All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning
- Fixed an issue where the
AuthPagewas using full-page redirects to navigate to the password reset page if both emailpassword and passwordless were enabled.
- Added the
OAuth2Providerrecipe - Changed the input types and default implementation of
AuthPageHeaderto show the client information in OAuth2 flows - Expanded an error message in
AuthPageto help with common errors
- Now only supporting FDI 3.1 and 4.0 (Node >= 21.0.0)
- All
getRedirectionURLfunctions now also get a newtenantIdFromQueryParamsprop- This is used in OAuth2 + Multi-tenant flows.
- This should be safe to ignore if:
- You are not using those recipes
- You have a custom
getTenantIdimplementation - You are not customizing paths of the pages handled by SuperTokens.
- This is used to keep the
tenantIdquery param during internal redirections between pages handled by the SDK. - If you have custom paths, you should set the tenantId queryparam based on this. (See migrations below for more details)
- Added a new
shouldTryLinkingToSessionUserflag to sign in/up related function inputs:- No action is needed if you are not using MFA/session based account linking.
- If you are implementing MFA:
- Plase set this flag to
false(or leave as undefined) during first factor sign-ins - Please set this flag to
truefor secondary factors. - Please forward this flag to the original implementation in any of your overrides.
- Plase set this flag to
- Changed functions:
EmailPassword:signIn,signUp: both override and callable functions
ThirdParty:getAuthorisationURLWithQueryParamsAndSetState: both override and callable functionredirectToThirdPartyLogin: callable function takes this flag as an optional input (it defaults to false on the backend)
Passwordless:- Functions overrides:
consumeCode,resendCode,createCode,setLoginAttemptInfo,getLoginAttemptInfo - Calling
createCodeandsetLoginAttemptInfotake this flag as an optional input (it defaults to false on the backend)
- Functions overrides:
- Changed the default implementation of
getTenantIdto default to thetenantIdquery parameter (if present) then falling back to the public tenant instead of always defaulting to the public tenant - We now disable session based account linking in the magic link based flow in passwordless by default
- This is to make it function more consistently instead of only working if the link was opened on the same device
- You can override by overriding the
consumeCodefunction in the Passwordless Recipe
Before:
EmailPassword.init({
async getRedirectionURL(context) {
if (context.action === "RESET_PASSWORD") {
return `/reset-password`;
}
return "";
},
});After:
EmailPassword.init({
async getRedirectionURL(context) {
return `/reset-password?tenantId=${context.tenantIdFromQueryParams}`;
},
});You can re-enable linking by overriding the consumeCode function in the passwordless recipe and setting shouldTryLinkingToSessionUser to true.
Passwordless.init({
override: {
functions: (original) => {
return {
...original,
consumeCode: async (input) => {
// Please note that this is means that the session is required and will cause an error if it is not present
return original.consumeCode({ ...input, shouldTryLinkingWithSessionUser: true });
},
};
},
},
});- Fixed an issue where we showed the "continue with passwordless" button during sign-in even if email-based passwordless was disabled by the tenant configuration.
Redesigned the pre-built UI with a modern monochrome aesthetic, creating a cleaner and more unified visual experience. Please double check any custom styles you added still looks good with the new UI.
- Changed a lot of the default styles to fit the new UI
--palette-textTitlechanged fromrgb(34, 34, 34)torgb(0, 0, 0)--palette-textLabelchanged from rgb(34, 34, 34)torgb(0, 0, 0)--palette-textInputchanged fromrgb(34, 34, 34)torgb(0, 0, 0)--palette-textPrimarychanged fromrgb(101, 101, 101)torgb(128, 128, 128)--palette-textLinkchanged fromrgb(0, 118, 255)torgb(0, 122, 255)--palette-textGraychanged fromrgb(128, 128, 128)torgb(54, 54, 54)- Adjusted the layout of the provider buttons. Now:
- The logo is aligned to the left, and the text is centered within the entire button, enhancing visual balance and consistency across different button text lengths.
- The button now has a fixed height of 40px.
- We add an animation to the button when hovering over it if the text is too long.
- Changed the Email Icon used in the "Verify Email" UI
- Changed the SMS Icon used in the "Link sent to phone" UI
- Changed the button arrow icons
- Updated some translation strings to fit the new UI
EMAIL_VERIFICATION_SEND_TITLEPWLESS_LINK_SENT_RESEND_DESC_END_EMAIL
- The prebuilt UI now clears the login attempt info if the stored data doesn't contain all the required properties. This should help migration from a custom UI to the prebuilt UI.
- Changed
redirectToFactorto accept an object instead of multiple arguments. - Changed
redirectToFactorChooserto accept an object instead of multiple arguments. - Made MFA related screens do a success redirection if MFA is already completed and the
stepUpquery param is not set totrue.redirectToFactorChoosernow accepts astepUpoption to set thestepUpquery param.redirectToFactornow accepts astepUpoption to set thestepUpquery param.
- Fixed an issue where the
Sessionrecipe was not allowed in the pre-built UI list (it's still a no-op, but it shouldn't be a type issue)
- Now we only update the session context if the object changes by value. This optimization should help reduce unnecessary re-renders.
- Updated the font and font-weights in the default styles
- We no longer load the Rubik font by default
- Now the error prop should be updated in override components.
- Removes the default
maxAgeInSecondsvalue (previously 300 seconds) in EmailVerification Claim. If the claim value is true andmaxAgeInSecondsis not provided, it will not be refreshed.
- Fixes to e2e test
- Updated SAML third-party provider to use logo based on the provider name
- Now we only update the session context if the object changes by value. This optimization should help reduce unnecessary re-renders.
- Updating publish script to update to the lib on chromatic
- Re-built docs folder
-
Removed
ThirdPartyEmailPasswordandThirdPartyPasswordlessrecipes. -
EmailPasswordrecipe:- Removed embeddable components:
SignInUp,SignInAndUpTheme - Removed overridable components:
EmailPasswordSignIn,EmailPasswordSignInFooter,EmailPasswordSignInHeader,EmailPasswordSignUp,EmailPasswordSignUpFooter,EmailPasswordSignUpHeader - Moved
useShadowDom,defaultToSignUp,privacyPolicyLink,termsOfServiceLinkfrom the config to the root configuration passed toSuperTokens.init.
- Removed embeddable components:
-
Passwordlessrecipe:- Removed embeddable components:
SignInUp - Removed overrideable components:
PasswordlessSignInUpHeader_Override,PasswordlessSignInUpFooter_Override - Removed the
guessInternationPhoneNumberFromInputPhoneNumberconfigurable callback, since now the user sets if they are entering email or a phone number explicitly - Moved
useShadowDom,privacyPolicyLink,termsOfServiceLinkfrom the config to the root configuration passed toSuperTokens.init. - Changed the UX of the contactinfo entry form for
EMAIL_OR_PHONE - Added
defaultToEmailconfiguration option, which decides if the contact info input form starts in the email or phone state if thecontactMethodis set toEMAIL_OR_PHONE
- Removed embeddable components:
-
ThirdPartyrecipe:- Removed embeddable components:
SignInAndUp - Removed overridable components:
ThirdPartySignInAndUpHeader,ThirdPartySignUpFooter - Moved
useShadowDom,privacyPolicyLink,termsOfServiceLinkfrom the config to the root configuration passed toSuperTokens.init.
- Removed embeddable components:
-
Removed
SESSION_ALREADY_EXISTSevent from auth recipes and moved it into theSessionrecipe -
Added new keys to
data-supertokensprops of several elements -
Updated some styles to work with the updated UI structure
-
Renamed translation strings to reflect the new component/UI structure:
EMAIL_PASSWORD_SIGN_IN_FORGOT_PW_LINKinstead ofEMAIL_PASSWORD_SIGN_IN_FOOTER_FORGOT_PW_LINKAUTH_PAGE_HEADER_TITLE_SIGN_IN_AND_UPinstead ofPWLESS_SIGN_IN_UP_HEADER_TITLEandTHIRD_PARTY_SIGN_IN_AND_UP_HEADER_TITLEAUTH_PAGE_HEADER_TITLE_SIGN_INinstead ofEMAIL_PASSWORD_SIGN_IN_HEADER_TITLEAUTH_PAGE_HEADER_SUBTITLE_SIGN_UP_STARTinstead ofEMAIL_PASSWORD_SIGN_IN_HEADER_SUBTITLE_STARTAUTH_PAGE_HEADER_SUBTITLE_SIGN_UP_SIGN_IN_LINKinstead ofEMAIL_PASSWORD_SIGN_IN_HEADER_SUBTITLE_SIGN_UP_LINKAUTH_PAGE_HEADER_SUBTITLE_SIGN_UP_ENDinstead ofEMAIL_PASSWORD_SIGN_IN_HEADER_SUBTITLE_ENDAUTH_PAGE_HEADER_TITLE_SIGN_UPinstead ofEMAIL_PASSWORD_SIGN_UP_HEADER_TITLEAUTH_PAGE_HEADER_SUBTITLE_SIGN_IN_STARTinstead ofEMAIL_PASSWORD_SIGN_UP_HEADER_SUBTITLE_STARTAUTH_PAGE_HEADER_SUBTITLE_SIGN_IN_SIGN_UP_LINKinstead ofEMAIL_PASSWORD_SIGN_UP_HEADER_SUBTITLE_SIGN_IN_LINKAUTH_PAGE_HEADER_SUBTITLE_SIGN_IN_ENDinstead ofEMAIL_PASSWORD_SIGN_UP_HEADER_SUBTITLE_ENDAUTH_PAGE_FOOTER_STARTinstead ofEMAIL_PASSWORD_SIGN_UP_FOOTER_START,PWLESS_SIGN_IN_UP_FOOTER_STARTandTHIRD_PARTY_SIGN_IN_UP_FOOTER_STARTAUTH_PAGE_FOOTER_TOSinstead of:EMAIL_PASSWORD_SIGN_UP_FOOTER_TOS,PWLESS_SIGN_IN_UP_FOOTER_TOSandTHIRD_PARTY_SIGN_IN_UP_FOOTER_TOSAUTH_PAGE_FOOTER_ANDinstead ofEMAIL_PASSWORD_SIGN_UP_FOOTER_AND,PWLESS_SIGN_IN_UP_FOOTER_ANDandTHIRD_PARTY_SIGN_IN_UP_FOOTER_ANDAUTH_PAGE_FOOTER_PPinstead ofEMAIL_PASSWORD_SIGN_UP_FOOTER_PP,PWLESS_SIGN_IN_UP_FOOTER_PPandTHIRD_PARTY_SIGN_IN_UP_FOOTER_PPAUTH_PAGE_FOOTER_ENDinstead ofEMAIL_PASSWORD_SIGN_UP_FOOTER_END,PWLESS_SIGN_IN_UP_FOOTER_ENDandTHIRD_PARTY_SIGN_IN_UP_FOOTER_END
- Added overrideable components:
- General:
AuthPageComponentList,AuthPageHeader,AuthPageFooter.- These can be overridden by using
AuthRecipeComponentsOverrideContextProvider
- These can be overridden by using
Passwordless:PasswordlessContinueWithPasswordless_Override
- General:
- Added new embeddable components:
- General:
AuthPageandAuthPageTheme EmailPassword:SignInTheme,SignUpTheme
- General:
- Added a new
styleprop to the root level config
-
If you were using
ThirdPartyEmailPassword, you should now initThirdPartyandEmailPasswordrecipes separately. The config for the individual recipes are mostly the same, except the syntax may be different. Check our recipe guides for ThirdParty and EmailPassword for more information. -
If you were using
ThirdPartyPasswordless, you should now initThirdPartyandPasswordlessrecipes separately. The config for the individual recipes are mostly the same, except the syntax may be different. Check our recipe guides for ThirdParty and Passwordless for more information.
