@okta/okta-auth-js - npm Package Compare versions

Comparing version 3.2.4 to 3.2.5

CHANGELOG.md

 # Changelog
 
+## 3.2.5
+
+- [#491](https://github.com/okta/okta-auth-js/pull/491) Fixes issue with OAuth param cookie when using self-hosted signin widget
+
+- [#489](https://github.com/okta/okta-auth-js/pull/489) Fixes sameSite cookie setting when running on HTTP connection
+
 ## 3.2.4
@@ -4,0 +10,0 @@

lib/browser/browser.js

@@ -31,18 +31,15 @@ /*!
 
-function OktaAuthBuilder(args) {
-  var sdk = this;
-
-  builderUtil.assertValidConfig(args);
-
-  var cookieSettings = util.extend({
-    secure: true
-  }, args.cookies);
-  var isLocalhost = (sdk.features.isLocalhost() && !sdk.features.isHTTPS());
-  if (isLocalhost) {
-    cookieSettings.secure = false; // Force secure=false if running on http://localhost
+function getCookieSettings(sdk, args) {
+  // Secure cookies will be automatically used on a HTTPS connection
+  // Non-secure cookies will be automatically used on a HTTP connection
+  // secure option can override the automatic behavior
+  var cookieSettings = args.cookies || {};
+  if (typeof cookieSettings.secure === 'undefined') {
+    cookieSettings.secure = sdk.features.isHTTPS();
   }
   if (typeof cookieSettings.sameSite === 'undefined') {
-    // Chrome >= 80 will block cookies with SameSite=None unless they are also Secure
     cookieSettings.sameSite = cookieSettings.secure ? 'none' : 'lax';
   }
+
+  // If secure=true, but the connection is not HTTPS, set secure=false.
   if (cookieSettings.secure && !sdk.features.isHTTPS()) {
@@ -58,2 +55,16 @@ // eslint-disable-next-line no-console
 
+  // Chrome >= 80 will block cookies with SameSite=None unless they are also Secure
+  // If sameSite=none, but the connection is not HTTPS, set sameSite=lax.
+  if (cookieSettings.sameSite === 'none' && !cookieSettings.secure) {
+    cookieSettings.sameSite = 'lax';
+  }
+
+  return cookieSettings;
+}
+
+function OktaAuthBuilder(args) {
+  var sdk = this;
+
+  builderUtil.assertValidConfig(args);
+
   this.options = {
@@ -76,3 +87,3 @@ clientId: args.clientId,
     onSessionExpired: args.onSessionExpired,
-    cookies: cookieSettings
+    cookies: getCookieSettings(sdk, args)
   };
@@ -79,0 +90,0 @@

lib/token.js

@@ -714,10 +714,11 @@ /*!
 function getOAuthParamsStrFromStorage() {
-  let oauthParamsStr;
-  if (browserStorage.browserHasSessionStorage()) {
+  // try to read OAuth params from cookie first. This is for backward compatibility
+  let oauthParamsStr = cookies.get(constants.REDIRECT_OAUTH_PARAMS_NAME);
+  cookies.delete(constants.REDIRECT_OAUTH_PARAMS_NAME);
+
+  // latest version of auth-js will store params in session storage
+  if (!oauthParamsStr && browserStorage.browserHasSessionStorage()) {
     const storage = browserStorage.getSessionStorage();
     oauthParamsStr = storage.getItem(constants.REDIRECT_OAUTH_PARAMS_NAME);
     storage.removeItem(constants.REDIRECT_OAUTH_PARAMS_NAME);
-  } else {
-    oauthParamsStr = cookies.get(constants.REDIRECT_OAUTH_PARAMS_NAME);
-    cookies.delete(constants.REDIRECT_OAUTH_PARAMS_NAME);
   }
@@ -724,0 +725,0 @@ return oauthParamsStr;

package.json

 {
   "name": "@okta/okta-auth-js",
   "description": "The Okta Auth SDK",
-  "version": "3.2.4",
+  "version": "3.2.5",
   "homepage": "https://github.com/okta/okta-auth-js",
@@ -89,5 +89,5 @@ "license": "Apache-2.0",
   "okta": {
-    "commitSha": "42d110f0ac5482a110234f634b9c6f86a3532f37",
-    "fullVersion": "3.2.4-g42d110f"
+    "commitSha": "5d88a4426cb525394254ee907672a6ce4e5f2c3b",
+    "fullVersion": "3.2.5-g5d88a44"
   }
 }

No alert changes

Improved metrics

Total package byte prevSize

3747514

0.06%

Lines of code

5992

0.15%

No dependency changes