auth0-lock 12.5.0 → 13.0.0

package/.github/CODEOWNERS

@@ -1 +1 @@
-*	@auth0/dx-sdks-engineer
+*	@auth0/project-dx-sdks-engineer-codeowner

package/.github/workflows/semgrep.yml

@@ -2,7 +2,7 @@ name: Semgrep
 
 on:
   merge_group:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - synchronize
@@ -20,16 +20,7 @@ concurrency:
   cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
 
 jobs:
-  authorize:
-    name: Authorize
-    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - run: true
-
   run:
-    needs: authorize # Require approval before running on forked pull requests
-
     name: Check for Vulnerabilities
     runs-on: ubuntu-latest
 

package/.github/workflows/snyk.yml

@@ -3,7 +3,7 @@ name: Snyk
 on:
   merge_group:
   workflow_dispatch:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - synchronize
@@ -21,16 +21,7 @@ concurrency:
   cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
 
 jobs:
-  authorize:
-    name: Authorize
-    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - run: true
-
   check:
-    needs: authorize
-
     name: Check for Vulnerabilities
     runs-on: ubuntu-latest
 

package/.version

@@ -1 +1 @@
-v12.5.0
+v13.0.0

package/CHANGELOG.md

@@ -1,59 +1,96 @@
 # Change Log
 
+## [v13.0.0](https://github.com/auth0/lock/tree/v13.0.0) (2024-11-11)
+[Full Changelog](https://github.com/auth0/lock/compare/v12.5.1...v13.0.0)
+
+**Added**
+- [IAMRISK-3539] Use signup classic endpoint for captcha [\#2587](https://github.com/auth0/lock/pull/2587) ([TSLarson](https://github.com/TSLarson))
+
+**Fixed**
+- [IAMRISK-3554] hcaptcha bug fix [\#2566](https://github.com/auth0/lock/pull/2566) ([Treterten](https://github.com/Treterten))
+
+**Security**
+- ci: changed the trigger from pull_request_target to pull_request for better security [\#2584](https://github.com/auth0/lock/pull/2584) ([nandan-bhat](https://github.com/nandan-bhat))
+- Update codeowner file with new GitHub team name [\#2572](https://github.com/auth0/lock/pull/2572) ([stevenwong-okta](https://github.com/stevenwong-okta))
+
+## [v12.5.1](https://github.com/auth0/lock/tree/v12.5.1) (2024-05-30)
+
+[Full Changelog](https://github.com/auth0/lock/compare/v12.5.0...v12.5.1)
+
+- Swap CAPTCHA on each reload [\#2560](https://github.com/auth0/lock/pull/2560) ([josh-cain](https://github.com/josh-cain))
+
 ## [v12.5.0](https://github.com/auth0/lock/tree/v12.5.0) (2024-04-30)
+
 [Full Changelog](https://github.com/auth0/lock/compare/v12.4.0...v12.5.0)
 
 - Support captchas in reset password flow [\#2547](https://github.com/auth0/lock/pull/2547) ([srijonsaha](https://github.com/srijonsaha))
 
 ## [v12.4.0](https://github.com/auth0/lock/tree/v12.4.0) (2024-01-04)
+
 [Full Changelog](https://github.com/auth0/lock/compare/v12.3.1...v12.4.0)
 
 **Added**
+
 - [IAMRISK-2916] Added support for Auth0 v2 captcha provider [\#2503](https://github.com/auth0/lock/pull/2503) ([alexkoumarianos-okta](https://github.com/alexkoumarianos-okta))
 
 **Changed**
+
 - [IAMRISK-3010] Added support for auth0_v2 captcha failOpen [\#2507](https://github.com/auth0/lock/pull/2507) ([alexkoumarianos-okta](https://github.com/alexkoumarianos-okta))
 
 ## [v12.3.1](https://github.com/auth0/lock/tree/v12.3.1) (2023-11-13)
+
 [Full Changelog](https://github.com/auth0/lock/compare/v12.3.0...v12.3.1)
 
 **Security**
+
 - Bump auth0-js to solve crypto-js vulnerability [\#2492](https://github.com/auth0/lock/pull/2492) ([frederikprijck](https://github.com/frederikprijck))
 
 ## [v12.3.0](https://github.com/auth0/lock/tree/v12.3.0) (2023-10-06)
+
 [Full Changelog](https://github.com/auth0/lock/compare/v12.2.0...v12.3.0)
 
 **Added**
+
 - [IAMRISK-2603] Add support for Arkose [\#2455](https://github.com/auth0/lock/pull/2455) ([srijonsaha](https://github.com/srijonsaha))
 
