Skip to content

chore: version packages#5

Closed
github-actions[bot] wants to merge 1 commit into
mainfrom
changeset-release/main
Closed

chore: version packages#5
github-actions[bot] wants to merge 1 commit into
mainfrom
changeset-release/main

Conversation

@github-actions

@github-actions github-actions Bot commented Apr 7, 2026

Copy link
Copy Markdown

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@interline-io/tlv2-auth@0.2.0

Minor Changes

  • #4 691139d Thanks @irees! - Add synchronous Nitro plugin for Cloudflare Workers compatibility with @auth0/auth0-nuxt. Add opt-in autoAppBaseUrl module option that derives auth0 appBaseUrl from the request Host header for branch/preview deploys. Note: autoAppBaseUrl trusts the x-forwarded-proto and Host headers — only enable on platforms where these are set by a trusted edge proxy.

  • #8 03e262f Thanks @irees! - Remove nuxt-csurf from the module. CSRF protection is now the responsibility of consuming applications.

    The API proxy is no longer registered by default. Set proxy: true in module options to enable it.

    The proxy now respects requireLogin — unauthenticated requests return 401 when enabled.

    Fix SSRF vulnerability in proxy target resolution where scheme-relative URLs (e.g. //attacker.com) could redirect requests to arbitrary hosts.

  • #9 8f5f298 Thanks @irees! - Always install auth0-nuxt at build time with placeholder defaults so Auth0 credentials are purely a runtime concern. When NUXT_AUTH0_* env vars are absent, auth gracefully no-ops and users are treated as anonymous.

    Breaking: Module option proxy renamed to proxyEnabled.

    Fix redirect loop when returnTo targets an auth route.

    Ephemeral session secret generation is now dev-only; production requires NUXT_AUTH0_SESSION_SECRET to be set explicitly.

  • #7 603855b Thanks @irees! - Add authPrefix and proxyPrefix module options to configure the URL prefixes for auth routes and the API proxy. Defaults remain /auth and /proxy. CSRF protection on the proxy is now enforced on all HTTP methods (including GET) via Nitro route rules.

Patch Changes

  • #12 45205ff Thanks @irees! - Add opt-in trace logging gated behind TL_LOG=trace. Uses a guard pattern (if (traceEnabled)) to avoid argument evaluation when tracing is off. Covers the auth0 middleware, session endpoint, proxy handler, and SSR auth header injection.

    Enable the proxy in the playground and add a proxy test UI for exercising the full auth flow locally.

  • #13 a45d5f7 Thanks @irees! - Register audience in the auth0 runtimeConfig schema so consuming apps can set NUXT_AUTH0_AUDIENCE without a type error during nuxt build.

    Replace addImportsDir with explicit addImports to eliminate "Duplicated imports" warnings.

  • #15 392dbb0 Thanks @drewda! - Docs: clarify that NUXT_AUTH0_CLIENT_ID must be set at build time even when real credentials are supplied only at runtime (e.g. Cloudflare Pages dashboard). Otherwise, placeholders get baked in and runtime env vars are silently ignored.

  • #23 831c2a6 Thanks @irees! - Fix authenticated proxy requests being rejected by the backend with token is malformed: token contains an invalid number of segments (HTTP 401).

    The auth.server plugin injected Authorization/apikey onto backend requests with Headers.append(). Because the server-side proxy already attaches those headers, the request — which flows through the patched globalThis.fetch — had them appended a second time, comma-joining into Authorization: "Bearer <tok>, Bearer <tok>". Switched both injection paths ($fetch onRequest and the globalThis.fetch override) to Headers.set(), which is idempotent.

    Also stop forwarding the browser session cookie to the backend API in the proxy: it's irrelevant to the API and the encrypted auth0-nuxt session cookie duplicates the JWT.

@github-actions
github-actions Bot force-pushed the changeset-release/main branch 7 times, most recently from 1d9da19 to d027069 Compare April 11, 2026 00:34
@github-actions
github-actions Bot force-pushed the changeset-release/main branch 2 times, most recently from 9777e37 to 9efcccc Compare April 20, 2026 23:16
Copilot AI review requested due to automatic review settings June 18, 2026 22:54
@github-actions
github-actions Bot force-pushed the changeset-release/main branch from 9efcccc to cb472bb Compare June 18, 2026 22:54

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@drewda

drewda commented Jun 24, 2026

Copy link
Copy Markdown
Member

No longer using changesets/changesets to version

@drewda drewda closed this Jun 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants