* Added React Hook to client.
* NextAuth.session() is now a universal method.
* Improved cookie support, all cookie names and options can be customised (feature request).
* Updated examples in documentation.
While not all signup flows are complete, basic core functionality is now working.
Users can sign in, have their identify verified and session is created for them in a secure manner.
* Added Session model and schema.
* Added createSession and getSessionByID handlers.
* Added getUserByID handler.
* Added /api/auth/session endpoint which displays info about the current session.
* /api/auth/session endpoint is secure as it requires the HTTP only cookie.
* Remove schema relationship data for now (no value currently and may cause problems if not modeled correctly).
We need to be able to return simple server-side rendered pages for authentication (e.g. signin).
Using Preact means we can use JSX in them while keeping depedancy size small.
Ultimately, these pages should be customizable - both by passing in CSS and by specifying custom URL for page.
Additionally, the babel config has been tweaked to reduce bundle size by minifying assets and stripping comments from built assets.
* Uses typeorm as works with a large number of data stores.
* Compatible with common SQL, document storage & lightweight databases.
* Adapter logic integrated into signup flow but not yet complete.
* Flow not fully complete or tested, but can complete signin journey.
* Does not include source code for adapter (test adapater source currently in client respository while under development).
* Wrapped all calls in promise to avoid early termination of serverless function.
* Callback and Session cookie names and cookie options can now be changed by passing options for them in (feature request from 1.x).
* Redesigned from the ground up for serverless!
* Doesn't require PassportJS or Express!
* Much simpler configuration!
* Interface exposed via single API endpoint.
* Supports both oAuth 1.x and 2.x services.
* Initial commit includes support for signing in with Twitter, Google and GitHub.
Code is functional, but not useable as adapter support (saving user information) is still in progress.
Still to come:
* Support for Facebook, email, and credential authentication flows.
* Adapter support - will provide out of the box support for MongoDB, Elasticsearch and SQL with support for writing custom adapters in a similar style to version 1.x.
* Automated User Acceptance Tests for all auth flows.
* Example usage . In a change from version 1.x a demo will exist in a seperate repository to make it easier to get started.
This version will (probably) not be published, at least not until 2.0 ships in the next few weeks.
This release contains several untested fixes and enhancements that were not in the last released version version of 1.x (1.12.1).
I would like to publish it then, so that it can be archived and available to those still using the 1.x branch after release of 2.0.
* All dependancies updated, including the example to include latest release of Next.js and React.
* Includes fix for Keycloak strategy support and improved oAuth strategy compatibility.
* Includes enhancement for exposing additional parameters when calling getProfile().
* `sessionResave` now defaults to `true`, which ensures sessions always rotate properly.
This can be disabled for special use cases - it does not work well with some Express Session Stores, but for most people it should be fine and should rotate sessions correctly. If set to `false` user sessions are likely to expire prematurely. It is strongly recommended you do not change this from the default setting.
As a side effect, this will case all sessions - including anonymous sessions created when users have connected but not logged in yet - to be saved as a session in the store. This is because the current Cross Site Request Forgery option associates a token with a session in the browser.
If you want to avoid creating anonymous sessions, set `csrf` to `false` to disable CSRF protection; sessions will then only be created when a user signs in. A future update should include the option to implement CSRF using the Double Submit Cookie method so it can be enabled without causing this side effect.
passport-oauth2 calls back with extra parameters if specified - this is based on the number of arguments passed to the callback function when defining the strategy (https://github.com/jaredhanson/passport-oauth2/blob/master/lib/strategy.js). This change exposes that extra parameter. This is useful if users want to store id_token for instance which is available in the _params object.
Add Typescript types by @NickBolles. Not pushing to a new release yet but can't see how it would break anything and I need to catch up with PRs :)
Thanks Nick!
Strategy name in Passoport is not enforced to be all lower case, and it's up to strategy author to pick a name.
So, there's a chance that strategy with mixed case name [exists](https://github.com/exlinc/keycloak-passport/blob/master/index.js#L23)
Without this change such strategies won't work with next-auth.
