@auth0/auth0-spa-js 2.19.0 → 2.19.2

package/dist/typings/utils.d.ts

@@ -1,36 +1,36 @@
-import { AuthenticationResult, PopupConfigOptions } from './global';
-export declare const parseAuthenticationResult: (queryString: string) => AuthenticationResult;
-export declare const runIframe: (authorizeUrl: string, eventOrigin: string, timeoutInSeconds?: number) => Promise<AuthenticationResult>;
-export declare const openPopup: (url: string) => Window | null;
-export declare const runPopup: (config: PopupConfigOptions, eventOrigin: string) => Promise<AuthenticationResult>;
-export declare const getCrypto: () => Crypto;
-export declare const createRandomString: () => string;
-export declare const encode: (value: string) => string;
-export declare const decode: (value: string) => string;
-/**
- * Strips any property that is not present in ALLOWED_AUTH0CLIENT_PROPERTIES
- * @param auth0Client - The full auth0Client object
- * @param excludeEnv - If true, excludes the 'env' property from the result
- * @returns The stripped auth0Client object
- */
-export declare const stripAuth0Client: (auth0Client: any, excludeEnv?: boolean) => any;
-export declare const createQueryParams: ({ clientId: client_id, ...params }: any) => string;
-export declare const sha256: (s: string) => Promise<any>;
-export declare const urlDecodeB64: (input: string) => string;
-export declare const bufferToBase64UrlEncoded: (input: number[] | Uint8Array) => string;
-export declare const validateCrypto: () => void;
-/**
- * @ignore
- */
-export declare const getDomain: (domainUrl: string) => string;
-/**
- * @ignore
- */
-export declare const getTokenIssuer: (issuer: string | undefined, domainUrl: string) => string;
-export declare const parseNumber: (value: any) => number | undefined;
-/**
- * Ponyfill for `Object.fromEntries()`, which is not available until ES2020.
- *
- * When the target of this project reaches ES2020, this can be removed.
- */
-export declare const fromEntries: <T = any>(iterable: Iterable<[PropertyKey, T]>) => Record<PropertyKey, T>;
+import { AuthenticationResult, PopupConfigOptions } from './global';
+export declare const parseAuthenticationResult: (queryString: string) => AuthenticationResult;
+export declare const runIframe: (authorizeUrl: string, eventOrigin: string, timeoutInSeconds?: number) => Promise<AuthenticationResult>;
+export declare const openPopup: (url: string) => Window | null;
+export declare const runPopup: (config: PopupConfigOptions, eventOrigin: string) => Promise<AuthenticationResult>;
+export declare const getCrypto: () => Crypto;
+export declare const createRandomString: () => string;
+export declare const encode: (value: string) => string;
+export declare const decode: (value: string) => string;
+/**
+ * Strips any property that is not present in ALLOWED_AUTH0CLIENT_PROPERTIES
+ * @param auth0Client - The full auth0Client object
+ * @param excludeEnv - If true, excludes the 'env' property from the result
+ * @returns The stripped auth0Client object
+ */
+export declare const stripAuth0Client: (auth0Client: any, excludeEnv?: boolean) => any;
+export declare const createQueryParams: ({ clientId: client_id, ...params }: any) => string;
+export declare const sha256: (s: string) => Promise<any>;
+export declare const urlDecodeB64: (input: string) => string;
+export declare const bufferToBase64UrlEncoded: (input: number[] | Uint8Array) => string;
+export declare const validateCrypto: () => void;
+/**
+ * @ignore
+ */
+export declare const getDomain: (domainUrl: string) => string;
+/**
+ * @ignore
+ */
+export declare const getTokenIssuer: (issuer: string | undefined, domainUrl: string) => string;
+export declare const parseNumber: (value: any) => number | undefined;
+/**
+ * Ponyfill for `Object.fromEntries()`, which is not available until ES2020.
+ *
+ * When the target of this project reaches ES2020, this can be removed.
+ */
+export declare const fromEntries: <T = any>(iterable: Iterable<[PropertyKey, T]>) => Record<PropertyKey, T>;

package/dist/typings/version.d.ts

@@ -1,2 +1,2 @@
-declare const _default: "2.19.0";
-export default _default;
+declare const _default: "2.19.2";
+export default _default;

package/dist/typings/worker/token.worker.d.ts

@@ -1 +1 @@
-export {};
+export {};

