v3.5.0 (2023-12-06)
Added
- Add Pushed Authorization Requests #1598 (ewanharris)
v3.4.0 (2023-12-04)
Added
- [SDK-4719] Back-Channel Logout #1590 (adamjmcgrath)
Fixed
- Should get instance of Session in RSCs #1565 (adamjmcgrath)
v3.3.0 (2023-11-13)
Added
- Bail out of static rendering for pages and routes in app dir #1541 (adamjmcgrath)
Fixed
v3.2.0 (2023-10-05)
Added
- Add support for passing a custom http agent #1447 (ryanolson-aumni)
- fix: add missing touchSession for exported function #1461 (benevbright)
Fixed
- withApiAuthRequired callback can return just Response #1476 (adamjmcgrath)
v3.1.0 (2023-08-08)
Added
- Add option to override transaction cookie name and config #1346 (adamjmcgrath)
- Add support for customizing returnTo in middleware #1342 (adamjmcgrath)
Changed
- Move state cookies to under a single cookie #1343 (adamjmcgrath)
Fixed
- Fix for edge cookies delete not supporting domain or path #1341 (adamjmcgrath)
v3.0.1 (2023-07-31)
Fixed
- Fix auth handler types when using custom handlers #1327 (adamjmcgrath)
v3.0.0 (2023-07-25)
Added
- Support for the App Router
- Support for Edge Runtime
- Support for Responses in Middleware
- Support for EOL Node versions 12 and 14 has been removed. See the V3_MIGRATION_GUIDE.md for more details.
v2.7.0 (2023-07-19)
Added
- Support Organization Name #1291 (frederikprijck)
Fixed
- Clean up erroneous cookies when chunk size decreases #1300 (adamjmcgrath)
v3.0.0-beta.3 (2023-06-28)
Added
- [SDK-4319] Add support for Edge runtime #1269 (adamjmcgrath)
- [SDK-4318] Enable responses from custom middleware #1265 (adamjmcgrath)
v2.6.3 (2023-06-26)
Fixed
- Fix for setting custom cookies in
withMiddlewareAuthRequired#1263 (adamjmcgrath)
v3.0.0-beta.2 (2023-06-16)
Fixed
- Fix issue where api wrapper was overwriting session update in api #1255 (adamjmcgrath)
v3.0.0-beta.1 (2023-06-13)
Fixed
- Fix request check in node 16 #1250 (adamjmcgrath)
v2.6.2 (2023-06-09)
Fixed
- Fix for handling chunked cookies in edge runtime #1236 (adamjmcgrath)
v3.0.0-beta.0 (2023-06-08)
Added
- Support for the App Router.
- Support for EOL Node versions 12 and 14 has been removed. See the V3_MIGRATION_GUIDE.md for more details.
v2.6.1 (2023-06-06)
Fixed
- [SDK-4113] Lock down open ended auth route #1212 (adamjmcgrath)
v2.6.0 (2023-05-12)
Added
- Add prefixed url env for preview deploys on middleware #1198 (adamjmcgrath)
v2.5.0 (2023-04-18)
Added
v2.4.0 (2023-03-27)
Added
- Add
autoSave/touchSessionfor rolling session expiry management #1116 (aovens-quantifi)
v2.3.1 (2023-03-17)
Fixed
- Update stateful session cookie expiry on set #1115 (aovens-quantifi)
v2.3.0 (2023-03-16)
Added
- Add AUTH0_LOGOUT env var #1113 (adamjmcgrath)
v2.2.3 (2023-03-13)
Fixed
- [SDK-3887] Always honor auth0Logout config #1104 (adamjmcgrath)
v2.2.2 (2023-03-02)
Fixed
- Fix issue where storeIDToken config not used by getAccessToken #1091 (adamjmcgrath)
v2.2.1 (2023-01-27)
Fixed
- Remove type from export in d.ts files #1037 (ewanharris)
v2.2.0 (2023-01-24)
Added
- [SDK-3862] Add support for JWT client authentication #1029 (ewanharris)
