@auth0/auth0-spa-js 2.7.0 → 2.9.0

package/README.md

@@ -1,7 +1,8 @@
 ![Auth0 SDK for Single Page Applications using Authorization Code Grant Flow with PKCE.](https://cdn.auth0.com/website/sdks/banners/spa-js-banner.png)
 
-![Release](https://img.shields.io/npm/v/@auth0/auth0-spa-js)
+[![npm version](https://img.shields.io/npm/v/@auth0/auth0-spa-js?style=flat-square&logo=npm&logoColor=CB3837)](https://www.npmjs.com/package/@auth0/auth0-spa-js)
 [![Codecov](https://img.shields.io/codecov/c/github/auth0/auth0-spa-js)](https://codecov.io/gh/auth0/auth0-spa-js)
+[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/auth0/auth0-spa-js)
 ![Downloads](https://img.shields.io/npm/dw/@auth0/auth0-spa-js)
 [![License](https://img.shields.io/:license-mit-blue.svg?style=flat)](https://opensource.org/licenses/MIT)
 ![CircleCI](https://img.shields.io/circleci/build/github/auth0/auth0-spa-js)
@@ -29,7 +30,7 @@ npm install @auth0/auth0-spa-js
 From the CDN:
 
 ```html
-<script src="https://cdn.auth0.com/js/auth0-spa-js/2.7/auth0-spa-js.production.js"></script>
+<script src="https://cdn.auth0.com/js/auth0-spa-js/2.9/auth0-spa-js.production.js"></script>
 ```
 
 ### Configure Auth0
@@ -156,4 +157,4 @@ Please do not report security vulnerabilities on the public GitHub issue tracker
 </p>
 <p align="center">
   This project is licensed under the MIT license. See the <a href="https://github.com/auth0/auth0-spa-js/blob/main/LICENSE"> LICENSE</a> file for more info.
-</p>
+</p>

package/dist/auth0-spa-js.development.js

@@ -540,7 +540,7 @@
         exports.default = SuperTokensLock;
     }));
     var Lock = unwrapExports(browserTabsLock);
-    var version = "2.7.0";
+    var version = "2.9.0";
     const DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS = 60;
     const DEFAULT_POPUP_CONFIG_OPTIONS = {
         timeoutInSeconds: DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS
@@ -558,6 +558,7 @@
         version: version
     };
     const DEFAULT_NOW_PROVIDER = () => Date.now();
+    const DEFAULT_AUDIENCE = "default";
     class GenericError extends Error {
         constructor(error, error_description) {
             super(error_description);
@@ -733,6 +734,23 @@
     const stripUndefined = params => Object.keys(params).filter((k => typeof params[k] !== "undefined")).reduce(((acc, key) => Object.assign(Object.assign({}, acc), {
         [key]: params[key]
     })), {});
+    const ALLOWED_AUTH0CLIENT_PROPERTIES = [ {
+        key: "name",
+        type: [ "string" ]
+    }, {
+        key: "version",
+        type: [ "string", "number" ]
+    }, {
+        key: "env",
+        type: [ "object" ]
+    } ];
+    const stripAuth0Client = auth0Client => Object.keys(auth0Client).reduce(((acc, key) => {
+        const allowedProperty = ALLOWED_AUTH0CLIENT_PROPERTIES.find((p => p.key === key));
+        if (allowedProperty && allowedProperty.type.includes(typeof auth0Client[key])) {
+            acc[key] = auth0Client[key];
+        }
+        return acc;
+    }), {});
     const createQueryParams = _a => {
         var {clientId: client_id} = _a, params = __rest(_a, [ "clientId" ]);
         return new URLSearchParams(stripUndefined(Object.assign({
@@ -1215,17 +1233,42 @@
         });
         const body = useFormData ? createQueryParams(allParams) : JSON.stringify(allParams);
         const isDpopSupported = isGrantTypeSupported(options.grant_type);
-        return await getJSON(`${baseUrl}/oauth/token`, timeout, audience || "default", scope, {
+        return await getJSON(`${baseUrl}/oauth/token`, timeout, audience || DEFAULT_AUDIENCE, scope, {
             method: "POST",
             body: body,
             headers: {
                 "Content-Type": useFormData ? "application/x-www-form-urlencoded" : "application/json",
-                "Auth0-Client": btoa(JSON.stringify(auth0Client || DEFAULT_AUTH0_CLIENT))
+                "Auth0-Client": btoa(JSON.stringify(stripAuth0Client(auth0Client || DEFAULT_AUTH0_CLIENT)))
