auth0-lock 11.32.0 → 11.33.0

package/CHANGELOG.md

@@ -1,9 +1,67 @@
 # Change Log
 
+## [v11.33.0](https://github.com/auth0/lock/tree/v11.33.0) (2022-05-05)
+
+[Full Changelog](https://github.com/auth0/lock/compare/v11.32.2...v11.33.0)
+
+**Important**
+
+This release contains a change to how [custom signup fields](https://github.com/auth0/lock/#additional-sign-up-fields) are processed. From this release, all HTML tags are stripped from user input into any custom signup field before being sent to Auth0 to register the user. This is a security measure to help mitigate from potential XSS attacks in signup verification emails.
+
+If you would be affected by this change and require HTML to be specified in a custom signup field, please leave us some feedback in our [issue tracker](https://github.com/auth0/lock/issues).
+
+**Changed**
+
+- ui box - div replaced by main [\#2114](https://github.com/auth0/lock/pull/2114) ([piwysocki](https://github.com/piwysocki))
+- More complete support for custom passwordless connections [\#2105](https://github.com/auth0/lock/pull/2105) ([peter-isgfunds](https://github.com/peter-isgfunds))
+
+**Fixed**
+
+- fix: initialize reset password inside componentDidMount [\#2111](https://github.com/auth0/lock/pull/2111) ([stevehobbsdev](https://github.com/stevehobbsdev))
+
+**Security**
+
+- [Snyk] Upgrade dompurify from 2.3.4 to 2.3.5 [\#2101](https://github.com/auth0/lock/pull/2101) ([snyk-bot](https://github.com/snyk-bot))
+
+## [v11.32.2](https://github.com/auth0/lock/tree/v11.32.2) (2022-02-08)
+
+[Full Changelog](https://github.com/auth0/lock/compare/v11.32.1...v11.32.2)
+
+**Changed**
+
+- align german loginWithLabel translation with Apple Guidelines [\#2097](https://github.com/auth0/lock/pull/2097) ([Steffen911](https://github.com/Steffen911))
+
+**Fixed**
+
+- [SDK-3087] Captcha for single enterprise AD connections [\#2096](https://github.com/auth0/lock/pull/2096) ([stevehobbsdev](https://github.com/stevehobbsdev))
+
+**Security**
+
+- [Snyk] Upgrade qs from 6.10.2 to 6.10.3 [\#2095](https://github.com/auth0/lock/pull/2095) ([snyk-bot](https://github.com/snyk-bot))
+- Bump cached-path-relative from 1.0.2 to 1.1.0 [\#2091](https://github.com/auth0/lock/pull/2091) ([dependabot[bot]](https://github.com/apps/dependabot))
+
+## [v11.32.1](https://github.com/auth0/lock/tree/v11.32.1) (2022-01-27)
+
+[Full Changelog](https://github.com/auth0/lock/compare/v11.32.0...v11.32.1)
+
+**Changed**
+
+- Update auth0-js and support legacySameSiteCookie option [\#2089](https://github.com/auth0/lock/pull/2089) ([stevehobbsdev](https://github.com/stevehobbsdev))
+
+**Security**
+
+- Bump log4js from 6.3.0 to 6.4.0 [\#2087](https://github.com/auth0/lock/pull/2087) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Security upgrade node-fetch to 2.6.7 [\#2085](https://github.com/auth0/lock/pull/2085) ([evansims](https://github.com/evansims))
+- [Snyk] Upgrade prop-types from 15.7.2 to 15.8.0 [\#2083](https://github.com/auth0/lock/pull/2083) ([snyk-bot](https://github.com/snyk-bot))
+- Bump engine.io from 4.1.1 to 4.1.2 [\#2082](https://github.com/auth0/lock/pull/2082) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Bump follow-redirects from 1.14.4 to 1.14.7 [\#2081](https://github.com/auth0/lock/pull/2081) ([dependabot[bot]](https://github.com/apps/dependabot))
+
