Changelog

Changelog

All notable changes to guardo. Follows the Keep a Changelog format.

1.5.0 - Safer call signatures, test ergonomics & dependency security

Added

  • otp.exposeCode config (default false) - returns the plaintext code from otp.send() (new SendOtpResult type) so tests can read the OTP without scraping notifier output. Test/dev only. See OTP.
  • INVALID_ARGUMENT error code.

Changed

  • logout(), refreshTokens() and logoutAll() now throw AuthError (INVALID_ARGUMENT) when passed a non-string argument instead of silently doing nothing - e.g. logout({ sessionId }) no longer leaves the session live.

Security

  • Upgraded nodemailer to ^9.0.1 to clear high-severity advisory GHSA-p6gq-j5cr-w38f - it ships by default via the email notifier.

1.3.0 - OAuth / social login

Added

  • OAuth module (auth.oauth) - social login via the authorization-code flow with single-use CSRF state and PKCE. oauth.start() / oauth.callback() issue the same session + JWT pair as OTP login. See OAuth.
  • Built-in GoogleProvider and GithubProvider, plus the generic, pluggable OAuth2Provider (and createOAuthProvider()) for any other OAuth 2.0 / OIDC service.
  • oauth config on createAuth(), the oauth.started / oauth.success / oauth.failed events, and the OAuthError class with OAUTH_* error codes.

Added

  • Typed lifecycle events (events config + GuardoEvents) - login.success, otp.failed, token.reuse_detected, and more. See Events.
  • httpOnly cookie mode - cookies config plus setTokenCookies() / clearTokenCookies() middleware helpers.
  • Fastify middleware: auth.middleware.fastify().
  • onNewUser hook to auto-provision users when resolveUser returns null.
  • Per-IP rate limiting (otpSendPerIp, otpVerifyPerIp) via the optional ip on otp.send().
  • session.listAll() for paginated, cross-user session listing (admin views).
  • Asymmetric JWT signing via jwt.algorithm (e.g. RS256).

Changed

  • VerifyOtpResult now includes a machine-readable code (GuardoErrorCode).

1.0.1 - Stability & DX improvements

Fixed

  • Ethereal transport silently falls back to console when no internet is available.
  • timingSafeEqual buffer-length mismatch on wrong-length OTP input.

Changed

  • Export TokenTypeError from the main entry point.
  • Improve error messages for revoked sessions.

1.0.0 - Initial public release

Added

  • createAuth() factory with full module wiring.
  • OTP module: generate, hash, send, verify, attempt limiting.
  • JWT module: access + refresh token pair with TTL config.
  • Session module: multi-device sessions with touch & revoke.
  • Express middleware: JWT guard + RBAC role().
  • Next.js Edge middleware + App Router route wrapper.
  • MemoryStore and RedisStore adapters.
  • ConsoleNotifier, NodemailerNotifier, MultiChannelNotifier.
  • Sliding-window rate limiter for OTP send & verify.
  • Full TypeScript types exported from the main entry.

Roadmap: device fingerprinting, risk scoring, and analytics hooks are planned. Watch the GitHub repo for updates.