 ## [v12.2.0](https://github.com/auth0/lock/tree/v12.2.0) (2023-09-15)
+
 [Full Changelog](https://github.com/auth0/lock/compare/v12.1.0...v12.2.0)
 
 **Added**
+
 - Wrap CheckBoxInput in InputWrapper to provide visual feedback [\#2423](https://github.com/auth0/lock/pull/2423) ([ewanharris](https://github.com/ewanharris))
 
 ## [v12.1.0](https://github.com/auth0/lock/tree/v12.1.0) (2023-07-17)
+
 [Full Changelog](https://github.com/auth0/lock/compare/v12.0.2...v12.1.0)
 
 **Added**
+
 - Added support for hCaptcha and Friendly Captcha [\#2387](https://github.com/auth0/lock/pull/2387) ([DominickBattistini](https://github.com/DominickBattistini))
 
 **Changed**
+
 - WelcomeMessage header text marked as heading [\#2373](https://github.com/auth0/lock/pull/2373) ([piwysocki](https://github.com/piwysocki))
 
 ## [v12.0.2](https://github.com/auth0/lock/tree/v12.0.2) (2023-02-10)
+
 [Full Changelog](https://github.com/auth0/lock/compare/v12.0.1...v12.0.2)
 
 **Changed**
+
 - Slight tweaks to Captcha input component handler methods + refresh button mask [\#2272](https://github.com/auth0/lock/pull/2272) ([stevehobbsdev](https://github.com/stevehobbsdev))
 
 **Fixed**
+
 - Fix for when component is undefined on unmount [\#2271](https://github.com/auth0/lock/pull/2271) ([codetheweb](https://github.com/codetheweb))
 
 ## [v12.0.1](https://github.com/auth0/lock/tree/v12.0.1) (2023-02-01)
+
 [Full Changelog](https://github.com/auth0/lock/compare/v12.0.0...v12.0.1)
 
 **Changed**
+
 - FDR-487 - feat: update microsoft button [\#2259](https://github.com/auth0/lock/pull/2259) ([jamescgarrett](https://github.com/jamescgarrett))
 
 ## [v12.0.0](https://github.com/auth0/lock/tree/v12.0.0) (2023-01-20)
@@ -99,6 +136,7 @@ Despite the major version bump, **v12 is completely API-compatible with v11**.
 - Upgrade to React 18 [\#2209](https://github.com/auth0/lock/pull/2209) ([stevehobbsdev](https://github.com/stevehobbsdev))
 - Upgrade to Webpack 5, Jest 29, Babel 8 [\#2213](https://github.com/auth0/lock/pull/2213) ([stevehobbsdev](https://github.com/stevehobbsdev))
 - bump dependencies to latest patch and fix typos [\#2210](https://github.com/auth0/lock/pull/2210) ([piwysocki](https://github.com/piwysocki))
+
 ## [v11.34.2](https://github.com/auth0/lock/tree/v11.34.2) (2022-10-10)
 
 [Full Changelog](https://github.com/auth0/lock/compare/v11.34.1...v11.34.2)

package/README.md

@@ -30,8 +30,9 @@ From CDN
 
 ```html
 <!-- Latest patch release (recommended for production) -->
-<script src="https://cdn.auth0.com/js/lock/12.5.0/lock.min.js"></script>
+<script src="https://cdn.auth0.com/js/lock/13.0.0/lock.min.js"></script>
 ```
+
 ### Configure Auth0
 
 Create a **Single Page Application** in the [Auth0 Dashboard](https://manage.auth0.com/#/applications).

package/lib/__tests__/connection/database/actions.js

@@ -1,11 +1,17 @@
 "use strict";
 
