diff --git a/src/web-auth/web-message-handler.js b/src/web-auth/web-message-handler.js
index 3e4cc0de..3ae1e577 100644
--- a/src/web-auth/web-message-handler.js
+++ b/src/web-auth/web-message-handler.js
@@ -1,6 +1,7 @@ var IframeHandler = require('../helper/iframe-handler'); var objectHelper = require('../helper/object'); var windowHelper = require('../helper/window'); +var Warn = require('../helper/warn'); function runWebMessageFlow(authorizeUrl, options, callback) { var handler = new IframeHandler({
@@ -30,6 +31,7 @@ function runWebMessageFlow(authorizeUrl, options, callback) { function WebMessageHandler(webAuth) { this.webAuth = webAuth; + this.warn = new Warn(webAuth.baseOptions); } WebMessageHandler.prototype.run = function(options, cb) {
@@ -39,7 +41,7 @@ WebMessageHandler.prototype.run = function(options, cb) { var currentOrigin = windowHelper.getOrigin(); var redirectUriOrigin = objectHelper.getOriginFromUrl(options.redirectUri); - if (currentOrigin !== redirectUriOrigin) { + if (redirectUriOrigin && currentOrigin !== redirectUriOrigin) { return cb({ error: 'origin_mismatch', error_description: "The redirectUri's origin (" +
@@ -58,6 +60,15 @@ WebMessageHandler.prototype.run = function(options, cb) { if (!err && eventData.event.data.response.error) { error = objectHelper.pick(eventData.event.data.response, ['error', 'error_description']); } + if ( error && error.error === 'consent_required' && windowHelper.getWindow().location.hostname === 'localhost' ) { _this.warn.warning( "Consent Required. Consent can't be skipped on localhost. Read more here: https://auth0.com/docs/api-auth/user-consent#skipping-consent-for-first-party-clients" ); } if (error) { return cb(error); }
diff --git a/test/web-auth/cross-origin-authentication.test.js b/test/web-auth/cross-origin-authentication.test.js
index 1962b3fa..227f873d 100644
--- a/test/web-auth/cross-origin-authentication.test.js
+++ b/test/web-auth/cross-origin-authentication.test.js
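Review bot: The `WebMessageHandler` constructor now dereferences `webAuth.baseOptions` on the new `this.warn = new Warn(webAuth.baseOptions);` line, and the test fixtures in this same commit had to gain `baseOptions: {}` for their spies to keep working, which suggests `Warn` reads from that object; nothing documents this new requirement on the constructor argument. A short JSDoc above the constructor would make the contract explicit, e.g. `/** @param {Object} webAuth - WebAuth instance; its baseOptions are passed to Warn, which this handler uses to emit warnings. */`.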
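Review bot: The relaxed guard `if (redirectUriOrigin && currentOrigin !== redirectUriOrigin)` skips the origin comparison whenever `getOriginFromUrl` returns a falsy value, not only when `options.redirectUri` is empty; if that helper also yields `undefined` for a relative or otherwise unparsable redirectUri (its implementation is not visible here), such a value would now pass silently where it used to be reported as `origin_mismatch`. Keying the exception on the input rather than on the parse result keeps the check strict for anything that was actually supplied: `if (options.redirectUri && currentOrigin !== redirectUriOrigin) {`, assuming the empty-redirectUri case reaches this point with `options.redirectUri` unset. Either way, a one-line comment above the guard, `// an absent redirectUri has no origin to compare against; only a supplied one is validated`, would record why the mismatch check is conditional. The enclosing `run` method continues outside the hunk.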
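Review bot: The localhost consent hint passes a long literal straight into `_this.warn.warning(...)`, and the same string is duplicated verbatim in the test that asserts on it, so the two can drift apart silently. Hoisting it to a module-level constant, `var CONSENT_REQUIRED_LOCALHOST_WARNING = "Consent Required. Consent can't be skipped on localhost. Read more here: https://auth0.com/docs/api-auth/user-consent#skipping-consent-for-first-party-clients";` and calling `_this.warn.warning(CONSENT_REQUIRED_LOCALHOST_WARNING)`, gives the test a single source of truth. The hostname test is an exact match on `'localhost'`, so a loopback address or a `localhost`-suffixed name will not trigger the hint; if that is intended, a comment such as `// exact-match on 'localhost': consent cannot be skipped there, so surface the reason in the console` would save the next reader from widening it. The callback that declares `error` and `_this`, and the enclosing `run` method, begin and end outside this hunk.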
@@ -19,7 +19,8 @@ describe('auth0.WebAuth.crossOriginAuthentication', function() { context('login', function() { before(function() { this.webAuthSpy = { - authorize: spy() + authorize: spy(), + baseOptions: {} }; this.co = new CrossOriginAuthentication(this.webAuthSpy, { rootUrl: 'https://me.auth0.com',
@@ -313,7 +314,7 @@ describe('auth0.WebAuth.crossOriginAuthentication', function() { context('callback', function() { before(function() { this.co = new CrossOriginAuthentication( - {}, + { baseOptions: {} }, { rootUrl: 'https://me.auth0.com', clientID: '...',
diff --git a/test/web-auth/web-auth.test.js b/test/web-auth/web-auth.test.js
index 3becbcfd..6da8ca28 100644
--- a/test/web-auth/web-auth.test.js
+++ b/test/web-auth/web-auth.test.js
@@ -6,6 +6,7 @@ var request = require('superagent'); var storage = require('../../src/helper/storage'); var windowHelper = require('../../src/helper/window'); var ssodata = require('../../src/helper/ssodata'); +var Warn = require('../../src/helper/warn'); var RequestMock = require('../mock/request-mock');
@@ -1768,6 +1769,12 @@ describe('auth0.WebAuth', function() { if (WebAuth.prototype.validateAuthenticationResponse.restore) { WebAuth.prototype.validateAuthenticationResponse.restore(); } + if (windowHelper.getWindow.restore) { windowHelper.getWindow.restore(); } + if (Warn.prototype.warning.restore) { Warn.prototype.warning.restore(); } windowHelper.getOrigin.restore(); objectHelper.getOriginFromUrl.restore(); });
@@ -1779,7 +1786,18 @@ describe('auth0.WebAuth', function() { }); }); }); - it('throws an error if there is an origin mismatch between current window and redirectUrl', function() { + it('does not throw an origin_mismatch error if redirectUri is empty', function() { objectHelper.getOriginFromUrl.restore(); stub(objectHelper, 'getOriginFromUrl', function() { return undefined; }); stub(IframeHandler.prototype, 'init', function() {}); this.auth0.checkSession({}, function(err) { expect(err).to.be.eql(undefined); }); }); + it('throws an error if there is an origin mismatch between current window and redirectUri', function() { objectHelper.getOriginFromUrl.restore(); stub(objectHelper, 'getOriginFromUrl', function() { return 'some-other-origin';
@@ -1861,6 +1879,31 @@ describe('auth0.WebAuth', function() { done(); }); }); + it('callback writes to console when consent_required + hostname===localhost', function(done) { var errorResponse = { error: 'consent_required' }; stub(IframeHandler.prototype, 'init', function() { this.callback({ event: { data: { response: errorResponse } } }); }); stub(windowHelper, 'getWindow', function() { return { location: { hostname: 'localhost' } }; }); var warnings = []; stub(Warn.prototype, 'warning', function(e) { warnings.push(e); }); this.auth0.checkSession({}, function() { expect(warnings[1]).to.be( "Consent Required. Consent can't be skipped on localhost. Read more here: https://auth0.com/docs/api-auth/user-consent#skipping-consent-for-first-party-clients" ); done(); }); }); it('callback handles success response', function(done) { var response = { access_token: 'foobar' }; stub(WebAuth.prototype, 'validateAuthenticationResponse', function(options, parsedHash, cb) {
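Review bot: The new 'does not throw an origin_mismatch error if redirectUri is empty' test can pass without exercising the guard it targets: `IframeHandler.prototype.init` is stubbed to a no-op, so the `checkSession` callback only ever runs if the origin check rejects, and on the path this test claims to cover `expect(err).to.be.eql(undefined)` is never evaluated. Recording that the flow got past the check makes the assertion real, e.g. `var initCalled = false;`, `stub(IframeHandler.prototype, 'init', function() { initCalled = true; });` and `expect(initCalled).to.be(true);` after the `checkSession` call, assuming `checkSession` reaches the iframe handler synchronously once the guard passes (that call path is not visible in this diff). The visible `after` hook in the earlier hunk restores `getWindow` and `Warn.prototype.warning` but not `IframeHandler.prototype.init`; if that restore lives elsewhere in the file, fine, otherwise the stub leaks into later tests.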
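Review bot: `expect(warnings[1]).to.be(...)` pins the consent hint to the second call of `Warn.prototype.warning`, which couples this test to whatever other warning `checkSession` emits first (not visible in the diff) and will break if that earlier warning is removed or reordered. Asserting membership instead, e.g. `expect(warnings).to.contain("Consent Required. Consent can't be skipped on localhost. Read more here: https://auth0.com/docs/api-auth/user-consent#skipping-consent-for-first-party-clients");`, checks only the behaviour this test is about. The title says the callback "writes to console" while the test observes `Warn.prototype.warning`; naming it after what is asserted, `it('warns when consent_required is returned and hostname is localhost', ...)`, keeps the description accurate if Warn's output channel ever changes.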