Merge branch 'master' of https://github.com/auth0/react-native-auth0 into beta

Author: subhankarmaiti

.github/workflows/release.yml

@@ -18,7 +18,7 @@ jobs:
   release:
     uses: ./.github/workflows/npm-release.yml
     with:
-      node-version: 18
+      node-version: 20
       require-build: false
     secrets:
       npm-token: ${{ secrets.NPM_TOKEN }}

.snyk

@@ -5,66 +5,71 @@ ignore:
   SNYK-JS-INFLIGHT-6095116:
     - '*':
         reason: No fix available
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-02-02T05:47:18.380Z
   SNYK-JS-BABELHELPERS-9397697:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
+  SNYK-JS-IMAGESIZE-9634164:
+    - '*':
+        reason: This issue is temporarily ignored untill there is a new release of react native fixed this issue.
+        expires: 2025-05-12T09:15:05.191Z
+        created: 2025-04-07T09:15:05.191Z
   snyk:lic:npm:lightningcss-win32-x64-msvc:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss-linux-x64-musl:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss-linux-x64-gnu:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss-linux-arm64-musl:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss-linux-arm64-gnu:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss-linux-arm-gnueabihf:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss-freebsd-x64:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss-darwin-x64:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss-darwin-arm64:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss-win32-arm64-msvc:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
 patch: {}

.version

@@ -1 +1 @@
-v4.4.0
+v4.5.0

A0Auth0.podspec

@@ -18,9 +18,9 @@ Pod::Spec.new do |s|
   s.requires_arc = true
 
   s.dependency 'React-Core'
-  s.dependency 'Auth0', '2.7.2'
-  s.dependency 'JWTDecode', '3.1.0'
-  s.dependency 'SimpleKeychain', '1.1.0'
+  s.dependency 'Auth0', '2.10'
+  s.dependency 'JWTDecode', '3.2.0'
+  s.dependency 'SimpleKeychain', '1.2.0'
 
   s.compiler_flags = folly_compiler_flags + " -DRCT_NEW_ARCH_ENABLED=1"
   s.pod_target_xcconfig    = {

CHANGELOG.md

@@ -1,5 +1,26 @@
 # Change Log
 
+## [v4.5.0](https://github.com/auth0/react-native-auth0/tree/v4.5.0) (2025-04-17)
+
+[Full Changelog](https://github.com/auth0/react-native-auth0/compare/v4.4.0...v4.5.0)
+
+**Added**
+
+- Update dependencies and enhance webAuth methods to support HTTPS [\#1125](https://github.com/auth0/react-native-auth0/pull/1125) ([subhankarmaiti](https://github.com/subhankarmaiti))
+- feat: add optional timeout prop to Auth0Provider for authentication requests [\#1124](https://github.com/auth0/react-native-auth0/pull/1124) ([subhankarmaiti](https://github.com/subhankarmaiti))
+- Updated Readme recommending App links [\#1094](https://github.com/auth0/react-native-auth0/pull/1094) ([pmathew92](https://github.com/pmathew92))
+
+**Fixed**
+
+- Added deviceCredentialFallback default value [\#1098](https://github.com/auth0/react-native-auth0/pull/1098) ([subhankarmaiti](https://github.com/subhankarmaiti))
+
+**Security**
+
+- fix: TypeDoc configuration and update dependencies [\#1139](https://github.com/auth0/react-native-auth0/pull/1139) ([subhankarmaiti](https://github.com/subhankarmaiti))
+- React Native Bob Builder config update for expo [\#1137](https://github.com/auth0/react-native-auth0/pull/1137) ([subhankarmaiti](https://github.com/subhankarmaiti))
+- Dependency version upgrades [\#1113](https://github.com/auth0/react-native-auth0/pull/1113) ([subhankarmaiti](https://github.com/subhankarmaiti))
+- Dependency and config update as per react-native-builder-bob [\#1097](https://github.com/auth0/react-native-auth0/pull/1097) ([subhankarmaiti](https://github.com/subhankarmaiti))
+
 ## [v4.4.0](https://github.com/auth0/react-native-auth0/tree/v4.4.0) (2025-02-19)
 
