|
1 | 1 | /** |
2 | | - * auth0-js v9.32.0 |
| 2 | + * auth0-js v10.0.0 |
3 | 3 | * Author: Auth0 |
4 | | - * Date: 2026-03-25 |
| 4 | + * Date: 2026-05-06 |
5 | 5 | * License: MIT |
6 | 6 | */ |
7 | 7 |
|
|
6047 | 6047 | if (hasRequiredVersion) return version$1; |
6048 | 6048 | hasRequiredVersion = 1; |
6049 | 6049 | version$1 = { |
6050 | | - raw: '9.32.0' |
| 6050 | + raw: '10.0.0' |
6051 | 6051 | }; |
6052 | 6052 | return version$1; |
6053 | 6053 | } |
|
8772 | 8772 | * |
8773 | 8773 | * Only validates id_tokens signed by Auth0 using the RS256 algorithm using the public key exposed |
8774 | 8774 | * by the `/.well-known/jwks.json` endpoint of your account. |
8775 | | - * Tokens signed with the HS256 algorithm cannot be properly validated. |
8776 | | - * Instead, a call to {@link userInfo} will be made with the parsed `access_token`. |
8777 | | - * If the {@link userInfo} call fails, the {@link userInfo} error will be passed to the callback. |
| 8775 | + * Tokens signed with the HS256 algorithm cannot be properly validated and will result in an error. |
8778 | 8776 | * Tokens signed with other algorithms will not be accepted. |
8779 | 8777 | * |
8780 | 8778 | * @example |
|
8839 | 8837 | * |
8840 | 8838 | * Only validates id_tokens signed by Auth0 using the RS256 algorithm using the public key exposed |
8841 | 8839 | * by the `/.well-known/jwks.json` endpoint of your account. |
8842 | | - * Tokens signed with the HS256 algorithm cannot be properly validated. |
8843 | | - * Instead, a call to {@link userInfo} will be made with the parsed `access_token`. |
8844 | | - * If the {@link userInfo} call fails, the {@link userInfo} error will be passed to the callback. |
| 8840 | + * Tokens signed with the HS256 algorithm cannot be properly validated and will result in an error. |
8845 | 8841 | * Tokens signed with other algorithms will not be accepted. |
8846 | 8842 | * |
8847 | 8843 | * @method validateAuthenticationResponse |
|
8924 | 8920 | return callback(null, payload); |
8925 | 8921 | }); |
8926 | 8922 | } |
8927 | | - if (validationError.error !== 'invalid_token' || validationError.errorDescription && validationError.errorDescription.indexOf('Nonce (nonce) claim value mismatch in the ID token') > -1) { |
8928 | | - return callback(validationError); |
8929 | | - } |
8930 | | - |
8931 | | - // if it's an invalid_token error, decode the token |
8932 | | - var decodedToken = new I().decode(parsedHash.id_token); |
8933 | | - |
8934 | | - // if the alg is not HS256, return the raw error |
8935 | | - if (decodedToken.header.alg !== 'HS256') { |
8936 | | - return callback(validationError); |
8937 | | - } |
8938 | | - if ((decodedToken.payload.nonce || null) !== transactionNonce) { |
8939 | | - return callback({ |
8940 | | - error: 'invalid_token', |
8941 | | - errorDescription: 'Nonce (nonce) claim value mismatch in the ID token; expected "' + transactionNonce + '", found "' + decodedToken.payload.nonce + '"' |
8942 | | - }); |
8943 | | - } |
8944 | | - if (!parsedHash.access_token) { |
8945 | | - var noAccessTokenError = { |
8946 | | - error: 'invalid_token', |
8947 | | - description: 'The id_token cannot be validated because it was signed with the HS256 algorithm and public clients (like a browser) can’t store secrets. Please read the associated doc for possible ways to fix this. Read more: https://auth0.com/docs/errors/libraries/auth0-js/invalid-token#parsing-an-hs256-signed-id-token-without-an-access-token' |
8948 | | - }; |
8949 | | - return callback(noAccessTokenError); |
8950 | | - } |
8951 | | - |
8952 | | - // if the alg is HS256, use the /userinfo endpoint to build the payload |
8953 | | - return _this.client.userInfo(parsedHash.access_token, function (errUserInfo, profile) { |
8954 | | - // if the /userinfo request fails, use the validationError instead |
8955 | | - if (errUserInfo) { |
8956 | | - return callback(errUserInfo); |
8957 | | - } |
8958 | | - return callback(null, profile); |
8959 | | - }); |
| 8923 | + return callback(validationError); |
8960 | 8924 | }); |
8961 | 8925 | }; |
8962 | 8926 | function buildParseHashResponse(qsParams, appState, token) { |
|
0 commit comments