auth0-lock 12.5.1 → 13.1.0

package/.github/CODEOWNERS

@@ -1 +1 @@
-*	@auth0/dx-sdks-engineer
+*	@auth0/project-dx-sdks-engineer-codeowner

package/.github/workflows/semgrep.yml

@@ -2,7 +2,7 @@ name: Semgrep
 
 on:
   merge_group:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - synchronize
@@ -20,16 +20,7 @@ concurrency:
   cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
 
 jobs:
-  authorize:
-    name: Authorize
-    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - run: true
-
   run:
-    needs: authorize # Require approval before running on forked pull requests
-
     name: Check for Vulnerabilities
     runs-on: ubuntu-latest
 

package/.github/workflows/snyk.yml

@@ -3,7 +3,7 @@ name: Snyk
 on:
   merge_group:
   workflow_dispatch:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - synchronize
@@ -21,16 +21,7 @@ concurrency:
   cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
 
 jobs:
-  authorize:
-    name: Authorize
-    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - run: true
-
   check:
-    needs: authorize
-
     name: Check for Vulnerabilities
     runs-on: ubuntu-latest
 

package/.version

@@ -1 +1 @@
-v12.5.1
+v13.1.0

package/CHANGELOG.md

@@ -1,5 +1,24 @@
 # Change Log
 
+## [v13.1.0](https://github.com/auth0/lock/tree/v13.1.0) (2025-07-17)
+
+**Added**
+- Add support for social connection Sign in with Shop [\#2602](https://github.com/auth0/lock/pull/2602) ([reinisb](https://github.com/reinisb))
+- fix: Rename shop strategy [\#2641](https://github.com/auth0/lock/pull/2641) ([omarquazi-okta](https://github.com/omarquazi-okta)) 
+
+## [v13.0.0](https://github.com/auth0/lock/tree/v13.0.0) (2024-11-11)
+[Full Changelog](https://github.com/auth0/lock/compare/v12.5.1...v13.0.0)
+
+**Added**
+- [IAMRISK-3539] Use signup classic endpoint for captcha [\#2587](https://github.com/auth0/lock/pull/2587) ([TSLarson](https://github.com/TSLarson))
+
+**Fixed**
+- [IAMRISK-3554] hcaptcha bug fix [\#2566](https://github.com/auth0/lock/pull/2566) ([Treterten](https://github.com/Treterten))
+
+**Security**
+- ci: changed the trigger from pull_request_target to pull_request for better security [\#2584](https://github.com/auth0/lock/pull/2584) ([nandan-bhat](https://github.com/nandan-bhat))
+- Update codeowner file with new GitHub team name [\#2572](https://github.com/auth0/lock/pull/2572) ([stevenwong-okta](https://github.com/stevenwong-okta))
+
 ## [v12.5.1](https://github.com/auth0/lock/tree/v12.5.1) (2024-05-30)
 
 [Full Changelog](https://github.com/auth0/lock/compare/v12.5.0...v12.5.1)

package/Makefile

@@ -1,12 +1,24 @@
 #!/usr/bin/env make
 
-#SHELL := /bin/bash
-#.SHELLFLAGS = -ec
+# SHELL := /bin/bash
+# .SHELLFLAGS = -ec
 
-.PHONY: install lint test build cdn-publish
+.PHONY: install lint test build publish
+
+# Puppeteer and config/cache directories
+PUPPETEER_CACHE_DIR := $(CURDIR)/.puppeteer-cache
+XDG_CONFIG_HOME := $(WORKSPACE)@tmp/.chromium
+XDG_CACHE_HOME := $(WORKSPACE)@tmp/.chromium
 
 install:
 	@echo "Running install..."
+	mkdir -p $(PUPPETEER_CACHE_DIR)
+	mkdir -p $(XDG_CONFIG_HOME)
+	mkdir -p $(XDG_CACHE_HOME)
+	XDG_CONFIG_HOME=$(XDG_CONFIG_HOME) \
+	XDG_CACHE_HOME=$(XDG_CACHE_HOME) \
+	PUPPETEER_CACHE_DIR=$(PUPPETEER_CACHE_DIR) \
+	PUPPETEER_SKIP_DOWNLOAD=true \
 	npm install
 
 test:
@@ -19,4 +31,4 @@ build:
 
 publish:
 	@echo "Running cdn-publish..."
-	npm run publish:cdn
+	npm run publish:cdn

package/README.md

@@ -30,7 +30,7 @@ From CDN
 
 ```html
 <!-- Latest patch release (recommended for production) -->
-<script src="https://cdn.auth0.com/js/lock/12.5.1/lock.min.js"></script>
+<script src="https://cdn.auth0.com/js/lock/13.1.0/lock.min.js"></script>
 ```
 
 ### Configure Auth0

package/lib/__tests__/engine/classic/sign_up_pane.js

@@ -3,6 +3,7 @@
 var _react = _interopRequireDefault(require("react"));
 var _testUtils = require("testUtils");
 var _testUtils2 = require("../../testUtils");
+var _captcha = require("../../../connection/captcha");
 function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
 function _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }
 jest.mock('field/email/email_pane', function () {
@@ -19,7 +20,7 @@ jest.mock('field/custom_input', function () {
 });
 jest.mock('core/index', function () {
   return {
-    captcha: jest.fn()
+    signupCaptcha: jest.fn()
   };
 });
 jest.mock('engine/classic', function () {
@@ -73,6 +74,7 @@ describe('SignUpPane', function () {
         return keys.join(',');
       }
     },
+    flow: _captcha.Flow.SIGNUP,
     model: 'model',
     emailInputPlaceholder: 'emailInputPlaceholder',
     onlyEmail: true,
@@ -92,7 +94,7 @@ describe('SignUpPane', function () {
     }))).toMatchSnapshot();
   });
   it('shows the Captcha pane', function () {
-    require('core/index').captcha.mockReturnValue({
+    require('core/index').signupCaptcha.mockReturnValue({
       get: function get() {
         return true;
       }
@@ -102,7 +104,7 @@ describe('SignUpPane', function () {
     (0, _testUtils2.expectShallowComponent)( /*#__PURE__*/_react.default.createElement(Component, defaultProps)).toMatchSnapshot();
   });
   it('hides the Captcha pane for SSO connections', function () {
-    require('core/index').captcha.mockReturnValue({
+    require('core/index').signupCaptcha.mockReturnValue({
       get: function get() {
         return true;
       }
@@ -112,7 +114,7 @@ describe('SignUpPane', function () {
     (0, _testUtils2.expectShallowComponent)( /*#__PURE__*/_react.default.createElement(Component, defaultProps)).toMatchSnapshot();
   });
   it('shows the Captcha pane for SSO (ADFS) connections', function () {
-    require('core/index').captcha.mockReturnValue({
+    require('core/index').signupCaptcha.mockReturnValue({
       get: function get() {
         return true;
       }

package/lib/__tests__/field/captcha/third_party_captcha.js

@@ -158,13 +158,22 @@ describe('ThirdPartyCaptcha', function () {
       });
     });
     it('should call render with the correct renderParams', function () {
-      var renderParams = global.window.hcaptcha.render.mock.calls[0][1];
+      var renderCalls = global.window.hcaptcha.render.mock.calls;
+      var renderParams = renderCalls[0][1];
       expect(renderParams).toEqual({
         sitekey: 'mySiteKey',
         callback: expect.any(Function),
         'expired-callback': expect.any(Function),
         'error-callback': expect.any(Function)
       });
+      expect(renderCalls.length).toEqual(1);
+    });
+    it('should call render on update', function () {
+      (0, _testUtils.act)(function () {
+        wrapper.setState();
+        var renderCalls = global.window.hcaptcha.render.mock.calls;
+        expect(renderCalls.length).toEqual(1);
+      });
     });
   });
   describe('auth0_v2', function () {

package/lib/connection/captcha.js

@@ -19,13 +19,14 @@ function _getRequireWildcardCache(e) { if ("function" != typeof WeakMap) return
 function _interopRequireWildcard(e, r) { if (!r && e && e.__esModule) return e; if (null === e || "object" != _typeof(e) && "function" != typeof e) return { default: e }; var t = _getRequireWildcardCache(r); if (t && t.has(e)) return t.get(e); var n = { __proto__: null }, a = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var u in e) if ("default" !== u && {}.hasOwnProperty.call(e, u)) { var i = a ? Object.getOwnPropertyDescriptor(e, u) : null; i && (i.get || i.set) ? Object.defineProperty(n, u, i) : n[u] = e[u]; } return n.default = e, t && t.set(e, n), n; }
 var Flow = exports.Flow = Object.freeze({
   DEFAULT: 'default',
+  SIGNUP: 'signup',
   PASSWORDLESS: 'passwordless',
   PASSWORD_RESET: 'password_reset'
 });
 
 /**
  * Return the captcha config object based on the type of flow.
- * 
+ *
  * @param {Object} m model
  * @param {Flow} flow Which flow the captcha is being rendered in
  */
@@ -34,6 +35,8 @@ function getCaptchaConfig(m, flow) {
     return l.passwordResetCaptcha(m);
   } else if (flow === Flow.PASSWORDLESS) {
     return l.passwordlessCaptcha(m);
+  } else if (flow === Flow.SIGNUP) {
+    return l.signupCaptcha(m);
   } else {
     return l.captcha(m);
   }
@@ -111,6 +114,15 @@ function swapCaptcha(id, flow, wasInvalid, next) {
         next();
       }
     });
+  } else if (flow === Flow.SIGNUP) {
+    return _web_api.default.getSignupChallenge(id, function (err, newCaptcha) {
+      if (!err && newCaptcha) {
+        (0, _index3.swap)(_index3.updateEntity, 'lock', id, l.setSignupChallenge, newCaptcha, wasInvalid);
+      }
+      if (next) {
+        next();
+      }
+    });
   } else {
     return _web_api.default.getChallenge(id, function (err, newCaptcha) {
       if (!err && newCaptcha) {

package/lib/connection/database/actions.js

@@ -85,9 +85,9 @@ function signUp(id) {
       password: c.getFieldValue(m, 'password'),
       autoLogin: (0, _index4.shouldAutoLogin)(m)
     };
-    var isCaptchaValid = (0, _captcha.setCaptchaParams)(m, params, _captcha.Flow.DEFAULT, fields);
+    var isCaptchaValid = (0, _captcha.setCaptchaParams)(m, params, _captcha.Flow.SIGNUP, fields);
     if (!isCaptchaValid) {
-      return (0, _captcha.showMissingCaptcha)(m, id);
+      return (0, _captcha.showMissingCaptcha)(m, id, _captcha.Flow.SIGNUP);
     }
     if ((0, _index4.databaseConnectionRequiresUsername)(m)) {
       if ((0, _index4.signUpHideUsernameField)(m)) {
@@ -126,7 +126,7 @@ function signUp(id) {
         popupHandler._current_popup.kill();
       }
       var wasInvalidCaptcha = error && error.code === 'invalid_captcha';
-      (0, _captcha.swapCaptcha)(id, _captcha.Flow.DEFAULT, wasInvalidCaptcha, function () {
+      (0, _captcha.swapCaptcha)(id, _captcha.Flow.SIGNUP, wasInvalidCaptcha, function () {
         setTimeout(function () {
           return signUpError(id, error);
         }, 250);
@@ -299,11 +299,11 @@ function showLoginActivity(id) {
 function showSignUpActivity(id) {
   var fields = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : ['password'];
   var m = (0, _index.read)(_index.getEntity, 'lock', id);
-  var captchaConfig = l.captcha(m);
+  var captchaConfig = l.signupCaptcha(m);
   if (captchaConfig && captchaConfig.get('provider') === 'arkose') {
     (0, _index.swap)(_index.updateEntity, 'lock', id, _index4.setScreen, 'signUp', fields);
   } else {
-    (0, _captcha.swapCaptcha)(id, 'login', false, function () {
+    (0, _captcha.swapCaptcha)(id, _captcha.Flow.SIGNUP, false, function () {
       (0, _index.swap)(_index.updateEntity, 'lock', id, _index4.setScreen, 'signUp', fields);
     });
   }
@@ -315,7 +315,7 @@ function showResetPasswordActivity(id) {
   if (captchaConfig && captchaConfig.get('provider') === 'arkose') {
     (0, _index.swap)(_index.updateEntity, 'lock', id, _index4.setScreen, 'forgotPassword', fields);
   } else {
-    (0, _captcha.swapCaptcha)(id, 'login', false, function () {
+    (0, _captcha.swapCaptcha)(id, _captcha.Flow.PASSWORD_RESET, false, function () {
       (0, _index.swap)(_index.updateEntity, 'lock', id, _index4.setScreen, 'forgotPassword', fields);
     });
   }

package/lib/connection/passwordless/index.js

@@ -24,7 +24,8 @@ exports.showTerms = showTerms;
 exports.termsAccepted = termsAccepted;
 exports.toggleTermsAcceptance = toggleTermsAcceptance;
 var _immutable = _interopRequireWildcard(require("immutable"));
-var l = _interopRequireWildcard(require("../../core/index"));
+var _index = _interopRequireWildcard(require("../../core/index"));
+var l = _index;
 var _index2 = require("../../field/index");
 var _phone_number = require("../../field/phone_number");
 var _data_utils = require("../../utils/data_utils");
@@ -49,6 +50,14 @@ function initPasswordless(m, opts) {
     mustAcceptTerms: mustAcceptTerms,
     showTerms: showTerms
   }));
+  m = (0, _sync.default)(m, 'passwordlessCaptcha', {
+    syncFn: function syncFn(m, cb) {
+      _web_api.default.getPasswordlessChallenge(m.get('id'), function (err, r) {
+        cb(null, r);
+      });
+    },
+    successFn: _index.setPasswordlessCaptcha
+  });
   if (opts.defaultLocation && typeof opts.defaultLocation === 'string') {
     m = (0, _phone_number.initLocation)(m, opts.defaultLocation.toUpperCase());
   } else {