 [Full Changelog](https://github.com/auth0/react-native-auth0/compare/v4.3.0...v4.4.0)

EXAMPLES.md

@@ -8,14 +8,18 @@
   - [Login using MFA with One Time Password code](#login-using-mfa-with-one-time-password-code)
   - [Login with Passwordless](#login-with-passwordless)
   - [Create user in database connection](#create-user-in-database-connection)
+  - [Using HTTPS callback URLs](#using-https-callback-urls)
 - [Management API (Users)](#management-api-users)
   - [Patch user with user_metadata](#patch-user-with-user_metadata)
   - [Get full user profile](#get-full-user-profile)
 - [Organizations](#organizations)
   - [Log in to an organization](#log-in-to-an-organization)
   - [Accept user invitations](#accept-user-invitations)
 - [Bot Protection](#bot-protection)
-- [Domain Switching](#domain-switching)
+  - [Domain Switching](#domain-switching)
+    - [Android](#android)
+    - [iOS](#ios)
+    - [Expo](#expo)
 
 ## Authentication API
 
@@ -70,7 +74,9 @@ auth0.auth
 Custom Schemes can be used for redirecting to the React Native application after web authentication:
 
 ```js
-authorize({}, { customScheme: 'auth0' }).then(console.log).catch(console.error);
+authorize({}, { customScheme: 'YOUR_AUTH0_DOMAIN' })
+  .then(console.log)
+  .catch(console.error);
 ```
 
