auth0-spa-js

Full Changelog

Added

• Silent auth fallback when using Refresh Tokens can now be disabled #907 (frederikprijck)

Security

• [Snyk] Upgrade core-js 3.22.4 #910 (crew-security)

Fixed

• Organization ID hint cookie now respects cookieDomain config setting #900 (Dannnir)

Security

• [Snyk] Upgrade core-js from 3.21.1 to 3.22.0 #901 (snyk-bot)
• [Snyk] Upgrade promise-polyfill from 8.2.1 to 8.2.3 #893 (snyk-bot)

Added

• FEAT override cookie domain option #885 (Soviut)

Fixed

• fix: handle NPE when no popup is available #888 (stevehobbsdev)

Fixed

• Prevent cache.get when key is undefined #882 (stevehobbsdev)

Added

• SDK-3105 Add httpTimeoutInSeconds to control fetch timeout #875 (stevehobbsdev)

Changed

• clarify documentation comment for getTokenSilently #874 (jdugan1024)

Fixed

• Fix getTokenSilently reference in example code #868 (mdlavin)

Security

• [Snyk] Upgrade core-js from 3.20.2 to 3.20.3 #873 (snyk-bot)
• Bump node-fetch from 2.6.1 to 2.6.7 #870 (dependabot[bot])
• [Snyk] Upgrade core-js from 3.20.1 to 3.20.2 #869 (snyk-bot)
• [Snyk] Upgrade core-js from 3.20.0 to 3.20.1 #864 (snyk-bot)

Fixed

• Org ID hint cookie expiry now aligns with is.authenticated cookie #861 (stevehobbsdev)

Security

• Bump follow-redirects from 1.14.0 to 1.14.7 #860 (dependabot[bot])
• [Snyk] Upgrade core-js from 3.19.2 to 3.20.0 #858 (snyk-bot)
• [Snyk] Upgrade core-js from 3.19.1 to 3.19.2 #851 (snyk-bot)

Changed

• Make RedirectLoginOptions and RedirectLoginResult accept generic AppState #846 (frederikprijck)

Fixed

• Getidtokenclaims return type #844 (jmac105)
• Add check for state in handleRedirectCallback #841 (stevehobbsdev)
• Prevent nowProvider from being passed to authorize endpoint #840 (stevehobbsdev)
• Fix cached scopes when using detailed response mode #824 (stevehobbsdev)

This release fixes an anomoly with a new type we exposed in #803, where it was incorrectly wrapped with Partial. We don't expect this change to introduce any issues, but if you are affected please raise it on our issue tracker.

Fixed

• GetTokenSilentlyVerboseResponse no longer uses partial TokenEndpointResponse type #820 (stevehobbsdev)

Republished version 1.19.0, which got published during a period npm was suffering downtime issues, resulting in 1.19.0 being released but not installable for end users. Users should install 1.19.1 instead.

Added

• SDK-2794 Return token response in getTokenSilently #803 (stevehobbsdev)
• SDK-2793 Ability to define a custom now provider #802 (frederikprijck)

Added

• SDK-2750 Expose mfa_token from the mfa_required error when getting new tokens #789 (frederikprijck)

Changed

• SDK-2759 Re-scoping cookies and transactions to client ID #796 (stevehobbsdev)
• SDK-2320 Throw login_required error in SPA SDK if running in a cross-origin is… #790 (frederikprijck)

Fixed

• SDK-2692 Remember organization ID for silent authentication #788 (stevehobbsdev)

Fixed

• Correct cache interface #779 (employee451)

Added

• Add useFormData to enable application/x-www-form-urlencoded requests #768 (stevehobbsdev)

Changed

• Allow providing a domain that includes http or https. #768 (stevehobbsdev)

This release fixes an edge case when using logout({ localOnly: true }), where it generates a race condition if you happen to query for SDK state directly after logging out.

Now, logout can return a Promise when using a custom cache implementation. In general, if you're interested in accurately assessing SDK state after logging out locally, you should await the result and act afterwards.

const logout = async () => {
  await auth0.logout({ localOnly: true });
  
  const authed = await isAuthenticated();
}

Fixed

• Changes to logout and cache synchronicity #758 (stevehobbsdev)

This release adds a new extensible cache API, that enables you to bring your own cache implementation instead of relying on our built-in in-memory storage and localStorage implementations.

It's a Promise-based API that opens up the possibility to provide a more secure and complex cache to the SDK.

Here's a simple example that shows how sessionStorage support can be added to the cache:

const sessionStorageCache = {
  get(key) {
    return Promise.resolve(JSON.parse(sessionStorage.getItem(key)));
  },

  set(key, value) {
    return Promise.resolve(sessionStorage.setItem(key, JSON.stringify(value)));
  },

  remove(key) {
    sessionStorage.removeItem(key);
    return Promise.resolve();
  },
};

await createAuth0Client({
  domain: '<AUTH0_DOMAIN>',
  client_id: '<AUTH0_CLIENT_ID>',
  redirect_uri: '<MY_CALLBACK_URL>',
  cache: sessionStorageCache
});

You can read more about the cache API in the readme doc.

Added

• [SDK-2555] Extensible cache #743 (stevehobbsdev)

Added

• Add Popup cancelled event #724 (degrammer)

Fixed

• Fix popup blocker showing for loginWithPopup in Firefox & Safari #732 (stevehobbsdev)

Full Changelog

Added

• Add redirectMethod option to loginWithRedirect #717 (slaywell)
• Export errors for type checking #716 (adamjmcgrath)
• Add support for Organizations #720 (stevehobbsdev)

Changed

• Add screen_hint parameter to BaseLoginOptions #721 (damieng)

Fixed

• Updated minor syntax, to allow for TypeScript compiler to be happier #714 (kachihro)
• Revert [SDK-2183] Add warning when requested scopes differ from retrieved scopes #712 (frederikprijck)

Changed

• Update docs for getIdTokenClaims and getUser #690 (adamjmcgrath)
• [SDK-2238] Only use timeout promise when using fetchWithTimeout without a worker #689 (frederikprijck)
• Do not use AbortController in the worker if not available #679 (stevehobbsdev)
• Do not send useCookiesForTransactions to authorize request #673 (frederikprijck)

Fixed

• Remove the nonce check in handleRedirectCallback #678 (stevehobbsdev)

Security

• Update wait-on to solve security vulnerability #687 (frederikprijck)
• [Security] Bump ini from 1.3.5 to 1.3.7 #672 (dependabot-preview[bot])

Changed

• [SDK-2173] Expand on behaviour of checkSession in docs #666 (stevehobbsdev)
• [SDK-2183] Add warning when requested scopes differ from retrieved scopes #665 (frederikprijck)
• [SDK-2170] Avoid the possibility to do simultaneous calls to the token endpoint #664 (frederikprijck)
• [SDK-2025] Internal module refactor #661 (stevehobbsdev)
• [SDK-2039] Change cache lookup mechanism #652 (frederikprijck)

Fixed

• [SDK-1739] Recover and logout when throwing invalid_grant on Refresh Token #668 (frederikprijck)

Remarks

This release updates the getUser return type to be more correct. Instead of returning Promise<TUser>, it now returns Promise<TUser | undefined>, which might lead to an Object is possible 'undefined' compiler error in situation where the return value is not checked for being undefined while having set the TypeScript's --strictNullChecks compiler flag to true.

Added

• [SDK-2172] Add SDK metrics to all API calls #659 (frederikprijck)

Changed

• [SDK-1159] Use generics for getUser #651 (frederikprijck)