feat: update jose and openid-client
#3039
Merged
Member
Docs will have to be updated to reflect this change.
balazsorban44 pushed a commit that referenced this pull request Apr 5, 2022

* docs: Update JWT docs to reflect JWE changes in v4

  This PR #3039 changed the defaults for JWT tokens to be encrypted by default (JWE). We have conflicting documentation across the docs site and readme.

  Additionally this PR #3783 made providing a secret required in production via NEXTAUTH_SECRET or an option.

* Missed a reference

* Update docs/docs/faq.md

  Co-authored-by: Nico Domino <yo@ndo.dev>

* Update docs/docs/faq.md

  Co-authored-by: Nico Domino <yo@ndo.dev>

Co-authored-by: Nico Domino <yo@ndo.dev>
mnphpexpert added a commit to mnphpexpert/next-auth that referenced this pull request Sep 2, 2024

Updates the `jose` and `openid-client` packages.

BREAKING CHANGE: The `jwt` option has been simplified and the NextAuth.js issued JWT is now encrypted by default. If you want to override the defaults, you can still use the `encode` and `decode` functions. These are advanced options and they should only be used if you know what you are doing.

The default secret generation has been removed in this PR, which will be added back in a separate one. Remember, that is only for developer convenience, it is **highly** recommended to always create your own secret for production.
mnphpexpert added a commit to mnphpexpert/next-auth that referenced this pull request Sep 2, 2024

* docs: Update JWT docs to reflect JWE changes in v4

  This PR nextauthjs#3039 changed the defaults for JWT tokens to be encrypted by default (JWE). We have conflicting documentation across the docs site and readme.

  Additionally this PR nextauthjs#3783 made providing a secret required in production via NEXTAUTH_SECRET or an option.

* Missed a reference

* Update docs/docs/faq.md

  Co-authored-by: Nico Domino <yo@ndo.dev>

* Update docs/docs/faq.md

  Co-authored-by: Nico Domino <yo@ndo.dev>

Co-authored-by: Nico Domino <yo@ndo.dev>
@balazsorban44 as discussed previously, updates

- openid-client to v5.x (c73c0c9)
  Fairly painless update, changes to providers
- jose to v4.x (78f0919)
  This removes most of the jwt options as we discussed, the session is now a JWT in JWE syntax. The secret used is always derived from the secret passed in, warnings were removed. Compression before encryption was removed as doing so leaks information about the plaintext.

Both of these libraries have an engines entry which is now also reflected in package.json
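
The description above says compression before encryption was removed because it leaks information about the plaintext. The following is an added example, not code from next-auth or jose: it uses Node's built-in `zlib` and AES-256-GCM to show that two claim sets of equal serialized length give equal ciphertext lengths without compression and different lengths with it. The helper names (`seal`, `ciphertextLengths`, `demo`) and the sample claims are constructed for illustration.

```javascript
// Added illustration; not next-auth or jose code.
const crypto = require('node:crypto');
const zlib = require('node:zlib');

// AES-256-GCM is length-preserving: the ciphertext is exactly as long as
// the bytes handed to the cipher, so any size change comes from compression.
function seal(plaintext, key, { compress }) {
  const body = compress ? zlib.deflateRawSync(plaintext) : plaintext;
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(body), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Ciphertext length for each claim set, serialized as JSON.
function ciphertextLengths(claimSets, key, compress) {
  return claimSets.map((claims) => {
    const plaintext = Buffer.from(JSON.stringify(claims), 'utf8');
    return seal(plaintext, key, { compress }).ciphertext.length;
  });
}

// Constructed sample claims: identical serialized length (58 bytes),
// but the first "note" is highly repetitive and the second is not.
const SAMPLE_CLAIMS = [
  { sub: 'user-1', note: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' },
  { sub: 'user-1', note: 'q7Zp0xLm3VtB9cRk2WdY5hNs8JfGaEu4' },
];

function demo() {
  const key = crypto.randomBytes(32); // throwaway key for the demo
  return {
    plain: ciphertextLengths(SAMPLE_CLAIMS, key, false),
    compressed: ciphertextLengths(SAMPLE_CLAIMS, key, true),
  };
}

const result = demo();
// Without compression an observer sees two ciphertexts of the same size.
console.log('no compression  :', result.plain);
// With compression the sizes differ, revealing how redundant each plaintext
// is even though the contents stay encrypted.
console.log('deflate + encrypt:', result.compressed);
```
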