             }
         }, worker, useFormData, useMrrt, isDpopSupported ? dpop : undefined);
     }
     const dedupe = arr => Array.from(new Set(arr));
     const getUniqueScopes = (...scopes) => dedupe(scopes.filter(Boolean).join(" ").trim().split(/\s+/)).join(" ");
+    const injectDefaultScopes = (authScopes, openIdScope, ...extraScopes) => {
+        if (typeof authScopes !== "object") {
+            return {
+                [DEFAULT_AUDIENCE]: getUniqueScopes(openIdScope, authScopes, ...extraScopes)
+            };
+        }
+        let requestedScopes = {
+            [DEFAULT_AUDIENCE]: getUniqueScopes(openIdScope, ...extraScopes)
+        };
+        Object.keys(authScopes).forEach((key => {
+            const audienceScopes = authScopes[key];
+            requestedScopes[key] = getUniqueScopes(openIdScope, audienceScopes, ...extraScopes);
+        }));
+        return requestedScopes;
+    };
+    const scopesToRequest = (authScopes, methodScopes, audience) => {
+        let scope;
+        if (audience) {
+            scope = authScopes[audience];
+        }
+        if (!scope) {
+            scope = authScopes[DEFAULT_AUDIENCE];
+        }
+        return getUniqueScopes(scope, methodScopes);
+    };
     const CACHE_KEY_PREFIX = "@@auth0spajs@@";
     const CACHE_KEY_ID_TOKEN_SUFFIX = "@@user@@";
     class CacheKey {
@@ -1394,6 +1437,14 @@
             await this.cache.set(cacheKey.toKey(), wrappedEntry);
             await ((_a = this.keyManifest) === null || _a === void 0 ? void 0 : _a.add(cacheKey.toKey()));
         }
+        async remove(client_id, audience, scope) {
+            const cacheKey = new CacheKey({
+                clientId: client_id,
+                scope: scope,
+                audience: audience
+            });
+            await this.cache.remove(cacheKey.toKey());
+        }
         async clear(clientId) {
             var _a;
             const keys = await this.getCacheKeys();
@@ -1868,6 +1919,7 @@
         }
     }
     const GET_TOKEN_SILENTLY_LOCK_KEY = "auth0.lock.getTokenSilently";
+    const buildGetTokenSilentlyLockKey = (clientId, audience) => `${GET_TOKEN_SILENTLY_LOCK_KEY}.${clientId}.${audience}`;
     const buildOrganizationHintCookieName = clientId => `auth0.${clientId}.organization_hint`;
     const OLD_IS_AUTHENTICATED_COOKIE_NAME = "auth0.is.authenticated";
     const buildIsAuthenticatedCookieName = clientId => `auth0.${clientId}.is.authenticated`;
@@ -1879,7 +1931,7 @@
     const getAuthorizeParams = (clientOptions, scope, authorizationParams, state, nonce, code_challenge, redirect_uri, response_mode, thumbprint) => Object.assign(Object.assign(Object.assign({
         client_id: clientOptions.clientId
     }, clientOptions.authorizationParams), authorizationParams), {
-        scope: getUniqueScopes(scope, authorizationParams.scope),
+        scope: scopesToRequest(scope, authorizationParams.scope, authorizationParams.audience),
         response_type: "code",
         response_mode: response_mode || "query",
         state: state,
@@ -2215,6 +2267,7 @@
     class Auth0Client {
         constructor(options) {
             this.userCache = (new InMemoryCache).enclosedCache;
+            this.activeLockKeys = new Set;
             this.defaultOptions = {
                 authorizationParams: {
                     scope: DEFAULT_SCOPE
@@ -2223,7 +2276,11 @@
                 useFormData: true
             };
             this._releaseLockOnPageHide = async () => {
-                await lock.releaseLock(GET_TOKEN_SILENTLY_LOCK_KEY);
+                const lockKeysToRelease = Array.from(this.activeLockKeys);
+                for (const lockKey of lockKeysToRelease) {
+                    await lock.releaseLock(lockKey);
+                }
+                this.activeLockKeys.clear();
                 window.removeEventListener("pagehide", this._releaseLockOnPageHide);
             };
