ForbesLindesay Authentication Versions Save

Modular, strongly typed, promise based, independent implementations of various authentication protocols

@authentication/[email protected]

3 years ago

Bug Fixes

  • The SSL check was backwards, preventing this lib being used in production. (#22)

@authentication/[email protected]

3 years ago

Performance Improvements

  • remove unused dependencies (#20)

@authentication/[email protected]

3 years ago

New Features

  • The email is now available as part of the state while on the pass code entry form (#19)

@authentication/[email protected]

3 years ago

Breaking Changes

  • The primary export is now a "hook" instead of a component expecting render props (#18)

    If you prefer a component with render props you can import @authentication/react-passwordless/DefaultForm. The structure of the data passed to render props has been completely re-thought though.

  • The methods for calling the backend have been updated to work with the new version of @authentication/passwordless and are not compatible with the old version. (#18)

@authentication/[email protected]

3 years ago

Breaking Changes

  • The token schema has changed (#18)

    Tokens now look like:

    export default interface Token`State = void> {
      userID: string;
      /**
       * An incrementing integer used for optimistic concurrency
       */
      version: number;
      /**
       * The pass code, that gets sent in the e-mail and entered by
       * the user (or appears as the `code` parameter in "magic" link)
       */
      passCode: string;
      /**
       * The number of attempts remaining before the token is disposed of.
       */
      attemptsRemaining: number;
      /**
       * The time this token was created, represented as milliseconds since
       * the unix epoch.
       */
      created: number;
      /**
       * The time this token expires, represented as milliseconds since the
       * unix epoch.
       */
      expiry: number;
      /**
       * Some arbirary state of your choice. This is a good place to store a
       * redirect URI for after the authentication is complete.
       */
      state: State;
    }
    

    It is very important that you always check token.version when performing update operations, in order to prevent a malicious attacker making more than the expected number of attempts at a single token.

  • Is is now only possible to use the namespaced version of the Store (#18)

    The type for the store is now:

    export interface TokensStore`State = undefined> {
      insert(token: Token`State>): Promise`string>;
      load(tokenID: string): Promise`Token`State> | null>;
      update(
        tokenID: string,
        token: Token`State>,
        oldToken: Token`State>,
      ): Promise`void>;
      remove(tokenID: string): Promise`void>;
    }
    export default interface PasswordlessStore`State = undefined> {
      tokens: TokensStore`State>;
      rateLimit: RateLimitStore`string>;
    }
    
  • createToken now requires {userID, ipAddress, state, sendTokenToUser} as input instead of an express request/response pair. It returns the response expected by react-passwordless, and only gives the secret pass code to the sendTokenTouser function. (#18)

  • verifyPassCode has been split into verifyPassCode and verifyPassCodeFromRequest (#18)

    Both functions need to be given both the tokenID and the passCode as cookies are no longer used to store the tokenID. The verifyPassCodeFromRequest can accept either an express request or a koa context object.

  • Removed support for stores with "transactions" (#17)

    They were often implemented incorrectly, which can lead to security vulnerabilities. It is much safer to enforce that optimistic concurrency is used.

Performance Improvements

  • passCodes are no longer hashed before storage because it was expensive and they are short-lived tokens anyway. (#18)

    This allows us to drop a costly native dependency, and reduces the load on your server considerably.

@authentication/[email protected]

3 years ago

Breaking Changes

  • Renamed the Store TypeScript interface to RateLimitStore (#17)

  • Removed support for stores with "transactions" (#17)

    They were often implemented incorrectly, which can lead to security vulnerabilities. It is much safer to enforce that optimistic concurrency is used.

New Features

  • Added the tryConsume method that returns an object indicating the result of consuming the token, rather than throwing an error. (#18)

Bug Fixes

  • Added type for the default export of @authentication/rate-limit/bucket and @authentication/rate-limit/exponential (#18)

@authentication/[email protected]

3 years ago

Breaking Changes

  • @authentication/generate-passcode/Encoding now has a default export, rather than a named export. (#18)

@authentication/[email protected]

3 years ago

Breaking Changes

  • Add support for using the BASE_URL or BASE_URI environment variable to specify the app's hostname in production. (#16)

@authentication/[email protected]

3 years ago

Breaking Changes

  • Add support for using the BASE_URL or BASE_URI environment variable to specify the app's hostname in production. (#16)

@authentication/[email protected]

3 years ago

Breaking Changes

  • Add support for using the BASE_URL or BASE_URI environment variable to specify the app's hostname in production. (#16)