fix: resolve null domain handling and v13 lock bug fixes

.snyk

@@ -0,0 +1,59 @@
+# Snyk (https://snyk.io) policy file
+version: v1.25.0
+ignore:
+  SNYK-JS-AUTH0JS-16438973:
+    - '*':
+        reason: >-
+          auth0-js@9.29.0+ uses superagent@10.x which calls new Proxy() at
+          runtime. IE11 does not support the Proxy global and it cannot be
+          polyfilled. Lock v13 maintains IE11 compatibility and must stay on
+          auth0-js@9.28.x (the last version using superagent@7.x).
+        expires: '2027-01-01T00:00:00.000Z'
+  SNYK-JS-DOMPURIFY-16131135:
+    - '*':
+        reason: >-
+          DOMPurify v3 (which fixes this) dropped IE11 support. Lock v13
+          maintains IE11 compatibility and cannot upgrade to v3.
+        expires: '2027-01-01T00:00:00.000Z'
+  SNYK-JS-DOMPURIFY-8722251:
+    - '*':
+        reason: >-
+          DOMPurify v3 (which fixes this) dropped IE11 support. Lock v13
+          maintains IE11 compatibility and cannot upgrade to v3.
+        expires: '2027-01-01T00:00:00.000Z'
+  SNYK-JS-DOMPURIFY-16078387:
+    - '*':
+        reason: >-
+          DOMPurify v3 (which fixes this) dropped IE11 support. Lock v13
+          maintains IE11 compatibility and cannot upgrade to v3.
+        expires: '2027-01-01T00:00:00.000Z'
+  SNYK-JS-DOMPURIFY-15810938:
+    - '*':
+        reason: >-
+          DOMPurify v3 (which fixes this) dropped IE11 support. Lock v13
+          maintains IE11 compatibility and cannot upgrade to v3.
+        expires: '2027-01-01T00:00:00.000Z'
+  SNYK-JS-DOMPURIFY-15874903:
+    - '*':
+        reason: >-
+          DOMPurify v3 (which fixes this) dropped IE11 support. Lock v13
+          maintains IE11 compatibility and cannot upgrade to v3.
+        expires: '2027-01-01T00:00:00.000Z'
+  SNYK-JS-DOMPURIFY-15874905:
+    - '*':
+        reason: >-
+          DOMPurify v3 (which fixes this) dropped IE11 support. Lock v13
+          maintains IE11 compatibility and cannot upgrade to v3.
+        expires: '2027-01-01T00:00:00.000Z'
+  SNYK-JS-DOMPURIFY-15371386:
+    - '*':
+        reason: >-
+          DOMPurify v3 (which fixes this) dropped IE11 support. Lock v13
+          maintains IE11 compatibility and cannot upgrade to v3.
+        expires: '2027-01-01T00:00:00.000Z'
+  SNYK-JS-DOMPURIFY-15371376:
+    - '*':
+        reason: >-
+          DOMPurify v3 (which fixes this) dropped IE11 support. Lock v13
+          maintains IE11 compatibility and cannot upgrade to v3.
+        expires: '2027-01-01T00:00:00.000Z'

package.json

@@ -81,7 +81,6 @@
     "eslint-config-prettier": "^8.8.0",
     "eslint-plugin-react": "^7.32.2",
     "esm": "^3.2.25",
-    "events": "^3.3.0",
     "expect.js": "^0.3.1",
     "flat": "^5.0.2",
     "glob": "^7.1.7",
@@ -132,7 +131,7 @@
     "qs": "^6.10.3",
     "react": "^18.2.0",
     "react-dom": "^18.2.0",
-    "react-transition-group": "^2.2.1",
+    "react-transition-group": "^4.4.5",
     "trim": "^1.0.1",
     "url-join": "^1.1.0",
     "validator": "^13.6.0"
@@ -188,4 +187,4 @@
       "prettier --write"
     ]
   }
-}
+}