package/lib/connection/social/index.js

@@ -44,6 +44,7 @@ var STRATEGIES = exports.STRATEGIES = {
   evernote: 'Evernote',
   'evernote-sandbox': 'Evernote (sandbox)',
   shopify: 'Shopify',
+  shop: 'Shop',
   soundcloud: 'Soundcloud',
   thecity: 'The City',
   'thecity-sandbox': 'The City (sandbox)',

package/lib/core/index.js

@@ -58,10 +58,12 @@ exports.setLoggedIn = setLoggedIn;
 exports.setPasswordResetCaptcha = setPasswordResetCaptcha;
 exports.setPasswordlessCaptcha = setPasswordlessCaptcha;
 exports.setResolvedConnection = setResolvedConnection;
+exports.setSignupChallenge = setSignupChallenge;
 exports.setSubmitting = setSubmitting;
 exports.setSupressSubmitOverlay = setSupressSubmitOverlay;
 exports.setup = setup;
 exports.showBadge = showBadge;
+exports.signupCaptcha = signupCaptcha;
 exports.stop = stop;
 exports.stopRendering = stopRendering;
 exports.submitting = submitting;
@@ -488,6 +490,10 @@ function setCaptcha(m, value, wasInvalid) {
   m = captchaField.reset(m, wasInvalid);
   return set(m, 'captcha', _immutable.default.fromJS(value));
 }
+function setSignupChallenge(m, value, wasInvalid) {
+  m = captchaField.reset(m, wasInvalid);
+  return set(m, 'signupCaptcha', _immutable.default.fromJS(value));
+}
 function setPasswordlessCaptcha(m, value, wasInvalid) {
   m = captchaField.reset(m, wasInvalid);
   return set(m, 'passwordlessCaptcha', _immutable.default.fromJS(value));
@@ -499,6 +505,9 @@ function setPasswordResetCaptcha(m, value, wasInvalid) {
 function captcha(m) {
   return get(m, 'captcha');
 }
+function signupCaptcha(m) {
+  return get(m, 'signupCaptcha');
+}
 function passwordlessCaptcha(m) {
   return get(m, 'passwordlessCaptcha');
 }

package/lib/core/remote_data.js

@@ -78,21 +78,5 @@ function syncRemoteData(m) {
     },
     successFn: _index2.setCaptcha
   });
-  m = (0, _sync.default)(m, 'passwordlessCaptcha', {
-    syncFn: function syncFn(m, cb) {
-      _web_api.default.getPasswordlessChallenge(m.get('id'), function (err, r) {
-        cb(null, r);
-      });
-    },
-    successFn: _index2.setPasswordlessCaptcha
-  });
-  m = (0, _sync.default)(m, 'passwordResetCaptcha', {
-    syncFn: function syncFn(m, cb) {
-      _web_api.default.getPasswordResetChallenge(m.get('id'), function (err, r) {
-        cb(null, r);
-      });
-    },
-    successFn: _index2.setPasswordResetCaptcha
-  });
   return m;
 }

package/lib/core/web_api/helper.js

@@ -169,5 +169,5 @@ function trimAuthParams() {
   return p;
 }
 function getVersion() {
-  return "12.5.1";
+  return "13.1.0";
 }

package/lib/core/web_api/p2_api.js

@@ -192,6 +192,12 @@ var Auth0APIClient = /*#__PURE__*/function () {
       var _this$client$client2;
       return (_this$client$client2 = this.client.client).getChallenge.apply(_this$client$client2, arguments);
     }
+  }, {
+    key: "getSignupChallenge",
+    value: function getSignupChallenge() {
+      var _this$client$client$d;
+      return (_this$client$client$d = this.client.client.dbConnection).getSignupChallenge.apply(_this$client$client$d, arguments);
+    }
   }, {
     key: "getPasswordlessChallenge",
     value: function getPasswordlessChallenge() {
@@ -201,8 +207,8 @@ var Auth0APIClient = /*#__PURE__*/function () {
   }, {
     key: "getPasswordResetChallenge",
     value: function getPasswordResetChallenge() {
-      var _this$client$client$d;
-      return (_this$client$client$d = this.client.client.dbConnection).getPasswordResetChallenge.apply(_this$client$client$d, arguments);
+      var _this$client$client$d2;
+      return (_this$client$client$d2 = this.client.client.dbConnection).getPasswordResetChallenge.apply(_this$client$client$d2, arguments);
     }
   }, {
     key: "getUserCountry",

package/lib/core/web_api.js

@@ -84,6 +84,11 @@ var Auth0WebAPI = /*#__PURE__*/function () {
     value: function getChallenge(lockID, callback) {
       return this.clients[lockID].getChallenge(callback);
     }
+  }, {
+    key: "getSignupChallenge",
+    value: function getSignupChallenge(lockID, callback) {
+      return this.clients[lockID].getSignupChallenge(callback);
+    }
   }, {
     key: "getPasswordlessChallenge",
     value: function getPasswordlessChallenge(lockID, callback) {