Several configuration options (useShadowDom, defaultToSignUp, privacyPolicyLink, termsOfServiceLink) were moved to the root configuration (the one passed directly to SuperTokens.init) out of recipe specific configs. The function of these props remain identical, the only necessary migration is moving them:
Before:
SuperTokens.init({
appInfo: {
// appInfo
},
recipeList: [
EmailPassword.init({
useShadowDom: false,
signInAndUpFeature: {
defaultToSignUp: true,
signUpForm: {
privacyPolicyLink: "http://example.com",
termsOfServiceLink: "http://example.com",
},
},
}),
Session.init(),
],
});After:
SuperTokens.init({
appInfo: {
// appInfo
},
useShadowDom: false,
defaultToSignUp: true,
privacyPolicyLink: "http://example.com",
termsOfServiceLink: "http://example.com",
recipeList: [EmailPassword.init(), Session.init()],
});The auth page related embeddable components (SignInAndUp, SignInUp) and the related theme components were removed. We instead recommend you to use the new AuthPage component with the appropriate pre-built UI objects and factorsIds set. For more information check the following guide
Before:
import { SignInAndUp } from "supertokens-auth-react/recipe/thirdpartyemailpassword/prebuiltui";
const Component = () => {
const navigate = useNavigate();
return <SignInAndUp navigate={navigate} />;
};After:
import { PasswordlessPreBuiltUI } from "supertokens-auth-react/recipe/passwordless/prebuiltui";
import { AuthPage } from "supertokens-auth-react/ui";
const Component = () => {
const navigate = useNavigate();
return <AuthPage preBuiltUIList={[PasswordlessPreBuiltUI]} factors={["otp-phone"]} navigate={navigate} />;
};Some parts of our default styles have been changed, including some changes to the data-supertokens props added to elements. Since customizations can take many forms we cannot give you exact guidance on how/what needs to change. In almost all cases, no updates should be required, but please check that your custom styles still work as you expect.
- Custom
inputComponents(in sign in/up form fields) now get reference-stable callbacks.
The shouldDoInterceptionBasedOnUrl function now returns true:
- If sessionTokenBackendDomain is a valid subdomain of the URL's domain. This aligns with the behavior of browsers when sending cookies to subdomains.
- Even if the ports of the URL you are querying are different compared to the apiDomain's port ot the sessionTokenBackendDomain port (as long as the hostname is the same, or a subdomain of the sessionTokenBackendDomain): #217
- Changed an internal test script to fix a dependency issue in CI
onFailureRedirectionis no longer allowed to return relative paths.- We now throw an error if
onFailureRedirectionreturns the current URL or path when:- redirecting away from the auth page (
websiteBasePath, usually/auth) when a session already exists, - redirecting after sign in/up,
- redirecting after successful email verification,
- redirecting after a successful MFA factor completion.
- redirecting away from the auth page (
- We now redirect to the factor chooser screen if the MFA claim validator fails even if there is no available next factor. This will always show an access denied screen, which should help debugging.
clearOnSubmitnow only clears the field value if the request returned an error. This is because the form navigates on success, making clearing the field unnecessary (which can lead to confusing UX if the navigation takes too long).- Fixed an issue where
SessionAuthcontents popped in before navigating away if a claim validator failed:- Now we ony set the context if
onFailureRedirectionreturned the current URL. - Now we ony call the navigation function if
onFailureRedirectionreturned something different than the current URL.
- Now we ony set the context if
- Made the
nameproperty optional in custom provider configs for usage withusesDynamicLoginMethods, where the tenant configuration is expected to set the name dynamically.- Note, that not setting the name will make the UI crash if the
usesDynamicLoginMethodsis set tofalseor if the tenant configuration doesn't include a provider list.
- Note, that not setting the name will make the UI crash if the
- Fixes how we fetch the component to render based on the current path to take into account non auth recipes correctly.
- Adds Remix example reference.
With this release, we are introducing MultiFactorAuth and TOTP, this will let you:
- require (2FA or MFA) during sign in
- make use of TOTP (e.g.: Google authenticator) as an MFA challenge
Check our guide for more information.
SUCCESSredirections are now handled by thegetRedirectionURLcallback passed to theSuperTokens.initconfig, instead of the recipe level callbacksisNewPrimaryUseris renamed tocreatedNewUser- Refactored/renamed some styling options (
resetPasswordHeaderTitle->headerTitle withBackButton) - Some default styling has changed related to how fonts/font-weights are applied
- Changed how
headerSubtitleis styled in components:EmailPasswordResetPasswordEmail,EmailPasswordSubmitNewPassword,EmailPasswordSignInHeader,EmailPasswordSignUpHeader - Removed an
ErrorBoundarywrapping all our feature components to make sure all errors are properly catchable by the app - In
supertokens-web-js(which you may also be using), we addedfirstFactorsinto the return type ofgetLoginMethodsand removed the enabled flags of different login methods.- For older FDI versions, the firstFactors array will be calculated based on those enabled flags.
- Renamed
validatorIdin claim validation errors toidto match the backend SDKs
Before:
import SuperTokens, { SuperTokensWrapper, getSuperTokensRoutesForReactRouterDom } from "supertokens-auth-react";
import Passwordless from "supertokens-auth-react/recipe/passwordless";
SuperTokens.init({
appInfo: {
// appInfo
},
recipeList: [
Passwordless.init({
contactMethod: "EMAIL_OR_PHONE",
async getRedirectionURL(context) {
if (context.action === "SUCCESS") {
if (context.isNewRecipeUser) {
// new primary user
} else {
// only a recipe user was created
}
}
return undefined;
},
}),
Session.init(),
],
});After:
import SuperTokens, { SuperTokensWrapper, getSuperTokensRoutesForReactRouterDom } from "supertokens-auth-react";
import Passwordless from "supertokens-auth-react/recipe/passwordless";
SuperTokens.init({
appInfo: {
// appInfo
},
async getRedirectionURL(context, userContext) {
if (context.action === "SUCCESS" && context.newSessionCreated) {
if (context.createdNewUser && context.recipeId === "passwordless") {
// custom logic
}
}
// Returning undefined means we use the default redirection
return undefined;
},
recipeList: [
Passwordless.init({
contactMethod: "EMAIL_OR_PHONE",
}),
Session.init(),
],
});There are 2 types of style changes in this release:
-
Refactored/renamed some styling options. If you didn't add custom styles for the following classes there is no action needed
resetPasswordHeaderTitle: should now be styled usingwithBackButtonheaderSubtitle: now directly includes the text instead of adiv, your styles may require an update to match this change
-
Some default styling has changed related to how fonts/font-weights are applied. This may interact with your own font/sizing settings, if you didn't add font, font-size/weight and size changes to your custom styles, no action should be needed.
Both of the above changes could have subtle interactions with custom styles, so we recommend a quick manual (visual) test to make sure everything still looks right.
If you used to use the enabled flags in getLoginMethods:
Before:
async function checkLoginMethods() {
const loginMethods = await Multitenancy.getLoginMethods();
if (loginMethods.thirdParty.enabled) {
// custom logic
}
if (loginMethods.emailPassword.enabled) {
// custom logic
}
if (loginMethods.passwordless.enabled) {
// custom logic
}
}After:
async function checkLoginMethods() {
const loginMethods = await Multitenancy.getLoginMethods();
if (loginMethods.firstFactors.includes("thirdparty")) {
// custom logic
}
if (loginMethods.firstFactors.includes("emailpassword")) {
// custom logic
}
if (
loginMethods.firstFactors.includes("otp-email") ||
loginMethods.firstFactors.includes("otp-phone") ||
loginMethods.firstFactors.includes("link-email") ||
loginMethods.firstFactors.includes("link-phone")
) {
// custom logic
}
}Before:
import SuperTokens, { SuperTokensWrapper, getSuperTokensRoutesForReactRouterDom } from "supertokens-auth-react";
import Passwordless from "supertokens-auth-react/recipe/passwordless";
SuperTokens.init({
appInfo: {
// appInfo
},
recipeList: [
Passwordless.init({
contactMethod: "EMAIL_OR_PHONE",
onHandleEvent(context) {
if (context.action === "SUCCESS") {
let user = context.user;
if (context.isNewRecipeUser && context.user.loginMethods.length === 1) {
// sign up success
} else {
// sign in success
}
}
},
}),
Session.init(),
],
});After:
import SuperTokens, { SuperTokensWrapper, getSuperTokensRoutesForReactRouterDom } from "supertokens-auth-react";
import Passwordless from "supertokens-auth-react/recipe/passwordless";
SuperTokens.init({
appInfo: {
// appInfo
},
recipeList: [
Passwordless.init({
contactMethod: "EMAIL_OR_PHONE",
onHandleEvent(context) {
if (context.action === "SUCCESS" && context.createdNewSession) {
let user = context.user;
let rid = context.rid;
if (context.isNewRecipeUser && context.user.loginMethods.length === 1) {
// sign up success
} else {
// sign in success
}
}
},
}),
Session.init(),
],
});If you used to use the validatorId prop of validationErrors, you should now use id instead.
