stack-auth 0.40.0

Authentication library for CipherStash services
Documentation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404

## [0.40.0] - 2026-07-09


### Miscellaneous

- update Cargo.toml dependencies


### Features

- add AuthError::Custom + from_error_code reconstruction

### Fixes

- export CustomError; reconstruct WORKSPACE_MISMATCH from payload

### Style

- rustfmt reflow in workspace_mismatch_from_payload


### Documentation

- document the typed-error / diagnostic-help contract
- recommend passing the strategy to an SDK, not getToken
- fix cookies.d.ts example for the Result API
- fix wasm-inline.mjs JSDoc for the Result API
- note the instanceof break in the changelog

### Features

- add actionable miette help to AuthError variants
- serialize AuthError across the FFI boundary
- return a Result instead of throwing

### Fixes

- resolve doc + CRAP CI gates on error.rs
- wrap napi static factories via facade classes
- update index.d.ts guard for the Result-typed surface
- mirror help/url onto failure.error on the wasm seam
- always brand the JS error with __authFailure
- guard wasm-inline getToken against a synchronous throw
- harden failure envelope against parse + key collision

### Miscellaneous

- bump vite in /packages/stack-auth/node
- make changesets adoption review-ready (CIP-3278)
- release as 0.41.0, not 1.0.0
- bundle the LICENSE in the published package
- drive the 0.41.0 release via changesets

### Refactoring

- hand-written index.d.ts re-exporter, drop apply-dts script
- derive .d.ts drift set from AuthError::ERROR_CODES
- decompose AuthError into per-error structs
- adopt AuthError::ERROR_CODES for the AuthFailure drift guards
- define AuthError codes as named constants
- route DeviceClientError through AuthError; tidy payload

### Testing

- port re-lock-window cancellation regression test (CIP-3159)
- derive drift-test expected set from error_code() source
- cover all #[diagnostic(help)] variants, not just one
- behavioural guards for the index.d.ts split, not source-text checks
- close coverage gaps in the index.d.ts split guards
- migrate tests, examples and docs to Result; v1.0.0
- close FFI-envelope coverage gaps from PR review
- guard the __CS_FAIL__ sentinel; clean up temp dir
- cover From<DeviceClientError> for the CRAP gate
- cover WORKSPACE_MISMATCH payload end-to-end



### CI

- make the CRAP workflow blocking

### Documentation

- note OidcFederationStrategy INVALID_CRN error-code change
- drop Rustdoc intra-link from binding doc comments

### Features

- add baseUrl override to OidcFederationStrategy (CIP-3246)
- expose base_url override on all auth strategies

### Fixes

- format baseUrl bindings + cover baseUrl override in tests

### Refactoring

- take a workspace CRN in OidcFederationStrategy
- address code-review findings on the CRN change
- durable index.d.ts additions + shared base_url helper

### Testing

- deterministic expiry-crossing refresh test; clear CRAP findings
- cover is_*_at boundaries and failed-refresh expiry path
- assert backwards wall-clock is handled gracefully
- scaffold cargo-fuzz pilot for public string parsers
- assert base_url override beats CS_CTS_HOST
- cover the napi baseUrl seam + the dts normaliser
- close the lopsided baseUrl/normaliser test asymmetries


### CI

- add cargo-crap (CRAP metric) coverage report
- reuse crap:stack-auth mise task in CRAP workflow


### Documentation

- point authorize_dto refresher links at structs

### Features

- OidcFederationStrategy — federate a third-party OIDC JWT into a CTS service token
- verify federated token's workspace in OidcFederationStrategy
- napi + wasm bindings for OidcFederationStrategy

### Miscellaneous

- adopt biome for JS/TS formatting + CI

### Refactoring

- drop audience from OidcFederationStrategy; clarify provider docs
- rename OAuthStrategy to DeviceSessionStrategy


### Documentation

- note InvalidToken alongside WorkspaceMismatch
- add 0.39.0 changelog entry
- refresh AutoStrategy detection-order comment
- note CS_CTS_HOST override on AccessKeyStrategy::new
- align AccessKeyStrategy.create JSDoc

### Features

- AccessKeyStrategy takes workspaceCrn, verifies token

### Fixes

- clippy unnecessary clones + cipherstash-client test prelude
- address PR review + CI failures

### Miscellaneous

- bump @cipherstash/auth to 0.38.0
- sync lockfile + README to 0.38.0

### Refactoring

- relocate bounds to stack-auth, drop legacy ServiceToken

### Testing

- cover WORKSPACE_MISMATCH at FFI boundary
- verify workspace check runs on every get_token call
- reject stored token bound to wrong workspace
- cover AutoStrategy happy path with explicit CRN
- cover AccessKeyStrategy.create happy path
- pin CRN-with-service_name behaviour on AccessKeyStrategy

### Style

- apply rustfmt




### Documentation

- annotate None literal in TokenStore doctest
- document slick API + cookieStore + /cookies entry

### Features

- add TokenStore trait for pluggable token caching
- wire TokenStore into AutoRefresh + AccessKeyStrategy
- AccessKeyStrategy.createWithStore JS-callback bindings
- slick options-object API + cookieStore helper
- add CallbackAuthStrategy for foreign-callback strategies

