All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning
- Added the OAuth2Provider recipe
- Now only supporting FDI 3.1 and 4.0 (Node >= 21.0.0)
- Added a new
shouldTryLinkingToSessionUserflag to sign in/up related function inputs:- No action is needed if you are not using MFA/session based account linking.
- If you are implementing MFA:
- Plase set this flag to
false(or leave as undefined) during first factor sign-ins - Please set this flag to
truefor secondary factors. - Please forward this flag to the original implementation in any of your overrides.
- Plase set this flag to
- Changed functions:
EmailPassword.signIn,EmailPassword.signUp: both override and callable functionsThirdParty.getAuthorisationURLWithQueryParamsAndSetState: both override and callable functionPasswordless:- Functions overrides:
consumeCode,resendCode,createCode,setLoginAttemptInfo,getLoginAttemptInfo - Calling
createCodeandsetLoginAttemptInfotake this flag as an optional input (it defaults to false)
- Functions overrides:
- Changed the default implementation of
getTenantIdto default to thetenantIdquery parameter (if present) then falling back to the public tenant instead of always defaulting to the public tenant - We now disable session based account linking in the magic link based flow in passwordless by default
- This is to make it function more consistently instead of only working if the link was opened on the same device
- You can override by overriding the
consumeCodefunction in the Passwordless Recipe (see in the Migration guide section below for more information)
You can re-enable linking by overriding the consumeCode function in the passwordless recipe and setting shouldTryLinkingToSessionUser to true.
Passwordless.init({
override: {
functions: (original) => {
return {
...original,
consumeCode: async (input) => {
// Please note that this is means that the session is required and will cause an error if it is not present
return original.consumeCode({ ...input, shouldTryLinkingWithSessionUser: true });
},
};
},
},
});- Changes bundle file names to include a hash.
- Removes the default
maxAgeInSecondsvalue (previously 300 seconds) in EmailVerification Claim. If the claim value is true andmaxAgeInSecondsis not provided, it will not be refreshed.
- Removed ThirdPartyEmailPassword and ThirdPartyPasswordless recipes
- Dropped support for FDI version 1.X
- Added support for FDI version 2.0 and 3.0
- Removed
createCode,resendCodeandconsumeCodefrom the exports ofrecipe/passwordless/utils - Added the
SESSION_ALREADY_EXISTSevent to the session recipe. This is used by our pre-built UI.
-
If you were using
ThirdPartyEmailPassword, you should now initThirdPartyandEmailPasswordrecipes separately. The config for the individual recipes are mostly the same, except the syntax may be different. Check our recipe guides for ThirdParty and EmailPassword for more information. -
If you were using
ThirdPartyPasswordless, you should now initThirdPartyandPasswordlessrecipes separately. The config for the individual recipes are mostly the same, except the syntax may be different. Check our recipe guides for ThirdParty and Passwordless for more information.
The shouldDoInterceptionBasedOnUrl function now returns true:
- If sessionTokenBackendDomain is a valid subdomain of the URL's domain. This aligns with the behavior of browsers when sending cookies to subdomains.
- Even if the ports of the URL you are querying are different compared to the apiDomain's port ot the sessionTokenBackendDomain port (as long as the hostname is the same, or a subdomain of the sessionTokenBackendDomain): #217
- Reduced the number of unnecessary email verification checks by fixing the default values for
refetchTimeOnFalseInSecondsandmaxAgeInSeconds
With this release, we are introducing MultiFactorAuthentication and TOTP, this will let you:
- require (2FA or MFA) during sign in
- make use of our TOTP
Check our guide for more information.
- Added support for FDI 1.19 (Node SDK>= 17.0.0), but keeping support FDI version 1.17 and 1.18 (node >= 15.0.0, golang>=0.13, python>=0.15.0)
- Added the
MultiFactorAuthandTOTPrecipes. To start using them you'll need compatible versions:- Core>=8.0.0
- supertokens-node>=17.0.0
- supertokens-website>=18.0.0
- supertokens-web-js>=0.10.0
- supertokens-auth-react>=0.39.0
- Added
firstFactorsinto the return type ofgetLoginMethodsand removed the enabled flags of different login methods.- For older FDI versions, the firstFactors array will be calculated based on those enabled flags.