Before:
async function checkValidators() {
const validationErrors = await Session.validateClaims();
for (const error of validationErrors) {
console.log(error.validatorId, error.reason);
}
}After:
async function checkValidators() {
const validationErrors = await Session.validateClaims();
for (const error of validationErrors) {
console.log(error.id, error.reason);
}
}- Added support for FDI 1.19 (Node SDK>= 17.0.0), but keeping support FDI version 1.17 and 1.18 (node >= 15.0.0, golang>=0.13, python>=0.15.0)
- Added the
MultiFactorAuthandTOTPrecipes. To start using them you'll need compatible versions:- Core>=8.0.0
- supertokens-node>=17.0.0
- supertokens-website>=18.0.0
- supertokens-web-js>=0.10.0
- supertokens-auth-react>=0.39.0
- Added new MFA related components to Passwordless
- Added new prop
mfaFeatureto recipe configdisableDefaultUI: can be used to disable paths:${websiteBasePath}/mfa/otp-phone,${websiteBasePath}/mfa/otp-emailstyle: is applied on top of normal sign in/up styles on the MFA paths
- New embeddable components:
MfaOtpPhone(by default handling path${websiteBasePath}/mfa/otp-phone)MfaOtpEmail(by default handling path${websiteBasePath}/mfa/otp-email)
- New overrideable components:
PasswordlessMFAHeader_OverridePasswordlessMFAFooter_OverridePasswordlessMFAOTPHeader_OverridePasswordlessMFAOTPFooter_Override
- Please note, that during MFA we re-use the existing overrideable comps for the form section:
PasswordlessEmailForm_OverridePasswordlessPhoneForm_OverridePasswordlessEmailOrPhoneForm_Override
- Added new prop
- Added a
useShadowDomprop to theAccessDeniedScreen - Added an
errorprop to theAccessDeniedScreenthat can be used to describe the reason access is denied. - Added a
footerprop toEmailOrPhoneForm,EmailFormandPhoneFormwhich is used to override the default sign in/up footers in case the component is for MFA - Sign in/up functions can now return new (MFA related) error codes.
- New (MFA related) error codes have been added to the default translation files.
- Updated how we select which login UI to show to take the
firstFactorsconfig value into account (defined in theMultiFactorAuthrecipe or in the tenant information) - The passwordless and thirdpartypasswordless sign in/up screens now respect the firstFactors configuration (defined in the
MultiFactorAuthrecipe or in the tenant information) when selecting the available contact methods. - Added TOTP recipe. For more details please check our guide MFA guide.
- Fixed a font loading issue, that caused apps using the default (Rubik) font to appear with the incorrect font weights
- Added
ridandcreatedNewSessionto events withaction: "SUCCESS"
- Previously, when calling
redirectToAuthwith theredirectBackoption, url fragments(hash) were stripped when redirecting back to the previous page after authentication. This issue has been fixed, and url fragments are preserved along with the query params. For users who employed the workaround of overriding thewindowHandler.location.getSearchfunction to include fragments, it is essential to remove that override before upgrading to this version.
- Fixes types argument in override functions to make
buildernon optional.
- The default
DateProviderimplementation relies onlocalStorage. If your environment lacks support forlocalStorage, you must provide custom implementations for either theDateProviderorlocalStorage.
- Exporting the
DateProviderfrom supertokens-web-js, that both built-in and custom validators can use instead ofDate.nowto get an estimate of the server clock. - Added the
dateProviderprop to the configuration that can be used to customize the built-inDateProvider. - Added
calculateClockSkewInMillisas an overrideable function to the Session recipe that estimates the time difference between the backend and the client.
- Previously, when calling
redirectToAuthwith theredirectBackoption, query parameters were stripped when redirecting back to the previous page after authentication. This issue has been fixed, and now query parameters are preserved as intended.
getRedirectionURLnow supports returningnullto prevent automatic redirection, useful for customizing the behavior after successful sign-in or sign-up. Typically, this is used if you want to embed the sign in / up component in a popup and want to just dismiss the popup post login.
Here's an example of how to use this:
EmailPassword.init({
getRedirectionURL: async (context, userContext) => {
if (context.action === "SUCCESS") {
return null;
}
// Returning undefined falls back to the default redirection strategy
return undefined;
},
});-
getRedirectionURLnow receivesuserContextas the second argument. -
isNewPrimaryUserboolean property has been added toGetRedirectionURLContext. It can be used to check if a new primary user was created particularly in scenarios involving account linking. -
UserContexttype has been changed toRecord<string, unknown>fromany. -
The
PreBuiltUIcomponents now accept anavigateprop, internally utilized by SuperTokens for redirection. This becomes handy when manually rendering the component and desiring client-side navigation instead of a full-page refresh for any redirection. Here's an example usingreact-router-dom@v6:
import { SignInUp } from "supertokens-auth-react/recipe/passwordless/prebuiltui";
import { useNavigate } from "react-router-dom";
function CustomSignInUp() {
const navigate = useNavigate();
return <SignInUp navigate={navigate} />;
}-
userproperty has been removed fromGetRedirectionURLContext.To get theuserobject from backend, you can follow hte instructions here. -
The
CloseTabScreencomponent, previously featured in the passwordless recipe visible when a user signs in from another tab using a magic link, has been removed. Users will continue to see the 'Enter OTP' screen until they refresh. If you were overriding this component usingPasswordlessCloseTabScreen_Override, you no longer need to do so. -
If your workflow involves custom validation, such as Phone Number verification, after signing in, ensure your code aligns with the updated examples found in with-phone-password or with-thirdpartyemailpassword-passwordless.
Changes:
- The need to manually set
props.featureState.successInAnotherTabtofalseto avoid displaying theCloseTabScreencomponent has been eliminated.
- The need to manually set
- Fixes ThirdPartyEmailPassword rendering sign in/up switcher even with disabled email password. Instead it'll now render
SignInAndUpHeader_Overridein this case (overrideable asThirdPartySignInAndUpHeader). OverridingThirdPartyEmailPasswordHeader_Overrideshould still cover all cases. - Added a new prop to
ThirdPartyEmailPasswordHeader_Overrideyou can use to check if email password is enabled.
- Fixes
inputComponentprops to make them non optional. This is in the context of customizing the sign up form to add custom react components.
- EmailPassword and ThirdPartyEmailPassword recipe enhancements:
- Introduced the capability to utilize custom components by exposing
inputComponenttypes. - Allow setting default values in signup/signin form fields.
- Made the
onChangeprop ininputComponentsimpler by removing the need for anidattribute. - Added a feature to customize the "Field is not optional" error message for each form field with the
nonOptionalErrorMsgprop.
- Introduced the capability to utilize custom components by exposing
Following is an example of how to use above features.
EmailPassword.init({
signInAndUpFeature: {
signUpForm: {
formFields: [
{
id: "select-dropdown",
label: "Select Option",
getDefaultValue: () => "option 2",
nonOptionalErrorMsg: "Select dropdown is required",
inputComponent: ({ value, name, onChange }) => (
<select
value={value}
name={name}
onChange={(e) => onChange(e.target.value)}
placeholder="Select Option">
<option value="" disabled hidden>
Select an option
</option>
<option value="option 1">Option 1</option>
<option value="option 2">Option 2</option>
<option value="option 3">Option 3</option>
</select>
),
},
],
},
},
});
ThirdPartyEmailPassword.init({
signInAndUpFeature: {
signUpForm: {
formFields: [
{
id: "terms",
label: "",
optional: false,
getDefaultValue: () => "true",
nonOptionalErrorMsg: "You must accept the terms and conditions",
inputComponent: ({ name, onChange, value }) => (
<div
style={{
display: "flex",
alignItems: "center",
justifyContent: "left",
}}>
<input
value={value}
checked={value === "true"}
name={name}
type="checkbox"
onChange={(e) => onChange(e.target.checked.toString())}></input>
<span style={{ marginLeft: 5 }}>I agree to the terms and conditions</span>
</div>
),
},
],
},
},
});- Updated test expectations to match fix in the node behaviour of the emailVerifyGET endpoint
- Setting
autocompletein passwordless forms for email, phone and OTP
- Fixed shadow dom issue in nextjs dev mode by checking if a shadow root is already attached to the div before creating one.
- Updated dev/start script in netlify example
- fixed using
twitteras id by default in twitter provider.
-
Added new social provider
twitter -
Introduced a new option
logofor thirdparty custom providers to set a custom logo, just like thenameproperty.
Following is an example of how to use this new logo property.