Fixed
- withMiddlewareAuthRequired returnTo should be a relative url #1028 (adamjmcgrath)
- Infer user exists if WithPageAuthRequired page is rendered #1014 (adamjmcgrath)
v2.1.0 (2023-01-11)
Added
- SDK-3807 Add custom session stores #993 (adamjmcgrath)
v2.0.1 (2022-12-09)
Fixed
- afterCallback return type fix #954 (alexmalev)
- fix/rerenders: useMemo to avoid unnecessary rerenders #945 (stavros-liaskos)
v2.0.0 (2022-12-01)
-
Refactor session lifecycle #787 (adamjmcgrath)
-
Rearrange exports for RSC and add experimental RSC route to example #913 (adamjmcgrath)
-
Improved callback errors #835 (adamjmcgrath)
-
Prevent mixing named exports and own instances #825 (adamjmcgrath)
-
Allow to override the user prop in server-side rendered pages #800 (Widcket)
-
Return 204 from /api/auth/me when logged out #791 (Widcket)
Added
-
Next.js Middlware support #815 (adamjmcgrath)
-
Add testing utility for generating session cookies #816 (Widcket)
-
Add updateUser #855 (adamjmcgrath)
-
Add support for configuring the built-in handlers #826 (Widcket)
-
Add support for configuring the default handlers #840 (Widcket)
-
Add logout options #877 (adamjmcgrath)
-
At error cause to AT error when it's from a failed grant #878 (adamjmcgrath)
-
Default error handler #823 (adamjmcgrath)
-
Allow response customization in afterCallback #838 (adamjmcgrath)
See V2 Migration Guide for full details.
v2.0.0-beta.4 (2022-11-18)
- Rearrange exports for RSC and add experimental RSC route to example #913 (adamjmcgrath)
Fixed
- WithMiddlewareAuthRequired should return 401 for /api routes #909 (adamjmcgrath)
v2.0.0-beta.3 (2022-11-08)
Fixed
- Fix edge cookie support for Next < 13.0.1 #900 (adamjmcgrath)
v2.0.0-beta.2 (2022-11-02)
Added
- At error cause to AT error when it's from a failed grant #878 (adamjmcgrath)
- Add logout options #877 (adamjmcgrath)
Fixed
- Fix for new req.cookie interface #894 (adamjmcgrath)
v2.0.0-beta.1 (2022-10-21)
Fixed
- status getter is not enumerable so needs to be added to NextResponse #875 (adamjmcgrath)
v2.0.0-beta.0 (2022-10-11)
- Change updateUser to updateSession #855 (adamjmcgrath)
- Add support for configuring the default handlers #840 (Widcket)
- Allow response customization in afterCallback #838 (adamjmcgrath)
- Improved callback errors #835 (adamjmcgrath)
- Add support for configuring the built-in handlers #826 (Widcket)
- Prevent mixing named exports and own instances #825 (adamjmcgrath)
- Default error handler #823 (adamjmcgrath)
- Fix intermittent build issues #818 (adamjmcgrath)
- Add testing utility for generating session cookies #816 (Widcket)
- Next.js Middlware support #815 (adamjmcgrath)
- Fix v1 cookie tests #810 (adamjmcgrath)
- Do not store the ID token by default #809 (Widcket)
- Allow to override the user prop in server-side rendered pages #800 (Widcket)
- Improve API docs #796 (Widcket)
- Return 204 from /api/auth/me when logged out #791 (Widcket)
- Refactor session lifecycle #787 (adamjmcgrath)
- Improve errors #782 (Widcket)
See V2 Migration Guide for full details.
