@cimpress/simple-auth-wrapper - npm Package Compare versions

Comparing version 8.0.0 to 8.1.0

CHANGELOG.md

 # Changelog
 
+## 8.1.0 (2021-08-01)
+
+* Added more secured PKCE flow.
+* Added module exports to support ES6 tree shaking. 
 ## 8.0 (2021-08-18)
@@ -4,0 +8,0 @@

lib/centralizedauth.js

@@ -9,6 +9,4 @@ 'use strict';
 
-var _auth0Js = require('auth0-js');
+var _auth0SpaJs = require('@auth0/auth0-spa-js');
 
-var _auth0Js2 = _interopRequireDefault(_auth0Js);
-
 var _events3 = require('events');
@@ -22,11 +20,12 @@
 
-var _promisify = require('./promisify');
+var _qs = require('qs');
 
+var _qs2 = _interopRequireDefault(_qs);
+
 function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
 
+function _asyncToGenerator(fn) { return function () { var gen = fn.apply(this, arguments); return new Promise(function (resolve, reject) { function step(key, arg) { try { var info = gen[key](arg); var value = info.value; } catch (error) { reject(error); return; } if (info.done) { resolve(value); } else { return Promise.resolve(value).then(function (value) { step("next", value); }, function (err) { step("throw", err); }); } } return step("next"); }); }; }
+
 function _classCallCheck(instance, Constructor) { if (!(instance instanceof Constructor)) { throw new TypeError("Cannot call a class as a function"); } }
 
-/// quickstart
-/// https://auth0.com/docs/quickstart/spa/vanillajs
-
 var DEFAULT_OPTIONS = {
@@ -75,10 +74,11 @@ redirectRoute: '',
   this.redirectUri = window.location.origin + this.redirectRoute;
-
-  this.auth0 = new _auth0Js2.default.WebAuth({
+  // PKCE spa auth0 js implementation
+  this.auth0 = new _auth0SpaJs.Auth0Client({
+    cacheLocation: 'localstorage',
     domain: this.domain,
-    clientID: this.clientID,
+    client_id: this.clientID,
     responseType: 'id_token token',
     audience: this.audience,
     scope: this.scope,
-    redirectUri: this.redirectUri, //auth0 redirects back to this page after authentication
+    redirect_uri: this.redirectUri, //auth0 redirects back to this page after authentication
     leeway: this.leeway // avoid the "The token was issued in the future. Please check your computed clock." error
@@ -97,2 +97,5 @@ });
 
+// Extracts code and state params from the url and returns a dictionary.
+
+
 // Subscribe to events that the auth wrapper emits
@@ -157,2 +160,19 @@ // Subscribable event types:
 
+  this.wasAuth0Redirect = function () {
+    var parsedUrl = _this.getFragments();
+    return parsedUrl['code'] && parsedUrl['state'];
+  };
+
+  this.getFragments = function () {
+    if (!window.location.search) {
+      return {};
+    }
+
+    return window.location.search.substring(1).split('&').reduce(function (prev, cur) {
+      var kv = cur.split('=');
+      prev[kv[0]] = kv[1];
+      return prev;
+    }, {});
+  };
+
   this.on = function (eventType) {
@@ -308,80 +328,159 @@ var _events;
 