ThirdPartyPasswordless.init({
signInUpFeature: {
providers: [
ThirdPartyPasswordless.Google.init(),
ThirdPartyPasswordless.Apple.init(),
{
id: "discord",
name: "Discord",
logo: <svg
xmlns="http://www.w3.org/2000/svg"
height="1em"
viewBox="0 0 640 512"
>
<path d="M524.531,69.836a1.5,1.5,0,0,0-.764-.7A485.065,485.065,0,0,0,404.081,32.03a1.816,1.816,0,0,0-1.923.91,337.461,337.461,0,0,0-14.9,30.6,447.848,447.848,0,0,0-134.426,0,309.541,309.541,0,0,0-15.135-30.6,1.89,1.89,0,0,0-1.924-.91A483.689,483.689,0,0,0,116.085,69.137a1.712,1.712,0,0,0-.788.676C39.068,183.651,18.186,294.69,28.43,404.354a2.016,2.016,0,0,0,.765,1.375A487.666,487.666,0,0,0,176.02,479.918a1.9,1.9,0,0,0,2.063-.676A348.2,348.2,0,0,0,208.12,430.4a1.86,1.86,0,0,0-1.019-2.588,321.173,321.173,0,0,1-45.868-21.853,1.885,1.885,0,0,1-.185-3.126c3.082-2.309,6.166-4.711,9.109-7.137a1.819,1.819,0,0,1,1.9-.256c96.229,43.917,200.41,43.917,295.5,0a1.812,1.812,0,0,1,1.924.233c2.944,2.426,6.027,4.851,9.132,7.16a1.884,1.884,0,0,1-.162,3.126,301.407,301.407,0,0,1-45.89,21.83,1.875,1.875,0,0,0-1,2.611,391.055,391.055,0,0,0,30.014,48.815,1.864,1.864,0,0,0,2.063.7A486.048,486.048,0,0,0,610.7,405.729a1.882,1.882,0,0,0,.765-1.352C623.729,277.594,590.933,167.465,524.531,69.836ZM222.491,337.58c-28.972,0-52.844-26.587-52.844-59.239S193.056,219.1,222.491,219.1c29.665,0,53.306,26.82,52.843,59.239C275.334,310.993,251.924,337.58,222.491,337.58Zm195.38,0c-28.971,0-52.843-26.587-52.843-59.239S388.437,219.1,417.871,219.1c29.667,0,53.307,26.82,52.844,59.239C470.715,310.993,447.538,337.58,417.871,337.58Z" />
</svg>,
...- Split some test suites into multiple files to help with test parallelization
- Test fixes for backend SDK CI
With this release, we are introducing AccountLinking, this will let you:
- link accounts automatically,
- implement manual account linking flows.
Check our guide for more information.
To use this you'll need compatible versions:
- Core>=7.0.0
- supertokens-node>=16.0.0 (support is pending in other backend SDKs)
- supertokens-website>=17.0.3
- supertokens-web-js>=0.8.0
- supertokens-auth-react>=0.35.0
- Added support for FDI 1.18 (Node SDK>= 16.0.0), but keeping support FDI version1.17 (node >= 15.0.0, golang>=0.13, python>=0.15.0)
- User type has changed across recipes and functions: recipe specific user types have been removed and replaced by a generic one that contains more information
createdNewUserhas been renamed tocreatedNewRecipeUsercreateCode,consumeCode,createPasswordlessCodeandconsumePasswordlessCodecan now return status:SIGN_IN_UP_NOT_ALLOWEDsignInAndUpandthirdPartySignInAndUpcan now return new status:SIGN_IN_UP_NOT_ALLOWEDsendPasswordResetEmailcan now returnstatus: "PASSWORD_RESET_NOT_ALLOWED"signInandemailPasswordSignIncan now returnSIGN_IN_NOT_ALLOWEDsignUpandemailPasswordSignUpcan now returnSIGN_UP_NOT_ALLOWED- The context param of
getRedirectionURLgets an optionaluserprop (it's always defined ifcreatedNewRecipeUseris set to true) - Added new language translation keys
- We've added error messages for all of the above error statuses. Please see the new UI here. You can change the text using the language translation feature
We've added a generic User type instead of the old recipe specific ones. The mapping of old props to new in case you are not using account-linking:
user.idstaysuser.iduser.emailbecomesuser.emails[0]user.phoneNumberbecomesuser.phoneNumbers[0]user.thirdPartybecomesuser.thirdParty[0]user.timeJoinedis stilluser.timeJoineduser.tenantIdsis stilluser.tenantIds
- When calling passwordless consumeCode / social login signinup APIs, you can check if a user signed up by:
// Here res refers to the result the function/api functions mentioned above.
const isNewUser = res.createdNewRecipeUser && res.user.loginMethods.length === 1;
- When calling the emailpassword sign up API, you can check if a user signed up by:
const isNewUser = res.user.loginMethods.length === 1;
- In
getRedirectionURL
EmailPassword.init({ // This looks the same for other recipes
// Other config options.
async getRedirectionURL(context) {
if (context.action === "SUCCESS") {
if (context.isNewRecipeUser && context.user.loginMethods.length === 1) {
// new primary user
} else {
// only a recipe user was created
}
}
return undefined;
}
})
- In
onHandleEvent:
EmailPassword.init({ // This looks the same for other recipes
// Other config options.
onHandleEvent(context: EmailPasswordOnHandleEventContext) {
if (context.action === "SUCCESS") {
if (context.isNewRecipeUser && context.user.loginMethods.length === 1) {
// new primary user
} else {
// only a recipe user was created
}
}
},
})
- Fixed the SDK trying to merge the providers from the tenant config if the third party login method is disabled.
- Delaying the initial
getDynamicLoginMethodsuntil the first feature/routing component renders - Added a spinner that shows up if
usesDynamicLoginMethodsis true andgetDynamicLoginMethodstakes longer than 200ms - Updated with-one-login-many-subdomains example to match the create-supertokens-app-example
- Added a new optional parameter to
getSuperTokensRoutesForReactRouterDomto support embedded routes - Added Active Directory, Okta, Linked In, Boxy SAML, Google Workspaces providers
- Added name prop to buttonComponent
- Added thirdparty login with popup window
- Added Multitenancy recipe
- Improved typing of
getClaimValue - Optional
clientTypeconfig in the input forSuperTokens.initfunction, that is used by thirdparty and multitenancy recipes. - Optional
usesDynamicLoginMethodsconfig in the input forSuperTokens.initfunction, which makes the SDK check the backend to see which recipes should be enabled - Added an overrideable
getTenantIdFromURLto multiple recipes
-
Only supporting FDI 1.17
-
Backend SDKs have to be updated first to a version that supports multi-tenancy for thirdparty
- supertokens-node: >= 15.0.0
- supertokens-golang: >= 0.13.0
- supertokens-python: >= 0.15.0
-
In ThirdParty recipe,
-
Changed signatures of the functions
getAuthorisationURLWithQueryParamsAndSetStateimport { getAuthorisationURLWithQueryParamsAndSetState } from 'supertokens-auth-react/recipe/thirdparty'; getAuthorisationURLWithQueryParamsAndSetState({ - providerId: "google", + thirdPartyId: "google", - authorisationURL: "http://localhost/auth/callback/google", + frontendRedirectURI: "http://localhost/auth/callback/google", }); -
Removed functions -
setStateAndOtherInfoToStorage,getAuthorisationURLFromBackend,generateStateToSendToOAuthProvider,verifyAndGetStateOrThrowError,getAuthCodeFromURL,getAuthErrorFromURL,getAuthStateFromURL
-
-
In ThirdPartyEmailpassword recipe,
-
Changed signatures of the functions
getAuthorisationURLWithQueryParamsAndSetStateimport { getAuthorisationURLWithQueryParamsAndSetState } from 'supertokens-auth-react/recipe/thirdpartyemailpassword'; getAuthorisationURLWithQueryParamsAndSetState({ - providerId: "google", + thirdPartyId: "google", - authorisationURL: "http://localhost/auth/callback/google", + frontendRedirectURI: "http://localhost/auth/callback/google", }); -
Removed functions -
setStateAndOtherInfoToStorage,getAuthorisationURLFromBackend,generateStateToSendToOAuthProvider,verifyAndGetStateOrThrowError,getAuthCodeFromURL,getAuthErrorFromURL,getAuthStateFromURL
-
-
In ThirdPartyPasswordless recipe,
-
Changed signatures of the functions
getThirdPartyAuthorisationURLWithQueryParamsAndSetStateimport { getAuthorisationURLWithQueryParamsAndSetState } from 'supertokens-auth-react/recipe/thirdpartypasswordless'; getAuthorisationURLWithQueryParamsAndSetState({ - providerId: "google", + thirdPartyId: "google", - authorisationURL: "http://localhost/auth/callback/google", + frontendRedirectURI: "http://localhost/auth/callback/google", }); -
Removed functions -
setThirdPartyStateAndOtherInfoToStorage,getAuthorisationURLFromBackend,generateThirdPartyStateToSendToOAuthProvider,verifyAndGetThirdPartyStateOrThrowError,getThirdPartyAuthCodeFromURL,getThirdPartyAuthErrorFromURL,getThirdPartyAuthStateFromURL
-
- CSS change to fix the responsiveness of the default
AccessDeniedscreen
- Introduce
onFailureRedirectionandshowAccessDeniedOnFailureon claims and validators to make handling session claim validation failures easier - Added an
accessDeniedScreenprop toSessionAuth. The component passed as this prop is rendered if a claim validator (withshowAccessDeniedOnFailureset to true) fails. - Added a styleable
AccessDeniedScreento provide a useful default for the aboveaccessDeniedScreenprop. - Update to web-js interface version
- Updated supertokens-web-js dependency, which made SessionClaimValidator a type instead of an abstract class
- Added
textGrayto the palette variables (used in the default access denied screen) - Now the email verification feature component will never render
SendVerifyEmailwithout a session
- Fixed the types for EmailVerification.init to not require a config to be passed.
- Changed email verification index.tsx to use index.ts instead so that auto generated docs add it.
