Migrate from NPM token to OIDC authentication (v4) (#1250)

Author: developerkunal

.github/actions/npm-publish/action.yml

@@ -3,8 +3,6 @@ name: Publish release to npm
 inputs:
   node-version:
     required: true
-  npm-token:
-    required: true
   version:
     required: true
   require-build:
@@ -48,5 +46,4 @@ runs:
         fi
         npm publish --provenance --tag $TAG
       env:
-        NODE_AUTH_TOKEN: ${{ inputs.npm-token }}
         VERSION: ${{ inputs.version }}

.github/actions/release-create/action.yml

@@ -33,14 +33,15 @@ runs:
   using: composite
 
   steps:
-    - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
+    - uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # pin@v2.4.2
       with:
         body: ${{ inputs.body }}
         name: ${{ inputs.name }}
         tag_name: ${{ inputs.tag }}
         target_commitish: ${{ inputs.commit }}
         draft: ${{ inputs.draft }}
         prerelease: ${{ inputs.prerelease }}
+        make_latest: false
         fail_on_unmatched_files: ${{ inputs.fail_on_unmatched_files }}
         files: ${{ inputs.files }}
       env:

.github/workflows/npm-release.yml

@@ -15,8 +15,6 @@ on:
     secrets:
       github-token:
         required: true
-      npm-token:
-        required: true
 
 ### TODO: Replace instances of './.github/actions/' w/ `auth0/dx-sdk-actions/` and append `@latest` after the common `dx-sdk-actions` repo is made public.
 ### TODO: Also remove `get-prerelease`, `get-version`, `release-create`, `tag-create` and `tag-exists` actions from this repo's .github/actions folder once the repo is public.
@@ -26,6 +24,9 @@ jobs:
     if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
     runs-on: ubuntu-latest
     environment: release
+    permissions:
+      contents: write
+      id-token: write
 
     steps:
       # Checkout the code
@@ -70,7 +71,6 @@ jobs:
           require-build: ${{ inputs.require-build }}
           release-directory: ${{ inputs.release-directory }}
           version: ${{ steps.get_version.outputs.version }}
-          npm-token: ${{ secrets.npm-token }}
 
       # Create a release for the tag
       - uses: ./.github/actions/release-create

.github/workflows/release.yml

@@ -35,5 +35,4 @@ jobs:
       node-version: 18
       require-build: true
     secrets:
-      npm-token: ${{ secrets.NPM_TOKEN }}
       github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -6,16 +6,18 @@ on:
   pull_request:
     branches:
       - master
+      - v4
   push:
     branches:
       - master
+      - v4
 
 permissions:
   contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+  cancel-in-progress: ${{ !contains(fromJSON('["refs/heads/master", "refs/heads/v4"]'), github.ref) }}
 
 jobs:
   build:

src/auth/database.ts

@@ -156,17 +156,17 @@ export class Database extends BaseAuthAPI {
     );
 
     // Transform the response to ensure id field is always available
-        const jsonResponse = await JSONApiResponse.fromResponse(response);
+    const jsonResponse = await JSONApiResponse.fromResponse(response);
 
-        if (jsonResponse.data) {
-            const data = jsonResponse.data as Record<string, unknown>;
-            // Map _id or user_id to id
-            if (!data.id && (data._id || data.user_id)) {
-                data.id = data._id || data.user_id;
-            }
-        }
+    if (jsonResponse.data) {
+      const data = jsonResponse.data as Record<string, unknown>;
+      // Map _id or user_id to id
+      if (!data.id && (data._id || data.user_id)) {
+        data.id = data._id || data.user_id;
+      }
+    }
 
-        return jsonResponse as JSONApiResponse<SignUpResponse>;
+    return jsonResponse as JSONApiResponse<SignUpResponse>;
   }
 
   /**

src/management/__generated/models/index.ts

@@ -275,7 +275,7 @@ export interface Auth0V2CaptchaConfig {
 /**
  * List of IP addresses or CIDR blocks to allowlist
  */
-export interface BotDetectionAllowlist extends Array<BotDetectionIpAddressOrCidrBlock> {}
+export type BotDetectionAllowlist = Array<BotDetectionIpAddressOrCidrBlock>;
 
