auth0-lock 12.5.1 → 13.0.0

package/.github/CODEOWNERS

@@ -1 +1 @@
-*	@auth0/dx-sdks-engineer
+*	@auth0/project-dx-sdks-engineer-codeowner

package/.github/workflows/semgrep.yml

@@ -2,7 +2,7 @@ name: Semgrep
 
 on:
   merge_group:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - synchronize
@@ -20,16 +20,7 @@ concurrency:
   cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
 
 jobs:
-  authorize:
-    name: Authorize
-    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - run: true
-
   run:
-    needs: authorize # Require approval before running on forked pull requests
-
     name: Check for Vulnerabilities
     runs-on: ubuntu-latest
 

package/.github/workflows/snyk.yml

@@ -3,7 +3,7 @@ name: Snyk
 on:
   merge_group:
   workflow_dispatch:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - synchronize
@@ -21,16 +21,7 @@ concurrency:
   cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
 
 jobs:
-  authorize:
-    name: Authorize
-    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - run: true
-
   check:
-    needs: authorize
-
     name: Check for Vulnerabilities
     runs-on: ubuntu-latest
 

package/.version

@@ -1 +1 @@
-v12.5.1
+v13.0.0

package/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Change Log
 
+## [v13.0.0](https://github.com/auth0/lock/tree/v13.0.0) (2024-11-11)
+[Full Changelog](https://github.com/auth0/lock/compare/v12.5.1...v13.0.0)
+
+**Added**
+- [IAMRISK-3539] Use signup classic endpoint for captcha [\#2587](https://github.com/auth0/lock/pull/2587) ([TSLarson](https://github.com/TSLarson))
+
+**Fixed**
+- [IAMRISK-3554] hcaptcha bug fix [\#2566](https://github.com/auth0/lock/pull/2566) ([Treterten](https://github.com/Treterten))
+
+**Security**
+- ci: changed the trigger from pull_request_target to pull_request for better security [\#2584](https://github.com/auth0/lock/pull/2584) ([nandan-bhat](https://github.com/nandan-bhat))
+- Update codeowner file with new GitHub team name [\#2572](https://github.com/auth0/lock/pull/2572) ([stevenwong-okta](https://github.com/stevenwong-okta))
+
 ## [v12.5.1](https://github.com/auth0/lock/tree/v12.5.1) (2024-05-30)
 
 [Full Changelog](https://github.com/auth0/lock/compare/v12.5.0...v12.5.1)

package/README.md

@@ -30,7 +30,7 @@ From CDN
 
 ```html
 <!-- Latest patch release (recommended for production) -->
-<script src="https://cdn.auth0.com/js/lock/12.5.1/lock.min.js"></script>
+<script src="https://cdn.auth0.com/js/lock/13.0.0/lock.min.js"></script>
 ```
 
 ### Configure Auth0

package/lib/__tests__/engine/classic/sign_up_pane.js

@@ -3,6 +3,7 @@
 var _react = _interopRequireDefault(require("react"));
 var _testUtils = require("testUtils");
 var _testUtils2 = require("../../testUtils");
+var _captcha = require("../../../connection/captcha");
 function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
 function _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }
 jest.mock('field/email/email_pane', function () {
@@ -19,7 +20,7 @@ jest.mock('field/custom_input', function () {
 });
 jest.mock('core/index', function () {
   return {
-    captcha: jest.fn()
+    signupCaptcha: jest.fn()
   };
 });
 jest.mock('engine/classic', function () {
@@ -73,6 +74,7 @@ describe('SignUpPane', function () {
         return keys.join(',');
       }
     },
+    flow: _captcha.Flow.SIGNUP,
     model: 'model',
     emailInputPlaceholder: 'emailInputPlaceholder',
     onlyEmail: true,
@@ -92,7 +94,7 @@ describe('SignUpPane', function () {
     }))).toMatchSnapshot();
   });
   it('shows the Captcha pane', function () {
-    require('core/index').captcha.mockReturnValue({
+    require('core/index').signupCaptcha.mockReturnValue({
       get: function get() {
         return true;
       }
@@ -102,7 +104,7 @@ describe('SignUpPane', function () {
     (0, _testUtils2.expectShallowComponent)( /*#__PURE__*/_react.default.createElement(Component, defaultProps)).toMatchSnapshot();
   });
   it('hides the Captcha pane for SSO connections', function () {
-    require('core/index').captcha.mockReturnValue({
+    require('core/index').signupCaptcha.mockReturnValue({
       get: function get() {
         return true;
       }
@@ -112,7 +114,7 @@ describe('SignUpPane', function () {
     (0, _testUtils2.expectShallowComponent)( /*#__PURE__*/_react.default.createElement(Component, defaultProps)).toMatchSnapshot();
   });
   it('shows the Captcha pane for SSO (ADFS) connections', function () {
-    require('core/index').captcha.mockReturnValue({
+    require('core/index').signupCaptcha.mockReturnValue({
       get: function get() {
         return true;
       }

