Broadleaf Microservices

Release Notes for 1.5.3

Important Updates

  • Now supports Node 18. Node 14 has reached end-of-life and we recommend upgrading to Node 18 as soon as possible since Node 16 reaches end of life in September 2023.

    • Upgrading Node is not required to use this update.

Features & Enhancements

  • Added support to automatically redirect to login after successful registration or password reset for users of the auth-react library.

    • This is useful when the auth server is on a different domain than the commerce app since browsers block cross-domain cookies, preventing auto-login from working correctly (the BLSID cookie will be blocked).

    • This is enabled automatically when refresh-token-rotation is enabled.

    • This can also be enabled directly by passing in enableAutoRedirectToLoginParam to AuthProvider.

    • The param is named redirectToLogin and should be included in the Admin when setting up AuthorizedClient redirect URIs.

  • Added support to include redirectToLogin in the returnTo param of registerWithRedirect automatically as well.

  • Added support for using Browser local or session storage to store refresh tokens when refresh token rotation is enabled.

    • This is to support retrieving an access token when a session cookie (BLSID) is not available, usually only for cross-origin auth situations where the Auth server and frontend apps are on different domains.

    • According to Auth0, it is acceptable to use browser storage with refresh token rotation as long as re-use detection is implemented, which Broadleaf has: https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/#You-Can-Store-Refresh-Token-In-Local-Storage.

    • This feature is only allowed when using refresh token rotation and not when using silent-auth with iframe.

    • To enable, pass useRefreshTokens and useSessionStorageForTokenCache or useLocalStorageForTokenCache as true to AuthProvider or AuthClient. Also ensure that useIFrameAsFallbackForRefreshToken is false.

      Next.js Starter Example Usage
      <AuthProvider
        key={clientId}
        accountId={accountId}
        baseURL="https://www.my-auth-server.com"
        redirectUri="https://www.my-frontend.com"
        clientId={clientId}
        credentials
        scope="USER CUSTOMER"
        useRefreshTokens
        usePkce
        useIFrameAsFallbackForRefreshToken={false}
        /* Choose one token cache: */
        useSessionStorageForTokenCache /* session storage is cleared when the browser closes */
        /* or: useLocalStorageForTokenCache (local storage won't be cleared) */
      >
        {children} {/* the app tree wrapped by the provider */}
      </AuthProvider>

Bug Fixes

  • Fixed the returnTo and redirectUri params of registerWithRedirect, changePasswordWithRedirect, and logoutWithRedirect to default to the AuthClient#redirectUri instead of window.location.origin.

    • AuthClient#redirectUri is set based on an option passed in when instantiating the AuthClient. If it is not present, it will default to window.location.origin.

  • Fixed the selected B2B account ID not being included in the auth token cache key.

    • Most users will not have noticed this because the default token cache is in-memory, so reloading the page clears it, and a reload is the default behavior of the Next.js Starter when switching accounts.