src/__tests__/connection/enterprise/__snapshots__/hrd_screen.test.js.snap

@@ -1,5 +1,34 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
+exports[`HRDScreen Component renders correctly when enterprise domain is undefined 1`] = `
+<div
+  data-__type="hrd_pane"
+  data-header={
+    <p>
+      Login with your corporate credentials. []
+    </p>
+  }
+  data-i18n={
+    {
+      "str": [Function],
+    }
+  }
+  data-model={
+    Immutable.Map {
+      "id": "__lock-id__",
+      "i18n": Immutable.Map {
+        "strings": Immutable.Map {
+          "enterpriseLoginIntructions": "Login with your corporate credentials.",
+          "enterpriseActiveLoginInstructions": "Please enter your corporate credentials at %s.",
+        },
+      },
+    }
+  }
+  data-passwordInputPlaceholder=" []"
+  data-usernameInputPlaceholder=" []"
+/>
+`;
+
 exports[`HRDScreen Component renders correctly when there is an enterprise domain 1`] = `
 <div
   data-__type="hrd_pane"
@@ -57,3 +86,61 @@ exports[`HRDScreen Component renders correctly when there is no enterprise domai
   data-usernameInputPlaceholder=" []"
 />
 `;
+
+exports[`HRDScreen Component uses fallback message when enterprise domain is empty string 1`] = `
+<div
+  data-__type="hrd_pane"
+  data-header={
+    <p>
+      Login with your corporate credentials. []
+    </p>
+  }
+  data-i18n={
+    {
+      "str": [Function],
+    }
+  }
+  data-model={
+    Immutable.Map {
+      "id": "__lock-id__",
+      "i18n": Immutable.Map {
+        "strings": Immutable.Map {
+          "enterpriseLoginIntructions": "Login with your corporate credentials.",
+          "enterpriseActiveLoginInstructions": "Please enter your corporate credentials at %s.",
+        },
+      },
+    }
+  }
+  data-passwordInputPlaceholder=" []"
+  data-usernameInputPlaceholder=" []"
+/>
+`;
+
+exports[`HRDScreen Component uses fallback message when enterprise domain is whitespace only 1`] = `
+<div
+  data-__type="hrd_pane"
+  data-header={
+    <p>
+      Login with your corporate credentials. []
+    </p>
+  }
+  data-i18n={
+    {
+      "str": [Function],
+    }
+  }
+  data-model={
+    Immutable.Map {
+      "id": "__lock-id__",
+      "i18n": Immutable.Map {
+        "strings": Immutable.Map {
+          "enterpriseLoginIntructions": "Login with your corporate credentials.",
+          "enterpriseActiveLoginInstructions": "Please enter your corporate credentials at %s.",
+        },
+      },
+    }
+  }
+  data-passwordInputPlaceholder=" []"
+  data-usernameInputPlaceholder=" []"
+/>
+`;

src/__tests__/connection/enterprise/hrd_screen.test.js

@@ -49,4 +49,41 @@ describe('HRDScreen Component', () => {
     const Component = getComponent();
     expectComponent(<Component model={lock} i18n={i18nProp} />).toMatchSnapshot();
   });
+
+  it('renders correctly when enterprise domain is undefined', () => {
+    require('connection/enterprise').enterpriseDomain.mockImplementation(() => undefined);
+    const Component = getComponent();
+    expectComponent(<Component model={lock} i18n={i18nProp} />).toMatchSnapshot();
+  });
+
+  it('does not show "undefined" in message when enterprise domain is undefined', () => {
+    require('connection/enterprise').enterpriseDomain.mockImplementation(() => undefined);
+    const { str } = i18nProp;
+
+    // Should use the fallback message without domain placeholder
+    const expectedMessage = str('enterpriseLoginIntructions');
+    expect(expectedMessage).toContain('Login with your corporate credentials.');
+    expect(expectedMessage).not.toContain('undefined');
+  });
+
+  it('does not show "undefined" in message when enterprise domain is null', () => {
+    require('connection/enterprise').enterpriseDomain.mockImplementation(() => null);    
+    const { str } = i18nProp;
+    // Should use the fallback message without domain placeholder  
+    const expectedMessage = str('enterpriseLoginIntructions');
+    expect(expectedMessage).toContain('Login with your corporate credentials.');
+    expect(expectedMessage).not.toContain('undefined');
+  });
+
+  it('uses fallback message when enterprise domain is empty string', () => {
+    require('connection/enterprise').enterpriseDomain.mockImplementation(() => '');
+    const Component = getComponent();
+    expectComponent(<Component model={lock} i18n={i18nProp} />).toMatchSnapshot();
+  });
+
+  it('uses fallback message when enterprise domain is whitespace only', () => {
+    require('connection/enterprise').enterpriseDomain.mockImplementation(() => '   ');
+    const Component = getComponent();
+    expectComponent(<Component model={lock} i18n={i18nProp} />).toMatchSnapshot();
+  });
 });

