All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Fixes `base_path` config option not being observed when running `supertokens list`
- Adds base_path normalization logic
- Changed default `--with_argon2_hashing_pool_size` in `hashingCalibrate` CLI command to 1.
- Adds github action for running tests against in memory db.
- Adds github action for checking if "Run tests" action was completed (to run in PRs)
- Fixes how config values are changed during tests.
- Adds 60 mins timeout to github action jobs
- Moves deleting user metadata to happen before deleting the actual user.
- Adds support for argon2 hashing.
- Adds colours to CLI output (in case of errors).
- New config values:
  - `password_hashing_alg`
  - `argon2_iterations`
  - `argon2_memory_kb`
  - `argon2_parallelism`
  - `argon2_hashing_pool_size`
  - `bcrypt_log_rounds`
- `supertokens hashingCalibrate`: Used to calibrate argon2 and bcrypt password hashing params.
- Fixes memory leak during testing.
- Updated plugin interface version
- Adds usermetadata recipe
- Update CONTRIBUTING.md with instructions for gitpod setup
- Added `user_metadata` table
- Updated plugin interface version
- Fixed ResultSet instances to avoid Memory Leaks
- Fixed supertokens#373: Catching `StorageTransactionLogicException` in transaction helper function for retries
- Supporting CDI v2.12
- Adding the `userId` to the response of `recipe/user/password/reset`
- Adds support for providing base path for all APIs: supertokens/supertokens-node#252
- Add workflow to verify if pr title follows conventional commits
- New config value `base_path`; default is `""` (no base path)
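The `base_path` option above is a prefix applied in front of every core API route, and a prefix is only safe to strip from an incoming path when it is matched on a segment boundary (a base path of `/auth` must not claim `/authx/...`). The following is an added example written for this page, not code from the SuperTokens core: the normalization rules it applies (single leading slash, no trailing slash, duplicate slashes collapsed, `""` meaning no prefix, dot segments rejected) are this editor's assumption about what "base_path normalization" should do, and `strip_base_path` and `api_url` are hypothetical helper names.

```python
from typing import Optional


def normalize_base_path(raw: Optional[str]) -> str:
    """Canonical form: '' for no prefix, otherwise '/seg/seg' with a single
    leading slash, no trailing slash and no empty segments.
    (Assumed rules for this example, not the core's own implementation.)"""
    if raw is None:
        return ""
    segments = [s for s in raw.strip().split("/") if s]
    if not segments:  # '', '/', '///' all mean "no base path"
        return ""
    for s in segments:
        if s in (".", ".."):  # refuse dot segments rather than "resolve" them
            raise ValueError("base_path must not contain dot segments")
    return "/" + "/".join(segments)


def strip_base_path(request_path: str, base_path: Optional[str]) -> Optional[str]:
    """Remove the configured prefix from an incoming request path.

    Returns None when the path lies outside the base path. The comparison is
    made on a segment boundary, so '/auth' does not match '/authx/session'."""
    base = normalize_base_path(base_path)
    if base == "":
        return request_path
    if request_path == base:
        return "/"
    if request_path.startswith(base + "/"):
        return request_path[len(base):]
    return None


def api_url(base_path: Optional[str], route: str) -> str:
    """Join the normalized prefix with a core route such as '/hello'."""
    return normalize_base_path(base_path) + route


if __name__ == "__main__":
    for raw in ("", "/", "auth", "/auth/", "//auth//v1/"):
        print(repr(raw), "->", repr(normalize_base_path(raw)))
    print(strip_base_path("/auth/session/refresh", "auth/"))   # /session/refresh
    print(strip_base_path("/authx/session/refresh", "/auth"))  # None
    print(api_url("/auth/", "/hello"))                          # /auth/hello
```

The segment-boundary check is the part worth keeping: a bare `startswith(base)` would let `/authx/...` or `/auth-internal/...` be routed as if they sat under the configured prefix.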
- Added Passwordless recipe (with unit test coverage)
- Adds new tables for passwordless:
  - `passwordless_users` that stores the users of the passwordless recipe
  - `passwordless_devices` that stores devices/information about passwordless login attempts
  - `passwordless_codes` that stores the codes each device can consume to finish the login process
- New recipeId in `/users` response with a corresponding new user type
- Delete user endpoint
- Issue with JWT expiry always being lower than expected
- Modulus and exponent for JsonWebKeys are now sent as unsigned integers when fetching public keys from the `/jwt/jwks.json` endpoint. Both values are base64url encoded without padding.
- JWT creation logic adds an `iss` claim only if none is provided
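On the JWKS fix above: a JWK `n` or `e` field must carry the unsigned big-endian magnitude bytes of the integer, base64url encoded with the `=` padding removed (RFC 7518 section 6.3). A signed two's-complement encoding, such as what Java's `BigInteger.toByteArray()` produces, prepends a 0x00 byte whenever the top bit of the value is set, which is the case for every properly sized RSA modulus, so a consumer would decode a modulus one byte longer than the key size. The following is an added example, not the core's code: it is Python, the 256-bit modulus is a constructed value used only to show the encoding (not a real key), and `to_signed_bytes` merely imitates the sign-byte behaviour for comparison.

```python
import base64
import json
from typing import Dict, List, Tuple


def to_unsigned_bytes(value: int) -> bytes:
    """Big-endian magnitude bytes with no sign byte: the JWK encoding of n and e."""
    if value < 0:
        raise ValueError("JWK integer fields are non-negative")
    length = max(1, (value.bit_length() + 7) // 8)
    return value.to_bytes(length, "big")


def to_signed_bytes(value: int) -> bytes:
    """Two's-complement encoding, as Java's BigInteger.toByteArray() produces.
    When the top bit of the magnitude is set an extra leading 0x00 appears;
    this is the form a JWKS consumer must NOT be given."""
    length = max(1, (value.bit_length() + 8) // 8)  # one extra bit for the sign
    return value.to_bytes(length, "big", signed=True)


def b64url_nopad(raw: bytes) -> str:
    """base64url alphabet with the '=' padding stripped (RFC 7515 appendix C)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Re-add the padding Python's decoder insists on, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rsa_public_jwk(n: int, e: int, kid: str) -> Dict[str, str]:
    """Build one RSA public key entry as served in a jwks.json document."""
    return {
        "kty": "RSA",
        "alg": "RS256",
        "use": "sig",
        "kid": kid,
        "n": b64url_nopad(to_unsigned_bytes(n)),
        "e": b64url_nopad(to_unsigned_bytes(e)),
    }


def jwks_document(keys: List[Dict[str, str]]) -> str:
    """Serialize the key set in the {"keys": [...]} shape of a JWKS endpoint."""
    return json.dumps({"keys": keys})


def parse_rsa_jwk(jwk: Dict[str, str]) -> Tuple[int, int]:
    """Consumer side: recover (n, e) from the base64url fields."""
    if jwk.get("kty") != "RSA":
        raise ValueError("not an RSA JWK")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    return n, e


def modulus_byte_length(jwk: Dict[str, str]) -> int:
    """Decoded length of n. A stray sign byte makes this one larger than the
    key size in bytes, which is how a consumer can spot the bug."""
    return len(b64url_decode(jwk["n"]))


# Constructed 256-bit modulus for illustration only (NOT a real key; real RSA
# moduli are 2048 bits or more). Its top byte 0xC0 has the high bit set, as
# every real modulus does, so the sign-byte difference always shows up.
DEMO_N = int.from_bytes(b"\xc0" + b"\x11" * 31, "big")
DEMO_E = 65537

if __name__ == "__main__":
    jwk = rsa_public_jwk(DEMO_N, DEMO_E, "key-1")
    print(jwks_document([jwk]))
    print("e as base64url:", jwk["e"])                                   # AQAB
    print("unsigned modulus bytes:", modulus_byte_length(jwk))           # 32
    print("toByteArray-style bytes:", len(to_signed_bytes(DEMO_N)))      # 33
    assert parse_rsa_jwk(jwk) == (DEMO_N, DEMO_E)
```

The well-known `AQAB` value for `e = 65537` is a quick sanity check on any JWKS output; a leading `A` on a padded or sign-extended modulus (a 0x00 first byte) is the symptom this change removes.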
- New config values `password_reset_token_lifetime` and `email_verification_token_lifetime`: supertokens#297
- Added support for multiple access token signing keys: supertokens#305
- Updated CDI version
- Added a table to store access token signing keys into SQL schema, called `session_access_token_signing_keys`
- New JWT recipe to create JWT tokens using SuperTokens
- New table `jwt_signing_keys` added to store keys used by the JWT recipe
- Explicitly adds UTF-8 compatible conversion when encoding / decoding base64 strings.
- Issue with verifying refresh token throwing an unauthorised exception due to a db connection error.
- Sends a far-ahead JWT signing key expiry time when updating the keys is disabled: supertokens#304
- Changes JWT signing key update interval to not be limited to 720 hours
- Logs non "OK" status code from APIs for debugging purposes.
- Always throws unauthorised response if refresh token is not valid - previously it was throwing a 500 error in case it was not properly base64 encoded.
- Make email verification tables take a generic userId: supertokens#258
- Adds new count and pagination APIs: supertokens#259
- Adds new API to get session data, and deprecates older one to get session and JWT payload separately: supertokens#255
- Removed `isVerified` boolean from thirdparty sign in up API as per CDI spec 2.8, and hence does not do email verification in this API either. Also related to supertokens#295
- Add `GET /recipe/users/[email protected]` endpoint for ThirdParty recipe to fetch all users with given email
- Add new email verification APIs for remove tokens and unverify email.
- Add `PUT /recipe/user` for emailpassword recipe to change user's password or email.
- `NullPointerException` that is thrown in `AccessTokenSigningKey.java` class when the `keyInfo` object is accessed in parallel after the signing key has expired: supertokens#282
- Adds `test_mode` to the options for running the core so that it can be run in test mode whilst being tested by the backend SDK.
- Adds `jwtSigningPublicKey` and `jwtSigningPublicKeyExpiryTime` to API response when returning `TRY_REFRESH_TOKEN` from session verify.
- Uses Open JDK 15.0.1
- Extracted email verification into its own recipe
- ThirdParty recipe API
- Normalises email by making it all lower case
- Changes in handshake API
- Changes in config
- Changes in session create, verify and refresh APIs
- Used rowmapper for in memory db
- Adds email verification APIs
- Adds user pagination APIs
- Adds `timeJoined` to whenever a user object is returned from an API
- Makes Hello API do a db query as well for better status checking
- Changes as per CDI 2.4: supertokens/core-driver-interface#1
- In memory db uses the SQL interface
- Emailpassword recipe functions and APIs
- Deprecates the need for a separate SQLite repo (since the in mem one already exists within the core)
- Issue #84 - Correct access token signing key expiry not being sent by APIs
- Fixed issue of docker image hanging when run in foreground
- Updates the access token if blacklisting is switched on and the JWT payload has been changed somehow
- API key support
- JWT Api Key Rotation
- Compatibility with the inefficient method for handling refresh tokens.
- CSRF check in refresh API
- set csrf config to `false` by default
- compatibility with CDI 2.3
- When regenerating session, uses old access token's `parentRefreshTokenHash1` instead of null
- Optimises refresh token to not store old tokens in the database
- removes the need for a license key
- removes API Pings
- Makes default session expiry status code 401
- Makes default refresh API path "/session/refresh"
- Compatibility with CDI 2.2. Makes `cookie_domain` default value not set, so that it will work with any API
- Makes sameSite = lax by default
- If licenseKey is missing, then dependency jars are downloaded in DEV mode
- Makes license Apache 2.0
- Changes how versioning works to make it per API call.
- Supports CDI 2.1
- Fixed forcing of the no-in-memory-database flag in the start command on Linux
- Uses in memory database in dev mode if database is not configured
- Removes the need to specify dev / production when running the start command
- Compatibility with CDI 2.0
- API versions
- SameSite cookie option
- Updating of JWT payload
- Session expired status code configuration
- Partial lmrt support
- Compatibility with NoSQL databases like MongoDB
- Setting sameSite cookie option. However, this is not usable in this release.
- Adds #!/bin/bash in scripts
- Allow for an unlimited number of SuperTokens instances in production mode
- License changes to reflect the above