-function _typeof(o) { "@babel/helpers - typeof"; return _typeof = "function" == typeof Symbol && "symbol" == typeof Symbol.iterator ? function (o) { return typeof o; } : function (o) { return o && "function" == typeof Symbol && o.constructor === Symbol && o !== Symbol.prototype ? "symbol" : typeof o; }, _typeof(o); }
 var _immutable = _interopRequireWildcard(require("immutable"));
 var _actions = require("../../../connection/database/actions");
 var _store = require("../../../store");
+var _captcha = require("../../../connection/captcha");
 function _getRequireWildcardCache(e) { if ("function" != typeof WeakMap) return null; var r = new WeakMap(), t = new WeakMap(); return (_getRequireWildcardCache = function _getRequireWildcardCache(e) { return e ? t : r; })(e); }
 function _interopRequireWildcard(e, r) { if (!r && e && e.__esModule) return e; if (null === e || "object" != _typeof(e) && "function" != typeof e) return { default: e }; var t = _getRequireWildcardCache(r); if (t && t.has(e)) return t.get(e); var n = { __proto__: null }, a = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var u in e) if ("default" !== u && {}.hasOwnProperty.call(e, u)) { var i = a ? Object.getOwnPropertyDescriptor(e, u) : null; i && (i.get || i.set) ? Object.defineProperty(n, u, i) : n[u] = e[u]; } return n.default = e, t && t.set(e, n), n; }
+function _typeof(o) { "@babel/helpers - typeof"; return _typeof = "function" == typeof Symbol && "symbol" == typeof Symbol.iterator ? function (o) { return typeof o; } : function (o) { return o && "function" == typeof Symbol && o.constructor === Symbol && o !== Symbol.prototype ? "symbol" : typeof o; }, _typeof(o); }
+function ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
+function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys(Object(t), !0).forEach(function (r) { _defineProperty(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
+function _defineProperty(obj, key, value) { key = _toPropertyKey(key); if (key in obj) { Object.defineProperty(obj, key, { value: value, enumerable: true, configurable: true, writable: true }); } else { obj[key] = value; } return obj; }
+function _toPropertyKey(t) { var i = _toPrimitive(t, "string"); return "symbol" == _typeof(i) ? i : i + ""; }
+function _toPrimitive(t, r) { if ("object" != _typeof(t) || !t) return t; var e = t[Symbol.toPrimitive]; if (void 0 !== e) { var i = e.call(t, r || "default"); if ("object" != _typeof(i)) return i; throw new TypeError("@@toPrimitive must return a primitive value."); } return ("string" === r ? String : Number)(t); }
 var webApiMock = function webApiMock() {
   return require('core/web_api');
 };
@@ -17,6 +23,16 @@ jest.mock('core/actions', function () {
     validateAndSubmit: jest.fn()
   };
 });
+jest.mock('../../../connection/captcha', function () {
+  var originalCaptcha = jest.requireActual('../../../connection/captcha');
+  return _objectSpread(_objectSpread({
+    __esModule: true
+  }, originalCaptcha), {}, {
+    swapCaptcha: jest.fn(function (id, flow, wasInvalid, next) {
+      next();
+    })
+  });
+});
 jest.mock('core/web_api', function () {
   return {
     signUp: jest.fn()
@@ -225,4 +241,89 @@ describe('database/actions.js', function () {
       }
     });
   });
+  describe('exported functions', function () {
+    var id = 2;
+    var mCaptcha = _immutable.default.fromJS({
+      field: {
+        email: {
+          value: 'test@email.com'
+        },
+        password: {
+          value: 'testpass'
+        },
+        family_name: {
+          value: 'test-family-name'
+        },
+        given_name: {
+          value: 'test-given-name'
+        },
+        name: {
+          value: 'test-name'
+        },
+        nickname: {
+          value: 'test-nickname'
+        },
+        picture: {
+          value: 'test-pic'
+        },
+        other_prop: {
+          value: 'test-other'
+        }
+      },
+      database: {
+        additionalSignUpFields: [{
+          name: 'family_name',
+          storage: 'root'
+        }, {
+          name: 'given_name',
+          storage: 'root'
+        }, {
+          name: 'name',
+          storage: 'root'
+        }, {
+          name: 'nickname',
+          storage: 'root'
+        }, {
+          name: 'picture',
+          storage: 'root'
+        }, {
+          name: 'other_prop'
+        }]
+      },
+      captcha: {
+        provider: 'auth0'
+      },
+      passwordResetCaptcha: {
+        provider: 'auth0'
+      }
+    });
+    describe('resetPasswordSuccess', function () {
+      it('runs swap CAPTCHA', function () {
+        (0, _store.swap)(_store.setEntity, 'lock', id, mCaptcha);
+        (0, _actions.resetPasswordSuccess)(id);
+        expect(_captcha.swapCaptcha.mock.calls.length).toEqual(1);
+      });
+    });
+    describe('showResetPasswordActivity', function () {
+      it('runs swap CAPTCHA', function () {
+        (0, _store.swap)(_store.setEntity, 'lock', id, mCaptcha);
+        (0, _actions.showResetPasswordActivity)(id);
+        expect(_captcha.swapCaptcha.mock.calls.length).toEqual(1);
+      });
+    });
+    describe('showLoginActivity', function () {
+      it('runs swap CAPTCHA', function () {
+        (0, _store.swap)(_store.setEntity, 'lock', id, mCaptcha);
+        (0, _actions.showLoginActivity)(id);
+        expect(_captcha.swapCaptcha.mock.calls.length).toEqual(1);
+      });
+    });
+    describe('showSignupActivity', function () {
+      it('runs swap CAPTCHA', function () {
+        (0, _store.swap)(_store.setEntity, 'lock', id, mCaptcha);
+        (0, _actions.showSignUpActivity)(id);
+        expect(_captcha.swapCaptcha.mock.calls.length).toEqual(1);
+      });
+    });
+  });
 });

