error_description === MFA_STEP_UP_ERROR_DESCRIPTION
+    );
   }
 
   /**
@@ -1207,9 +1227,19 @@ export class Auth0Client {
       );
     } catch (e) {
       if (e.error === 'login_required') {
-        this.logout({
-          openUrl: false
-        });
+        // When the login_required error is actually an MFA step-up requirement
+        // and the interactive error handler is configured, skip logout so the
+        // session is preserved for the popup flow.
+        const shouldSkipLogoutForMfaStepUp =
+          e instanceof GenericError &&
+          this._isIframeMfaError(e) &&
+          this.options.interactiveErrorHandler === 'popup';
+
+        if (!shouldSkipLogoutForMfaStepUp) {
+          this.logout({
+            openUrl: false
+          });
+        }
       }
       throw e;
     }

package/src/constants.ts

@@ -46,6 +46,13 @@ export const INVALID_REFRESH_TOKEN_ERROR_MESSAGE = 'invalid refresh token';
  */
 export const USER_BLOCKED_ERROR_MESSAGE = 'user is blocked';
 
+/**
+ * @ignore
+ * The error_description returned by the /authorize endpoint when MFA is required
+ * but prompt=none prevents interaction (iframe silent auth flow).
+ */
+export const MFA_STEP_UP_ERROR_DESCRIPTION = 'Multifactor authentication required';
+
 /**
  * @ignore
  */

package/src/index.ts

@@ -8,7 +8,7 @@ export * from './global';
 /**
  * Asynchronously creates the Auth0Client instance and calls `checkSession`.
  *
- * **Note:** There are caveats to using this in a private browser tab, which may not silently authenticae
+ * **Note:** There are caveats to using this in a private browser tab, which may not silently authenticate
  * a user on page refresh. Please see [the checkSession docs](https://auth0.github.io/auth0-spa-js/classes/Auth0Client.html#checksession) for more info.
  *
  * @param options The client options

package/src/version.ts

@@ -1 +1 @@
-export default '2.16.0';
+export default '2.17.1';