* All dependancies updated, including the example to include latest release of Next.js and React.
* Includes fix for Keycloak strategy support and improved oAuth strategy compatibility.
* Includes enhancement for exposing additional parameters when calling getProfile().
* `sessionResave` now defaults to `true`, which ensures sessions always rotate properly.
This can be disabled for special use cases - it does not work well with some Express Session Stores, but for most people it should be fine and should rotate sessions correctly. If set to `false` user sessions are likely to expire prematurely. It is strongly recommended you do not change this from the default setting.
As a side effect, this will case all sessions - including anonymous sessions created when users have connected but not logged in yet - to be saved as a session in the store. This is because the current Cross Site Request Forgery option associates a token with a session in the browser.
If you want to avoid creating anonymous sessions, set `csrf` to `false` to disable CSRF protection; sessions will then only be created when a user signs in. A future update should include the option to implement CSRF using the Double Submit Cookie method so it can be enabled without causing this side effect.
* Added Babel Pollyfill to the next-auth client and rollup config.
* Client longer relies on ES6 features and so works in Internet Explorer (support for which had been dropped was was conflicting with newerver version of webpack when building isomorphic libraries).
* Example client now has slightly better example of how to handle the callback screen for browsers that don’t have JavaScript enabled.
You can use a custom object to define paths to white list or set it to `false` if you don't want CSRF protection (or want to apply your own).
* Refactored session support to custom session objects to be returned to clients.
* Migrated to rollup from webpack, as webpack no longer generates working isomorphic code in latest versions.
* The webpack generated client was also causing an error in Internet Explorer 11 (Microsoft Edge was and still is working fine).
* There are _still_ breaking issues in Internet Explorer 11 with the example project (cause TBD), but it no longer crashes the app, so fallback of server side rendering still works.
* Hotifx for release 1.8.3 which was a broken release (!)
* This release includes a downgrade from webpack 4.7 to webpack 3.11 (the latest release of 3.x)
* Example upgraded to latest versions of Next.js 6.0 and React/React DOM 16.3
The downgrade of webpack is due to breaking changes in webpack. Webpack 4.7 builds do not work as universal builds (that can run in web, webworker and node.js).
There is no fix or apparent workaround for this in webpack presently, but a fix has been suggested in an issue linked to in this thread: https://github.com/webpack/webpack/issues/6525
When calling update() after…
1. Invalidating a one time use emailToken (after use).
2. Unlinking an oAuth account.
…it now passes a third option, indicating the property that was deleted from the object (or that should have been):
e.g.
* `functions.update(user, null, { delete: 'emailToken' })`
* `functions.update(user, null, { delete: 'facebook' })`
* `functions.update(user, null, { delete: 'google' })`
* `functions.update(user, null, { delete: 'twitter' })`
This is to make it easier to integrate with databases like Mongoose.
It's needed because if you pass a Mongoose object it will *not let* the key be deleted by NextAuth, so you will have to check for this third pararam in your .update() function and use Mongoose specific commands to unset the field for the user.
* Resolves#18 by providing an easy way to define a custom credentials based sign in end point and use it with NextAuth.
The NextAuth client explicitly supports this option and an new example in example/pages/credentials.js shows how to use it (it’s super easy to use and and you can pass any fields you like to it).
Note that this does not explicitly allow a localStrategy to be defined but provides the same ability to define a custom auth hook - allowing custom localStrategies would probably be a footgun and likely generate support requests (as it’s more complicated to implement) so I’m inclined to keep it simple for everyone.
* Resolves#20 by passing the req to email sign in method (useful for things like language and hostname detection).
* If you do not pass a sendSignInEmail() or signIn() functions (or set them to null) then the routes for these will not be created, so that they are easy to disable.
The module `isomorphic-fetch` is required by `next-auth/client` (but should not be bundled in as the code also needs to run server side, which is why it’s listed an an external in the webpack config).
This update moves the dependancy on it from devDependancies into dependancies, which is where it should be (as is required in production as well). You would already get a warning if you didn’t have it installed, but now you you don’t need to explicitly include it.
* Fixes bug in v1.6.0 with the return reponse (for those extending NextAuth), it was returning an empty response after refactoring.
* The instance of Express is now returned in ‘expressApp’, the value ‘express’ now contains Express library being referenced (making it easier to use it for things like creating static routes).
* Removed depdancy for cookie parser (resolves#15).
* Example now uses Next.js 5.0.
* Pruned unused dependancies.
* Fixed missing depdendancies for example project.
* Resolved issue with missing dependancies for building the client lib.
* Now trust proxies running in front when they say they are running the site over SSL (e.g. Heroku, nginx, AWS, etc).
* Now uses secure cookies on HTTPS enabled sites.
The oAuth profile for a service is now passed to update() and insert() when signing in via oAuth (or linking accounts).
e.g. `update(user, oAuthProfile)` and `insert(user, oAuthProfile)`
This provides a way to also capture oAuth provider specific fields, such as avatar, location, organisation, etc. as needed.
Thanks to @gielcobben for raising this.
