auth0-lock 12.0.2 → 12.2.0

package/.eslintrc.json

@@ -4,7 +4,7 @@
     "browser": true,
     "es6": true
   },
-  "parser": "babel-eslint",
+  "parser": "@babel/eslint-parser",
   "rules": {
     "react/display-name": "off",
     "react/prop-types": "warn",

package/.github/ISSUE_TEMPLATE/Bug Report.yml

@@ -0,0 +1,79 @@
+name: 🐞 Report a bug
+description: Have you found a bug or issue? Create a bug report for this library
+labels: ["bug"]
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        **Please do not report security vulnerabilities here**. The [Responsible Disclosure Program](https://auth0.com/responsible-disclosure-policy) details the procedure for disclosing security issues.
+  
+  - type: markdown
+    attributes:
+      value: |
+        :warning: **Note:** We are no longer supporting requests for new features. Only requests for bug fixes or security patches will be considered.
+
+  - type: checkboxes
+    id: checklist
+    attributes:
+      label: Checklist
+      options:
+        - label: I have looked into the [Readme](https://github.com/auth0/lock#readme) and [Examples](https://github.com/auth0/lock/blob/master/EXAMPLES.md), and have not found a suitable solution or answer.
+          required: true
+        - label: I have searched the [issues](https://github.com/auth0/lock/issues) and have not found a suitable solution or answer.
+          required: true
+        - label: I have searched the [Auth0 Community](https://community.auth0.com) forums and have not found a suitable solution or answer.
+          required: true
+        - label: I agree to the terms within the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
+          required: true
+
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: Provide a clear and concise description of the issue, including what you expected to happen.
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduction
+    attributes:
+      label: Reproduction
+      description: Detail the steps taken to reproduce this error, and whether this issue can be reproduced consistently or if it is intermittent.
+      placeholder: |
+        1. Step 1...
+        2. Step 2...
+        3. ...
+    validations:
+      required: true
+
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context
+      description: Other libraries that might be involved, or any other relevant information you think would be useful.
+    validations:
+      required: false
+
+  - type: input
+    id: environment-version
+    attributes:
+      label: Lock version
+    validations:
+      required: true
+
+  - type: dropdown
+    id: environment-browser
+    attributes:
+      label: Which browsers have you tested in?
+      multiple: true
+      options:
+        - Chrome
+        - Edge
+        - Safari
+        - Firefox
+        - Opera
+        - IE
+        - Other
+    validations:
+      required: true

package/.github/ISSUE_TEMPLATE/config.yml

@@ -1,8 +1,8 @@
 blank_issues_enabled: false
 contact_links:
   - name: Auth0 Community
-    url: https://community.auth0.com/c/sdks/5
+    url: https://community.auth0.com
     about: Discuss this SDK in the Auth0 Community forums
   - name: Library Documentation
-    url: https://auth0.com/docs/libraries/lock/v11
+    url: https://auth0.com/docs/libraries/lock
     about: Read the library docs on Auth0.com

package/.github/dependabot.yml

@@ -1,9 +1,6 @@
 version: 2
 updates:
-  - package-ecosystem: "npm" 
-    directory: "/" 
+  - package-ecosystem: "github-actions"
+    directory: "/"
     schedule:
       interval: "daily"
-    ignore:
-      - dependency-name: "*"
-        update-types: ["version-update:semver-major"]

package/.github/workflows/codeql.yml

@@ -1,30 +1,43 @@
-name: "CodeQL"
+name: CodeQL
 
 on:
-  push:
-    branches: [ "master", "v6", "v7", "v8", "v9-optional-signup-username", "v9", "v10" ]
+  merge_group:
   pull_request:
-    branches: [ "master" ]
+    types:
+      - opened
+      - synchronize
+  push:
+    branches:
+      - master
+      - v*
   schedule:
-    - cron: "11 10 * * 4"
+    - cron: '11 10 * * 4'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
 
