feat: Add usage examples for React Native Auth0 on Web and update migration guide for v5

subhankarmaiti · subhankarmaiti · commit 1f88157bd80f · 2025-07-14T03:24:12.000+05:30
diff --git a/EXAMPLES-WEB.md b/EXAMPLES-WEB.md
@@ -0,0 +1,135 @@
+# React Native Auth0 for Web: Examples
+
+This guide provides usage examples specifically for developers targeting **React Native Web**. The web platform uses the underlying `@auth0/auth0-spa-js` library, and its features are aligned with browser security best practices.
+
+## Setup: The `Auth0Provider`
+
+All web-based authentication starts with wrapping your application in the `Auth0Provider`. You can also pass `auth0-spa-js` specific options.
+
+```jsx
+// App.js
+import { Auth0Provider } from 'react-native-auth0';
+
+const App = () => {
+  return (
+    <Auth0Provider
+      domain="YOUR_AUTH0_DOMAIN"
+      clientId="YOUR_AUTH0_CLIENT_ID"
+      // Optional spa-js specific settings
+      cacheLocation="localstorage"
+      useRefreshTokens={true}
+    >
+      <YourAppRoot />
+    </Auth0Provider>
+  );
+};
+
+export default App;
+```
+
+## Basic Login and Logout
+
+Use the `useAuth0` hook to access authentication methods and state. The primary flow involves redirecting the user to the Auth0 Universal Login page.
+
+```jsx
+import { useAuth0 } from 'react-native-auth0';
+import { View, Button, Text } from 'react-native';
+
+const LoginProfile = () => {
+  const { authorize, clearSession, user, error, isLoading } = useAuth0();
+
+  const onLogin = async () => {
+    try {
+      // This will redirect the user to the login page.
+      // The promise does not resolve as the page context is lost.
+      await authorize({ scope: 'openid profile email' });
+    } catch (e) {
+      console.log('Login cancelled or failed', e);
+    }
+  };
+
+  const onLogout = async () => {
+    try {
+      // This will redirect the user to the logout page.
+      await clearSession();
+    } catch (e) {
+      console.log('Logout error', e);
+    }
+  };
+
+  if (isLoading) {
+    return (
+      <View>
+        <Text>Loading...</Text>
+      </View>
+    );
+  }
+
+  return (
+    <View>
+      {user && (
+        <>
+          <Text>Logged in as {user.name}</Text>
+          <Button onPress={onLogout} title="Log Out" />
+        </>
+      )}
+      {!user && <Button onPress={onLogin} title="Log In" />}
+      {error && <Text style={{ color: 'red' }}>{error.message}</Text>}
+    </View>
+  );
+};
+```
+
+## Accessing User Information and Tokens
+
+After a user is logged in, you can access their profile from the `user` object. To get a fresh access token for calling a protected API, use `getCredentials`.
+
+```jsx
+import { useAuth0 } from 'react-native-auth0';
+
+const Profile = () => {
+  const { user } = useAuth0();
+  return user ? <Text>Welcome, {user.name}!</Text> : null;
+};
+
+const ApiButton = () => {
+  const { getCredentials } = useAuth0();
+
+  const callApi = async () => {
+    try {
+      // getCredentials uses getTokenSilently() from auth0-spa-js
+      // to get a valid token, refreshing it if necessary.
+      const credentials = await getCredentials();
+      const accessToken = credentials.accessToken;
+
+      const response = await fetch('https://api.example.com/data', {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+        },
+      });
+      const data = await response.json();
+      console.log('API Data:', data);
+    } catch (e) {
+      console.error('Failed to get token or call API', e);
+    }
+  };
+
+  return <Button onPress={callApi} title="Call Protected API" />;
+};
+```
+
+## Unsupported Web Features
+
+For security reasons, the web platform **does not support** direct authentication grants. The following methods from the `auth` provider will throw a `NotImplemented` error:
+
+- `auth.passwordRealm()`
+- `auth.loginWithOTP()`
+- `auth.loginWithSMS()`
+- `auth.loginWithEmail()`
+- `auth.refreshToken()`
+
+All these flows should be configured in your [Auth0 Universal Login](https://auth0.com/docs/universal-login) page and initiated via the `authorize()` method.
+
+```
+
+```
diff --git a/MIGRATION_GUIDE.md b/MIGRATION_GUIDE.md
@@ -2,69 +2,159 @@
 
 ## Upgrading from v4 -> v5
 
-### Compatibility Requirements
+Version 5.0 of `react-native-auth0` is a significant update featuring a complete architectural overhaul. This new foundation improves performance, maintainability, and provides a more consistent API across all platforms.
 
-- **React**: v5 requires React 19 or higher
-- **React Native**: v5 requires React Native 0.78.0 or higher
-- **Expo**: v5 requires Expo 53 or higher
+Upgrading from v4.x requires addressing several breaking changes. Please follow this guide carefully.
 