src/__tests__/connection/enterprise/matchConnection.test.js

@@ -0,0 +1,50 @@
+import I from 'immutable';
+import { matchConnection } from '../../../connection/enterprise';
+
+jest.mock('core/index', () => ({
+  connections: jest.fn()
+}));
+
+describe('matchConnection', () => {
+  afterEach(() => jest.resetAllMocks());
+
+  it('does not throw when enterprise connection has no domains field (key absent)', () => {
+    const { connections } = require('core/index');
+
+    // Tenant omits the domains field entirely
+    connections.mockReturnValue(
+      I.fromJS([{ name: 'samlp-connection', strategy: 'samlp', type: 'enterprise' }])
+    );
+
+    const m = I.fromJS({ id: '__lock__' });
+
+    expect(() => matchConnection(m, 'test@example.com')).not.toThrow();
+    expect(matchConnection(m, 'test@example.com')).toBeFalsy();
+  });
+
+  it('does not throw when enterprise connection has domains explicitly set to null', () => {
+    const { connections } = require('core/index');
+
+    // Tenant returns domains: null
+    connections.mockReturnValue(
+      I.fromJS([{ name: 'samlp-connection', strategy: 'samlp', type: 'enterprise', domains: null }])
+    );
+
+    const m = I.fromJS({ id: '__lock__' });
+
+    expect(() => matchConnection(m, 'test@example.com')).not.toThrow();
+    expect(matchConnection(m, 'test@example.com')).toBeFalsy();
+  });
+
+  it('matches a connection when the email domain is in the domains list', () => {
+    const { connections } = require('core/index');
+
+    connections.mockReturnValue(
+      I.fromJS([{ name: 'samlp-connection', strategy: 'samlp', type: 'enterprise', domains: ['example.com'] }])
+    );
+
+    const m = I.fromJS({ id: '__lock__' });
+
+    expect(matchConnection(m, 'user@example.com')).toBeTruthy();
+  });
+});

src/__tests__/i18n.test.js

@@ -59,8 +59,11 @@ describe('i18n', () => {
       };
       const m = Immutable.fromJS({ i18n: { strings } });
       const html = i18n.html(m, 'test');
-      expect(html.props.dangerouslySetInnerHTML.__html).not.toMatch(/javascript:alert/);
-      expect(html.props.dangerouslySetInnerHTML.__html).toEqual('<img href="1" src="1">');
+      const sanitized = html.props.dangerouslySetInnerHTML.__html;
+      expect(sanitized).not.toMatch(/javascript:alert/);
+      expect(sanitized).toMatch(/src="1"/);
+      expect(sanitized).toMatch(/href="1"/);
+      expect(sanitized).toMatch(/<img[^>]*>/);
     });
 
     it('should allow target=_blank with noopener noreferrer attributes', () => {

src/connection/enterprise.js

@@ -79,7 +79,7 @@ export function matchConnection(m, email, strategies = []) {
   const target = emailDomain(email);
   if (!target) return false;
   return l.connections(m, 'enterprise', ...strategies).find(x => {
-    return x.get('domains').contains(target);
+    return (x.get('domains') || List()).contains(target);
   });
 }
 
@@ -108,7 +108,7 @@ export function isADEnabled(m) {
 
 export function findADConnectionWithoutDomain(m, name = undefined) {
   return l.connections(m, 'enterprise', 'ad', 'auth0-adldap').find(x => {
-    return x.get('domains').isEmpty() && (!name || x.get('name') === name);
+    return (x.get('domains') || List()).isEmpty() && (!name || x.get('name') === name);
   });
 }
 

src/connection/enterprise/hrd_screen.jsx

@@ -11,7 +11,7 @@ const Component = ({ i18n, model }) => {
 
   var headerText;
 
-  if (domain !== null) {
+  if (domain && domain.trim()) {
     headerText = i18n.str('enterpriseActiveLoginInstructions', domain);
   } else {
     headerText = i18n.str('enterpriseLoginIntructions');

src/core/actions.js

@@ -242,7 +242,8 @@ function logInError(id, fields, error, localHandler = (_id, _error, _fields, nex
         'rule_error',
         'lock.unauthorized',
         'invalid_user_password',
-        'login_required'
+        'login_required',
+        'too_many_attempts'
       ];
 
       if (errorCodesThatEmitAuthorizationErrorEvent.indexOf(errorCode) > -1) {

src/core/web_api/p2_api.js

@@ -40,7 +40,7 @@ class Auth0APIClient {
       responseMode: opts.responseMode,
       responseType: opts.responseType,
       leeway: opts.leeway || 60,
-      plugins: opts.plugins || [new CordovaAuth0Plugin()],
+      plugins: opts.plugins || (typeof CordovaAuth0Plugin === 'function' ? [new CordovaAuth0Plugin()] : []),
       overrides: webAuthOverrides(opts.overrides),
       _sendTelemetry: opts._sendTelemetry === false ? false : true,
       _telemetryInfo: telemetry,