-  this.handleAuthentication = function () {
-    if (_this.isLoggedIn() && !window.location.hash) {
-      _this.setExpirationTimer();
-      return Promise.resolve(true);
-    }
-    if (!window.location.hash) {
-      return Promise.resolve(false);
-    }
-    var parseHash = (0, _promisify.promisify)(_this.auth0.parseHash.bind(_this.auth0));
-    return parseHash().then(function (authResult) {
-      if (authResult && authResult.accessToken && authResult.idToken) {
-        window.location.hash = '';
-        _this.clearOldNonces();
-        _this.saveToken(authResult.idToken, authResult.accessToken, authResult.idTokenPayload, authResult.expiresIn);
-        var returnUri = sessionStorage.getItem('returnUri');
-        if (returnUri) {
-          sessionStorage.removeItem('returnUri');
+  this.handleAuthentication = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee() {
+    var authResult, returnUri;
+    return regeneratorRuntime.wrap(function _callee$(_context) {
+      while (1) {
+        switch (_context.prev = _context.next) {
+          case 0:
+            if (!_this.isLoggedIn()) {
+              _context.next = 3;
+              break;
+            }
+
+            _this.setExpirationTimer();
+            return _context.abrupt('return', Promise.resolve(true));
+
+          case 3:
+            if (!_this.wasAuth0Redirect()) {
+              _context.next = 25;
+              break;
+            }
+
+            authResult = {};
+            _context.prev = 5;
+            _context.next = 8;
+            return _this.auth0.handleRedirectCallback();
+
+          case 8:
+            authResult = _this.auth0.cacheManager.cache.get(_this.auth0.cacheManager.cache.allKeys()).body;
+            _context.next = 15;
+            break;
+
+          case 11:
+            _context.prev = 11;
+            _context.t0 = _context['catch'](5);
+
+            // apps should handle this themselves
+            console.log(_context.t0);
+            throw _context.t0;
+
+          case 15:
+            if (!(authResult && authResult.access_token && authResult.id_token)) {
+              _context.next = 24;
+              break;
+            }
+
+            window.location.hash = '';
+            _this.clearOldNonces();
+            _this.saveToken(authResult.id_token, authResult.access_token, authResult.decodedToken.user, authResult.expires_in);
+            returnUri = sessionStorage.getItem('returnUri');
+
+            if (returnUri) {
+              sessionStorage.removeItem('returnUri');
+            }
+            window.location = returnUri || '/';
+            _this.setExpirationTimer();
+            return _context.abrupt('return', true);
+
+          case 24:
+            return _context.abrupt('return', false);
+
+          case 25:
+            return _context.abrupt('return', false);
+
+          case 26:
+          case 'end':
+            return _context.stop();
         }
-        window.location = returnUri || '/';
-        return true;
       }
-      return false;
-    }).then(function (authenticated) {
-      if (authenticated) {
-        _this.setExpirationTimer();
-      }
-      return authenticated;
-    }).catch(function (err) {
-      // apps should handle this themselves
-      throw err;
-    });
-  };
+    }, _callee, _this, [[5, 11]]);
+  }));
 
   this.login = function () {
-    var options = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
+    var _ref2 = _asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee2() {
+      var options = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
 
-    // this isn't pretty, but it makes this method backwards compatible
-    // TODO: v7.0 remove backwards compatibilty
-    if (typeof options === 'string') {
-      options = {
-        nextUri: options,
-        forceLogin: false
-      };
-      console.warn('Calling login("string") is deprecated. Please refer to the documentation and pass an options object instead.');
-    }
+      var _options, forceLogin, nextUri, _options$authorizePar, authorizeParams, authorizeParamsZeroDepth, authOptions, authResult;
 
-    var _options = options,
-        forceLogin = _options.forceLogin,
-        nextUri = _options.nextUri,
-        _options$authorizePar = _options.authorizeParams,
-        authorizeParams = _options$authorizePar === undefined ? {} : _options$authorizePar;
+      return regeneratorRuntime.wrap(function _callee2$(_context2) {
+        while (1) {
+          switch (_context2.prev = _context2.next) {
+            case 0:
+              // this isn't pretty, but it makes this method backwards compatible
+              // TODO: v7.0 remove backwards compatibilty
+              if (typeof options === 'string') {
+                options = {
+                  nextUri: options,
+                  forceLogin: false
+                };
+                console.warn('Calling login("string") is deprecated. Please refer to the documentation and pass an options object instead.');
+              }
 
+              _options = options, forceLogin = _options.forceLogin, nextUri = _options.nextUri, _options$authorizePar = _options.authorizeParams, authorizeParams = _options$authorizePar === undefined ? {} : _options$authorizePar;
 
-    if (_this.isLoggedIn() && !forceLogin) {
-      return Promise.resolve(true);
-    }
+              if (!(_this.isLoggedIn() && !forceLogin)) {
+                _context2.next = 4;
+                break;
+              }
 
-    var authOptions = _extends({ redirectUri: _this.redirectUri }, authorizeParams);
-    var checkSession = (0, _promisify.promisify)(_this.auth0.checkSession.bind(_this.auth0));
+              return _context2.abrupt('return', Promise.resolve(true));
 