package/lib/__tests__/engine/classic/sign_up_pane.js

@@ -3,6 +3,7 @@
 var _react = _interopRequireDefault(require("react"));
 var _testUtils = require("testUtils");
 var _testUtils2 = require("../../testUtils");
+var _captcha = require("../../../connection/captcha");
 function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
 function _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }
 jest.mock('field/email/email_pane', function () {
@@ -19,7 +20,7 @@ jest.mock('field/custom_input', function () {
 });
 jest.mock('core/index', function () {
   return {
-    captcha: jest.fn()
+    signupCaptcha: jest.fn()
   };
 });
 jest.mock('engine/classic', function () {
@@ -73,6 +74,7 @@ describe('SignUpPane', function () {
         return keys.join(',');
       }
     },
+    flow: _captcha.Flow.SIGNUP,
     model: 'model',
     emailInputPlaceholder: 'emailInputPlaceholder',
     onlyEmail: true,
@@ -92,7 +94,7 @@ describe('SignUpPane', function () {
     }))).toMatchSnapshot();
   });
   it('shows the Captcha pane', function () {
-    require('core/index').captcha.mockReturnValue({
+    require('core/index').signupCaptcha.mockReturnValue({
       get: function get() {
         return true;
       }
@@ -102,7 +104,7 @@ describe('SignUpPane', function () {
     (0, _testUtils2.expectShallowComponent)( /*#__PURE__*/_react.default.createElement(Component, defaultProps)).toMatchSnapshot();
   });
   it('hides the Captcha pane for SSO connections', function () {
-    require('core/index').captcha.mockReturnValue({
+    require('core/index').signupCaptcha.mockReturnValue({
       get: function get() {
         return true;
       }
@@ -112,7 +114,7 @@ describe('SignUpPane', function () {
     (0, _testUtils2.expectShallowComponent)( /*#__PURE__*/_react.default.createElement(Component, defaultProps)).toMatchSnapshot();
   });
   it('shows the Captcha pane for SSO (ADFS) connections', function () {
-    require('core/index').captcha.mockReturnValue({
+    require('core/index').signupCaptcha.mockReturnValue({
       get: function get() {
         return true;
       }

package/lib/__tests__/field/captcha/third_party_captcha.js

@@ -158,13 +158,22 @@ describe('ThirdPartyCaptcha', function () {
       });
     });
     it('should call render with the correct renderParams', function () {
-      var renderParams = global.window.hcaptcha.render.mock.calls[0][1];
+      var renderCalls = global.window.hcaptcha.render.mock.calls;
+      var renderParams = renderCalls[0][1];
       expect(renderParams).toEqual({
         sitekey: 'mySiteKey',
         callback: expect.any(Function),
         'expired-callback': expect.any(Function),
         'error-callback': expect.any(Function)
       });
+      expect(renderCalls.length).toEqual(1);
+    });
+    it('should call render on update', function () {
+      (0, _testUtils.act)(function () {
+        wrapper.setState();
+        var renderCalls = global.window.hcaptcha.render.mock.calls;
+        expect(renderCalls.length).toEqual(1);
+      });
     });
   });
   describe('auth0_v2', function () {

package/lib/connection/captcha.js

@@ -19,13 +19,14 @@ function _getRequireWildcardCache(e) { if ("function" != typeof WeakMap) return
 function _interopRequireWildcard(e, r) { if (!r && e && e.__esModule) return e; if (null === e || "object" != _typeof(e) && "function" != typeof e) return { default: e }; var t = _getRequireWildcardCache(r); if (t && t.has(e)) return t.get(e); var n = { __proto__: null }, a = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var u in e) if ("default" !== u && {}.hasOwnProperty.call(e, u)) { var i = a ? Object.getOwnPropertyDescriptor(e, u) : null; i && (i.get || i.set) ? Object.defineProperty(n, u, i) : n[u] = e[u]; } return n.default = e, t && t.set(e, n), n; }
 var Flow = exports.Flow = Object.freeze({
   DEFAULT: 'default',
+  SIGNUP: 'signup',
   PASSWORDLESS: 'passwordless',
   PASSWORD_RESET: 'password_reset'
 });
 