### Fixes

- zeroize JSON-serialised tokens; add assertion messages
- drop private intra-doc link to crate::refresher
- log JsTokenStore callback rejections (CIP-3114)
- scope `web-sys` to the wasm32 target
- Zeroize JsTokenStore JSON + default cookieStore to Secure
- drop redundant self:: link targets in module docs
- address PR #1959 review feedback

### Miscellaneous

- migrate napi platform sub-packages to peerDependencies optional
- regenerate index.d.ts; preserve manual AuthError block

### Refactoring

- release state mutex during TokenStore load; tighten comments
- extract save_refreshed_token + install_refreshed_token helpers
- rename callback helpers to *Fn, split into auth/store modules




### Documentation

- document why TokenResultPayload uses String

### Features

- wasm-bindgen sibling crate for Supabase Edge (Layer 3.5)
- make runtime work in Supabase Edge

### Fixes

- address Copilot review feedback + patch Dockerfiles

### Refactoring

- wasm32 support — cfg-gate filesystem and Send bounds
- 🚨 address review feedback on Layer 3 PR
- dedupe error code mapping + tighten bindings
- scope down to AccessKeyStrategy



### Miscellaneous

- release v0.34.1-alpha.2


### Miscellaneous

- release
- use explicit versions for cipherstash-client and stack-auth


### Miscellaneous

- updated the following local packages: cts-common, cts-common, stack-profile, zerokms-protocol


### Documentation

- 📝 add TypeScript example for AutoStrategy usage
- 📝 add CHANGELOG.md for @cipherstash/auth
- 📝 add INVALID_CRN to changelog error codes
- 📝 demonstrate whoami (subject/workspace) in examples
- 📝 update CHANGELOG with whoami fields and security notes

### Features

- ✨ expose auth strategies in @cipherstash/auth Node bindings
- ✨ add subject() and workspace_id() to ServiceToken
- add multi-workspace profile support (CIP-2942)
- require workspace to exist before switching

### Fixes

- 🩹 add INVALID_CRN error code and deduplicate zerokms_url
- 🔒️ derive OpaqueDebug on TokenResult to prevent token leaks
- 🔒️ derive OpaqueDebug on AutoStrategyOptions
- update integration tests for workspace-scoped profiles
- hard-error on token persistence failure, strengthen test assertions
- use npm install instead of npm ci in integration test tasks

### Miscellaneous

- 🔖 bump @cipherstash/auth to 0.35.0
- 🔧 regenerate index.d.ts from napi build
- release

### Refactoring

- ♻️ restructure stack-auth-node tests to follow conventions
- simplify workspace store usage

### Testing

- ✅ add unit tests for exposed auth strategies

### Style

- 💄 fix cargo fmt formatting
- 🎨 remove redundant comments from examples


### Documentation

- 📝 add TypeScript example for AutoStrategy usage
- 📝 add CHANGELOG.md for @cipherstash/auth
- 📝 add INVALID_CRN to changelog error codes
- 📝 demonstrate whoami (subject/workspace) in examples
- 📝 update CHANGELOG with whoami fields and security notes

### Features

- ✨ expose auth strategies in @cipherstash/auth Node bindings
- ✨ add subject() and workspace_id() to ServiceToken

### Fixes

- 🩹 add INVALID_CRN error code and deduplicate zerokms_url
- 🔒️ derive OpaqueDebug on TokenResult to prevent token leaks
- 🔒️ derive OpaqueDebug on AutoStrategyOptions

### Miscellaneous

- 🔖 bump @cipherstash/auth to 0.35.0
- 🔧 regenerate index.d.ts from napi build

### Refactoring

- ♻️ restructure stack-auth-node tests to follow conventions

### Testing

- ✅ add unit tests for exposed auth strategies

### Style

- 💄 fix cargo fmt formatting
- 🎨 remove redundant comments from examples
# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

### Features

- add provisionDeviceClient Node.js binding and tests

### Fixes

- lock file
- add User-Agent header, rename to device_client, surface errors

### Miscellaneous

- clean up test imports and simplify mise task

### Refactoring

- extract device client provisioning from CLI into stack-auth
- rename provisionDeviceClient to bindClientDevice


### Documentation

- add README for stack-auth and include it as module docs
- add README for @cipherstash/auth npm package

### Fixes

- remove blank line to satisfy cargo fmt
- update vitaminc imports for 0.1.0-pre4.2 module restructure


### Documentation

- 📝 move token refresh docs and mermaid diagram to public AuthStrategy trait

### Fixes

- 🐛 fix race condition in get_token() when token expires during refresh

### Testing

- ✅ restructure auto_refresh tests into nested scenario modules


### Documentation

- 📝 fix AutoStrategy docs to reference CS_WORKSPACE_CRN not CS_REGION

### Features

- add AutoStrategyBuilder, Option<T> KeyProvider, and SecretKey::from_hex

### Fixes

- 🔥 remove unreleased AutoStrategy::new() deprecated method
- 🩹 remove unnecessary bytes.clone() and improve MissingWorkspaceCrn message
- 🩹 address PR review feedback

### Refactoring

- ♻️ replace with_region with with_workspace_crn and add