auth0-samples / auth0-angularjs-samples Goto Github PK

Seeds projects are using an oudated version of the dependency auth0-js
Latest auth0-js version 8.9.2

Description:
Some vulnerabilities are showing up in all AngularJS Samples.

(AUTH-4127)
Samples using outdated version of auth0-js and @uirouter/angularjs.

oidcConformant option is commented in 05-Authorization sample. (AUTH-3769)

After successfully logging in I click the "profile" button and it loads an empty profile. I then refresh the page and it appears, also shows if I navigate away and then return to profile. (No console errors)

(AUTH-4045)
Samples using outdated version of angular-ui-router (0.4.2 when up-to-date version is 1.0.3)

When we hit the profile page (secure page) , without logging in, it is not redirecting to login page, instead JS error is thrown saying token is null

The API calls included in the Angular.js quickstart due to the difference in IP between the execution in localhost and on docker, the "API_URL" variable should be transfered to the .env file to centralize that configuration.

In the Readme.md file, the instructions say:

"cd 04-Calling-an-API"

But, the folder name is "04-authorization"

AUTH-3812

There should be a specified instruction for when the user executes the app through docker in order to properly configure the callback_url, this variable comes prepopulated when the sample's downloaded as:

http://localhost:3000/callback

but the app doesn't run by default in the localhost address, to find out the ip of the docker machine(running "docker-machine ip" on the command prompt will display the correct IP), the callback_url should match this IP in this way:

http://+docker-machine-ip+:3000/callback

When I'm trying to log in using username-password-authentication, I received 401 Unauthorized, but I'm sure that credentials is correct.

Also when I'm trying to use google-oauth2 connection, it logs my Success login with different email but in reality nothing happens, I'm still having You are not logged in! Please Log In to continue. (other social connections works simmilar, logs my Success login, but nothing happens on client)

Seeds projects are using an oudated version of the dependencies:

• express-> latest version: 4.16
• express-jwt -> latest version: 5.3

AUTH-3812

Hello,

I implemented the custom login form but when I press the login button that is supposed to show the login form I receive the following error:

Error: username option is required
    at attribute (auth0.js:268)
    at Object.check (auth0.js:295)
    at Authentication.login (auth0.js:2864)
    at Object.login (auth.service.js:14)
    at fn (eval at compile (angular.js:15358), <anonymous>:4:208)
    at callback (angular.js:26994)
    at ChildScope.$eval (angular.js:18161)
    at ChildScope.$apply (angular.js:18261)
    at HTMLButtonElement.<anonymous> (angular.js:26999)
    at defaultHandlerWrapper (angular.js:3734)

Login function in my AuthService:

function login(username, password) {
  angularAuth0.client.login({
    realm: 'Username-Password-Authentication',
    username: username,
    password: password,
  }, function(err, authResult) {
    if (err) {
      console.log(err);
      alert('Error: ' + err.description + '. Check the console for further details.');
      return;
    }
    if (authResult && authResult.idToken) {
      setSession(authResult);
      $state.go('home');
    }
  });
}

When running the sample for 04-authorization, during the "Ping" for "Call Private" in the server console I get the following deprecated message.

AUTH-3812

(AUTH-3830)
I've tried to use 02-Custom-Login-Form sample, but received error even after I've registered new account. Here is video demonstration. But in logs it's all good.

Also you can see webauth.redirect.loginWithCredentials will be soon deprecated, use webauth.authorize instead. warning.

Here is my current setup after a couple days of determining auth0-lock 10.11.0 requires auth0.js:

      lock.on('authenticated', function (authResult) {
            store.set('id_token', authResult.idToken);
            lock.getProfile(authResult.idToken, function (error, profile) {
                if (error) {
                    return console.log(error);
                }
                store.set('profile', profile);
            });
            authManager.authenticate();
            ...
        });

Since version 9, both token and profile were transmitted in the same request.

I've asked the initial question here: auth0/angular-jwt#157

I have 2 clients set up, one for the Angular 1 SPA, and one for the Python/Flask API. Both set to HS256.

When logging in via the hosted page, the callback to my SPA is in seemingly in the correct format:

https://myapp.com/callback#access_token=NLcH4l337-d-8D7x&expires_in=7200&token_type=Bearer&state=g02VgjgHLGU.ZDFBEEF1S5Fj5El8ZI8X&id_token=abc.xyz.def

However, the SPA sends (what I'm told) an opaque token to my API:

Authorization: Bearer NzmWR9AfD40PEYfC

Please let me know where in my travels I might have made the wrong turn. Thanks!

When runing npm install you get a Warning that "angular-ui-router" has been renamed and you should update package.json

AUTH-3812

(AUTH-3831)
After login in using 03-user-profile sample, I've received infinite loading and error (same error with 01-basic login too):

Also there is warning that parameters are not allowed on the /authorize

The lock's version is outdated on the index.html of the following samples:

• 01-Basic-Login
• 03-User-Profile
• 04-Calling-API
• 05-Authorization

As shown on the following picture:

Ticket: AUTH-3812

After download the Sample project, the parameters AUTH0-AUDIENCE in

• \03-calling-an-api.env
• \03-calling-an-api\auth0-variables.js
• \04-authorization.env
• \04-authorization\auth0-variables.js
• \05-token-renewal\auth0-variables.js

Are not propely prepopulated.

I was logged in with a US account and this parameter in all the previously mentioned files was populated with a EU account URL (also mine).

AUTH-3812

The error message displayed by the API included in the sample doesn't have the proper format:

This is shown while calling the /api/private endpoint

I'm trying the AngularJS example (from download, not Github).
After social login, I get redirected back to
http://localhost:3000/callback#access_token=<redacted>&expires_in=7200&token_type=Bearer&state=<redacted>
and just see a spinning wheel.
Every login adds another cookie as well, e.g. here after 3 login attempts:

No errors in the console.

Chrome Version 72.0.3626.121 (Official Build) (64-bit)
MacOS Mojave 10.14.3 (18D109)

Am I doing something wrong?
(It worked once before, and I made no changes to the code.)