 /**
  * Return the captcha config object based on the type of flow.
- * 
+ *
  * @param {Object} m model
  * @param {Flow} flow Which flow the captcha is being rendered in
  */
@@ -34,6 +35,8 @@ function getCaptchaConfig(m, flow) {
     return l.passwordResetCaptcha(m);
   } else if (flow === Flow.PASSWORDLESS) {
     return l.passwordlessCaptcha(m);
+  } else if (flow === Flow.SIGNUP) {
+    return l.signupCaptcha(m);
   } else {
     return l.captcha(m);
   }
@@ -111,6 +114,15 @@ function swapCaptcha(id, flow, wasInvalid, next) {
         next();
       }
     });
+  } else if (flow === Flow.SIGNUP) {
+    return _web_api.default.getSignupChallenge(id, function (err, newCaptcha) {
+      if (!err && newCaptcha) {
+        (0, _index3.swap)(_index3.updateEntity, 'lock', id, l.setSignupChallenge, newCaptcha, wasInvalid);
+      }
+      if (next) {
+        next();
+      }
+    });
   } else {
     return _web_api.default.getChallenge(id, function (err, newCaptcha) {
       if (!err && newCaptcha) {

package/lib/connection/database/actions.js

@@ -8,6 +8,7 @@ exports.cancelMFALogin = cancelMFALogin;
 exports.cancelResetPassword = cancelResetPassword;
 exports.logIn = logIn;
 exports.resetPassword = resetPassword;
+exports.resetPasswordSuccess = resetPasswordSuccess;
 exports.showLoginActivity = showLoginActivity;
 exports.showLoginMFAActivity = showLoginMFAActivity;
 exports.showResetPasswordActivity = showResetPasswordActivity;
@@ -84,9 +85,9 @@ function signUp(id) {
       password: c.getFieldValue(m, 'password'),
       autoLogin: (0, _index4.shouldAutoLogin)(m)
     };
-    var isCaptchaValid = (0, _captcha.setCaptchaParams)(m, params, _captcha.Flow.DEFAULT, fields);
+    var isCaptchaValid = (0, _captcha.setCaptchaParams)(m, params, _captcha.Flow.SIGNUP, fields);
     if (!isCaptchaValid) {
-      return (0, _captcha.showMissingCaptcha)(m, id);
+      return (0, _captcha.showMissingCaptcha)(m, id, _captcha.Flow.SIGNUP);
     }
     if ((0, _index4.databaseConnectionRequiresUsername)(m)) {
       if ((0, _index4.signUpHideUsernameField)(m)) {
@@ -125,7 +126,7 @@ function signUp(id) {
         popupHandler._current_popup.kill();
       }
       var wasInvalidCaptcha = error && error.code === 'invalid_captcha';
-      (0, _captcha.swapCaptcha)(id, _captcha.Flow.DEFAULT, wasInvalidCaptcha, function () {
+      (0, _captcha.swapCaptcha)(id, _captcha.Flow.SIGNUP, wasInvalidCaptcha, function () {
         setTimeout(function () {
           return signUpError(id, error);
         }, 250);
@@ -247,10 +248,12 @@ function resetPassword(id) {
 function resetPasswordSuccess(id) {
   var m = (0, _index.read)(_index.getEntity, 'lock', id);
   if ((0, _index4.hasScreen)(m, 'login')) {
-    (0, _index.swap)(_index.updateEntity, 'lock', id, function (m) {
-      return (0, _index4.setScreen)(l.setSubmitting(m, false), 'login', ['']);
-    } // array with one empty string tells the function to not clear any field
-    );
+    (0, _captcha.swapCaptcha)(id, _captcha.Flow.PASSWORD_RESET, false, function () {
+      (0, _index.swap)(_index.updateEntity, 'lock', id, function (m) {
+        return (0, _index4.setScreen)(l.setSubmitting(m, false), 'login', ['']);
+      } // array with one empty string tells the function to not clear any field
+      );
+    });
 
