Update dependencies and enhance webAuth methods to support HTTPS

.snyk

@@ -5,12 +5,12 @@ ignore:
   SNYK-JS-INFLIGHT-6095116:
     - '*':
         reason: No fix available
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-02-02T05:47:18.380Z
   SNYK-JS-BABELHELPERS-9397697:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   SNYK-JS-IMAGESIZE-9634164:
     - '*':
@@ -20,56 +20,56 @@ ignore:
   snyk:lic:npm:lightningcss-win32-x64-msvc:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss-linux-x64-musl:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss-linux-x64-gnu:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss-linux-arm64-musl:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss-linux-arm64-gnu:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss-linux-arm-gnueabihf:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss-freebsd-x64:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss-darwin-x64:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss-darwin-arm64:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
   snyk:lic:npm:lightningcss-win32-arm64-msvc:MPL-2.0:
     - '*':
         reason: This issue is temporarily ignored while we evaluate alternative dependencies or wait for an update from Expo/Metro.
-        expires: 2025-04-12T09:15:05.191Z
+        expires: 2025-05-12T09:15:05.191Z
         created: 2025-03-12T09:15:05.191Z
 patch: {}

A0Auth0.podspec

@@ -17,7 +17,7 @@ Pod::Spec.new do |s|
   s.requires_arc = true
 
   s.dependency 'React-Core'
-  s.dependency 'Auth0', '2.7.2'
-  s.dependency 'JWTDecode', '3.1.0'
-  s.dependency 'SimpleKeychain', '1.1.0'
+  s.dependency 'Auth0', '2.10'
+  s.dependency 'JWTDecode', '3.2.0'
+  s.dependency 'SimpleKeychain', '1.2.0'
 end

EXAMPLES.md

@@ -8,14 +8,18 @@
   - [Login using MFA with One Time Password code](#login-using-mfa-with-one-time-password-code)
   - [Login with Passwordless](#login-with-passwordless)
   - [Create user in database connection](#create-user-in-database-connection)
+  - [Using HTTPS callback URLs](#using-https-callback-urls)
 - [Management API (Users)](#management-api-users)
   - [Patch user with user_metadata](#patch-user-with-user_metadata)
   - [Get full user profile](#get-full-user-profile)
 - [Organizations](#organizations)
   - [Log in to an organization](#log-in-to-an-organization)
   - [Accept user invitations](#accept-user-invitations)
 - [Bot Protection](#bot-protection)
-- [Domain Switching](#domain-switching)
+  - [Domain Switching](#domain-switching)
+    - [Android](#android)
+    - [iOS](#ios)
+    - [Expo](#expo)
 
 ## Authentication API
 
@@ -70,7 +74,9 @@ auth0.auth
 Custom Schemes can be used for redirecting to the React Native application after web authentication:
 
 ```js
-authorize({}, { customScheme: 'auth0' }).then(console.log).catch(console.error);
+authorize({}, { customScheme: 'YOUR_AUTH0_DOMAIN' })
+  .then(console.log)
+  .catch(console.error);
 ```
 