package/lib/__tests__/field/captcha/third_party_captcha.js

@@ -158,13 +158,22 @@ describe('ThirdPartyCaptcha', function () {
       });
     });
     it('should call render with the correct renderParams', function () {
-      var renderParams = global.window.hcaptcha.render.mock.calls[0][1];
+      var renderCalls = global.window.hcaptcha.render.mock.calls;
+      var renderParams = renderCalls[0][1];
       expect(renderParams).toEqual({
         sitekey: 'mySiteKey',
         callback: expect.any(Function),
         'expired-callback': expect.any(Function),
         'error-callback': expect.any(Function)
       });
+      expect(renderCalls.length).toEqual(1);
+    });
+    it('should call render on update', function () {
+      (0, _testUtils.act)(function () {
+        wrapper.setState();
+        var renderCalls = global.window.hcaptcha.render.mock.calls;
+        expect(renderCalls.length).toEqual(1);
+      });
     });
   });
   describe('auth0_v2', function () {

package/lib/connection/captcha.js

@@ -19,13 +19,14 @@ function _getRequireWildcardCache(e) { if ("function" != typeof WeakMap) return
 function _interopRequireWildcard(e, r) { if (!r && e && e.__esModule) return e; if (null === e || "object" != _typeof(e) && "function" != typeof e) return { default: e }; var t = _getRequireWildcardCache(r); if (t && t.has(e)) return t.get(e); var n = { __proto__: null }, a = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var u in e) if ("default" !== u && {}.hasOwnProperty.call(e, u)) { var i = a ? Object.getOwnPropertyDescriptor(e, u) : null; i && (i.get || i.set) ? Object.defineProperty(n, u, i) : n[u] = e[u]; } return n.default = e, t && t.set(e, n), n; }
 var Flow = exports.Flow = Object.freeze({
   DEFAULT: 'default',
+  SIGNUP: 'signup',
   PASSWORDLESS: 'passwordless',
   PASSWORD_RESET: 'password_reset'
 });
 
 /**
  * Return the captcha config object based on the type of flow.
- * 
+ *
  * @param {Object} m model
  * @param {Flow} flow Which flow the captcha is being rendered in
  */
@@ -34,6 +35,8 @@ function getCaptchaConfig(m, flow) {
     return l.passwordResetCaptcha(m);
   } else if (flow === Flow.PASSWORDLESS) {
     return l.passwordlessCaptcha(m);
+  } else if (flow === Flow.SIGNUP) {
+    return l.signupCaptcha(m);
   } else {
     return l.captcha(m);
   }
@@ -111,6 +114,15 @@ function swapCaptcha(id, flow, wasInvalid, next) {
         next();
       }
     });
+  } else if (flow === Flow.SIGNUP) {
+    return _web_api.default.getSignupChallenge(id, function (err, newCaptcha) {
+      if (!err && newCaptcha) {
+        (0, _index3.swap)(_index3.updateEntity, 'lock', id, l.setSignupChallenge, newCaptcha, wasInvalid);
+      }
+      if (next) {
+        next();
+      }
+    });
   } else {
     return _web_api.default.getChallenge(id, function (err, newCaptcha) {
       if (!err && newCaptcha) {

