Auth0.js Versions Save

Fixed

• Updated jsdocs for Authentication#login #1284 (siddtheone)

Security

• Bump jsonwebtoken from 8.5.1 to 9.0.0 #1282 (dependabot[bot])

Note: This release is functionally identical to the previous release, but has been released to ensure tooling no longer detects a vulnerable version of jsonwebtoken being used (we only include it as a dev dependency and use it in some tests).

Added

• Support Captcha challenge for passwordless login #1277 (DominickBattistini)

Changed

• Regenerate API docs using new readme #1271 (frederikprijck)
• Update readme based on the internal redesign #1269 (frederikprijck)

Fixed

• support timeout option in Popup.loginWithCredentials #1273 (stevehobbsdev)

This release includes some clarification updates to the readme, as well as a culmination of security patches from dependabot.

Changed

• Clean up old/missing library migration links #1256 (stevehobbsdev)
• Clarify usage of legacySameSiteCookie in readme #1255 (stevehobbsdev)

Security

• Security: Bump dev dependencies and update lockfile #1244 (evansims)

This release by default now stores additional cookies for backward compatibility when using the SameSite attribute, for those older browsers that do not understand SameSite=None. As well as creating the normal transaction cookies with Secure=true and SameSite=none, it also stores a _x_compat cookie (where x is the name of the original cookie) which only sets Secure=true.

If the generation of these extra cookies is undesirable or unnecessary for your use case, you can turn them back off by setting legacySameSiteCookie: false in the SDK configuration.

Added

• Add compatibility cookie for SameSite, with option to turn it off #1232 (stevehobbsdev)

Fixed

• Set sameSite to 'none' for cookies when using HTTPS #1229 (stevehobbsdev)

Added

• Make state expiration configurable #1217 (aedelbro)

Added

• Add xRequestLanguage, which sends X-Request-Language header to /passwordless/start #1210 (stevehobbsdev)

Fixed

• Check window object only if it is options.hash is not set #1209 (FDiskas)

Fixed

• Fix: Passwordless Verify now sends client_id when specified #1202 (seanaye)

Security

• Dependency updates #1200 (stevehobbsdev)

Fixed

• Add check around accessing event.data in web-message-handler #1195 (stevehobbsdev)