 ## [v11.32.0](https://github.com/auth0/lock/tree/v11.32.0) (2022-01-07)
+
 [Full Changelog](https://github.com/auth0/lock/compare/v11.31.1...v11.32.0)
 
 **Fixed**
+
 - [SDK-2970] Remove captcha for enterprise SSO connections [\#2071](https://github.com/auth0/lock/pull/2071) ([stevehobbsdev](https://github.com/stevehobbsdev))
 - Add ID attributes to password field + submit button [\#2072](https://github.com/auth0/lock/pull/2072) ([stevehobbsdev](https://github.com/stevehobbsdev))
 

package/README.md

@@ -25,7 +25,7 @@ From CDN
 
 ```html
 <!-- Latest patch release (recommended for production) -->
-<script src="https://cdn.auth0.com/js/lock/11.32.0/lock.min.js"></script>
+<script src="https://cdn.auth0.com/js/lock/11.33.0/lock.min.js"></script>
 ```
 
 From [npm](https://npmjs.org)
@@ -415,11 +415,11 @@ Specify your hooks using a new `hooks` configuration item when setting up the li
 ```js
 new Auth0Lock('client ID', 'domain', {
   hooks: {
-    loggingIn: function(context, cb) {
+    loggingIn: function (context, cb) {
       console.log('Hello from the login hook!');
       cb();
     },
-    signingUp: function(context, cb) {
+    signingUp: function (context, cb) {
       console.log('Hello from the sign-up hook!');
       cb();
     }
@@ -434,12 +434,12 @@ The developer can throw an error to block the login or sign-up process. The deve
 ```js
 new Auth0Lock('client ID', 'domain', {
   hooks: {
-    loggingIn: function(context, cb) {
+    loggingIn: function (context, cb) {
       // Throw an object with code: `hook_error` to display this on the Login screen
       throw { code: 'hook_error', description: 'There was an error in the login hook!' };
 
       // Throw something generic to show a fallback error message
-      throw "Some error happened";
+      throw 'Some error happened';
     }
   }
 });
@@ -453,6 +453,7 @@ new Auth0Lock('client ID', 'domain', {
 - **languageBaseUrl {String}**: Overrides the language source URL for Auth0's provided translations. By default it uses to Auth0's CDN URL `https://cdn.auth0.com`.
 - **hashCleanup {Boolean}**: When enabled, it will remove the hash part of the callback URL after the user authentication. Defaults to `true`.
 - **connectionResolver {Function}**: When in use, provides an extensibility point to make it possible to choose which connection to use based on the username information. Has `username`, `context`, and `callback` as parameters. The callback expects an object like: `{type: 'database', name: 'connection name'}`. **This only works for database connections.** Keep in mind that this resolver will run in the form's `onSubmit` event, so keep it simple and fast. **This is a beta feature. If you find a bug, please open a GitHub [issue](https://github.com/auth0/lock/issues/new).**
+- **legacySameSiteCookie**: If `false`, no compatibility cookies will be created for those browsers that do not understand the `SameSite` attribute. Defaults to `true`
 
 ```js
 var options = {
@@ -489,6 +490,8 @@ Extra input fields can be added to the sign up screen with the `additionalSignUp
 
 Additional sign up fields are rendered below the default fields in the order they are provided.
 
+:warning: **Note**: From `11.33.0` onwards, all HTML tags are stripped from user input into custom signup fields.
+
 ##### Text field
 
 A `validator` function can also be provided.

