Detalhes do pacote

@schibsted/account-sdk-browser

schibsted6.8kMIT5.2.3

Schibsted account SDK for browsers

readme (leia-me)

logo

Build Status Code coverage Snyk

Schibsted account SDK for browsers

Welcome! This is the home of the Schibsted account JavaScript SDK for use by any website that wishes to use Schibsted account to sign up and log in users. Use it to generate URLs for your site's "Log in" button, query the logged-in status of your users, and to check whether they have access to products and subscriptions, etc.

Getting started

This sdk mainly communicates with a service named Session Service, which is available on brand domains (i.e. id.vg.no) to avoid Third-Party Cookie request.

Since browsers started to block Third-Party Cookies, your top domain from local machine needs to match your Session Service top domain. Otherwise, the Session Service cookie will be a third-party cookie and will not be sent with a XHR request.

The same applies to cross scheme requests. The Session Service is hosted on https and therefore you need to run your site with HTTPS locally.

For example if your pre domain is pre.sdk-example.com, and it uses id.pre.sdk-example.com Session Service domain, your local domain should be local.sdk-example.com.

  1. Do npm install --save @schibsted/account-sdk-browser
  2. Use this library as you would any other npm module: import { Identity, Monetization, Payment } from '@schibsted/account-sdk-browser' With CommonJS it is possible to require the modules Identity, Monetization and Payment by appending /identity, /monetization' or /payment'.
  3. Build your site as you prefer. This library uses modern JavaScript syntax (including async/await and other ES2017 and WHATWG features) by default. We recommend that you do any transpilation yourself for the browser versions you need to cater to. See this paragraph for info about our Babel-ified version and info about polyfills.
  4. Initiate the SDK and provide at least clientId, env and sessionDomain.

If this is for a new site and there is no sessionDomain yet, contact support to initiate the process.

Migration to 5.x.x (ITP)

Follow the migration guide.

Simplified login widget

  1. Ensure that your site has no site specific terms and conditions in the Schibsted account login flow.
  2. Define rules for when and how often the simplified login prompt should be shown to unique users on your site. How you do this is up to you, but we recommend starting with showing the prompt once per user before potentially increasing this frequency over time.
  3. Set up a function to check if users landing on your domain is logged in to your site.
  4. If the user is not logged-in to your site, call the showSimplifiedLoginWidget function. The showSimplifiedLoginWidget accepts the same params as login function (state is required, it might be string or async function). If the simplified login prompt is to be loaded, showSimplifiedLoginWidget will return true.
  5. Set up a way to store information about which users have been shown the simplified login prompt. How you do this is up to you, but one way is to use localStorage. Use this information to execute on the rules defined in #2.

Example project

There is an example that demonstrates how the SDK can be used. The code is here, and you can see it live here. You have a use-case that we haven't thought of? Ask us to add it by creating an issue.

You can use that code as inspiration or just fork and play with it. The account-sdk-browser NPM module is used for authenticating the user with Schibsted account. Take a look at how the SDK is initialized.

When a user wants to log in to your site, you direct them to a UI flow hosted by Schibsted Account. We authenticate the user and redirect them back to your site. This final redirect back to your site is performed in accordance with the OAuth2 specification. This means we pass a code in the query string of that redirect URI. You can use that code on your site's backend, along with your client credentials (client ID and secret), to obtain an Access Token (AT) and a Refresh Token (RT). You should not send the AT (and never the RT!) to the browser. Instead, keep them on the server side and associate them with the specific user session. This allows you to call Schibsted Account APIs on behalf of that user.

Events

The SDK fires events when something we deem interesting is happening. For example the Identity class emits some events when the user is logged in or logged out. This SDK uses a familar interface that's very similar to Node's EventEmitter. The most important methods are .on(eventName, listener) (to subscribe to an event) and .off(eventName, listener) (to unsubscribe to an event).