     // TODO: should be handled by box
     setTimeout(function () {
@@ -261,8 +264,10 @@ function resetPasswordSuccess(id) {
     if (l.ui.autoclose(m)) {
       (0, _actions.closeLock)(id);
     } else {
-      (0, _index.swap)(_index.updateEntity, 'lock', id, function (m) {
-        return l.setSubmitting(m, false).set('passwordResetted', true);
+      (0, _captcha.swapCaptcha)(id, _captcha.Flow.PASSWORD_RESET, false, function () {
+        (0, _index.swap)(_index.updateEntity, 'lock', id, function (m) {
+          return l.setSubmitting(m, false).set('passwordResetted', true);
+        });
       });
     }
   }
@@ -281,15 +286,39 @@ function resetPasswordError(id, error) {
 }
 function showLoginActivity(id) {
   var fields = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : ['password'];
-  (0, _index.swap)(_index.updateEntity, 'lock', id, _index4.setScreen, 'login', fields);
+  var m = (0, _index.read)(_index.getEntity, 'lock', id);
+  var captchaConfig = l.captcha(m);
+  if (captchaConfig && captchaConfig.get('provider') === 'arkose') {
+    (0, _index.swap)(_index.updateEntity, 'lock', id, _index4.setScreen, 'login', fields);
+  } else {
+    (0, _captcha.swapCaptcha)(id, 'login', false, function () {
+      (0, _index.swap)(_index.updateEntity, 'lock', id, _index4.setScreen, 'login', fields);
+    });
+  }
 }
 function showSignUpActivity(id) {
   var fields = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : ['password'];
-  (0, _index.swap)(_index.updateEntity, 'lock', id, _index4.setScreen, 'signUp', fields);
+  var m = (0, _index.read)(_index.getEntity, 'lock', id);
+  var captchaConfig = l.signupCaptcha(m);
+  if (captchaConfig && captchaConfig.get('provider') === 'arkose') {
+    (0, _index.swap)(_index.updateEntity, 'lock', id, _index4.setScreen, 'signUp', fields);
+  } else {
+    (0, _captcha.swapCaptcha)(id, _captcha.Flow.SIGNUP, false, function () {
+      (0, _index.swap)(_index.updateEntity, 'lock', id, _index4.setScreen, 'signUp', fields);
+    });
+  }
 }
 function showResetPasswordActivity(id) {
   var fields = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : ['password'];
-  (0, _index.swap)(_index.updateEntity, 'lock', id, _index4.setScreen, 'forgotPassword', fields);
+  var m = (0, _index.read)(_index.getEntity, 'lock', id);
+  var captchaConfig = l.passwordResetCaptcha(m);
+  if (captchaConfig && captchaConfig.get('provider') === 'arkose') {
+    (0, _index.swap)(_index.updateEntity, 'lock', id, _index4.setScreen, 'forgotPassword', fields);
+  } else {
+    (0, _captcha.swapCaptcha)(id, _captcha.Flow.PASSWORD_RESET, false, function () {
+      (0, _index.swap)(_index.updateEntity, 'lock', id, _index4.setScreen, 'forgotPassword', fields);
+    });
+  }
 }
 function cancelResetPassword(id) {
   return showLoginActivity(id);

package/lib/connection/passwordless/index.js

@@ -24,7 +24,8 @@ exports.showTerms = showTerms;
 exports.termsAccepted = termsAccepted;
 exports.toggleTermsAcceptance = toggleTermsAcceptance;
 var _immutable = _interopRequireWildcard(require("immutable"));
-var l = _interopRequireWildcard(require("../../core/index"));
+var _index = _interopRequireWildcard(require("../../core/index"));
+var l = _index;
 var _index2 = require("../../field/index");
 var _phone_number = require("../../field/phone_number");
 var _data_utils = require("../../utils/data_utils");
@@ -49,6 +50,14 @@ function initPasswordless(m, opts) {
     mustAcceptTerms: mustAcceptTerms,
     showTerms: showTerms
   }));
+  m = (0, _sync.default)(m, 'passwordlessCaptcha', {
+    syncFn: function syncFn(m, cb) {
+      _web_api.default.getPasswordlessChallenge(m.get('id'), function (err, r) {
+        cb(null, r);
+      });
+    },
+    successFn: _index.setPasswordlessCaptcha
+  });
   if (opts.defaultLocation && typeof opts.defaultLocation === 'string') {
     m = (0, _phone_number.initLocation)(m, opts.defaultLocation.toUpperCase());
   } else {

package/lib/core/index.js

@@ -58,10 +58,12 @@ exports.setLoggedIn = setLoggedIn;
 exports.setPasswordResetCaptcha = setPasswordResetCaptcha;
 exports.setPasswordlessCaptcha = setPasswordlessCaptcha;
 exports.setResolvedConnection = setResolvedConnection;
+exports.setSignupChallenge = setSignupChallenge;
 exports.setSubmitting = setSubmitting;
 exports.setSupressSubmitOverlay = setSupressSubmitOverlay;
 exports.setup = setup;
 exports.showBadge = showBadge;
+exports.signupCaptcha = signupCaptcha;
 exports.stop = stop;
 exports.stopRendering = stopRendering;
 exports.submitting = submitting;
@@ -488,6 +490,10 @@ function setCaptcha(m, value, wasInvalid) {
   m = captchaField.reset(m, wasInvalid);
   return set(m, 'captcha', _immutable.default.fromJS(value));
 }
+function setSignupChallenge(m, value, wasInvalid) {
+  m = captchaField.reset(m, wasInvalid);
+  return set(m, 'signupCaptcha', _immutable.default.fromJS(value));
+}
 function setPasswordlessCaptcha(m, value, wasInvalid) {
   m = captchaField.reset(m, wasInvalid);
   return set(m, 'passwordlessCaptcha', _immutable.default.fromJS(value));
@@ -499,6 +505,9 @@ function setPasswordResetCaptcha(m, value, wasInvalid) {
 function captcha(m) {
   return get(m, 'captcha');
 }
+function signupCaptcha(m) {
+  return get(m, 'signupCaptcha');
+}
 function passwordlessCaptcha(m) {
   return get(m, 'passwordlessCaptcha');
 }