- Fixed with-thirdpartyemailpassword-passwordless apps overwritten button's width
- Fixed supertokens-auth-react/ui import referencing .js file instead of .d.ts causing ts issue
- Made Session.validateClaims argument optional
- Eliminated the need for duplicate
initcall for non-react applications that use pre-built UI. See the issue - Split/separate pre-built UI components from its recipe to reduce bundle sizes for apps that do not use pre-built UI
- Added thirdparty login with popup window example
This version also initializes the web-js SDK. If you previously did that manually, you can remove/replace it with the auth-react init call.
From this version forward, the recommended way to use this SDK, even with Angular and Vue, is to initialize auth-react in the root component. Importing supertokens-auth-react will not pull React into your main bundle; only importing the prebuiltui modules will.
For more details, check out our quick setup guides for angular and vue.
import SuperTokens, { SuperTokensWrapper, getSuperTokensRoutesForReactRouterDom } from "supertokens-auth-react";
import Passwordless from "supertokens-auth-react/recipe/passwordless";
// .... other imports
SuperTokens.init({
appInfo: {
// appInfo
},
recipeList: [
Passwordless.init({
contactMethod: "EMAIL_OR_PHONE",
}),
Session.init(),
],
});
<SuperTokensWrapper>
<div className="App">
<Router>
<div className="fill">
<Routes>
{/* This shows the login UI on "/auth" route */}
{getSuperTokensRoutesForReactRouterDom(require("react-router-dom"))}
// ... other routes
</Routes>
</div>
<Footer />
</Router>
</div>
</SuperTokensWrapper>;Should become
import SuperTokens, { SuperTokensWrapper } from "supertokens-auth-react";
import { getSuperTokensRoutesForReactRouterDom } from "supertokens-auth-react/ui";
import Passwordless from "supertokens-auth-react/recipe/passwordless";
import { PasswordlessPreBuiltUI } from "supertokens-auth-react/recipe/passwordless/prebuiltui";
// .... other imports
SuperTokens.init({
appInfo: {
// appInfo
},
recipeList: [
Passwordless.init({
contactMethod: "EMAIL_OR_PHONE",
}),
Session.init(),
],
});
<SuperTokensWrapper>
<div className="App">
<Router>
<div className="fill">
<Routes>
{/* This shows the login UI on "/auth" route for Passwordless recipe */}
{getSuperTokensRoutesForReactRouterDom(require("react-router-dom"), [PasswordlessPreBuiltUI])}
// ... other routes
</Routes>
</div>
<Footer />
</Router>
</div>
</SuperTokensWrapper>;import React from "react";
import SuperTokens, { SuperTokensWrapper } from "supertokens-auth-react";
class App extends React.Component {
render() {
if (SuperTokens.canHandleRoute()) {
// This renders the login UI on the /auth route
return SuperTokens.getRoutingComponent();
}
return <SuperTokensWrapper>{/*Your app*/}</SuperTokensWrapper>;
}
}Should become
import { SuperTokensWrapper } from "supertokens-auth-react";
import { canHandleRoute, getRoutingComponent } from "supertokens-auth-react/ui";
import { PasswordlessPreBuiltUI } from "supertokens-auth-react/recipe/passwordless/prebuiltui";
class App extends React.Component {
render() {
if (canHandleRoute([PasswordlessPreBuiltUI])) {
// This renders the login UI on the /auth route
return getRoutingComponent([PasswordlessPreBuiltUI]);
}
return <SuperTokensWrapper>{/*Your app*/}</SuperTokensWrapper>;
}
}- Added new social providers(Gitlab, Discord, Bitbucket)
- Switched dependency away from the removed/unpublished
mocha-split-testspackage
- Fix unsupported engine warning for npm v9
- Updates dependency versions for
supertokens-auth-reactandsupertokens-nodefor all example apps - Initialises the Dashboard recipe for all example apps
- Keep redirectToPath's query params while redirecting to it from auth
- Update example apps after header based auth
- Add ordering for imports
- Force consistent type imports
- Fixed all buttons to have pointer cursor on hover.
- Fixed component override propagation into sub-recipe only feature components (i.e., ThirdPartySignInAndUpCallbackTheme_Override in thirdpartyemailpassword)
- Updated
supertokens-web-jsdependency that requires a backend SDK update to:- supertokens-node: >= 13.0.0
- supertokens-python: >= 0.12.0
- supertokens-golang: >= 0.10.0
- Renamed configuration options:
sessionScoperenamed tosessionTokenFrontendDomaincookieDomainrenamed tosessionTokenBackendDomain
- Added support for authorizing requests using the
Authorizationheader instead of cookies- Added
tokenTransferMethodconfig option - Check out https://supertokens.com/docs/thirdpartyemailpassword/common-customizations/sessions/token-transfer-method for more information
- Added
- Prefilling the phone number input with the dial code if default country is set.
- Fixed guessing internation phone number in passwordless with EMAIL_OR_PHONE contact method if the number starts with a valid country dial code
- Updated many dependencies to fix warnings during install
- Updated our build process to use rollup as a bundler
- Removed dependency on emotion/chroma
- Updated to styling through plain CSS instead of objects/emotion. Check https://supertokens.com/docs/thirdpartyemailpassword/common-customizations/styling/changing-style for more info
- Removed palette option, colors are now customizable through setting CSS variables in styles. Check https://supertokens.com/docs/thirdpartyemailpassword/common-customizations/styling/changing-colours for more info
- Moved
supertokens-web-jsintodevDependencies. If using npm version 6, you also need to install it withnpm i --save supertokens-web-js. Later versions install it automatically. - The default phone number input changed in passwordless and thirdpartypasswordless recipe (switched to using
intl-tel-input)
Before:
SuperTokens.init({
appInfo: {
apiDomain: "...",
appName: "...",
websiteDomain: "...",
},
recipeList: [
ThirdPartyEmailPassword.init({
style: {
container: {
fontFamily: "cursive",
},
},
}),
Session.init(),
],
});After:
SuperTokens.init({
appInfo: {
apiDomain: "...",
appName: "...",
websiteDomain: "...",
},
recipeList: [
ThirdPartyEmailPassword.init({
style: `
[data-supertokens~=container] {
font-family: cursive;
}
`,
}),
Session.init(),
],
});Before:
SuperTokens.init({
appInfo: {
apiDomain: "...",
appName: "...",
websiteDomain: "...",
},
recipeList: [
ThirdPartyEmailPassword.init({
palette: {
background: "#333",
inputBackground: "#292929",
textTitle: "white",
textLabel: "white",
textPrimary: "white",
error: "#ad2e2e",
textInput: "#a9a9a9",
textLink: "#a9a9a9",
},
}),
Session.init(),
],
});After:
SuperTokens.init({
appInfo: {
apiDomain: "...",
appName: "...",
websiteDomain: "...",
},
recipeList: [
ThirdPartyEmailPassword.init({
style: `
[data-supertokens~=container] {
--palette-background: 51, 51, 51;
--palette-inputBackground: 41, 41, 41;
--palette-inputBorder: 41, 41, 41;
--palette-textTitle: 255, 255, 255;
--palette-textLabel: 255, 255, 255;
--palette-textPrimary: 255, 255, 255;
--palette-error: 173, 46, 46;
--palette-textInput: 169, 169, 169;
--palette-textLink: 169, 169, 169;
}
`,
}),
Session.init(),
],
});- Moved component override config into a recipe specific provider component
SuperTokens.init({
recipeList: [
EmailPassword.init({
override: {
components: {
EmailPasswordSignIn_Override: ({ DefaultComponent, ...props }) => {
return (
<div>
<img src="octocat.jpg" />
<DefaultComponent {...props} />
</div>
);
},
},
},
}),
],
});Components override would move to override provider component's prop:
import EmailPassword, { EmailPasswordComponentsOverrideProvider } from "supertokens-auth-react/recipe/emailpassword";
SuperTokens.init({
recipeList: [EmailPassword.init()],
});
function App() {
return (
<SuperTokensWrapper>
<EmailPasswordComponentsOverrideProvider
components={{
EmailPasswordSignIn_Override: ({ DefaultComponent, ...props }) => {
return (
<div>
<img src="octocat.jpg" />
<DefaultComponent {...props} />
</div>
);
},
}}>
{/* The rest of JSX */}
</EmailPasswordComponentsOverrideProvider>
</SuperTokensWrapper>
);
}
export default App;- Created test for the sign up attempt using duplicate email
- Trailing slash is added to URL when going back to "Sign In" from "Forgot Password" for consistency (fixes #625)
- Changed styles for social login buttons
- Updated test to match new behaviour of the website SDK - not rethrowing refresh errors during
doesSessionExist
getClaimValuefunction inside Session recipe - exposed because web-js exposes it too.
- Makes input userContext optional in
validateClaimsfunction in Session recipe
- Updated passwordless login to first try calling the API if it could guess a valid international phone number
- Cleaned up some warnings shown in the console
- Fixes an issue where pre api hooks would not work correctly when calling recipe functions directly
- Adding an interceptor for XMLHttpRequest by default upon initializing SuperTokens
- Marked
addAxiosInterceptorsas deprecated - Request interception can now be disabled by adding
superTokensDoNotDoInterceptionto the hash of the request (works as a queryparam as well)
- Made the header of the third party sign in/up form overrideable
- Fixed the error message shown if a network error occured while consuming a link in passwordless
- Now clearing the OTP input field in passwordless after submit (as it was intended)
- Fixed a case where SessionAuth could get stuck in an infinite loop
- Fixed some css related error logs appearing in console
- Fixes how our CI testing procedure (alway using latest)
- Fixes parameter type for Passwordless
consumeCode
- Adds
redirectToAuthto props of the overrideableSendVerifyEmailcomponent
- Redirecting to auth when opening the default UI on
/auth/verify-emailwith an unknown/deleted user instead of showing an empty screen - In case an error is thrown during loading session information/claim validation,
sessionContextwill now containdoesSessionExist: falseinstead of throwing an error
- Adds Session claims support and
UserRoleClaim,PermissionClaimandEmailVerificationClaim - Added
overrideGlobalClaimValidatorsanddoRedirectiontoSessionAuthprops - Added
validateClaims,useClaimValueandgetInvalidClaimsFromResponseto theSessionrecipe - Added
API_INVALID_CLAIMevent to theSessionrecipe - Export for
EmailVerificationrecipe - Added "OPTIONAL" mode for the
EmailVerificationrecipe
- Fixed typing of
onSuccessprop on passwordlessSignInUpProps - Fixed some full-page redirect that happened even when using react-router-dom
- Fixed rare error in an edge case where
getSuperTokensRoutesForReactRouterDomwas used by a sub-component ofSessionAuth
- Only supporting FDI 1.15
- Backend SDKs have to be updated first to a version that supports session claims before enabling EmailVerification!