- Renamed
validatorIdin claim validation errors toidto match the backend SDKs
If you used to use the enabled flags in getLoginMethods:
Before:
async function checkLoginMethods() {
const loginMethods = await Multitenancy.getLoginMethods();
if (loginMethods.thirdParty.enabled) {
// custom logic
}
if (loginMethods.emailPassword.enabled) {
// custom logic
}
if (loginMethods.passwordless.enabled) {
// custom logic
}
}After:
async function checkLoginMethods() {
const loginMethods = await Multitenancy.getLoginMethods();
if (loginMethods.firstFactors.includes("thirdparty")) {
// custom logic
}
if (loginMethods.firstFactors.includes("emailpassword")) {
// custom logic
}
if (
loginMethods.firstFactors.includes("otp-email") ||
loginMethods.firstFactors.includes("otp-phone") ||
loginMethods.firstFactors.includes("link-email") ||
loginMethods.firstFactors.includes("link-phone")
) {
// custom logic
}
}If you used to use the validatorId prop of validationErrors, you should now use id instead.
Before:
async function checkValidators() {
const validationErrors = await Session.validateClaims();
for (const error of validationErrors) {
console.log(error.validatorId, error.reason);
}
}After:
async function checkValidators() {
const validationErrors = await Session.validateClaims();
for (const error of validationErrors) {
console.log(error.id, error.reason);
}
}- Added
dateprovider.jsbundle file to enable importingDateProvidervia a script tag
- The default
DateProviderimplementation relies onlocalStorage. If your environment lacks support forlocalStorage, you must provide custom implementations for either theDateProviderorlocalStorage.
EmailVerificationClaimnow usesDateProviderto account for clock skew.- Exporting the
DateProviderfrom supertokens-website, that both built-in and custom validators can use instead ofDate.nowto get an estimate of the server clock. - Added the
dateProviderprop to the configuration that can be used to customize the built-inDateProvider. - Added
calculateClockSkewInMillisas an overrideable function to the Session recipe that estimates the time difference between the backend and the client. - Fix "MultiTenancy not initialized" error being thrown instead of "SuperTokens not initialized" when calling recipe methods directly without initializing SuperTokens first.
With this release, we are introducing AccountLinking, this will let you:
- link accounts automatically,
- implement manual account linking flows.
Check our guide for more information.
To use this you'll need compatible versions:
- Core>=7.0.0
- supertokens-node>=16.0.0 (support is pending in other backend SDKs)
- supertokens-website>=17.0.3
- supertokens-web-js>=0.8.0
- supertokens-auth-react>=0.35.0
- Added support for FDI 1.18 (Node SDK>= 16.0.0), but keeping support FDI version1.17 (node >= 15.0.0, golang>=0.13, python>=0.15.0)
- User type has changed across recipes and functions: recipe specific user types have been removed and replaced by a generic one that contains more information
createdNewUserhas been renamed tocreatedNewRecipeUsercreateCode,consumeCode,createPasswordlessCodeandconsumePasswordlessCodecan now return status:SIGN_IN_UP_NOT_ALLOWEDsignInAndUpandthirdPartySignInAndUpcan now return new status:SIGN_IN_UP_NOT_ALLOWEDsendPasswordResetEmailcan now returnstatus: "PASSWORD_RESET_NOT_ALLOWED"signInandemailPasswordSignIncan now returnSIGN_IN_NOT_ALLOWEDsignUpandemailPasswordSignUpcan now returnSIGN_UP_NOT_ALLOWED
We've added a generic User type instead of the old recipe specific ones. The mapping of old props to new in case you are not using account-linking:
user.idstaysuser.iduser.emailbecomesuser.emails[0]user.phoneNumberbecomesuser.phoneNumbers[0]user.thirdPartybecomesuser.thirdParty[0]user.timeJoinedis stilluser.timeJoineduser.tenantIdsis stilluser.tenantIds
- When calling passwordless consumeCode / social login signinup APIs, you can check if a user signed up by:
// Here res refers to the result the function/api functions mentioned above.