 ### Login using MFA with One Time Password code
@@ -154,6 +160,17 @@ auth0.auth
   .catch(console.error);
 ```
 
+### Using HTTPS callback URLs
+
+HTTPS callback URLs provide enhanced security compared to custom URL schemes. They work with Android App Links and iOS Universal Links to prevent URL scheme hijacking:
+
+```js
+auth0.webAuth
+  .authorize({ scope: 'openid profile email' }, { customScheme: 'https' })
+  .then((credentials) => console.log(credentials))
+  .catch((error) => console.log(error));
+```
+
 ## Management API (Users)
 
 ### Patch user with user_metadata

FAQ.md

@@ -261,4 +261,4 @@ If you don't need SSO, consider using `ephemeral sessions` or `SFSafariViewContr
 
 ## 9. How can I prevent the autogenerated redirect_uri from breaking if the applicationId has mixed cases or special characters in it on Android ?
 
-It is recommended to have your applicationId in lower case without special characters to prevent any mismatch with the generated redirect_uri. But in the scenario where you require your applicationId to be of mixed case, to avoid any mismatch , the user can pass a `redirectUri` whihc matches the one provided in the manage dashboard as part of the `AgentLoginOptions` property.
+It is recommended to have your applicationId in lower case without special characters to prevent any mismatch with the generated redirect_uri. But in the scenario where you require your applicationId to be of mixed case, to avoid any mismatch , the user can pass a `redirectUri` which matches the one provided in the manage dashboard as part of the `AgentLoginOptions` property.

README.md

@@ -103,8 +103,6 @@ Take note of this value as you'll be requiring it to define the callback URLs be
 
 > For more info please read the [React Native docs](https://facebook.github.io/react-native/docs/linking.html).
 
-> Whenever possible, Auth0 recommends using `https` scheme with [Android App Links](https://auth0.com/docs/applications/enable-android-app-links) as a secure way to link directly to content within your app. Custom URL schemes can be subject to [client impersonation attacks](https://datatracker.ietf.org/doc/html/rfc8252#section-8.6).
-
 ##### Skipping the Web Authentication setup
 
 If you don't plan to use Web Authentication, you will notice that the compiler will still prompt you to provide the `manifestPlaceholders` values, since the `RedirectActivity` included in this library will require them, and the Gradle tasks won't be able to run without them.
@@ -213,21 +211,112 @@ Go to the [Auth0 Dashboard](https://manage.auth0.com/#/applications), select you
 
 If in addition you plan to use the log out method, you must also add these URLs to the **Allowed Logout URLs**.
 
+> [!NOTE]
+> Whenever possible, Auth0 recommends using [Android App Links](https://developer.android.com/training/app-links) and [Apple Universal Links](https://developer.apple.com/documentation/xcode/allowing-apps-and-websites-to-link-to-your-content) for your callback and logout URLs. Custom URL schemes can be subject to [client impersonation attacks](https://datatracker.ietf.org/doc/html/rfc8252#section-8.6).
+>
+> 💡 If your Android app is using [product flavors](https://developer.android.com/studio/build/build-variants#product-flavors), you might need to specify different manifest placeholders for each flavor.
+
 #### Android
 
+##### Custom Scheme
+
+```text
+{YOUR_APP_PACKAGE_NAME}.auth0://{YOUR_AUTH0_DOMAIN}/android/{YOUR_APP_PACKAGE_NAME}/callback
+```
+
+##### App Link (Recommended):
+
 ```text
-{YOUR_APP_PACKAGE_NAME}.auth0://{AUTH0_DOMAIN}/android/{YOUR_APP_PACKAGE_NAME}/callback
+https://{YOUR_AUTH0_DOMAIN}/android/{YOUR_APP_PACKAGE_NAME}/callback
+```
+
+> Replace {YOUR_APP_PACKAGE_NAME} and {YOUR_AUTH0_DOMAIN} with your actual application package name and Auth0 domain. Ensure that {YOUR_APP_PACKAGE_NAME} is all lowercase.
+
+To enable App Links, set the `auth0Scheme` to `https` in your `build.gradle` file.
+
+```text
+android {
+    defaultConfig {
+        manifestPlaceholders = [auth0Domain: "@string/com_auth0_domain", auth0Scheme: "https"]
+    }
+}
 ```
 
-> Make sure to replace {YOUR_APP_PACKAGE_NAME} and {AUTH0_DOMAIN} with the actual values for your application. The {YOUR_APP_PACKAGE_NAME} value provided should be all lower case.
+This configuration ensures that your app uses https for the callback URL scheme, which is required for Android App Links.
+
