Skip to content

Releases: ForbesLindesay/authentication

@authentication/passwordless@2.0.2

26 Jul 01:32
@ForbesLindesay ForbesLindesay
@authentication/passwordless@2.0.2
194bbc6
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
@authentication/passwordless@2.0.2 Latest
Latest

Bug Fixes

  • The SSL check was backwards, preventing this lib being used in production. (#22)
Assets 2

@authentication/react-passwordless@2.1.0

22 Jul 22:02
@ForbesLindesay ForbesLindesay
@authentication/react-passwordless@2.1.0
2cb6b70
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
@authentication/react-passwordless@2.1.0

New Features

  • The email is now available as part of the state while on the pass code entry form (#19)
Assets 2

@authentication/react-passwordless@2.0.0

22 Jul 18:05
@ForbesLindesay ForbesLindesay
@authentication/react-passwordless@2.0.0
a6f52f2
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
@authentication/react-passwordless@2.0.0

Breaking Changes

  • The primary export is now a "hook" instead of a component expecting render props (#18)

    If you prefer a component with render props you can import @authentication/react-passwordless/DefaultForm. The structure of the data passed to render props has been completely re-thought though.

  • The methods for calling the backend have been updated to work with the new version of @authentication/passwordless and are not compatible with the old version. (#18)

Assets 2

@authentication/rate-limit@1.0.0

22 Jul 18:05
@ForbesLindesay ForbesLindesay
@authentication/rate-limit@1.0.0
a6f52f2
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
@authentication/rate-limit@1.0.0

Breaking Changes

  • Renamed the Store TypeScript interface to RateLimitStore (#17)

  • Removed support for stores with "transactions" (#17)

    They were often implemented incorrectly, which can lead to security vulnerabilities. It is much safer to enforce that optimistic concurrency is used.

New Features

  • Added the tryConsume method that returns an object indicating the result of consuming the token, rather than throwing an error. (#18)

Bug Fixes

  • Added type for the default export of @authentication/rate-limit/bucket and @authentication/rate-limit/exponential (#18)
Assets 2

@authentication/passwordless@2.0.1

22 Jul 22:59
@ForbesLindesay ForbesLindesay
@authentication/passwordless@2.0.1
42fb3af
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
@authentication/passwordless@2.0.1

Performance Improvements

  • remove unused dependencies (#20)
Assets 2

@authentication/passwordless@2.0.0

22 Jul 18:05
@ForbesLindesay ForbesLindesay
@authentication/passwordless@2.0.0
a6f52f2
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
@authentication/passwordless@2.0.0

Breaking Changes

  • The token schema has changed (#18)

    Tokens now look like:

    export default interface Token`State = void> {
  userID: string;
  /**
   * An incrementing integer used for optimistic concurrency
   */
  version: number;
  /**
   * The pass code, that gets sent in the e-mail and entered by
   * the user (or appears as the `code` parameter in "magic" link)
   */
  passCode: string;
  /**
   * The number of attempts remaining before the token is disposed of.
   */
  attemptsRemaining: number;
  /**
   * The time this token was created, represented as milliseconds since
   * the unix epoch.
   */
  created: number;
  /**
   * The time this token expires, represented as milliseconds since the
   * unix epoch.
   */
  expiry: number;
  /**
   * Some arbirary state of your choice. This is a good place to store a
   * redirect URI for after the authentication is complete.
   */
  state: State;
}

    It is very important that you always check token.version when performing update operations, in order to prevent a malicious attacker making more than the expected number of attempts at a single token.

  • Is is now only possible to use the namespaced version of the Store (#18)

    The type for the store is now:

    export interface TokensStore`State = undefined> {
  insert(token: Token`State>): Promise`string>;
  load(tokenID: string): Promise`Token`State> | null>;
  update(
    tokenID: string,
    token: Token`State>,
    oldToken: Token`State>,
  ): Promise`void>;
  remove(tokenID: string): Promise`void>;
}
export default interface PasswordlessStore`State = undefined> {
  tokens: TokensStore`State>;
  rateLimit: RateLimitStore`string>;
}

  • createToken now requires {userID, ipAddress, state, sendTokenToUser} as input instead of an express request/response pair. It returns the response expected by react-passwordless, and only gives the secret pass code to the sendTokenTouser function. (#18)

  • verifyPassCode has been split into verifyPassCode and verifyPassCodeFromRequest (#18)

    Both functions need to be given both the tokenID and the passCode as cookies are no longer used to store the tokenID. The verifyPassCodeFromRequest can accept either an express request or a koa context object.

  • Removed support for stores with "transactions" (#17)

    They were often implemented incorrectly, which can lead to security vulnerabilities. It is much safer to enforce that optimistic concurrency is used.

Performance Improvements

  • passCodes are no longer hashed before storage because it was expensive and they are short-lived tokens anyway. (#18)

    This allows us to drop a costly native dependency, and reduces the load on your server considerably.

Assets 2

@authentication/generate-passcode@2.0.0

22 Jul 18:05
@ForbesLindesay ForbesLindesay
@authentication/generate-passcode@2.0.0
a6f52f2
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
@authentication/generate-passcode@2.0.0

Breaking Changes

  • @authentication/generate-passcode/Encoding now has a default export, rather than a named export. (#18)
Assets 2

@authentication/twitter@1.0.0

21 Jul 16:50
@ForbesLindesay ForbesLindesay
@authentication/twitter@1.0.0
54e716a
Compare
Choose a tag to compare
@authentication/twitter@1.0.0

Breaking Changes

  • Add support for using the BASE_URL or BASE_URI environment variable to specify the app's hostname in production. (#16)
Assets 2

@authentication/tumblr@1.0.0

21 Jul 16:50
@ForbesLindesay ForbesLindesay
@authentication/tumblr@1.0.0
54e716a
Compare
Choose a tag to compare
@authentication/tumblr@1.0.0

Breaking Changes

  • Add support for using the BASE_URL or BASE_URI environment variable to specify the app's hostname in production. (#16)
Assets 2

@authentication/request-url@1.0.0

21 Jul 16:50
@ForbesLindesay ForbesLindesay
@authentication/request-url@1.0.0
54e716a
Compare
Choose a tag to compare
@authentication/request-url@1.0.0

New Features

  • Initial release (#16)
Assets 2