Access token, Refresh Token flow changed.

@opticSquid opticSquid released this 04 Jul 10:17
· 32 commits to main since this release
efba4fe

Change Log

  • All routes that can be accessed by a normal user have been moved under the /auth base route. The following routes now all come under /auth:
    • Signup
    • Verify
    • Login
    • Trust Device
    • Renew
  • When logging in or renewing a token:
    • accessToken is now sent as part of the response body.
    • refresh-token is sent as an HTTP-only cookie, with max age set to the expiration of the token and path set to the renew token path.
    • This is done so that when a renew token request is sent, the browser automatically attaches the cookie to the request without intervention from the client.
    • The cookie is set to HTTP only so that client-side JavaScript cannot read it.
    • The cookie is set to SameSite: Strict so that this token cannot be passed to other sites.
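
The cookie attributes listed above can be checked mechanically against a captured Set-Cookie value. The following is an added example, not code from this project: the renew path `/auth/renew`, the 5-second tolerance, the function names and the sample token and timestamps are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

COOKIE_NAME = "refresh-token"   # cookie name used in the release notes
RENEW_PATH = "/auth/renew"      # assumed path of the Renew route under /auth
SKEW = 5                        # assumed tolerance (seconds) when comparing lifetimes


def build_refresh_cookie(token, expires_at, now):
    """Return a Set-Cookie value carrying the four attributes described above."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = token
    morsel = jar[COOKIE_NAME]
    morsel["httponly"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = RENEW_PATH
    morsel["max-age"] = max(0, int(expires_at - now))
    return morsel.OutputString()


def audit_refresh_cookie(header, expires_at, now):
    """Return a list of findings for one Set-Cookie value; empty means compliant."""
    pair, *rest = [p.strip() for p in header.split(";")]
    if pair.partition("=")[0] != COOKIE_NAME:
        return ["not the refresh-token cookie"]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: client-side script can read the token")
    if attrs.get("samesite", "").lower() != "strict":
        findings.append("SameSite is not Strict")
    if attrs.get("path") != RENEW_PATH:
        findings.append("Path is not limited to the renew route")
    max_age = attrs.get("max-age", "")
    remaining = int(expires_at - now)
    if not max_age.isdigit() or abs(int(max_age) - remaining) > SKEW:
        findings.append("Max-Age does not match token expiry")
    return findings


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed timestamp; token expires 600 s later
    good = build_refresh_cookie("constructed-token", NOW + 600, NOW)
    weak = "refresh-token=constructed-token; Path=/; Max-Age=31536000"  # constructed
    print(good, audit_refresh_cookie(good, NOW + 600, NOW))
    print(weak, audit_refresh_cookie(weak, NOW + 600, NOW))
```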

Main Branch History

Full Changelog: v2.2.1...v2.3.2