version 3.0.0

.eslintrc.json

@@ -1,9 +1,17 @@
 {
   "extends": ["eslint:recommended"],
   "env": {
-    "browser": true,
+    "browser": false,
     "commonjs": true
   },
+  "globals": {
+    "Promise": true,
+    "console": true,
+    "setTimeout": true,
+    "clearTimeout": true,
+    "setInterval": true,
+    "clearInterval": true
+  },
   "rules": {
     "camelcase": 2,
     "complexity": [2, 7],

.travis.yml

@@ -1,6 +1,6 @@
 language: node_js
 node_js:
-  - '8'
+  - '10'
 install:
   - yarn install --frozen-lockfile
 script:

CHANGELOG.md

@@ -1,5 +1,33 @@
 # Changelog
 
+## 3.0.0
+
+### Breaking Changes
+
+- [#308](https://github.com/okta/okta-auth-js/pull/308) - Removed `jquery` and `reqwest` httpRequesters
+
+- [#309](https://github.com/okta/okta-auth-js/pull/309) - Removed `Q` library, now using standard Promise. IE11 will require a polyfill for the `Promise` object. Use of `Promise.prototype.finally` requires Node > 10.3 for server-side use.
+
+- [#310](https://github.com/okta/okta-auth-js/pull/310)
+  - `postLogoutRedirectUri` will default to `window.location.origin`
+  - `signOut` will revoke access token and perform redirect by default. Fallback to XHR (`closeSession`) if no idToken.
+  - New method `closeSession` for XHR signout without redirect or reload.
+  - New method `revokeAccessToken`
+
+- [#311](https://github.com/okta/okta-auth-js/pull/311) - `parseFromUrl` now returns tokens in an object hash (instead of array). The `state` parameter (passed to authorize request) is also returned.
+
+- [#313](https://github.com/okta/okta-auth-js/pull/313) - New option `secureCookies`, which is `true` by default. An HTTPS origin will be enforced unless `secureCookies` is set to `false`.
+
+- [#316](https://github.com/okta/okta-auth-js/pull/316) - Option `issuer` is required. Option `url` has been deprecated and is no longer used.
+
+- [#317](https://github.com/okta/okta-auth-js/pull/317) - `pkce` option is now `true` by default. `grantType` option is removed.
+
+- [#321](https://github.com/okta/okta-auth-js/pull/321)
+  - Default responseType when using implicit flow is now ['token', 'id_token'].
+  - When both access token and id token are returned, the id token's at_hash claim will be validated against the access token
+
+### Other
+
 ## 2.13.0
 
 ### Features

THIRD-PARTY-NOTICES

@@ -219,46 +219,6 @@ DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
 
 0. You just DO WHAT THE FUCK YOU WANT TO.
 
-q.js
-Version (if any):		
-Brief Description:	If a function cannot return a value or throw an 
-exception without blocking, it can return a promise instead. A promise is an 
-object that represents the return value or the thrown exception that the 
-function may eventually provide. A promise can also be used as a proxy for a 
-remote object to overcome latency. On the first pass, promises can mitigate the 
-“Pyramid of Doom”: the situation where code marches to the right faster than it 
-marches forward.	
-License	MIT	
-
-Copyright 2009–2014 Kristopher Michael Kowal. All rights reserved. 
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of 
-this software and associated documentation files (the "Software"), to deal in 
-the Software without restriction, including without limitation the rights to 
-use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 
-of the Software, and to permit persons to whom the Software is furnished to do 
-so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all 
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 
-SOFTWARE.
-
-
-reqwest
-Version (if any):	2.0.5	
-Brief Description:	It's AJAX All over again. Includes support for 
-xmlHttpRequest, JSONP, CORS, and CommonJS Promises A.	
-License	MIT	
-
-Copyright 2015 Dustin Diaz. All rights reserved. 
-
 Permission is hereby granted, free of charge, to any person obtaining a copy of 
 this software and associated documentation files (the "Software"), to deal in 
 the Software without restriction, including without limitation the rights to 

