@brionmario

Purpose

This pull request introduces several important updates across the SDKs, focusing on improving security around external API requests and simplifying documentation for better developer experience. The most significant changes are the introduction of the allowedExternalUrls configuration option (replacing resourceServerURLs) for controlling where access tokens can be sent, and the removal of verbose quick start and installation instructions from multiple SDK README files.

Security and Configuration Updates

  • Replaced the resourceServerURLs configuration property with allowedExternalUrls in SPAConfig and related interfaces, clarifying its purpose and improving naming consistency. This restricts which external URLs can receive access tokens, especially when using WebWorker storage. (packages/browser/src/__legacy__/models/client-config.ts, packages/javascript/src/models/config.ts)
  • Updated all relevant logic in authentication-helper.ts to use allowedExternalUrls instead of resourceServerURLs, ensuring that token attachment and endpoint validation only occur for explicitly allowed URLs when using WebWorker storage. (packages/browser/src/__legacy__/helpers/authentication-helper.ts)

Documentation Simplification

  • Removed installation and quick start sections from the README files of @asgardeo/javascript, @asgardeo/node, @asgardeo/express, @asgardeo/nextjs, and @asgardeo/nuxt SDKs. Instead, these now direct users to official guides or warn against direct usage, emphasizing the use of framework-specific SDKs for integrations. (packages/javascript/README.md, packages/node/README.md, packages/express/README.md, packages/nextjs/README.md, packages/nuxt/README.md)

License Notice Update

  • Standardized the license notice across all affected README files, now explicitly referencing the Apache License and linking to the LICENSE file. (packages/browser/README.md, packages/javascript/README.md, packages/node/README.md, packages/express/README.md, packages/nextjs/README.md, packages/nuxt/README.md)

These changes enhance the security of token handling, make configuration clearer, and streamline the documentation for easier onboarding and correct usage.

Related Issues

Related PRs

  • N/A

Checklist

  • Followed the CONTRIBUTING guidelines.
  • Manual test round performed and verified.
  • Documentation provided. (Add links if there are any)
  • Unit tests provided. (Add links if there are any)

Security checks

@brionmario force-pushed the fix-asgardeo-v2-signup branch from d802aee to 99cb8db on December 2, 2025 09:00
@asgardeo-github-bot

🦋 Changeset detected

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

@brionmario merged commit 4a36906 into asgardeo:main on Dec 2, 2025
3 of 6 checks passed
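
As an added example (not code from this PR or from the Asgardeo SDK): one way an allow-list such as allowedExternalUrls can gate where an access token is sent under WebWorker storage, as the PR description above outlines. The matching rule (same origin plus path-segment boundary), the function names, the `storage` key and the example.com URLs are assumptions made for illustration.

```javascript
// Added illustration; not the SDK's implementation. The matching rule
// (same origin + path-segment boundary) is an assumption of this example.
function matchesAllowedUrl(requestUrl, allowedUrl) {
  let req, allowed;
  try {
    req = new URL(requestUrl);   // parsing also normalises "../" segments
    allowed = new URL(allowedUrl);
  } catch {
    return false;                // unparsable URLs never receive a token
  }
  // Compare parsed origins, not string prefixes: a host such as
  // "api.example.com.evil.test" shares a string prefix with
  // "api.example.com" but is a different origin.
  if (req.origin !== allowed.origin) return false;
  // Require a path-segment boundary so "/v1" does not also admit "/v10".
  const base = allowed.pathname.endsWith("/")
    ? allowed.pathname
    : allowed.pathname + "/";
  return req.pathname === allowed.pathname || req.pathname.startsWith(base);
}

function isTokenDestinationAllowed(config, requestUrl) {
  // Per the PR description and the linked issue, the allow-list is
  // enforced only when the storage type is WebWorker.
  if (config.storage !== "webWorker") return true;
  const list = config.allowedExternalUrls ?? [];
  return list.some((allowed) => matchesAllowedUrl(requestUrl, allowed));
}

// Constructed sample configuration (hypothetical values).
const workerConfig = {
  storage: "webWorker",
  allowedExternalUrls: ["https://api.example.com/v1"],
};
const sessionConfig = { storage: "sessionStorage", allowedExternalUrls: [] };
```
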

Development

Successfully merging this pull request may close these issues.

bug: can't call external APIs without defining them in resourceServerURLs even when the storage is not webWorker