             this.options = Object.assign(Object.assign(Object.assign({}, this.defaultOptions), options), {
@@ -2250,7 +2307,7 @@
             this.isAuthenticatedCookieName = buildIsAuthenticatedCookieName(this.options.clientId);
             this.sessionCheckExpiryDays = options.sessionCheckExpiryDays || DEFAULT_SESSION_CHECK_EXPIRY_DAYS;
             const transactionStorage = options.useCookiesForTransactions ? this.cookieStorage : SessionStorage;
-            this.scope = getUniqueScopes("openid", this.options.authorizationParams.scope, this.options.useRefreshTokens ? "offline_access" : "");
+            this.scope = injectDefaultScopes(this.options.authorizationParams.scope, "openid", this.options.useRefreshTokens ? "offline_access" : "");
             this.transactionManager = new TransactionManager(transactionStorage, this.options.clientId, this.options.cookieDomain);
             this.nowProvider = this.options.nowProvider || DEFAULT_NOW_PROVIDER;
             this.cacheManager = new CacheManager(cache, !cache.allKeys ? new CacheKeyManifest(cache, this.options.clientId) : undefined, this.nowProvider);
@@ -2324,7 +2381,7 @@
                 nonce: nonce,
                 code_verifier: code_verifier,
                 scope: params.scope,
-                audience: params.audience || "default",
+                audience: params.audience || DEFAULT_AUDIENCE,
                 redirect_uri: params.redirect_uri,
                 state: state,
                 url: url
@@ -2474,12 +2531,12 @@
             } catch (_) {}
         }
         async getTokenSilently(options = {}) {
-            var _a;
+            var _a, _b;
             const localOptions = Object.assign(Object.assign({
                 cacheMode: "on"
             }, options), {
                 authorizationParams: Object.assign(Object.assign(Object.assign({}, this.options.authorizationParams), options.authorizationParams), {
-                    scope: getUniqueScopes(this.scope, (_a = options.authorizationParams) === null || _a === void 0 ? void 0 : _a.scope)
+                    scope: scopesToRequest(this.scope, (_a = options.authorizationParams) === null || _a === void 0 ? void 0 : _a.scope, ((_b = options.authorizationParams) === null || _b === void 0 ? void 0 : _b.audience) || this.options.authorizationParams.audience)
                 })
             });
             const result = await singlePromise((() => this._getTokenSilently(localOptions)), `${this.options.clientId}::${localOptions.authorizationParams.audience}::${localOptions.authorizationParams.scope}`);
@@ -2490,7 +2547,7 @@
             if (cacheMode !== "off") {
                 const entry = await this._getEntryFromCache({
                     scope: getTokenOptions.authorizationParams.scope,
-                    audience: getTokenOptions.authorizationParams.audience || "default",
+                    audience: getTokenOptions.authorizationParams.audience || DEFAULT_AUDIENCE,
                     clientId: this.options.clientId,
                     cacheMode: cacheMode
                 });
@@ -2501,13 +2558,17 @@
             if (cacheMode === "cache-only") {
                 return;
             }
-            if (await retryPromise((() => lock.acquireLock(GET_TOKEN_SILENTLY_LOCK_KEY, 5e3)), 10)) {
-                try {
+            const lockKey = buildGetTokenSilentlyLockKey(this.options.clientId, getTokenOptions.authorizationParams.audience || "default");
+            if (await retryPromise((() => lock.acquireLock(lockKey, 5e3)), 10)) {
+                this.activeLockKeys.add(lockKey);
+                if (this.activeLockKeys.size === 1) {
                     window.addEventListener("pagehide", this._releaseLockOnPageHide);
+                }
+                try {
                     if (cacheMode !== "off") {
                         const entry = await this._getEntryFromCache({
                             scope: getTokenOptions.authorizationParams.scope,