 /**
  * The policy that defines how often to show CAPTCHA
@@ -6771,8 +6771,7 @@ export interface GetConnections200ResponseOneOf {
 /**
  *
  */
-export interface GetConnectionsKeysResponseContent
-  extends Array<GetConnectionsKeysResponseContentInner> {}
+export type GetConnectionsKeysResponseContent = Array<GetConnectionsKeysResponseContentInner>;
 /**
  *
  */
@@ -19972,7 +19971,7 @@ export type UserAttributeProfilePatchUserId = UserAttributeProfileUserId;
 /**
  * SAML mapping override for this strategy
  */
-export interface UserAttributeProfileSamlMapping extends Array<string> {}
+export type UserAttributeProfileSamlMapping = Array<string>;
 /**
  * Strategy-specific overrides for this attribute
  */
@@ -20186,7 +20185,7 @@ export type UserAttributeProfileUserIdOidcStrategyOverrideMapping =
 /**
  * SAML mapping for user ID
  */
-export interface UserAttributeProfileUserIdSamlMapping extends Array<string> {}
+export type UserAttributeProfileUserIdSamlMapping = Array<string>;
 /**
  *
  */

test/auth/database.test.ts

@@ -42,35 +42,35 @@ describe('Database', () => {
     });
 
     it("should signup a user when response param for id is 'user_id'", async () => {
-            const database = new Database(opts);
-            const email = "test-email-1@example.com";
-            const { data } = await database.signUp({
-                email,
-                password: PASSWORD,
-                connection: "Username-Password-Authentication",
-            });
-            expect(data).toEqual({
-                user_id: "test-id",
-                id: "test-id",
-                email_verified: false,
-                email,
-            });
-        });
+      const database = new Database(opts);
+      const email = 'test-email-1@example.com';
+      const { data } = await database.signUp({
+        email,
+        password: PASSWORD,
+        connection: 'Username-Password-Authentication',
+      });
+      expect(data).toEqual({
+        user_id: 'test-id',
+        id: 'test-id',
+        email_verified: false,
+        email,
+      });
+    });
 
-        it("should signup a user when response param for id is 'id'", async () => {
-            const database = new Database(opts);
-            const email = "test-email-2@example.com";
-            const { data } = await database.signUp({
-                email,
-                password: PASSWORD,
-                connection: "Username-Password-Authentication",
-            });
-            expect(data).toEqual({
-                id: "test-id",
-                email_verified: false,
-                email,
-            });
-        });
+    it("should signup a user when response param for id is 'id'", async () => {
+      const database = new Database(opts);
+      const email = 'test-email-2@example.com';
+      const { data } = await database.signUp({
+        email,
+        password: PASSWORD,
+        connection: 'Username-Password-Authentication',
+      });
+      expect(data).toEqual({
+        id: 'test-id',
+        email_verified: false,
+        email,
+      });
+    });
 
     it('should require connection', async () => {
       const database = new Database(opts);

test/management/organizations.test.ts

@@ -1532,7 +1532,7 @@ describe('OrganizationsManager', () => {
     const operation = organizations.postOrganizationClientGrants(requestParameters, requestBody);
     const expectedResponse: GetOrganizationClientGrants200ResponseOneOfInner = <
       GetOrganizationClientGrants200ResponseOneOfInner
-      >{};
+    >{};
     const uri = `/organizations/{id}/client-grants`.replace(
       '{id}',
       encodeURIComponent(String(requestParameters.id))
@@ -1571,7 +1571,9 @@ describe('OrganizationsManager', () => {
     };
 
     beforeEach(() => {
-      request = nock(API_URL).get(`/organizations/${data.id}/discovery-domains`).reply(200, responseData);
+      request = nock(API_URL)
+        .get(`/organizations/${data.id}/discovery-domains`)
+        .reply(200, responseData);
     });
 
     it('should return a promise when no callback is given', (done) => {
@@ -1652,7 +1654,10 @@ describe('OrganizationsManager', () => {
     });
 
     it('should return a promise if no callback is given', (done) => {
-      organizations.getDiscoveryDomain(data).then(done.bind(null, null)).catch(done.bind(null, null));
+      organizations
+        .getDiscoveryDomain(data)
+        .then(done.bind(null, null))
+        .catch(done.bind(null, null));
     });
 
     it('should perform a GET request to /api/v2/organizations/:id/discovery-domains/:discovery_domain_id', (done) => {
@@ -1690,11 +1695,15 @@ describe('OrganizationsManager', () => {
     });
 