 ### Login using MFA with One Time Password code
@@ -154,6 +160,17 @@ auth0.auth
   .catch(console.error);
 ```
 
+### Using HTTPS callback URLs
+
+HTTPS callback URLs provide enhanced security compared to custom URL schemes. They work with Android App Links and iOS Universal Links to prevent URL scheme hijacking:
+
+```js
+auth0.webAuth
+  .authorize({ scope: 'openid profile email' }, { customScheme: 'https' })
+  .then((credentials) => console.log(credentials))
+  .catch((error) => console.log(error));
+```
+
 ## Management API (Users)
 
 ### Patch user with user_metadata

FAQ.md

@@ -261,4 +261,4 @@ If you don't need SSO, consider using `ephemeral sessions` or `SFSafariViewContr
 
 ## 9. How can I prevent the autogenerated redirect_uri from breaking if the applicationId has mixed cases or special characters in it on Android ?
 
-It is recommended to have your applicationId in lower case without special characters to prevent any mismatch with the generated redirect_uri. But in the scenario where you require your applicationId to be of mixed case, to avoid any mismatch , the user can pass a `redirectUri` whihc matches the one provided in the manage dashboard as part of the `AgentLoginOptions` property.
+It is recommended to have your applicationId in lower case without special characters to prevent any mismatch with the generated redirect_uri. But in the scenario where you require your applicationId to be of mixed case, to avoid any mismatch , the user can pass a `redirectUri` which matches the one provided in the manage dashboard as part of the `AgentLoginOptions` property.

README.md

@@ -103,8 +103,6 @@ Take note of this value as you'll be requiring it to define the callback URLs be
 
 > For more info please read the [React Native docs](https://facebook.github.io/react-native/docs/linking.html).
 
-> Whenever possible, Auth0 recommends using `https` scheme with [Android App Links](https://auth0.com/docs/applications/enable-android-app-links) as a secure way to link directly to content within your app. Custom URL schemes can be subject to [client impersonation attacks](https://datatracker.ietf.org/doc/html/rfc8252#section-8.6).
-
 ##### Skipping the Web Authentication setup
 
 If you don't plan to use Web Authentication, you will notice that the compiler will still prompt you to provide the `manifestPlaceholders` values, since the `RedirectActivity` included in this library will require them, and the Gradle tasks won't be able to run without them.
@@ -213,21 +211,112 @@ Go to the [Auth0 Dashboard](https://manage.auth0.com/#/applications), select you
 
 If in addition you plan to use the log out method, you must also add these URLs to the **Allowed Logout URLs**.
 
+> [!NOTE]
+> Whenever possible, Auth0 recommends using [Android App Links](https://developer.android.com/training/app-links) and [Apple Universal Links](https://developer.apple.com/documentation/xcode/allowing-apps-and-websites-to-link-to-your-content) for your callback and logout URLs. Custom URL schemes can be subject to [client impersonation attacks](https://datatracker.ietf.org/doc/html/rfc8252#section-8.6).
+>
+> 💡 If your Android app is using [product flavors](https://developer.android.com/studio/build/build-variants#product-flavors), you might need to specify different manifest placeholders for each flavor.
+
 #### Android
 
+##### Custom Scheme
+
+```text
+{YOUR_APP_PACKAGE_NAME}.auth0://{YOUR_AUTH0_DOMAIN}/android/{YOUR_APP_PACKAGE_NAME}/callback
+```
+
+##### App Link (Recommended):
+
 ```text
-{YOUR_APP_PACKAGE_NAME}.auth0://{AUTH0_DOMAIN}/android/{YOUR_APP_PACKAGE_NAME}/callback
+https://{YOUR_AUTH0_DOMAIN}/android/{YOUR_APP_PACKAGE_NAME}/callback
+```
+
+> Replace {YOUR_APP_PACKAGE_NAME} and {YOUR_AUTH0_DOMAIN} with your actual application package name and Auth0 domain. Ensure that {YOUR_APP_PACKAGE_NAME} is all lowercase.
+
+To enable App Links, set the `auth0Scheme` to `https` in your `build.gradle` file.
+
+```text
+android {
+    defaultConfig {
+        manifestPlaceholders = [auth0Domain: "@string/com_auth0_domain", auth0Scheme: "https"]
+    }
+}
 ```
 
-> Make sure to replace {YOUR_APP_PACKAGE_NAME} and {AUTH0_DOMAIN} with the actual values for your application. The {YOUR_APP_PACKAGE_NAME} value provided should be all lower case.
+This configuration ensures that your app uses https for the callback URL scheme, which is required for Android App Links.
+
+#### Enable Android App Links Support
+
