auth0 / lock Goto Github PK

https://github.com/auth0/lock/wiki/Single-Page-Applications

@pose we should add the alternatives with redirect, like the customer who required to set state instead of opening in popup mode.

I'm might be too sleepy and wrong about this 👯

But either way documentation about the topic should be improved and you are THE guy for this.

cc @mgonto

EDIT:

@mgonto created this document https://github.com/auth0/lock/wiki/Types-Of-Applications

Which is quite complete as an explanation.

We should only add code examples.

And make links smaller cc @mgonto

Sometimes you don't want to set any option but you do want to set a callback. For those cases, we could make that if first param is a function, it's a callback not an option.

When an app only has a single enterprise connection, it should show a button to redirect the user to the login page rather than to ask them for their email address, since there is no need for it to discover the home realm.

https://github.com/auth0/lock/wiki/UI-Customization

@gravityonmars anything could be better than that.

Also a few screenshots might be awesome! 💃

Add livereload to grunt build example so it refreshes each time a change is made.

If we have the following code:

widget.show({
  focusInput: false,
  connection: 'Initial-Connection',
  popup: true
}, function (err, profile, token) {
  alert(err);
});

What should happen? A warning should displayed because connection field does not exist as a lock option. The warning should say that what the user must type is connections.

What happens instead? The parameter is silently ignored and you may think that the connection parameter works but it does not.

to options.extraParams as its on docs (or was, or should be...)

• test it fails when wrongly passed #2
• document all allowed extra parameters #3 @mgonto
• move extra parameters array to it's own file/module under options-manager

When we use responseType: code it means that we usually want to get the code in the server and then from that get the accessToken to get info from the user.

When we don't set a callbackURL, it will default to location.href which usually will be the same page, not a callback. That will happen mostly in SPAs. Therefore, I think that if callbackURL isn't provided, we should default to responseType: token

• add i18n messages to widget
• widget design ready?
• tried on ie9
• tried on ie10 (thx @rolodato)
• tried on ie11 (thx @rolodato)
• tried on iOS
• tried on Android
• end documentation with widget screenshots (auth0/docs#185)
• add reusable components to style guide (if any)
• test cases
  • signup
  • change password

Inspiration (how it should look like)

• login ready
  • Add transition (fade-in)
  • Border radius round (like blog)
  • if no picture, do show the previous icon
  • add new parameter to show: gravatar by default it will be true.
  • signup
• design ready
  • tried on ie9
  • tried on ie10*
  • tried on iOS
  • tried on Android Chrome
• documented?
  • added to lock docs
• described test cases
• tried test cases
  • icon: URL
  • icon: false
  • if enterpise connection it should not work
  • if ad connection it should not work
  • if db connection it should not work
  • should work on signup

[*] Animations not working (See #45)

• See if prefix-css (the grunt custom task we use to add a0- to the css classes) can be replaced with a faster alternative (what about https://www.npmjs.org/package/prefix-css-node ?)
• Cache steps or results on grunt process?
• Creating library bundle for browserify, so it only goes through the Auth0 files (and not resolving dependencies' requires).
• Configure watch parameter in browserify.

Right?
/cc @jfromaniello @woloski @pose @siacomuzzi

We are using expect.js for our tests. Many of our tests are using the following type of assertion:

expect(foo).to.exist;
expect(foo).to.not.exist;

But if you take a closer look at expect.js repo, I cannot find a single mention of the keyword exist (I suspect exist could be part of chai assertion framework) . Lots of tests are passing without asserting the required behavior.

https://cloudup.com/cPsK4E3th_K

https://github.com/auth0/lock/wiki/Sending-authentication-parameters#supported-parameters

cc @mgonto @siacomuzzi

When tab focus you can't notice.

Do lock.showSignin. Log into an email associated with a gravatar picture. Then logout and the last time you signed in with message should appear when doing lock.showSignin.

What should happen? Gravatar picture should be displayed when last time you signed in with message is displayed.
What happens instead? No Gravatar picture is displayed at all.

Timing out...

When the connection has requires_username: true, lock should work as follows:

1. Sign in: Ask for "Username or email" + "password". TWO FIELDS.
2. Sign up: Ask for "Username" + "Email" + "password". THREE FIELDS.
3. Password reset: Ask for "Username or email" + "password". TWO FIELDS.

The regex we will use to validate usernames is /^[a-zA-Z0-9_]{1,15}$/

Currently, it's located in index.js. OptionsManager is an option but I'm not convinced.

It always goes back to the same state. For example:

Logging in for the first time:

Going back to showing the widget again:

After trying to log in, it goes back to the same spot but inside a web view:

To reproduce, you can use this in app.js:

function showWidget(e) {
  e.preventDefault();
  widget.signin({ popup: true} , null, function(err, profile, token) {
    if (err) {
      // Error callback
      console.log("There was an error");
      alert("There was an error logging in");
    } else {
      // Success calback

      // Save the JWT token.
      localStorage.setItem('userToken', token);

      // Save the profile
      userProfile = profile;

      $('.login-box').hide();
      $('.logged-in-box').show();
      $('.nickname').text(profile.nickname);
      $('.nickname').text(profile.name);
      $('.avatar').attr('src', profile.picture);
    }
  });
}

$('.btn-login').click(showWidget);

$('#back').click(showWidget);

You also need to add a Back button in index.html:

<input type="button" value="Back" id="back" />

Use the following snippet:

var widget = new Auth0Lock(cid, domain);

widget.show({
  popup: true,
}, function (err, profile, token) {
  alert(err);
});

What should happen? When using the widget and clicking in a social connection popup must be shown. When closing the popup err should be printed (responseType: token is set implicitly).

