@okta/okta-auth-js

Package Overview
Dependencies
Maintainers
1
Versions
161
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@okta/okta-auth-js - npm Package Compare versions

Comparing version

to
3.2.5

6

CHANGELOG.md
# Changelog
## 3.2.5
- [#491](https://github.com/okta/okta-auth-js/pull/491) Fixes issue with OAuth param cookie when using self-hosted signin widget
- [#489](https://github.com/okta/okta-auth-js/pull/489) Fixes sameSite cookie setting when running on HTTP connection
## 3.2.4

@@ -4,0 +10,0 @@

37

lib/browser/browser.js

@@ -31,18 +31,15 @@ /*!

function OktaAuthBuilder(args) {
var sdk = this;
builderUtil.assertValidConfig(args);
var cookieSettings = util.extend({
secure: true
}, args.cookies);
var isLocalhost = (sdk.features.isLocalhost() && !sdk.features.isHTTPS());
if (isLocalhost) {
cookieSettings.secure = false; // Force secure=false if running on http://localhost
function getCookieSettings(sdk, args) {
// Secure cookies will be automatically used on a HTTPS connection
// Non-secure cookies will be automatically used on a HTTP connection
// secure option can override the automatic behavior
var cookieSettings = args.cookies || {};
if (typeof cookieSettings.secure === 'undefined') {
cookieSettings.secure = sdk.features.isHTTPS();
}
if (typeof cookieSettings.sameSite === 'undefined') {
// Chrome >= 80 will block cookies with SameSite=None unless they are also Secure
cookieSettings.sameSite = cookieSettings.secure ? 'none' : 'lax';
}
// If secure=true, but the connection is not HTTPS, set secure=false.
if (cookieSettings.secure && !sdk.features.isHTTPS()) {

@@ -58,2 +55,16 @@ // eslint-disable-next-line no-console

// Chrome >= 80 will block cookies with SameSite=None unless they are also Secure
// If sameSite=none, but the connection is not HTTPS, set sameSite=lax.
if (cookieSettings.sameSite === 'none' && !cookieSettings.secure) {
cookieSettings.sameSite = 'lax';
}
return cookieSettings;
}
function OktaAuthBuilder(args) {
var sdk = this;
builderUtil.assertValidConfig(args);
this.options = {

@@ -76,3 +87,3 @@ clientId: args.clientId,

onSessionExpired: args.onSessionExpired,
cookies: cookieSettings
cookies: getCookieSettings(sdk, args)
};

@@ -79,0 +90,0 @@

@@ -714,10 +714,11 @@ /*!

function getOAuthParamsStrFromStorage() {
let oauthParamsStr;
if (browserStorage.browserHasSessionStorage()) {
// try to read OAuth params from cookie first. This is for backward compatibility
let oauthParamsStr = cookies.get(constants.REDIRECT_OAUTH_PARAMS_NAME);
cookies.delete(constants.REDIRECT_OAUTH_PARAMS_NAME);
// latest version of auth-js will store params in session storage
if (!oauthParamsStr && browserStorage.browserHasSessionStorage()) {
const storage = browserStorage.getSessionStorage();
oauthParamsStr = storage.getItem(constants.REDIRECT_OAUTH_PARAMS_NAME);
storage.removeItem(constants.REDIRECT_OAUTH_PARAMS_NAME);
} else {
oauthParamsStr = cookies.get(constants.REDIRECT_OAUTH_PARAMS_NAME);
cookies.delete(constants.REDIRECT_OAUTH_PARAMS_NAME);
}

@@ -724,0 +725,0 @@ return oauthParamsStr;
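Review bot: getCookieSettings in the first hunk of lib/browser/browser.js mutates the caller's configuration: `var cookieSettings = args.cookies || {};` aliases `args.cookies`, so the later assignments to `.secure` and `.sameSite` (including the forced downgrade on the non-HTTPS path) are written back into the object the application passed in, whereas the removed code copied it with `util.extend`. A second OktaAuthBuilder call with the same args would then see already-resolved values rather than its own defaults, and a shared or frozen config object would be altered or, in strict mode, throw. Copying first keeps the old contract: `var cookieSettings = util.extend({}, args.cookies);`. getCookieSettings starts in the first hunk and its tail (the sameSite downgrade and the return) is in the second, so the lines between the two hunks are not visible here.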

{
"name": "@okta/okta-auth-js",
"description": "The Okta Auth SDK",
"version": "3.2.4",
"version": "3.2.5",
"homepage": "https://github.com/okta/okta-auth-js",

@@ -89,5 +89,5 @@ "license": "Apache-2.0",

"okta": {
"commitSha": "42d110f0ac5482a110234f634b9c6f86a3532f37",
"fullVersion": "3.2.4-g42d110f"
"commitSha": "5d88a4426cb525394254ee907672a6ce4e5f2c3b",
"fullVersion": "3.2.5-g5d88a44"
}
}