     it('should return error when id is not sent', async () => {
-      await expect(organizations.getDiscoveryDomain({ discovery_domain_id: 'ord_123' } as any)).rejects.toThrow(RequiredError);
+      await expect(
+        organizations.getDiscoveryDomain({ discovery_domain_id: 'ord_123' } as any)
+      ).rejects.toThrow(RequiredError);
     });
 
     it('should return error when discovery_domain_id is not sent', async () => {
-      await expect(organizations.getDiscoveryDomain({ id: 'org_123' } as any)).rejects.toThrow(RequiredError);
+      await expect(organizations.getDiscoveryDomain({ id: 'org_123' } as any)).rejects.toThrow(
+        RequiredError
+      );
     });
   });
 
@@ -1724,7 +1733,10 @@ describe('OrganizationsManager', () => {
     });
 
     it('should return a promise if no callback is given', (done) => {
-      organizations.createDiscoveryDomain(data, body).then(done.bind(null, null)).catch(done.bind(null, null));
+      organizations
+        .createDiscoveryDomain(data, body)
+        .then(done.bind(null, null))
+        .catch(done.bind(null, null));
     });
 
     it('should pass any errors to the promise catch handler', (done) => {
@@ -1746,7 +1758,9 @@ describe('OrganizationsManager', () => {
     });
 
     it('should return error when id is not sent', async () => {
-      await expect(organizations.createDiscoveryDomain({} as any, body)).rejects.toThrow(RequiredError);
+      await expect(organizations.createDiscoveryDomain({} as any, body)).rejects.toThrow(
+        RequiredError
+      );
     });
 
     it('should pass the data in the body of the request', (done) => {
@@ -1800,7 +1814,10 @@ describe('OrganizationsManager', () => {
     });
 
     it('should return a promise if no callback is given', (done) => {
-      organizations.updateDiscoveryDomain(data, body).then(done.bind(null, null)).catch(done.bind(null, null));
+      organizations
+        .updateDiscoveryDomain(data, body)
+        .then(done.bind(null, null))
+        .catch(done.bind(null, null));
     });
 
     it('should pass any errors to the promise catch handler', (done) => {
@@ -1824,11 +1841,15 @@ describe('OrganizationsManager', () => {
     });
 
     it('should return error when id is not sent', async () => {
-      await expect(organizations.updateDiscoveryDomain({ discovery_domain_id: 'ord_123' } as any, body)).rejects.toThrow(RequiredError);
+      await expect(
+        organizations.updateDiscoveryDomain({ discovery_domain_id: 'ord_123' } as any, body)
+      ).rejects.toThrow(RequiredError);
     });
 
     it('should return error when discovery_domain_id is not sent', async () => {
-      await expect(organizations.updateDiscoveryDomain({ id: 'org_123' } as any, body)).rejects.toThrow(RequiredError);
+      await expect(
+        organizations.updateDiscoveryDomain({ id: 'org_123' } as any, body)
+      ).rejects.toThrow(RequiredError);
     });
 
     it('should pass the data in the body of the request', (done) => {
@@ -1872,7 +1893,9 @@ describe('OrganizationsManager', () => {
     });
 
     it('should validate empty id', async () => {
-      await expect(organizations.deleteDiscoveryDomain({ discovery_domain_id: 'ord_123' } as any)).rejects.toThrow(RequiredError);
+      await expect(
+        organizations.deleteDiscoveryDomain({ discovery_domain_id: 'ord_123' } as any)
+      ).rejects.toThrow(RequiredError);
     });
 
     it('should return a promise if no callback is given', (done) => {
@@ -1900,7 +1923,9 @@ describe('OrganizationsManager', () => {
     });
 
     it('should return error when discovery_domain_id is not sent', async () => {
-      await expect(organizations.deleteDiscoveryDomain({ id: 'org_123' } as any)).rejects.toThrow(RequiredError);
+      await expect(organizations.deleteDiscoveryDomain({ id: 'org_123' } as any)).rejects.toThrow(
+        RequiredError
+      );
     });
 
     it('should include the token in the Authorization header', (done) => {

test/management/user-attribute-profiles.test.ts

@@ -71,8 +71,8 @@ describe('UserAttributeProfilesManager', () => {
           auth0_mapping: 'testUser',
           oidc_mapping: {
             mapping: 'preferred_username',
-            display_name: 'Display Name'
-          }
+            display_name: 'Display Name',
+          },
         },
       },
     };