v0.12.0: What's new?

[pilcrowonpaper]

v0.12.0 is here!

This is another major one - it removes access tokens and refresh tokens and replaces them with a single session id. You still get session rotation but with a simpler mechanism. validateRequestEvent() (formerly validateRequest()) now automatically renews session so no need to worry about session expiration on the client. I'm pretty happy with this update, and it cleaned up a lot of junk from the transition. Hopefully I can now focus more on the small stuff, slowly polishing and maturing the library.

So how does the new sessions work? Session ids are like access tokens, they are connected to a session and it can be used to validate session. But, they can be in multiple states:

Sessions (and their ids) can be in one of 3 states: active, idle, and dead. Active sessions can be used to check the validity of requests and get the current user. These expire after a while, and once they do, they are considered idle. For some period of time, idle sessions can be renewed for a new active session. Idle sessions that have passed that period, however, are considered dead and cannot be used in any way. This makes sure inactive users are logged out, while active user sessions are persisted.

Migration

Make sure to update the adapter to the latest version!

One thing you'd want to do is reset and rebuild the session table. This will log out every user but you won't lose any user data. You can delete the refresh_token table.

Another change that likely affects everyone is the removal setCookie(). createSession() and renewSession() both return setSessionCookie(), which can be used to store the newly created session id.

What's next?

Right now my priority is to update the docs. One thing I'd like to tackle is #130, though I'm still not sure on how to implement it.