v1.7.0 (2022-01-06)
Added
- Include message body in 302 responses #564 (michielvangendt)
Fixed
- Honor configured sameSite in transient cookies so you can login to iframe using 'none' #571 (adamjmcgrath)
- Cookies with samesite=none must have the secure attr set #570 (adamjmcgrath)
- Improve types in server-side withPageAuthRequired #554 (misoton665)
v1.6.2 (2021-12-16)
Fixed
- Fix issue where error reporting wrong instanceof #543 (adamjmcgrath)
Security
- Enforce configured host on user supplied returnTo #557 (adamjmcgrath)
v1.6.1 (2021-10-13)
Fixed
v1.6.0 (2021-10-11)
Added
- [SDK-2818] Export error classes #508 (adamjmcgrath)
- [SDK-2529] Add ability to pass custom params to refresh grant and code exchange #507 (adamjmcgrath)
- [SDK-2813] Add afterRefresh hook #506 (adamjmcgrath)
Fixed
1.5.0 (2021-07-14)
Added
1.4.2 (2021-06-24)
Fixed
- Fix reflected XSS from the callback handler's error query parameter CVE-2021-32702 (adamjmcgrath)
1.4.0 (2021-06-03)
Added
- withPageAuthRequired CSR now adds user to wrapped component props #405 (adamjmcgrath)
Fixed
- Env var substitution now means you can define AUTH0_BASE_URL from VERCEL_URL in next.config.js #404 (adamjmcgrath)
1.3.1 (2021-05-05)
Fixed
- Use window.location.toString() as the default returnTo value #370 (Widcket)
- returnTo should be encoded as it contains url unsafe chars #365 (adamjmcgrath)
1.3.0 (2021-03-26)
Added
- Organizations support #343 (adamjmcgrath)
1.2.0 (2021-03-10)
Added
- Export UserContext for overriding default hook initialisation behaviour #325 (adamjmcgrath)
Fixed
1.1.0 (2021-02-24)
Added
Fixed
- Chunked cookies should not exceed browser max #301 (adamjmcgrath)
- Cleanup unused cookies when switching between chunked and unchunked #303 (adamjmcgrath)
- New tokens should be applied to existing session after handleProfile #307 (adamjmcgrath)
1.0.0 (2021-02-15)
New features
- New suite of frontend tools:
  - useUser hook and UserProvider to simplify checking and managing the user’s logged in state on the client.
  - withPageAuthRequired higher order component to protect client side routes.
- New handleAuth feature to reduce the amount of boilerplate required to set up the server side authentication handlers.
- Simpler server side API where creation of an SDK instance is handled by the SDK.
Breaking changes
For a full list of breaking changes and a migration guide, check out the V1_MIGRATION_GUIDE.md
1.0.0-beta.2 (2021-02-11)
Additions
- Added afterRefetch hook option to handleProfile to modify the session after refetching it.
1.0.0-beta.1 (2021-02-03)
Additions
- Added a new way to configure the custom profile url. Now it can be configured with an environment variable as well.
Changes
- The way to configure the custom login url has changed. Instead of passing it in every call to withPageAuthRequired now it can be configured with an environment variable.
- The Vercel configuration docs have been updated with the latest guidance.
Fixes
- Fixed a logout issue related to custom IdPs.
1.0.0-beta.0 (2021-01-14)
Install
npm install @auth0/nextjs-auth0@beta
New features
- New suite of frontend tools:
  - useUser hook and UserProvider to simplify checking and managing the user’s logged in state on the client.
  - withPageAuthRequired higher order component to protect client side routes.
- New handleAuth feature to reduce the amount of boilerplate required to set up the server side authentication handlers.
- Simpler server side API where creation of an SDK instance is handled by the SDK.
Breaking changes
For a full list of breaking changes and a migration guide, check out the V1_MIGRATION_GUIDE.md
Changes
- AggregateError#message from Issuer.discover includes stack trace #236 (adamjmcgrath)
- Prevent caching the /me request #233 (adamjmcgrath)
- Added error handling to useUser [SDK-2236] #229 (Widcket)
- Rename loading to isLoading #222 (Widcket)
- Prepare application to be deployable with Vercel #218 (frederikprijck)
- Added withCSRAuthRequired HOC [SDK-2120] #209 (Widcket)
- [SDK-2057] Express mw tests #191 (adamjmcgrath)
- Add withAuth HOC [SDK-2120] #189 (Widcket)
- Add frontend hook tests [SDK-2117] #188 (Widcket)
- Add frontend hook CH: Added #187 (Widcket)
v0.16.0 (2020-08-19)
- Updating dependencies with security issues
- Added the ability to force refreshing the access_token (#147)
v0.15.0 (2020-07-13)
- Improve redirect URI validation when double forward slashes are provided (commit)
- Fix double encoding issue of postLogoutRedirectUri when using a different OIDC IdP (#127)
- Keep previously set cookies in the callbackHandler (#133)
v0.14.0 (2020-07-08)
- Allow overriding the returnTo setting when signing out a user (in the logoutHandler)
v0.13.0 (2020-05-15)
- Updated handlers to use NextApiRequest and NextApiResponse
- Automatically redirect to what is provided in the redirectTo querystring parameter, eg: /api/login?redirectTo=/profile
v0.12.0 (2020-05-11)
- Support end_session_endpoint (#102)
- Allow full control over the state generation
- Allow full control over the session creation
v0.11.0 (2020-03-31)
- Make options optional in handlers (#78)
- Add domain when clearing cookie (#79)
- Add redirectTo support (#81)
v0.10.0 (2020-01-10)
- Add support to refetch the user in the profile handler.
v0.9.0 (2020-01-08)
- Make options on the login handler optional
v0.8.0 (2020-01-08)
- Improved TypeScript types
- Added support to automatically refresh access tokens
v0.7.0 (2019-12-18)
- Add support for SameSite and set to Lax by default to mitigate CSRF attacks.
v0.6.0 (2019-12-18)
- Add support for the cookieDomain option which allows you to share the session across subdomains.
- Fix the interface for the handleLogin method.
- Support sending a custom state to Auth0.
v0.5.0 (2019-10-14)
- Added support for custom authorization parameters in the Login handler
v0.4.0 (2019-10-10)
- Rename the httpClient to oidcClient setting to support more OIDC related settings.
- Added support for id_token leeway for when the time on your server is running behind on Auth0.
- Improve handling of Secure cookies. Don't force Secure cookies when running on localhost (to fix issues related to next start)
v0.3.0 (2019-10-09)
- Fixed issue related to audience not being passed to the /authorize request
- Rename useAuth0 to initAuth0 to clear any confusion about React Hooks (this SDK does not provide a hook)
- Added a new handler to require authentication on API routes.
v0.2.0 (2019-09-25)
- Added support for storeRefreshToken to persist the refresh_token in the session
- Added prettier
- Removed the need for build time configuration
v0.1.0 (2019-09-17)
Initial release.