const isNewUser = res.createdNewRecipeUser && res.user.loginMethods.length === 1;
- When calling the emailpassword sign up API, you can check if a user signed up by:
const isNewUser = res.user.loginMethods.length === 1;
- Fixed
clientTypeusage inthirdpartypasswordless
- Fixed
clientTypeusage inthirdpartyemailpasswordandthirdpartypasswordless
- Removed unused tenant id param from
isEmailVerifiedandsendVerificationEmailrequests
- Multitenancy recipe
- Added an overrideable
getTenantIdFromURLto multiple recipes - Optional
clientTypeconfig in the input forSuperTokens.initfunction, that is used by thirdparty and multitenancy recipes.
- Only supporting FDI 1.17
- Backend SDKs have to be updated first to a version that supports multi-tenancy for thirdparty
- supertokens-node: >= 15.0.0
- supertokens-golang: >= 0.13.0
- supertokens-python: >= 0.15.0
- In ThirdParty recipe,
- Changed signatures of the functions
getAuthorisationURLWithQueryParamsAndSetState - Removed functions -
setStateAndOtherInfoToStorage,getAuthorisationURLFromBackend,generateStateToSendToOAuthProvider,verifyAndGetStateOrThrowError,getAuthCodeFromURL,getAuthErrorFromURL,getAuthStateFromURL
- Changed signatures of the functions
- In ThirdPartyEmailpassword recipe,
- Changed signatures of the functions
getAuthorisationURLWithQueryParamsAndSetState - Removed functions -
setStateAndOtherInfoToStorage,getAuthorisationURLFromBackend,generateStateToSendToOAuthProvider,verifyAndGetStateOrThrowError,getAuthCodeFromURL,getAuthErrorFromURL,getAuthStateFromURL
- Changed signatures of the functions
- In ThirdPartyPasswordless recipe,
- Changed signatures of the functions
getThirdPartyAuthorisationURLWithQueryParamsAndSetState - Removed functions -
setThirdPartyStateAndOtherInfoToStorage,getAuthorisationURLFromBackend,generateThirdPartyStateToSendToOAuthProvider,verifyAndGetThirdPartyStateOrThrowError,getThirdPartyAuthCodeFromURL,getThirdPartyAuthErrorFromURL,getThirdPartyAuthStateFromURL
- Changed signatures of the functions
- Updates dependencies and backend config for the vue with-thirdpartyemailpassword example app
Before:
const authUrl = await ThirdPartyEmailPassword.getAuthorisationURLWithQueryParamsAndSetState({
providerId: "google",
authorisationURL: `${websiteDomain}/auth/callback/google`,
});
After:
const authUrl = await ThirdPartyEmailPassword.getAuthorisationURLWithQueryParamsAndSetState({
thirdPartyId: "google",
frontendRedirectURI: `${websiteDomain}/auth/callback/google`,
});
Before:
const authUrl = await ThirdPartyEmailPassword.getAuthorisationURLWithQueryParamsAndSetState({
providerId: "apple",
authorisationURL: `${websiteDomain}/auth/callback/apple`,
});
After:
const authUrl = await ThirdPartyEmailPassword.getAuthorisationURLWithQueryParamsAndSetState({
thirdPartyId: "apple",
frontendRedirectURI: `${websiteDomain}/auth/callback/apple`,
redirectURIOnProviderDashboard: `${apiDomain}/auth/callback/apple`
});
- Re-export getGlobalClaimValidators function from supertokens-website
- Re-export PrimitiveArrayClaimConfig & PrimitiveClaimConfig from supertokens-website
- Remove EmailVerificationClaimClass constructor's updateContextOnIsVerifiedFalse prop
- Update to web-js interface version
- Updated supertokens website dependency, which made SessionClaimValidator a type instead of an abstract class
- Only supporting FDI 1.16
- Updated
supertokens-websitedependency that requires a backend SDK update to:- supertokens-node: >= 13.0.0
- supertokens-python: >= 0.12.0
- supertokens-golang: >= 0.10.0
- Renamed configuration options:
sessionScoperenamed tosessionTokenFrontendDomaincookieDomainrenamed tosessionTokenBackendDomain
- Added support for authorizing requests using the
Authorizationheader instead of cookies- Added
tokenTransferMethodconfig option - Check out https://supertokens.com/docs/thirdpartyemailpassword/common-customizations/sessions/token-transfer-method for more information
- Added
- Re-exporting
cookieHandler,windowHandlerandsessionClaimValidatorStorefrom supertokens-website.
