8.8.0

Full Changelog

Changed

• Update idtoken-verifier #458 (hzalaz)

Fixed

• Fix passwordless inside hosted login page #459 (hzalaz)

8.7.0

Full Changelog

Added

• Adding scope to the parsed hash object #434 (luisrudge)
• Add option to filter iframe events to prevent incorrect events triggering callbacks #432 (aaronchilcott)
• Adding cross-origin-auth sessionless flow #431 (luisrudge)
• Adding new LoginTicket flow (with session) #426 (hzalaz)

Changed

• Sending all /co/authenticate errors to the error callback #443 (luisrudge)
• Fix some examples and docs + using https everywhere #436 (luisrudge)

Fixed

• Add login_ticket to params whitelist #442 (luisrudge)
• Fix decoding base64 string with special characters #440 (luisrudge)
• Fixed issues with overrides not being used #430 (sandrinodimattia)

Change Log

8.6.1

Full Changelog

Fixed

• Fix postMessage handler to handle parsed objects as well #420 (luisrudge)

8.6.0

Full Changelog

Fixed

• Fixed nonce checking on renewAuth method #413 (luisrudge)
• Fixed 'qs' dependency #401 (maxpaj)

8.5.0

Full Changelog

Changed

• Improve jsdocs #393 (hzalaz)

Fixed

• Fixing error handling for when the error comes as a successful response from WinChan #395 (luisrudge)
• Correct spelling mistake in web-auth JSDoc resulting in incorrect autocomplete suggestions #388 (Geeman201)

8.4.0

Full Changelog
Closed issues

• winchanOptions missing parameters #378
• 'Nonce does not match' error when state data contains '=' encoded as %3D #377

Added

• Added possibility to specify custom popup size #379 (artemtool)

Changed

• Whitelist resource owner parameters #386 (hzalaz)
• Only allow to be used in node 6.9 or later #385 (hzalaz)
• Restrict what popupOptions fields are used #383 (hzalaz)
• Replace querystring implementation with qs module #382 (selaux)
• Deprecation warning: webauth.login → webauth.authorize #367 (dtinth)

Fixed

• Pass to popup the needed params for auth #381 (hzalaz)

8.3.0

Full Changelog

Added

• Integration tests #346 (glena)
• Whitelist nonce, state, _csrf and _instate from constructor #345 (glena)
• Added flag to disable id_token verification for legacy clients #341 (glena)
• Popup no owp #337 (glena)

Changed

• Remove warnings around refreshing session #353 (hzalaz)
• Updated passwordless start jsdocs #340 (glena)

Fixed

• Only parse cordova callback hash #370 (hzalaz)

8.2.0

Full Changelog

Added

• Plugins support + cordova plugin #333 (glena)

Fixed

• popup.authorize should not require redirectURI when using OWP #336 (glena)

8.1.3

Full Changelog

Fixed

• Fix case convertion of null values #329 (glena)

8.1.2

Full Changelog

Fixed

• Fixed params whitelist for authorize endpoint #324 (glena)