- supertokens-node: >= 12.0
- supertokens-golang: >= 0.9
- supertokens-python: >= 0.11
- EmailVerification recipe is now not initialized as part of auth recipes. You can add it to the recipe list as
EmailVerification.initlike other recipes. - Removed
OFFfrom possibleEmailVerificationrecipe modes, default is updated toREQUIRED. - Moved email verification related styling options, events, overrides, pre-api hooks and redirection contexts into the
EmailVerificationrecipe. You should configure them while initializing theEmailVerificationrecipe. - Removed recipe specific auth wrapper components. You should use
SessionAuthinstead. - Removed email verification methods from auth recipes. You should now call them on the
EmailVerificationrecipe directly. requireAuthnow defaults to true inSessionAuthto match the behavior of the removed recipe specific wrappers.- Removed
redirectToLoginfromSessionAuth. - Moved
redirectToAuthto SuperTokens out of auth recipes. You should now callSuperTokens.redirectToAuth()instead. In this functionredirectBackdefaults totrue. - Removed
SIGN_IN_AND_UPaction fromGetRedirectionURLContextof auth recipes. This should now be handled by passing agetRedirectionURLtoSuperTokens.initthat handles a context with theTO_AUTHaction.
SuperTokens.init({
// Normal init conf...
recipeList: [
EmailPassword.init({
getRedirectionURL: (context) => {
if (context.action === "SIGN_IN_AND_UP") {
// This handler should be moved to the SuperTokens.init level
return "/auth";
}
// All email verification related context should be now handled in the config of the EmailVerification recipe
},
onHandleEvent: () => {
// Handle email verification related events here in the onHandleEvent of the EmailVerification config
},
preAPIHook: (context) => {
// Move email verification related pre-API hooks into the preAPIHook of the EmailVerification config
},
postAPIHook: (context) => {
// Move email verification related post-API hooks into the postAPIHook of the EmailVerification config
}
emailVerificationFeature: {
mode: "REQUIRED",
// Any other props here should be moved into the config of the EmailVerification recipe
},
override: {
emailVerificationFeature: {
// These overrides should be moved into the config of the EmailVerification recipe
}
}
}),
]
})Should become:
SuperTokens.init({
// Normal init conf...
getRedirectionURL: (context) => {
if (context.action === "TO_AUTH") {
// Move handling the SIGN_IN_AND_UP action here
return "/auth";
}
},
recipeList: [
EmailVerification.init({
mode: "REQUIRED",
// Props from emailVerificationFeature of the EmailPassword.init config should be moved here.
override: {
// The overrides from emailVerificationFeature in the overrides of the EmailPassword config should be moved here
},
getRedirectionURL: (context) => {
// Move handling email verification related redirects here
},
onHandleEvent: () => {
// Handle email verification related events here
},
preAPIHook: (context) => {
// Move email verification related pre-API hooks here
},
postAPIHook: (context) => {
// Move email verification related post-API hooks here
},
}),
EmailPassword.init({}),
],
});function ProtectedHomeComponent() {
return (
<EmailPasswordAuth>
<Home />
</EmailPasswordAuth>
);
}Should become:
function ProtectedHomeComponent() {
return (
<SessionAuth>
<Home />
</SessionAuth>
);
}- We now ignore errors thrown while sending verification emails on mount as intended
- Calls the trim function for email and phone number validation in passwordless and emailpassword based recipes.
- Added
getRedirectURLconfiguration option to third-party providers. This can be used to set where the user is redirected back during the callback.
- SuperTokens components can now throw in case the server goes down. We advise adding an ErrorBoundary to provide a meaningful error screen. Please check here: https://reactjs.org/docs/error-boundaries.html
- Input colors now follow
inputBackgroundandtextInputeven while being pre-filled
- Updates
supertokens-nodeversion in example apps
- Makes the input argument for
consumePasswordlessCodein ThirdPartyPasswordless optional.
- Fixed clearing errors when switching between sign in & up in thirdpartyemailpassword
- Sign in/up components now take a
redirectOnSessionExistsprop that controls if it redirects away if a session exists on mount. Defaults to true. - Adds unit tests to make sure that recipe functions are exported correctly
- Fixes styling issue for login with github
- Updated
react-scriptsin all examples - Updated READMEs for example apps, removed information that is no longer relevant.
- Fixed capitalization of GitHub on the UI (fixes #539)
- Fixes prop passing when custom theme is used with the feature components
- Updates supabase example app to use supertokens-auth-react version 0.24
- Updates grammar for "Something went wrong" error text.
- Additional tests for
getRedirectionURL
- Update
supertokens-web-jsdependency version
- Fixes #523
- Fixes an issue where
userContextwould not get passed correctly forThirdPartyPasswordlessrecipe
- Added
SuperTokensWrapperintended to wrap around whole applications, providing a session context
- Made auth wrappers SSR compatible
- Added
loadingto the session context. Please check if the session context is still loading before using other props.loadingis always false inside components wrapped byAuthWrappers withrequireAuth=true
Following is an example of how your components may have to change. If you had components like this:
// .... other imports
import SuperTokens, { getSuperTokensRoutesForReactRouterDom, SuperTokensWrapper } from "supertokens-auth-react";
import { useSessionContext } from "supertokens-auth-react/recipe/session";
import { ThirdPartyEmailPasswordAuth } from "supertokens-auth-react/recipe/thirdpartyemailpassword";
function Component() {
const sessionContext = useSessionContext();
return <div className="fill">{sessionContext.doesSessionExist ? "logged in" : "logged out"}</div>;
}
SuperTokens.init({
/* config... */
});
function App() {
return (
<div className="App">
<Router>
<div className="fill">
<Routes>
{getSuperTokensRoutesForReactRouterDom(require("react-router-dom"))}
<Route
path="/some-path"
element={
<ThirdPartyEmailPasswordAuth requireAuth={true}>
{/*
In this case, Component will always display logged in.
If doesSessionExist is false after the session is loaded, the user is redirected to the login screen
*/}
<Component />
</ThirdPartyEmailPasswordAuth>
}
/>
<Route
path="/"
element={
<ThirdPartyEmailPasswordAuth requireAuth={false}>
<Component />
</ThirdPartyEmailPasswordAuth>
}
/>
</Routes>
</div>
</Router>
</div>
);
}It'd look like this after the update:
// .... other imports
import SuperTokens, { getSuperTokensRoutesForReactRouterDom, SuperTokensWrapper } from "supertokens-auth-react";
import { useSessionContext } from "supertokens-auth-react/recipe/session";
import { ThirdPartyEmailPasswordAuth } from "supertokens-auth-react/recipe/thirdpartyemailpassword";
function Component() {
const sessionContext = useSessionContext();
if (sessionContext.loading === true) {
// You could display a loading screen here, but session context loading is very fast
// so returning null is better in most cases to avoid content popping in and out
return null;
}
return <div className="fill">{sessionContext.doesSessionExist ? "logged in" : "logged out"}</div>;
}
SuperTokens.init({
/* config is unchanged */
});
function App() {
return (
<div className="App">
<SuperTokensWrapper>
<Router>
<div className="fill">
<Routes>
{getSuperTokensRoutesForReactRouterDom(require("react-router-dom"))}
<Route
path="/some-path"
element={
<ThirdPartyEmailPasswordAuth requireAuth={true}>
{/*
In this case, Component will never hit the loading === true branch.
It will only be rendered if `loading === false && doesSessionExist === true`
If doesSessionExist is false after the session is loaded, the user is redirected to the login screen
*/}
<Component />
</ThirdPartyEmailPasswordAuth>
}
/>
<Route path="/" element={<Component />} />
</Routes>
</div>
</Router>
</SuperTokensWrapper>
</div>
);
}- Adds an example app with Vue + React
- Updates to supertokens-web-js version to reflect interface change in
cookieHandler - Updates angular example app to use
supertokens-web-js
- Fixed dropdown interactivity of the country dropdown of the phone number input
- Added memoization to reduce unnecessary rerenders of phone number input sub-components
- Disabled smart-caret to fix a caret positioning bug on android phones in phone number input
- [CI]: Changes dependency for node SDK in integration tests so that tests pass when using node 14
- Showing a confirmation button before consuming a passwordless link if there is no stored login attempt info or if it doesn't match the link
- Showing a confirmation button before consuming an email verification token if there is no active session to prevent mail scanners validating the email address
- Adds an example app with Email Verification with OTP
- Changes in the Reset Password Email Sent success screen in
emailpasswordandthirdpartyemailpasswordrecipes- Updated text of the success message displayed
- Updated text of the 'Resend' button which redirects user back to Reset Password form
- Update supertokens-web-js dependency version
- Added new tests for checking general error handling
- Refactors example apps to not import from build directories
- fixes to angular example app
- Not importing helpers from
tslib
- The reset password form has a back button which takes the user back to the 'Sign in' form in
emailpasswordandthirdpartyemailpasswordrecipes. - Back button in the reset password email sent success screen that redirects user to the 'Sign In' form in
emailpasswordandthirdpartyemailpasswordrecipe. - Support for FDI 1.14
- The reset password form has a back button which takes the user back to the 'Sign in' form in
emailpasswordandthirdpartyemailpasswordrecipes.
