Releases: ForbesLindesay/authentication
@authentication/[email protected]
Bug Fixes
- The SSL check was backwards, preventing this lib from being used in production. (#22)
@authentication/[email protected]
New Features
- The `email` is now available as part of the state while on the pass code entry form (#19)
@authentication/[email protected]
Breaking Changes
- The primary export is now a "hook" instead of a component expecting render props (#18). If you prefer a component with render props you can import `@authentication/react-passwordless/DefaultForm`. The structure of the data passed to render props has been completely re-thought though.
- The methods for calling the backend have been updated to work with the new version of `@authentication/passwordless` and are not compatible with the old version. (#18)
@authentication/[email protected]
Breaking Changes
- Renamed the `Store` TypeScript interface to `RateLimitStore` (#17)
- Removed support for stores with "transactions" (#17). They were often implemented incorrectly, which can lead to security vulnerabilities. It is much safer to enforce that optimistic concurrency is used.
New Features
- Added the `tryConsume` method that returns an object indicating the result of consuming the token, rather than throwing an error. (#18)
Bug Fixes
- Added type for the default export of `@authentication/rate-limit/bucket` and `@authentication/rate-limit/exponential` (#18)
@authentication/[email protected]
Performance Improvements
- remove unused dependencies (#20)
@authentication/[email protected]
Breaking Changes
- The token schema has changed (#18). Tokens now look like:

```typescript
export default interface Token<State = void> {
  userID: string;
  /**
   * An incrementing integer used for optimistic concurrency
   */
  version: number;
  /**
   * The pass code, that gets sent in the e-mail and entered by
   * the user (or appears as the `code` parameter in "magic" link)
   */
  passCode: string;
  /**
   * The number of attempts remaining before the token is disposed of.
   */
  attemptsRemaining: number;
  /**
   * The time this token was created, represented as milliseconds since
   * the unix epoch.
   */
  created: number;
  /**
   * The time this token expires, represented as milliseconds since the
   * unix epoch.
   */
  expiry: number;
  /**
   * Some arbitrary state of your choice. This is a good place to store a
   * redirect URI for after the authentication is complete.
   */
  state: State;
}
```

  It is very important that you always check `token.version` when performing update operations, in order to prevent a malicious attacker making more than the expected number of attempts at a single token.
- It is now only possible to use the namespaced version of the `Store` (#18). The type for the store is now:

```typescript
export interface TokensStore<State = undefined> {
  insert(token: Token<State>): Promise<string>;
  load(tokenID: string): Promise<Token<State> | null>;
  update(
    tokenID: string,
    token: Token<State>,
    oldToken: Token<State>,
  ): Promise<void>;
  remove(tokenID: string): Promise<void>;
}
export default interface PasswordlessStore<State = undefined> {
  tokens: TokensStore<State>;
  rateLimit: RateLimitStore<string>;
}
```

- `createToken` now requires `{userID, ipAddress, state, sendTokenToUser}` as input instead of an express request/response pair. It returns the response expected by react-passwordless, and only gives the secret pass code to the `sendTokenToUser` function. (#18)
- `verifyPassCode` has been split into `verifyPassCode` and `verifyPassCodeFromRequest` (#18). Both functions need to be given both the `tokenID` and the `passCode`, as cookies are no longer used to store the `tokenID`. `verifyPassCodeFromRequest` can accept either an express request or a koa context object.
- Removed support for stores with "transactions" (#17). They were often implemented incorrectly, which can lead to security vulnerabilities. It is much safer to enforce that optimistic concurrency is used.
Performance Improvements
- `passCodes` are no longer hashed before storage because it was expensive and they are short-lived tokens anyway. (#18) This allows us to drop a costly native dependency, and reduces the load on your server considerably.
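The `update(tokenID, token, oldToken)` signature exists so that a store can reject a write based on a stale copy of the token, which is what keeps the attempt counter honest under concurrent guesses. As an added example that is not part of the `@authentication` packages, here is an assumed in-memory `TokensStore` whose `update` compares `oldToken.version` with the stored version, together with a `consumeAttempt` helper showing how one verification attempt uses it; `MemoryTokensStore`, `VersionConflict` and `consumeAttempt` are names chosen for this illustration, and the `rateLimit` half of `PasswordlessStore` is left out.

```typescript
import { randomBytes, timingSafeEqual } from "crypto";

// Token shape copied from the release notes above.
interface Token<State = undefined> {
  userID: string;
  version: number; // incremented on every successful update
  passCode: string;
  attemptsRemaining: number;
  created: number;
  expiry: number;
  state: State;
}
class VersionConflict extends Error {}
// Assumed in-memory TokensStore for illustration; not the library's own code.
class MemoryTokensStore<State = undefined> {
  private tokens = new Map<string, Token<State>>();
  async insert(token: Token<State>): Promise<string> {
    const tokenID = randomBytes(16).toString("hex");
    this.tokens.set(tokenID, { ...token });
    return tokenID;
  }
  async load(tokenID: string): Promise<Token<State> | null> {
    const t = this.tokens.get(tokenID);
    return t ? { ...t } : null;
  }
  async update(tokenID: string, token: Token<State>, oldToken: Token<State>): Promise<void> {
    const current = this.tokens.get(tokenID);
    // Optimistic concurrency: the write lands only if nobody updated the token
    // since oldToken was loaded, so two racing guesses cannot share one attempt.
    if (!current || current.version !== oldToken.version) {
      throw new VersionConflict(`token ${tokenID} was modified concurrently`);
    }
    this.tokens.set(tokenID, { ...token, version: oldToken.version + 1 });
  }
  async remove(tokenID: string): Promise<void> {
    this.tokens.delete(tokenID);
  }
}
// One verification attempt against a token the caller already loaded.
async function consumeAttempt<State>(
  store: MemoryTokensStore<State>, tokenID: string, loaded: Token<State>, guess: string,
): Promise<"ok" | "wrong" | "exhausted"> {
  const a = Buffer.from(loaded.passCode), b = Buffer.from(guess);
  if (a.length === b.length && timingSafeEqual(a, b)) { await store.remove(tokenID); return "ok"; }
  const remaining = loaded.attemptsRemaining - 1;
  if (remaining <= 0) { await store.remove(tokenID); return "exhausted"; }
  await store.update(tokenID, { ...loaded, attemptsRemaining: remaining }, loaded);
  return "wrong";
}
```

A caller that receives `VersionConflict` should report the attempt as failed rather than retry it, since another request has already spent that attempt.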
@authentication/[email protected]
Breaking Changes
- `@authentication/generate-passcode/Encoding` now has a default export, rather than a named export. (#18)
@authentication/[email protected]
Breaking Changes
- Add support for using the `BASE_URL` or `BASE_URI` environment variable to specify the app's hostname in production. (#16)
@authentication/[email protected]
Breaking Changes
- Add support for using the `BASE_URL` or `BASE_URI` environment variable to specify the app's hostname in production. (#16)
@authentication/[email protected]
New Features
- Initial release (#16)