- Fix a race when quickly refreshing a page or using redirects that refresh the page.
-
Expose function reference types
SignInAction
andSignOutAction
for the benefit of other client implementations (Svelte, Solid, etc.). As with all APIs in the library these are not stable and may change until this library reaches 1.0. -
Add a platform check in the recommended
ConvexAuthProvider
use for React Native in docs. -
Fix auth refresh silent failure for React Native. This has been a slippery issue, if you use Convex Auth in a React Native app please let us know if this fixes for you.
-
Add support for custom OAuth callback and sign-in URLs
-
Next.js middleware function
isAuthenticated
fails more loudly; previously it returned false in the case of a Convex backend that didn't expose an endpoint calledauth:isAuthenticated
, now it throws an error. This should help people with the migration required for 0.0.76.
- Fix syntax of an import to work with convex-test.
-
BREAKING: A change in the logic for isAuthenticated for Next.js: it now involves a server-side check. Update your auth.ts file by adding a new
isAuthenticated
endpoint to the list of exported Convex functions, likeexport const { auth, signIn, signOut, store, isAuthenticated } = convexAuth(...
If you're not using Next.js, you should still add this named export as it's the new suggested set of publicly exposed endpoints, but nothing should break if you don't.
-
Potentially breaking: For NextJS, switched to
path-to-regexp
6.3.0 to avoid ReDoS vulnerability. That version, while protected from the vulnerability, has less expressive RegEx pattern support. If you are usingcreateRouteMatcher
in middleware, it might not match some patterns that were previously available in the 0.7.x series. See the docs for supported patterns: https://www.npmjs.com/package/path-to-regexp/v/6.3.0. -
Upgraded to
@auth/core
0.37.3. You may need upgrade @auth/core to "~0.37.3". -
Updated OAuth integration docs for supported providers (available at https://labs.convex.dev/auth/config/oauth).
- BREAKING:
convexAuthNextjsToken()
andisAuthenticatedNextjs()
now return promises so must beawait
ed. - Support for Next.js 15.
- Update convex peer dependency to ^1.17.0
- Fix to header propagation in Next.js middleware
- Update Password provider to separate password requirement validation from
custom profile information
- Breaking If using Password with a custom profile to enforce password
requirements, you must now implement
validatePasswordRequirements
- Breaking If using Password with a custom profile to enforce password
requirements, you must now implement
- Update implementation of refresh tokens reuse Note: After upgrading to
this version, downgrading will require migrating the
authRefreshTokens
table to drop theparentRefreshTokenId
field. - Add configuration for cookie age in Next.js middleware
- Upgrade + pin
@auth/core
to 0.36.0 to avoid issues with mismatched types
- Fix bug with setting auth cookies on Next.js response
- Improve error handling when calling Convex auth functions from Next.js
- Add a 10s reuse window for refresh tokens
Note: After upgrading to this version, downgrading will require migrating
the authRefreshTokens
table to drop the firstUsedTime
field.
- Fix exported type for
signIn
fromconvexAuth
- [Next.js] Propagate auth cookies in middleware follow up
- Introduce
convexAuth.isAuthenticated()
andconvexAuth.getToken()
in favor ofisAuthenticatedNextJs()
andconvexAuthNextJsToken()
for middleware.
- [Next.js] Propagate auth cookies in middleware
- [Next.js] Match auth routes to proxy to Convex with and without trailing slash
- Add verbose logging to Next.js middleware
- Fix issue with re-entrant
fetchAccessToken
with a mutex
Previous versions are documented in git history.