chore(deps): update dependency @auth0/auth0-spa-js to v2 (#7524)

* chore(deps): update dependency @auth0/auth0-spa-js to v2

* fix type errors

* changes to setup

* add wip codemod

* add upgrade step

* finish codemod

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Dominic Saadi <[email protected]>

packages/auth-providers/auth0/setup/src/setupHandler.ts

@@ -18,7 +18,7 @@ export async function handler({ force: forceArg }: Args) {
       "import { authDecoder } from '@redwoodjs/auth-auth0-api'",
     apiPackages: [`@redwoodjs/auth-auth0-api@${version}`],
     webPackages: [
-      '@auth0/auth0-spa-js@^1',
+      '@auth0/auth0-spa-js@^2',
       `@redwoodjs/auth-auth0-web@${version}`,
     ],
     notes: [

packages/auth-providers/auth0/setup/src/templates/web/auth.ts.template

@@ -4,15 +4,17 @@ import { createAuth } from '@redwoodjs/auth-auth0-web'
 
 const auth0 = new Auth0Client({
   domain: process.env.AUTH0_DOMAIN || '',
-  client_id: process.env.AUTH0_CLIENT_ID || '',
-  redirect_uri: process.env.AUTH0_REDIRECT_URI,
+  clientId: process.env.AUTH0_CLIENT_ID || '',
+  authorizationParams: {
+    redirect_uri: process.env.AUTH0_REDIRECT_URI,
+    audience: process.env.AUTH0_AUDIENCE,
+  },
 
   // Storing tokens in the browser's local storage provides persistence across page refreshes and browser tabs.
   // But if an attacker can run JavaScript in your SPA using a cross-site scripting (XSS) attack,
   // they can retrieve the tokens stored in local storage.
   // See https://auth0.com/docs/libraries/auth0-spa-js#change-storage-options.
   cacheLocation: 'localstorage',
-  audience: process.env.AUTH0_AUDIENCE,
 
   // `useRefreshTokens` is required for automatically extending sessions beyond what's set in the initial JWT expiration.
   // See https://auth0.com/docs/tokens/refresh-tokens.

packages/auth-providers/auth0/web/package.json

@@ -27,7 +27,7 @@
     "core-js": "3.29.0"
   },
   "devDependencies": {
-    "@auth0/auth0-spa-js": "1.22.6",
+    "@auth0/auth0-spa-js": "2.0.4",
     "@babel/cli": "7.21.0",
     "@babel/core": "7.21.0",
     "@types/react": "18.0.28",
@@ -36,7 +36,7 @@
     "typescript": "4.9.5"
   },
   "peerDependencies": {
-    "@auth0/auth0-spa-js": "1.22.6"
+    "@auth0/auth0-spa-js": "2.0.4"
   },
   "gitHead": "3905ed045508b861b495f8d5630d76c7a157d8f1"
 }

packages/auth-providers/auth0/web/src/auth0.ts

@@ -46,8 +46,10 @@ function createAuthImplementation(auth0Client: Auth0Client) {
     signup: async (options?: RedirectLoginOptions) =>
       auth0Client.loginWithRedirect({
         ...options,
-        screen_hint: 'signup',
-        prompt: 'login',
+        authorizationParams: {
+          screen_hint: 'signup',
+          prompt: 'login',
+        },
       }),
     getToken: () => auth0Client.getTokenSilently(),
     getUserMetadata: async () => {

packages/codemods/src/codemods/v5.x.x/updateAuth0/__testfixtures__/default.input.js