Identity

Let's start with a bit of example code:

Example

import { Identity } from '@schibsted/account-sdk-browser'

const identity = new Identity({
    clientId: '56e9a5d1eee0000000000000',
    redirectUri: 'https://awesomenews.site', // ensure it's listed in selfservice
    env: 'PRE', // Schibsted account env. A url or a special key: 'PRE', 'PRO', 'PRO_NO', 'PRO_FI' or 'PRO_DK'
    sessionDomain: 'https://id.awesomenews.site', // client-configured session-service domain
})

async function whenSiteLoaded() {
    const loginContainer = document.getElementById('login-container')
    if (await identity.isLoggedIn()) {
        const user = await identity.getUser()
        const span = document.createElement('span')
        span.textContent = `Hello ${user.givenName}`
        loginContainer.appendChild(span)
    } else {
        loginContainer.innerHTML = '<button class="login-button">Log in</button>'
    }
}

function userClicksLogIn() {
    identity.login({ state: 'some-random-string-1234-foobar-wonky-pig' })
}

Regarding state

This parameter is an OpenID Connect parameter (described in this paragraph in the spec). It's formatted as an opaque string. This means you can send anything that can be serialized to a string. In practice, we have good experience sending something like a JSON value like a base64-url-encoded value — it's just an easy way to avoid browsers or backends messing with special characters.

But as a trivial example, if you call Identity.login(..) with params redirectUri=https://site.com&state=article%3D1234 — then at the end of the authentication flow, the user will be sent back to your redirectUri, and the state parameter will be forwarded along with the auth code parameter.

It is recommended that you provide a unique identifier as part of the state, to prevent CSRF attacks. For example this can be accomplished by:

  1. Your backend generates random token: 1234abcd, saves it in some tokenCache, and forwards to your browser frontend
  2. Your frontend calls Identity.login with state = base64Urlencode({ token: '1234abcd', article: '1234', ... })
  3. When auth flow completes, the user is redirected back to your site. Then, your backend sees the query parameters code (which it can exchange for OAuth tokens for the user) and state
  4. Your backend can do decodedState = base64Urldecode(query.state) and then verify that its tokenCache.contains(decodedState.token). If that fails, then possibly a CSRF attack was attempted. If successful, remove the token from the tokenCache so the same token can't be used again, and continue to show decodedState.article

Authentication methods

Although Schibsted account abstracts away the details of how the users sign up or log in, it's worth mentioning that your end users have a few ways to log in:

  • Username & password: pretty self-explanatory; users register using an email address and a self-chosen password
  • Passwordless - email: here, the users enter their email address and receive a one-time code that they can use to log in
  • Multifactor authentication: first client indicates which methods should be preferred, later these will be included (if fulfilled) in AMR claim of IDToken

The default is username & password. If you wish to use one of the passwordless login methods, the login() function takes an optional parameter called acrValues (Authentication Context Class Reference). The acrValues parameter with multifactor authentication can take following values:

  • eid - authentication using BankID (for DEV and PRE environments you can choose between country specific solution by specifying eid-no or eid-se instead)
  • otp-email - passwordless authentication using code sent to registered email
  • password - force password authentication (even if user is already logged in)
  • otp - authentication using registered one time code generator (https://tools.ietf.org/html/rfc6238)
  • sms - authentication using SMS code sent to phone number
  • password otp sms - those authentication methods might be combined

The classic way to authenticate a user, is to send them from your site to the Schibsted account domain, let the user authenticate there, and then have us redirect them back to your site. If you prefer, we also provide a popup that you can use. In this method, the authentication happens on a separate popup window and at the end of the auth flow. We recommend that you make the popup send a signal to your main page — using postMessage or something similar — to indicate that the user is logged in. If the popup window fails to open, it'll automatically fall back to the redirect flow. The SDK Example project mentioned above demonstrates how it can work. Again, you can see sdk-example if you want a working example.

Is the user logged in?

Schibsted account relies on browser cookies to determine whether a user is recognized as logged in. The SDK provides functions that can be used to check if the user that's visiting your site is already a Schibsted user or not.

  • Identity#isLoggedIn tells you if the user that is visiting your site is already logged in to Schibsted account or not.
  • Identity#isConnected tells you if the user is connected to your client. A user might have isLoggedIn=true and at the same time isConnected=false if they have logged in to Schibsted account, but not accepted terms and privacy policy for your site.

If you've lately changed your terms & conditions, maybe the user still hasn't accepted them. In that case they are considered not connected. In that case, if they click "Log in" from your site, we will just ask them to accept those terms and redirect them right back to your site.