- Removes
setCookieSyncandgetCookieSyncfrom the interface forcookieHandlerwhen callingSuperTokens.init
- Exposes more functions from each recipe.
- Updates the dependency version of supertokens-auth-react for example apps
- Updated typescript to latest
- Using tsconfig to set jsx import source instead of pragma comments
- Updated react-shadow
- Clearing errors when switching between sign-in and up
- Updated typescript to latest
- Using tsconfig to set jsx import source instead of pragma comments
- Updated react-shadow
- Updates the example app for ThirdPartyEmailPassword + Passwordless login with SuperTokens
- Adds new tests for testing resend code button in passwordless recipe
- Only running React 16 tests on CircleCI (when an explicit envvar is set)
- Adds a SuperTokens + Supabase example app
- Adds an example app with svelte
- Adds phone number and password demo app
- Adds an example app with Angular + React
- Now using parallel builds
- Screenshotting failed tests
- Exporting test results
- The return type of
userin the following functions to include information returned by the third party providersignInAndUpfunction for ThirdParty recipethirdPartySignInAndUpfunction for the ThirdPartyEmailPassword recipethirdPartySignInAndUpfunction for the ThirdPartyPasswordless recipe
- All recipe functions now accept an additional parameter
userContext, learn more about this by visiting the advanced cusotmisations section in the documentation - All UI components exported by the SDK now accept an additional
userContextprop, learn more about this by visiting the advanced cusotmisations section in the documentation - Exports more recipe functions for emailverification recipe to allow them to be called without using the pre-built UI. Newly exported functions:
verifyEmail,sendVerificationEmail - Exports all emailverification recipe functions from emailpassword, thirdparty, thirdpartyemailpassword and thirdpartypasswordless recipes.
- Exports more recipe functions for emailpassword recipe to allow them to be called without using the pre-built UI. Newly exported functions:
submitNewPassword,sendPasswordResetEmail,signUp,signIn,doesEmailExist. - Exports more recipe functions for thirdparty recipe to allow them to be called without using the pre-built UI. Newly exported functions:
getAuthorisationURLWithQueryParamsAndSetState,signInAndUp. - Exports emailpassword and thidparty recipe functions from thirdpartyemailpassword recipe to allow them to be called without using the pre-built UI. Also exports
redirectToThirdPartyLoginfrom thirdpartyemailpassword recipe. - Exports more recipe functions for passwordless recipe to allow them to be called without using the pre-built UI. Newly exported functions:
createCode,resendCode,consumeCode,doesEmailExist,doesPhoneNumberExist - Exports more recipe functions for thirdpartypasswordless recipe to allow them to be called without using the pre-built UI. Newly exported functions:
redirectToThirdPartyLogin,thirdPartySignInAndUp,createCode,resendCode,consumeCode,doesPasswordlessUserEmailExist,doesPasswordlessUserPhoneNumberExist - Changes recipe functions for email verification recipe (this is breaking change if you use the override feature):
verifyEmail-> No longer acceptstokenas a parameter, instead it callsgetEmailVerificationTokenFromURLgetEmailVerificationTokenFromURL-> NEW FUNCTION
- Changes recipe functions for email password recipe (this is breaking change if you use the override feature):
submitNewPassword-> No longer acceptstokenas a parameter, instead callsgetResetPasswordTokenFromURLgetResetPasswordTokenFromURL-> NEW FUNCTION
- Changes recipe functions for third party recipe (this is breaking change if you use the override feature):
getOAuthState-> RENAMED TOgetStateAndOtherInfoFromStoragesetOAuthState-> RENAMED TOsetStateAndOtherInfoToStoragegetOAuthAuthorisationURL-> RENAMED TOgetAuthorisationURLFromBackendgetAuthorisationURLWithQueryParamsAndSetState-> NEW FUNCTIONgenerateStateToSendToOAuthProvider-> NEW FUNCTIONverifyAndGetStateOrThrowError-> NEW FUNCTIONgetAuthCodeFromURL-> NEW FUNCTIONgetAuthErrorFromURL-> NEW FUNCTIONgetAuthStateFromURL-> NEW FUNCTIONredirectToThirdPartyLogin-> REMOVED (usegetAuthorisationURLWithQueryParamsAndSetStateinstead). NOTE: If you call this function yourself the SDK will no longer auto-redirect, you will need to redirect to the result url manually.
- Changes recipe funtions for third party email password recipe (this is breaking change if you use the override feature):
- Changes for email password functions explained above
- Changes for third party functions explained above
signInAndUp-> REMOVED, this function has been split into 3 new functions for simplicity (explained below)emailPasswordSignUp-> NEW FUNCTIONemailPasswordSignIn-> NEW FUNCTIONthirdPartySignInAndUp-> NEW FUNCTION
- Changes recipe functions for passwordless recipe (this is breaking change if you use the override feature):
getLinkCodeFromURL-> NEW FUNCTIONgetPreAuthSessionIdFromURL-> NEW FUNCTION
- Changes recipe functions for thirdpartpasswordless recipe : (this is breaking change if you use the override feature):
- Changes for third party functions explained above
- Changes for passwordless recipe explained above
clearLoginAttemptInfo-> RENAMED TOclearPasswordlessLoginAttemptInfo
- Session recipe now uses supertokens-web-js internally (previously used supertokens-website)
- All recipes now include a
postAPIHookconfiguration parameter that can be used to respond to network actions. - General error handling for email verification components
- Updates function return types for all recipes to allow for custom API response handling when calling recipe functions manually
- All recipe functions now return an object which contains a
statusfield along with other properties (instead of returning a boolean directly for example), to make function return types more consistent across recipes - Updates signatures for functions exported from recipe/index to accept objects instead of params directly, to make function signatures consistent across all recipes
- Recipe config parameter
disableDefaultImplementationhas been renamed todisableDefaultUIto make the name more accurate to the effect the property has. This is applicable only if you are using the SDK with custom UI and disabling the pre-built UI that SuperTokens provides.
- Function return types now include a
fetchResponsefield for any function that makes a network request. If you override functions and return a custom object you will need to update your code to include afetchResponsefield that should be a clone of the original response object (Refer to this page)
For example if your override looks like this:
import SuperTokens from "supertokens-auth-react";
import EmailPassword from "supertokens-auth-react/recipe/emailpassword";
SuperTokens.init({
appInfo: {
apiDomain: "...",
appName: "...",
websiteDomain: "..."
},
recipeList: [
EmailPassword.init({
override: {
functions: (originalImplementation) => {
return {
...originalImplementation,
signIn: async function (input) {
let response = makeNetworkRequest();
// TODO: some custom logic
return {
status: "OK",
user: {...},
};
},
}
},
}
})
]
});You will need to modify the function like this:
...
signIn: async function (input) {
let response = makeNetworkRequest();
// TODO: some custom logic
return {
status: "OK",
user: {...},
fetchResponse: response.clone()
};
},
...NOTE: If you use the originalImplementation in your overrides, you can access fetchResponse from the returned object
import SuperTokens from "supertokens-auth-react";
import EmailPassword from "supertokens-auth-react/recipe/emailpassword";
SuperTokens.init({
appInfo: {
apiDomain: "...",
appName: "...",
websiteDomain: "..."
},
recipeList: [
EmailPassword.init({
override: {
functions: (originalImplementation) => {
return {
...originalImplementation,
signIn: async function (input) {
let response = await originalImplementation.signIn(input);
// TODO: some custom logic
return {
status: "OK",
user: {...},
fetchResponse: response.fetchResponse;
};
// OR return the default implementation
// return await originalImplementation.signIn(input)
},
}
},
}
})
]
});- All recipe functions now return an object instead of returning properties directly. For example:
async function isEmailVerified(input): Promise<boolean> {...}Now returns
async function isEmailVerified(input): Promise<{
status: "OK",
isVerified: boolean,
fetchResponse: Response, // Refer to point above
}> {...}- Adds an example app with emailpassword + vercel
- Reverts version of react-select dependency
- Fixed support for react 18 strict mode
- Updated react dependency to react 18
- Added tests for react 18 and 16.
- Changed how linking is done for tests apps
- Changed e2e tests to not query test oauth provider when fetching profile info - since they are rate limited.
- Adds debug logging
- Now updating the session context when the access token payload is updated
- Updated supertokens-webiste dependency to ^11.0.0
- An example app with emailpassword + vercel
- A new config property
cookieHandlerthat allows for custom handling when the SDK reads/writes cookies - A new config property
windowHandlerthat allows for custom handling when the SDK uses any functions from the Window API. - An example app with thirdpartypasswordless + Electron
- Makes error message for changing of props in
SessionAuthmore clear. - Freezes dependency lib versions since sometimes there can be unexpected changes in those that break our UI.
- Uses PropsWithChildren to define the type of the children props
- Fixed FormBase behavior when mounted multiple times (NextJS issue)
- Now using parallel builds
- Screenshotting failed tests
- Exporting test results
- Refactor to the URL for the powered by component displayed on the auth forms
- ThirdParty+Passwordless recipe
- Adds 3 retries to mocha tests
- Removed footer prop from
PasswordlessEmailForm,PasswordlessPhoneFormandPasswordlessEmailOrPhoneFormoverridable components.
- Reworked feature components with several changes in state handling
- Component override keys changed (all ending in
_Overridenow) - Removed
ThirdPartyEmailPasswordSignInAndUpFormoverrideable component (now reusing overrides of the email password recipe)
- Fixed default translation strings for passwordless sign-in/up form labels
- Uses React.useMemo instead of useEffect in routing component to make first render non null
- Adds test for third party with email verification
- Fixes normalisation of thirdparty config to also normalise email verification config.