package/dist/typings/worker/worker.types.d.ts

@@ -1,27 +1,30 @@
-import { FetchOptions } from '../global';
-export type WorkerInitMessage = {
-    type: 'init';
-    allowedBaseUrl: string;
-};
-type WorkerTokenMessage = {
-    timeout: number;
-    fetchUrl: string;
-    fetchOptions: FetchOptions;
-    useFormData?: boolean;
-    auth: {
-        audience: string;
-        scope: string;
-    };
-};
-export type WorkerRefreshTokenMessage = WorkerTokenMessage & {
-    type: 'refresh';
-    useMrrt?: boolean;
-};
-export type WorkerRevokeTokenMessage = Omit<WorkerTokenMessage, 'auth'> & {
-    type: 'revoke';
-    auth: {
-        audience: string;
-    };
-};
-export type WorkerMessage = WorkerInitMessage | WorkerRefreshTokenMessage | WorkerRevokeTokenMessage;
-export {};
+import { FetchOptions } from '../global';
+export type WorkerInitMessage = {
+    type: 'init';
+    allowedBaseUrl: string;
+};
+type WorkerTokenMessage = {
+    timeout: number;
+    fetchUrl: string;
+    fetchOptions: FetchOptions;
+    useFormData?: boolean;
+    auth: {
+        audience: string;
+        scope: string;
+    };
+};
+export type WorkerRefreshTokenMessage = WorkerTokenMessage & {
+    type: 'refresh';
+    useMrrt?: boolean;
+};
+export type WorkerRevokeTokenMessage = Omit<WorkerTokenMessage, 'auth'> & {
+    type: 'revoke';
+    auth: {
+        audience: string;
+    };
+};
+export type WorkerClearMessage = {
+    type: 'clear';
+};
+export type WorkerMessage = WorkerInitMessage | WorkerRefreshTokenMessage | WorkerRevokeTokenMessage | WorkerClearMessage;
+export {};

package/dist/typings/worker/worker.utils.d.ts

@@ -1,13 +1,13 @@
-import { WorkerRefreshTokenMessage, WorkerRevokeTokenMessage } from './worker.types';
-/**
- * Sends a message to a Web Worker and returns a Promise that resolves with
- * the worker's response, or rejects if the worker replies with an error.
- *
- * Uses a {@link MessageChannel} so each call gets its own private reply port,
- * making concurrent calls safe without shared state.
- *
- * @param message - The typed message to send (`refresh` or `revoke`).
- * @param to      - The target {@link Worker} instance.
- * @returns A Promise that resolves with the worker's response payload.
- */
-export declare const sendMessage: <T = any>(message: WorkerRefreshTokenMessage | WorkerRevokeTokenMessage, to: Worker) => Promise<T>;
+import { WorkerClearMessage, WorkerRefreshTokenMessage, WorkerRevokeTokenMessage } from './worker.types';
+/**
+ * Sends a message to a Web Worker and returns a Promise that resolves with
+ * the worker's response, or rejects if the worker replies with an error.
+ *
+ * Uses a {@link MessageChannel} so each call gets its own private reply port,
+ * making concurrent calls safe without shared state.
+ *
+ * @param message - The typed message to send (`refresh` or `revoke`).
+ * @param to      - The target {@link Worker} instance.
+ * @returns A Promise that resolves with the worker's response payload.
+ */
+export declare const sendMessage: <T = any>(message: WorkerRefreshTokenMessage | WorkerRevokeTokenMessage | WorkerClearMessage, to: Worker) => Promise<T>;

package/package.json

@@ -3,7 +3,7 @@
   "name": "@auth0/auth0-spa-js",
   "description": "Auth0 SDK for Single Page Applications using Authorization Code Grant Flow with PKCE",
   "license": "MIT",
-  "version": "2.19.0",
+  "version": "2.19.2",
   "main": "dist/lib/auth0-spa-js.cjs.js",
   "types": "dist/typings/index.d.ts",
   "module": "dist/auth0-spa-js.production.esm.js",

package/src/Auth0Client.ts

@@ -96,6 +96,7 @@ import {
 
 // @ts-ignore
 import TokenWorker from './worker/token.worker.ts';
+import { sendMessage } from './worker/worker.utils';
 import { singlePromise, retryPromise } from './promise-utils';
 import { CacheKeyManifest } from './cache/key-manifest';
 import {
@@ -1247,6 +1248,15 @@ export class Auth0Client {
 
     await this.dpop?.clear();
 
+    if (this.worker) {
+      try {
+        await sendMessage({ type: 'clear' }, this.worker);
+      } catch {
+        // Worker is an internal, best-effort cleanup channel. If the ACK round-trip
+        // fails we still proceed with logout so the user is not left in a half-state.
+      }
+    }
+
     const url = this._buildLogoutUrl(logoutOptions);
 
     if (openUrl) {

package/src/api.ts

@@ -130,17 +130,21 @@ export async function revokeToken(
       ? createQueryParams(baseParams)
       : JSON.stringify(baseParams);
 
-    return sendMessage(
-      {
-        type: 'revoke',
-        timeout: resolvedTimeout,
-        fetchUrl,
-        fetchOptions: { method: 'POST', body, headers },
-        useFormData,
-        auth: { audience: audience ?? DEFAULT_AUDIENCE }
-      },
-      worker
-    );
+    try {
+      return await sendMessage(
+        {
+          type: 'revoke',
+          timeout: resolvedTimeout,
+          fetchUrl,
+          fetchOptions: { method: 'POST', body, headers },
+          useFormData,
+          auth: { audience: audience ?? DEFAULT_AUDIENCE }
+        },
+        worker
+      );
+    } catch (e) {
+      throw new GenericError('revoke_error', (e as Error).message);
+    }
   }
 
   for (const refreshToken of refreshTokens) {

package/src/cache/cache-manager.ts

@@ -77,6 +77,11 @@ export class CacheManager {
       cacheKey.toKey()
     );
 
