From ddf9621ea0035ba4e97319e16a7f0483aa526ee3 Mon Sep 17 00:00:00 2001 From: Hernan Alvarado Date: Thu, 18 Dec 2025 15:42:59 -0500 Subject: [PATCH 1/2] chore(release): bump package versions - `@aura-stack/auth` - `@aura-stack/jose` --- packages/core/CHANGELOG.md | 48 ++++++++++++++++++++++++++++++++++++-- packages/jose/CHANGELOG.md | 12 ++++++++-- 2 files changed, 56 insertions(+), 4 deletions(-) diff --git a/packages/core/CHANGELOG.md b/packages/core/CHANGELOG.md index 8202ce37..b28a4ce1 100644 --- a/packages/core/CHANGELOG.md +++ b/packages/core/CHANGELOG.md 
@@ -9,8 +9,52 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +--- + +## [0.1.0] - 2025-12-28 + ### Added -- Added support for the `error` and `error_description` properties to standardize error handling in accordance with the [OAuth 2.0 RFC (section 5.2)](https://datatracker.ietf.org/doc/html/rfc6749#section-5.2). These fields are used to describe errors returned by the application or by third‑party authorization servers. [#2](https://github.com/aura-stack-ts/auth/pull/2) +- Added the `User` and `Session` types for user management. The `/session` endpoint now returns a `Session` object with `user` and `expires` fields, and the OAuth entry points re-export the types used by OAuth profiles. [#36](https://github.com/aura-stack-ts/auth/pull/36) + +- Added support to build the user session from the OAuth provider `profile` function. The `/session` endpoint returns an object with `user` and `expires` fields. [#35](https://github.com/aura-stack-ts/auth/pull/35) + +- Introduced the experimental `trustedProxyHeaders` configuration to infer the request origin from proxy headers such as `X-Forwarded-Proto`, `X-Forwarded-Host`, and `Forwarded`. [#34](https://github.com/aura-stack-ts/auth/pull/34) + +- Added the `X (Twitter)` OAuth provider to the supported integrations in Aura Auth. [#33](https://github.com/aura-stack-ts/auth/pull/33) + +- Added the `Spotify` OAuth provider to the supported integrations in Aura Auth. [#32](https://github.com/aura-stack-ts/auth/pull/32) + +- Introduced the optional `AURA_AUTH_SALT` environment variable for HKDF salting when deriving keys for signing and encryption JWTs and CSRF tokens. [#30](https://github.com/aura-stack-ts/auth/pull/30) + +- Added the `GitLab` OAuth provider to the supported integrations in Aura Auth. [#28](https://github.com/aura-stack-ts/auth/pull/28) + +- Added the `Discord` OAuth provider to the supported integrations in Aura Auth. 
[#27](https://github.com/aura-stack-ts/auth/pull/27) + +- Added the `Figma` OAuth provider to the supported integrations in Aura Auth. [#26](https://github.com/aura-stack-ts/auth/pull/26) + +- Added the `Bitbucket` OAuth provider to the supported integrations in Aura Auth. [#25](https://github.com/aura-stack-ts/auth/pull/25) + +- Introduced the `basePath` configuration option in `createAuth` to set a custom base path for locating the Aura Auth instance; the default remains `/auth`. [#24](https://github.com/aura-stack-ts/auth/pull/24) + +- Introduced the `secret` configuration option in `createAuth` to override the `AURA_AUTH_SECRET` environment variable by providing the secret directly. [#22](https://github.com/aura-stack-ts/auth/pull/22) + +- Added support for the `redirect_to` search parameter in `/signIn/:oauth` and `/signOut` endpoints to redirect users after completion. This overrides `Referer` and `Origin` when inferring where to redirect. [#20](https://github.com/aura-stack-ts/auth/pull/20) + +- Implemented `createDeriveKey` from `@aura-stack/jose` for HKDF-based key derivation so the original secret is never used directly for signing or encryption. [#16](https://github.com/aura-stack-ts/auth/pull/16) + +- Added the `/csrfToken` endpoint for CSRF token generation via signed JWTs with unpredictable values. The `/signOut` endpoint requires a valid `csrfToken` or the request is rejected. [#14](https://github.com/aura-stack-ts/auth/pull/14) + +- Added validations to mitigate open redirect attacks by validating `Referer` and `Origin` headers and allowing only matching origins and relative redirect paths. [#12](https://github.com/aura-stack-ts/auth/pull/12) + +- Added support for **PKCE (Proof Key for Code Exchange)** in the OAuth authorization workflows (`/authorization` and `/access_token`) with `code_challenge`, `code_challenge_method` (only `256`), and `code_verifier`, following [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636). 
[#11](https://github.com/aura-stack-ts/auth/pull/11) + +- Introduced the `cookie` configuration option in `createAuth` to manage cookie name, prefixes (`__Secure-`, `__Host-`), and cookie options, following [Cookie HTTP State Management](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html). [#10](https://github.com/aura-stack-ts/auth/pull/10) + +- Implemented the `/signOut` endpoint for session revocation, following the [OAuth 2.0 Token Revocation](https://datatracker.ietf.org/doc/html/rfc7009) specification. [#9](https://github.com/aura-stack-ts/auth/pull/9) + +- Added support for the `OAuthUserProfile` object in the `/session` response, including `sub`, `email`, `name`, `image`, `integrations`, and `version`. Introduced the `redirect_to` cookie to replace the previous `original_uri` cookie. [#8](https://github.com/aura-stack-ts/auth/pull/8) + +- Added support for the `error` and `error_description` properties to standardize error handling in accordance with [OAuth 2.0 RFC 6749 §5.2](https://datatracker.ietf.org/doc/html/rfc6749#section-5.2). These fields describe errors returned by the application or by third-party authorization servers. [#2](https://github.com/aura-stack-ts/auth/pull/2) -- Introduced the `@aura-stack/auth` package which implements the OAuth workflow and exposes the `/signIn/:provider`, `/callback/:provider`, and `/session` endpoints. The package uses `@aura-stack/router` to define routes and is configured via `createAuth`, which accepts OAuth provider configurations and includes a default GitHub provider for convenience. [#1](https://github.com/aura-stack-ts/auth/pull/1) +- Introduced the `@aura-stack/auth` package, which implements the OAuth workflow and exposes the `/signIn/:provider`, `/callback/:provider`, and `/session` endpoints. The package uses `@aura-stack/router` to define routes via `createAuth`, includes OAuth provider configuration, and ships with a default GitHub provider. 
[#1](https://github.com/aura-stack-ts/auth/pull/1) diff --git a/packages/jose/CHANGELOG.md b/packages/jose/CHANGELOG.md index 2e39eb23..af52143b 100644 --- a/packages/jose/CHANGELOG.md +++ b/packages/jose/CHANGELOG.md 
@@ -9,8 +9,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +--- + +## [0.1.0] - 2025-12-28 + ### Added -- Reconsidered the package's purpose and renamed it from `@aura-stack/session` to `@aura-stack/jose`. The package now focuses on implementing standardized processes for [signing (JWS)](https://datatracker.ietf.org/doc/html/rfc7515), [encrypting (JWE)](https://datatracker.ietf.org/doc/html/rfc7516), and [handling JWTs](https://datatracker.ietf.org/doc/html/rfc7519). This provides robust utilities for creating, signing, encrypting, verifying, and decrypting JWTs through a clear, modular API. [#3](https://github.com/aura-stack-ts/auth/pull/3) +- Added salting support to `deriveKey` and `createDeriveKey` for HKDF-based key derivation from a secret value. [#30](https://github.com/aura-stack-ts/auth/pull/30) + +- Introduced `deriveKey` and `createDeriveKey` for HKDF (HMAC-based Extract-and-Expand Key Derivation Function) so applications can derive multiple independent keys from a single secret without using the original secret directly. [#15](https://github.com/aura-stack-ts/auth/pull/15) + +- Renamed the package from `@aura-stack/session` to `@aura-stack/jose` to focus on standardized JWT workflows: [signing (JWS)](https://datatracker.ietf.org/doc/html/rfc7515), [encrypting (JWE)](https://datatracker.ietf.org/doc/html/rfc7516), and [handling JWTs](https://datatracker.ietf.org/doc/html/rfc7519). The package now offers modular utilities to create, sign, encrypt, verify, and decrypt JWTs. [#3](https://github.com/aura-stack-ts/auth/pull/3) -- Introduced the `@aura-stack/session` package to manage signed and encrypted JWTs via `encode` and `decode` functions, and to manage sessions using cookie helpers `setCookie` and `getCookie`. 
[#1](https://github.com/aura-stack-ts/auth/pull/1) +- Introduced the `@aura-stack/session` package to manage signed and encrypted JWTs via `encode` and `decode`, and to manage sessions with cookie helpers `setCookie` and `getCookie`. [#1](https://github.com/aura-stack-ts/auth/pull/1) From 48724da955975bda73b97dbea0aa5d373c9e116e Mon Sep 17 00:00:00 2001 From: Hernan Alvarado Date: Thu, 18 Dec 2025 15:57:41 -0500 Subject: [PATCH 2/2] chore: bump packages --- packages/core/package.json | 2 +- packages/jose/package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/core/package.json b/packages/core/package.json index b4ba2915..2aa63c2b 100644 --- a/packages/core/package.json +++ b/packages/core/package.json @@ -1,6 +1,6 @@ { "name": "@aura-stack/auth", - "version": "0.1.0-rc.10", + "version": "0.1.0", "private": false, "type": "module", "description": "Core auth for @aura-stack/auth", diff --git a/packages/jose/package.json b/packages/jose/package.json index bc78c551..39c63a5f 100644 --- a/packages/jose/package.json +++ b/packages/jose/package.json @@ -1,6 +1,6 @@ { "name": "@aura-stack/jose", - "version": "0.1.0-rc.1", + "version": "0.1.0", "private": false, "type": "module", "description": "JOSE utilities for @aura-stack/auth",
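Review bot: in the `packages/core/CHANGELOG.md` hunk, the new `## [0.1.0] - 2025-12-28` heading is dated ten days after this commit (Thu, 18 Dec 2025), so either the release date or the commit needs correcting. In the same hunk the PKCE entry lists `code_challenge_method` (only `256`); RFC 7636 names the method `S256`, so this reads as a typo in the changelog, and if the implementation really accepts the literal `256` that is a conformance problem worth a follow-up. Also, the #20 entry says `redirect_to` "overrides `Referer` and `Origin` when inferring where to redirect" while the #12 entry describes the open-redirect mitigation as allowing only matching origins and relative redirect paths; the #20 entry should state explicitly that `redirect_to` goes through the same validation, otherwise a reader may conclude the parameter bypasses it.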
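Review bot: in the `packages/jose/CHANGELOG.md` hunk, the `## [0.1.0] - 2025-12-28` heading has the same mismatch with the commit date (18 Dec 2025). The salting entry (#30) should also say what `deriveKey` and `createDeriveKey` do when no salt is supplied: HKDF (RFC 5869) treats an absent salt as a string of zero bytes, so two deployments that share a secret and omit the salt derive identical keys for the same `info`; one clause stating the default makes the security purpose of the option clear to readers of the changelog.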
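Review bot: the `packages/core/package.json` and `packages/jose/package.json` hunks only change the `version` field (`0.1.0-rc.10` to `0.1.0` and `0.1.0-rc.1` to `0.1.0`). If `@aura-stack/auth` declares `@aura-stack/jose` as a dependency pinned to an rc range, that line is outside both hunks and should be checked before publishing so the released core package does not resolve to the pre-release; the commit message `chore: bump packages` could also name the two released versions, as the first commit's message does.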