@auth0/auth0-spa-js 2.18.2 → 2.18.3

package/dist/typings/version.d.ts

@@ -1,2 +1,2 @@
-declare const _default: "2.18.2";
+declare const _default: "2.18.3";
 export default _default;

package/dist/typings/worker/worker.types.d.ts

@@ -2,6 +2,10 @@ import { FetchOptions } from '../global';
 /**
  * @ts-ignore
  */
+export type WorkerInitMessage = {
+    type: 'init';
+    allowedBaseUrl: string;
+};
 export type WorkerRefreshTokenMessage = {
     timeout: number;
     fetchUrl: string;
@@ -13,3 +17,4 @@ export type WorkerRefreshTokenMessage = {
         scope: string;
     };
 };
+export type WorkerMessage = WorkerInitMessage | WorkerRefreshTokenMessage;

package/package.json

@@ -3,7 +3,7 @@
   "name": "@auth0/auth0-spa-js",
   "description": "Auth0 SDK for Single Page Applications using Authorization Code Grant Flow with PKCE",
   "license": "MIT",
-  "version": "2.18.2",
+  "version": "2.18.3",
   "main": "dist/lib/auth0-spa-js.cjs.js",
   "types": "dist/typings/index.d.ts",
   "module": "dist/auth0-spa-js.production.esm.js",
@@ -51,7 +51,7 @@
     "serve:coverage": "serve coverage/lcov-report -n",
     "serve:stats": "serve bundle-stats -n",
     "print-bundle-size": "node ./scripts/print-bundle-size.mjs",
-    "prepack": "npm run build && npm run build:types && node ./scripts/prepack",
+    "prepack": "npm run build && npm run build:types",
     "publish:cdn": "ccu --trace"
   },
   "devDependencies": {

package/src/Auth0Client.ts

@@ -306,6 +306,11 @@ export class Auth0Client {
       } else {
         this.worker = new TokenWorker();
       }
+
+      this.worker!.postMessage({
+        type: 'init',
+        allowedBaseUrl: this.domainUrl
+      });
     }
   }
 

package/src/version.ts

@@ -1 +1 @@
-export default '2.18.2';
+export default '2.18.3';

package/src/worker/__mocks__/token.worker.ts

@@ -1,10 +1,10 @@
-const { messageHandler } = jest.requireActual('../token.worker');
+const { messageRouter } = jest.requireActual('../token.worker');
 
 export default class {
   postMessage(data, ports) {
-    messageHandler({
+    messageRouter({
       data,
-      ports
+      ports: ports || []
     });
   }
 }

package/src/worker/token.worker.ts

@@ -1,9 +1,10 @@
 import { MissingRefreshTokenError } from '../errors';
 import { FetchResponse } from '../global';
 import { createQueryParams, fromEntries } from '../utils';
-import { WorkerRefreshTokenMessage } from './worker.types';
+import { WorkerMessage, WorkerRefreshTokenMessage } from './worker.types';
 
 let refreshTokens: Record<string, string> = {};
+let allowedBaseUrl: string | null = null;
 
 const cacheKey = (audience: string, scope: string) => `${audience}|${scope}`;
 
@@ -180,11 +181,66 @@ const messageHandler = async ({
   }
 };
 
+const isAuthorizedWorkerRequest = (
+  workerRequest: WorkerRefreshTokenMessage
+) => {
+  if (!allowedBaseUrl) {
+    return false;
+  }
+
+  try {
+    const allowedBaseOrigin = new URL(allowedBaseUrl).origin;
+    const requestedUrl = new URL(workerRequest.fetchUrl);
+
+    return (
+      requestedUrl.origin === allowedBaseOrigin &&
+      requestedUrl.pathname === '/oauth/token'
+    );
+  } catch {
+    return false;
+  }
+};
+
+const messageRouter = (event: MessageEvent<WorkerMessage>) => {
+  const { data, ports } = event;
+  const [port] = ports;
+
+  if ('type' in data && data.type === 'init') {
+    if (allowedBaseUrl === null) {
+      try {
+        new URL(data.allowedBaseUrl);
+        allowedBaseUrl = data.allowedBaseUrl;
+      } catch {
+        return;
+      }
+    }
+
+    return;
+  }
+
+  if (
+    !('fetchUrl' in data) ||
+    !isAuthorizedWorkerRequest(data as WorkerRefreshTokenMessage)
+  ) {
+    port?.postMessage({
+      ok: false,
+      json: {
+        error: 'invalid_fetch_url',
+        error_description: 'Unauthorized fetch URL'
+      },
+      headers: {}
+    });
+    return;
+  }
+
+  messageHandler(event as MessageEvent<WorkerRefreshTokenMessage>);
+};
+
 // Don't run `addEventListener` in our tests (this is replaced in rollup)
 if (process.env.NODE_ENV === 'test') {
-  module.exports = { messageHandler };
+  module.exports = { messageHandler, messageRouter };
   /* c8 ignore next 4  */
 } else {
   // @ts-ignore
-  addEventListener('message', messageHandler);
+  addEventListener('message', messageRouter);
 }

package/src/worker/worker.types.ts

@@ -3,6 +3,11 @@ import { FetchOptions } from '../global';
 /**
  * @ts-ignore
  */
+export type WorkerInitMessage = {
+  type: 'init';
+  allowedBaseUrl: string;
+};
+
 export type WorkerRefreshTokenMessage = {
   timeout: number;
   fetchUrl: string;
@@ -14,3 +19,5 @@ export type WorkerRefreshTokenMessage = {
     scope: string;
   };
 };
+
+export type WorkerMessage = WorkerInitMessage | WorkerRefreshTokenMessage;