- passwordless demo app
- Adds example app with Hasura
- Adds example app with thirdpartyemailpassword showcasing setting password after email verification
- Translateable components
- Refactored some more pure components into functional
- Feature components now provide a stable modified recipe implementation as a prop instead of getter
-
Added
defaultCountryto passwordless config input in theEMAIL_OR_PHONEcase -
add workflow to verify if pr title follows conventional commits
- swapped out the PureComponent to functional + memo in the files i came across
- removed the explicit JSX.Element return type, they can be inferred and would probably be better as-is.
- Sends an empty JSON body in email verification token generate API since the content type is application/json + enforces that at least an empty JSON body must be sent in all API calls to the backend.
- Fix sample code in docs which gives error "multiple children were provided"
- Does not modify react router dom object. Instead, we create a new object which contains react-router-dom + custom navigation function.
- Removed SuperTokensBranding from the oauth callback screen
- Makes custom social provider button be a JSX element or a function
- Changes powered by link to point to
https://supertokens.com?campaign=poweredby
- Extracts away AuthRecipe into one with email verification and one without email verification
- Updated the reset password form to match the single input forms of passwordless (showing label, removed placeholder and autofocus)
- Using the default label and no placeholder for the reset password email form instead of the ones configured for the signup form
- Removed ":" from labels
- Adds new CSS class for provider button (like
providerGoogle,providerAppleetc..) which super seedsproviderButton. - Added a branding element to sign-in/up
- Passwordless recipe
- Prevents checking of if route can be handled by supertokens on each rerender.
getRoutingComponentnow returnsJSX.Element | nullinstead ofJSX.Element | undefined- Removed ":" from labels
- Adds new CSS class for provider button (like
providerGoogle,providerAppleetc..) which super seedsproviderButton. So if you are usingproviderButtonto change CSS, then you should add a!importantto it.
- Removes @emotion/cache from dependencies since
@emotion/reactalready depends on it.
- Rendering of UI in firefox with nextjs: #354
- Issuer where custom provider buttons would not render text in the center of the button
- Issue where custom button styling would not reflect for hover and active states
- Issuer where custom styling would not reflect in forgot password or email verification flows
- Styling for social login provider buttons
- Compatibility with FDI 1.11
- Compatibility with react router dom v6
- Removed circular dependencies
- Added circular dependency checking into CI/pre-commit hooks
- Uses supertokens-js-override from npm
- Fixes issue two in supertokens/supertokens-node#199
- Adds FDI 1.10 as supported
- Does not set
redirect_urithird party authorisation URL if it's already set by the backend. - Adds an optional
clientIdinput to providers to be sent during thesigninupAPI.
- Uses non arrow functions in api and recipe interface impl to allow for "true" inheritance in override: supertokens/supertokens-node#199
- Uses
bind(this)when calling original implementation - Added bundle size checking for PRs
- Renames
getJWTPayloadSecurelytogetAccessTokenPayloadSecurely
- Version of supertokens-website dependency (to version
^9.0.0). It was a breaking change in that, which implies a breaking change here too.
- Disabled source map generation
- Added prop-types as a peer dependency
- New FDI 2.9
- Support for testing non node JS backend SDK with end to end tests written here.
- Update to supertokens-website dependency version
- Updated the typings of the
UNAUTHORISEDevent to include the newsessionExpiredOrRevokedproperty.
- Added option to apply styling to all components: #312
- Not loading Rubik font in the library if the user has defined a font to use: #303
- Saving of success event post sign up / in, so that it can be fired post email verification: #315
- Fixes custom styling of the OAuth callback screen
- Persisting theme choice in test application
- Fixes extra semicolon at the end of thirdparty sign in up component.
- Fixes typescript issue with default imports. (Related to #297)
- Handles
Uncaught ReferenceError: process is not definedduring getting if testing or not.
- Styling issues with SVG icons
- In
emailVerificationAuth, querying for is email verified only if a session exists - A few test app issues
- If visiting auth page with session already existing, then we respect redirectTo query param
- Uses
useRefhook when usingwithRouterso that the underlying component is not unmounted. - If
redirectToPathis "", and we are not using react-router-dom, then we redirect to/, otherwise we might be stuck in an infinite redirect loop.
- Uses
SessionAuthfor all our components: #241 - Creates an
AuthWidgetWrappercomponent that will redirect login UI if already logged in
- Allows for
SessionAuthto be inside anotherSessionAuth. - Updates session context on session changes: #228
onSessionExpiredoptional prop onSessionAuth,EmailPasswordAuth,ThirdPartyAuthandThirdPartyEmailPasswordAuth
-
If a component is wrapped in an auth wrapper with
requiredAuth={true}, andonSessionExpiredis not provided, then the user will be automatically redirected to the login screen in case of session expiry. -
The components override API has changed from
(DefaultComponent) => (props) => React.Elementto({ DefaultComponent, …props }) => React.Element.
- Normalisation of thirdpartyemailpassword input
- Allows zero thirdparty providers to be passed into thirdpartyemailpassword
- Respects
disableEmailPasswordconfig provided to thirdpartyemailpassword
- Makes
signInAndUpFeatureconfig optional inthirdpartyemailpassword.init
- Ability to override recipe functions to customize the behavior of feature components.
- Refactors code to:
- Make types simpler.
- Remove components folder from AuthRecipeModule, and puts them in the themes of the respective recipes.
- Uses redirectToAuth everywhere instead of calling redirect manually.
- Adds additional props / config to Session and EmailVerification recipe to make them more isolated
- Passes recipe to feature components directly, as opposed to recipeId
- In session recipe, we remove
setAuth0APIandgetAuth0API - Removes
GET_REDIRECTION_URLfrom the possible action types forgetRedirectionURL. - Changes
redirectToAuthto take an object and addsredirectBackparam, which can be used to indicate if the user should be redirected to the current page. - Removes
getRefreshURLDomainfunction from session recipe. - Moves
SIGN_OUTeven and pre API hook into the Session recipe. - Change to type of
preAPIHookfunction - Uses supertokens-website version >= 8.0
- Changed
SIGN_IN,SIGN_UPPre API hook action toEMAIL_PASSWORD_SIGN_IN,EMAIL_PASSWORD_SIGN_UPorTHIRD_PARTY_SIGN_IN_UP
- State update post unmounting when using EmailVerification wrapper.
- Allow specifying of
cookieDomainin config to add interceptors to multiple API subdomain: supertokens/supertokens-website#58
- Respects case sensitive when redirecting post login: #252
- Support for sessions if used within an iframe: supertokens/supertokens-website#53
- Update to supertokens-website dependency version
- Fixes #220
- When using
getSuperTokensRoutesForReactRouterDom, use it likegetSuperTokensRoutesForReactRouterDom(require("react-router-dom")) - Config value
useReactRouterDomis no longer required. React router dom is enabled only if the user usesgetSuperTokensRoutesForReactRouterDom.
- Uses frontend set cookies instead of localstorage so that sub domain session works on Safari
- Sends
ridon each request - acts as a CSRF protection measure (see https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#use-of-custom-request-headers) - Refreshes session if the frontend set cookies are deleted (due to privacy features in Safari).
- New FDI 1.8
- Adds
apiGatewayPathinappInfo. Related to supertokens/supertokens-core#234
- Ability to send custom error messages from signinup API for thirdparty login to show in the UI. Fixes issue supertokens/supertokens-core#233
- Exports
SessionAuthwrapper - Adds
requireAuthboolean to all Auth wrappers to protect pages optionally - Creates a session context that is passed to child components for easy access to session info.
getUserIdanddoesSessionExistreturningPromises
- Signout function from session
- Compatibility with FDI 1.7
- Adds
redirectToAuthfunction for all auth recipes
- Removed type dependency on History
- Fix URL Normalisation with "/.netlify/functions/api".
- Fix Path Normalisation with "/.netlify/functions/api" given as apiBasePath
- Third Party & Email Password recipe
- Update preAPIHook type from
({RequestInit, action}) => Promise<RequestInit>to({url, RequestInit, action}) => Promise<RequestInit | {RequestInit, url}>
- Third Party recipe with Google/Github/Facebook/Apple
- Introduce AuthRecipeModule to abstract common functions (hooks, signout, isEmailVerified)
- Email Verification as a recipe
- Email Password context from
{action: "SIGN_IN_COMPLETE" | "SIGN_UP_COMPLETE"}to{action: "SUCCESS", isNewUser: boolean}
- Fix react-router-dom issue with EmailPasswordAuth in NextJS.
- Supertokens config
useReactRouterDom.
- Compare window.location.origin to websiteDomain for redirection => useful for multitenancy
- Fix websiteBasePath = "/" routing issue.
- Fix getRedirectionURL hook type
- No redirectToPath in email verification screen
- Redirect to intended page post authentication
- Use tsconfig to compile instead of babel
- Success/Error ticks displayed in input
- Show password displayed in inputs
- Better password manager handling
- Remove autofill browser styling
- User Facing typescript definitions
- setState race condition for redirecting to auth page on successful signup
- Examples folder
- Input border radius from 8 to 6px
- Input padding from 20 to 16px
- Input background colour from 1 to 0.25 opacity on focus
- Add focus state box shadow
- Show password icon only when password is not empty
- Fix width when wrapped in flex container
- Fix right input padding
- Mobile responsiveness
- Email Verification Feature
- Show/Hide password
- Success tick
- Design revamp
- Remove generalErrorBackground
- Button ripple effect on click
- Button colour change on hover
- Upgrade to Emotion v11 and react-shadow v19
- Fix conflicting dependencies with npm link
- No Shadow DOM for Internet Explorer
- Made config optional when calling init for recipes
- Better error message for SSR.
- Add margin bottom for general Errors.
- Move react-router-dom to optional dependencies.
- Form validation on blur
- verify if email exists on blur during signup
- Autocomplete email and password
- Move error/success ticks to leave space for password managers
DefaultToSignUpconfig and default widget to sign up form.
- Remove all styles from feature wrapper
- Email and password implementation
- Session implementation