-                            audience: getTokenOptions.authorizationParams.audience || "default",
+                            audience: getTokenOptions.authorizationParams.audience || DEFAULT_AUDIENCE,
                             clientId: this.options.clientId
                         });
                         if (entry) {
@@ -2526,25 +2587,28 @@
                         expires_in: expires_in
                     });
                 } finally {
-                    await lock.releaseLock(GET_TOKEN_SILENTLY_LOCK_KEY);
-                    window.removeEventListener("pagehide", this._releaseLockOnPageHide);
+                    await lock.releaseLock(lockKey);
+                    this.activeLockKeys.delete(lockKey);
+                    if (this.activeLockKeys.size === 0) {
+                        window.removeEventListener("pagehide", this._releaseLockOnPageHide);
+                    }
                 }
             } else {
                 throw new TimeoutError;
             }
         }
         async getTokenWithPopup(options = {}, config = {}) {
-            var _a;
+            var _a, _b;
             const localOptions = Object.assign(Object.assign({}, options), {
                 authorizationParams: Object.assign(Object.assign(Object.assign({}, this.options.authorizationParams), options.authorizationParams), {
-                    scope: getUniqueScopes(this.scope, (_a = options.authorizationParams) === null || _a === void 0 ? void 0 : _a.scope)
+                    scope: scopesToRequest(this.scope, (_a = options.authorizationParams) === null || _a === void 0 ? void 0 : _a.scope, ((_b = options.authorizationParams) === null || _b === void 0 ? void 0 : _b.audience) || this.options.authorizationParams.audience)
                 })
             });
             config = Object.assign(Object.assign({}, DEFAULT_POPUP_CONFIG_OPTIONS), config);
             await this.loginWithPopup(localOptions, config);
             const cache = await this.cacheManager.get(new CacheKey({
                 scope: localOptions.authorizationParams.scope,
-                audience: localOptions.authorizationParams.audience || "default",
+                audience: localOptions.authorizationParams.audience || DEFAULT_AUDIENCE,
                 clientId: this.options.clientId
             }), undefined, this.options.useMrrt);
             return cache.access_token;
@@ -2642,14 +2706,14 @@
         async _getTokenUsingRefreshToken(options) {
             const cache = await this.cacheManager.get(new CacheKey({
                 scope: options.authorizationParams.scope,
-                audience: options.authorizationParams.audience || "default",
+                audience: options.authorizationParams.audience || DEFAULT_AUDIENCE,
                 clientId: this.options.clientId
             }), undefined, this.options.useMrrt);
             if ((!cache || !cache.refresh_token) && !this.worker) {
                 if (this.options.useRefreshTokensFallback) {
                     return await this._getTokenFromIFrame(options);
                 }
-                throw new MissingRefreshTokenError(options.authorizationParams.audience || "default", options.authorizationParams.scope);
+                throw new MissingRefreshTokenError(options.authorizationParams.audience || DEFAULT_AUDIENCE, options.authorizationParams.scope);
             }
             const redirect_uri = options.authorizationParams.redirect_uri || this.options.authorizationParams.redirect_uri || window.location.origin;
             const timeout = typeof options.timeoutInSeconds === "number" ? options.timeoutInSeconds * 1e3 : null;
@@ -2675,6 +2739,7 @@
                             if (this.options.useRefreshTokensFallback) {
                                 return await this._getTokenFromIFrame(options);
                             }