package/lib/core/remote_data.js

@@ -78,21 +78,5 @@ function syncRemoteData(m) {
     },
     successFn: _index2.setCaptcha
   });
-  m = (0, _sync.default)(m, 'passwordlessCaptcha', {
-    syncFn: function syncFn(m, cb) {
-      _web_api.default.getPasswordlessChallenge(m.get('id'), function (err, r) {
-        cb(null, r);
-      });
-    },
-    successFn: _index2.setPasswordlessCaptcha
-  });
-  m = (0, _sync.default)(m, 'passwordResetCaptcha', {
-    syncFn: function syncFn(m, cb) {
-      _web_api.default.getPasswordResetChallenge(m.get('id'), function (err, r) {
-        cb(null, r);
-      });
-    },
-    successFn: _index2.setPasswordResetCaptcha
-  });
   return m;
 }

package/lib/core/web_api/helper.js

@@ -169,5 +169,5 @@ function trimAuthParams() {
   return p;
 }
 function getVersion() {
-  return "12.5.0";
+  return "13.0.0";
 }

package/lib/core/web_api/p2_api.js

@@ -192,6 +192,12 @@ var Auth0APIClient = /*#__PURE__*/function () {
       var _this$client$client2;
       return (_this$client$client2 = this.client.client).getChallenge.apply(_this$client$client2, arguments);
     }
+  }, {
+    key: "getSignupChallenge",
+    value: function getSignupChallenge() {
+      var _this$client$client$d;
+      return (_this$client$client$d = this.client.client.dbConnection).getSignupChallenge.apply(_this$client$client$d, arguments);
+    }
   }, {
     key: "getPasswordlessChallenge",
     value: function getPasswordlessChallenge() {
@@ -201,8 +207,8 @@ var Auth0APIClient = /*#__PURE__*/function () {
   }, {
     key: "getPasswordResetChallenge",
     value: function getPasswordResetChallenge() {
-      var _this$client$client$d;
-      return (_this$client$client$d = this.client.client.dbConnection).getPasswordResetChallenge.apply(_this$client$client$d, arguments);
+      var _this$client$client$d2;
+      return (_this$client$client$d2 = this.client.client.dbConnection).getPasswordResetChallenge.apply(_this$client$client$d2, arguments);
     }
   }, {
     key: "getUserCountry",

package/lib/core/web_api.js

@@ -84,6 +84,11 @@ var Auth0WebAPI = /*#__PURE__*/function () {
     value: function getChallenge(lockID, callback) {
       return this.clients[lockID].getChallenge(callback);
     }
+  }, {
+    key: "getSignupChallenge",
+    value: function getSignupChallenge(lockID, callback) {
+      return this.clients[lockID].getSignupChallenge(callback);
+    }
   }, {
     key: "getPasswordlessChallenge",
     value: function getPasswordlessChallenge(lockID, callback) {

package/lib/engine/classic/sign_up_pane.js

@@ -74,11 +74,12 @@ var SignUpPane = exports.default = /*#__PURE__*/function (_React$Component) {
           value: x.get('value')
         });
       });
-      var captchaPane = l.captcha(model) && l.captcha(model).get('required') && ((0, _enterprise.isHRDDomain)(model, (0, _index.databaseUsernameValue)(model)) || !sso) ? /*#__PURE__*/_react.default.createElement(_captcha_pane.default, {
+      var captchaPane = l.signupCaptcha(model) && l.signupCaptcha(model).get('required') && ((0, _enterprise.isHRDDomain)(model, (0, _index.databaseUsernameValue)(model)) || !sso) ? /*#__PURE__*/_react.default.createElement(_captcha_pane.default, {
         i18n: i18n,
         lock: model,
+        flow: _captcha.Flow.SIGNUP,
         onReload: function onReload() {
-          return (0, _captcha.swapCaptcha)(l.id(model), _captcha.Flow.DEFAULT, false);
+          return (0, _captcha.swapCaptcha)(l.id(model), _captcha.Flow.SIGNUP, false);
         }
       }) : null;
       var passwordPane = !onlyEmail && /*#__PURE__*/_react.default.createElement(_password_pane.default, {