+[Android App Links](https://developer.android.com/training/app-links) allow an application to designate itself as the default handler of a given type of link. For example, clicking a URL in an email would open the link in the designated application. This guide will show you how to enable Android App links support for your Auth0-registered application using Auth0's Dashboard.
+
+1.  Go to [Auth0 Dashboard > Applications > Applications](https://manage.auth0.com/#/applications), and select the name of the application to view.
+
+2.  Scroll to the bottom of the Settings page, and select **Show Advanced Settings**.
+3.  Select Device Settings, provide the [App Package Name and](https://developer.android.com/studio/build/application-id) the SHA256 fingerprints of your app’s signing certificate for your Android application, and select Save Changes.
+    ![android-app-link](assets/android-app-link.png)
+
+> You can use the following command to generate the fingerprint using the Java keytool in your terminal: `keytool -list -v -keystore my-release-key.keystore`
+
+To learn more about signing certificates, see Android's [Sign Your App](https://developer.android.com/studio/publish/app-signing.html) developer documentation.
 
 #### iOS
 
+##### Custom Scheme
+
 ```text
-{PRODUCT_BUNDLE_IDENTIFIER}.auth0://{AUTH0_DOMAIN}/ios/{PRODUCT_BUNDLE_IDENTIFIER}/callback
+{PRODUCT_BUNDLE_IDENTIFIER}.auth0://{YOUR_AUTH0_DOMAIN}/ios/{PRODUCT_BUNDLE_IDENTIFIER}/callback
 ```
 
-> Make sure to replace {PRODUCT_BUNDLE_IDENTIFIER} and {AUTH0_DOMAIN} with the actual values for your application. The {PRODUCT_BUNDLE_IDENTIFIER} value provided should be all lower case.
+##### Universal Link (Recommended):
+
+```text
+https://{YOUR_AUTH0_DOMAIN}/ios/{PRODUCT_BUNDLE_IDENTIFIER}/callback
+```
+
+> Replace `{PRODUCT_BUNDLE_IDENTIFIER}` and `{YOUR_AUTH0_DOMAIN}` with your actual product bundle identifier and Auth0 domain. Ensure that {PRODUCT_BUNDLE_IDENTIFIER} is all lowercase.
+
+#### Configure an associated domain for iOS
+
+> [!IMPORTANT]
+> This step requires a paid Apple Developer account. It is needed to use Universal Links as callback and logout URLs.
+> Skip this step to use a custom URL scheme instead.
+
+##### Configure the Team ID and bundle identifier
+
+Scroll to the end of the settings page of your Auth0 application and open **Advanced Settings > Device Settings**. In the **iOS** section, set **Team ID** to your [Apple Team ID](https://developer.apple.com/help/account/manage-your-team/locate-your-team-id/), and **App ID** to your app's bundle identifier.
+
+![Screenshot of the iOS section inside the Auth0 application settings page](https://github.com/auth0/Auth0.swift/assets/5055789/7eb5f6a2-7cc7-4c70-acf3-633fd72dc506)
+
+This will add your app to your Auth0 tenant's `apple-app-site-association` file.
+
+##### Add the associated domain capability
+
+In Xcode, go to the **Signing and Capabilities** [tab](https://developer.apple.com/documentation/xcode/adding-capabilities-to-your-app#Add-a-capability) of your app's target settings, and press the **+ Capability** button. Then select **Associated Domains**.
+
+![Screenshot of the capabilities library inside Xcode](https://github.com/auth0/Auth0.swift/assets/5055789/3f7b0a70-c36c-46bf-9441-29f98724204a)
+
+Next, add the following [entry](https://developer.apple.com/documentation/xcode/configuring-an-associated-domain#Define-a-service-and-its-associated-domain) under **Associated Domains**:
+
+```text
+webcredentials:YOUR_AUTH0_DOMAIN
+```
+
+<details>
+  <summary>Example</summary>
+
+If your Auth0 Domain were `example.us.auth0.com`, then this value would be:
+
+```text
+webcredentials:example.us.auth0.com
+```
+
+</details>
+
+If you have a [custom domain](https://auth0.com/docs/customize/custom-domains), replace `YOUR_AUTH0_DOMAIN` with your custom domain.
+
+> [!NOTE]
+> For the associated domain to work, your app must be signed with your team certificate **even when building for the iOS simulator**. Make sure you are using the Apple Team whose Team ID is configured in the settings page of your Auth0 application.
+
+Refer to the example of [Using custom scheme for web authentication redirection](https://github.com/auth0/react-native-auth0/blob/master/EXAMPLES.md#using-custom-scheme-for-web-authentication-redirection)
 
 ## Next Steps
 

assets/android-app-link.png

@@ -0,0 +1,2 @@
+window.hierarchyData =
+  'eJyNj8FqwzAQRP9lzkrqCMs2uiWlh57bW/BB2BssIktFWkNL8L8XN9i4pSE5LezO8N5eEEPgBH3MKyVkUdYCkU6OGrbBJ+gLZKam4U1P0Hi3PYWBX2IMEQJn61vonawEhuig0TiTEqWndW7bce8grjdocGo3U3FzXYwCsihXjINJdB/w9UFpu0TvMASazro2koc+ykzVE7TMV9D9wF32HDzTJ796pngyDS0CUhWzgJ2Ps8O/zZs+S336O6/UH4U3Nvw49if9AOr3+2Vej+P4Dc50qC0=';