package/lib/connection/database/actions.js

@@ -85,9 +85,9 @@ function signUp(id) {
       password: c.getFieldValue(m, 'password'),
       autoLogin: (0, _index4.shouldAutoLogin)(m)
     };
-    var isCaptchaValid = (0, _captcha.setCaptchaParams)(m, params, _captcha.Flow.DEFAULT, fields);
+    var isCaptchaValid = (0, _captcha.setCaptchaParams)(m, params, _captcha.Flow.SIGNUP, fields);
     if (!isCaptchaValid) {
-      return (0, _captcha.showMissingCaptcha)(m, id);
+      return (0, _captcha.showMissingCaptcha)(m, id, _captcha.Flow.SIGNUP);
     }
     if ((0, _index4.databaseConnectionRequiresUsername)(m)) {
       if ((0, _index4.signUpHideUsernameField)(m)) {
@@ -126,7 +126,7 @@ function signUp(id) {
         popupHandler._current_popup.kill();
       }
       var wasInvalidCaptcha = error && error.code === 'invalid_captcha';
-      (0, _captcha.swapCaptcha)(id, _captcha.Flow.DEFAULT, wasInvalidCaptcha, function () {
+      (0, _captcha.swapCaptcha)(id, _captcha.Flow.SIGNUP, wasInvalidCaptcha, function () {
         setTimeout(function () {
           return signUpError(id, error);
         }, 250);
@@ -299,11 +299,11 @@ function showLoginActivity(id) {
 function showSignUpActivity(id) {
   var fields = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : ['password'];
   var m = (0, _index.read)(_index.getEntity, 'lock', id);
-  var captchaConfig = l.captcha(m);
+  var captchaConfig = l.signupCaptcha(m);
   if (captchaConfig && captchaConfig.get('provider') === 'arkose') {
     (0, _index.swap)(_index.updateEntity, 'lock', id, _index4.setScreen, 'signUp', fields);
   } else {
-    (0, _captcha.swapCaptcha)(id, 'login', false, function () {
+    (0, _captcha.swapCaptcha)(id, _captcha.Flow.SIGNUP, false, function () {
       (0, _index.swap)(_index.updateEntity, 'lock', id, _index4.setScreen, 'signUp', fields);
     });
   }
@@ -315,7 +315,7 @@ function showResetPasswordActivity(id) {
   if (captchaConfig && captchaConfig.get('provider') === 'arkose') {
     (0, _index.swap)(_index.updateEntity, 'lock', id, _index4.setScreen, 'forgotPassword', fields);
   } else {
-    (0, _captcha.swapCaptcha)(id, 'login', false, function () {
+    (0, _captcha.swapCaptcha)(id, _captcha.Flow.PASSWORD_RESET, false, function () {
       (0, _index.swap)(_index.updateEntity, 'lock', id, _index4.setScreen, 'forgotPassword', fields);
     });
   }

package/lib/connection/passwordless/index.js

@@ -24,7 +24,8 @@ exports.showTerms = showTerms;
 exports.termsAccepted = termsAccepted;
 exports.toggleTermsAcceptance = toggleTermsAcceptance;
 var _immutable = _interopRequireWildcard(require("immutable"));
-var l = _interopRequireWildcard(require("../../core/index"));
+var _index = _interopRequireWildcard(require("../../core/index"));
+var l = _index;
 var _index2 = require("../../field/index");
 var _phone_number = require("../../field/phone_number");
 var _data_utils = require("../../utils/data_utils");
@@ -49,6 +50,14 @@ function initPasswordless(m, opts) {
     mustAcceptTerms: mustAcceptTerms,
     showTerms: showTerms
   }));
+  m = (0, _sync.default)(m, 'passwordlessCaptcha', {
+    syncFn: function syncFn(m, cb) {
+      _web_api.default.getPasswordlessChallenge(m.get('id'), function (err, r) {
+        cb(null, r);
+      });
+    },
+    successFn: _index.setPasswordlessCaptcha
+  });
   if (opts.defaultLocation && typeof opts.defaultLocation === 'string') {
     m = (0, _phone_number.initLocation)(m, opts.defaultLocation.toUpperCase());
   } else {

package/lib/core/index.js

@@ -58,10 +58,12 @@ exports.setLoggedIn = setLoggedIn;
 exports.setPasswordResetCaptcha = setPasswordResetCaptcha;
 exports.setPasswordlessCaptcha = setPasswordlessCaptcha;
 exports.setResolvedConnection = setResolvedConnection;
+exports.setSignupChallenge = setSignupChallenge;
 exports.setSubmitting = setSubmitting;
 exports.setSupressSubmitOverlay = setSupressSubmitOverlay;
 exports.setup = setup;
 exports.showBadge = showBadge;
+exports.signupCaptcha = signupCaptcha;
 exports.stop = stop;
 exports.stopRendering = stopRendering;
 exports.submitting = submitting;
@@ -488,6 +490,10 @@ function setCaptcha(m, value, wasInvalid) {
   m = captchaField.reset(m, wasInvalid);
   return set(m, 'captcha', _immutable.default.fromJS(value));
 }
+function setSignupChallenge(m, value, wasInvalid) {
+  m = captchaField.reset(m, wasInvalid);
+  return set(m, 'signupCaptcha', _immutable.default.fromJS(value));
+}
 function setPasswordlessCaptcha(m, value, wasInvalid) {
   m = captchaField.reset(m, wasInvalid);
   return set(m, 'passwordlessCaptcha', _immutable.default.fromJS(value));
@@ -499,6 +505,9 @@ function setPasswordResetCaptcha(m, value, wasInvalid) {
 function captcha(m) {
   return get(m, 'captcha');
 }
+function signupCaptcha(m) {
+  return get(m, 'signupCaptcha');
+}
 function passwordlessCaptcha(m) {
   return get(m, 'passwordlessCaptcha');
 }