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
 
     strategy:
       fail-fast: false
       matrix:
-        language: [ javascript ]
+        language: [javascript]
 
     steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2
@@ -38,4 +51,4 @@ jobs:
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v2
         with:
-          category: "/language:${{ matrix.language }}"
+          category: '/language:${{ matrix.language }}'

package/.github/workflows/publish.yml

@@ -0,0 +1,74 @@
+name: Publish Release
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+' # Release versions
+      - '[0-9]+.[0-9]+.[0-9]+'
+      - 'v[0-9]+.[0-9]+.[0-9]+-beta.[0-9]+' # Beta versions
+      - '[0-9]+.[0-9]+.[0-9]+-beta.[0-9]+'
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  publish-npm:
+    name: 'NPM'
+    runs-on: ubuntu-latest
+    environment: release
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+          cache: 'npm'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build release
+        run: rm -rf dist && rm -rf build && npm run dist && npm run build
+
+      - name: Publish release to NPM
+        run: npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Publish release to CDN
+        run: ccu --trace
+
+  publish-gh:
+    needs: publish-npm # Don't publish to GitHub Packages until NPM is done
+
+    name: 'GitHub Packages'
+    runs-on: ubuntu-latest
+    environment: release
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+          registry-url: 'https://npm.pkg.github.com'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build release
+        run: rm -rf dist && rm -rf build && npm run dist && npm run build
+
+      - name: Publish release to GitHub Packages
+        run: npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

package/.github/workflows/semgrep.yml

@@ -1,24 +1,48 @@
 name: Semgrep
 
 on:
-  pull_request: {}
-
+  merge_group:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
   push:
-    branches: ["master", "main"]
-
+    branches:
+      - master
   schedule:
     - cron: '30 0 1,15 * *'
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
 jobs:
-  semgrep:
-    name: Scan
+  authorize:
+    name: Authorize
+    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
     runs-on: ubuntu-latest
+    steps:
+      - run: true
+
+  run:
+    needs: authorize # Require approval before running on forked pull requests
+
+    name: Check for Vulnerabilities
+    runs-on: ubuntu-latest
+
     container:
       image: returntocorp/semgrep
-    # Skip any PR created by dependabot to avoid permission issues
-    if: (github.actor != 'dependabot[bot]')
+
     steps:
-      - uses: actions/checkout@v3
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
 
       - run: semgrep ci
         env:

package/.github/workflows/snyk.yml

@@ -0,0 +1,47 @@
+name: Snyk
+
+on:
+  merge_group:
+  workflow_dispatch:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+  push:
+    branches:
+      - master
+  schedule:
+    - cron: '30 0 1,15 * *'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
+jobs:
+  authorize:
+    name: Authorize
+    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: true
+
+  check:
+    needs: authorize
+
+    name: Check for Vulnerabilities
+    runs-on: ubuntu-latest
+
+    steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+      - uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

package/.github/workflows/test.yml

@@ -0,0 +1,66 @@
+name: Build and Test
+
+on:
+  merge_group:
+  workflow_dispatch:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+  push:
+    branches:
+      - master
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
+jobs:
+  authorize:
+    name: Authorize
+    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: true
+
+  run:
+    needs: authorize # Require approval before running on forked pull requests
+
+    name: Build Package
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build package
+        run: npm run build
+
+      - name: Run `es-check`
+        run: npm run test:es-check
+
+      - name: Run `i18n:validate`
+        run: npm run i18n:validate
+
+      - name: Run Jest unit tests
+        run: npm run test
+
+      - name: Run Karma end-to-end tests
+        run: npm run test:e2e
+
+      - name: Upload coverage
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # pin@3.1.4

package/.semgrepignore

@@ -0,0 +1,8 @@
+.circleci/
+.github/
+.vscode/
+css/
+examples/
+support/
+test/
+Gruntfile.js

package/.shiprc

@@ -2,5 +2,5 @@
   "files": {
     "README.md": []
   },
-  "postbump": "yarn dist build"
+  "postbump": "npm run dist && npm run build"
 }

package/CHANGELOG.md

@@ -1,5 +1,20 @@
 # Change Log
 
+## [v12.2.0](https://github.com/auth0/lock/tree/v12.2.0) (2023-09-15)
+[Full Changelog](https://github.com/auth0/lock/compare/v12.1.0...v12.2.0)
+
+**Added**
+- Wrap CheckBoxInput in InputWrapper to provide visual feedback [\#2423](https://github.com/auth0/lock/pull/2423) ([ewanharris](https://github.com/ewanharris))
+
+## [v12.1.0](https://github.com/auth0/lock/tree/v12.1.0) (2023-07-17)
+[Full Changelog](https://github.com/auth0/lock/compare/v12.0.2...v12.1.0)
+
+**Added**
+- Added support for hCaptcha and Friendly Captcha [\#2387](https://github.com/auth0/lock/pull/2387) ([DominickBattistini](https://github.com/DominickBattistini))
+
+**Changed**
+- WelcomeMessage header text marked as heading [\#2373](https://github.com/auth0/lock/pull/2373) ([piwysocki](https://github.com/piwysocki))
+
 ## [v12.0.2](https://github.com/auth0/lock/tree/v12.0.2) (2023-02-10)
 [Full Changelog](https://github.com/auth0/lock/compare/v12.0.1...v12.0.2)
 