+    // Track the key where the entry was actually found, so that
+    // expiry-related writes (strip / remove) target the correct entry
+    // instead of creating a ghost entry under the lookup key.
+    let resolvedCacheKey = cacheKey;
+
     if (!wrappedEntry) {
       const keys = await this.getCacheKeys();
 
@@ -86,6 +91,7 @@ export class CacheManager {
 
       if (matchedKey) {
         wrappedEntry = await this.cache.get<WrappedCacheEntry>(matchedKey);
+        resolvedCacheKey = CacheKey.fromKey(matchedKey);
       }
 
       // To refresh using MRRT we need to send a request to the server
@@ -106,11 +112,11 @@ export class CacheManager {
 
     if (wrappedEntry.expiresAt - expiryAdjustmentSeconds < nowSeconds) {
       if (wrappedEntry.body.refresh_token) {
-        return this.modifiedCachedEntry(wrappedEntry, cacheKey);
+        return this.modifiedCachedEntry(wrappedEntry, resolvedCacheKey);
       }
 
-      await this.cache.remove(cacheKey.toKey());
-      await this.keyManifest?.remove(cacheKey.toKey());
+      await this.cache.remove(resolvedCacheKey.toKey());
+      await this.keyManifest?.remove(resolvedCacheKey.toKey());
 
       return;
     }
@@ -121,18 +127,27 @@ export class CacheManager {
   private async modifiedCachedEntry(wrappedEntry: WrappedCacheEntry, cacheKey: CacheKey): Promise<Partial<CacheEntry>> {
     // We need to keep audience and scope in order to check them later when doing refresh
     // using MRRT. See getScopeToRequest method.
-    wrappedEntry.body = {
+    //
+    // Build a new object instead of mutating wrappedEntry.body in-place,
+    // because InMemoryCache returns direct references — mutating would
+    // corrupt the original entry stored under a different (superset) key.
+    const strippedBody: Partial<CacheEntry> = {
       refresh_token: wrappedEntry.body.refresh_token,
       audience: wrappedEntry.body.audience,
       scope: wrappedEntry.body.scope,
     };
 
-    await this.cache.set(cacheKey.toKey(), wrappedEntry);
+    const strippedEntry: WrappedCacheEntry = {
+      body: strippedBody,
+      expiresAt: wrappedEntry.expiresAt,
+    };
+
+    await this.cache.set(cacheKey.toKey(), strippedEntry);
 
     return {
-      refresh_token: wrappedEntry.body.refresh_token,
-      audience: wrappedEntry.body.audience,
-      scope: wrappedEntry.body.scope,
+      refresh_token: strippedBody.refresh_token,
+      audience: strippedBody.audience,
+      scope: strippedBody.scope,
     };
   }
 
@@ -278,7 +293,11 @@ export class CacheManager {
         const cachedEntry = await this.cache.get<WrappedCacheEntry>(key);
 
         if (cachedEntry?.body?.refresh_token) {
-          return this.modifiedCachedEntry(cachedEntry, keyToMatch);
+          return {
+            refresh_token: cachedEntry.body.refresh_token,
+            audience: cachedEntry.body.audience,
+            scope: cachedEntry.body.scope,
+          };
         }
       }
     }

package/src/version.ts

@@ -1 +1 @@
-export default '2.19.0';
+export default '2.19.2';

package/src/worker/token.worker.ts

@@ -316,6 +316,12 @@ const messageRouter = (event: MessageEvent<WorkerMessage>) => {
     return;
   }
 
+  if ('type' in data && data.type === 'clear') {
+    refreshTokens = {};
+    port?.postMessage({ ok: true });
+    return;
+  }
+
   if ('type' in data && data.type === 'revoke') {
     if (!isAuthorizedWorkerRequest(data as WorkerRevokeTokenMessage, '/oauth/revoke')) {
       port?.postMessage({

package/src/worker/worker.types.ts

@@ -28,7 +28,12 @@ export type WorkerRevokeTokenMessage = Omit<WorkerTokenMessage, 'auth'> & {
   };
 };
 
+export type WorkerClearMessage = {
+  type: 'clear';
+};
+
 export type WorkerMessage =
   | WorkerInitMessage
   | WorkerRefreshTokenMessage
-  | WorkerRevokeTokenMessage;
+  | WorkerRevokeTokenMessage
+  | WorkerClearMessage;

package/src/worker/worker.utils.ts

@@ -1,4 +1,5 @@
 import {
+  WorkerClearMessage,
   WorkerRefreshTokenMessage,
   WorkerRevokeTokenMessage
 } from './worker.types';
@@ -15,7 +16,10 @@ import {
  * @returns A Promise that resolves with the worker's response payload.
  */
 export const sendMessage = <T = any>(
-  message: WorkerRefreshTokenMessage | WorkerRevokeTokenMessage,
+  message:
+    | WorkerRefreshTokenMessage
+    | WorkerRevokeTokenMessage
+    | WorkerClearMessage,
   to: Worker
 ): Promise<T> =>
   new Promise<T>(function (resolve, reject) {