* Added email verification adapter methods
* Added support on sign in page for email providers
* Added check email page
* Added SMTP transport to send email messages
Includes refactoring of model and handlers for the email verification flow.
Brings them into line with other methods.
Not refactoring other getUser* methods at this time as may be helpful for them to be explicit about what will be passed.
* Renamed 'Session ID' to 'Session Token'.
* Applies to model, functions and default cookie name.
* This avoids confusion by separating it from 'id' property in session model.
* Updated documentation
* `lint` and `lint:fix` now separate scripts
* Fixed simple linting issues
Still some linter errors as the email sign up flow is a work in progress.
Twitch recently made breaking changes to their oAuth API.
It no longer works like other oAuth 2 providers. The documentation for it is extensive, but poor quality.
This update still has intermittent problems, but as far as I can make out the problem is the API; they have completed their roll out to 100% but it's still failing sometimes.
* Run `npm run lint` to find (and where possible, fix) linting issues.
* Includes some minor refactoring, including directory structure for adapters and models, so that code for an adapter and the models for it sit together.
Background:
I've added eslint to try and ensure a consistent style and to uncover hidden bugs.
I don't actually care much about what the rules are, it's just helpful to have a baseline.
If it's hard to get code to be compliant, I would rather we just disable a rule in that block of code until we can figure it out and am totally fine with that.
I'd much prefer that than the chore of maintaining a custom set of rules, which is why I just picked Standard JS.
Unfortunately, there is quite a lot that doesn't match the Standard JS format at this point, so this is going to be a big PR.
The file size has gone down in quite a few places, which is nice. I think it may have uncovered potential bugs.
I've run through the flow and everything seems to work as before, though it took some debugging after refactoring.
I have not yet added eslint to a commit hook and am in two minds about that.
This is an open source project and I'd like to make it easy to maintain, but also to have as low a barrier to entry as possible for contributors.
I'm happy to go with encouraging folks to run the linter and try to fix errors they find and to take on the work of wrangling any issues myself.
This error page will be used to handle displaying all errors to the client.
There will be an option to provide a custom error page URL.
Update includes some tweaks to CSS.
* Should database compatibility issues with the model.
* Session expiry dates are still not enforced in client.
* All cookies are still session cookies and expire when the browser is closed.
* AccessToken expiry has been removed for now.
These are all known issues and intended behaviour for now, and will be addressed before release.
* Logic now centralized to avoid duplication across multiple routes.
* Improved validation of query params.
* Also checks and cookie values as mitigation against cookie hijacking.
* CSRF token is verified first.
* If token doesn't match, redirect client to signout URL to prompt for confirmation.
* `deleteSessionById()` not yet implemented in default adapter, so does not work.
* Identified area for refactoring around callbackUrl behaviour.
Improves security and defence against bad actors by adding a hash that uses the secret as a salt and checking it on every request (and overriding the cookie with a new secure one if the check fails.)
* Sets site name + api route now prior to sign in so available sooner.
* Improved next-auth/client logic for server side session handling.
* next-auth/client now checks regular and `__Secure-` prefixed cookies.
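The salted-hash cookie check described above, sketched as an added example (not the project's own code). The function names, the `token|hash` cookie layout and the use of SHA-256 are assumptions made for illustration; the secret and cookie values are constructed.

```javascript
const crypto = require('crypto')

// Hypothetical helper: hash of the token with the server secret appended as the salt.
function hashToken (token, secret) {
  return crypto.createHash('sha256').update(`${token}${secret}`).digest('hex')
}

// Issue a new cookie value in the assumed "token|hash" layout.
function issueCookieValue (secret) {
  const token = crypto.randomBytes(32).toString('hex')
  return `${token}|${hashToken(token, secret)}`
}

// Run on every request: accept the cookie only if its hash matches the one
// recomputed with the secret; otherwise override it with a new value.
function checkCookieValue (cookieValue, secret) {
  if (typeof cookieValue === 'string') {
    const [token, hash, ...rest] = cookieValue.split('|')
    if (token && hash && rest.length === 0) {
      const expected = Buffer.from(hashToken(token, secret))
      const received = Buffer.from(hash)
      // timingSafeEqual throws on unequal lengths, so compare lengths first.
      if (expected.length === received.length &&
          crypto.timingSafeEqual(expected, received)) {
        return { token, cookieValue, reissued: false }
      }
    }
  }
  // Missing, malformed or tampered cookie: the caller sets this new value
  // with Secure/HttpOnly attributes on the response.
  const fresh = issueCookieValue(secret)
  return { token: fresh.split('|')[0], cookieValue: fresh, reissued: true }
}

// Constructed sample values.
const demoSecret = 'constructed-demo-secret'
const demoCookie = issueCookieValue(demoSecret)
const demoForged = `${demoCookie.split('|')[0]}|${'0'.repeat(64)}`
console.log('valid cookie reissued: ', checkCookieValue(demoCookie, demoSecret).reissued)
console.log('forged cookie reissued:', checkCookieValue(demoForged, demoSecret).reissued)
```

An HMAC-SHA256 keyed with the secret is the standard construction for the same check and can replace `hashToken` without changing the rest of the flow.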
While it is still somewhere between an alpha and a beta am publishing to NPM to facilitate further testing.
The software is not ready for use yet!
While believed to be functional there are no formal tests and only casual manual testing has been done.
Features such as logout and session expiry checks have not yet been implemented.