npm - knowless - Versions diffs - 1.1.1 → 1.1.2 - Mend

knowless 1.1.1 → 1.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -30,6 +30,30 @@ v1.0.0 are:
 - Documentation corrections
 - Helper exports that pull existing mechanism back into the library
+## [1.1.2] — 2026-05-03
+Documentation-only release. Adopters were repeatedly missing that
+`auth.loginForm` is an unstyled contract-minimal fallback they
+should override, and that `/login` is also where every silent-miss
+failure (used / expired / sham / malformed token) redirects — so
+the page deserves first-class UI in the host app, not the bundled
+default. No code changes.
+### Documented
+- `GUIDE.md` FAQ — added section "Branding the GET /login page
+  (you almost certainly want to override it)" with the three
+  reasons (brand consistency, silent-miss redirect target, opt-in
+  fallback) and the override pattern. Extended the existing
+  custom-form contract with `next` validation against
+  `baseUrl` + `cookieDomain` and the optional honeypot field name
+  from `cfg.honeypotFieldName`.
+- `knowless.context.md` gotcha #10 — expanded the "operators
+  wanting branding fork the project" note to surface the more
+  common path (skip mounting `auth.loginForm`, serve your own
+  `GET /login`) and call out that `/login` is the silent-miss
+  redirect target.
 ## [1.1.1] — 2026-05-02
 Documentation-only release. Adds the wrong-shape-integration

package/GUIDE.md CHANGED Viewed

@@ -929,7 +929,48 @@ own form, provided it satisfies the handler contract:
   stream itself. A body-parser middleware mounted before `auth.login`
   will silently steal the data (see gotcha #15 in
   [`knowless.context.md`](knowless.context.md)).
-- Optional: include a `next` field for the post-callback redirect URL.
+- Optional: include a `next` field for the post-callback redirect URL
+  (knowless validates `next` against `baseUrl` + `cookieDomain`).
+- Optional but recommended: include the honeypot field using the name
+  from `cfg.honeypotFieldName`.
+### Branding the GET /login page (you almost certainly want to override it)
+Knowless ships `auth.loginForm(req, res)` as a turnkey fallback so
+adopters can wire `GET /login` in one line and have a working magic-link
+form. The page is intentionally unstyled — it's the contract-minimal
+renderer needed to make the flow demonstrable, not a UI you ship to
+end users. Three reasons most adopters override it:
+1. **Brand consistency.** The fallback page has no header, footer, nav,
+   or styling, so users redirected here from elsewhere in your app land
+   on what looks like a different site. That's especially jarring after
+   a sham-token failure (a deliberate part of the silent-miss design —
+   see "Silent miss" in [`knowless.context.md`](knowless.context.md)),
+   where a user clicked a magic link and ended up on a "Sign in" page
+   that looks unrelated to where they started.
+2. **`/login` is load-bearing in the silent-miss contract.** Knowless
+   redirects to `loginPath` on every failure mode that must be
+   indistinguishable from success — used token, expired token, sham
+   token, malformed token. That redirect is correct and required. But
+   it means `/login` is the page users actually land on during
+   anti-enumeration failures, not just the page they navigate to
+   deliberately. It deserves first-class UI in your app.
+3. **`auth.loginForm` is opt-in, not opt-out.** Adopters who never wire
+   the GET route still get a working app — just without a friendly
+   `/login` page. Override it whenever you want your app's chrome on
+   the page. The POST handler can stay as-is (or also be wrapped — for
+   example, plato wraps it for the "we sent a link" confirmation).
+Override pattern (mount your own handler instead of `auth.loginForm`):
+```js
+app.get('/login', (req, res) => renderMyOwnLogin(req, res));
+app.post('/login', auth.login);  // unchanged
+```
+The form just needs to satisfy the contract listed in the previous
+question.
 ### How do I add 2FA / WebAuthn / TOTP?

package/knowless.context.md CHANGED Viewed

@@ -699,7 +699,13 @@ rate-limits) belongs above the library.
 10. **No JavaScript in any HTML page.** The login form, the
     confirmation page, error pages — all static HTML5. Works in
     text-mode browsers (Lynx, w3m). Operators wanting branding
-    fork the project.
+    fork the project — **or, more commonly, skip mounting
+    `auth.loginForm` and serve their own `GET /login`**. The
+    fallback is intentionally a contract-minimal renderer, not a
+    UI to ship. `/login` is also where every silent-miss failure
+    redirects (used / expired / sham / malformed token), so it
+    deserves first-class chrome in the host app. See GUIDE.md
+    § "Branding the GET /login page".
 11. **Process cleanup matters.** `auth.close()` stops the
     sweeper and closes the SQLite handle. Without it, your

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "knowless",
-  "version": "1.1.1",
+  "version": "1.1.2",
   "description": "Small, opinionated, full-stack passwordless auth for Node.js services that don't need to email their users for anything but the sign-in link.",
   "type": "module",
   "main": "./src/index.js",