@frontegg/js 6.139.0-alpha.2 → 6.139.0-alpha.4

package/FronteggApp/FronteggApp.d.ts

@@ -57,7 +57,6 @@ export declare class FronteggApp {
     logout(): void;
     loadScript(component: string): Promise<unknown>;
     loadLoginBox(): Promise<void>;
-    loadGTM(): void;
     showAdminPortal(): Promise<void>;
     hideAdminPortal(): void;
     showCheckoutDialog(opts: FronteggCheckoutDialogOptions): Promise<void>;

package/FronteggApp/FronteggApp.js

@@ -13,6 +13,7 @@ import * as FronteggRestApi from '@frontegg/rest-api';
 import * as FronteggTypes from '@frontegg/types';
 import versions from '../version';
 import { mockFlagsList } from '../utils/mockFlagsList';
+import { loadGTM } from './utils';
 export var FronteggApp = /*#__PURE__*/function () {
   function FronteggApp(_options, name) {
     var _this = this,
@@ -223,7 +224,7 @@ export var FronteggApp = /*#__PURE__*/function () {
             case 11:
               if (!this.options.previewMode && !this.options.customLoginBox) {
                 this.loadLoginBox();
-                this.loadGTM();
+                loadGTM(this.name);
               }
               if (!this.options.lazyLoadAdminPortal) {
                 this.loadScript('FronteggAdminPortal');
@@ -367,30 +368,6 @@ export var FronteggApp = /*#__PURE__*/function () {
       }
       return loadLoginBox;
     }()
-  }, {
-    key: "loadGTM",
-    value: function loadGTM() {
-      // fetch key from backend. generate script and no script only when the gtm key is loaded
-      // noscript is used for cases where js is not enabled in the browser. I think that noscript is not needed but it should be verified.
-
-      // Q: where the key comes from?
-      // Q: where the key is set in the metadata if so?
-      var metadata = Metadata.getInstance(this.name);
-      var gtmKeysConfig = metadata == null ? void 0 : metadata.integrations.gtm; //'GTM-PD6MBZX2';//'GTM-WG233XFQ';
-
-      gtmKeysConfig == null ? void 0 : gtmKeysConfig.filter(function (_ref4) {
-        var enabled = _ref4.enabled;
-        return enabled;
-      }).forEach(function (_ref5) {
-        var id = _ref5.id;
-        // Load GTM container script dynamically
-        var script = document.createElement('script');
-        script.innerHTML = "\n        (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':\n        new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],\n        j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=\n        'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);\n        })(window,document,'script','dataLayer','".concat(id, "');\n      ");
-
-        // Q: Does it important where to locate the script? login box has a container, admin box as well - for the script
-        document.body.appendChild(script);
-      });
-    }
   }, {
     key: "showAdminPortal",
     value: function () {

package/FronteggApp/utils.d.ts

@@ -0,0 +1,5 @@
+/**
+ * load gtm scripts by using metadata gtm keys
+ * @param fronteggAppName
+ */
+export declare const loadGTM: (fronteggAppName: string) => void;

package/FronteggApp/utils.js

@@ -0,0 +1,33 @@
+import { Metadata } from '@frontegg/types';
+
+/**
+ * To prevent XSS attack, this function check for gtm key validity
+ * XSS attack may happen if values are injected by postman because we don't have validity check in the BE
+ *
+ * @param key gtm key
+ * @returns true if gtm key is valid: starts with GTM- and contains letters and digits only
+ */
+var isValidGTMKey = function isValidGTMKey(key) {
+  return /^GTM-[a-zA-Z0-9]+$/.test(key);
+};
+
+/**
+ * load gtm scripts by using metadata gtm keys
+ * @param fronteggAppName
+ */
+export var loadGTM = function loadGTM(fronteggAppName) {
+  var _metadata$integration;
+  var metadata = Metadata.getInstance(fronteggAppName);
+  var gtmKeysConfig = metadata == null ? void 0 : (_metadata$integration = metadata.integrations) == null ? void 0 : _metadata$integration.gtm;
+  gtmKeysConfig == null ? void 0 : gtmKeysConfig.filter(function (_ref) {
+    var id = _ref.id,
+      enabled = _ref.enabled;
+    return enabled && isValidGTMKey(id);
+  }).forEach(function (_ref2) {
+    var id = _ref2.id;
+    // Load GTM container script dynamically
+    var script = document.createElement('script');
+    script.innerHTML = "\n        (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':\n        new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],\n        j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=\n        'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);\n        })(window,document,'script','dataLayer','".concat(id, "');\n      ");
+    document.body.appendChild(script);
+  });
+};

package/index.js

@@ -1,4 +1,4 @@
-/** @license Frontegg v6.139.0-alpha.2
+/** @license Frontegg v6.139.0-alpha.4
  *
  * This source code is licensed under the MIT license found in the
  * LICENSE file in the root directory of this source tree.