Logging out

If you want to log the user out of Schibsted account, you can call Identity#logout. This will remove the Schibsted account brand session. User will still be logged into Schibsted account.

Monetization

The preferred method for checking whether a user has access to a product/subscription is Monetization#hasAccess. It requires using Session Service, and supports both Schibsted account productId's and Zuora feature id's.

Example

import { Monetization } from '@schibsted/account-sdk-browser'

const monetization = new Monetization({
    clientId: '56e9a5d1eee0000000000000',
    redirectUri: 'https://awesomenews.site', // ensure it's listed in selfservice
    sessionDomain: 'https://id.aweseome.site', // client-configured session-service domain
    env: 'PRE', // Schibsted account env. A url or a special key: 'PRE', 'PRO' or 'PRO_NO'
});

try {
    // Check if the user has access to a a particular product
    const userId = await identity.getUserId();
    const data = await monetization.hasAccess([productId], userId);
    alert(`User has access to ${productId}? ${data.entitled}`)
} catch (err) {
    alert(`Could not query if the user has access to ${productId} because ${err}`)
}

Payment

This class provides methods for paying with a so-called paylink, buying a product, getting links to pages for redeeming voucher codes, reviewing payment history, and more.

Example

import { Payment } from '@schibsted/account-sdk-browser'

const paymentSDK = new Payment({
    clientId: '56e9a5d1eee0000000000000',
    redirectUri: 'https://awesomenews.site', // ensure it's listed in selfservice
    env: 'PRE', // Schibsted account env. A url or a special key: 'PRE', 'PRO' or 'PRO_NO'
})

// Get the url to paymentSDK with paylink
const paylink = '...'
const paylinkUrl = paymentSDK.purchasePaylinkUrl(paylink)

// Or another example --- pay with paylink in a popup
paymentSDK.payWithPaylink(paylink)

Appendix

Polyfills

This SDK uses modern JavaScript features. If you support older browsers, you should use a tool like babel to transform the JavaScript as needed. However, since certain teams have deployment pipelines where it's difficult to do their own transpilation, we do provide some opt-in es5 files as well:

  1. @schibsted/account-sdk-browser/es5: Include both Identity, Monetization and Payment.
  2. @schibsted/account-sdk-browser/es5/global: Include both Identity, Monetization and Payment. In addition, add them as variables to the global window object.
  3. @schibsted/account-sdk-browser/es5/identity, @schibsted/account-sdk-browser/es5/monetization or @schibsted/account-sdk-browser/es5/payment can be used to only include each class by itself.

But then regardless of whether you use the es5 versions or not, you might need to polyfill certain things that might be missing in the browsers you wish to support. A quick test using IE11 showed that we needed polyfills for Promise, URL, Object.entries, fetch, Number.isFinite and Number.isInteger.

Cookies

There are some cookies used by Schibsted account. They should all be considered opaque on the browser side. Nevertheless, here is a short description of them.

  1. The autologin cookie (often called 'the remember-me-cookie'): The cookie name in the production environments is vgs_email, because reasons (on PRE, it is called spid-pre-data). It's a JSON string that's encoded using the standard encodeURIComponent() function and is an object that contains two pieces of information that's important:
    • remember: if set to true, the user chose to be remembered and this means we usually support auto-login (that is, if you call the Schibsted account hassession service, and no session can be found in the session database, it will automatically create a new one for the user so that they don't have to authenticate again. If it is false, it should be interpreted as the user does not want to be automatically logged in to any site when their session expires
    • v: the version number
  2. The session cookies: Cookie names in production environments are identity, and SPID_SE or SPID_NO. It contains:
    • user: an object (if it's missing, a call to hassession will return a 401 with a UserException that says No session found)
      • userId identifies the user. We use this property to compare "old" user with "new" user and fire events that indicate that the user has changed
      • is_logged_in indicates if the user is logged in
    • user_tags: a map that contains some flags about the user; namely:
      • is_logged_in indicates if the user is logged in (this seems to be a duplicate of a property with a similar name in the parent user object)
      • terms: a map of term ids that indicate if they've been accepted by the user.
    • referer (yep, missing the double "rr"..): If this is missing, a call to hassession will return a 401 with a UserException that says No session found.

