82 lines (40 loc) · 4.73 KB

Changelog

4.0.1 (2026-04-23)

Bug Fixes

persist authenticationMethod in sealed session cookie (#410) (a8f7def)

4.0.0 (2026-04-23)

⚠ BREAKING CHANGES

Upgrade @workos-inc/node to v9 (#407)
set minimum Node.js version to 22.11.0 (#408)

Miscellaneous Chores

set minimum Node.js version to 22.11.0 (#408) (c394669)
Upgrade @workos-inc/node to v9 (#407) (0183951)

3.0.1 (2026-04-20)

Bug Fixes

isolate concurrent PKCE flows to prevent cookie clobbering (#403) (3740a83)
set PKCE cookie in ensureSignedIn server action flow (#406) (a55bb64)

3.0.0 (2026-03-25)

⚠ BREAKING CHANGES

add OAuth state verification on callback to prevent CSRF attacks (#388)

Features

add OAuth state verification on callback to prevent CSRF attacks (#388) (ebef6e7)
middleware: add authkitProxy and handleAuthkitProxy aliases for proxy.ts (#384) (4c3f27b)

Bug Fixes

actions: catch TokenRefreshError in refreshAccessTokenAction to prevent 500s (#383) (5c46c39)
auth: return signInUrl from server actions to avoid CORS errors (#386) (7d52400)
harden PKCE/CSRF for v3.0.0 release (#398) (8054829)

2.17.0 (2026-03-13)

Features

Automatically pass claim nonce for unclaimed environments (#389) (67dfc92)

2.16.1 (2026-03-13)

Bug Fixes

make PKCE opt-in to avoid breaking custom middleware proxies (#392) (9e09fcb)

2.16.0 (2026-03-11)

Features

add PKCE support for OAuth 2.1 compliance (#374) (de01c7f)

Bug Fixes

improve compatibility with non-Next.js environments (#378) (734311a)
resolve Dependabot security alerts (#380) (519dccf)

2.15.0 (2026-02-25)

Features

Add returnTo option to getSignInUrl and getSignUpUrl functions (#375) (fc75708)