supertokens-web-js - npm Package Versions

[0.14.0] - 2024-10-07

• Added the OAuth2Provider recipe

Breaking changes

• Now only supporting FDI 3.1 and 4.0 (Node >= 21.0.0)
• Added a new shouldTryLinkingToSessionUser flag to sign in/up related function inputs:
  • No action is needed if you are not using MFA/session based account linking.
  • If you are implementing MFA:
    • Plase set this flag to false (or leave as undefined) during first factor sign-ins
    • Please set this flag to true for secondary factors.
    • Please forward this flag to the original implementation in any of your overrides.
  • Changed functions:
    • EmailPassword.signIn, EmailPassword.signUp: both override and callable functions
    • ThirdParty.getAuthorisationURLWithQueryParamsAndSetState: both override and callable function
    • Passwordless:
      • Functions overrides: consumeCode, resendCode, createCode, setLoginAttemptInfo, getLoginAttemptInfo
      • Calling createCode and setLoginAttemptInfo take this flag as an optional input (it defaults to false)
• Changed the default implementation of getTenantId to default to the tenantId query parameter (if present) then falling back to the public tenant instead of always defaulting to the public tenant
• We now disable session based account linking in the magic link based flow in passwordless by default
  • This is to make it function more consistently instead of only working if the link was opened on the same device
  • You can override by overriding the consumeCode function in the Passwordless Recipe (see in the Migration guide section below for more information)

Migration guide

Session based account linking for magic link based flows

You can re-enable linking by overriding the consumeCode function in the passwordless recipe and setting shouldTryLinkingToSessionUser to true.

Passwordless.init({
    override: {
        functions: (original) => {
            return {
                ...original,
                consumeCode: async (input) => {
                    // Please note that this is means that the session is required and will cause an error if it is not present
                    return original.consumeCode({ ...input, shouldTryLinkingWithSessionUser: true });
                },
            };
        },
    },
});

[0.13.1] - 2024-10-08

• Changes bundle file names to include a hash.

[0.13.0] - 2024-07-10

Breaking Changes

• Removes the default maxAgeInSeconds value (previously 300 seconds) in EmailVerification Claim. If the claim value is true and maxAgeInSeconds is not provided, it will not be refreshed.

[0.12.0] - 2024-05-24

Breaking Changes

• Removed ThirdPartyEmailPassword and ThirdPartyPasswordless recipes
• Dropped support for FDI version 1.X
• Added support for FDI version 2.0 and 3.0
• Removed createCode, resendCode and consumeCode from the exports of recipe/passwordless/utils
• Added the SESSION_ALREADY_EXISTS event to the session recipe. This is used by our pre-built UI.

Migration guide

• If you were using ThirdPartyEmailPassword, you should now init ThirdParty and EmailPassword recipes separately. The config for the individual recipes are mostly the same, except the syntax may be different. Check our recipe guides for ThirdParty and EmailPassword for more information.

• If you were using ThirdPartyPasswordless, you should now init ThirdParty and Passwordless recipes separately. The config for the individual recipes are mostly the same, except the syntax may be different. Check our recipe guides for ThirdParty and Passwordless for more information.

[0.11.0] - 2024-05-09

Breaking changes

The shouldDoInterceptionBasedOnUrl function now returns true:

• If sessionTokenBackendDomain is a valid subdomain of the URL's domain. This aligns with the behavior of browsers when sending cookies to subdomains.
• Even if the ports of the URL you are querying are different compared to the apiDomain's port ot the sessionTokenBackendDomain port (as long as the hostname is the same, or a subdomain of the sessionTokenBackendDomain): #217

[0.10.1] - 2024-04-08

Fixes

• Reduced the number of unnecessary email verification checks by fixing the default values for refetchTimeOnFalseInSeconds and maxAgeInSeconds

[0.10.0] - 2024-03-03

Overview

Introducing multi-factor authentication

With this release, we are introducing MultiFactorAuthentication and TOTP, this will let you:

• require (2FA or MFA) during sign in
• make use of our TOTP

Check our guide for more information.

Changes

• Added support for FDI 1.19 (Node SDK>= 17.0.0), but keeping support FDI version 1.17 and 1.18 (node >= 15.0.0, golang>=0.13, python>=0.15.0)
• Added the MultiFactorAuth and TOTP recipes. To start using them you'll need compatible versions:
  • Core>=8.0.0
  • supertokens-node>=17.0.0
  • supertokens-website>=18.0.0
  • supertokens-web-js>=0.10.0
  • supertokens-auth-react>=0.39.0

Breaking changes

• Added firstFactors into the return type of getLoginMethods and removed the enabled flags of different login methods.
  • For older FDI versions, the firstFactors array will be calculated based on those enabled flags.
• Renamed validatorId in claim validation errors to id to match the backend SDKs

Migration guide

getLoginMethods interface change

If you used to use the enabled flags in getLoginMethods:

Before:

async function checkLoginMethods() {
    const loginMethods = await Multitenancy.getLoginMethods();
    if (loginMethods.thirdParty.enabled) {
        // custom logic
    }
    if (loginMethods.emailPassword.enabled) {
        // custom logic
    }
    if (loginMethods.passwordless.enabled) {
        // custom logic
    }
}

After:

async function checkLoginMethods() {
    const loginMethods = await Multitenancy.getLoginMethods();
    if (loginMethods.firstFactors.includes("thirdparty")) {
        // custom logic
    }
    if (loginMethods.firstFactors.includes("emailpassword")) {
        // custom logic
    }

    if (
        loginMethods.firstFactors.includes("otp-email") ||
        loginMethods.firstFactors.includes("otp-phone") ||
        loginMethods.firstFactors.includes("link-email") ||
        loginMethods.firstFactors.includes("link-phone")
    ) {
        // custom logic
    }
}

Renamed validatorId

If you used to use the validatorId prop of validationErrors, you should now use id instead.

Before:

async function checkValidators() {
    const validationErrors = await Session.validateClaims();
    for (const error of validationErrors) {
        console.log(error.validatorId, error.reason);
    }
}

After:

async function checkValidators() {
    const validationErrors = await Session.validateClaims();
    for (const error of validationErrors) {
        console.log(error.id, error.reason);
    }
}

[0.9.1] - 2024-02-07

Changes

• Added dateprovider.js bundle file to enable importing DateProvider via a script tag

[0.9.0] - 2024-01-18

Breaking Changes

• The default DateProvider implementation relies on localStorage. If your environment lacks support for localStorage, you must provide custom implementations for either the DateProvider or localStorage.

Changes

• EmailVerificationClaim now uses DateProvider to account for clock skew.
• Exporting the DateProvider from supertokens-website, that both built-in and custom validators can use instead of Date.now to get an estimate of the server clock.
• Added the dateProvider prop to the configuration that can be used to customize the built-in DateProvider.
• Added calculateClockSkewInMillis as an overrideable function to the Session recipe that estimates the time difference between the backend and the client.
• Fix "MultiTenancy not initialized" error being thrown instead of "SuperTokens not initialized" when calling recipe methods directly without initializing SuperTokens first.