Releasing

Tags are pushed to NPM via Travis. To release a new version, run in master

$ npm version <major|minor|patch>

which will run the test, update version in package.json, commit, tag the commit and push.

LICENSE

Copyright (c) 2024 Schibsted Products & Technology AS

Licensed under the MIT License

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

changelog (log de mudanças)

Changelog

5.2.3 (2025-04-24)

5.2.2 (2025-04-23)

5.2.1 (2025-04-22)

4.7.7 (2023-11-29)

4.7.6 (2023-11-29)

4.7.5 (2023-10-09)

4.7.4 (2023-09-08)

  • Ignore malformed session storage objects
  • Cleanup ReadMe

4.7.3 (2023-07-19)

  • Ignore malformed session storage objects
  • Upgrade NodeJS used to build package from version 12 to 18

4.7.2 (2023-01-31)

  • Update path to Schibsted account profile pages.

v4.7.1 (2023-01-24)

  • Add support for eID Finland

v4.7.0 (2022-10-27)

  • Add locale support in the Simplified Login widget

v4.6.0 (2022-02-23)

New features

  • Add eid, eid-no and eid-se to valid acrValues

v4.5.3 (2021-11-26)

Fixes

  • Fix SimplifiedLoginWidgetLoginOptions typo

v4.5.2 (2021-11-26)

Fixes

  • Fix SimplifiedLoginWidgetLoginOptions

v4.5.1 (2021-11-19)

Fixes

  • .d.ts files publishing

v4.5.0 (2021-09-29)

New features

  • Add Danish env

Fixes

  • options param in showSimplifiedLoginWidget function is optional in Typescript now

v4.4.0 (2021-06-24)

New features

  • Added optional options param to showSimplifiedLoginWidget function, allowing to specify widget encoding

v4.3.0 (2020-12-16)

New features

  • Add not you? button to simplified login widget

v4.2.1 (2020-18-11)

Fixes

  • Fix TS issues

v4.2.0 (2020-11-09)

New features

  • Add Finnish env

v4.1.0 (2020-11-03)

New features

  • Add .d.ts files

v4.0.0 (2020-09-03)

Breaking changes

  • sessionDomain is required
  • Removed siteSpecificLogout param- there is no option to disable site specific logout
  • hasSession does not accept autologin param anymore
  • Drop hasProduct and hasSubscription functions- replaced by hasAccess

New features

  • Add 2FA Support- new acrValues: sms, otp, password
  • logSettings function

Changes

  • babel has been updated to ^7.11

v3.4.0 (2020-04-28)

Changes

  • showSimplifiedLoginWidget accepts async function as state param - will be called only if user click log in
  • Support for pulse providerId in simplified login widget

New features

  • Added clearCachedAccessResult and clearCachedUserSession methods

v3.3.0 (2020-04-07)

New features

  • hasAccess - function that check if you have access to productsIds

v3.2.0 (2020-03-19)

Fixes

  • Cache 400 http responses from session service

New features

  • showSimplifiedLoginWidget - function that loads and displays simplified login widget

v3.1.1 (2020-02-20)

Changes

  • Use sessionStorage as identity cache instead of localStorage

v3.1.0 (2020-02-06)

Changes

  • Enable siteSpecificLogout by default

v3.0.7 (2019-11-12)

Fixes

  • Refactor hasSession to fix ie11 bug

v3.1.0-rc (2019-10-02)

Semi-breaking ish changes

  • Enable site specific logout by default- it is experimental feature for now

Fixes

  • Update PublicUserData type description

v3.0.6 (2019-09-18)

New features

  • New method getUserContextData
  • siteSpecificLogout flag (default false). When enabled, logout will logout user from local session-service, but not from Schibsted Account

v3.0.5 (2019-05-23)

Fixes

  • Do not display ITP dialog when session service is enabled
  • Mark purchasePaylinkUrl as depracated

v3.0.4 (2019-03-14)

Fixes

  • Use reject in hasSession promiseFn

v3.0.3 (2019-01-28)

Changes

  • Add oneStepLogin option to login function. If set to true username and password will be display on one page
  • Introduce purchasePromoCodeProductFlowUrl- function returns url for zuora subscription flow

v3.0.2 (2018-12-11)