-    // try silent sso first
-    return checkSession(authOptions).then(function (authResult) {
-      if (authResult && authResult.accessToken && authResult.idToken) {
-        _this.clearOldNonces();
-        _this.saveToken(authResult.idToken, authResult.accessToken, authResult.idTokenPayload, authResult.expiresIn);
-        _this.setExpirationTimer();
-        return true;
-      }
-      return false;
-    }).catch(function (err) {
-      if (nextUri) {
-        sessionStorage.setItem('returnUri', nextUri);
-      }
-      _this.auth0.authorize(authOptions);
-      return false;
-    });
-  };
+            case 4:
+              // fix for authorizeParams having depth more than zero
+              authorizeParamsZeroDepth = _qs2.default.parse(_qs2.default.stringify(authorizeParams), {
+                depth: 0
+              });
+              authOptions = _extends({
+                redirect_uri: _this.redirectUri
+              }, authorizeParamsZeroDepth);
 
+              // try silent sso first
+
+              _context2.prev = 6;
+              _context2.next = 9;
+              return _this.auth0.getTokenSilently(authOptions);
+
+            case 9:
+              authResult = _this.auth0.cacheManager.cache.get(_this.auth0.cacheManager.cache.allKeys()).body;
+
+              if (!(authResult && authResult.access_token && authResult.id_token)) {
+                _context2.next = 15;
+                break;
+              }
+
+              _this.clearOldNonces();
+              _this.saveToken(authResult.id_token, authResult.access_token, authResult.decodedToken.user, authResult.expires_in);
+              _this.setExpirationTimer();
+              return _context2.abrupt('return', true);
+
+            case 15:
+              return _context2.abrupt('return', false);
+
+            case 18:
+              _context2.prev = 18;
+              _context2.t0 = _context2['catch'](6);
+
+              console.log(_context2.t0);
+              if (nextUri) {
+                sessionStorage.setItem('returnUri', nextUri);
+              }
+              _context2.next = 24;
+              return _this.auth0.loginWithRedirect(authOptions);
+
+            case 24:
+              return _context2.abrupt('return', false);
+
+            case 25:
+            case 'end':
+              return _context2.stop();
+          }
+        }
+      }, _callee2, _this, [[6, 18]]);
+    }));
+
+    return function () {
+      return _ref2.apply(this, arguments);
+    };
+  }();
+
   this.ensureAuthentication = function () {
@@ -388,0 +487,0 @@ var options = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};

package.json

 {
   "name": "@cimpress/simple-auth-wrapper",
-  "version": "8.0.0",
+  "version": "8.1.0",
   "description": "A simple utility class to wrap basic Auth0 functionality",
   "main": "lib/index.js",
+  "module": "module/index.js",
+  "files": [
+    "lib",
+    "module"
+  ],
+  "sideEffects": [],
   "scripts": {
@@ -18,2 +24,3 @@ "test": "jest",
   "dependencies": {
+    "@auth0/auth0-spa-js": "^1.17.0",
     "auth0-js": "^9.14.0",
@@ -20,0 +27,0 @@ "events": "^2.0.0",

Fixed alerts

Shell access

Supply chain risk

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Found 1 instance in 1 package

Improved metrics

Number of medium supply chain risk alerts

3

decreased by-57.14%

Worsened metrics

Total package byte prevSize

147144

decreased by-30.56%

Dependency count

8

increased by14.29%

Number of package files

17

decreased by-46.87%

Lines of code

1291

decreased by-53.96%

Dependency changes

• + Added@auth0/auth0-spa-js@^1.17.0

• + Added@auth0/auth0-spa-js@1.22.6(transitive)

• + Addedabortcontroller-polyfill@1.7.8(transitive)

• + Addedbrowser-tabs-lock@1.3.0(transitive)

• + Addedcore-js@3.40.0(transitive)

• + Addedes-cookie@1.3.2(transitive)

• + Addedfast-text-encoding@1.0.6(transitive)

• + Addedlodash@4.17.21(transitive)

• + Addedpromise-polyfill@8.3.0(transitive)