@cimpress/simple-auth-wrapper

@cimpress/simple-auth-wrapper - npm Package Compare versions

Comparing version 7.0.1 to 7.1.0

lib/PKCE.js


CHANGELOG.md
# Changelog
## 7.1.X (2020-12-07)
Added support for the Authorization Code Grant With PKCE Flow. See the [README](/README.md) for details.
## 7.0 (2020-11-02)
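Review bot: the new entry is headed `7.1.X (2020-12-07)` while package.json in this same compare moves to exactly 7.1.0; use the released version so the entry can be matched to the published tag. The entry should also state that two runtime dependencies (`randombytes`, `sha.js`) are added for the PKCE flow, since consumers reviewing the dependency footprint of a minor bump look here first.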

@@ -4,0 +8,0 @@

@@ -43,3 +43,12 @@ 'use strict';

var _PKCE = require('./PKCE');
Object.defineProperty(exports, 'AuthorizationCodeGrantPKCE', {
enumerable: true,
get: function get() {
return _interopRequireDefault(_PKCE).default;
}
});
function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
//# sourceMappingURL=index.js.map
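Review bot: this is Babel-generated output committed under `lib/` (the `sourceMappingURL` trailer gives it away), so it should be regenerated from `src/index.js` by the build rather than edited by hand; the `_interopRequireDefault` helper is declared after the getter that calls it, which only works because function declarations are hoisted. Confirm `lib/index.js.map` is regenerated and published alongside this file, or drop the `sourceMappingURL` comment, since a stale map makes the compiled PKCE export harder to debug.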


package.json
{
"name": "@cimpress/simple-auth-wrapper",
"version": "7.0.1",
"version": "7.1.0",
"description": "A simple utility class to wrap basic Auth0 functionality",

@@ -21,3 +21,5 @@ "main": "lib/index.js",

"events": "^2.0.0",
"lodash.merge": "^4.6.2"
"lodash.merge": "^4.6.2",
"randombytes": "^2.1.0",
"sha.js": "^2.4.11"
},
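Review bot: `randombytes` and `sha.js` are added as runtime dependencies with caret ranges; given that this compare adds a PKCE flow, they are almost certainly used to generate the code verifier and compute the S256 code challenge, so they sit on the security path of the new feature. Make sure a lockfile pins the resolved versions and that the browser bundle resolves `randombytes` to an implementation backed by `crypto.getRandomValues` rather than any non-cryptographic fallback, and consider whether `window.crypto.getRandomValues` plus `crypto.subtle.digest('SHA-256', ...)` could replace both packages in the browser build, avoiding two new transitive trees for primitives the platform already provides.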

@@ -30,3 +32,3 @@ "devDependencies": {

"del": "3.0.0",
"gulp": "4.0.2",
"gulp": "^4.0.0",
"gulp-babel": "7.0.0",
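Review bot: relaxing `gulp` from the exact `4.0.2` to `^4.0.0` is unrelated to the PKCE feature and widens the range to include 4.0.0 and 4.0.1, which are older than the previous pin, while the neighbouring `del` and `gulp-babel` remain pinned exactly; either keep the pin or move the build-tool range change into its own commit with its rationale.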

@@ -36,4 +38,5 @@ "gulp-concat": "2.6.1",

"jest": "^23.5.0",
"jest-fetch-mock": "^3.0.3",
"jest-plugin-clock": "^2.9.0"
}
}
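Review bot: `jest-fetch-mock` and `jest-plugin-clock` indicate new tests that stub `fetch` and timers, but no test file is rendered in this compare; if the PKCE tests are among the files whose diff is not shown, fine, otherwise add tests that exercise verifier/challenge generation and the `handleAuthentication` callback path so the new runtime dependencies are covered in CI.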

@@ -138,2 +138,75 @@ # MEX Simple Auth Wrapper v. 3.0

|-------------------|---------|---------|--------------------------------------------------------------------------|
| `performRedirect` | Boolean | true | Indicates if the wrapper should redirect back to the specified `nextUri` |
| `performRedirect` | Boolean | true | Indicates if the wrapper should redirect back to the specified `nextUri` |
### Authorization Code Flow with Proof Key for Code Exchange (PKCE)
The [Authorization Code Flow With PKCE](https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce) can be used to retrieve a refresh token for a user. This is used along with the [Sessions API](https://developer.cimpress.io/apis/auth/sessions-cimpress-io) where the session is used to retireve an access token for the user.
#### Why the change from AuthorizationCodeGrant to AuthorizationCodeGrantPKCE?
When public clients (e.g., native and single-page applications) request Access Tokens, some additional security concerns (Cannot securely store a Client Secret) are posed that are not mitigated by the Authorization Code Flow alone.
To mitigate this, The PKCE-enhanced Authorization Code Flow introduces a secret created by the calling application that can be verified by the authorization server; this secret is called the Code Verifier. Additionally, the calling app creates a transform value of the Code Verifier called the Code Challenge and sends this value over HTTPS to retrieve an Authorization Code. This way, a malicious attacker can only intercept the Authorization Code, and they cannot exchange it for a token without the Code Verifier.
```javascript
import { AuthorizationCodeGrantPKCE } from '@cimpress/simple-auth-wrapper';
const authorizationCodeGrantPKCE = new AuthorizationCodeGrantPKCE(options);
```
| Name | Type | Default | Description |
|------------------|----------|----------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
| `clientID` | String | None (required) | The clientID used in the Authorization Code Grant Flow |
| `redirectRoute` | String | "" | The route Auth0 will redirect back to: `window.location.origin + redirectRoute` |
| `domain` | String | `cimpress.auth0.com` | The auth0 domain |
| `audience` | String | `https://api.cimpress.io/` | The auth0 audience |
| `scope` | String | `offline_access` | The scope which you want to request access for |
| `sessionEnabled` | Boolean | `true` | Determines whether the calling client supports session-based flow. If false, the token refresh is handled by the library instead of the sessions api |
This will give you access to:
`login(options)` Starts the Authorization Code Grant Flow, redirecting the user to the centralized lock page.
| Name | Type | Default | Description |
|--------------|--------|---------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `nextUri` | String | `/` | Takes the user through the flow and will be returned to this `nextUri` route. |
`handleAuthentication(options)` Resumes the authorization code grant flow. Should be called at the base of your application, or at the `redirectUri` specified to continue the flow. Returns a boolean value indicating whether the User has successfully completed the authorization code grant flow.
| Name | Type | Default | Description |
|-------------------|---------|---------|--------------------------------------------------------------------------|
| `performRedirect` | Boolean | true | Indicates if the wrapper should redirect back to the specified `nextUri` |
`ensureAuthentication(options)` combines handleAuthentication and login together. This single call can be used on page load and it will do everything necessary to ensure the user is authenticated.
| Name | Type | Default | Description |
|--------------|--------|---------|-------------------------------------------------------------------------------|
| `nextUri` | String | `/` | Takes the user through the flow and will be returned to this `nextUri` route. |
| `forceLogin` | String | `/` | Forcefully redirect the user to the centralized lock page. |
`getProfile(sessionId)` returns the profile information of a user in exchange of a sessionId. This makes a call to the [Profile Service API](https://developer.cimpress.io/apis/misc/profile-service--profile-cimpress-io-) to fetch the information and to avoid multiple calls to API, we cache the profile information for a set interval (1 hour) before invoking the profile service again.
`logout(nextUri,sessionId)` closes the active session and clears the local storage. After logging the user out, the user is sent to the url specified in 'nextUri'.
`checkSession(sessionId)` returns the status of the session in exchange of a session ID
#### Subscribing to Events
Listed below are the different events you can subscribe to.
| Name | Description |
|----------------|---------------|
| `sessionExpired` | This event is triggered when the user's session expires. By default this event will emit 30 seconds before the actual expiry. You can change this offset value via the `sessionExpirationOffset` constructor option. It is also possible for this to be fired on browser focus. This is controlled by the `checkExpirationOnFocus` constructor option and exists because the session expired timer can be unreliable when the user's computer is asleep.|
```javascript
import { AuthorizationCodeGrantPKCE } from '@cimpress/simple-auth-wrapper';
const auth = new AuthorizationCodeGrantPKCE(options);
auth.on('sessionExpired', () => {
console.log('The session has expired.');
});
```
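Review bot: the `forceLogin` row in the `ensureAuthentication(options)` table is typed `String` with default `/`, which looks copied from the `nextUri` row above it; its description ("Forcefully redirect the user to the centralized lock page") implies a Boolean defaulting to false, so correct the type and default. Also: the constructor option is named `redirectRoute` while `handleAuthentication` refers to "the `redirectUri` specified", so settle on one name; "retireve" should be "retrieve"; and the PKCE section explains the code verifier but not where the wrapper keeps it between `login()` and `handleAuthentication()` (the redirect crosses a full page load) nor whether a `state` value binds the callback to the initiating request, both of which integrators need in order to reason about the flow.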

@@ -1,4 +0,5 @@

export { default as centralizedAuth } from './centralizedauth';
export { default as centralizedAuth } from './centralizedauth';
export { default as UserMetadata } from './usermetadata';
export { default as Delegation } from './delegation';
export { default as AuthorizationCodeGrant } from './authorizationcodegrant';
export { default as AuthorizationCodeGrantPKCE } from './PKCE';
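Review bot: `AuthorizationCodeGrant` is still exported alongside the new `AuthorizationCodeGrantPKCE`, yet the README section added in this compare is titled "Why the change from AuthorizationCodeGrant to AuthorizationCodeGrantPKCE?"; if the non-PKCE class is being superseded for public clients, mark it deprecated (a JSDoc `@deprecated` tag or a one-time console warning in its constructor) and say so in the changelog, otherwise reword the README heading so it does not read as a replacement.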

Sorry, the diff of this file is not supported yet

