
supertokens-website - npm Package Compare versions

Comparing version 10.0.11 to 10.1.0

lib/build/utils/cookieHandler/defaultImplementation.d.ts


CHANGELOG.md
# Changelog
All notable changes to this project will be documented in this file.

@@ -9,3 +10,11 @@

## [10.1.0] - 2022-05-10
### Adds
- A new config property `cookieHandler` that allows for custom handling when the SDK reads/writes cookies
- A new config property `windowHandler` that allows for custom handling when the SDK uses any functions from the Window API.
## [10.0.11] - 2022-04-28
- For electron apps, prod build, we now handle `window.location.hostname` being an empty string.
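Review bot: the new 10.1.0 entry heads its list with `### Adds` while most earlier entries use `### Added:`, and the 10.0.11 entry below it has no `### Fixes` sub-heading at all; pick one form for both. More importantly, the entry says nothing about the contract a custom `cookieHandler` or `windowHandler` has to honour (the build hunks in this diff read the whole cookie string from `getCookie()`, hand a full `name=value;expires=...;domain=...;path=/;samesite=...` string to `setCookie()`, and use `location.getOrigin()`/`getHostName()` for the interception and cookie-domain decisions); a sentence pointing readers at the handler type definitions would prevent non-working or unsafe custom handlers.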

@@ -17,12 +26,15 @@

- Setting headers in first param of fetch (https://github.com/supertokens/supertokens-website/issues/116)
- Setting headers in first param of fetch (https://github.com/supertokens/supertokens-website/issues/116)
## [10.0.9] - 2022-03-18
### Adds
- New FDI support (v1.13)
- Workflow to verify if pr title follows conventional commits
- New FDI support (v1.13)
- Workflow to verify if pr title follows conventional commits
## [10.0.8] - 2022-01-25
### Fixes
- Issue https://github.com/supertokens/supertokens-website/issues/99
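Review bot: in this hunk and the remaining CHANGELOG hunks every removed line is paired with a new line that renders identically, so these look like whitespace or line-ending changes to historical entries rather than content edits. They inflate the diff; if a formatter was run, keep that in its own commit so the substantive 10.1.0 entry can be reviewed on its own.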

@@ -33,2 +45,3 @@

### Adds
- FDI 1.12 compatibility

@@ -39,2 +52,3 @@

### Added
- Compatibility with FDI 1.11

@@ -47,5 +61,7 @@ - Add tests for using session with jwt enabled

### Changes
- Re-organises code to remove circular dependencies: https://github.com/supertokens/supertokens-auth-react/issues/334
## [10.0.4] - 2021-11-15
- Uses supertokens-js-override from npm

@@ -56,2 +72,3 @@

### Changed:
- When calling a user's API, uses rid "anti-csrf" instead of session to solve https://github.com/supertokens/supertokens-node/issues/202

@@ -62,2 +79,3 @@

### Added
- FDI 1.10 support (just changing the frontendDriverInterfaceSupported.json)

@@ -68,9 +86,11 @@

### Changes
- Uses non arrow functions in api and recipe interface impl to allow for "true" inheritance in override: https://github.com/supertokens/supertokens-node/issues/199
- Uses `bind(this)` when calling original implementation
- Added bundle size checking for PRs
- Uses non arrow functions in api and recipe interface impl to allow for "true" inheritance in override: https://github.com/supertokens/supertokens-node/issues/199
- Uses `bind(this)` when calling original implementation
- Added bundle size checking for PRs
## [10.0.0] - 2021-10-21
### Breaking changes
- Renames `getJWTPayloadSecurely` to `getAccessTokenPayloadSecurely`

@@ -89,3 +109,3 @@

- Not calling refresh after API calls if the refresh API returned an error
- Not calling refresh after an 401 response has removed the session
- Not calling refresh after an 401 response has removed the session

@@ -95,2 +115,3 @@ ## [9.0.2] - 2021-10-01

### Fixes
- Moved axios to dev dependency

@@ -100,2 +121,3 @@ - Fixed axios refresh error test

### Changes
- Using fetch instead of axios to call the refresh API

@@ -106,2 +128,3 @@

### Fixes
- Adds axios as a dependency

@@ -131,3 +154,3 @@

- Updated test behavior for cores after 3.6
- Updated test behavior for cores after 3.6

@@ -138,3 +161,3 @@ ## [8.2.0]

- A sessionExpiredOrRevoked propety on the "UNAUTHORIZED" event.
- A sessionExpiredOrRevoked propety on the "UNAUTHORIZED" event.

@@ -145,13 +168,18 @@ ## [8.1.2] - 2021-07-29

- Fixes typescript issue with default imports. (Related to https://github.com/supertokens/supertokens-auth-react/issues/297)
- Fixes typescript issue with default imports. (Related to https://github.com/supertokens/supertokens-auth-react/issues/297)
## [8.1.1] - 2021-06-25
### Fixed:
- Handles `Uncaught ReferenceError: process is not defined` during getting if testing or not.
## [8.1.0] - 2021-06-25
### Added:
- `SESSION_CREATED` event, which can be consumed by `onHandleEvent`
### Fixed:
- If a new session is created, and we try and fetch userId or jwtPayload before the frontToken is set, then it would throw an error. However, now we wait for the frontend token to be set / removed and then return the requested information.

@@ -162,8 +190,9 @@ - Fires `UNAUTHORISED` event before attempting to refresh if we know that a session does not exist.

### Refactor:
- Removes use of `addedFetchInterceptor` in `fetch.ts`
## [8.0.0] - 2021-06-06
### Added:
- Recipe interface that can be overrided

@@ -173,5 +202,7 @@ - `preAPIHook` and `onHandleEvent` functions

### Changed:
- `sessionScope` is a now a string
### Removed:
- Backward compatibility with cross domain localstorage

@@ -182,32 +213,46 @@ - Removes `setAuth0API`, `getAuth0API` and `getRefreshURLDomain` functions.

## [7.2.2] - 2021-06-14
### Fixes:
- Pushes new version to show this version as latest in npm
## [7.2.1] - 2021-06-11
### Fixes:
- Fixes issue https://github.com/supertokens/supertokens-node/issues/134
## [7.2.0] - 2021-06-05
### Added:
- Allow specifying of `cookieDomain` in config to add interceptors to multiple API subdomain: https://github.com/supertokens/supertokens-website/issues/58
## [7.1.1] - 2021-05-31
### Fixed:
- Fixes .d.ts file to allow all styles of imports
### Added:
- Adds a ts testing file in test folder.
## [7.1.0] - 2021-05-11
### Added:
- Support for sessions if used within an iframe: https://github.com/supertokens/supertokens-website/issues/53
## [7.0.1] - 2021-05-07
### Fixed:
- https://github.com/supertokens/supertokens-website/issues/50: originalFetch was being assigned twice such that the the refresh call was calling it too, resulting in a refresh inside a refresh -> deadlock
- When fetching the idRefreshToken from the frontend, if the backend is not working, we assume that the session doesn't exist.
## [7.0.0] - 2021-05-01
## [7.0.0] - 2021-05-01
### Changed:
- Uses frontend set cookies instead of localstorage so that sub domain session works on Safari

@@ -219,16 +264,22 @@ - Sends `rid` on each request - acts as a CSRF protection measure (see https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#use-of-custom-request-headers)

## [6.0.1] - 2021-04-29
### Changed:
- Updates dependencies:
- browser-tabs-lock
- https://github.com/supertokens/supertokens-website/pull/43
- https://github.com/supertokens/supertokens-website/pull/39
- https://github.com/supertokens/supertokens-website/pull/38
- browser-tabs-lock
- https://github.com/supertokens/supertokens-website/pull/43
- https://github.com/supertokens/supertokens-website/pull/39
- https://github.com/supertokens/supertokens-website/pull/38
## [6.0.0] - 2021-04-13
### Changed:
- Uses localstorage and iframes (for cross domain communication of localstorage) for session storage instead of cookies
- `getUserId` and `doesSessionExist` now return `Promises`
- `getUserId` and `doesSessionExist` now return `Promises`
## [5.1.0] - 2021-03-29
### Added:
- Sign out support

@@ -238,47 +289,71 @@ - Support for FDI 1.7

## [5.0.11] - 2021-04-05
### Fixed:
- Sets the cookies set by the frontend to never expire. Previously they were being set as Session cookies which cause them to be removed on browser restart, resulting in an inconsistent state.
## [5.0.10] - 2021-03-05
### Changed:
- Fixes normalisation of URL and path in case the path has a dot in it
## [5.0.9] - 2021-02-04
### Added:
- Compatibility with new FDI version
## [5.0.8] - 2021-01-27
### Fixes:
- Adds ability to use relative path for fetch and axios
## [5.0.7] - 2021-01-15
### Added:
- Compatibility with new FDI version
## [5.0.6] - 2021-01-06
### Fixed:
- Correctly handles fetch interception if the type of url is not a string
## [5.0.5] - 2020-12-19
### Changed:
- Applies dependabot dependency changes
## [5.0.4] - 2020-12-19
### Changed:
- Adds package-lock as per https://github.com/supertokens/supertokens-website/issues/28
## [5.0.3] - 2020-12-10
### Fixes:
- Better error messages for SSR.
## [5.0.2] - 2020-11-30
### Changed
- Added compatibility with new FDI. No change needed for this SDK, but added this since it's still compatible
## [5.0.1] - 2020-11-19
### Changed
- If the sessionScope is the same as the current domain, then we do not use it when setting cookies. This is because we do not want the browser to automatically add a leading dot. See https://github.com/supertokens/supertokens-website/issues/25
## [5.0.0] - 2020-10-24
### Changed
- Enforce interception for fetch and axios for easier use - issue #19

@@ -294,7 +369,11 @@ - Renames `websiteRootDomain` to `sessionScope`

## [4.4.1] - 2020-10-03
### Changed
- Changed success refresh call status code to >= 200 && < 300
## [4.4.0] - 2020-08-30
### Changed
- Stores Anti CSRF token in cookie that can be shared across sub domains. This value is then read and added to the request header separately.

@@ -305,7 +384,11 @@ - Compatible with FDI 1.2 and not with previous versions

## [4.3.0] - 2020-08-20
### Changed
- Adds 1.1 as supported FDI
## [4.2.0] - 2020-08-11
### Changed
- Changed the default session expiry status code to 401

@@ -317,6 +400,9 @@ - Changed function signature of `init` for `axios` and `fetch`

### Fixes:
- If current hostname is `localhost`, we do not add that as an explicit domain when setting the `IRTFrontend` cookie.
## [4.1.5] - 2020-07-30
### Added
- Function to get Refresh URL's domain

@@ -326,5 +412,9 @@ - Function to set and get Auth0's API path

## [4.1.4] - 2020-06-09
### Added
- New tests added for testing JWT payload update
### Changed
- For testing, cookie domain changed from localhost to localhost.org

@@ -334,50 +424,76 @@ - In testing, GET "/" API will return userId of the logged in user

## [4.1.3] - 2020-04-02
### Changed
- In axios interception, when handling error, we no longer create a new axios instance
## [4.1.2] - 2020-03-20
### Changed
- Update license in package.json to match github's license.
## [4.1.1] - 2020-03-18
### Changed
- Updated dependency browser-tabs-lock's version
## [4.1.0] - 2020-03-17
### Changed
- Makes frontend id refresh token's cookie path = `/` So that it is accessible throughout a website and not just the page that was used to login the user (in case tha page was not `/`).
- Makes frontend id refresh token's cookie path = `/` So that it is accessible throughout a website and not just the page that was used to login the user (in case tha page was not `/`).
## [4.0.12] - 2020-03-09
### Changed
- Relaxes constraint for checking if session is alive
## [4.0.0]
### Changed
- Handles id refresh token via frontend cookies so that non sub domain cross domain requests can be made.
## [3.2.0] - 2019-07-22
### Added
- Added ability to check if a session exists or not.
## [3.1.0] - 2019-07-15
### Changed
- Minor changes.
## [3.0.3] - 2019-07-14
### Changed
- Adds support for api on a different domain (as long as there is a shared sub domain between currently loaded page and API) - via setting withCredentials to true.
## [3.0.2] - 2019-07-10
### Changed
- makeSuper is now a part of the default import
## [3.0.1] - 2019-07-10
### Changed
- creates fetch interceptor so that users do not need to change their existing fetch calls
### Added
- added support for axios calls
## [3.0.0] - 2019-07-10
### Added
- handling of anti-csrf token
- package testing
- package testing


lib/build/axios.js

@@ -152,2 +152,3 @@ "use strict";

var utils_1 = require("./utils");
var windowHandler_1 = require("./utils/windowHandler");
function getUrlFromConfig(config) {

@@ -187,3 +188,3 @@ var url = config.url === undefined ? "" : config.url;

doNotDoInterception = !utils_1.shouldDoInterceptionBasedOnUrl(
window.location.origin,
windowHandler_1.default.getReferenceOrThrow().windowHandler.location.getOrigin(),
fetch_1.default.config.apiDomain,
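Review bot: `shouldDoInterceptionBasedOnUrl` decides whether a request receives the session interception (credentials, anti-CSRF header, refresh handling), and its first argument now comes from the caller-supplied `windowHandler` instead of `window.location.origin`. That moves a security decision onto a pluggable input: a custom handler whose `location.getOrigin()` does not return exactly what the browser reports will either skip interception for the real API domain or apply it to requests it should not. State that requirement in the `WindowHandlerInput` docs, and have `validateAndNormaliseInputOrThrowError` reject a handler that returns an empty or malformed origin at `init` time.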

@@ -269,3 +270,3 @@ fetch_1.default.config.cookieDomain

doNotDoInterception = !utils_1.shouldDoInterceptionBasedOnUrl(
window.location.origin,
windowHandler_1.default.getReferenceOrThrow().windowHandler.location.getOrigin(),
fetch_1.default.config.apiDomain,

@@ -441,3 +442,5 @@ fetch_1.default.config.cookieDomain

!utils_1.shouldDoInterceptionBasedOnUrl(
window.location.origin,
windowHandler_1.default
.getReferenceOrThrow()
.windowHandler.location.getOrigin(),
fetch_1.default.config.apiDomain,
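Review bot: this is the third call site in the file repeating `windowHandler_1.default.getReferenceOrThrow().windowHandler.location.getOrigin()` verbatim; a small origin helper next to `shouldDoInterceptionBasedOnUrl` in the TypeScript source would keep the lookup in one place. As `lib/build` is compiled output, the change belongs in the source, not here.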

@@ -444,0 +447,0 @@ fetch_1.default.config.cookieDomain

@@ -166,2 +166,12 @@ "use strict";

var utils_1 = require("./utils");
var cookieHandler_1 = require("./utils/cookieHandler");
var windowHandler_1 = require("./utils/windowHandler");
function getWindowOrThrow() {
if (typeof window === "undefined") {
throw Error(
"If you are using this package with server-side rendering, please make sure that you are checking if the window object is defined."
);
}
return window;
}
var AntiCsrfToken = /** @class */ (function() {
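Review bot: the new module-local `getWindowOrThrow` duplicates `utils_1.getWindowOrThrow`, which the removed line in the following hunk was still calling. If the utils export was dropped in this release that is fine, but then the rendering is missing the hunk that removes it; otherwise keep a single definition. The file header for this hunk is also absent from the rendered page, which makes it hard to tell which build file these `AuthHttpRequest` changes land in.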

@@ -328,3 +338,3 @@ function AntiCsrfToken() {}

AuthHttpRequest.init = function(config, recipeImpl) {
AuthHttpRequest.env = utils_1.getWindowOrThrow().fetch === undefined ? global : utils_1.getWindowOrThrow();
AuthHttpRequest.env = getWindowOrThrow().fetch === undefined ? global : getWindowOrThrow();
AuthHttpRequest.refreshTokenUrl = config.apiDomain + config.apiBasePath + "/session/refresh";
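Review bot: `init` still calls the raw `getWindowOrThrow()` to choose `AuthHttpRequest.env`, so an application that supplies a `windowHandler` precisely because `window` is absent at init time will throw here before the handler is consulted. Either resolve `env` through the handler as well, or document that `windowHandler` only covers what its interface exposes and that a `window` object must still exist when `init` runs.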

@@ -391,3 +401,3 @@ AuthHttpRequest.signOutUrl = config.apiDomain + config.apiBasePath + "/signout";

doNotDoInterception = !utils_1.shouldDoInterceptionBasedOnUrl(
window.location.origin,
windowHandler_1.default.getReferenceOrThrow().windowHandler.location.getOrigin(),
AuthHttpRequest.config.apiDomain,

@@ -738,21 +748,40 @@ AuthHttpRequest.config.cookieDomain

function getIDFromCookieOld() {
var value = "; " + utils_1.getWindowOrThrow().document.cookie;
var parts = value.split("; " + ID_REFRESH_TOKEN_NAME + "=");
if (parts.length >= 2) {
var last = parts.pop();
if (last === "remove") {
// it means no session exists. This is different from
// it being undefined since in that case a session may or may not exist.
return "remove";
}
if (last !== undefined) {
return last.split(";").shift();
}
}
return undefined;
return __awaiter(this, void 0, void 0, function() {
var value, _a, parts, last;
return __generator(this, function(_b) {
switch (_b.label) {
case 0:
_a = "; ";
return [
4 /*yield*/,
cookieHandler_1.default.getReferenceOrThrow().cookieHandler.getCookie()
];
case 1:
value = _a + _b.sent();
parts = value.split("; " + ID_REFRESH_TOKEN_NAME + "=");
if (parts.length >= 2) {
last = parts.pop();
if (last === "remove") {
// it means no session exists. This is different from
// it being undefined since in that case a session may or may not exist.
return [2 /*return*/, "remove"];
}
if (last !== undefined) {
return [2 /*return*/, last.split(";").shift()];
}
}
return [2 /*return*/, undefined];
}
});
});
}
var fromCookie;
return __generator(this, function(_a) {
fromCookie = getIDFromCookieOld();
return [2 /*return*/, fromCookie];
switch (_a.label) {
case 0:
return [4 /*yield*/, getIDFromCookieOld()];
case 1:
fromCookie = _a.sent();
return [2 /*return*/, fromCookie];
}
});
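Review bot: the parsing still splits the whole cookie string on `"; " + ID_REFRESH_TOKEN_NAME + "="` and takes the last match, so it depends on `cookieHandler.getCookie()` returning a string in exactly the `document.cookie` format (`name=value; name=value`). A custom handler that returns anything else silently yields `undefined`, which this code treats as "session may or may not exist" and which will trigger refresh attempts rather than an error. Document that format requirement on the handler type, or better, let the handler return one cookie by name so the SDK never parses the raw string; the identical parsing is repeated for the anti-CSRF and front token getters later in this diff, so one shared helper in the source would also reduce bundle size.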

@@ -814,45 +843,78 @@ });

function setIDToCookie(idRefreshToken, domain) {
// if the value of the token is "remove", it means
// the session is being removed. So we set it to "remove" in the
// cookie. This way, when we query for this token, we will return
// undefined (see getIdRefreshToken), and not refresh the session
// unnecessarily.
var expires = "Fri, 31 Dec 9999 23:59:59 GMT";
var cookieVal = "remove";
if (idRefreshToken !== "remove") {
var splitted = idRefreshToken.split(";");
cookieVal = splitted[0];
// we must always respect this expiry and not set it to infinite
// cause this ties into the session's lifetime. If we set this
// to infinite, then a session may not exist, and this will exist,
// then for example, if we check a session exists, and this says yes,
// then if we getAccessTokenPayload, that will attempt a session refresh which will fail.
// Another reason to respect this is that if we don't, then signOut will
// call the API which will return 200 (no 401 cause the API thinks no session exists),
// in which case, we will not end up firing the SIGN_OUT on handle event.
expires = new Date(Number(splitted[1])).toUTCString();
}
if (domain === "localhost" || domain === window.location.hostname) {
// since some browsers ignore cookies with domain set to localhost
// see https://github.com/supertokens/supertokens-website/issues/25
utils_1.getWindowOrThrow().document.cookie =
ID_REFRESH_TOKEN_NAME +
"=" +
cookieVal +
";expires=" +
expires +
";path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax");
} else {
utils_1.getWindowOrThrow().document.cookie =
ID_REFRESH_TOKEN_NAME +
"=" +
cookieVal +
";expires=" +
expires +
";domain=" +
domain +
";path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax");
}
return __awaiter(this, void 0, void 0, function() {
var expires, cookieVal, splitted;
return __generator(this, function(_a) {
switch (_a.label) {
case 0:
expires = "Fri, 31 Dec 9999 23:59:59 GMT";
cookieVal = "remove";
if (idRefreshToken !== "remove") {
splitted = idRefreshToken.split(";");
cookieVal = splitted[0];
// we must always respect this expiry and not set it to infinite
// cause this ties into the session's lifetime. If we set this
// to infinite, then a session may not exist, and this will exist,
// then for example, if we check a session exists, and this says yes,
// then if we getAccessTokenPayload, that will attempt a session refresh which will fail.
// Another reason to respect this is that if we don't, then signOut will
// call the API which will return 200 (no 401 cause the API thinks no session exists),
// in which case, we will not end up firing the SIGN_OUT on handle event.
expires = new Date(Number(splitted[1])).toUTCString();
}
if (
!(
domain === "localhost" ||
domain ===
windowHandler_1.default
.getReferenceOrThrow()
.windowHandler.location.getHostName()
)
)
return [3 /*break*/, 2];
// since some browsers ignore cookies with domain set to localhost
// see https://github.com/supertokens/supertokens-website/issues/25
return [
4 /*yield*/,
cookieHandler_1.default
.getReferenceOrThrow()
.cookieHandler.setCookie(
ID_REFRESH_TOKEN_NAME +
"=" +
cookieVal +
";expires=" +
expires +
";path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax")
)
];
case 1:
// since some browsers ignore cookies with domain set to localhost
// see https://github.com/supertokens/supertokens-website/issues/25
_a.sent();
return [3 /*break*/, 4];
case 2:
return [
4 /*yield*/,
cookieHandler_1.default
.getReferenceOrThrow()
.cookieHandler.setCookie(
ID_REFRESH_TOKEN_NAME +
"=" +
cookieVal +
";expires=" +
expires +
";domain=" +
domain +
";path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax")
)
];
case 3:
_a.sent();
_a.label = 4;
case 4:
return [2 /*return*/];
}
});
});
}
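Review bot: a custom `setCookie` now receives the complete attribute string (`expires`, optional `domain`, `path=/`, `samesite`), and the `"remove"` sentinel plus the expiry copied from the token only work if the handler honours `expires`; the handler docs should say so, since the long comment above explains why that expiry matters for `signOut` and refresh. Two points carried over from the old code: `expires = new Date(Number(splitted[1])).toUTCString()` produces `"Invalid Date"` when the token has no `;` part, and `samesite=none;secure` is emitted only inside an iframe, so outside an iframe the cookie is `lax` without `secure` even on https origins. Both are pre-existing, but this rewrite is the natural place to fix them.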

@@ -866,3 +928,5 @@ var status;

status = _a.sent().status;
setIDToCookie(idRefreshToken, AuthHttpRequest.config.sessionScope);
return [4 /*yield*/, setIDToCookie(idRefreshToken, AuthHttpRequest.config.sessionScope)];
case 2:
_a.sent();
if (idRefreshToken === "remove" && status === "EXISTS") {

@@ -897,15 +961,29 @@ // we check for wasLoggedIn cause we don't want to fire an event

function getAntiCSRFromCookie() {
var value = "; " + utils_1.getWindowOrThrow().document.cookie;
var parts = value.split("; " + ANTI_CSRF_NAME + "=");
if (parts.length >= 2) {
var last = parts.pop();
if (last !== undefined) {
var temp = last.split(";").shift();
if (temp === undefined) {
return null;
return __awaiter(this, void 0, void 0, function() {
var value, _a, parts, last, temp;
return __generator(this, function(_b) {
switch (_b.label) {
case 0:
_a = "; ";
return [
4 /*yield*/,
cookieHandler_1.default.getReferenceOrThrow().cookieHandler.getCookie()
];
case 1:
value = _a + _b.sent();
parts = value.split("; " + ANTI_CSRF_NAME + "=");
if (parts.length >= 2) {
last = parts.pop();
if (last !== undefined) {
temp = last.split(";").shift();
if (temp === undefined) {
return [2 /*return*/, null];
}
return [2 /*return*/, temp];
}
}
return [2 /*return*/, null];
}
return temp;
}
}
return null;
});
});
}

@@ -923,3 +1001,5 @@ var fromCookie;

}
fromCookie = getAntiCSRFromCookie();
return [4 /*yield*/, getAntiCSRFromCookie()];
case 2:
fromCookie = _a.sent();
return [2 /*return*/, fromCookie];

@@ -934,55 +1014,112 @@ }

function setAntiCSRFToCookie(antiCSRFToken, domain) {
var expires = "Thu, 01 Jan 1970 00:00:01 GMT";
var cookieVal = "";
if (antiCSRFToken !== undefined) {
cookieVal = antiCSRFToken;
expires = undefined; // set cookie without expiry
}
if (domain === "localhost" || domain === window.location.hostname) {
// since some browsers ignore cookies with domain set to localhost
// see https://github.com/supertokens/supertokens-website/issues/25
if (expires !== undefined) {
utils_1.getWindowOrThrow().document.cookie =
ANTI_CSRF_NAME +
"=" +
cookieVal +
";expires=" +
expires +
";path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax");
} else {
utils_1.getWindowOrThrow().document.cookie =
ANTI_CSRF_NAME +
"=" +
cookieVal +
";expires=Fri, 31 Dec 9999 23:59:59 GMT;path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax");
}
} else {
if (expires !== undefined) {
utils_1.getWindowOrThrow().document.cookie =
ANTI_CSRF_NAME +
"=" +
cookieVal +
";expires=" +
expires +
";domain=" +
domain +
";path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax");
} else {
utils_1.getWindowOrThrow().document.cookie =
ANTI_CSRF_NAME +
"=" +
cookieVal +
";domain=" +
domain +
";expires=Fri, 31 Dec 9999 23:59:59 GMT;path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax");
}
}
return __awaiter(this, void 0, void 0, function() {
var expires, cookieVal;
return __generator(this, function(_a) {
switch (_a.label) {
case 0:
expires = "Thu, 01 Jan 1970 00:00:01 GMT";
cookieVal = "";
if (antiCSRFToken !== undefined) {
cookieVal = antiCSRFToken;
expires = undefined; // set cookie without expiry
}
if (
!(
domain === "localhost" ||
domain ===
windowHandler_1.default
.getReferenceOrThrow()
.windowHandler.location.getHostName()
)
)
return [3 /*break*/, 5];
if (!(expires !== undefined)) return [3 /*break*/, 2];
return [
4 /*yield*/,
cookieHandler_1.default
.getReferenceOrThrow()
.cookieHandler.setCookie(
ANTI_CSRF_NAME +
"=" +
cookieVal +
";expires=" +
expires +
";path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax")
)
];
case 1:
_a.sent();
return [3 /*break*/, 4];
case 2:
return [
4 /*yield*/,
cookieHandler_1.default
.getReferenceOrThrow()
.cookieHandler.setCookie(
ANTI_CSRF_NAME +
"=" +
cookieVal +
";expires=Fri, 31 Dec 9999 23:59:59 GMT;path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax")
)
];
case 3:
_a.sent();
_a.label = 4;
case 4:
return [3 /*break*/, 9];
case 5:
if (!(expires !== undefined)) return [3 /*break*/, 7];
return [
4 /*yield*/,
cookieHandler_1.default
.getReferenceOrThrow()
.cookieHandler.setCookie(
ANTI_CSRF_NAME +
"=" +
cookieVal +
";expires=" +
expires +
";domain=" +
domain +
";path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax")
)
];
case 6:
_a.sent();
return [3 /*break*/, 9];
case 7:
return [
4 /*yield*/,
cookieHandler_1.default
.getReferenceOrThrow()
.cookieHandler.setCookie(
ANTI_CSRF_NAME +
"=" +
cookieVal +
";domain=" +
domain +
";expires=Fri, 31 Dec 9999 23:59:59 GMT;path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax")
)
];
case 8:
_a.sent();
_a.label = 9;
case 9:
return [2 /*return*/];
}
});
});
}
return __generator(this, function(_a) {
setAntiCSRFToCookie(antiCSRFToken, AuthHttpRequest.config.sessionScope);
return [2 /*return*/];
switch (_a.label) {
case 0:
return [4 /*yield*/, setAntiCSRFToCookie(antiCSRFToken, AuthHttpRequest.config.sessionScope)];
case 1:
_a.sent();
return [2 /*return*/];
}
});
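Review bot: the four branches of `setAntiCSRFToCookie` differ only in whether `domain=` and a caller-supplied `expires` are included; building the attribute list once and calling `setCookie` once would collapse the generated state machine (labels 0 to 9), which is hard to review in this form, and the same applies to the identical `setFrontTokenToCookie` further down. Do it in the TypeScript source rather than here. Note also that the anti-CSRF cookie is intentionally readable by script (the SDK reads it back to set the request header), so `samesite` and `secure` are its only protections; keep that in mind when simplifying the attribute handling.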

@@ -995,15 +1132,29 @@ });

function getFrontTokenFromCookie() {
var value = "; " + utils_1.getWindowOrThrow().document.cookie;
var parts = value.split("; " + FRONT_TOKEN_NAME + "=");
if (parts.length >= 2) {
var last = parts.pop();
if (last !== undefined) {
var temp = last.split(";").shift();
if (temp === undefined) {
return null;
return __awaiter(this, void 0, void 0, function() {
var value, _a, parts, last, temp;
return __generator(this, function(_b) {
switch (_b.label) {
case 0:
_a = "; ";
return [
4 /*yield*/,
cookieHandler_1.default.getReferenceOrThrow().cookieHandler.getCookie()
];
case 1:
value = _a + _b.sent();
parts = value.split("; " + FRONT_TOKEN_NAME + "=");
if (parts.length >= 2) {
last = parts.pop();
if (last !== undefined) {
temp = last.split(";").shift();
if (temp === undefined) {
return [2 /*return*/, null];
}
return [2 /*return*/, temp];
}
}
return [2 /*return*/, null];
}
return temp;
}
}
return null;
});
});
}

@@ -1021,3 +1172,5 @@ var fromCookie;

}
fromCookie = getFrontTokenFromCookie();
return [4 /*yield*/, getFrontTokenFromCookie()];
case 2:
fromCookie = _a.sent();
return [2 /*return*/, fromCookie];

@@ -1032,55 +1185,112 @@ }

function setFrontTokenToCookie(frontToken, domain) {
var expires = "Thu, 01 Jan 1970 00:00:01 GMT";
var cookieVal = "";
if (frontToken !== undefined) {
cookieVal = frontToken;
expires = undefined; // set cookie without expiry
}
if (domain === "localhost" || domain === window.location.hostname) {
// since some browsers ignore cookies with domain set to localhost
// see https://github.com/supertokens/supertokens-website/issues/25
if (expires !== undefined) {
utils_1.getWindowOrThrow().document.cookie =
FRONT_TOKEN_NAME +
"=" +
cookieVal +
";expires=" +
expires +
";path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax");
} else {
utils_1.getWindowOrThrow().document.cookie =
FRONT_TOKEN_NAME +
"=" +
cookieVal +
";expires=Fri, 31 Dec 9999 23:59:59 GMT;path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax");
}
} else {
if (expires !== undefined) {
utils_1.getWindowOrThrow().document.cookie =
FRONT_TOKEN_NAME +
"=" +
cookieVal +
";expires=" +
expires +
";domain=" +
domain +
";path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax");
} else {
utils_1.getWindowOrThrow().document.cookie =
FRONT_TOKEN_NAME +
"=" +
cookieVal +
";domain=" +
domain +
";expires=Fri, 31 Dec 9999 23:59:59 GMT;path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax");
}
}
return __awaiter(this, void 0, void 0, function() {
var expires, cookieVal;
return __generator(this, function(_a) {
switch (_a.label) {
case 0:
expires = "Thu, 01 Jan 1970 00:00:01 GMT";
cookieVal = "";
if (frontToken !== undefined) {
cookieVal = frontToken;
expires = undefined; // set cookie without expiry
}
if (
!(
domain === "localhost" ||
domain ===
windowHandler_1.default
.getReferenceOrThrow()
.windowHandler.location.getHostName()
)
)
return [3 /*break*/, 5];
if (!(expires !== undefined)) return [3 /*break*/, 2];
return [
4 /*yield*/,
cookieHandler_1.default
.getReferenceOrThrow()
.cookieHandler.setCookie(
FRONT_TOKEN_NAME +
"=" +
cookieVal +
";expires=" +
expires +
";path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax")
)
];
case 1:
_a.sent();
return [3 /*break*/, 4];
case 2:
return [
4 /*yield*/,
cookieHandler_1.default
.getReferenceOrThrow()
.cookieHandler.setCookie(
FRONT_TOKEN_NAME +
"=" +
cookieVal +
";expires=Fri, 31 Dec 9999 23:59:59 GMT;path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax")
)
];
case 3:
_a.sent();
_a.label = 4;
case 4:
return [3 /*break*/, 9];
case 5:
if (!(expires !== undefined)) return [3 /*break*/, 7];
return [
4 /*yield*/,
cookieHandler_1.default
.getReferenceOrThrow()
.cookieHandler.setCookie(
FRONT_TOKEN_NAME +
"=" +
cookieVal +
";expires=" +
expires +
";domain=" +
domain +
";path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax")
)
];
case 6:
_a.sent();
return [3 /*break*/, 9];
case 7:
return [
4 /*yield*/,
cookieHandler_1.default
.getReferenceOrThrow()
.cookieHandler.setCookie(
FRONT_TOKEN_NAME +
"=" +
cookieVal +
";domain=" +
domain +
";expires=Fri, 31 Dec 9999 23:59:59 GMT;path=/;samesite=" +
(AuthHttpRequest.config.isInIframe ? "none;secure" : "lax")
)
];
case 8:
_a.sent();
_a.label = 9;
case 9:
return [2 /*return*/];
}
});
});
}
return __generator(this, function(_a) {
setFrontTokenToCookie(frontToken, AuthHttpRequest.config.sessionScope);
return [2 /*return*/];
switch (_a.label) {
case 0:
return [4 /*yield*/, setFrontTokenToCookie(frontToken, AuthHttpRequest.config.sessionScope)];
case 1:
_a.sent();
return [2 /*return*/];
}
});

@@ -1087,0 +1297,0 @@ });

@@ -152,5 +152,9 @@ "use strict";

var utils_1 = require("./utils");
var cookieHandler_1 = require("./utils/cookieHandler");
var windowHandler_1 = require("./utils/windowHandler");
var AuthHttpRequest = /** @class */ (function() {
function AuthHttpRequest() {}
AuthHttpRequest.init = function(options) {
cookieHandler_1.default.init(options.cookieHandler);
windowHandler_1.default.init(options.windowHandler);
var config = utils_1.validateAndNormaliseInputOrThrowError(options);
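Review bot: `cookieHandler_1.default.init(options.cookieHandler)` and `windowHandler_1.default.init(options.windowHandler)` run before `validateAndNormaliseInputOrThrowError(options)`, so a rejected config still leaves the module-level handler singletons replaced with the caller's handlers. Validate first so a failed `init` has no side effects, and consider validating the handler inputs themselves (that the required functions exist) as part of the same step.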

@@ -157,0 +161,0 @@ var recipeImpl = new supertokens_js_override_1.default(recipeImplementation_1.default())

import OverrideableBuilder from "supertokens-js-override";
import { CookieHandlerInput } from "./utils/cookieHandler/types";
import { WindowHandlerInput } from "./utils/windowHandler/types";
export declare type Event = {

@@ -17,2 +19,4 @@ action: "SIGN_OUT" | "REFRESH_SESSION" | "SESSION_CREATED";

cookieDomain?: string;
cookieHandler?: CookieHandlerInput;
windowHandler?: WindowHandlerInput;
preAPIHook?: (context: {
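Review bot: `cookieHandler?: CookieHandlerInput` and `windowHandler?: WindowHandlerInput` join the public input type without doc comments. The contract is not obvious from the names: the build hunks in this diff require `getCookie()` to return a `document.cookie`-formatted string, pass a full attribute string to `setCookie()`, and use `location.getOrigin()` and `getHostName()` for the interception and cookie-domain decisions. A JSDoc block on each field, or a pointer to the handler types, would stop integrators from shipping handlers that are subtly wrong.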

@@ -19,0 +23,0 @@ action: "SIGN_OUT" | "REFRESH_SESSION";

@@ -1,2 +0,2 @@

export declare const package_version = "10.0.11";
export declare const package_version = "10.1.0";
export declare const supported_fdi: string[];

@@ -17,3 +17,3 @@ "use strict";

*/
exports.package_version = "10.0.11";
exports.package_version = "10.1.0";
exports.supported_fdi = ["1.8", "1.9", "1.10", "1.11", "1.12", "1.13"];
{
"name": "supertokens-website",
"version": "10.0.11",
"version": "10.1.0",
"description": "frontend sdk for website to be used for auth solution.",

@@ -67,3 +67,3 @@ "main": "index.js",

"path": "lib/build/bundleEntry.js",
"limit": "10kb"
"limit": "11kb"
}
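Review bot: the size-limit for `lib/build/bundleEntry.js` is raised from `10kb` to `11kb` to accommodate the handler modules. That is reasonable, but the changelog does not mention the increase; add a line there, and note that deduplicating the cookie parsing and the repeated `setCookie` branches in the source would likely keep the bundle within the old budget.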

@@ -70,0 +70,0 @@ ],
