Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@descope/user-profile-widget
Advanced tools
.env
fileIn the widget package create an .env
file which includes;
DESCOPE_BASE_URL= # env base url
DESCOPE_PROJECT_ID= # project ID
DESCOPE_WIDGET_ID= # default: user-profile-widget
DEBUG_MODE= # "true" / "false", default: "false"
DESCOPE_THEME= # "light" / "dark" / "os", default: "light"
<script src="https://cdn.jsdelivr.net/npm/@descope/user-profile-widget/dist/index.js"></script>
<descope-user-profile-widget
base-url="<DESCOPE_BASE_URL>"
project-id="<DESCOPE_PROJECT_ID>"
tenant="<DESCOPE_TENANT>"
debug="<DEBUG_MODE>"
theme="<DESCOPE_THEME>"
widget-id="<DESCOPE_WIDGET_ID>"
></descope-user-profile-widget>
<script>
function onLogout(error) {
window.location.reload();
}
const descopeWidgetEle = document.getElementsByTagName('descope-user-profile-widget')[0];
descopeWidgetEle.logout = onLogout;
</script>
In order to work with the widget, you must be logged in In case you are not authenticated, a login flow will run first, and after logging in, the widget will be rendered
run npm start
to start the widget.
/app
- contains index.html
/lib
- widget's source codelib/widget
- widget related implementationslib/widget/api
- Logic related to API callslib/widget/mixins
- Widget specific logiclib/widget/state
- State management logicThe widget is composed of mixins, each mixin contains specific logic parts, and sometime exposes an API that can be used in other mixins.
Mixins can be composed on top of each other, so we can create new mixins by composing several mixins together.
Functions that create mixins, can get a configuration, and returns the mixin functions.
Since mixins are composable, in some cases we want to make sure a mixin is loaded only once. For example: When there is no need for its logic to run multiple times when composed in different mixins.
For this case we have a wrapper function (createSingletonMixin
) to ensure that a mixin is loaded only once, regardless how many times it will be composed.
Mixins should be wrapped with the createSingletonMixin
wrapper function, unless there is a reason for running the mixin's logic multiple times.
We're using several tools to handle the widget's state:
An abstraction layer that provides an API for components, and enables handling interactions with components within the widget.
The motivation to use drivers is to decouple the widget's code from the component's implementation, and therefore it's important to interact with components only using drivers (and not relying on component's implementation details).
Widget UI is composed of @descope/web-components-ui
, which is loaded during the widget init in runtime.
For optimization, we load only the relevant components, defined on the widget screens DOM.
Since screen are fetched dynamically, when developing a new screen for the widget you will probably want to use mock templates. To do so, simply replace the call to fetchWidgetPage
with a string which includes your HTML.
In some cases you want to make changes to components anf see how it affects the widget. To do so, you need to build web-components-ui
and serve the dist
folder from your machine (with npx serve
or other util).
Add the key base.ui.components.url
to your localStorage and set its value to the URL of the served dist umd/index.js
file.
Pay attention that theme changes will not take affect until the components
FAQs
Descope user profile widget
The npm package @descope/user-profile-widget receives a total of 15,153 weekly downloads. As such, @descope/user-profile-widget popularity was classified as popular.
We found that @descope/user-profile-widget demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.