@@ -0,0 +1,22 @@
+import { Auth0Client } from '@auth0/auth0-spa-js'
+
+import { createAuth } from '@redwoodjs/auth-auth0-web'
+
+const auth0 = new Auth0Client({
+  domain: process.env.AUTH0_DOMAIN || '',
+  client_id: process.env.AUTH0_CLIENT_ID || '',
+  redirect_uri: process.env.AUTH0_REDIRECT_URI,
+
+  // Storing tokens in the browser's local storage provides persistence across page refreshes and browser tabs.
+  // But if an attacker can run JavaScript in your SPA using a cross-site scripting (XSS) attack,
+  // they can retrieve the tokens stored in local storage.
+  // See https://auth0.com/docs/libraries/auth0-spa-js#change-storage-options.
+  cacheLocation: 'localstorage',
+  audience: process.env.AUTH0_AUDIENCE,
+
+  // `useRefreshTokens` is required for automatically extending sessions beyond what's set in the initial JWT expiration.
+  // See https://auth0.com/docs/tokens/refresh-tokens.
+  // useRefreshTokens: true,
+})
+
+export const { AuthProvider, useAuth } = createAuth(auth0)

packages/codemods/src/codemods/v5.x.x/updateAuth0/__testfixtures__/default.output.js

@@ -0,0 +1,21 @@
+import { Auth0Client } from '@auth0/auth0-spa-js'
+
+import { createAuth } from '@redwoodjs/auth-auth0-web'
+
+const auth0 = new Auth0Client({
+  domain: process.env.AUTH0_DOMAIN || '',
+  clientId: process.env.AUTH0_CLIENT_ID || '',
+
+  authorizationParams: {
+    redirect_uri: process.env.AUTH0_REDIRECT_URI,
+    audience: process.env.AUTH0_AUDIENCE,
+  },
+
+  // Storing tokens in the browser's local storage provides persistence across page refreshes and browser tabs.
+  // But if an attacker can run JavaScript in your SPA using a cross-site scripting (XSS) attack,
+  // they can retrieve the tokens stored in local storage.
+  // See https://auth0.com/docs/libraries/auth0-spa-js#change-storage-options.
+  cacheLocation: 'localstorage',
+})
+
+export const { AuthProvider, useAuth } = createAuth(auth0)

packages/codemods/src/codemods/v5.x.x/updateAuth0/__tests__/updateAuth0.ts

@@ -0,0 +1,5 @@
+describe('auth0', () => {
+  it('updates the auth0 file', async () => {
+    await matchTransformSnapshot('updateAuth0', 'default')
+  })
+})

packages/codemods/src/codemods/v5.x.x/updateAuth0/updateAuth0.ts

@@ -0,0 +1,36 @@
+import type { FileInfo, API } from 'jscodeshift'
+
+export default function transform(file: FileInfo, api: API) {
+  const j = api.jscodeshift
+  const ast = j(file.source)
+
+  const paths = ast.find(j.ObjectProperty, (node) => {
+    return ['redirect_uri', 'audience'].includes(node.key.name)
+  })
+
+  let nodes = paths.nodes()
+
+  nodes = nodes.map((node) => {
+    const { comments: _comments, ...rest } = node
+    return rest
+  })
+
+  paths.remove()
+
+  ast
+    .find(j.ObjectProperty, { key: { name: 'client_id' } })
+    .insertAfter(
+      j.objectProperty(
+        j.identifier('authorizationParams'),
+        j.objectExpression(nodes)
+      )
+    )
+
+  ast.find(j.Identifier, { name: 'client_id' }).replaceWith('clientId')
+
+  return ast.toSource({
+    trailingComma: true,
+    quote: 'single',
+    lineTerminator: '\n',
+  })
+}

