Releases: ForbesLindesay/authentication
@authentication/[email protected]
Bug Fixes
- The SSL check was backwards, preventing this lib being used in production. (#22)
@authentication/[email protected]
New Features
- The email is now available as part of the state while on the pass code entry form (#19)
@authentication/[email protected]
Breaking Changes
- The primary export is now a "hook" instead of a component expecting render props (#18) If you prefer a component with render props you can import `@authentication/react-passwordless/DefaultForm`. The structure of the data passed to render props has been completely re-thought though.
- The methods for calling the backend have been updated to work with the new version of `@authentication/passwordless` and are not compatible with the old version. (#18)
@authentication/[email protected]
Breaking Changes
- Renamed the `Store` TypeScript interface to `RateLimitStore` (#17)
- Removed support for stores with "transactions" (#17) They were often implemented incorrectly, which can lead to security vulnerabilities. It is much safer to enforce that optimistic concurrency is used.
New Features
- Added the `tryConsume` method that returns an object indicating the result of consuming the token, rather than throwing an error. (#18)
Bug Fixes
- Added type for the default export of `@authentication/rate-limit/bucket` and `@authentication/rate-limit/exponential` (#18)
@authentication/[email protected]
Performance Improvements
- remove unused dependencies (#20)
@authentication/[email protected]
Breaking Changes
- The token schema has changed (#18) Tokens now look like:

  ```ts
  export default interface Token<State = void> {
    userID: string;
    /**
     * An incrementing integer used for optimistic concurrency
     */
    version: number;
    /**
     * The pass code, that gets sent in the e-mail and entered by
     * the user (or appears as the `code` parameter in "magic" link)
     */
    passCode: string;
    /**
     * The number of attempts remaining before the token is disposed of.
     */
    attemptsRemaining: number;
    /**
     * The time this token was created, represented as milliseconds since
     * the unix epoch.
     */
    created: number;
    /**
     * The time this token expires, represented as milliseconds since the
     * unix epoch.
     */
    expiry: number;
    /**
     * Some arbitrary state of your choice. This is a good place to store a
     * redirect URI for after the authentication is complete.
     */
    state: State;
  }
  ```

  It is very important that you always check `token.version` when performing update operations, in order to prevent a malicious attacker making more than the expected number of attempts at a single token.
- It is now only possible to use the namespaced version of the `Store` (#18) The type for the store is now:

  ```ts
  export interface TokensStore<State = undefined> {
    insert(token: Token<State>): Promise<string>;
    load(tokenID: string): Promise<Token<State> | null>;
    update(
      tokenID: string,
      token: Token<State>,
      oldToken: Token<State>,
    ): Promise<void>;
    remove(tokenID: string): Promise<void>;
  }

  export default interface PasswordlessStore<State = undefined> {
    tokens: TokensStore<State>;
    rateLimit: RateLimitStore<string>;
  }
  ```
- `createToken` now requires `{userID, ipAddress, state, sendTokenToUser}` as input instead of an express request/response pair. It returns the response expected by react-passwordless, and only gives the secret pass code to the `sendTokenToUser` function. (#18)
- `verifyPassCode` has been split into `verifyPassCode` and `verifyPassCodeFromRequest` (#18) Both functions need to be given both the `tokenID` and the `passCode`, as cookies are no longer used to store the `tokenID`. `verifyPassCodeFromRequest` can accept either an express request or a koa context object.
- Removed support for stores with "transactions" (#17) They were often implemented incorrectly, which can lead to security vulnerabilities. It is much safer to enforce that optimistic concurrency is used.
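
An added example (not code from this project) of the `token.version` check the notes above call for: an in-memory store whose `update` writes only when the stored `version` still equals `oldToken.version`, raced against concurrent guesses with the check on and off. `MemoryTokensStore`, `consumeAttempt`, `raceAttempts` and the sample token values are hypothetical names and constructed data.

```typescript
interface Token<State = void> {
  userID: string; version: number; passCode: string;
  attemptsRemaining: number; created: number; expiry: number; state: State;
}

// In-memory stand-in for a TokensStore (hypothetical; a real store talks to a database).
class MemoryTokensStore {
  private tokens = new Map<string, Token>();
  private nextID = 0; // constructed IDs, for the demo only
  private checkVersion: boolean;
  constructor(checkVersion: boolean) { this.checkVersion = checkVersion; }

  async insert(token: Token): Promise<string> {
    const id = `token-${this.nextID++}`;
    this.tokens.set(id, { ...token });
    return id;
  }
  async load(tokenID: string): Promise<Token | null> {
    const t = this.tokens.get(tokenID);
    return t ? { ...t } : null;
  }
  // Compare-and-swap: only write if the stored version is the one the caller read.
  async update(tokenID: string, token: Token, oldToken: Token): Promise<void> {
    const current = this.tokens.get(tokenID);
    if (!current) throw new Error('token not found');
    if (this.checkVersion && current.version !== oldToken.version) {
      throw new Error('token changed since it was loaded');
    }
    this.tokens.set(tokenID, { ...token });
  }
}

// Spend one attempt: read, decrement, bump version, write back.
// A lost race is treated as a rejected attempt (an assumption of this example).
async function consumeAttempt(store: MemoryTokensStore, tokenID: string): Promise<boolean> {
  const old = await store.load(tokenID);
  if (!old || old.attemptsRemaining <= 0) return false;
  const next = { ...old, version: old.version + 1, attemptsRemaining: old.attemptsRemaining - 1 };
  return store.update(tokenID, next, old).then(() => true, () => false);
}

// Fire `guesses` concurrent attempts at one token that allows `allowed` attempts.
async function raceAttempts(allowed: number, guesses: number, checkVersion: boolean) {
  const store = new MemoryTokensStore(checkVersion);
  const id = await store.insert({ userID: 'user-1', version: 0, passCode: '000000',
    attemptsRemaining: allowed, created: 0, expiry: 60000, state: undefined });
  const results = await Promise.all(
    Array.from({ length: guesses }, () => consumeAttempt(store, id)));
  const token = await store.load(id);
  return { accepted: results.filter(Boolean).length, remaining: token ? token.attemptsRemaining : -1 };
}
```

With the check on, `raceAttempts(3, 10, true)` accepts one of the ten concurrent guesses; with it off, all ten are accepted while `attemptsRemaining` drops by only one.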
Performance Improvements
- `passCodes` are no longer hashed before storage because it was expensive and they are short-lived tokens anyway. (#18) This allows us to drop a costly native dependency, and reduces the load on your server considerably.
@authentication/[email protected]
Breaking Changes
- `@authentication/generate-passcode/Encoding` now has a default export, rather than a named export. (#18)
@authentication/[email protected]
Breaking Changes
- Add support for using the `BASE_URL` or `BASE_URI` environment variable to specify the app's hostname in production. (#16)
@authentication/[email protected]
Breaking Changes
- Add support for using the `BASE_URL` or `BASE_URI` environment variable to specify the app's hostname in production. (#16)
@authentication/[email protected]
New Features
- Initial release (#16)