Commit 03cbf06

1.5.0 - added session validation
1 parent ae0b3e1 commit 03cbf06

28 files changed

Lines changed: 4230 additions & 2943 deletions

CHANGELOG.md

Lines changed: 152 additions & 0 deletions
@@ -0,0 +1,152 @@
1+
# Changelog
2+
3+
All notable changes to **awesome-node-auth** are documented in this file.
4+
Format: [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) · Versioning: [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
5+
6+
---
7+
8+
## [1.5.0] — 2026-03-18
9+
10+
### Added
11+
- **Hybrid Stateful Sessions** (`ISessionStore`) — optional server-side session tracking layered on top of JWT, enabling real-time revocation without invalidating all tokens.
12+
- **Session validation modes**`session.checkOn: 'none' | 'refresh' | 'allcalls'`; `allcalls` validates the session on every authenticated request via the auth middleware.
13+
- **User-facing session endpoints**`GET /auth/sessions` (list own devices) and `DELETE /auth/sessions/:handle` (revoke a device), both guarded by auth middleware and ownership check.
14+
- **Atomic session rotation** — on `POST /auth/refresh` the old session handle is revoked and a new one is issued atomically; the `sid` claim in the JWT tracks the handle.
15+
- **L1/L2 caching helpers**`RedisSessionStore` (L2 Redis-backed) and `L1CachedSessionStore` (in-process LRU decorator) for high-throughput session validation.
16+
- **`SESSION_REVOKED` loop protection**`auth.js` fetch interceptor and Angular HTTP interceptors now detect `code: 'SESSION_REVOKED'` on a 401 and force an immediate local logout instead of looping through refresh retries.
17+
- **`getActiveSessions()` / `revokeSession(handle)`** in `ng-awesome-node-auth` Angular service for "Manage devices" UI.
18+
- **`SessionInfo` interface** exported from the Angular library.
19+
20+
### Changed
21+
- `auth.middleware` updated to perform real-time session validation when `checkOn: 'allcalls'` is configured.
22+
- JWT payload now includes `sid` (session ID) claim when a `sessionStore` is configured.
23+
- `auth.js` `refresh()` public method returns `false` immediately for `SESSION_REVOKED` responses.
24+
25+
### Fixed
26+
- Infinite refresh loop: `refreshResult.success !== false` incorrectly treated `{code:'SESSION_REVOKED'}` (no `success` field) as a successful refresh.
27+
- Session expiry now reads `session.expiresIn` from `AuthConfig` rather than defaulting to a hard-coded 7-day value.
28+
29+
---
30+
31+
## [1.4.2] — 2026-03-17
32+
33+
### Fixed
34+
- `__Host-` cookies require `Path=/` per the RFC; the refresh-token cookie path was incorrect under certain route prefixes, causing browsers to reject it.
35+
- Added integration tests for `__Host-` / `__Secure-` cookie path compliance.
36+
37+
---
38+
39+
## [1.4.1] — 2026-03-17
40+
41+
### Changed
42+
- `auth.js` fetch interceptor switched from path-prefix matching to **origin-based credential matching**, preventing credential leakage to unrelated origins (e.g., a LiteLLM proxy on a different port).
43+
44+
### Fixed
45+
- `auth.js` was inadvertently intercepting requests to third-party origins when running alongside a Docusaurus wiki or AI proxy on the same page.
46+
47+
---
48+
49+
## [1.4.0] — 2026-03-17
50+
51+
### Added
52+
- **Headless UI mode** (`ui.headless: true`) — the built-in UI router serves `auth.js` and CSS assets but returns 404 for HTML pages; ideal for SPAs and wiki integrations that provide their own UI. The `/config` endpoint includes `headless: true` for the client to detect the mode.
53+
- `window.AwesomeNodeAuth` singleton with a public `refresh()` API, exposing token refresh to external scripts without re-entrant loops.
54+
55+
---
56+
57+
## [1.3.0] — 2026-03-14
58+
59+
### Added
60+
- **CSRF cookie-tossing protection** — CSRF cookie now uses `__Host-` prefix (`__Secure-` when `secure` is true but running under a subdomain), preventing subdomain cookie-tossing attacks.
61+
- **`ng-awesome-node-auth` Angular library** — first official Angular integration guide with `AuthService`, `authInterceptor` (CSRF + refresh queue), `APP_INITIALIZER`, and SSR support.
62+
- **Built-in UI documentation** — comprehensive reference for the zero-dependency HTML/CSS/JS login UI.
63+
- **Admin panel platform settings** — configurable per-platform feature flags exposed through the admin UI.
64+
- MCP server tools: `get_mailer_integration`, `get_sms_integration`, `get_ui_customization`, `get_email_templates`, `get_ng_awesome_node_auth`.
65+
66+
### Fixed
67+
- `__Host-` / `__Secure-` CSRF and access-token cookie prefix handling in `auth.js`, Angular interceptors, and MCP server.
68+
69+
---
70+
71+
## [1.2.x] — 2026-03-10 to 2026-03-11
72+
73+
### Added
74+
- **Built-in UI** (`<apiPrefix>/ui/`) — zero-dependency HTML/CSS/JS login, register, forgot-password, and reset-password pages served directly by the library.
75+
- Live preview and full customization of the built-in UI (background color, card color, logo, background image) via the admin panel.
76+
- CSS custom properties (`--auth-bg-color`, `--auth-card-bg`, etc.) for theme overrides.
77+
- Spinner and improved loading states in the built-in login page.
78+
- 87 unit tests for `auth.js` browser client API.
79+
- `window.AwesomeNodeAuth` documented browser client API.
80+
81+
### Fixed
82+
- `refreshToken` path auto-derivation now works correctly relative to `apiPrefix`.
83+
- Admin UI XSS/escape bug in dashboard string interpolation.
84+
- Asset loading and auth routing prefix hierarchy.
85+
86+
---
87+
88+
## [1.1.x] — 2026-02-21 to 2026-03-07
89+
90+
### Added
91+
- **Email verification** — three modes: `none` (disabled), `lazy` (grace period configurable), `strict` (login blocked until verified).
92+
- **Change email**`PATCH /auth/change-email` with re-verification flow.
93+
- **Change password**`PATCH /auth/change-password`.
94+
- **Admin panel** — HTML-based admin dashboard at `/admin/` with user listing, filtering, pagination, batch operations, and per-user detail view; tabs for metadata, roles, tenants, linked accounts, API keys, webhooks.
95+
- **User metadata** (`IUserMetadataStore`) — arbitrary per-user key/value store surfaced in `/me` and admin panel.
96+
- **Roles & permissions** (`IRolesPermissionsStore`) — RBAC with optional tenant scope; roles/permissions returned in `/me`.
97+
- **Session management** (`ISessionStore`) — interface for listing and revoking sessions; optional `POST /auth/sessions/cleanup` for cron-based expiry.
98+
- **Multi-tenancy** (`ITenantStore`) — isolated multi-tenant applications with tenant-scoped roles.
99+
- **Account deletion**`DELETE /auth/account` self-service endpoint with full cleanup hooks.
100+
- **CSRF protection** — double-submit cookie pattern, opt-in via `csrf.enabled`.
101+
- **Bearer token strategy**`X-Auth-Strategy: bearer` header enables JSON body token delivery instead of HttpOnly cookies.
102+
- **Custom JWT claims**`buildTokenPayload` callback for injecting project-specific claims.
103+
- **Provider parameter in mailer** — pass the auth provider to email templates.
104+
- `IUserStore.updateLastLogin()` optional method.
105+
- Rate limiter support on `GET /me` and other sensitive endpoints via `RouterOptions.rateLimiter`.
106+
- NestJS, Next.js, MySQL/MariaDB, and MongoDB integration examples in `examples/`.
107+
108+
### Fixed
109+
- Admin dashboard HTML interpolation escaping.
110+
- Refresh token cookie path bug.
111+
- Login verification issues distinguishing SMS/magic-link direct login from 2FA mode.
112+
- `deleteUser` implementation.
113+
114+
---
115+
116+
## [1.0.x] — 2026-02-21
117+
118+
### Added (Initial Release)
119+
- **Core JWT authentication** — access + refresh token pair, HttpOnly cookie delivery.
120+
- **Local strategy** — email/password login with bcrypt hashing.
121+
- **Password reset**`POST /auth/forgot-password` + `POST /auth/reset-password` with time-limited tokens.
122+
- **OAuth 2.0** — Google and GitHub strategies; `GenericOAuthStrategy` base class for custom providers; `success_redirect_path` in OAuth state.
123+
- **Magic links** — passwordless email login; first magic-link also counts as email verification.
124+
- **SMS OTP** — phone-number verification via one-time codes.
125+
- **TOTP 2FA** — time-based OTP compatible with Google Authenticator / Authy; `require2FA` flag per user.
126+
- **`IUserStore` interface** — single decoupling point to any database.
127+
- **`MailerService`** — HTTP transport mailer with Italian and English templates for password reset, magic links, email verification.
128+
- **Express auth router** — all endpoints pre-wired at a configurable `apiPrefix`.
129+
- **`auth.middleware()`** — JWT verification middleware accepting cookie or `Authorization: Bearer`.
130+
- **`POST /auth/register`** — optional registration endpoint via `onRegister` callback.
131+
- **`GET /auth/me`** — user profile endpoint.
132+
- **Rate limiter hook**`RouterOptions.rateLimiter` integration point.
133+
- Full TypeScript types and exported interfaces.
134+
135+
---
136+
137+
## [1.6.x and later] — Beyond this CHANGELOG
138+
139+
Refer to the [GitHub Releases](https://github.com/nik2208/node-auth/releases) page for future versions.
140+
141+
---
142+
143+
## Version History Quick Reference
144+
145+
| Version | Date | Theme |
146+
|---|---|---|
147+
| 1.0.x | 2026-02-21 | Initial release — JWT, Local, OAuth, Magic Links, SMS, TOTP |
148+
| 1.1.x | 2026-02-21–03-07 | Email verification, admin panel, metadata, RBAC, multi-tenancy, account mgmt |
149+
| 1.2.x | 2026-03-10–11 | Built-in UI, CSS theming, admin UI customization, browser client tests |
150+
| 1.3.0 | 2026-03-14 | CSRF cookie-tossing protection, Angular library, MCP tools expansion |
151+
| 1.4.x | 2026-03-17 | Headless UI mode, origin-based fetch interceptor, `__Host-` cookie path fix |
152+
| 1.5.0 | 2026-03-18 | Hybrid stateful sessions, device management API, SESSION_REVOKED loop fix |
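Review bot: the 1.5.0 "Added" entry at line 11 presents `ISessionStore` as new, but the 1.1.x section at line 97 already lists **Session management** (`ISessionStore`) as added; either 1.5.0 extends an existing interface (then it belongs under "Changed", saying what changed in the contract) or line 97 is wrong. Line 11 also promises "real-time revocation", yet line 12 says only `checkOn: 'allcalls'` validates on every request: state the default mode and note that under `'none'` or `'refresh'` a revoked session's access token stays usable until it expires. Line 15's `L1CachedSessionStore` reopens that window even in `allcalls` mode, since a cached "valid" result outlives the revocation, so document its TTL or invalidation rule next to the entry. Smaller points: the `[1.2.x]` and `[1.1.x]` headings bundle several releases into one entry, which the Keep a Changelog format cited at line 4 advises against, and the `[1.6.x and later]` section is not a release entry and reads better in the file's preamble.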

CODE_OF_CONDUCT.md

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@
22

33
## Our Pledge
44

5-
We as contributors and maintainers of **awesome-node-auth** pledge to make participation in our project and community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socioeconomic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
5+
We as contributors and maintainers of **node-auth** pledge to make participation in our project and community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socioeconomic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
66

77
## Our Standards
88
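Review bot: this hunk renames the project in the pledge from **awesome-node-auth** to **node-auth**, but the CHANGELOG.md added in the same commit still opens with "All notable changes to **awesome-node-auth**" and the Angular package stays `ng-awesome-node-auth`, so the repository now carries both names; align on one (the CHANGELOG links to github.com/nik2208/node-auth) and, since the commit message "1.5.0 - added session validation" says nothing about a rename, either mention it there or split the rename into its own commit.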

CONTRIBUTING.md

Lines changed: 1 addition & 1 deletion
@@ -19,7 +19,7 @@ src/ Library source (TypeScript)
1919
tests/ Vitest test suite
2020
wiki/ Docusaurus documentation site
2121
mcp-server/ Companion MCP server (hosted service)
22-
demo/ StackBlitz-compatible demo app
22+
demo/ Collection of demo applications (express-vanilla, nestjs, nextjs, etc.)
2323
examples/ Integration examples
2424
```
2525
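Review bot: the new line 22 describes `demo/` as holding nestjs and nextjs applications while line 23 still lists `examples/` as "Integration examples", and the CHANGELOG in this commit places the NestJS and Next.js examples under `examples/`; spell out what distinguishes a demo from an example (or which directory a contributor should add to), and replace "etc." with the actual directory names so the listing stays checkable. The "StackBlitz-compatible" wording is dropped here, so any other doc page that points readers to a StackBlitz demo needs the same update.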
