Go Passwordless with WebAuthn

The initial version of passport-fido2-webauthn has been released! It expands the Passport ecosystem with a strategy capable of strongly authenticating a user in a fully passwordless manner.


Fixing Session Fixation

Version 0.6.0 of passport has been released, which improves robustness against classes of session fixation attacks. Being a security enhancement, I’d advise upgrading as soon as possible. But first, let’s look at the problem and the enhancements introduced in this release in order to…


Passport v0.5.3

This release reverts a change introduced in v0.5.1, with passport.initialize() middleware again extending requests with login(), logIn(), logout(), logOut(), isAuthenticated(), and isUnauthenticated() functions. This now correctly matches the behavior in v0.5.0, with only versions 0.5.1 and 0.5.2…


Passport v0.5.2

After the release of v0.5.1, there were reports of breaking changes. From the perspective of the passport package itself, there should not have been any breakage. After investigating the reports, however, it was confirmed that issues arose when using certain strategies — passport-azure-ad (which is…


Passport v0.5.1

This release continues the work started by v0.5.0, and simplifies the application-level middleware needed to configure Passport. In particular, passport.initialize() is no longer required. The only middleware that would typically be used at the application-level is now passport.session(), which is…


No Access Token, No Service

Version 1.6.1 of passport-oauth2 has been released. This version responds immediately with an HTTP error in situations when, upon exchanging the authorization code for an access token, the authorization server responds with a successful response, but that response is missing an…


Passport v0.5.0

This release improves Passport’s internals to avoid monkey patching Node.js core modules. In prior versions of Passport, the IncomingMessage class of the HTTP module was patched, adding login(), logIn(), logout(), logOut(), isAuthenticated(), and isUnauthenticated() functions to the prototype. While…


Application State in OAuth 1.0

Following up on yesterday’s release of passport-oauth2 version 1.6.0, which introduced application-level state storage, the same capability is now available in passport-oauth1 version 1.2.0.