packages/codemods/src/codemods/v5.x.x/updateAuth0/updateAuth0.yargs.ts

@@ -0,0 +1,35 @@
+import path from 'path'
+
+import execa from 'execa'
+import task, { TaskInnerAPI } from 'tasuku'
+
+import getRWPaths from '../../../lib/getRWPaths'
+import isTSProject from '../../../lib/isTSProject'
+import runTransform from '../../../lib/runTransform'
+
+export const command = 'update-auth0'
+export const description =
+  '(v4.x.x->v5.x.x) For Auth0 users; updates the web-side auth.ts,js file'
+
+export const handler = () => {
+  task('Update Auth0', async ({ setOutput }: TaskInnerAPI) => {
+    const authFile = isTSProject ? 'auth.ts' : 'auth.js'
+
+    try {
+      await execa.command('yarn up @auth0/auth0-spa-js@^2', {
+        cwd: getRWPaths().web.base,
+      })
+    } catch {
+      console.error(
+        "Couldn't update @auth0/auth0-spa-js; you'll have to upgrade it manually to the latest v2.x.x version"
+      )
+    }
+
+    await runTransform({
+      transformPath: path.join(__dirname, 'updateAuth0.js'),
+      targetPaths: [path.join(getRWPaths().web.src, authFile)],
+    })
+
+    setOutput('All done! Run `yarn rw lint --fix` to prettify your code')
+  })
+}

yarn.lock

@@ -285,18 +285,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@auth0/auth0-spa-js@npm:1.22.6":
-  version: 1.22.6
-  resolution: "@auth0/auth0-spa-js@npm:1.22.6"
-  dependencies:
-    abortcontroller-polyfill: ^1.7.3
-    browser-tabs-lock: ^1.2.15
-    core-js: ^3.25.4
-    es-cookie: ~1.3.2
-    fast-text-encoding: ^1.0.6
-    promise-polyfill: ^8.2.3
-    unfetch: ^4.2.0
-  checksum: 7f00391a30d1753ca4dee8c88501cd2d26cb064495e9b346b1639608c5135021ffd09f867fb113da561e1e4b7edb767ea031ca376eed467a0f089e76d2a7769c
+"@auth0/auth0-spa-js@npm:2.0.4":
+  version: 2.0.4
+  resolution: "@auth0/auth0-spa-js@npm:2.0.4"
+  checksum: 3532a554d606ee3f8fdfe421668c2572f6d7f108245501ac40470374e5f3dbe9ff55048557d2f6c35c97543ca1256703a3695fdc550a0d13285885f975498065
   languageName: node
   linkType: hard
 
@@ -6290,7 +6282,7 @@ __metadata:
   version: 0.0.0-use.local
   resolution: "@redwoodjs/auth-auth0-web@workspace:packages/auth-providers/auth0/web"
   dependencies:
-    "@auth0/auth0-spa-js": 1.22.6
+    "@auth0/auth0-spa-js": 2.0.4
     "@babel/cli": 7.21.0
     "@babel/core": 7.21.0
     "@babel/runtime-corejs3": 7.21.0
@@ -6301,7 +6293,7 @@ __metadata:
     react: 18.2.0
     typescript: 4.9.5
   peerDependencies:
-    "@auth0/auth0-spa-js": 1.22.6
+    "@auth0/auth0-spa-js": 2.0.4
   languageName: unknown
   linkType: soft
 
