Changelog
All notable changes to guardo. Follows the Keep a Changelog format.
1.5.0 - Safer call signatures, test ergonomics & dependency security
Added
otp.exposeCodeconfig (defaultfalse) - returns the plaintextcodefromotp.send()(newSendOtpResulttype) so tests can read the OTP without scraping notifier output. Test/dev only. See OTP.INVALID_ARGUMENTerror code.
Changed
logout(),refreshTokens()andlogoutAll()now throwAuthError(INVALID_ARGUMENT) when passed a non-string argument instead of silently doing nothing - e.g.logout({ sessionId })no longer leaves the session live.
Security
- Upgraded nodemailer to
^9.0.1to clear high-severity advisory GHSA-p6gq-j5cr-w38f - it ships by default via the email notifier.
1.3.0 - OAuth / social login
Added
- OAuth module (
auth.oauth) - social login via the authorization-code flow with single-use CSRFstateand PKCE.oauth.start()/oauth.callback()issue the same session + JWT pair as OTP login. See OAuth. - Built-in
GoogleProviderandGithubProvider, plus the generic, pluggableOAuth2Provider(andcreateOAuthProvider()) for any other OAuth 2.0 / OIDC service. oauthconfig oncreateAuth(), theoauth.started/oauth.success/oauth.failedevents, and theOAuthErrorclass withOAUTH_*error codes.
1.2.0 - Event-driven architecture & cookie transport
Added
- Typed lifecycle events (
eventsconfig +GuardoEvents) -login.success,otp.failed,token.reuse_detected, and more. See Events. - httpOnly cookie mode -
cookiesconfig plussetTokenCookies()/clearTokenCookies()middleware helpers. - Fastify middleware:
auth.middleware.fastify(). onNewUserhook to auto-provision users whenresolveUserreturnsnull.- Per-IP rate limiting (
otpSendPerIp,otpVerifyPerIp) via the optionaliponotp.send(). session.listAll()for paginated, cross-user session listing (admin views).- Asymmetric JWT signing via
jwt.algorithm(e.g.RS256).
Changed
VerifyOtpResultnow includes a machine-readablecode(GuardoErrorCode).
1.0.1 - Stability & DX improvements
Fixed
- Ethereal transport silently falls back to console when no internet is available.
timingSafeEqualbuffer-length mismatch on wrong-length OTP input.
Changed
- Export
TokenTypeErrorfrom the main entry point. - Improve error messages for revoked sessions.
1.0.0 - Initial public release
Added
createAuth()factory with full module wiring.- OTP module: generate, hash, send, verify, attempt limiting.
- JWT module: access + refresh token pair with TTL config.
- Session module: multi-device sessions with touch & revoke.
- Express middleware: JWT guard + RBAC
role(). - Next.js Edge middleware + App Router route wrapper.
MemoryStoreandRedisStoreadapters.ConsoleNotifier,NodemailerNotifier,MultiChannelNotifier.- Sliding-window rate limiter for OTP send & verify.
- Full TypeScript types exported from the main entry.
Roadmap: device fingerprinting, risk scoring, and analytics hooks are planned. Watch the GitHub repo for updates.