package/lib/__tests__/connection/database/actions.js

@@ -158,4 +158,73 @@ describe('database/actions.js', function () {
     expect(signUpMock.calls.length).toBe(1);
     expect(signUpMock.calls[0][0]).toBe(id);
   });
+
+  it('sanitizes additionalSignUp fields using dompurify', function () {
+    var id = 1;
+    var hookRunner = jest.fn(function (str, m, context, fn) {
+      return fn();
+    });
+
+    require('connection/database/index').databaseConnectionName = function () {
+      return 'test-connection';
+    };
+    require('connection/database/index').shouldAutoLogin = function () {
+      return true;
+    };
+
+    // Test different fields using some examples from DOMPurify
+    // https://github.com/cure53/DOMPurify#some-purification-samples-please
+    var m = _immutable2.default.fromJS({
+      field: {
+        email: {
+          value: 'test@email.com'
+        },
+        password: {
+          value: 'testpass'
+        },
+        family_name: {
+          value: 'Test <a href="https://www.google.co.uk">Fake link</a>' // HTML but not malicious
+        },
+        given_name: {
+          value: '<img src=x onerror=alert(1)//>'
+        },
+        name: {
+          value: '<p>abc<iframe//src=jAva&Tab;script:alert(3)>def</p>'
+        },
+        other_name: {
+          value: '<div onclick=alert(0)><form onsubmit=alert(1)><input onfocus=alert(2) name=parentNode>123</form></div>'
+        }
+      },
+      database: {
+        additionalSignUpFields: [{ name: 'family_name', storage: 'root' }, { name: 'given_name', storage: 'root' }, { name: 'name', storage: 'root' }, { name: 'other_name' }]
+      },
+      core: {
+        hookRunner: hookRunner
+      }
+    });
+
+    (0, _store.swap)(_store.setEntity, 'lock', id, m);
+    (0, _actions.signUp)(id);
+
+    var _coreActionsMock3 = coreActionsMock(),
+        validateAndSubmitMock = _coreActionsMock3.validateAndSubmit.mock;
+
+    validateAndSubmitMock.calls[0][2](m);
+
+    var _webApiMock3 = webApiMock(),
+        signUpMock = _webApiMock3.signUp.mock;
+
+    expect(signUpMock.calls[0][1]).toMatchObject({
+      connection: 'test-connection',
+      email: 'test@email.com',
+      password: 'testpass',
+      autoLogin: true,
+      family_name: 'Test Fake link',
+      given_name: '',
+      name: 'abc',
+      user_metadata: {
+        other_name: '123'
+      }
+    });
+  });
 });

package/lib/__tests__/connection/enterprise/actions.js

@@ -139,7 +139,7 @@ describe('Login with connection scopes', function () {
         username: 'test',
         password: 'test',
         login_hint: 'test'
-      });
+      }, expect.any(Function));
     });
   });
 });

package/lib/__tests__/connection/enterprise/hrd_pane.js

@@ -0,0 +1,55 @@
+'use strict';
+
+var _react = require('react');
+
+var _react2 = _interopRequireDefault(_react);
+
+var _testUtils = require('testUtils');
+
+var _immutable = require('immutable');
+
+var _immutable2 = _interopRequireDefault(_immutable);
+
+var _i18n = require('../../../i18n');
+
+var i18n = _interopRequireWildcard(_i18n);
+
+var _hrd_pane = require('../../../connection/enterprise/hrd_pane');
+
+var _hrd_pane2 = _interopRequireDefault(_hrd_pane);
+
+function _interopRequireWildcard(obj) { if (obj && obj.__esModule) { return obj; } else { var newObj = {}; if (obj != null) { for (var key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) newObj[key] = obj[key]; } } newObj.default = obj; return newObj; } }
+
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+
+var lock = _immutable2.default.fromJS({ id: '__lock-id__' });
+
+jest.mock('core/index');
+
+describe('HRDPane', function () {
+  var defaultProps = {
+    model: lock,
+    header: _react2.default.createElement('header', null),
+    i18n: i18n,
+    passwordInputPlaceholder: 'password',
+    usernameInputPlaceholder: 'username'
+  };
+
+  beforeEach(function () {
+    jest.resetAllMocks();
+  });
+
+  it('renders correctly', function () {
