All notable changes to the AuthKit authentication library will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Full API documentation in README with request/response examples
- Complete Copilot development instructions for module maintainers
- Contribution guidelines with module-specific setup instructions
- Enhanced SECURITY.md with vulnerability reporting procedures
- Troubleshooting and FAQ sections in documentation
- TypeScript type definitions for all public APIs
- Improved error handling and error message consistency
- Enhanced JWT payload structure documentation
- Optimized admin route filtering capabilities
- Updated CONTRIBUTING.md with module-specific requirements
- Translation of Italian text in Copilot instructions to English
- JWT refresh token validation edge cases
- Admin decorator permission checking
- Added security best practices section to documentation
- Documented JWT secret rotation procedures
- Enhanced password reset token expiration guidelines
- Support for Facebook OAuth provider
- Microsoft Entra ID OAuth with JWKS verification
- Role-based permission management system
- Admin routes for user, role, and permission management
- User banning/unbanning functionality
- Refresh token implementation now uses JWT instead of database storage
- Password change now invalidates all existing refresh tokens
- User model now supports optional jobTitle and company fields
- OAuth provider token validation improvements
- Email verification token expiration handling
- Microsoft tenant ID configuration flexibility
- Email verification requirement before login
- Password reset functionality with JWT-secured reset links
- Resend verification email feature
- User profile endpoint (
GET /api/auth/me) - Account deletion endpoint (
DELETE /api/auth/account) - Auto-generated usernames when not provided (fname-lname format)
- Authentication flow now requires email verification
- User model schema restructuring for better organization
- Improved password hashing with bcryptjs
- Implemented httpOnly cookies for refresh token storage
- Added password change tracking with
passwordChangedAttimestamp - Enhanced input validation on all auth endpoints
- JWT refresh token implementation
- Token refresh endpoint (
POST /api/auth/refresh-token) - Automatic token refresh via cookies
- Configurable token expiration times
- Access token now shorter-lived (15 minutes by default)
- Refresh token implementation for better security posture
- JWT payload structure refined
- Token expiration validation during refresh
- Google OAuth provider integration
- OAuth mobile exchange endpoints (ID Token and Authorization Code)
- OAuth web redirect flow with Passport.js
- Automatic user registration for OAuth providers
- Authentication controller refactored for OAuth support
- Module configuration to support multiple OAuth providers
- Google ID Token validation implementation
- Authorization Code exchange with PKCE support
- Initial release of AuthKit authentication library
- Local authentication (email + password)
- User registration and login
- JWT access token generation and validation
- Role-Based Access Control (RBAC) system
- Admin user management routes
- Email service integration (SMTP)
- Host app independent - uses host app's Mongoose connection
- Seed service for default roles and permissions
- Admin decorator and authenticate guard
- Local auth strategy with password hashing
- JWT-based authentication
- Role and permission models
- Default admin, user roles with configurable permissions
- Email sending capability for future notifications
- Clean Architecture implementation
- Production-ready error handling
- Two-factor authentication (2FA) support
- API key authentication for service-to-service communication
- Audit logging for security-critical operations
- Session management with concurrent login limits
- OpenID Connect (OIDC) provider support
- Breaking change: Restructure module exports for better tree-shaking
- Migration guide for v1.x → v2.0.0
- Rate limiting built-in helpers
- Request signing and verification for webhooks
- Enhanced logging with structured JSON output
- Support for more OAuth providers (LinkedIn, GitHub)
For version support timeline and security updates, please refer to the SECURITY.md policy.
For issues, questions, or contributions, please visit: https://github.com/CISCODE-MA/AuthKit