@@ -10685,13 +10677,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"abortcontroller-polyfill@npm:^1.7.3":
-  version: 1.7.5
-  resolution: "abortcontroller-polyfill@npm:1.7.5"
-  checksum: d7a5ab6fda4f9a54f22ddeb233a2564d2f4f857ec17be25fee21a91bb5090bee57c630c454634b5c4b93fc06bd90d592d1f2fc69f77cd28791ac0fe361feb7d2
-  languageName: node
-  linkType: hard
-
 "abstract-logging@npm:^2.0.1":
   version: 2.0.1
   resolution: "abstract-logging@npm:2.0.1"
@@ -12477,15 +12462,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"browser-tabs-lock@npm:^1.2.15":
-  version: 1.2.15
-  resolution: "browser-tabs-lock@npm:1.2.15"
-  dependencies:
-    lodash: ">=4.17.21"
-  checksum: 6d9243d6ec7da4d48e39d89db53945979433e390c4c9e4342b7f28060d3a40c01220a6cf53bfdd8f49857fb0031865f5b5b843254f40a57762f40e90c75cc68d
-  languageName: node
-  linkType: hard
-
 "browserify-aes@npm:^1.0.0, browserify-aes@npm:^1.0.4":
   version: 1.2.0
   resolution: "browserify-aes@npm:1.2.0"
@@ -14157,7 +14133,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"core-js@npm:3.29.0, core-js@npm:^3.0.4, core-js@npm:^3.25.4, core-js@npm:^3.26.0, core-js@npm:^3.27.2, core-js@npm:^3.6.5, core-js@npm:^3.8.2":
+"core-js@npm:3.29.0, core-js@npm:^3.0.4, core-js@npm:^3.26.0, core-js@npm:^3.27.2, core-js@npm:^3.6.5, core-js@npm:^3.8.2":
   version: 3.29.0
   resolution: "core-js@npm:3.29.0"
   checksum: 6955cbbc34d130239d8992a8dd807b406088b74d7fe32cecbcee497de21aa0a0498a64195635d292b90a87e71b9b7e985200d32b674b00fc63e9d852fd9033a5
@@ -15935,13 +15911,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"es-cookie@npm:~1.3.2":
-  version: 1.3.2
-  resolution: "es-cookie@npm:1.3.2"
-  checksum: 26eb6e06b25b5569d8763fcb23b5335a5098e354b0a9a7bc5122e8c8705003307187a165ddaeda5cff08fa4cc8e1675dbddd5709279fb27cfa8875514dc3eccb
-  languageName: node
-  linkType: hard
-
 "es-get-iterator@npm:^1.0.2, es-get-iterator@npm:^1.1.2":
   version: 1.1.3
   resolution: "es-get-iterator@npm:1.1.3"
@@ -17090,7 +17059,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"fast-text-encoding@npm:^1.0.0, fast-text-encoding@npm:^1.0.3, fast-text-encoding@npm:^1.0.6":
+"fast-text-encoding@npm:^1.0.0, fast-text-encoding@npm:^1.0.3":
   version: 1.0.6
   resolution: "fast-text-encoding@npm:1.0.6"
   checksum: e1d0381bda229c92c7906f63308f3b9caca8c78b732768b1ee16f560089ed21bc159bbe1434138ccd3815931ec8d4785bdade1ad1c45accfdf27ac6606ac67d2
@@ -22316,7 +22285,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"lodash@npm:4.17.21, lodash@npm:>=4.17.21, lodash@npm:^4.11.2, lodash@npm:^4.17.14, lodash@npm:^4.17.15, lodash@npm:^4.17.19, lodash@npm:^4.17.20, lodash@npm:^4.17.21, lodash@npm:~4.17.0":
+"lodash@npm:4.17.21, lodash@npm:^4.11.2, lodash@npm:^4.17.14, lodash@npm:^4.17.15, lodash@npm:^4.17.19, lodash@npm:^4.17.20, lodash@npm:^4.17.21, lodash@npm:~4.17.0":
   version: 4.17.21
   resolution: "lodash@npm:4.17.21"
   checksum: d8cbea072bb08655bb4c989da418994b073a608dffa608b09ac04b43a791b12aeae7cd7ad919aa4c925f33b48490b5cfe6c1f71d827956071dae2e7bb3a6b74c
@@ -26210,13 +26179,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"promise-polyfill@npm:^8.2.3":
-  version: 8.2.3
-  resolution: "promise-polyfill@npm:8.2.3"
-  checksum: 8d0418ef94d92ff53b3d8a42f47596bd354f4dfadcf21a5d52682f3addba05b05c02d88d4674e4909c069c8e14128a6d0d5e646392fb088b5300f99982a11a6c
-  languageName: node
-  linkType: hard
-
 "promise-retry@npm:^2.0.1":
   version: 2.0.1
   resolution: "promise-retry@npm:2.0.1"