Merge branch 'main' into code_formatting

Author: AlexElin

.github/CODEOWNERS

@@ -1 +1 @@
-*	@auth0/dx-sdks-engineer
+*	@auth0/project-dx-sdks-engineer-codeowner

.github/actions/rl-scanner/action.yml

@@ -0,0 +1,71 @@
+name: 'Reversing Labs Scanner'
+description: 'Runs the Reversing Labs scanner on a specified artifact.'
+inputs:
+  artifact-path:
+    description: 'Path to the artifact to be scanned.'
+    required: true
+  version:
+    description: 'Version of the artifact.'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.10'
+
+    - name: Install Python dependencies
+      shell: bash
+      run: |
+        pip install boto3 requests
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }}
+        aws-region: us-east-1
+        mask-aws-account-id: true
+
+    - name: Install RL Wrapper
+      shell: bash
+      run: |
+        pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
+
+    - name: Run RL Scanner
+      shell: bash
+      env:
+        RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }}
+        RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }}
+        SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }}
+        PYTHONUNBUFFERED: 1
+      run: |
+        if [ ! -f "${{ inputs.artifact-path }}" ]; then
+          echo "Artifact not found: ${{ inputs.artifact-path }}"
+          exit 1
+        fi
+
+        rl-wrapper \
+          --artifact "${{ inputs.artifact-path }}" \
+          --name "${{ github.event.repository.name }}" \
+          --version "${{ inputs.version }}" \
+          --repository "${{ github.repository }}" \
+          --commit "${{ github.sha }}" \
+          --build-env "github_actions" \
+          --suppress_output
+
+        # Check the outcome of the scanner
+        if [ $? -ne 0 ]; then
+          echo "RL Scanner failed."
+          echo "scan-status=failed" >> $GITHUB_ENV
+          exit 1
+        else
+          echo "RL Scanner passed."
+          echo "scan-status=success" >> $GITHUB_ENV
+        fi
+
+outputs:
+  scan-status:
+    description: 'The outcome of the scan process.'
+    value: ${{ env.scan-status }}

.github/workflows/browserstack.yml

@@ -3,7 +3,7 @@ name: Browserstack
 on:
   merge_group:
   workflow_dispatch:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - synchronize
@@ -23,15 +23,8 @@ env:
   CACHE_KEY: '${{ github.event.pull_request.head.sha || github.ref }}-${{ github.run_id }}-${{ github.run_attempt }}'
 
 jobs:
-  authorize:
-    name: Authorize
-    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - run: true
 
   browserstack:
-    needs: authorize # Require approval before running on forked pull requests
 
     name: BrowserStack Tests
     runs-on: ubuntu-latest

.github/workflows/publish.yml

@@ -52,8 +52,9 @@ jobs:
       # Build the tag string from package.json version and release suffix. Produces something like `1.0.0-beta.1` for a beta, or `1.0.0` for a stable release.
       - name: Build tag
         id: vtag
-        run: |
+        env:
           PACKAGE_VERSION="${{ github.event.inputs.version }}"
+        run: |
           echo "vtag=${PACKAGE_VERSION}" >> $GITHUB_ENV
           echo "vtag=${PACKAGE_VERSION}" >> $GITHUB_OUTPUT
 

.github/workflows/release.yml

@@ -15,8 +15,22 @@ permissions:
 ### TODO: Also remove `npm-release` workflow from this repo's .github/workflows folder once the repo is public.
 
 jobs:
+  rl-scanner:
+    uses: ./.github/workflows/rl-secure.yml
+    with:
+      node-version: 18 ## depends if build requires node else we can remove this.
+      artifact-name: 'auth0-angular.tgz' ## Will change respective to Repository 
+    secrets:
+      RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+      RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+      SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+      PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+      PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+      PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+
   release:
     uses: ./.github/workflows/npm-release.yml
+    needs: rl-scanner ## this is important as this will not let release job to run until rl-scanner is done
     with:
       node-version: 18
       require-build: true

