54 lines (26 loc) · 3.15 KB

Changelog

3.0.0 (2026-03-25)

⚠ BREAKING CHANGES

add OAuth state verification on callback to prevent CSRF attacks (#388)

Features

add OAuth state verification on callback to prevent CSRF attacks (#388) (ebef6e7)
middleware: add authkitProxy and handleAuthkitProxy aliases for proxy.ts (#384) (4c3f27b)

Bug Fixes

actions: catch TokenRefreshError in refreshAccessTokenAction to prevent 500s (#383) (5c46c39)
auth: return signInUrl from server actions to avoid CORS errors (#386) (7d52400)
harden PKCE/CSRF for v3.0.0 release (#398) (8054829)

2.17.0 (2026-03-13)

Features

Automatically pass claim nonce for unclaimed environments (#389) (67dfc92)

2.16.1 (2026-03-13)

Bug Fixes

make PKCE opt-in to avoid breaking custom middleware proxies (#392) (9e09fcb)

2.16.0 (2026-03-11)

Features

add PKCE support for OAuth 2.1 compliance (#374) (de01c7f)

Bug Fixes

improve compatibility with non-Next.js environments (#378) (734311a)
resolve Dependabot security alerts (#380) (519dccf)

2.15.0 (2026-02-25)

Features

Add returnTo option to getSignInUrl and getSignUpUrl functions (#375) (fc75708)