
Access Token Exposure Control #1979

Open
wants to merge 1 commit into
base: main

Conversation

tusharpandey13
Contributor

@tusharpandey13 tusharpandey13 commented Mar 19, 2025

Access Token Exposure Control

This PR introduces a security enhancement for controlling access token exposure in browser-based applications, following OAuth best practices.

Changes

  • Added a new configuration option enableAccessTokenEndpoint to the Auth0ClientOptions interface. This boolean flag controls whether the /auth/access-token endpoint is accessible from client applications.
  • When set to false, it prevents direct exposure of access tokens to browser-based applications, enhancing security
  • By default, the value is set to true for backward compatibility
  • Added comprehensive documentation about the security implications of exposing access tokens
  • Added unit tests for the same.

References

Testing

PASSING


 Test Files  9 passed (9)
      Tests  145 passed (145)
   Start at  01:18:38
   Duration  718ms (transform 268ms, setup 0ms, collect 1.05s, tests 188ms, environment 1ms, prepare 413ms)

How to Test

  1. Set enableAccessTokenEndpoint: false in your Auth0 client configuration
  2. Verify that attempts to access /auth/access-token from client code fail appropriately
  3. Implement server-side proxy endpoints for any resource server interactions
  4. Confirm that server-side token usage continues to work as expected

Migration Guide

For applications that need to improve security by adopting the Token Mediating Backend pattern:

  1. Update your Auth0 client configuration:

    const auth0 = new Auth0Client({
      // ...your existing config
      enableAccessTokenEndpoint: false
    });
  2. Replace client-side API calls using tokens with server-side endpoints:

    • Before: Client makes direct API calls with access tokens
    • After: Client calls your NextJS backend, which uses the token server-side
  3. Update any client-side code that depends on direct token access to use server-side proxies instead
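A server-side proxy in the shape step 2 of the migration guide describes, added here as an example (it is not code from this PR or from nextjs-auth0). The session lookup and the resource server are simulated stand-ins so the block runs offline; a real route handler would await the library's asynchronous token call instead.

```javascript
// Constructed sample token; in a real deployment it comes from the server-side Auth0 session.
const SAMPLE_TOKEN = "constructed.sample.token";

// Stand-in for a server-only session lookup (assumption: the real call is
// asynchronous; kept synchronous here so the example runs offline).
function getAccessTokenFromSession() {
  return { token: SAMPLE_TOKEN, expiresAt: Math.floor(Date.now() / 1000) + 3600 };
}

// Stand-in resource server: accepts only the expected bearer token.
function fakeResourceServer(url, init) {
  const auth = (init && init.headers && init.headers.Authorization) || "";
  if (auth !== `Bearer ${SAMPLE_TOKEN}`) {
    return { status: 401, body: { error: "unauthorized" } };
  }
  return { status: 200, body: { items: ["a", "b"], path: url } };
}

// Server-side proxy: the token is obtained and used here only; the browser
// receives the upstream payload and never sees the token itself.
function proxyResourceRequest({ path, getAccessToken, fetchImpl, upstream }) {
  const { token } = getAccessToken();
  const res = fetchImpl(`${upstream}${path}`, {
    headers: { Authorization: `Bearer ${token}` },
  });
  // Defensive check: never forward a payload that echoes the token back.
  if (JSON.stringify(res.body).includes(token)) {
    return { status: 502, body: { error: "upstream response contained the token" } };
  }
  return { status: res.status, body: res.body };
}

// What a Next.js route handler would call for a request arriving from the browser.
function handleBrowserRequest(path) {
  return proxyResourceRequest({
    path,
    getAccessToken: getAccessTokenFromSession,
    fetchImpl: fakeResourceServer,
    upstream: "https://api.example.test",
  });
}

// Helper for verification: does a response expose the token anywhere?
function responseExposesToken(response) {
  return JSON.stringify(response).includes(SAMPLE_TOKEN);
}
```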

@tusharpandey13 tusharpandey13 requested a review from a team as a code owner March 19, 2025 19:37
@codecov-commenter

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 76.19%. Comparing base (9f2e29d) to head (41101dc).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1979      +/-   ##
==========================================
+ Coverage   76.16%   76.19%   +0.03%     
==========================================
  Files          21       21              
  Lines        1523     1525       +2     
  Branches      242      245       +3     
==========================================
+ Hits         1160     1162       +2     
  Misses        356      356              
  Partials        7        7              

@tusharpandey13 tusharpandey13 changed the title add AT exposure control flag to Auth0Client constructor Access Token Exposure ControlAccess Token Exposure Control Mar 19, 2025
@tusharpandey13 tusharpandey13 changed the title Access Token Exposure ControlAccess Token Exposure Control Access Token Exposure Control Mar 19, 2025