Changes

  • Add possibility to set SP_ID cookie domain with enableVarnishCookie function param

v3.0.1 (2018-11-06)

Fixes

  • Fix LOCAL SDRN namespace
  • Silent error on Object.assign in SDKError for ios 9
  • Update jest

v3.0.0 (2018-10-15)

Fixes

  • Fix LOCAL SDRN namespace

v3.0.0 (2018-10-15)

Removed rc

Fixes

  • fix typeof in clearVarnishCookie

v3.0.0-rc.21 (2018-10-10)

Semi-breaking ish changes

  • Monetization functions hasProduct and hasSubscription didn't list @throws in the docs, even though there was always a chance of those functions throwing SDKError if anything went wrong during a network call. Also, the spId parameter is back to being a required parameter, since it's used when caching results (and without it, cache data could in theory span different users)

Fixes

  • Monetization functions hasProduct and hasSubscription now fall back to calling the Schibsted account backend if a call to the session-service fails with a 400 error (meaning a session-cookie is not present).

Changes

  • Monetization functions hasProducts and hasSubscription now caches both failures (for 10 seconds) and successes (for 1 hour)

v3.0.0-rc.20 (2018-10-09)

Fixes

  • Setting a Varnish cookie (the SP_ID cookie) will now be done with a top-level domain as the domain value. So if done from some.sub.site.example, we will use domain=site.example. Thanks to @olekenneth for fixing it

v3.0.0-rc.19 (2018-09-28)

Breaking changes

  • If you are using the session-service, calls to Identity.hasSession will not return the obsolete userStatus or id fields (the numeric userId and the uuid fields are still returned).
  • Calling Identity.hasSession multiple times will now cause only one network call. While this call is running, other calls to Identity.hasSession will simply wait for that call to complete, and then they will all resolve to the same result

New features

  • We can communicate with the session-service instead of Schibsted account in Identity.hasSession, Monetization.hasProduct and Monetization.hasSubscription (quick howto; to opt into this, add a param sessionDomain: 'https://id.site.example' to the constructor for Identity and Monetization)

v3.0.0-rc.18 (2018-09-18 — second one today, yay 🎉)

Breaking changes

  • The Identity.logout() function is no longer an async function, and now does a full-page redirect to the Schibsted account domain to log the user out. This is because we can't trust that the XHR way of logging people out will work for Safari 12 users. Sorry for the breaking change, but at least it works in a consistent way. It now also takes a parameter redirectUri that defaults to the redirectUri from the Identity constructor. The browser will be redirected there after Schibsted account has logged the user out

v3.0.0-rc.17 (2018-09-18)

Fixes

  • Varnish cookie fixes: 1) The localstorage item was wrongly cleared when calling Identity.enableVarnishCookie(), and 2) The varnish cookie was not removed correctly when calling Identity.logout().

v3.0.0-rc.16 (2018-09-14)

Fixes

  • ITP: Set the z-index of the ITP dialog to a "zooper high value" to 🤞🏼 ensure 🤞🏼 that it hovers above the main site content

v3.0.0-rc.15 (2018-09-06)

New features

  • Support for new Identity.login parameters: tag, teaser and maxAge
  • ITP: There are explicit methods in Identity for users that don't use the login method. See the docs for showItpModalUponReturning and suppressItpModal if you're interested

Breaking changes (ish)

  • The Identity.loginUrl method used to take a lot of arguments, and with this release it was about to become even more (with the added tag, teaser and maxAge params mentioned above). This release changes the signature to have a single options object instead of the argument list. In this case we made it backwards-compatible, so it won't break (YET!) if you continue using an argument list. Beware though, that passing a list of arguments is considered DEPRECATED as of now
  • The es5 folder now contains both minified and unminified code. The minified ones have the .min.js suffix. Before, only minified files were published, so if you're using those, you might suddenly have bigger files than you did before. Sorry.. 🤷🏼‍

Fixes

  • #76 — Login on Chrome/iOS should now work once again

v3.0.0-rc.14 (2018-09-03)

Changes

  • The only change is adding a typings file to the es5 folder. There are no functional changes from rc.13

v3.0.0-rc.13 (2018-08-31)

