Version 0.6.0 of passport has been released, which improves robustness against classes of session fixation attacks. Being a security enhancement, I’d advise upgrading as soon as possible. But first, let’s look at the problem and the enhancements introduced in this release in order to…

This release reverts a change introduced in v0.5.1, with passport.initialize() middleware again extending requests with login(), logIn(), logout(), logOut(), isAuthenticated(), and isUnauthenticated() functions. This now correctly matches the behavior in v0.5.0, with only versions 0.5.1 and 0.5.2…

The initial version of passport-fido2-webauthn has been released! This strategy expands the Passport ecosystem with a strategy capable of strongly authenticating a user in a fully passwordless manner.

Version 1.6.1 of passport-oauth2 has been released. This version responds immediately with an HTTP error in situations when, upon exchanging the authorization code for an access token, the authorization server responds with a successful response, but that response is missing an…

Authentication is in a renaissance period right now, with strong cryptographic credentials becoming available to a wider set of people more quickly than ever before. The traditional web is rolling out WebAuthn, while the emerging Web3 and blockchain communities are innovating with…

After the release of v0.5.1, there were reports of breaking changes. From the perspective of the passport package itself, there should not have been any breakage. After investigating the reports, however, it was confirmed that issues arose when using certain strategies — passport-azure-ad (which is…