src/i18n/af.js

@@ -39,7 +39,8 @@ export default {
       'bad.phone_number': 'Die telefoonnommer is ongeldig',
       'lock.fallback': 'Jammer, iets het verkeerd gegaan',
       invalid_captcha: "Los die uitdagingsvraag om te verifieer dat u nie 'n robot is nie.",
-      invalid_recaptcha: "Kies die merkblokkie om te verifieer dat u nie 'n robot is nie."
+      invalid_recaptcha: "Kies die merkblokkie om te verifieer dat u nie 'n robot is nie.",
+      too_many_attempts: 'Jou rekening is geblok nadat daar te veel keer probeer inteken is.'
     },
     signUp: {
       invalid_password: 'Wagwoord is ongeldig.',

src/i18n/ar.js

@@ -43,7 +43,8 @@ export default {
       'bad.phone_number': 'رقم الهاتف غير صالح.',
       'lock.fallback': 'المعذرة، حصل خطأ ما.',
       invalid_captcha: 'حل سؤال التحدي للتحقق من أنك لست روبوت.',
-      invalid_recaptcha: 'حدد مربع الاختيار للتحقق من أنك لست روبوتًا.'
+      invalid_recaptcha: 'حدد مربع الاختيار للتحقق من أنك لست روبوتًا.',
+      too_many_attempts: 'تم حظر حسابك بعد عدة محاولات متتالية للدخول.'
     },
     signUp: {
       invalid_password: 'كلمة المرور غير صالحة.',

src/i18n/az.js

@@ -44,7 +44,8 @@ export default {
       'bad.phone_number': 'Telefon nömrəsi düzgün deyil',
       'lock.fallback': 'Üzr istəyirik, səhv oldu',
       invalid_captcha: 'Daxil etdiyiniz mətn səhv idi. <br /> Lütfən, yenidən cəhd edin.',
-      invalid_recaptcha: 'Robot olmadığınızı təsdiqləmək üçün onay qutusunu seçin.'
+      invalid_recaptcha: 'Robot olmadığınızı təsdiqləmək üçün onay qutusunu seçin.',
+      too_many_attempts: 'Çox sayda giriş cəhdi nəticəsində hesabınız bloklandı.'
     },
     signUp: {
       invalid_password: 'Şifrə yanlışdır.',

src/i18n/bg.js

@@ -45,7 +45,8 @@ export default {
       'bad.phone_number': 'Телефонният номер е невалиден',
       'lock.fallback': 'Съжаляваме, възникна грешка',
       invalid_captcha: 'Решете задачата, за да се уверим, че не сте робот.',
-      invalid_recaptcha: 'Поставете отметка, за да се уверим, че не сте робот.'
+      invalid_recaptcha: 'Поставете отметка, за да се уверим, че не сте робот.',
+      too_many_attempts: 'Вашият акаунт е блокиран след множество последователни опити да влезете в профила си.'
     },
     signUp: {
       invalid_password: 'Паролата е невалидна.',

src/i18n/ca.js

@@ -46,7 +46,8 @@ export default {
       'bad.phone_number': 'El número de telèfon no és vàlid',
       'lock.fallback': 'Quelcom ha fet fallida',
       invalid_captcha: 'Resoleu la pregunta de desafiament per verificar que no sou un robot.',
-      invalid_recaptcha: 'Seleccioneu la casella de verificació per verificar que no sou un robot.'
+      invalid_recaptcha: 'Seleccioneu la casella de verificació per verificar que no sou un robot.',
+      too_many_attempts: "Hi ha hagut massa intents consecutius fallits d'inici de sessió, i se us ha bloquejat l'accés."
     },
     signUp: {
       invalid_password: 'La contrasenya no és vàlida.',

src/i18n/cs.js

@@ -44,7 +44,8 @@ export default {
       'bad.phone_number': 'Telefonní číslo je neplatné',
       'lock.fallback': 'Je nám líto, něco se pokazilo',
       invalid_captcha: 'Vyřešte úlohu, abychom ověřili, že nejste robot.',
-      invalid_recaptcha: 'Zaškrtněte políčko, abychom ověřili, že nejste robot.'
+      invalid_recaptcha: 'Zaškrtněte políčko, abychom ověřili, že nejste robot.',
+      too_many_attempts: 'Váš účet byl zablokován z důvodu velkého počtu pokusů o přihlášení.'
     },
     signUp: {
       invalid_password: 'Heslo je neplatné.',