+    (0, _testUtils.expectShallowComponent)(_react2.default.createElement(_hrd_pane2.default, defaultProps)).toMatchSnapshot();
+  });
+
+  it('renders the captcha if required', function () {
+    require('core/index').captcha.mockReturnValue({
+      get: function get() {
+        return true;
+      }
+    });
+
+    (0, _testUtils.expectShallowComponent)(_react2.default.createElement(_hrd_pane2.default, defaultProps)).toMatchSnapshot();
+  });
+});

package/lib/connection/database/actions.js

@@ -13,10 +13,6 @@ exports.cancelMFALogin = cancelMFALogin;
 exports.toggleTermsAcceptance = toggleTermsAcceptance;
 exports.showLoginMFAActivity = showLoginMFAActivity;
 
-var _immutable = require('immutable');
-
-var _immutable2 = _interopRequireDefault(_immutable);
-
 var _index = require('../../store/index');
 
 var _web_api = require('../../core/web_api');
@@ -33,6 +29,8 @@ var _index3 = require('../../field/index');
 
 var c = _interopRequireWildcard(_index3);
 
+var _dompurify = require('dompurify');
+
 var _index4 = require('./index');
 
 var _i18n = require('../../i18n');
@@ -136,7 +134,8 @@ function signUp(id) {
       (0, _index4.additionalSignUpFields)(m).forEach(function (x) {
         var storage = x.get('storage');
         var fieldName = x.get('name');
-        var fieldValue = c.getFieldValue(m, x.get('name'));
+        var fieldValue = (0, _dompurify.sanitize)(c.getFieldValue(m, x.get('name')), { ALLOWED_TAGS: [] });
+
         switch (storage) {
           case 'root':
             params[fieldName] = fieldValue;

package/lib/connection/database/reset_password.js

@@ -48,35 +48,53 @@ function _possibleConstructorReturn(self, call) { if (!self) { throw new Referen
 
 function _inherits(subClass, superClass) { if (typeof superClass !== "function" && superClass !== null) { throw new TypeError("Super expression must either be null or a function, not " + typeof superClass); } subClass.prototype = Object.create(superClass && superClass.prototype, { constructor: { value: subClass, enumerable: false, writable: true, configurable: true } }); if (superClass) Object.setPrototypeOf ? Object.setPrototypeOf(subClass, superClass) : subClass.__proto__ = superClass; }
 
-var Component = function Component(_ref) {
-  var i18n = _ref.i18n,
-      model = _ref.model;
-
-  var headerText = i18n.html('forgotPasswordInstructions') || null;
-  var header = headerText && _react2.default.createElement(
-    'p',
-    null,
-    headerText
-  );
-  var connectionResolver = l.connectionResolver(model);
-
-  // When using a custom connection resolver, `usernameStyle` is always 'username' (as opposed to 'email').
-  // If the user has entered an email address as the username, and a custom resolver is being used, copy the
-  // value from the 'username' field to the 'email' field so that `EmailPane` can render it.
-  if (connectionResolver) {
-    var field = (0, _field.getField)(model, 'username');
-    var value = field.get('value', '');
-
-    (0, _index4.swap)(_index4.updateEntity, 'lock', l.id(model), _email.setEmail, (0, _email.isEmail)(value, false) ? value : '', false);
+var Component = function (_React$Component) {
+  _inherits(Component, _React$Component);
+
+  function Component() {
+    _classCallCheck(this, Component);
+
+    return _possibleConstructorReturn(this, _React$Component.apply(this, arguments));
   }
 
-  return _react2.default.createElement(_reset_password_pane2.default, {
-    emailInputPlaceholder: i18n.str('emailInputPlaceholder'),
-    header: header,
-    i18n: i18n,
-    lock: model
-  });
-};
+  Component.prototype.componentDidMount = function componentDidMount() {
+    var model = this.props.model;
+
+    var connectionResolver = l.connectionResolver(model);
+
+    // When using a custom connection resolver, `usernameStyle` is always 'username' (as opposed to 'email').
+    // If the user has entered an email address as the username, and a custom resolver is being used, copy the
+    // value from the 'username' field to the 'email' field so that `EmailPane` can render it.