v1.9.2 (2022-10-07)
Added
- Fix updates to session not reflected in async
getServerSideProps#843 (adamjmcgrath)
v1.9.1 (2022-06-16)
Fixed
- Add Props and Query to GetServerSidePropsWrapper type #731 (adamjmcgrath)
v1.9.0 (2022-05-20)
Added
- [SDK-3332] Constrain session lifecycle to
withPageAuthrequiredto avoid Next warning #664 (adamjmcgrath)
v1.8.0 (2022-05-04)
Added
- Add some useful props to the callback error #625 (adamjmcgrath)
- Update to next 12 #612 (adamjmcgrath)
Fixed
- Fix Fast Refresh for WithPageAuthRequired #653 (adamjmcgrath)
- Handle request errors on
useUserhook [SDK-3227] #639 (Widcket) - Add default to PageRoute type parameter #632 (grantbdev)
- throw if you try to refresh with no rt #624 (adamjmcgrath)
- Should be able to set rollingDuration as false (when rolling is false) #623 (adamjmcgrath)
- Fix types in client-side
withPageAuthRequired#574 (slaypni)
v1.7.0 (2022-01-06)
Added
- Include message body in 302 responses #564 (michielvangendt)
Fixed
- Honor configured sameSite in transient cookies so you can login to iframe using 'none' #571 (adamjmcgrath)
- Cookies with samesite=none must have the secure attr set #570 (adamjmcgrath)
- Improve types in server-side withPageAuthRequired #554 (misoton665)
v1.6.2 (2021-12-16)
Fixed
- Fix issue where error reporting wrong instanceof #543 (adamjmcgrath)
Security
- Enforce configured host on user supplied returnTo #557 (adamjmcgrath)
v1.6.1 (2021-10-13)
Fixed
v1.6.0 (2021-10-11)
Added
- [SDK-2818] Export error classes #508 (adamjmcgrath)
- [SDK-2529] Add ability to pass custom params to refresh grant and code exchange #507 (adamjmcgrath)
- [SDK-2813] Add afterRefresh hook #506 (adamjmcgrath)
Fixed
1.5.0 (2021-07-14)
Added
1.4.2 (2021-06-24)
Fixed
- Fix reflected XSS from the callback handler's error query parameter CVE-2021-32702 (adamjmcgrath)
1.4.0 (2021-06-03)
Added
withPageAuthRequiredCSR now addsuserto wrapped component props #405 (adamjmcgrath)
Fixed
- env var substitutions now means you can define
AUTH0_BASE_URLfromVERCEL_URLinnext.config.js#404 (adamjmcgrath)
1.3.1 (2021-05-05)
Fixed
- Use
window.location.toString()as the defaultreturnTovalue #370 (Widcket) returnToshould be encoded as it contains url unsafe chars #365 (adamjmcgrath)
1.3.0 (2021-03-26)
Added
- Organizations support #343 (adamjmcgrath)
1.2.0 (2021-03-10)
Added
- Export
UserContextfor overriding default hook initialisation behaviour #325 (adamjmcgrath)
Fixed
1.1.0 (2021-02-24)
Added
Fixed
- Chunked cookies should not exceed browser max #301 (adamjmcgrath)
- Cleanup unused cookies when switching between chunked and unchunked #303 (adamjmcgrath)
- New tokens should be applied to existing session after handleProfile #307 (adamjmcgrath)
1.0.0 (2021-02-15)
New features
- New suite of frontend tools:
useUserhook andUserProviderto simplify checking and managing the user’s logged in state on the client.withPageAuthRequiredhigher order component to protect client side routes.
- New
handleAuthfeature to reduce the amount of boilerplate required to set up the server side authentication handlers. - Simpler server side API where creation of an SDK instance is handled by the SDK.
Breaking changes
For a full list of breaking changes and migration guide, checkout the V1_MIGRATION_GUIDE.md
1.0.0-beta.2 (2021-02-11)
Additions
- Added
afterRefetchhook option tohandleProfileto modify the session after refetching it.
1.0.0-beta.1 (2021-02-03)
Additions
- Added a new way to configure the custom profile url. Now it can be configured with an environment variable as well.
Changes
- The way to configure the custom login url has changed. Instead of passing it in every call to
withPageAuthRequirednow it can be configured with an environment variable. - The Vercel configuration docs have been updated with the latest guidance.
