@okta/okta-auth-js
# Changelog | ||
## 3.2.5 | ||
- [#491](https://github.com/okta/okta-auth-js/pull/491) Fixes issue with OAuth param cookie when using self-hosted signin widget | ||
- [#489](https://github.com/okta/okta-auth-js/pull/489) Fixes sameSite cookie setting when running on HTTP connection | ||
## 3.2.4 | ||
@@ -4,0 +10,0 @@ |
@@ -31,18 +31,15 @@ /*! | ||
function OktaAuthBuilder(args) { | ||
var sdk = this; | ||
builderUtil.assertValidConfig(args); | ||
var cookieSettings = util.extend({ | ||
secure: true | ||
}, args.cookies); | ||
var isLocalhost = (sdk.features.isLocalhost() && !sdk.features.isHTTPS()); | ||
if (isLocalhost) { | ||
cookieSettings.secure = false; // Force secure=false if running on http://localhost | ||
function getCookieSettings(sdk, args) { | ||
// Secure cookies will be automatically used on a HTTPS connection | ||
// Non-secure cookies will be automatically used on a HTTP connection | ||
// secure option can override the automatic behavior | ||
var cookieSettings = args.cookies || {}; | ||
if (typeof cookieSettings.secure === 'undefined') { | ||
cookieSettings.secure = sdk.features.isHTTPS(); | ||
} | ||
if (typeof cookieSettings.sameSite === 'undefined') { | ||
// Chrome >= 80 will block cookies with SameSite=None unless they are also Secure | ||
cookieSettings.sameSite = cookieSettings.secure ? 'none' : 'lax'; | ||
} | ||
// If secure=true, but the connection is not HTTPS, set secure=false. | ||
if (cookieSettings.secure && !sdk.features.isHTTPS()) { | ||
@@ -58,2 +55,16 @@ // eslint-disable-next-line no-console | ||
// Chrome >= 80 will block cookies with SameSite=None unless they are also Secure | ||
// If sameSite=none, but the connection is not HTTPS, set sameSite=lax. | ||
if (cookieSettings.sameSite === 'none' && !cookieSettings.secure) { | ||
cookieSettings.sameSite = 'lax'; | ||
} | ||
return cookieSettings; | ||
} | ||
function OktaAuthBuilder(args) { | ||
var sdk = this; | ||
builderUtil.assertValidConfig(args); | ||
this.options = { | ||
@@ -76,3 +87,3 @@ clientId: args.clientId, | ||
onSessionExpired: args.onSessionExpired, | ||
cookies: cookieSettings | ||
cookies: getCookieSettings(sdk, args) | ||
}; | ||
@@ -79,0 +90,0 @@ |
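Review bot: `var cookieSettings = args.cookies || {};` in the first hunk writes the computed `secure` and `sameSite` values back into the caller's `args.cookies` object, whereas the removed code copied it through `util.extend`; a caller that reuses one config object across SDK instances, or logs it, will see the values the SDK downgraded rather than the ones it configured. Copy first, `var cookieSettings = util.extend({}, args.cookies);`, so the forced secure=false / sameSite=lax downgrades stay local to the SDK. The secure downgrade in the second hunk appears to be logged (the hunk context carries an eslint no-console marker), but the `sameSite === 'none'` → `'lax'` rewrite at the top of that hunk silently overrides an explicit caller setting, so a matching console warning there would help operators notice why cross-site flows stop working on plain HTTP. The body of getCookieSettings between the two hunks, including the secure-downgrade branch, is outside what is shown.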
@@ -714,10 +714,11 @@ /*! | ||
function getOAuthParamsStrFromStorage() { | ||
let oauthParamsStr; | ||
if (browserStorage.browserHasSessionStorage()) { | ||
// try to read OAuth params from cookie first. This is for backward compatibility | ||
let oauthParamsStr = cookies.get(constants.REDIRECT_OAUTH_PARAMS_NAME); | ||
cookies.delete(constants.REDIRECT_OAUTH_PARAMS_NAME); | ||
// latest version of auth-js will store params in session storage | ||
if (!oauthParamsStr && browserStorage.browserHasSessionStorage()) { | ||
const storage = browserStorage.getSessionStorage(); | ||
oauthParamsStr = storage.getItem(constants.REDIRECT_OAUTH_PARAMS_NAME); | ||
storage.removeItem(constants.REDIRECT_OAUTH_PARAMS_NAME); | ||
} else { | ||
oauthParamsStr = cookies.get(constants.REDIRECT_OAUTH_PARAMS_NAME); | ||
cookies.delete(constants.REDIRECT_OAUTH_PARAMS_NAME); | ||
} | ||
@@ -724,0 +725,0 @@ return oauthParamsStr; |
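Review bot: When the cookie yields a value, the session-storage copy of `REDIRECT_OAUTH_PARAMS_NAME` is never read or removed, because the session-storage branch is now guarded by `!oauthParamsStr`; the removed code always cleared whichever store it read, so this leaves redirect params (presumably state/nonce material) lingering in sessionStorage after a completed flow, and a stale cookie value would shadow the current session-storage params on the next redirect. Clear both stores every time by changing the guard to `if (browserStorage.browserHasSessionStorage()) {` and the read to `oauthParamsStr = oauthParamsStr || storage.getItem(constants.REDIRECT_OAUTH_PARAMS_NAME);`, keeping the removeItem call as is. The function's closing brace is outside the hunk.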
{ | ||
"name": "@okta/okta-auth-js", | ||
"description": "The Okta Auth SDK", | ||
"version": "3.2.4", | ||
"version": "3.2.5", | ||
"homepage": "https://github.com/okta/okta-auth-js", | ||
@@ -89,5 +89,5 @@ "license": "Apache-2.0", | ||
"okta": { | ||
"commitSha": "42d110f0ac5482a110234f634b9c6f86a3532f37", | ||
"fullVersion": "3.2.4-g42d110f" | ||
"commitSha": "5d88a4426cb525394254ee907672a6ce4e5f2c3b", | ||
"fullVersion": "3.2.5-g5d88a44" | ||
} | ||
} |