package/lib/field/captcha/third_party_captcha.js

@@ -84,6 +84,13 @@ var providerDomPrefix = function providerDomPrefix(provider) {
       return 'auth0-v2';
   }
 };
+var providerComponentId = function providerComponentId(provider) {
+  if (provider === HCAPTCHA_PROVIDER) {
+    return 'h-captcha';
+  } else {
+    return '';
+  }
+};
 var loadScript = function loadScript(url, attributes) {
   var script = document.createElement('script');
   for (var attr in attributes) {
@@ -321,15 +328,20 @@ var ThirdPartyCaptcha = exports.ThirdPartyCaptcha = /*#__PURE__*/function (_Reac
         className: this.props.isValid ? "auth0-lock-".concat(providerDomPrefix(this.props.provider), "-block") : "auth0-lock-".concat(providerDomPrefix(this.props.provider), "-block auth0-lock-").concat(providerDomPrefix(this.props.provider), "-block-error")
       }, /*#__PURE__*/_react.default.createElement("div", {
         className: "auth0-lock-".concat(providerDomPrefix(this.props.provider) === 'recaptcha' ? 'recaptchav2' : providerDomPrefix(this.props.provider)),
+        id: providerComponentId(this.props.provider),
         ref: this.ref
       }));
     }
   }, {
     key: "componentDidUpdate",
     value: function componentDidUpdate(prevProps, prevState) {
+      var hCaptchaComponent = document.getElementById("h-captcha");
       if (prevProps.value !== this.props.value && this.props.value === '') {
         this.reset();
       }
+      if (this.props.provider === HCAPTCHA_PROVIDER && hCaptchaComponent && window[this.props.provider]) {
+        window[this.props.provider].render('h-captcha', this.getRenderParams());
+      }
     }
   }], [{
     key: "getDerivedStateFromProps",

package/lib/i18n.js

@@ -91,7 +91,7 @@ function assertLanguage(m, language, base) {
 function syncLang(m, language, _cb) {
   (0, _cdn_utils.load)({
     method: 'registerLanguageDictionary',
-    url: "".concat(l.languageBaseUrl(m), "/js/lock/").concat("12.5.0", "/").concat(language, ".js"),
+    url: "".concat(l.languageBaseUrl(m), "/js/lock/").concat("13.0.0", "/").concat(language, ".js"),
     check: function check(str) {
       return str && str === language;
     },

package/lib/lock.js

@@ -37,7 +37,7 @@ var Auth0Lock = exports.default = /*#__PURE__*/function (_Core) {
   _inherits(Auth0Lock, _Core);
   return _createClass(Auth0Lock);
 }(_core.default); // telemetry
-Auth0Lock.version = "12.5.0";
+Auth0Lock.version = "13.0.0";
 
 // TODO: should we have different telemetry for classic/passwordless?
 // TODO: should we set telemetry info before each request?

package/lib/passwordless.js

@@ -37,4 +37,4 @@ var Auth0LockPasswordless = exports.default = /*#__PURE__*/function (_Core) {
   _inherits(Auth0LockPasswordless, _Core);
   return _createClass(Auth0LockPasswordless);
 }(_core.default);
-Auth0LockPasswordless.version = "12.5.0";
+Auth0LockPasswordless.version = "13.0.0";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auth0-lock",
-  "version": "12.5.0",
+  "version": "13.0.0",
   "description": "Auth0 Lock",
   "author": "Auth0 <support@auth0.com> (http://auth0.com)",
   "license": "MIT",
@@ -61,7 +61,7 @@
     "@babel/plugin-syntax-import-meta": "^7.0.0",
     "@babel/preset-env": "^7.0.0",
     "@babel/preset-react": "^7.0.0",
-    "@cfaester/enzyme-adapter-react-18": "^0.7.0",
+    "@cfaester/enzyme-adapter-react-18": "^0.8.0",
     "@google-cloud/translate": "^6.0.2",
     "babel-jest": "^29.3.1",
     "babel-loader": "8.3.0",
@@ -111,7 +111,7 @@
     "puppeteer": "^10.1.0",
     "react-test-renderer": "^18.2.0",
     "sinon": "^1.15.4",
-    "stylus": "^0.62.0",
+    "stylus": "^0.63.0",
     "stylus-loader": "^3.0.2",
     "tmp": "^0.2.1",
     "unminified-webpack-plugin": "^3.0.0",
@@ -121,11 +121,11 @@
     "webpack-dev-server": "^4.11.1"
   },
   "dependencies": {
-    "auth0-js": "^9.26.0",
+    "auth0-js": "^9.27.0",
     "auth0-password-policies": "^1.0.2",
     "blueimp-md5": "^2.19.0",
     "classnames": "^2.3.2",
-    "dompurify": "^2.3.12",
+    "dompurify": "^2.5.4",
     "immutable": "^3.7.6",
     "jsonp": "^0.2.1",
     "password-sheriff": "^1.1.1",