Fixes
- Fixed a logout issue related to custom IdPs.
1.0.0-beta.0 (2021-01-14)
Install
npm install @auth0/nextjs-auth0@betaNew features
- New suite of frontend tools:
useUserhook andUserProviderto simplify checking and managing the user’s logged in state on the client.withPageAuthRequiredhigher order component to protect client side routes.
- New
handleAuthfeature to reduce the amount of boilerplate required to set up the server side authentication handlers. - Simpler server side API where creation of an SDK instance is handled by the SDK.
Breaking changes
For a full list of breaking changes and migration guide, checkout the V1_MIGRATION_GUIDE.md
Changes
- AggregateError#message from
Issuer.discoverincludes stack trace #236 (adamjmcgrath) - Prevent caching the
/merequest #233 (adamjmcgrath) - Added error handling to useUser [SDK-2236] #229 (Widcket)
- Rename loading to isLoading #222 (Widcket)
- Prepare application to be deployable with Vercel #218 (frederikprijck)
- Added withCSRAuthRequired HOC [SDK-2120] #209 (Widcket)
- [SDK-2057] Express mw tests #191 (adamjmcgrath)
- Add withAuth HOC [SDK-2120] #189 (Widcket)
- Add frontend hook tests [SDK-2117] #188 (Widcket)
- Add frontend hook CH: Added #187 (Widcket)
v0.16.0 (2020-08-19)
- Updating dependencies with security issues
- Added the ability to force refreshing the
access_token(#147)
v0.15.0 (2020-07-13)
- Improve redirect URI validation when double forward slashes are provided (commit)
- Fix double encoding issue of
postLogoutRedirectUriwhen using a different OIDC IdP (#127) - Keep previously set cookies in the
callbackHandler(#133)
v0.14.0 (2020-07-08)
- Allow overriding the
returnTosetting when signing out a user (in thelogoutHandler)
v0.13.0 (2020-05-15)
- Updated handlers to use
NextApiRequestandNextApiResponse - Automatically redirect to what is provided in the redirectTo querystring parameter, eg:
/api/login?redirectTo=/profile
v0.12.0 (2020-05-11)
- Support end_session_endpoint (#102)
- Allow full control over the state generation
- Allow full control over the session creation
v0.11.0 (2020-03-31)
- Make options optional in handlers (#78)
- Add domain when clearing cookie (#79)
- Add redirectTo support (#81)
v0.10.0 (2020-01-10)
- Add support to refetch the user in the profile handler.
v0.9.0 (2020-01-08)
- Make
optionson the login handler optional
v0.8.0 (2020-01-08)
- Improved TypeScript types
- Added support to automatically refresh access tokens
v0.7.0 (2019-12-18)
- Add support for
SameSiteand set toLaxby default to mitigate CSRF attacks.
v0.6.0 (2019-12-18)
- Add support for the
cookieDomainoption which allows you to share the session across subdomains. - Fix the interface for the
handleLoginmethod. - Support sending a custom
stateto Auth0.
v0.5.0 (2019-10-14)
- Added support for custom authorization parameters in the Login handler
v0.4.0 (2019-10-10)
- Rename the
httpClienttooidcClientsetting to support more OIDC related settings. - Added support for
id_tokenleeway for when the time on your server is running behind on Auth0. - Improve handling of
Securecookies. Don't forceSecurecookies when running on localhost (to fix issues related tonext start)
v0.3.0 (2019-10-09)
- Fixed issue related to
audiencenot being passed to the/authorizerequest - Rename
useAuth0toinitAuth0to clear any confusion about React Hooks (this SDK does not provide a hook) - Added a new handler to require authentication on API routes.
v0.2.0 (2019-09-25)
- Added support for
storeRefreshTokento persist therefresh_tokenin the session - Added prettier
- Removed the need build time configuration
v0.1.0 (2019-09-17)
Initial release.