package/lib/core/remote_data.js

@@ -78,21 +78,5 @@ function syncRemoteData(m) {
     },
     successFn: _index2.setCaptcha
   });
-  m = (0, _sync.default)(m, 'passwordlessCaptcha', {
-    syncFn: function syncFn(m, cb) {
-      _web_api.default.getPasswordlessChallenge(m.get('id'), function (err, r) {
-        cb(null, r);
-      });
-    },
-    successFn: _index2.setPasswordlessCaptcha
-  });
-  m = (0, _sync.default)(m, 'passwordResetCaptcha', {
-    syncFn: function syncFn(m, cb) {
-      _web_api.default.getPasswordResetChallenge(m.get('id'), function (err, r) {
-        cb(null, r);
-      });
-    },
-    successFn: _index2.setPasswordResetCaptcha
-  });
   return m;
 }

package/lib/core/web_api/helper.js

@@ -169,5 +169,5 @@ function trimAuthParams() {
   return p;
 }
 function getVersion() {
-  return "12.5.1";
+  return "13.0.0";
 }

package/lib/core/web_api/p2_api.js

@@ -192,6 +192,12 @@ var Auth0APIClient = /*#__PURE__*/function () {
       var _this$client$client2;
       return (_this$client$client2 = this.client.client).getChallenge.apply(_this$client$client2, arguments);
     }
+  }, {
+    key: "getSignupChallenge",
+    value: function getSignupChallenge() {
+      var _this$client$client$d;
+      return (_this$client$client$d = this.client.client.dbConnection).getSignupChallenge.apply(_this$client$client$d, arguments);
+    }
   }, {
     key: "getPasswordlessChallenge",
     value: function getPasswordlessChallenge() {
@@ -201,8 +207,8 @@ var Auth0APIClient = /*#__PURE__*/function () {
   }, {
     key: "getPasswordResetChallenge",
     value: function getPasswordResetChallenge() {
-      var _this$client$client$d;
-      return (_this$client$client$d = this.client.client.dbConnection).getPasswordResetChallenge.apply(_this$client$client$d, arguments);
+      var _this$client$client$d2;
+      return (_this$client$client$d2 = this.client.client.dbConnection).getPasswordResetChallenge.apply(_this$client$client$d2, arguments);
     }
   }, {
     key: "getUserCountry",

package/lib/core/web_api.js

@@ -84,6 +84,11 @@ var Auth0WebAPI = /*#__PURE__*/function () {
     value: function getChallenge(lockID, callback) {
       return this.clients[lockID].getChallenge(callback);
     }
+  }, {
+    key: "getSignupChallenge",
+    value: function getSignupChallenge(lockID, callback) {
+      return this.clients[lockID].getSignupChallenge(callback);
+    }
   }, {
     key: "getPasswordlessChallenge",
     value: function getPasswordlessChallenge(lockID, callback) {

package/lib/engine/classic/sign_up_pane.js

@@ -74,11 +74,12 @@ var SignUpPane = exports.default = /*#__PURE__*/function (_React$Component) {
           value: x.get('value')
         });
       });
-      var captchaPane = l.captcha(model) && l.captcha(model).get('required') && ((0, _enterprise.isHRDDomain)(model, (0, _index.databaseUsernameValue)(model)) || !sso) ? /*#__PURE__*/_react.default.createElement(_captcha_pane.default, {
+      var captchaPane = l.signupCaptcha(model) && l.signupCaptcha(model).get('required') && ((0, _enterprise.isHRDDomain)(model, (0, _index.databaseUsernameValue)(model)) || !sso) ? /*#__PURE__*/_react.default.createElement(_captcha_pane.default, {
         i18n: i18n,
         lock: model,
+        flow: _captcha.Flow.SIGNUP,
         onReload: function onReload() {
-          return (0, _captcha.swapCaptcha)(l.id(model), _captcha.Flow.DEFAULT, false);
+          return (0, _captcha.swapCaptcha)(l.id(model), _captcha.Flow.SIGNUP, false);
         }
       }) : null;
       var passwordPane = !onlyEmail && /*#__PURE__*/_react.default.createElement(_password_pane.default, {