+    if (connectionResolver) {
+      var field = (0, _field.getField)(model, 'username');
+      var value = field.get('value', '');
+
+      (0, _index4.swap)(_index4.updateEntity, 'lock', l.id(model), _email.setEmail, (0, _email.isEmail)(value, false) ? value : '', false);
+    }
+  };
+
+  Component.prototype.render = function render() {
+    var _props = this.props,
+        i18n = _props.i18n,
+        model = _props.model;
+
+    var headerText = i18n.html('forgotPasswordInstructions') || null;
+    var header = headerText && _react2.default.createElement(
+      'p',
+      null,
+      headerText
+    );
+
+    return _react2.default.createElement(_reset_password_pane2.default, {
+      emailInputPlaceholder: i18n.str('emailInputPlaceholder'),
+      header: header,
+      i18n: i18n,
+      lock: model
+    });
+  };
+
+  return Component;
+}(_react2.default.Component);
 
 var ResetPassword = function (_Screen) {
   _inherits(ResetPassword, _Screen);

package/lib/connection/enterprise/actions.js

@@ -93,7 +93,10 @@ function logInActiveFlow(id, params) {
     username: username,
     password: (0, _index2.getFieldValue)(m, 'password'),
     login_hint: username
-  }));
+  }), function (id, error, fields, next) {
+    var wasCaptchaInvalid = error && error.code === 'invalid captcha';
+    (0, _captcha.swapCaptcha)(id, wasCaptchaInvalid, next);
+  });
 }
 
 function logInSSO(id, connection, params) {

package/lib/connection/enterprise/hrd_pane.js

@@ -18,6 +18,12 @@ var _password_pane = require('../../field/password/password_pane');
 
 var _password_pane2 = _interopRequireDefault(_password_pane);
 
+var _captcha_pane = require('../../field/captcha/captcha_pane');
+
+var _captcha_pane2 = _interopRequireDefault(_captcha_pane);
+
+var _captcha = require('../captcha');
+
 var _index = require('../../core/index');
 
 var l = _interopRequireWildcard(_index);
@@ -50,6 +56,10 @@ var HRDPane = function (_React$Component) {
         usernameInputPlaceholder = _props.usernameInputPlaceholder;
 
 
+    var captchaPane = l.captcha(model) && l.captcha(model).get('required') ? _react2.default.createElement(_captcha_pane2.default, { i18n: i18n, lock: model, onReload: function onReload() {
+        return (0, _captcha.swapCaptcha)(l.id(model), false);
+      } }) : null;
+
     return _react2.default.createElement(
       'div',
       null,
@@ -61,7 +71,8 @@ var HRDPane = function (_React$Component) {
         validateFormat: false,
         strictValidation: false
       }),
-      _react2.default.createElement(_password_pane2.default, { i18n: i18n, lock: model, placeholder: passwordInputPlaceholder })
+      _react2.default.createElement(_password_pane2.default, { i18n: i18n, lock: model, placeholder: passwordInputPlaceholder }),
+      captchaPane
     );
   };
 

package/lib/connection/passwordless/actions.js

@@ -86,12 +86,15 @@ function resendEmailError(id, error) {
   (0, _index.swap)(_index.updateEntity, 'lock', id, _index4.setResendFailed);
 }
 
-function sendEmail(m, successFn, errorFn) {
-  var connections = l.connections(m, 'passwordless', 'email');
-  var connectionName = connections.size > 0 && l.useCustomPasswordlessConnection(m) ? connections.first().get('name') : 'email';
+function getPasswordlessConnectionName(m, defaultPasswordlessConnection) {
+  var connections = l.connections(m, 'passwordless', defaultPasswordlessConnection);
+
+  return connections.size > 0 && l.useCustomPasswordlessConnection(m) ? connections.first().get('name') : defaultPasswordlessConnection;
+}
 
+function sendEmail(m, successFn, errorFn) {
   var params = {
-    connection: connectionName,
+    connection: getPasswordlessConnectionName(m, 'email'),
     email: c.getFieldValue(m, 'email'),
     send: (0, _index4.send)(m)
   };
@@ -113,11 +116,8 @@ function sendEmail(m, successFn, errorFn) {
 
 function sendSMS(id) {
   (0, _actions.validateAndSubmit)(id, ['phoneNumber'], function (m) {
-    var connections = l.connections(m, 'passwordless', 'sms');