- Updated website dependency, which added
getWindowUnsafeto the WindowHandlerInterface. This function should return the raw window object.
- Adding an interceptor for XMLHttpRequest by default upon initializing SuperTokens
- Marked
addAxiosInterceptorsas deprecated - Request interception can now be disabled by adding
superTokensDoNotDoInterceptionto the hash of the request (works as a queryparam as well)
- Make the UserRoleClaim and PermissionClaim never expire by default (you can still use the
maxAgeInSecondsparam of validators to check expiration)
- Fix type of parameter for
Passwordless.consumeCode
- Session claims related types/classes and the
validateClaims&getClaimValuefunctions - Added
getInvalidClaimsFromResponseto the SessionClass to help parsing responses with invalid claim errors - Added
API_INVALID_CLAIMevent to the Session recipe - Added
UserRoleClaimandPermissionClaim
- Only supporting FDI 1.15
- Backend SDKs have to be updated first to a version that supports session claims before enabling EmailVerification!
- supertokens-node: >= 12.0
- supertokens-golang: >= 0.9
- supertokens-python >= 0.11
- EmailVerification recipe is now not initialized as part of auth recipes. You can add it to the recipe list as
EmailVerification.initlike other recipes. - Removed
verifyEmail,sendVerificationEmailandisEmailVerifiedfrom auth recipes. These should now be called on theEmailVerificationrecipe - Moved email verification related events, overrides, pre-api hooks and redirection contexts into the
EmailVerificationrecipe. You should configure them while initializing theEmailVerificationrecipe. - Fix typing of
consumeCodein the passwordless recipe
SuperTokens.init({
// Normal init conf...
recipeList: [
EmailPassword.init({
preAPIHook: (context) => {
// Move email verification related pre-API hooks into the preAPIHook of the EmailVerification config
},
postAPIHook: (context) => {
// Move email verification related post-API hooks into the postAPIHook of the EmailVerification config
}
override: {
emailVerificationFeature: {
// These overrides should be moved into the config of the EmailVerification recipe
}
}
}),
]
})Should become:
SuperTokens.init({
// Normal init conf...
recipeList: [
EmailVerification.init({
// Props from emailVerificationFeature of the EmailPassword.init config should be moved here.
override: {
// The overrides from emailVerificationFeature in the overrides of the EmailPassword config should be moved here
},
preAPIHook: (context) => {
// Move email verification related pre-API hooks here
},
postAPIHook: (context) => {
// Move email verification related post-API hooks here
},
}),
EmailPassword.init({}),
],
});- Makes the input argument for
consumePasswordlessCodein ThirdPartyPasswordless optional.
- Refactors the way the SDK exports recipe functions and utilities
- Corrects error message thrown from ThirdParty recipe if its init function is not called.
- Fixes an issue with webpack configuration that resulted in custom window and cookie handlers to not get initialised correctly
- Fixes an issue where
Passwordless.consumeCodewas not honoring the API spec
- Updates supertokens-website dependency to reflect change in cookieHandler interface
- New FDI support (1.14)
- Removes
setCookieSyncandgetCookieSyncfrom the interface forcookieHandlerwhen callingSuperTokens.init - Updates dependency version for supertokens website to support General Error handling
- Minor changes
- Initial Release