+                            await this.cacheManager.remove(this.options.clientId, options.authorizationParams.audience, options.authorizationParams.scope);
                             const missingScopes = getMissingScopes(scopesToRequest, tokenResult.scope);
                             throw new MissingScopesError(options.authorizationParams.audience || "default", missingScopes);
                         }
@@ -2683,7 +2748,7 @@
                 return Object.assign(Object.assign({}, tokenResult), {
                     scope: options.authorizationParams.scope,
                     oauthTokenScope: tokenResult.scope,
-                    audience: options.authorizationParams.audience || "default"
+                    audience: options.authorizationParams.audience || DEFAULT_AUDIENCE
                 });
             } catch (e) {
                 if ((e.message.indexOf(MISSING_REFRESH_TOKEN_ERROR_MESSAGE) > -1 || e.message && e.message.indexOf(INVALID_REFRESH_TOKEN_ERROR_MESSAGE) > -1) && this.options.useRefreshTokensFallback) {
@@ -2702,11 +2767,12 @@
             await this.cacheManager.set(entryWithoutIdToken);
         }
         async _getIdTokenFromCache() {
-            const audience = this.options.authorizationParams.audience || "default";
+            const audience = this.options.authorizationParams.audience || DEFAULT_AUDIENCE;
+            const scope = this.scope[audience];
             const cache = await this.cacheManager.getIdToken(new CacheKey({
                 clientId: this.options.clientId,
                 audience: audience,
-                scope: this.scope
+                scope: scope
             }));
             const currentCache = this.userCache.get(CACHE_KEY_ID_TOKEN_SUFFIX);
             if (cache && cache.id_token === (currentCache === null || currentCache === void 0 ? void 0 : currentCache.id_token)) {
@@ -2752,7 +2818,7 @@
             await this._saveEntryInCache(Object.assign(Object.assign(Object.assign(Object.assign({}, authResult), {
                 decodedToken: decodedToken,
                 scope: options.scope,
-                audience: options.audience || "default"
+                audience: options.audience || DEFAULT_AUDIENCE
             }), authResult.scope ? {
                 oauthTokenScope: authResult.scope
             } : null), {
@@ -2772,7 +2838,7 @@
                 grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
                 subject_token: options.subject_token,
                 subject_token_type: options.subject_token_type,
-                scope: getUniqueScopes(options.scope, this.scope),
+                scope: scopesToRequest(this.scope, options.scope, options.audience || this.options.authorizationParams.audience),
                 audience: options.audience || this.options.authorizationParams.audience
             });
         }
@@ -2812,7 +2878,7 @@
             });
         }
         async connectAccountWithRedirect(options) {
-            const {openUrl: openUrl, appState: appState, connection: connection, authorization_params: authorization_params, redirectUri: redirectUri = this.options.authorizationParams.redirect_uri || window.location.origin} = options;
+            const {openUrl: openUrl, appState: appState, connection: connection, scopes: scopes, authorization_params: authorization_params, redirectUri: redirectUri = this.options.authorizationParams.redirect_uri || window.location.origin} = options;
             if (!connection) {
                 throw new Error("connection is required");
             }
@@ -2822,6 +2888,7 @@
             const code_challenge = bufferToBase64UrlEncoded(code_challengeBuffer);
             const {connect_uri: connect_uri, connect_params: connect_params, auth_session: auth_session} = await this.myAccountApi.connectAccount({
                 connection: connection,
+                scopes: scopes,
                 redirect_uri: redirectUri,
                 state: state,
                 code_challenge: code_challenge,