auth0 · luisrudge · Feb 5, 2018 · Feb 5, 2018 · Feb 5, 2018
@@ -1,6 +1,7 @@
 var IframeHandler = require('../helper/iframe-handler');
 var objectHelper = require('../helper/object');
 var windowHelper = require('../helper/window');
+var Warn = require('../helper/warn');
 
 function runWebMessageFlow(authorizeUrl, options, callback) {
   var handler = new IframeHandler({
@@ -30,6 +31,7 @@ function runWebMessageFlow(authorizeUrl, options, callback) {
 
 function WebMessageHandler(webAuth) {
   this.webAuth = webAuth;
+  this.warn = new Warn(webAuth.baseOptions);
 }
 
 WebMessageHandler.prototype.run = function(options, cb) {
@@ -39,7 +41,7 @@ WebMessageHandler.prototype.run = function(options, cb) {
 
   var currentOrigin = windowHelper.getOrigin();
   var redirectUriOrigin = objectHelper.getOriginFromUrl(options.redirectUri);
-  if (currentOrigin !== redirectUriOrigin) {
+  if (redirectUriOrigin && currentOrigin !== redirectUriOrigin) {
     return cb({
       error: 'origin_mismatch',
       error_description: "The redirectUri's origin (" +
@@ -58,6 +60,15 @@ WebMessageHandler.prototype.run = function(options, cb) {
     if (!err && eventData.event.data.response.error) {
       error = objectHelper.pick(eventData.event.data.response, ['error', 'error_description']);
     }
+    if (
+      error &&
+      error.error === 'consent_required' &&
+      windowHelper.getWindow().location.hostname === 'localhost'
+    ) {
+      _this.warn.warning(
+        "Consent Required. Consent can't be skipped on localhost. Read more here: https://auth0.com/docs/api-auth/user-consent#skipping-consent-for-first-party-clients"
+      );
+    }
     if (error) {
       return cb(error);
     }

@@ -19,7 +19,8 @@ describe('auth0.WebAuth.crossOriginAuthentication', function() {
   context('login', function() {
     before(function() {
       this.webAuthSpy = {
-        authorize: spy()
+        authorize: spy(),
+        baseOptions: {}
       };
       this.co = new CrossOriginAuthentication(this.webAuthSpy, {
         rootUrl: 'https://me.auth0.com',
@@ -313,7 +314,7 @@ describe('auth0.WebAuth.crossOriginAuthentication', function() {
   context('callback', function() {
     before(function() {
       this.co = new CrossOriginAuthentication(
-        {},
+        { baseOptions: {} },
         {
           rootUrl: 'https://me.auth0.com',
           clientID: '...',

@@ -6,6 +6,7 @@ var request = require('superagent');
 var storage = require('../../src/helper/storage');
 var windowHelper = require('../../src/helper/window');
 var ssodata = require('../../src/helper/ssodata');
+var Warn = require('../../src/helper/warn');
 
 var RequestMock = require('../mock/request-mock');
 
@@ -1768,6 +1769,12 @@ describe('auth0.WebAuth', function() {
       if (WebAuth.prototype.validateAuthenticationResponse.restore) {
         WebAuth.prototype.validateAuthenticationResponse.restore();
       }
+      if (windowHelper.getWindow.restore) {
+        windowHelper.getWindow.restore();
+      }
+      if (Warn.prototype.warning.restore) {
+        Warn.prototype.warning.restore();
+      }
       windowHelper.getOrigin.restore();
       objectHelper.getOriginFromUrl.restore();
     });
@@ -1779,7 +1786,18 @@ describe('auth0.WebAuth', function() {
         });
       });
     });
-    it('throws an error if there is an origin mismatch between current window and redirectUrl', function() {
+    it('does not throw an origin_mismatch error if redirectUri is empty', function() {
+      objectHelper.getOriginFromUrl.restore();
+      stub(objectHelper, 'getOriginFromUrl', function() {
+        return undefined;
+      });
+      stub(IframeHandler.prototype, 'init', function() {});
+
+      this.auth0.checkSession({}, function(err) {
+        expect(err).to.be.eql(undefined);
+      });
+    });
+    it('throws an error if there is an origin mismatch between current window and redirectUri', function() {
       objectHelper.getOriginFromUrl.restore();
       stub(objectHelper, 'getOriginFromUrl', function() {
         return 'some-other-origin';
@@ -1861,6 +1879,31 @@ describe('auth0.WebAuth', function() {
         done();
       });
     });
+    it('callback writes to console when consent_required + hostname===localhost', function(done) {
+      var errorResponse = {
+        error: 'consent_required'
+      };
+      stub(IframeHandler.prototype, 'init', function() {
+        this.callback({ event: { data: { response: errorResponse } } });
+      });
+      stub(windowHelper, 'getWindow', function() {
+        return {
+          location: {
+            hostname: 'localhost'
+          }
+        };
+      });
+      var warnings = [];
+      stub(Warn.prototype, 'warning', function(e) {
+        warnings.push(e);
+      });
+      this.auth0.checkSession({}, function() {
+        expect(warnings[1]).to.be(
+          "Consent Required. Consent can't be skipped on localhost. Read more here: https://auth0.com/docs/api-auth/user-consent#skipping-consent-for-first-party-clients"
+        );
+        done();
+      });
+    });
     it('callback handles success response', function(done) {
       var response = { access_token: 'foobar' };
       stub(WebAuth.prototype, 'validateAuthenticationResponse', function(options, parsedHash, cb) {