Fixes

  • The "Safari 12 ITP2 workaround" from v3.0.0-rc.11 had a bug where we passed the wrong query parameter to the ITP dialog, so the dialog then failed to post a message back to the parent page. In conclusion; calls to Identity.hasSession would still fail 😭.

v3.0.0-rc.12 (2018-08-30)

This release is identical to rc.11 but includes index.d.ts in the npm package.

v3.0.0-rc.11 (2018-08-30)

New features

  • Initial support for Safari 12. For users of this browser, there could be issues related to Intelligent Tracking Prevention (ITP) v2. For the people who experience it, it would be impossible to detect whether you're logged in or not from a given site (because cookies to Schibsted account would be blocked because it's a third party). The Apple way to solve this, is to call requestStorageAccess from an iframe, and let the user choose "Allow" in a scary Safari dialog. Then cookies will once more be allowed to go to that third party. This SDK will now work around this by showing a friendlier dialog before calling requestStorageAccess so people are hopefully more inclined to click "Allow".

v3.0.0-rc.10 (2018-08-10)

Fixes

  • #68 — Cache was not cleared after calling Identity.logout() or Identity.enableVarnishCache

v3.0.0-rc.9 (2018-08-08)

Fixes

  • Upgraded regenerator-runtime to fix this CSP issue (courtesy of @henninga)
  • #64 — This issue was fixed in two ways. First, by changing the implementation so we set the Varnish cookie on every call to hasSession (before we didn't do so when a hasSession returned cached data). Second, we introduced an optional parameter expiresIn on the Identity.enableVarnishCookie where you can override the default expiry of the Varnish cookie.
  • #54 — Ensure that we clear the Varnish cookie when a user logs out.

v3.0.0-rc.8 (2018-07-17)

Fixes

v3.0.0-rc.7 (2018-07-11)

Fixes

  • There was a caching issue that caused a flood of requests to the Schibsted account hasSession endpoint. This is fixed in this release. Please update ASAP!
  • The Payment.purchaseCampaignFlowUrl function used to have null as a default parameter for some parameters that were required. This signature has been updated to match the documentation

Other changes

  • Documentation updates

v3.0.0-rc.6 (2018-06-25)

Breaking changes

  • The Identity.agreementUrl has been removed. This function called an endpoint on the Schibsted account backend that will be removed due to GDPR, and so it makes no sense to keep it in the SDK.

Other fixes

  • Some (mostly trivial) documentation polish here and there

v3.0.0-rc.5 (2018-06-21)

Breaking changes

  • The 'visitor' concept is being removed both from the Schibsted account backend and thus also from the SDKs. This means that Identity.getVisitorId and all references to visitor including the emitting of the visitor event is removed in this version. If you depend on it, now's the time to stop doing that.

Fixes

  • The ES5 global file should now work correctly. Yeah — before, I once again failed to fix it, by not making sure that the symbol regeneratorRuntime was bound to the window globally before loading Identity, Monetization and Payment. Third time's the charm, though 🤞🏼
  • Both Identity.getUserId and Identity.getUserUuid now behave according to their documentation, which is to say that they reject the returned Promise if the user is logged in, but not connected to this merchant.
  • Two functions, Identity.accountUrl and Identity.phonesUrl did not take a redirectUri parameter, causing the Schibsted account backend to render a default Back to [Site] link on that web page. Now you should be able to pick any valid redirect uri here.

v3.0.0-rc.4 (2018-05-29)

Fixes

  • #37 — The files in the es5 directory have been rewritten to CommonJS syntax (yes, like in the good 'ol days). I still don't fully understand what was happening here, but at least now it seems like it works for people
  • #40 — Events are now emitted from Identity when a call to hasSession() used a cached value
  • #41 — References to the global window have all been wrapped in functions, so that it can be loaded in Server-side rendering contexts
  • The caching could fail if the cache time in milliseconds were greater than 2^31 - 1 (just under 25 days). This has been fixed by capping the cache time to that maximum value

Changes

  • Documentation for the Identity class has been updated

v3.0.0-rc.3 (2018-05-14)

