From c9d594cdd094675d48085c07a9e1242322336806 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 29 Jun 2026 16:41:03 +0000
Subject: [PATCH] chore: update version and changelog
---
 .changeset/harden-magic-link-otp.md | 14 -----------
 .changeset/login-methods-env-config.md | 11 ---------
 .changeset/oauth-provider-config-defaults.md | 8 ------
 CHANGELOG.md | 26 ++++++++++++++++++++
 package.json | 2 +-
 5 files changed, 27 insertions(+), 34 deletions(-)
 delete mode 100644 .changeset/harden-magic-link-otp.md
 delete mode 100644 .changeset/login-methods-env-config.md
 delete mode 100644 .changeset/oauth-provider-config-defaults.md
diff --git a/.changeset/harden-magic-link-otp.md b/.changeset/harden-magic-link-otp.md
deleted file mode 100644
index d0df703..0000000
--- a/.changeset/harden-magic-link-otp.md
+++ /dev/null
@@ -1,14 +0,0 @@
----
-'seamless-auth-api': patch
----
-
-Harden and regression-test the magic link and OTP sign-in flows.
-
-- Magic link: polling while waiting now returns `204` (no body) instead of `500`,
- fixing the broken starter sign-in; removed dead device-binding code from verify
- (binding is enforced at the poll step); the post-session write is awaited.
-- OTP: the verify endpoints are now rate-limited; OTPs are stored and compared
- hashed-only (the transitional plaintext fallback is removed); post-session writes
- are awaited.
-- CI: formatting is enforced (`prettier --check`) and coverage thresholds are
- ratcheted so these flows cannot silently regress.
diff --git a/.changeset/login-methods-env-config.md b/.changeset/login-methods-env-config.md
deleted file mode 100644
index efba088..0000000
--- a/.changeset/login-methods-env-config.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-'seamless-auth-api': patch
----
-
-Env-mapped system config (e.g. `LOGIN_METHODS`) now takes effect over
-migration-seeded defaults. Previously the login-policy migration hard-seeded
-`login_methods` and `bootstrapSystemConfig` only seeded missing rows, so the env
-var was permanently ignored. Now bootstrap re-applies env values over config that
-was never changed through the admin API (`updatedBy IS NULL`), admin edits record
-`updatedBy` so they are preserved, and a migration re-applies env to existing
-un-edited rows.
diff --git a/.changeset/oauth-provider-config-defaults.md b/.changeset/oauth-provider-config-defaults.md
deleted file mode 100644
index 4e77d60..0000000
--- a/.changeset/oauth-provider-config-defaults.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-'seamless-auth-api': patch
----
-
-Apply OAuthProviderConfigSchema defaults to providers configured via OAUTH_PROVIDERS. The
-env value was parsed with a raw JSON.parse, so per-provider fields like subjectJsonPath and
-emailJsonPath stayed undefined and OAuth profile extraction failed with a generic
-"OAuth login failed". The OAuth callback now also logs the underlying error. Fixes #49.
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1ce04c5..9199b1d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,31 @@
 # seamless-auth-api
+## 0.2.2
+
+### Patch Changes
+
+- 03651ba: Harden and regression-test the magic link and OTP sign-in flows.
+ - Magic link: polling while waiting now returns `204` (no body) instead of `500`,
+ fixing the broken starter sign-in; removed dead device-binding code from verify
+ (binding is enforced at the poll step); the post-session write is awaited.
+ - OTP: the verify endpoints are now rate-limited; OTPs are stored and compared
+ hashed-only (the transitional plaintext fallback is removed); post-session writes
+ are awaited.
+ - CI: formatting is enforced (`prettier --check`) and coverage thresholds are
+ ratcheted so these flows cannot silently regress.
+
+- 3292605: Env-mapped system config (e.g. `LOGIN_METHODS`) now takes effect over
+ migration-seeded defaults. Previously the login-policy migration hard-seeded
+ `login_methods` and `bootstrapSystemConfig` only seeded missing rows, so the env
+ var was permanently ignored. Now bootstrap re-applies env values over config that
+ was never changed through the admin API (`updatedBy IS NULL`), admin edits record
+ `updatedBy` so they are preserved, and a migration re-applies env to existing
+ un-edited rows.
+- 6b6f1e6: Apply OAuthProviderConfigSchema defaults to providers configured via OAUTH_PROVIDERS. The
+ env value was parsed with a raw JSON.parse, so per-provider fields like subjectJsonPath and
+ emailJsonPath stayed undefined and OAuth profile extraction failed with a generic
+ "OAuth login failed". The OAuth callback now also logs the underlying error. Fixes #49.
+
 ## 0.2.1
 ### Patch Changes
diff --git a/package.json b/package.json
index 60b8d3d..ff420af 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "seamless-auth-api",
- "version": "0.2.1",
+ "version": "0.2.2",
 "description": "Seamless Auth API - A web application server for supporting a Seamless Auth server instance.",
 "main": "index.js",
 "type": "module",