+#### Enable Android App Links Support
+
+[Android App Links](https://developer.android.com/training/app-links) allow an application to designate itself as the default handler of a given type of link. For example, clicking a URL in an email would open the link in the designated application. This guide will show you how to enable Android App links support for your Auth0-registered application using Auth0's Dashboard.
+
+1.  Go to [Auth0 Dashboard > Applications > Applications](https://manage.auth0.com/#/applications), and select the name of the application to view.
+
+2.  Scroll to the bottom of the Settings page, and select **Show Advanced Settings**.
+3.  Select Device Settings, provide the [App Package Name and](https://developer.android.com/studio/build/application-id) the SHA256 fingerprints of your app’s signing certificate for your Android application, and select Save Changes.
+    ![android-app-link](assets/android-app-link.png)
+
+> You can use the following command to generate the fingerprint using the Java keytool in your terminal: `keytool -list -v -keystore my-release-key.keystore`
+
+To learn more about signing certificates, see Android's [Sign Your App](https://developer.android.com/studio/publish/app-signing.html) developer documentation.
 
 #### iOS
 
+##### Custom Scheme
+
 ```text
-{PRODUCT_BUNDLE_IDENTIFIER}.auth0://{AUTH0_DOMAIN}/ios/{PRODUCT_BUNDLE_IDENTIFIER}/callback
+{PRODUCT_BUNDLE_IDENTIFIER}.auth0://{YOUR_AUTH0_DOMAIN}/ios/{PRODUCT_BUNDLE_IDENTIFIER}/callback
 ```
 
-> Make sure to replace {PRODUCT_BUNDLE_IDENTIFIER} and {AUTH0_DOMAIN} with the actual values for your application. The {PRODUCT_BUNDLE_IDENTIFIER} value provided should be all lower case.
+##### Universal Link (Recommended):
+
+```text
+https://{YOUR_AUTH0_DOMAIN}/ios/{PRODUCT_BUNDLE_IDENTIFIER}/callback
+```
+
+> Replace `{PRODUCT_BUNDLE_IDENTIFIER}` and `{YOUR_AUTH0_DOMAIN}` with your actual product bundle identifier and Auth0 domain. Ensure that {PRODUCT_BUNDLE_IDENTIFIER} is all lowercase.
+
+#### Configure an associated domain for iOS
+
+> [!IMPORTANT]
+> This step requires a paid Apple Developer account. It is needed to use Universal Links as callback and logout URLs.
+> Skip this step to use a custom URL scheme instead.
+
+##### Configure the Team ID and bundle identifier
+
+Scroll to the end of the settings page of your Auth0 application and open **Advanced Settings > Device Settings**. In the **iOS** section, set **Team ID** to your [Apple Team ID](https://developer.apple.com/help/account/manage-your-team/locate-your-team-id/), and **App ID** to your app's bundle identifier.
+
+![Screenshot of the iOS section inside the Auth0 application settings page](https://github.com/auth0/Auth0.swift/assets/5055789/7eb5f6a2-7cc7-4c70-acf3-633fd72dc506)
+
+This will add your app to your Auth0 tenant's `apple-app-site-association` file.
+
+##### Add the associated domain capability
+
+In Xcode, go to the **Signing and Capabilities** [tab](https://developer.apple.com/documentation/xcode/adding-capabilities-to-your-app#Add-a-capability) of your app's target settings, and press the **+ Capability** button. Then select **Associated Domains**.
+
+![Screenshot of the capabilities library inside Xcode](https://github.com/auth0/Auth0.swift/assets/5055789/3f7b0a70-c36c-46bf-9441-29f98724204a)
+
+Next, add the following [entry](https://developer.apple.com/documentation/xcode/configuring-an-associated-domain#Define-a-service-and-its-associated-domain) under **Associated Domains**:
+
+```text
+webcredentials:YOUR_AUTH0_DOMAIN
+```
+
+<details>
+  <summary>Example</summary>
+
+If your Auth0 Domain were `example.us.auth0.com`, then this value would be:
+
+```text
+webcredentials:example.us.auth0.com
+```
+
+</details>
+
+If you have a [custom domain](https://auth0.com/docs/customize/custom-domains), replace `YOUR_AUTH0_DOMAIN` with your custom domain.
+
+> [!NOTE]
+> For the associated domain to work, your app must be signed with your team certificate **even when building for the iOS simulator**. Make sure you are using the Apple Team whose Team ID is configured in the settings page of your Auth0 application.
+
+Refer to the example of [Using custom scheme for web authentication redirection](https://github.com/auth0/react-native-auth0/blob/master/EXAMPLES.md#using-custom-scheme-for-web-authentication-redirection)
 
 ## Next Steps
 

example/ios/Podfile.lock

@@ -1,12 +1,12 @@
 PODS:
   - A0Auth0 (4.4.0):
-    - Auth0 (= 2.7.2)
-    - JWTDecode (= 3.1.0)
+    - Auth0 (= 2.10)
+    - JWTDecode (= 3.2.0)
     - React-Core
-    - SimpleKeychain (= 1.1.0)
-  - Auth0 (2.7.2):
-    - JWTDecode (~> 3.1)
-    - SimpleKeychain (~> 1.1)
+    - SimpleKeychain (= 1.2.0)
+  - Auth0 (2.10.0):
+    - JWTDecode (= 3.2.0)
+    - SimpleKeychain (= 1.2.0)
   - boost (1.84.0)
   - DoubleConversion (1.1.6)
   - fast_float (6.1.4)
@@ -16,7 +16,7 @@ PODS:
   - hermes-engine (0.77.0):
     - hermes-engine/Pre-built (= 0.77.0)
   - hermes-engine/Pre-built (0.77.0)
-  - JWTDecode (3.1.0)
+  - JWTDecode (3.2.0)
   - RCT-Folly (2024.11.18.00):
     - boost
     - DoubleConversion
@@ -1619,7 +1619,7 @@ PODS:
     - ReactCommon/turbomodule/bridging
     - ReactCommon/turbomodule/core
     - Yoga
-  - SimpleKeychain (1.1.0)
+  - SimpleKeychain (1.2.0)
   - SocketRocket (0.7.1)
   - Yoga (0.0.0)
 
@@ -1845,16 +1845,16 @@ EXTERNAL SOURCES:
     :path: "../node_modules/react-native/ReactCommon/yoga"
 
 SPEC CHECKSUMS:
-  A0Auth0: 1a9d69121ff2455486a2a4ddc40c4f36585e5260
-  Auth0: 28cb24cb19ebd51f0b07751f16d83b59f4019532
+  A0Auth0: c54e2b28344e08ab2387986d00f2a418044fdbf9
+  Auth0: 2876d0c36857422eda9cb580a6cc896c7d14cb36
   boost: 7e761d76ca2ce687f7cc98e698152abd03a18f90
   DoubleConversion: cb417026b2400c8f53ae97020b2be961b59470cb
   fast_float: 06eeec4fe712a76acc9376682e4808b05ce978b6
   FBLazyVector: 2bc03a5cf64e29c611bbc5d7eb9d9f7431f37ee6
   fmt: a40bb5bd0294ea969aaaba240a927bd33d878cdd
   glog: eb93e2f488219332457c3c4eafd2738ddc7e80b8
   hermes-engine: 1f783c3d53940aed0d2c84586f0b7a85ab7827ef
-  JWTDecode: 3eaab1e06b6f4dcbdd6716aff09ba4c2104ca8b7
+  JWTDecode: 7dae24cb9bf9b608eae61e5081029ec169bb5527
   RCT-Folly: e78785aa9ba2ed998ea4151e314036f6c49e6d82
   RCTDeprecation: f5c19ebdb8804b53ed029123eb69914356192fc8
   RCTRequired: 6ae6cebe470486e0e0ce89c1c0eabb998e7c51f4
@@ -1915,7 +1915,7 @@ SPEC CHECKSUMS:
   ReactCodegen: c08a5113d9c9c895fe10f3c296f74c6b705a60a9
   ReactCommon: 1bd2dc684d7992acbf0dfee887b89a57a1ead86d
   RNScreens: b32d0d59b53acb574fa795a9343591ef4e7ab7c2
-  SimpleKeychain: f8707c8e97b38c6a6e687b17732afc9bcef06439
+  SimpleKeychain: 768cf43ae778b1c21816e94dddf01bb8ee96a075
   SocketRocket: d4aabe649be1e368d1318fdf28a022d714d65748
   Yoga: 78d74e245ed67bb94275a1316cdc170b9b7fe884
 

ios/A0Auth0.m

@@ -51,11 +51,11 @@ - (dispatch_queue_t)methodQueue
 }
 
 RCT_EXPORT_METHOD(webAuth:(NSString *)scheme redirectUri:(NSString *)redirectUri state:(NSString *)state nonce:(NSString *)nonce audience:(NSString *)audience scope:(NSString *)scope connection:(NSString *)connection maxAge:(NSInteger)maxAge organization:(NSString *)organization invitationUrl:(NSString *)invitationUrl  leeway:(NSInteger)leeway ephemeralSession:(BOOL)ephemeralSession safariViewControllerPresentationStyle:(NSInteger)safariViewControllerPresentationStyle additionalParameters:(NSDictionary *)additionalParameters resolver:(RCTPromiseResolveBlock)resolve rejecter:(RCTPromiseRejectBlock)reject) {
-    [self.nativeBridge webAuthWithState:state redirectUri:redirectUri nonce:nonce audience:audience scope:scope connection:connection maxAge:maxAge organization:organization invitationUrl:invitationUrl leeway:leeway ephemeralSession:ephemeralSession safariViewControllerPresentationStyle:safariViewControllerPresentationStyle additionalParameters:additionalParameters resolve:resolve reject:reject];
+    [self.nativeBridge webAuthWithScheme:scheme state:state redirectUri:redirectUri nonce:nonce audience:audience scope:scope connection:connection maxAge:maxAge organization:organization invitationUrl:invitationUrl leeway:leeway ephemeralSession:ephemeralSession safariViewControllerPresentationStyle:safariViewControllerPresentationStyle additionalParameters:additionalParameters resolve:resolve reject:reject];
 }
 
 RCT_EXPORT_METHOD(webAuthLogout:(NSString *)scheme federated:(BOOL)federated redirectUri:(NSString *)redirectUri resolver:(RCTPromiseResolveBlock)resolve rejecter:(RCTPromiseRejectBlock)reject) {
-    [self.nativeBridge webAuthLogoutWithFederated:federated redirectUri:redirectUri resolve:resolve reject:reject];
+    [self.nativeBridge webAuthLogoutWithScheme:scheme federated:federated redirectUri:redirectUri resolve:resolve reject:reject];
 }
 
 RCT_EXPORT_METHOD(resumeWebAuth:(NSString *)url resolver:(RCTPromiseResolveBlock)resolve rejecter:(RCTPromiseRejectBlock)reject) {