What happens instead? As responseType: code is the default the callback is not being executed.

This is how the widget inside phonegap looks on Samsung Galaxy S3:

I've previously logged in with Github so the following is shown. However, I just deactivated that service, so it shouldn't be shown at all as "Last signed in"

• Animation support on IE
• Check if there is an animation cancel so we don't need the fallback timer.

As shown in this issue: #18 it may be a good idea to perform validations on options parameters in order to avoid typos and Lock not working as expected.

As @jfromaniello suggests:

I like an exception thrown, this will help also when depreciating an option, etc. Instead of silently failing.

Json schema will be the way to go,

• move 500 to a constant and align it to the .animation.fast's animation-duration.
• Add a _.debounce to onemailinput handler.
  • signin
  • signup
• Make the change of logo only when succeeding loading the image (probably, preload it somewhere else) when {icon: 'http://....'} This has been solved by the _.dobounce
• ~~ When erasing the whole email in some cases the picture converts to a square.~~ Cannot reproduce, but fixed some related bug.

Add to grunt cdn send warnings of source code options that don't match documented options in wiki. On that way, we can keep documentation updated.

Use the following snippet:

widget.show({
  focusInput: false,
  closable: false,
  connections: ['adconn', 'adconn2'],
  responseType: 'token',
  callbackURL: 'http://localhost:3000'
});

What should happen? An email and password lock should be displayed where user can enter their emails. Then deciding on the email domain that the user has input, it should display the HRD mode.

What happens instead? The following screenshot:

(translated from chat conversation, please correct if wrong)

We must make sure that npm/browserify still works:

There is a transform https://github.com/auth0/lock/blob/master/package.json#L65 . The css should be present in the generated tgz when doing npm publish. A way to deal with that would be having .gitignore y .npmignore, ignoring it on git pero but not in npm.

Once Auth0 Lock is finally officially released:

• Add deprecation notice to Auth0 Widget (latest release).
• Add to Auth0 Widget README a link to Auth0 Lock migration docs.
• Deprecate auth0-widget.js npm
• Deprecate auth0-widget.js bower

WIP

The user story will be:

1. User writes their email.
2. While the user press enter or clicks on signin, we search throughout the connections if there is one of them registered with the email suffix and its type is AD Connector (for instance, @mydomain.com).
3. lock launches new mode (adldap) (or shall we re-use signin mode @cristiandouce ?)
4. This new state has username instead of email and it can write the password there. The new screen has not forgotten email or signup. Only a cancel button to go to the previous state.
5. When they enter the credentials and clicks on access it should use the selected ad/ldap connection sending username and password. There should not be a redirect as it happens today. It should work as a DB connection.

• Try with an enterprise connection.
• Implement escape key to leave HRD. No escape for now.
• What happens if my domain is really large?
  • #25
  • add to tittle field of the access button the full domain name.
  • add overflow and text-overflow (for ellipsis)
• Implement new UI (as shown in #lock)
• show top label when there is only one ad connection. This is error prone as the connection may have multiple domain aliases. Not doing for now.
• Code Cleanup

tasks

• widget login ready?
• documented?
• updated widget docs
  • [1]
• updated auth0-configuration No lock yet.
• updated auth0-vagrant No lock yet.
• Contacted people who wanted that feature

Create a migration guide form Auth0 Widget.

Topics to include:

• Changes in the initialization.
• Changes in show parameters.
• Changes in events.

It can be found here: https://github.com/auth0/lock/wiki/Migration-Guide

• Get work reviewed by @cristiandouce

I tried to load this using webpack but I did not very very far due to not knowing what loaders it would require...
Any advice?

When any of these requests fail or time out, Lock will never finish loading and no error message is shown:

• https://TENANT.auth0.com/user/ssodata?ldaps=1&client_id=CLIENT_ID&cbx=__auth0jp0
• https://s3.amazonaws.com/assets.auth0.com/client/CLIENT_ID.js?t1411149795204

This situation should be handled and appropriate error messages should be shown.

Please notify: [email protected]

Update ticket:
https://auth0.groovehq.com/groove_client/mailboxes/5383/filters/56251/tickets/2596749

Right now, we show the World Domination message when the callback is missing and the user is trying a Social IdP. However, if the user tries to do a regular Username/Password Auth, a CORS error is thrown.

We should parse the s3 information to see if theres a callbackURL. If there's not and no callback is set to handle the success of the login, then we should show a message sayingPlease add currentURL as a CallbackURL on your application settings`.

Thanks!

Confirmation emails should be resent (or at least prompted) when users try to register a preexisting account with an unconfirmed email, only when email verification is turned on for that application.

Useful to validate some signup conditions for example: https://ask.auth0.com/t/prevent-the-creation-of-a-user-in-a-rule/115