-### Breaking Changes
+## 1. Compatibility & Installation
 
-- **Platform Compatibility**: The minimum iOS deployment target is now 14.0. Update your iOS/Podfile with:
+Before updating the library, ensure your project meets the new minimum requirements.
 
-  ```
-  platform :ios, '14.0'
-  ```
+### Environment Requirements
 
-- **Android Requirements**: Android SDK API level 35 or higher is now required
+- **React:** `19.0.0` or higher
+- **React Native:** `0.78.0` or higher
+- **Expo:** SDK `53` or higher
+- **iOS:** Deployment Target `14.0`
+- **Android:** Target SDK `35` or higher
 
-### Migration Steps
+### Updating Your Project
 
-#### For Regular React Native Projects
+#### For Standard React Native Projects:
 
-1. First, ensure your project uses React 19 and React Native 0.78.0 or higher:
+1.  **Upgrade React Native:**
+    ```bash
+    npm install react@^19.0.0 react-native@^0.78.0
+    ```
+2.  **Update this Library:**
+    ```bash
+    npm install react-native-auth0@beta
+    ```
+3.  **Update iOS Target:** In your `ios/Podfile`, set the platform version:
+    ```ruby
+    platform :ios, '14.0'
+    ```
+4.  **Install Pods:**
+    ```bash
+    cd ios && pod install && cd ..
+    ```
 
-   ```bash
-   npm install react@^19.0.0
-   npm install react-native@^0.78.0
-   ```
+#### For Expo Projects:
 
-2. Update the react-native-auth0 package:
+1.  **Upgrade Expo SDK:**
+    ```bash
+    npx expo upgrade
+    ```
+2.  **Update this Library:**
+    ```bash
+    npm install react-native-auth0@beta
+    ```
+3.  **Rebuild Native Code:**
+    ```bash
+    npx expo prebuild --clean
+    ```
+    > **Warning:** This will overwrite any manual changes in your `ios` and `android` directories.
 
-   ```bash
-   npm install react-native-auth0@beta
-   ```
+## 2. Breaking API Changes
 
-3. Update your iOS minimum deployment target in your Podfile:
+The following API changes require code modifications in your application.
 
-   ```ruby
-   platform :ios, '14.0'
-   ```
+### Change #1: User Profile Properties are now `camelCase`
 
-4. Install the updated pods:
-   ```bash
-   cd ios && pod install && cd ..
-   ```
+To align with modern JavaScript standards, all properties on the `user` object are now `camelCase`.
 
-#### For Expo Projects
+**✅ Action Required:** Update all references to `user` properties.
 
-1. Update to Expo 53 or higher:
+| Before (snake_case)   | After (camelCase)    |
+| :-------------------- | :------------------- |
+| `user.given_name`     | `user.givenName`     |
+| `user.family_name`    | `user.familyName`    |
+| `user.email_verified` | `user.emailVerified` |
+| `user.phone_number`   | `user.phoneNumber`   |
+| ...and so on.         |                      |
 
-   ```bash
-   npx expo upgrade
-   ```
+### Change #2: Credentials Object uses `expiresAt`
 
-2. Update the react-native-auth0 package:
+The `Credentials` object no longer includes `expiresIn` (a duration). It now provides `expiresAt`, an absolute **UNIX timestamp** (in seconds), making expiration checks simpler and less error-prone.
 
-   ```bash
-   npm install react-native-auth0@beta
-   ```
+**✅ Action Required:** Replace all logic using `expiresIn` with `expiresAt`.
 
-3. Rebuild your app:
-   ```bash
-   npx expo prebuild --clean
-   ```
-   Note: This will reset any manual changes to your native code.
+**Before:**
+
+```javascript
+const expiresAt = Date.now() / 1000 + credentials.expiresIn;
+if (isExpired(expiresAt)) {
+  // ...
+}
+```
+
+**After:**
+
+```javascript
+// Direct comparison is now possible
+if (credentials.expiresAt < Date.now() / 1000) {
+  // ...
+}
+
+// Or, use the new helper method (if you have an instance of the Credentials model):
+if (credentials.isExpired()) {
+  // ...
+}
+```
+
+### Change #3: Standardized `AuthError` Object
+
+All errors thrown by the library are now instances of a single, consistent `AuthError` class. This replaces multiple error types like `CredentialsManagerError`.
+
+**✅ Action Required:** Update your `try...catch` blocks to handle the new unified error object.
+
+**Before:**
+
+```javascript
+catch (e) {
+  // Inconsistent properties like e.error, e.error_description
+  console.error(e.message);
+}
+```
+
+**After:**
+
+```javascript
+import { AuthError } from 'react-native-auth0';
+
+catch (e) {
+  if (e instanceof AuthError) {
+    // Consistent properties are now available
+    console.error(e.name, e.message); // e.g., 'invalid_grant', 'The refresh token is invalid.'
+  }
+}
+```
+
+### Change #4: Updated `authorize` and `clearSession` Signatures
+
+For improved clarity, SDK-specific options (like `ephemeralSession`) have been moved into a separate, second `options` object.
+
+**✅ Action Required:** Restructure calls to `authorize` and `clearSession`.
+
+**Before:**
+
+```javascript
+// Mixed parameters and options
+await authorize({
+  scope: 'openid profile',
+  ephemeralSession: true,
+});
+```
+
+**After:**
+
+```javascript
+// Parameters and options are now separate arguments
+await authorize(
+  { scope: 'openid profile' }, // 1. OIDC / Auth0 Parameters
+  { ephemeralSession: true } // 2. SDK-Specific Options
+);
+```
 
