v1.0.0

Full Changelog

Added

• Allow to opt-out from sending SDK Telemetry #78 (adamjmcgrath)

Changed

• Change the default session duration to 1 day #80 (adamjmcgrath)

Fixed

• Fix case where APP_SESSION_SECRET is set and appSession is not #74 (adamjmcgrath)
• Fix cookie options case #76 (adamjmcgrath)

v0.8.1

Full Changelog

Fixed

• Remove returnTo parameter for logout #72 (joshcanhelp)

v0.8.0

Full Changelog

This release contains a breaking change for all applications. Please see the PR below for migration info.

Changed

• App session settings #68 (joshcanhelp)

v0.7.0

Full Changelog

Added

• Update TS defs for config functions #65 (joshcanhelp)
• Register Express as a peer dependency #63 (stevehobbsdev)
• Add custom state handling #60 (joshcanhelp)

Changed

• Merge seperate config schemas #57 (joshcanhelp)
• Update hapi to v16 and fix breaking changes #56 (joshcanhelp)
• Update hapi/joi to 15.x; update other deps to minor/patch #51 (joshcanhelp)

Fixed

• Additional allowed cookieOptions #53 (joshcanhelp)
• Fix TS definition for appSessionSecret #52 (joshcanhelp)
• Fix post logout redirect, add config for default #40 (balazsorban44)

v.0.6.0

Full Changelog

Breaking changes in this release:

This release includes important changes to user session and token handling which will require an update for all applications.

First, a new, required configuration key - appSessionSecret- has been added. The value here will be used to generate keys which are in turn used to encrypt the user identity returned from the identity provider. This encrypted and signed identity is stored in a cookie and used to populate the req.openid.user property, as before. This key should be set to either a secure, random value to use this built-in session or false to provide your own custom application session handling. A value for this can be generated with openssl like so:

❯ openssl rand -hex 32
f334eb9ee5898101f90047ec46f18c2f4c082f5eeef109920d6b0fc5b79b6f29

As part of these changes, a session middleware is no longer required for this library. One can be added and used for application session and tokens (see above and below, respectively) but initialization will no longer fail if one is not present.

Additionally, tokens returned from the identity provider will no longer be stored in a session middleware automatically. If your application requires access, refresh, or ID tokens to be retrieved and stored (not just the user identity), you will need to provide a method for that storage in version 0.6.0 and beyond. See our examples page for guidance.

Closed issues

• "legacySameSiteCookie" for auth config params is not yet available in the typings file. #44
• Validate configured routes #21

Added

• Add path validation #47 (joshcanhelp)
• Add typescript defs new config #46 (joshcanhelp)
• Add SameSite support #39 (joshcanhelp)
• Add custom callback handling #37 (joshcanhelp)
• Add body parser to login and callback route #33 (davidpatrick)

Changed

• Change session and token handling #42 (joshcanhelp)

v0.5.0

Full Changelog

Closed issues

• Removal of automatic refresh #11

Added

• Add configurable HTTP options #29 (joshcanhelp)
• add typescript types #27 (jbarrus)
• Add telemetry to HTTP requests #23 (joshcanhelp)
• feat: allow custom login and logout paths #14 (joshcanhelp)

Changed

• Update default leeway and re-write API documentation #30 (joshcanhelp)

v0.4.0

Full Changelog

Important note: This release bumps the minimum Node version required to ^10.13.0.

Closed issues

• GetUser #10
• Thoughts on user info endpoint? #7

Changed

• feat: bump openid-client #12 (panva)

Removed

• Remove debugging callbacks #17 (joshcanhelp)