package.json

@@ -5,6 +5,7 @@
     "@babel/preset-env": "^7.6.3",
     "@babel/register": "^7.6.2",
     "dotenv": "^8.1.0",
+    "eslint-plugin-compat": "^3.3.0",
     "eslint-plugin-jasmine": "^2.10.1",
     "globby": "^6.1.0",
     "lerna": "^2.11.0"
@@ -23,6 +24,7 @@
     "test:e2e": "yarn --cwd test/e2e start",
     "test:browser": "yarn workspace @okta/okta-auth-js test:browser",
     "test:server": "yarn workspace @okta/okta-auth-js test:server",
+    "test:karma": "yarn workspace @okta/okta-auth-js test:karma",
     "test:unit": "yarn workspace @okta/okta-auth-js test",
     "test:report": "yarn test:unit --ci --silent || true",
     "prepare": "yarn build",

packages/okta-auth-js/.eslintrc.json

@@ -0,0 +1,14 @@
+{
+  "extends": ["plugin:compat/recommended"],
+  "settings": {
+    "polyfills": [
+      "Promise",
+      "Array.from",
+      "TextEncoder"
+    ]
+  },
+  "parserOptions": {
+    "sourceType": "module",
+    "ecmaVersion": 2017
+  }
+}

packages/okta-auth-js/jest.server.js

@@ -1,5 +1,4 @@
-var packageJson = require('./package.json');
-var OktaAuth = '<rootDir>/' + packageJson.main;
+var OktaAuth = '<rootDir>/lib/server/serverIndex.js';
 
 module.exports = {
   'coverageDirectory': '<rootDir>/build2/reports/coverage',
@@ -12,6 +11,8 @@ module.exports = {
   ],
   'testPathIgnorePatterns': [
     './test/spec/browser.js',
+    './test/spec/browserStorage.js',
+    './test/spec/cookies.js',
     './test/spec/fingerprint.js',
     './test/spec/general.js',
     './test/spec/oauthUtil.js',

packages/okta-auth-js/lib/TokenManager.js

@@ -10,12 +10,11 @@
  * See the License for the specific language governing permissions and limitations under the License.
  *
  */
-
+/* global localStorage, sessionStorage */
 /* eslint complexity:[0,8] max-statements:[0,21] */
 var util = require('./util');
 var AuthSdkError = require('./errors/AuthSdkError');
 var storageUtil = require('./browser/browserStorage');
-var Q = require('q');
 var constants = require('./constants');
 var storageBuilder = require('./storageBuilder');
 var SdkClock = require('./clock');
@@ -115,7 +114,7 @@ function get(storage, key) {
 }
 
 function getAsync(sdk, tokenMgmtRef, storage, key) {
-  return Q.Promise(function(resolve) {
+  return new Promise(function(resolve) {
     var token = get(storage, key);
     if (!token || !hasExpired(tokenMgmtRef, token)) {
       return resolve(token);
@@ -152,23 +151,15 @@ function renew(sdk, tokenMgmtRef, storage, key) {
       throw new AuthSdkError('The tokenManager has no token for the key: ' + key);
     }
   } catch (e) {
-    return Q.reject(e);
+    return Promise.reject(e);
   }
 
   // Remove existing autoRenew timeout for this key
   clearExpireEventTimeout(tokenMgmtRef, key);
 
   // Store the renew promise state, to avoid renewing again
   tokenMgmtRef.renewPromise[key] = sdk.token.renew(token)
-    .then(function(freshTokens) {
-      var freshToken = freshTokens;
-      // With PKCE flow we will receive multiple tokens. Find the one we are looking for
-      if (freshTokens instanceof Array) {
-        freshToken = freshTokens.find(function(freshToken) {
-          return (freshToken.idToken && token.idToken) || (freshToken.accessToken && token.accessToken);
-        });
-      }
-
+    .then(function(freshToken) {
       var oldToken = get(storage, key);
       if (!oldToken) {
         // It is possible to enter a state where the tokens have been cleared
@@ -228,7 +219,10 @@ function TokenManager(sdk, options) {
         storageProvider = sessionStorage;
         break;
       case 'cookie':
-        storageProvider = storageUtil.getCookieStorage(options);
+        storageProvider = storageUtil.getCookieStorage({
+          secure: sdk.options.secureCookies,
+          sameSite: 'lax'
+        });
         break;
       case 'memory':
         storageProvider = storageUtil.getInMemoryStorage();