feat(auth): harden authentication with argon2 passwords and rotating hashed refresh tokens
This commit is contained in:
@@ -1,5 +1,14 @@
|
||||
# Changelog
|
||||
|
||||
## 2026-04-20 - 1.17.0 - feat(auth)
|
||||
harden authentication with argon2 passwords and rotating hashed refresh tokens
|
||||
|
||||
- replace SHA-256 password hashing with argon2 while preserving verification and upgrade support for legacy hashes
|
||||
- rotate refresh tokens on JWT refresh, detect token reuse, and invalidate compromised sessions
|
||||
- store refresh and transfer tokens as hashes with one-time transfer token validation and expiry
|
||||
- persist refresh tokens separately on the client so sessions can recover and refresh without embedding tokens in JWTs
|
||||
- add authentication tests covering password verification, legacy hash migration, refresh token rotation, reuse detection, and one-time transfer tokens
|
||||
|
||||
## 2026-01-29 - 1.16.0 - feat(dev)
|
||||
add local development docs, update tswatch preset and add Playwright screenshots
|
||||
|
||||
|
||||
Reference in New Issue
Block a user