knowless 1.1.2 → 1.1.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +32 -0
- package/GUIDE.md +20 -7
- package/knowless.context.md +19 -1
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -30,6 +30,38 @@ v1.0.0 are:
|
|
|
30
30
|
- Documentation corrections
|
|
31
31
|
- Helper exports that pull existing mechanism back into the library
|
|
32
32
|
|
|
33
|
+
## [1.1.3] — 2026-05-03
|
|
34
|
+
|
|
35
|
+
Documentation-only release. Surfaces a partial enumeration leak
|
|
36
|
+
in the default `failureRedirect` fallback that previously read as
|
|
37
|
+
"Mode-A only" guidance but actually applies to every adopter.
|
|
38
|
+
POST /login is built to make valid/invalid/rate-limited responses
|
|
39
|
+
indistinguishable (timing equivalence, sham tokens, sham-recipient
|
|
40
|
+
mailing, identical response shapes); the link-click stage extends
|
|
41
|
+
that contract, but the default `failureRedirect` cascade points at
|
|
42
|
+
`loginPath` (typically `/login`) — so a user clicking a sham link
|
|
43
|
+
lands on a "Sign in" page and immediately knows the link was
|
|
44
|
+
rejected, defeating the POST-stage work. plato wraps knowless with
|
|
45
|
+
`failureRedirect: '/'` for exactly this reason. No code changes.
|
|
46
|
+
|
|
47
|
+
### Documented
|
|
48
|
+
|
|
49
|
+
- `GUIDE.md` Step-4 callout — replaced the narrow "Mode-A
|
|
50
|
+
heads-up" with a broader "set `failureRedirect: '/'` — it's
|
|
51
|
+
part of the silent-miss contract, not just a UX knob"
|
|
52
|
+
guidance, with the reasoning chain (POST-stage work, link-
|
|
53
|
+
click extension, leak-free landing) and the explicit opt-in
|
|
54
|
+
for adopters who want "try again" UX (`failureRedirect:
|
|
55
|
+
cfg.loginPath`). plato cited as the reference adopter.
|
|
56
|
+
- `GUIDE.md` config-table row for `failureRedirect` —
|
|
57
|
+
expanded the cell to lead with the silent-miss framing
|
|
58
|
+
rather than the Mode-A 404 framing.
|
|
59
|
+
- `knowless.context.md` `failureRedirect` comment in the
|
|
60
|
+
options block — flagged the default as a leak, pointer to
|
|
61
|
+
the new gotcha.
|
|
62
|
+
- `knowless.context.md` gotcha #20 — full silent-miss
|
|
63
|
+
contract write-up with the trade-off and reference adopter.
|
|
64
|
+
|
|
33
65
|
## [1.1.2] — 2026-05-03
|
|
34
66
|
|
|
35
67
|
Documentation-only release. Adopters were repeatedly missing that
|
package/GUIDE.md
CHANGED
|
@@ -384,12 +384,25 @@ and `startLogin` would compute. The bare `deriveHandle` re-export
|
|
|
384
384
|
takes pre-normalized input; use the instance method unless you
|
|
385
385
|
have a specific reason to call the lower-level primitive.
|
|
386
386
|
|
|
387
|
-
> **
|
|
388
|
-
>
|
|
389
|
-
> `
|
|
390
|
-
>
|
|
391
|
-
>
|
|
392
|
-
>
|
|
387
|
+
> **Set `failureRedirect: '/'` — it's part of the silent-miss
|
|
388
|
+
> contract, not just a UX knob.** The default falls back to
|
|
389
|
+
> `loginPath` (typically `/login`). That's a partial enumeration
|
|
390
|
+
> leak: `POST /login` goes to significant lengths to make
|
|
391
|
+
> valid/invalid/rate-limited submissions indistinguishable
|
|
392
|
+
> (timing equivalence, sham tokens, sham-recipient mailing,
|
|
393
|
+
> identical response shapes) — but if a user clicks a sham or
|
|
394
|
+
> expired magic link and lands on a "Sign in" page, they
|
|
395
|
+
> immediately know the link was rejected, defeating the work the
|
|
396
|
+
> POST stage did. The leak-free landing is the same page any
|
|
397
|
+
> logged-out visitor sees on first arrival — usually `/`. Mode-A
|
|
398
|
+
> adopters have an extra reason: the default `failureRedirect`
|
|
399
|
+
> cascade points at `/login`, a route Mode A doesn't serve, so
|
|
400
|
+
> expired/replayed clicks 302 to a 404. Reference: plato wraps
|
|
401
|
+
> knowless with `failureRedirect: '/'` for this reason.