.github/workflows/rl-secure.yml

@@ -0,0 +1,67 @@
+name: RL-Secure Workflow
+
+on:
+  workflow_call:
+    inputs:
+      node-version: ## depends if build requires node else we can remove this.
+        required: true
+        type: string
+      artifact-name:
+        required: true
+        type: string
+    secrets:
+      RLSECURE_LICENSE:
+        required: true
+      RLSECURE_SITE_KEY:
+        required: true
+      SIGNAL_HANDLER_TOKEN:
+        required: true
+      PRODSEC_TOOLS_USER:
+        required: true
+      PRODSEC_TOOLS_TOKEN:
+        required: true
+      PRODSEC_TOOLS_ARN:
+        required: true
+
+jobs:
+  rl-scanner:
+    name: Run Reversing Labs Scanner
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
+    runs-on: ubuntu-latest
+    outputs:
+      scan-status: ${{ steps.rl-scan-conclusion.outcome }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Build package
+        uses: ./.github/actions/build
+        with:
+          node: ${{ inputs.node-version }}
+
+      - name: Create tgz build artifact
+        run: |
+          tar -czvf ${{ inputs.artifact-name }} *
+
+      - id: get_version
+        uses: ./.github/actions/get-version
+
+      - name: Run RL Scanner
+        id: rl-scan-conclusion
+        uses: ./.github/actions/rl-scanner
+        with:
+          artifact-path: "$(pwd)/${{ inputs.artifact-name }}"
+          version: "${{ steps.get_version.outputs.version }}"
+        env:
+          RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+          RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+          SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+          PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+          PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+          PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+
+      - name: Output scan result
+        run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV

.github/workflows/semgrep.yml

@@ -2,7 +2,7 @@ name: Semgrep
 
 on:
   merge_group:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - synchronize
@@ -20,15 +20,8 @@ concurrency:
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
 jobs:
-  authorize:
-    name: Authorize
-    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - run: true
 
   run:
-    needs: authorize # Require approval before running on forked pull requests
 
     name: Check for Vulnerabilities
     runs-on: ubuntu-latest

.github/workflows/snyk.yml

@@ -3,7 +3,7 @@ name: Snyk
 on:
   merge_group:
   workflow_dispatch:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - synchronize
@@ -21,15 +21,8 @@ concurrency:
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
 jobs:
-  authorize:
-    name: Authorize
-    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - run: true
 
   check:
-    needs: authorize
 
     name: Check for Vulnerabilities
     runs-on: ubuntu-latest

.github/workflows/test.yml

@@ -67,7 +67,7 @@ jobs:
         run: npm run test:ci
 
       - name: Upload coverage
-        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # pin@3.1.4
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # pin@5.4.3
 
   lint:
     needs: build # Require build to complete before running tests

FAQ.md

@@ -11,6 +11,7 @@
 7. [Using the SDK with Angular Universal](#7-using-the-sdk-with-angular-universal)
 8. [Retrieving and refreshing a token](#8-retrieving-and-refreshing-a-token)
 9. [When using localOnly logout, the user is getting logged in again](#9-when-using-localonly-logout-the-user-is-getting-logged-in-again)
+9. [Skip the Auth0 login page?](#10-skip-the-auth0-login-page)
 
 ## 1. User is not logged in after page refresh
 
@@ -288,3 +289,35 @@ providers: [
     }
   ],
 ```
+
+## 10. Skip the Auth0 login page
+
+When integrating with third party providers such as Google or Microsoft, being redirected to Auth0 before being redirected to the corresponding provider can be sub-optimal in terms of user-experience.
+If you only have a single connection enabled, or you know up front how the user wants to authenticate, you can set the `connection` parameter when calling `loginWithRedirect()` or `loginWithPopup()`:
+
+```
+this.auth.loginWithRedirect({
+  // ...
+  authorizationParams: {
+    connection: 'connection_logical_identifier'
+  }
+})
+```
+
+Doing so for connections such as Google or Microsoft, would automatically redirect you to them instead of showing the Auth0 login page first.
+
+Additionally, if you are using our AuthGuard, you may want it to pick up the same connection when it would redirect for login. To do so, you should provide the `connection` property when configuring Auth0:
+
+```
+bootstrapApplication(AppComponent, {
+  providers: [
+    provideAuth0({ 
+      authorizationParams: { 
+        connection: 'connection_logical_identifier' 
+      }
+    }),
+  ]
+});
+```
+
+ℹ️ You can find the connection's logical identifier as the **connection name** in the connection settings in the Auth0 dashboard for your tenant.