package/node/FronteggApp/FronteggApp.js

@@ -18,6 +18,7 @@ var _AppHolder = require("../AppHolder");
 var FronteggRestApi = _interopRequireWildcard(require("@frontegg/rest-api"));
 var _version = _interopRequireDefault(require("../version"));
 var _mockFlagsList = require("../utils/mockFlagsList");
+var _utils2 = require("./utils");
 function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function _getRequireWildcardCache(nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
 function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || _typeof(obj) !== "object" && typeof obj !== "function") { return { "default": obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj["default"] = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
 var FronteggApp = /*#__PURE__*/function () {
@@ -230,7 +231,7 @@ var FronteggApp = /*#__PURE__*/function () {
             case 11:
               if (!this.options.previewMode && !this.options.customLoginBox) {
                 this.loadLoginBox();
-                this.loadGTM();
+                (0, _utils2.loadGTM)(this.name);
               }
               if (!this.options.lazyLoadAdminPortal) {
                 this.loadScript('FronteggAdminPortal');
@@ -374,30 +375,6 @@ var FronteggApp = /*#__PURE__*/function () {
       }
       return loadLoginBox;
     }()
-  }, {
-    key: "loadGTM",
-    value: function loadGTM() {
-      // fetch key from backend. generate script and no script only when the gtm key is loaded
-      // noscript is used for cases where js is not enabled in the browser. I think that noscript is not needed but it should be verified.
-
-      // Q: where the key comes from?
-      // Q: where the key is set in the metadata if so?
-      var metadata = FronteggTypes.Metadata.getInstance(this.name);
-      var gtmKeysConfig = metadata == null ? void 0 : metadata.integrations.gtm; //'GTM-PD6MBZX2';//'GTM-WG233XFQ';
-
-      gtmKeysConfig == null ? void 0 : gtmKeysConfig.filter(function (_ref4) {
-        var enabled = _ref4.enabled;
-        return enabled;
-      }).forEach(function (_ref5) {
-        var id = _ref5.id;
-        // Load GTM container script dynamically
-        var script = document.createElement('script');
-        script.innerHTML = "\n        (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':\n        new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],\n        j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=\n        'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);\n        })(window,document,'script','dataLayer','".concat(id, "');\n      ");
-
-        // Q: Does it important where to locate the script? login box has a container, admin box as well - for the script
-        document.body.appendChild(script);
-      });
-    }
   }, {
     key: "showAdminPortal",
     value: function () {

package/node/FronteggApp/utils.js

@@ -0,0 +1,39 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.loadGTM = void 0;
+var _types = require("@frontegg/types");
+/**
+ * To prevent XSS attack, this function check for gtm key validity
+ * XSS attack may happen if values are injected by postman because we don't have validity check in the BE
+ *
+ * @param key gtm key
+ * @returns true if gtm key is valid: starts with GTM- and contains letters and digits only
+ */
+var isValidGTMKey = function isValidGTMKey(key) {
+  return /^GTM-[a-zA-Z0-9]+$/.test(key);
+};
+
+/**
+ * load gtm scripts by using metadata gtm keys
+ * @param fronteggAppName
+ */
+var loadGTM = function loadGTM(fronteggAppName) {
+  var _metadata$integration;
+  var metadata = _types.Metadata.getInstance(fronteggAppName);
+  var gtmKeysConfig = metadata == null ? void 0 : (_metadata$integration = metadata.integrations) == null ? void 0 : _metadata$integration.gtm;
+  gtmKeysConfig == null ? void 0 : gtmKeysConfig.filter(function (_ref) {
+    var id = _ref.id,
+      enabled = _ref.enabled;
+    return enabled && isValidGTMKey(id);
+  }).forEach(function (_ref2) {
+    var id = _ref2.id;
+    // Load GTM container script dynamically
+    var script = document.createElement('script');
+    script.innerHTML = "\n        (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':\n        new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],\n        j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=\n        'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);\n        })(window,document,'script','dataLayer','".concat(id, "');\n      ");
+    document.body.appendChild(script);
+  });
+};
+exports.loadGTM = loadGTM;

package/node/index.js

@@ -1,4 +1,4 @@
-/** @license Frontegg v6.139.0-alpha.2
+/** @license Frontegg v6.139.0-alpha.4
  *
  * This source code is licensed under the MIT license found in the
  * LICENSE file in the root directory of this source tree.

package/node/version.js

@@ -5,6 +5,6 @@ Object.defineProperty(exports, "__esModule", {
 });
 exports["default"] = void 0;
 var _default = {
-  cdnVersion: '6.139.0-alpha.2'
+  cdnVersion: '6.139.0-alpha.4'
 };
 exports["default"] = _default;

package/package.json

@@ -1,12 +1,12 @@
 {
   "name": "@frontegg/js",
-  "version": "6.139.0-alpha.2",
+  "version": "6.139.0-alpha.4",
   "main": "./node/index.js",
   "license": "MIT",
   "author": "Frontegg LTD",
   "dependencies": {
     "@babel/runtime": "^7.18.6",
-    "@frontegg/types": "6.139.0-alpha.2"
+    "@frontegg/types": "6.139.0-alpha.4"
   },
   "browserslist": {
     "production": [