-    var connectionName = connections.size > 0 && l.useCustomPasswordlessConnection(m) ? connections.first().get('name') : 'sms';
-
     var params = {
-      connection: connectionName,
+      connection: getPasswordlessConnectionName(m, 'sms'),
       phoneNumber: (0, _phone_number.phoneNumberWithDiallingCode)(m),
       send: (0, _index4.send)(m)
     };
@@ -155,10 +155,10 @@ function logIn(id) {
     verificationCode: c.getFieldValue(m, 'vcode')
   }, authParams);
   if ((0, _index4.isEmail)(m)) {
-    params.connection = 'email';
+    params.connection = getPasswordlessConnectionName(m, 'email');
     params.email = c.getFieldValue(m, 'email');
   } else {
-    params.connection = 'sms';
+    params.connection = getPasswordlessConnectionName(m, 'sms');
     params.phoneNumber = (0, _phone_number.phoneNumberWithDiallingCode)(m);
   }
   (0, _index.swap)(_index.updateEntity, 'lock', id, l.setSubmitting, true);

package/lib/core/web_api/helper.js

@@ -176,5 +176,5 @@ function trimAuthParams() {
 }
 
 function getVersion() {
-  return '11.32.0';
+  return '11.33.0';
 }

package/lib/core/web_api/p2_api.js

@@ -60,7 +60,8 @@ var Auth0APIClient = function () {
       _telemetryInfo: telemetry,
       state: state,
       nonce: nonce,
-      scope: scope
+      scope: scope,
+      legacySameSiteCookie: opts.legacySameSiteCookie
     });
 
     this.authOpt = {

package/lib/i18n/de.js

@@ -77,7 +77,7 @@ exports.default = {
   loginAtLabel: 'Anmelden bei %s',
   loginLabel: 'Anmelden',
   loginSubmitLabel: 'Anmelden',
-  loginWithLabel: 'Anmelden mit %s',
+  loginWithLabel: 'Mit %s anmelden',
   notYourAccountAction: 'Falsches Konto?',
   passwordInputPlaceholder: 'Ihr Passwort',
   passwordStrength: {

package/lib/i18n.js

@@ -125,7 +125,7 @@ function assertLanguage(m, language, base) {
 function syncLang(m, language, _cb) {
   (0, _cdn_utils.load)({
     method: 'registerLanguageDictionary',
-    url: l.languageBaseUrl(m) + '/js/lock/' + '11.32.0' + '/' + language + '.js',
+    url: l.languageBaseUrl(m) + '/js/lock/' + '11.33.0' + '/' + language + '.js',
     check: function check(str) {
       return str && str === language;
     },

package/lib/lock.js

@@ -42,7 +42,7 @@ var Auth0Lock = function (_Core) {
 
 
 exports.default = Auth0Lock;
-Auth0Lock.version = '11.32.0';
+Auth0Lock.version = '11.33.0';
 
 // TODO: should we have different telemetry for classic/passwordless?
 // TODO: should we set telemetry info before each request?

package/lib/passwordless.js

@@ -41,4 +41,4 @@ var Auth0LockPasswordless = function (_Core) {
 exports.default = Auth0LockPasswordless;
 
 
-Auth0LockPasswordless.version = '11.32.0';
+Auth0LockPasswordless.version = '11.33.0';

package/lib/ui/box.js

@@ -32,7 +32,7 @@ var ContainerManager = function () {
     var container = window.document.getElementById(id);
 
     if (!container && shouldAppend) {
-      container = window.document.createElement('div');
+      container = window.document.createElement('main');
       container.id = id;
       container.className = 'auth0-lock-container';
       window.document.body.appendChild(container);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auth0-lock",
-  "version": "11.32.0",
+  "version": "11.33.0",
   "description": "Auth0 Lock",
   "author": "Auth0 <support@auth0.com> (http://auth0.com)",
   "license": "MIT",
@@ -105,17 +105,17 @@
     "webpack-dev-server": "^2.3.0"
   },
   "dependencies": {
-    "auth0-js": "^9.18.0",
+    "auth0-js": "^9.19.0",
     "auth0-password-policies": "^1.0.2",
     "blueimp-md5": "^2.19.0",
     "classnames": "^2.3.1",
-    "dompurify": "^2.3.4",
+    "dompurify": "^2.3.5",
     "immutable": "^3.7.3",
     "jsonp": "^0.2.1",
-    "node-fetch": "^2.6.6",
+    "node-fetch": "^2.6.7",
     "password-sheriff": "^1.1.1",
-    "prop-types": "^15.6.0",
-    "qs": "^6.10.2",
+    "prop-types": "^15.8.0",
+    "qs": "^6.10.3",
     "react": "^15.6.2",
     "react-dom": "^15.6.2",
     "react-transition-group": "^2.2.1",