package/DEVELOPMENT.md

@@ -2,7 +2,6 @@
 
 Requires:
 
-- [Yarn](https://yarnpkg.com/)
 - [Node LTS](https://nodejs.org)
 
 ## Building
@@ -12,7 +11,7 @@ The SDK uses [Webpack](https://webpack.js.org/) to compile all JavaScript assets
 To perform a build, use the `build` script:
 
 ```
-yarn build
+npm run build
 ```
 
 ## Running Tests
@@ -20,23 +19,23 @@ yarn build
 Unit tests can be executed using [Jest](https://jestjs.io/) by issuing the following command:
 
 ```
-yarn test
+npm run test
 ```
 
 To interactively perform tests using Jest's `watch` mode, use:
 
 ```
-yarn test:watch
+npm run test:watch
 ```
 
 End-to-end tests can be executed locally using [Karma](https://karma-runner.github.io/), in both watch and CLI mode:
 
 ```
 # CLI mode using Chrome Headless browser:
-yarn test:e2e
+npm run test:e2e
 
 # Watch mode using Chrome desktop browser, in watch mode:
-yarn test:e2e:watch
+npm run test:e2e:watch
 ```
 
 ## The SDK Playground
@@ -44,7 +43,7 @@ yarn test:e2e:watch
 To test the SDK manually and play around with the various options and features, you can invoke the Playground by using:
 
 ```
-yarn start
+npm start
 ```
 
 Next, open `https://localhost:3000/support`, which will display a simple web app that allows you to interact with Auth0 to test functionality. The HTML template in `support/index.html` can be modified to test various different pieces of functionality.
@@ -59,7 +58,7 @@ You can then use another SPA app to log in using this tenant that has this custo
 
 You may need to run Lock using HTTPS with a valid certificate if you want to do this testing in Safari, as Safari will not load mixed content pages, and will also not load HTTPS with untrusted testing certificates.
 
-Lock can already support HTTPS just by running `yarn start` if you have `mkcert` installed.
+Lock can already support HTTPS just by running `npm start` if you have `mkcert` installed.
 
 To install `mkcert`:
 
@@ -71,9 +70,9 @@ brew install nss # if you use Firefox
 mkcert install
 
 # Serve lock
-yarn start
+npm start
 ```
 
 Once Lock has started, use another SPA app to log in using a tenant with the template customized as above.
 
-If you don't have `mkcert`, HTTPS will still be used but it will be untrusted.
+If you don't have `mkcert`, HTTPS will still be used but it will be untrusted.

package/EXAMPLES.md

@@ -117,7 +117,7 @@ Lock will emit events during its lifecycle.
 
 Displays the widget, allowing you to override some options.
 
-- **options {Object}**: Allows you to customize some aspect of the dialog's appearance and behavior. The options allowed in here are a subset of the options allowed in the constructor and will override them: `allowedConnections`, `auth.params`, `allowLogin`, `allowSignUp`, `allowForgotPassword`, `initialScreen`, `rememberLastLogin`, `flashMessage` and `languageDictionary`. See [below](#customization) for the details. Keep in mind that `auth.params` will be fully replaced and not merged.
+- **options {Object}**: Allows you to customize some aspect of the dialog's appearance and behavior. The options allowed in here are a subset of the options allowed in the constructor and will override them: `allowedConnections`, `auth.params`, `allowLogin`, `allowSignUp`, `allowForgotPassword`, `initialScreen`, `rememberLastLogin`, and `languageDictionary`. See [below](#customization) for the details. Keep in mind that `auth.params` will be fully replaced and not merged.
 
 #### Example
 
@@ -132,6 +132,22 @@ lock.show({ allowedConnections: ['twitter', 'facebook'] });
 lock.show({ auth: { params: { state: 'auth_state' } } });
 ```
 
