[SDK-2320] Throw login_required error in SPA SDK if running in a cros…

…s-origin isolated context (#790) * Throw login_required error in SPA SDK if running in a cross-origin isolated context * Use dot syntax * Remove fit Co-authored-by: Steve Hobbs <[email protected]>
auth0 · Sep 8, 2021 · b51eb7a · b51eb7a
1 parent 6e627a4
commit b51eb7a
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 1 deletion.
diff --git a/__tests__/Auth0Client/getTokenSilently.test.ts b/__tests__/Auth0Client/getTokenSilently.test.ts
@@ -1507,5 +1507,26 @@ describe('Auth0Client', () => {
       ).rejects.toThrow('login_required');
       expect(auth0.logout).toHaveBeenCalledWith({ localOnly: true });
     });
+
+    it('when not using Refresh Tokens and crossOriginIsolated is true, login_required is returned and the user is logged out', async () => {
+      const auth0 = setup();
+
+      await loginWithRedirect(auth0);
+
+      mockFetch.mockReset();
+
+      jest.spyOn(auth0, 'logout');
+      const originalWindow = { ...window };
+      const windowSpy = jest.spyOn(global as any, 'window', 'get');
+      windowSpy.mockImplementation(() => ({
+        ...originalWindow,
+        crossOriginIsolated: true
+      }));
+
+      await expect(
+        auth0.getTokenSilently({ ignoreCache: true })
+      ).rejects.toHaveProperty('error', 'login_required');
+      expect(auth0.logout).toHaveBeenCalledWith({ localOnly: true });
+    });
   });
 });
diff --git a/src/Auth0Client.ts b/src/Auth0Client.ts
@@ -27,7 +27,7 @@ import {
 
 import TransactionManager from './transaction-manager';
 import { verify as verifyIdToken } from './jwt';
-import { AuthenticationError, TimeoutError } from './errors';
+import { AuthenticationError, GenericError, TimeoutError } from './errors';
 
 import {
   ClientStorage,
@@ -918,6 +918,16 @@ export default class Auth0Client {
       options.timeoutInSeconds || this.options.authorizeTimeoutInSeconds;
 
     try {
+      // When a browser is running in a Cross-Origin Isolated context, using iframes is not possible.
+      // It doesn't throw an error but times out instead, so we should exit early and inform the user about the reason.
+      // https://developer.mozilla.org/en-US/docs/Web/API/crossOriginIsolated
+      if ((window as any).crossOriginIsolated) {
+        throw new GenericError(
+          'login_required',
+          'The application is running in a Cross-Origin Isolated context, silently retrieving a token without refresh token is not possible.'
+        );
+      }
+
       const codeResult = await runIframe(url, this.domainUrl, timeout);
 
       if (stateIn !== codeResult.state) {