package/lib/field/captcha/third_party_captcha.js

@@ -84,6 +84,13 @@ var providerDomPrefix = function providerDomPrefix(provider) {
       return 'auth0-v2';
   }
 };
+var providerComponentId = function providerComponentId(provider) {
+  if (provider === HCAPTCHA_PROVIDER) {
+    return 'h-captcha';
+  } else {
+    return '';
+  }
+};
 var loadScript = function loadScript(url, attributes) {
   var script = document.createElement('script');
   for (var attr in attributes) {
@@ -321,15 +328,20 @@ var ThirdPartyCaptcha = exports.ThirdPartyCaptcha = /*#__PURE__*/function (_Reac
         className: this.props.isValid ? "auth0-lock-".concat(providerDomPrefix(this.props.provider), "-block") : "auth0-lock-".concat(providerDomPrefix(this.props.provider), "-block auth0-lock-").concat(providerDomPrefix(this.props.provider), "-block-error")
       }, /*#__PURE__*/_react.default.createElement("div", {
         className: "auth0-lock-".concat(providerDomPrefix(this.props.provider) === 'recaptcha' ? 'recaptchav2' : providerDomPrefix(this.props.provider)),
+        id: providerComponentId(this.props.provider),
         ref: this.ref
       }));
     }
   }, {
     key: "componentDidUpdate",
     value: function componentDidUpdate(prevProps, prevState) {
+      var hCaptchaComponent = document.getElementById("h-captcha");
       if (prevProps.value !== this.props.value && this.props.value === '') {
         this.reset();
       }
+      if (this.props.provider === HCAPTCHA_PROVIDER && hCaptchaComponent && window[this.props.provider]) {
+        window[this.props.provider].render('h-captcha', this.getRenderParams());
+      }
     }
   }], [{
     key: "getDerivedStateFromProps",

package/lib/i18n.js

@@ -91,7 +91,7 @@ function assertLanguage(m, language, base) {
 function syncLang(m, language, _cb) {
   (0, _cdn_utils.load)({
     method: 'registerLanguageDictionary',
-    url: "".concat(l.languageBaseUrl(m), "/js/lock/").concat("12.5.1", "/").concat(language, ".js"),
+    url: "".concat(l.languageBaseUrl(m), "/js/lock/").concat("13.0.0", "/").concat(language, ".js"),
     check: function check(str) {
       return str && str === language;
     },

package/lib/lock.js

@@ -37,7 +37,7 @@ var Auth0Lock = exports.default = /*#__PURE__*/function (_Core) {
   _inherits(Auth0Lock, _Core);
   return _createClass(Auth0Lock);
 }(_core.default); // telemetry
-Auth0Lock.version = "12.5.1";
+Auth0Lock.version = "13.0.0";
 
 // TODO: should we have different telemetry for classic/passwordless?
 // TODO: should we set telemetry info before each request?

package/lib/passwordless.js

@@ -37,4 +37,4 @@ var Auth0LockPasswordless = exports.default = /*#__PURE__*/function (_Core) {
   _inherits(Auth0LockPasswordless, _Core);
   return _createClass(Auth0LockPasswordless);
 }(_core.default);
-Auth0LockPasswordless.version = "12.5.1";
+Auth0LockPasswordless.version = "13.0.0";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auth0-lock",
-  "version": "12.5.1",
+  "version": "13.0.0",
   "description": "Auth0 Lock",
   "author": "Auth0 <support@auth0.com> (http://auth0.com)",
   "license": "MIT",
@@ -121,11 +121,11 @@
     "webpack-dev-server": "^4.11.1"
   },
   "dependencies": {
-    "auth0-js": "^9.26.0",
+    "auth0-js": "^9.27.0",
     "auth0-password-policies": "^1.0.2",
     "blueimp-md5": "^2.19.0",
     "classnames": "^2.3.2",
-    "dompurify": "^2.3.12",
+    "dompurify": "^2.5.4",
     "immutable": "^3.7.6",
     "jsonp": "^0.2.1",
     "password-sheriff": "^1.1.1",