+#### Flash message
+
+Configuration for `flashMessage` can be specified when using `show` to display a configurable message when Lock is opened. It contains the following properties:
+
+- **type {String}**: The message type, it should be `error` or `success`.
+- **text {String}**: The text to show.
+
+```js
+lock.show({
+  flashMessage: {
+    type: 'error',
+    text: 'This is an error message'
+  }
+}
+```
+
 ### resumeAuth(hash, callback)
 
 If you set the [auth.autoParseHash](#authentication-options) option to `false`, you'll need to call this method to complete the authentication flow. This method is useful when you're using a client-side router that uses a `#` to handle URLs (angular2 with `useHash` or react-router with `hashHistory`).
@@ -210,9 +226,6 @@ The appearance of the widget and the mechanics of authentication can be customiz
 - **closable {Boolean}**: Determines whether or not the Lock can be closed. When a `container` option is provided its value is always `false`, otherwise it defaults to `true`.
 - **popupOptions {Object}**: Allows you to customize the location of the popup in the screen. Any [position and size feature](https://developer.mozilla.org/en-US/docs/Web/API/Window/open#Position_and_size_features) allowed by `window.open` is accepted. Defaults to `{}`.
 - **rememberLastLogin {Boolean}**: Determines whether or not to show a screen that allows you to quickly log in with the account you used the last time when the `initialScreen` option is set to `"login"` (the default). Defaults to `true`.
-- **flashMessage {Object}**: Shows an `error` or `success` flash message when Lock is shown.
-  - **type {String}**: The message type, it should be `error` or `success`.
-  - **text {String}**: The text to show.
 - **allowAutocomplete {Boolean}**: Determines whether or not the email or username inputs will allow autocomplete (`<input autocomplete />`). Defaults to `false`.
 - **scrollGlobalMessagesIntoView {Boolean}**: Determines whether or not a globalMessage should be scrolled into the user's viewport. Defaults to `true`.
 - **allowShowPassword {Boolean}**: Determines whether or not add a checkbox to show the password when typing it. Defaults to `false`.
@@ -648,4 +661,4 @@ var lock = new Auth0Lock(clientId, domain, options);
 lock.show();
 ```
 
-More information can be found in [Auth0's documentation](https://auth0.com/docs/libraries/lock/v11/authentication-modes#popup-mode).
+More information can be found in [Auth0's documentation](https://auth0.com/docs/libraries/lock/v11/authentication-modes#popup-mode).

package/README.md

@@ -2,7 +2,7 @@
 ![Release](https://img.shields.io/npm/v/auth0-lock)
 ![Downloads](https://img.shields.io/npm/dw/auth0-lock)
 [![License](https://img.shields.io/:license-mit-blue.svg?style=flat)](https://opensource.org/licenses/MIT)
-![CircleCI](https://img.shields.io/circleci/build/github/auth0/lock)
+[![Build Status](https://github.com/auth0/lock/actions/workflows/test.yml/badge.svg)](https://github.com/auth0/lock/actions/workflows/test.yml)
 
 > :warning: Lock is built using React 18 from v12 onwards. Getting issues? Please [submit a bug report](https://github.com/auth0/lock/issues/new?assignees=&labels=bug+report,v12&template=report_a_bug.md&title=).
 
@@ -30,7 +30,7 @@ From CDN
 
 ```html
 <!-- Latest patch release (recommended for production) -->
-<script src="https://cdn.auth0.com/js/lock/12.0.2/lock.min.js"></script>
+<script src="https://cdn.auth0.com/js/lock/12.2.0/lock.min.js"></script>
 ```
 ### Configure Auth0
 
@@ -39,7 +39,6 @@ Create a **Single Page Application** in the [Auth0 Dashboard](https://manage.aut
 > **If you're using an existing application**, verify that you have configured the following settings in your Single Page Application:
 >
 > - Click on the "Settings" tab of your application's page.
-> - Ensure that "Token Endpoint Authentication Method" under "Application Properties" is set to "None"
 > - Scroll down and click on the "Show Advanced Settings" link.
 > - Under "Advanced Settings", click on the "OAuth" tab.
 > - Ensure that "JsonWebToken Signature Algorithm" is set to `RS256` and that "OIDC Conformant" is enabled.