Merge pull request #42 from mt-kenny/test/remove-default-code-verifier

[AK-414] Make PKCE as optional

Author: mt-kenny

dist/index.js

@@ -67,6 +67,7 @@ mtLinkSdk.init(clientId, options);
 ### authorize
 
 OAuth authorization method to request guest consent to access data via the [Link API](https://getmoneytree.com/au/link/about).<br /><br />
+For [security reasons](https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#why-you-should-never-use-the-implicit-flow-again) we removed support for implicit flow. We have opted for the [PKCE](https://auth0.com/docs/flows/concepts/auth-code-pkce)/[code grant](https://www.oauth.com/oauth2-servers/access-tokens/authorization-code-request/) flow.<br /><br />
 Guest login is required for this SDK to work, by default we will show the login screen and redirect the guest to the consent screen after they log in (Redirection happens immediately if they are currently logged in; you may pass the [forceLogout option](#authorize_option_force_logout) to force the guest to log in, even if they have an active session.)<br /><br />
 You may also choose to display the sign up form by default by passing the [authAction option](#authorize_option_auth_action).
 
@@ -84,7 +85,7 @@ mtLinkSdk.authorize(options);
 | options.scopes | string <p><strong>OR</strong></p> string[] | false | Value set during `init`.<p><strong>OR</strong></p>`guest_read` | Access scopes you're requesting. This can be a single scope, or an array of scopes.<br /><br />Currently supported scopes are:<br />`guest_read`, `accounts_read`, `points_read`, `point_transactions_read`, `transactions_read`, `transactions_write`, `expense_claims_read`, `categories_read`, `investment_accounts_read`, `investment_transactions_read`, `notifications_read`, `request_refresh`, `life_insurance_read`. |
 | options.redirectUri | string | false | Value set during `init`. | OAuth redirection URI, refer [here](https://www.oauth.com/oauth2-servers/redirect-uris/) for more details.<br /><br /><strong>NOTE:</strong> This function will throw an error if this value is undefined <strong>and</strong> no default value was provided in the [init options](?id=api-init_options). |
 | options.state | string | false | Value set during `init`.<p><strong>OR</strong></p>Randomly generated [uuid](<https://en.wikipedia.org/wiki/Universally_unique_identifier#Version_4_(random)>). | Refer [here](https://auth0.com/docs/protocols/oauth2/oauth-state) for more details.<br /><br /><strong>NOTE:</strong> Make sure to set this value explicitly if your server generates an identifier for the OAuth authorization request so that you can use to acquire the access token after the OAuth redirect occurs. |
-| options.codeVerifier | string | false | Value set during `init`.<p><strong>OR</strong></p>Randomly generated [uuid](<https://en.wikipedia.org/wiki/Universally_unique_identifier#Version_4_(random)>). | For [security reasons](https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#why-you-should-never-use-the-implicit-flow-again) we removed support for implicit flow. We have opted for the [PKCE](https://auth0.com/docs/flows/concepts/auth-code-pkce)/[code grant](https://www.oauth.com/oauth2-servers/access-tokens/authorization-code-request/) flow.<p>We only support SHA256, therefore this `codeVerifier` will be used to generate the `code_challenge` using the SHA256 hash algorithm. [Click here](https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce) for more details.</p><strong>NOTE:</strong> Make sure to set this value explicitly if your server generates an identifier for the OAuth authorization request so that you can use to acquire the access token after the OAuth redirect occurs. |
+| options.codeVerifier | string | false | Value set during `init`. | We only support SHA256, therefore this `codeVerifier` will be used to generate the `code_challenge` using the SHA256 hash algorithm. [Click here](https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce) for more details.</p><strong>NOTE:</strong> Make sure to set this value explicitly if your server generates an identifier for the OAuth authorization request so that you can use to acquire the access token after the OAuth redirect occurs. |
 | <span id="authorize_option_force_logout">options.forceLogout</span> | boolean | false | `false` | Force existing guest session to logout and call authorize with a clean state. |
 | options.country | `AU`, ` JP` | false | Value set during `init`. | Server location for the guest to login or sign up. If you wish to restrict your guest to only one country, make sure to set this value.<br /><br /><strong>NOTE:</strong> For apps created after 2020-07-08, the sign up form will display a country selection dropdown for the guest to select a country when this value is undefined or invalid. |
 

docs/README.md

@@ -67,8 +67,8 @@ export default function authorize(
     response_type: 'code',
     scope: constructScopes(scopes),
     redirect_uri: redirectUri,
-    code_challenge: codeChallenge,
-    code_challenge_method: codeVerifier && 'S256',
+    code_challenge: codeChallenge || undefined,
+    code_challenge_method: codeVerifier ? 'S256' : undefined,
     state,
     country,
     locale,

src/api/authorize.ts

@@ -84,8 +84,8 @@ export default function onboard(storedOptions: StoredOptions, options: OnboardOp
     response_type: 'code',
     scope: constructScopes(scopes),
     redirect_uri: redirectUri,
-    code_challenge: codeChallenge,
-    code_challenge_method: codeVerifier && 'S256',
+    code_challenge: codeChallenge || undefined,
+    code_challenge_method: codeVerifier ? 'S256' : undefined,
     state,
     country,
     locale,

src/api/onboard.ts

@@ -30,7 +30,7 @@ export class MtLinkSdk {
   public storedOptions: StoredOptions = {
     mode: 'production',
     state: storage.get('state') || uuid(),
-    codeVerifier: storage.get('codeVerifier') || uuid(),
+    codeVerifier: storage.get('codeVerifier') || '',
   };
 
   public init(clientId: string, options: InitOptions = {}): void {