|
|
402
|
+
> Adopters who genuinely want a "try again" UX after failure
|
|
403
|
+
> can opt in explicitly with `failureRedirect: cfg.loginPath`,
|
|
404
|
+
> but understand you're trading the silent-miss guarantee at
|
|
405
|
+
> the link-click stage for that UX.
|
|
393
406
|
|
|
394
407
|
### Step 5: Pre-seed users (closed-registration mode, default)
|
|
395
408
|
|
|
@@ -808,7 +821,7 @@ Full options table:
|
|
|
808
821
|
| `trustedProxies` | no | `['127.0.0.1', '::1']` | IPs allowed to set `X-Forwarded-For`. |
|
|
809
822
|
| `shamRecipient` | no | `null@knowless.invalid` | Where sham mail goes (your MTA must discard it). |
|
|
810
823
|
| `sweepIntervalMs` | no | `300000` | Sweeper tick (5 min default). |
|
|
811
|
-
| `failureRedirect` | no | (= `loginPath`) | Where /auth/callback failures redirect. **Mode-A adopters
|
|
824
|
+
| `failureRedirect` | no | (= `loginPath`) | Where /auth/callback failures (expired / used / sham / malformed token) redirect. **Set this to `'/'` (or any logged-out landing).** Default falls back to `loginPath`, which is a silent-miss leak: a user who clicks a sham/expired link and lands on a "Sign in" page knows the link was rejected, defeating the anti-enumeration work done at POST /login. Part of the silent-miss contract, not a UX knob. Mode-A adopters who don't mount `loginForm` *also* hit a 404 with the default. Opt back into the "try again" UX by passing `loginPath` explicitly if you understand the trade. |
|
|
812
825
|
| `store` | no | (built-in `node:sqlite`) | Inject your own store implementation. |
|
|
813
826
|
| `mailer` | no | (built-in nodemailer) | Inject your own mailer. |
|
|
814
827
|
|
package/knowless.context.md
CHANGED
|
@@ -114,7 +114,7 @@ const auth = knowless({
|
|
|
114
114
|
linkPath: '/auth/callback',
|
|
115
115
|
verifyPath: '/verify',
|
|
116
116
|
logoutPath: '/logout',
|
|
117
|
-
failureRedirect: null, // null → loginPath
|
|
117
|
+
failureRedirect: null, // null → loginPath (LEAK — set '/'; see gotcha #20)
|
|
118
118
|
|
|
119
119
|
// --- Mail / SMTP ---
|
|
120
120
|
smtpHost: 'localhost',
|
|
@@ -770,6 +770,24 @@ rate-limits) belongs above the library.
|
|
|
770
770
|
return shape. Don't wrap `startLogin` in something that surfaces
|
|
771
771
|
the branch to the caller; that re-opens the enumeration oracle.
|
|
772
772
|
|
|
773
|
+
20. **`failureRedirect` is part of the silent-miss contract.**
|
|
774
|
+
Default falls back to `loginPath` — a partial enumeration
|
|
775
|
+
leak. POST /login goes to significant lengths to keep
|
|
776
|
+
valid/invalid/rate-limited submissions indistinguishable
|
|
777
|
+
(timing, sham tokens, sham-recipient mailing, identical
|
|
778
|
+
response shapes), and the link-click stage extends that
|
|
779
|
+
contract: real tokens issue a session + redirect to
|
|
780
|
+
`nextUrl`; failures (expired, used, sham, malformed) go to
|
|
781
|
+
`failureRedirect`. If that's `/login`, a user who clicks a
|
|
782
|
+
sham link lands on a "Sign in" page and immediately knows
|
|
783
|
+
the link was rejected — defeating the POST-stage work. Set
|
|
784
|
+
`failureRedirect: '/'` (or any route a logged-out visitor
|
|
785
|
+
would see on first arrival) so a sham click is
|
|
786
|
+
indistinguishable from a never-clicked link. Adopters who
|
|
787
|
+
genuinely want a "try again" UX after failure opt back in
|
|
788
|
+
explicitly with `failureRedirect: cfg.loginPath`. plato is
|
|
789
|
+
the reference adopter for the leak-free wiring.
|
|
790
|
+
|
|
773
791
|
## Constraints
|
|
774
792
|
|
|
775
793
|
- **Node 20+** -- targeting LTS; tested on Node 22
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "knowless",
|
|
3
|
-
"version": "1.1.
|
|
3
|
+
"version": "1.1.3",
|
|
4
4
|
"description": "Small, opinionated, full-stack passwordless auth for Node.js services that don't need to email their users for anything but the sign-in link.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "./src/index.js",
|