Fixes

  • #38 — Source maps are now included for generated ES5 files
  • #22 — Documented that varnish cookies need an Origin that is !== localhost for the logic to work in most (all?) browsers
  • #21 — Fix documentation issue on Monetization.hasProduct and Monetization.hasSubscription

Changes

  • Documentation (the main README.md file) has been updated to point to the SDK Example project in case people might want to go look at it
  • Be more explicit about the browsers supported in our ES5 generated files. In package.json for those who are curious

v3.0.0-rc.2 (2018-04-30)

Fixes

  • #31 — Our internal helper function urlMapper now doesn't perform calls like new URL('PRE') without first checking if 'PRE' is a key in our url map object. This should ensure that outdated browsers like IE11 (that require a polyfill for WHATWG URL) don't get flustered in this scenario.

v3.0.0-rc.1 (2018-04-24)

Breaking changes

  • #24 — Change from CommonJS to ES Modules syntax (that is — change from require/module.exports to using import/export syntax). Yeah, this is a change that touched basically all the files in the whole project, but shouldn't really change the usage much. It is a breaking change for some people using the CommonJS format. If you find yourself in this group, your change should be:

    // from when you were using rc.0 or older:
const Identity = require('@schibsted/account-sdk-browser/identity')

// to now, using rc.1:
const { Identity } = require('@schibsted/account-sdk-browser/identity')

    If you already used the syntax const { Identity } = require('@schibsted/account-sdk-browser') (that is — not the bundle-optimized version), then no change should be necessary

Fixes

  • #23 — The Identity.logout() docs should now be up to date
  • An internal usage of fetch was failing and has been fixed. It could cause the Identity.logout() function to not clear all of its cookies. In the worst case, this could in turn cause the browser to be confused about whether a user was logged in or not

Changes

  • The documentation has been updated to have more details about how redirectUri is different between the old 2.x versions of the SDK and this 3.x version. Also, a section on the OpenID Connect parameter state has been added

v3.0.0-rc.0 (2018-04-10)

Breaking changes

  • The function Identity.getUserUuidId is renamed to Identity.getUserUuid. This was a typo in the previous function name that was not detected until now :-/
  • The function Identity.getSpId now returns string|null instead of string|undefined.

Fixes

  • The Identity class now clears its internal cache if enableVarnishCookie() is called. Previously, calling hasSession after calling enableVarnishCookie would re-use any cached value and thus skip setting the varnish cookie.

Changes

  • The function Identity.getVisitorId is now marked async in the codebase. It always returned a Promise, so functionally it does the same as before. Syntax has just been modernised.

v3.0.0-beta.7 (2018-04-03)

Fixes

  • Webpack options needed tweaking, so -beta.6 didn't work at all. The code in this version is otherwise identical to -beta.6, so the build.sh script has the only change.

v3.0.0-beta.6 (2018-04-03) — removed from npm, didn't work

New features

  • ES5 generation has been added. This is an opt-in feature, so a user can do:

    // Either 1)
const Account = require('@schibsted/account-sdk-browser');
// ... or 2)
const Account = require('@schibsted/account-sdk-browser/es5');

// The shortcuts work as well (if you only want Identity stuff, for instance):
const Identity = require('@schibsted/account-sdk-browser/es5/identity');

Changes

  • Removed parcel-bundler and started using webpack instead. This was done to ease the production of ES5 code

v3.0.0-beta.5 (2018-03-21)

Fixes

  • An issue where Identity.hasSession would call the backend server(s) with a wrong autologin parameter has been fixed. This could potentially cause the user to not be auto-logged-in when they were supposed to be

v3.0.0-beta.4 (2018-03-19)

New features

  • There is only one change in this release, and that is the addition of a loginHint parameter on the Indentity.login() and Identity.loginUrl() functions. This enables the caller to pre-fill the user identifier (email or phone number)

v3.0.0-beta.3 (2018-03-16)

Fixes

  • Issue #8 is fixed by not relying on URLSearchParams to create query strings.

v3.0.0-beta.2 (2018-03-09)

This release has only one notable change, and it is the fix from this PR so we correctly fall back to calling SPiD when a call to the hasSession service fails with a LoginException. Thanks to Terje Andersen who found and helped to identify this issue.

v3.0.0-beta.1 (2018-03-06)

This is the initial public release. Hello, world!