Contributor

@subhankarmaiti subhankarmaiti commented Sep 12, 2025

This pull request introduces several key improvements to the web platform integration, focusing on simplifying developer setup, enhancing session management, and resolving a common configuration issue.

  • Simplified Web Dependency Management:

    • The @auth0/auth0-spa-js library has been moved from an optional peerDependency to a direct dependency.
    • Benefit: This simplifies the setup process for developers using React Native Web, as they no longer need to manually install a separate package. The required dependency is now bundled with the library.
    • Documentation in MIGRATION_GUIDE.md and REACT_NATIVE_WEB_SETUP.md has been updated to reflect this change.
  • Automatic Silent Authentication on Load:

    • A new checkWebSession() method has been added to the IWebAuthProvider interface.
    • This method is implemented for the web platform to check for an active session with the authorization server on initial load. It leverages auth0-spa-js's checkSession() functionality, which typically uses a silent iframe-based mechanism.
    • Benefit: This improves the user experience by automatically logging in users who have an existing session with Auth0, without requiring a full page redirect.
  • ⚠️ Breaking Change: Default useRefreshTokens Behavior on Web

    • The default value for the useRefreshTokens option in WebAuth0Client has been changed from true to false.
    • Reasoning: This aligns the default behavior with @auth0/auth0-react and prevents out-of-the-box "Missing Refresh Token" errors for users who have not configured Refresh Token Rotation in their Auth0 application settings. This makes the use of refresh tokens an explicit opt-in, leading to a smoother initial setup.
    • Migration: To restore the previous behavior, developers must explicitly pass { useRefreshTokens: true } when initializing the Auth0 client or Auth0Provider.

Fixed

  • Resolves the "Missing Refresh Token" error on the web platform by changing the default useRefreshTokens behavior to false. This aligns the library with the default Auth0 Application settings, preventing errors for new users. Fixes #(5.0.0-beta.4 web support issue #1275).

Testing

  1. Dependency Simplification:

    • Create a new React Native Web project and install react-native-auth0.
    • Verify that you do not need to manually npm install @auth0/auth0-spa-js. The application should build and run correctly.
  2. Silent Session Check:

    • Log into the web application.
    • Close the browser tab and then reopen the application.
    • The user should be automatically logged back in without being redirected, demonstrating that checkWebSession successfully restored the session.
  3. Refresh Token Default:

    • With a default client configuration (no useRefreshTokens option), log in and inspect the credentials. A refresh token should not be present.
    • Initialize the client with useRefreshTokens: true and ensure "Refresh Token Rotation" is enabled in your Auth0 dashboard.
    • Log in again. A refresh token should now be present in the credentials.

Checklist
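
An added example for the breaking change described above, not code from this PR or from react-native-auth0: a heuristic lint that flags `new Auth0({...})` and `<Auth0Provider ...>` initializations that never set `useRefreshTokens` and so pick up the new web default of `false` on upgrade. The function names, file names and sample sources are hypothetical and constructed for illustration.

```javascript
// Added example, not part of the PR. Heuristic, regex-based migration lint:
// it does not parse JS/JSX, so options containing nested braces or props
// containing '>' (for example arrow functions) need a manual look.
const INIT_PATTERNS = [
  // `new Auth0({ ... })` client construction
  { kind: 'Auth0 client', re: /new\s+Auth0\s*\(\s*\{([^}]*)\}/g },
  // opening `<Auth0Provider ...>` tag
  { kind: 'Auth0Provider', re: /<Auth0Provider\b([^>]*)>/g },
];

// Returns one finding per initialization that relies on the library default.
function findImplicitRefreshTokenDefaults(file, source) {
  const findings = [];
  for (const { kind, re } of INIT_PATTERNS) {
    for (const m of source.matchAll(re)) {
      if (/\buseRefreshTokens\b/.test(m[1])) continue; // explicit choice, unaffected
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ file, line, kind });
    }
  }
  return findings;
}

// Constructed sample sources (domain and clientId are placeholders).
const SAMPLE_FILES = {
  'src/auth.js': [
    "import Auth0 from 'react-native-auth0';",
    "const auth0 = new Auth0({ domain: 'tenant.example.com', clientId: 'PLACEHOLDER' });",
  ].join('\n'),
  'src/App.jsx': [
    'export default () => (',
    '  <Auth0Provider domain="tenant.example.com" clientId="PLACEHOLDER" useRefreshTokens={true}>',
    '    <Home />',
    '  </Auth0Provider>',
    ');',
  ].join('\n'),
  'src/Legacy.jsx': [
    'export const Root = () => (',
    '  <Auth0Provider domain="tenant.example.com" clientId="PLACEHOLDER">',
    '    <Home />',
    '  </Auth0Provider>',
    ');',
  ].join('\n'),
};

function scanSamples() {
  return Object.entries(SAMPLE_FILES)
    .flatMap(([file, src]) => findImplicitRefreshTokenDefaults(file, src));
}

for (const f of scanSamples()) {
  console.log(`${f.file}:${f.line}: ${f.kind} has no explicit useRefreshTokens (web default is now false)`);
}
```

Each flagged site needs an explicit decision: pass `useRefreshTokens: true` to keep the previous behavior, or accept the new default.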

@subhankarmaiti subhankarmaiti changed the title chore: moved spa js from peer to dependency feat(web): Simplify Web Setup and Add Silent Session Check Sep 18, 2025
@subhankarmaiti subhankarmaiti changed the title feat(web): Simplify Web Setup and Add Silent Session Check feat(web): Simplify Setup, Add Session Check & Fix Missing Refresh Token Sep 18, 2025
@subhankarmaiti subhankarmaiti marked this pull request as ready for review September 18, 2025 10:05
@subhankarmaiti subhankarmaiti requested a review from a team as a code owner September 18, 2025 10:05
@subhankarmaiti subhankarmaiti enabled auto-merge (squash) September 18, 2025 11:51
@subhankarmaiti subhankarmaiti merged commit 6b3e2cf into master Sep 18, 2025
3 checks passed
@subhankarmaiti subhankarmaiti deleted the spa-dependency-change branch September 18, 2025 11:54
NandanPrabhu added a commit that referenced this pull request Sep 29, 2025
* master:
  feat: add Claude Code PR Review workflow for enhanced pull request an… (#1317)
  feat: enhance Auth0Provider with platform-specific initialization and error handling (#1313)
  feat(web): Simplify Setup, Add Session Check & Fix Missing Refresh Token (#1303)
  Fix clearSession operation order to prevent premature user state clearing (#1309)
  Release v5.0.0-beta.6 (#1306)
  fix: concurrent credential storage errors by preventing unnecessary state updates (#1302)
  chore(deps): bump actions/checkout from 4 to 5 (#1272)
  chore(deps): bump actions/download-artifact from 4 to 5 (#1294)
  chore(deps): bump codecov/codecov-action from 5.5.0 to 5.5.1 (#1296)
  fix(docs): added back the docs folder (#1291)
  Release v5.0.0-beta.5 (#1290)
  fix(docs): organize exports into namespaces for better typedocs (#1269)
  fix: add missing clearSession native options (#1289)
  fix(android): add pathPrefix to Android manifest for proper App Links functionality (#1288)
  feat: add organization parameter support to resetPassword API (#1286)
  feat(auth): add `saveCredentials` method to `useAuth0` hook (#1285)
  feat: unify and improve error handling across platforms (#1261)
  chore(deps): bump codecov/codecov-action from 5.4.3 to 5.5.0 (#1279)