| 1 | +# Changelog |
| 2 | + |
| 3 | +All notable changes to **awesome-node-auth** are documented in this file. |
| 4 | +Format: [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) · Versioning: [Semantic Versioning](https://semver.org/spec/v2.0.0.html). |
| 5 | + |
| 6 | +--- |
| 7 | + |
| 8 | +## [1.5.0] — 2026-03-18 |
| 9 | + |
| 10 | +### Added |
| 11 | +- **Hybrid Stateful Sessions** (`ISessionStore`) — optional server-side session tracking layered on top of JWT, enabling real-time revocation without invalidating all tokens. |
| 12 | +- **Session validation modes** — `session.checkOn: 'none' | 'refresh' | 'allcalls'`; `allcalls` validates the session on every authenticated request via the auth middleware. |
| 13 | +- **User-facing session endpoints** — `GET /auth/sessions` (list own devices) and `DELETE /auth/sessions/:handle` (revoke a device), both guarded by auth middleware and ownership check. |
| 14 | +- **Atomic session rotation** — on `POST /auth/refresh` the old session handle is revoked and a new one is issued atomically; the `sid` claim in the JWT tracks the handle. |
| 15 | +- **L1/L2 caching helpers** — `RedisSessionStore` (L2 Redis-backed) and `L1CachedSessionStore` (in-process LRU decorator) for high-throughput session validation. |
| 16 | +- **`SESSION_REVOKED` loop protection** — `auth.js` fetch interceptor and Angular HTTP interceptors now detect `code: 'SESSION_REVOKED'` on a 401 and force an immediate local logout instead of looping through refresh retries. |
| 17 | +- **`getActiveSessions()` / `revokeSession(handle)`** in `ng-awesome-node-auth` Angular service for "Manage devices" UI. |
| 18 | +- **`SessionInfo` interface** exported from the Angular library. |
| 19 | + |
| 20 | +### Changed |
| 21 | +- `auth.middleware` updated to perform real-time session validation when `checkOn: 'allcalls'` is configured. |
| 22 | +- JWT payload now includes `sid` (session ID) claim when a `sessionStore` is configured. |
| 23 | +- `auth.js` `refresh()` public method returns `false` immediately for `SESSION_REVOKED` responses. |
| 24 | + |
| 25 | +### Fixed |
| 26 | +- Infinite refresh loop: `refreshResult.success !== false` incorrectly treated `{code:'SESSION_REVOKED'}` (no `success` field) as a successful refresh. |
| 27 | +- Session expiry now reads `session.expiresIn` from `AuthConfig` rather than defaulting to a hard-coded 7-day value. |
| 28 | + |
| 29 | +--- |
| 30 | + |
| 31 | +## [1.4.2] — 2026-03-17 |
| 32 | + |
| 33 | +### Fixed |
| 34 | +- `__Host-` cookies require `Path=/` per the RFC; the refresh-token cookie path was incorrect under certain route prefixes, causing browsers to reject it. |
| 35 | +- Added integration tests for `__Host-` / `__Secure-` cookie path compliance. |
| 36 | + |
| 37 | +--- |
| 38 | + |
| 39 | +## [1.4.1] — 2026-03-17 |
| 40 | + |
| 41 | +### Changed |
| 42 | +- `auth.js` fetch interceptor switched from path-prefix matching to **origin-based credential matching**, preventing credential leakage to unrelated origins (e.g., a LiteLLM proxy on a different port). |
| 43 | + |
| 44 | +### Fixed |
| 45 | +- `auth.js` was inadvertently intercepting requests to third-party origins when running alongside a Docusaurus wiki or AI proxy on the same page. |
| 46 | + |
| 47 | +--- |
| 48 | + |
| 49 | +## [1.4.0] — 2026-03-17 |
| 50 | + |
| 51 | +### Added |
| 52 | +- **Headless UI mode** (`ui.headless: true`) — the built-in UI router serves `auth.js` and CSS assets but returns 404 for HTML pages; ideal for SPAs and wiki integrations that provide their own UI. The `/config` endpoint includes `headless: true` for the client to detect the mode. |
| 53 | +- `window.AwesomeNodeAuth` singleton with a public `refresh()` API, exposing token refresh to external scripts without re-entrant loops. |
| 54 | + |
| 55 | +--- |
| 56 | + |
| 57 | +## [1.3.0] — 2026-03-14 |
| 58 | + |
| 59 | +### Added |
| 60 | +- **CSRF cookie-tossing protection** — CSRF cookie now uses `__Host-` prefix (`__Secure-` when `secure` is true but running under a subdomain), preventing subdomain cookie-tossing attacks. |
| 61 | +- **`ng-awesome-node-auth` Angular library** — first official Angular integration guide with `AuthService`, `authInterceptor` (CSRF + refresh queue), `APP_INITIALIZER`, and SSR support. |
| 62 | +- **Built-in UI documentation** — comprehensive reference for the zero-dependency HTML/CSS/JS login UI. |
| 63 | +- **Admin panel platform settings** — configurable per-platform feature flags exposed through the admin UI. |
| 64 | +- MCP server tools: `get_mailer_integration`, `get_sms_integration`, `get_ui_customization`, `get_email_templates`, `get_ng_awesome_node_auth`. |
| 65 | + |
| 66 | +### Fixed |
| 67 | +- `__Host-` / `__Secure-` CSRF and access-token cookie prefix handling in `auth.js`, Angular interceptors, and MCP server. |
| 68 | + |
| 69 | +--- |
| 70 | + |
| 71 | +## [1.2.x] — 2026-03-10 to 2026-03-11 |
| 72 | + |
| 73 | +### Added |
| 74 | +- **Built-in UI** (`<apiPrefix>/ui/`) — zero-dependency HTML/CSS/JS login, register, forgot-password, and reset-password pages served directly by the library. |
| 75 | +- Live preview and full customization of the built-in UI (background color, card color, logo, background image) via the admin panel. |
| 76 | +- CSS custom properties (`--auth-bg-color`, `--auth-card-bg`, etc.) for theme overrides. |
| 77 | +- Spinner and improved loading states in the built-in login page. |
| 78 | +- 87 unit tests for `auth.js` browser client API. |
| 79 | +- `window.AwesomeNodeAuth` documented browser client API. |
| 80 | + |
| 81 | +### Fixed |
| 82 | +- `refreshToken` path auto-derivation now works correctly relative to `apiPrefix`. |
| 83 | +- Admin UI XSS/escape bug in dashboard string interpolation. |
| 84 | +- Asset loading and auth routing prefix hierarchy. |
| 85 | + |
| 86 | +--- |
| 87 | + |
| 88 | +## [1.1.x] — 2026-02-21 to 2026-03-07 |
| 89 | + |
| 90 | +### Added |
| 91 | +- **Email verification** — three modes: `none` (disabled), `lazy` (grace period configurable), `strict` (login blocked until verified). |
| 92 | +- **Change email** — `PATCH /auth/change-email` with re-verification flow. |
| 93 | +- **Change password** — `PATCH /auth/change-password`. |
| 94 | +- **Admin panel** — HTML-based admin dashboard at `/admin/` with user listing, filtering, pagination, batch operations, and per-user detail view; tabs for metadata, roles, tenants, linked accounts, API keys, webhooks. |
| 95 | +- **User metadata** (`IUserMetadataStore`) — arbitrary per-user key/value store surfaced in `/me` and admin panel. |
| 96 | +- **Roles & permissions** (`IRolesPermissionsStore`) — RBAC with optional tenant scope; roles/permissions returned in `/me`. |
| 97 | +- **Session management** (`ISessionStore`) — interface for listing and revoking sessions; optional `POST /auth/sessions/cleanup` for cron-based expiry. |
| 98 | +- **Multi-tenancy** (`ITenantStore`) — isolated multi-tenant applications with tenant-scoped roles. |
| 99 | +- **Account deletion** — `DELETE /auth/account` self-service endpoint with full cleanup hooks. |
| 100 | +- **CSRF protection** — double-submit cookie pattern, opt-in via `csrf.enabled`. |
| 101 | +- **Bearer token strategy** — `X-Auth-Strategy: bearer` header enables JSON body token delivery instead of HttpOnly cookies. |
| 102 | +- **Custom JWT claims** — `buildTokenPayload` callback for injecting project-specific claims. |
| 103 | +- **Provider parameter in mailer** — pass the auth provider to email templates. |
| 104 | +- `IUserStore.updateLastLogin()` optional method. |
| 105 | +- Rate limiter support on `GET /me` and other sensitive endpoints via `RouterOptions.rateLimiter`. |
| 106 | +- NestJS, Next.js, MySQL/MariaDB, and MongoDB integration examples in `examples/`. |
| 107 | + |
| 108 | +### Fixed |
| 109 | +- Admin dashboard HTML interpolation escaping. |
| 110 | +- Refresh token cookie path bug. |
| 111 | +- Login verification issues distinguishing SMS/magic-link direct login from 2FA mode. |
| 112 | +- `deleteUser` implementation. |
| 113 | + |
| 114 | +--- |
| 115 | + |
| 116 | +## [1.0.x] — 2026-02-21 |
| 117 | + |
| 118 | +### Added (Initial Release) |
| 119 | +- **Core JWT authentication** — access + refresh token pair, HttpOnly cookie delivery. |
| 120 | +- **Local strategy** — email/password login with bcrypt hashing. |
| 121 | +- **Password reset** — `POST /auth/forgot-password` + `POST /auth/reset-password` with time-limited tokens. |
| 122 | +- **OAuth 2.0** — Google and GitHub strategies; `GenericOAuthStrategy` base class for custom providers; `success_redirect_path` in OAuth state. |
| 123 | +- **Magic links** — passwordless email login; first magic-link also counts as email verification. |
| 124 | +- **SMS OTP** — phone-number verification via one-time codes. |
| 125 | +- **TOTP 2FA** — time-based OTP compatible with Google Authenticator / Authy; `require2FA` flag per user. |
| 126 | +- **`IUserStore` interface** — single decoupling point to any database. |
| 127 | +- **`MailerService`** — HTTP transport mailer with Italian and English templates for password reset, magic links, email verification. |
| 128 | +- **Express auth router** — all endpoints pre-wired at a configurable `apiPrefix`. |
| 129 | +- **`auth.middleware()`** — JWT verification middleware accepting cookie or `Authorization: Bearer`. |
| 130 | +- **`POST /auth/register`** — optional registration endpoint via `onRegister` callback. |
| 131 | +- **`GET /auth/me`** — user profile endpoint. |
| 132 | +- **Rate limiter hook** — `RouterOptions.rateLimiter` integration point. |
| 133 | +- Full TypeScript types and exported interfaces. |
| 134 | + |
| 135 | +--- |
| 136 | + |
| 137 | +## [1.6.x and later] — Beyond this CHANGELOG |
| 138 | + |
| 139 | +Refer to the [GitHub Releases](https://github.com/nik2208/node-auth/releases) page for future versions. |
| 140 | + |
| 141 | +--- |
| 142 | + |
| 143 | +## Version History Quick Reference |
| 144 | + |
| 145 | +| Version | Date | Theme | |
| 146 | +|---|---|---| |
| 147 | +| 1.0.x | 2026-02-21 | Initial release — JWT, Local, OAuth, Magic Links, SMS, TOTP | |
| 148 | +| 1.1.x | 2026-02-21–03-07 | Email verification, admin panel, metadata, RBAC, multi-tenancy, account mgmt | |
| 149 | +| 1.2.x | 2026-03-10–11 | Built-in UI, CSS theming, admin UI customization, browser client tests | |
| 150 | +| 1.3.0 | 2026-03-14 | CSRF cookie-tossing protection, Angular library, MCP tools expansion | |
| 151 | +| 1.4.x | 2026-03-17 | Headless UI mode, origin-based fetch interceptor, `__Host-` cookie path fix | |
| 152 | +| 1.5.0 | 2026-03-18 | Hybrid stateful sessions, device management API, SESSION_REVOKED loop fix | |
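Review bot: the 1.3.0 `CSRF cookie-tossing protection` entry overstates what the `__Secure-` fallback buys you. The `__Secure-` prefix only requires the `Secure` attribute, so a sibling subdomain can still set a `__Secure-`-prefixed cookie with a `Domain` attribute that tosses onto the shared parent domain; only the `__Host-` prefix (Secure, no `Domain`, `Path=/`) actually blocks subdomain cookie-tossing. Suggest rewording to say the protection holds only in the `__Host-` configuration and that the subdomain fallback still depends on the double-submit token comparison introduced in 1.1.x. Two smaller documentation points in the same file: the 1.4.2 entry `__Host- cookies require Path=/ per the RFC` should name the RFC it means (the prefix rules are specified in the RFC 6265bis revision of the cookie spec, not RFC 6265 itself), and the 1.5.0 `Infinite refresh loop` fix names the faulty predicate `refreshResult.success !== false` but not the corrected one; stating the new check (for example `success === true`) lets readers confirm that other 401 bodies without a `success` field are no longer treated as a successful refresh.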