 ## Upgrading from v3 -> v4
 
diff --git a/README.md b/README.md
@@ -664,6 +664,31 @@ _Note_ : We have platform agnostic error codes available only for `CredentialsMa
 | `NO_NETWORK`          | `NO_NETWORK`                                                                                                                                                                                                                                                                                                                                     |                                 |
 | `API_ERROR`           | `API_ERROR`                                                                                                                                                                                                                                                                                                                                      |                                 |
 
+## Features and Platform Support
+
+This library provides a unified API across Native (iOS/Android) and Web platforms. However, due to security models and underlying technology, not all features are available on every platform.
+
+| Feature / Method Category                  | Native (iOS/Android) | Web (Browser) | Notes & Rationale                                                                                                                                                        |
+| ------------------------------------------ | :------------------: | :-----------: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| **Web Authentication**                     |                      |               | ---                                                                                                                                                                      |
+| `webAuth.authorize()`                      |          ✅          |      ✅       | **Primary login method.** Uses `ASWebAuthenticationSession`/`Custom Tabs` on Native and `loginWithRedirect` on Web.                                                      |
+| `webAuth.clearSession()`                   |          ✅          |      ✅       | **Primary logout method.** Clears the session cookie on the server via a browser redirect.                                                                               |
+| **Credential Management**                  |                      |               | ---                                                                                                                                                                      |
+| `credentialsManager.getCredentials()`      |          ✅          |      ✅       | Retrieves stored tokens. On Native, it uses the secure Keychain/Keystore. On Web, it uses the `@auth0/auth0-spa-js` cache and `getTokenSilently`.                        |
+| `credentialsManager.hasValidCredentials()` |          ✅          |      ✅       | Checks for a valid local session.                                                                                                                                        |
+| `credentialsManager.saveCredentials()`     |          ✅          |      ❌       | **Native-only.** Manually saving credentials is required on Native. On Web, this is handled automatically by the underlying SPA SDK and is a no-op.                      |
+| `credentialsManager.clearCredentials()`    |          ✅          |      ✅       | Clears locally stored tokens. On Web, this performs a "local-only" logout.                                                                                               |
+| **Direct Authentication Grants**           |                      |               | ---                                                                                                                                                                      |
+| `auth.passwordRealm()`                     |          ✅          |      ❌       | **Not supported on Web for security reasons.** The Resource Owner Password Grant exposes credentials to the browser and is not recommended for Single Page Applications. |
+| `auth.passwordless...()`                   |          ✅          |      ❌       | **Not supported on Web.** Passwordless flows on the web should be configured via Universal Login and initiated with `webAuth.authorize()`.                               |
+| `auth.loginWith...()` (OTP/SMS etc)        |          ✅          |      ❌       | **Not supported on Web.** These direct grant flows are not secure for public clients like browsers.                                                                      |
+| **Token & User Management**                |                      |               | ---                                                                                                                                                                      |
+| `auth.refreshToken()`                      |          ✅          |      ❌       | **Not supported on Web.** Token refresh is handled automatically by `getCredentials()` via `getTokenSilently()` on the web.                                              |
+| `auth.userInfo()`                          |          ✅          |      ✅       | Fetches the user's profile from the `/userinfo` endpoint using an access token.                                                                                          |
+| `auth.createUser()`                        |          ✅          |      ✅       | Calls the `/dbconnections/signup` endpoint. Works on both platforms.                                                                                                     |
+| `auth.resetPassword()`                     |          ✅          |      ✅       | Calls the `/dbconnections/change_password` endpoint. Works on both platforms.                                                                                            |
+| `users(token).patchUser()`                 |          ✅          |      ✅       | Calls the Management API. Works on any platform with a valid token, but use with caution in the browser.                                                                 |
+
 ## Troubleshooting
 
 ### Swift 6 Compatibility Issues on iOS
@@ -698,7 +723,7 @@ We appreciate feedback and contribution to this repo! Before you get started, pl
 
 - [Auth0's general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
 - [Auth0's code of conduct guidelines](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
-- [This repo's development guide](DEVELOPMENT.md)
+- [This repo's development guide](CONTRIBUTING.md)
 
 ### Raise an issue
 
