Releases: RevittCo/fsa

v4.0.0 - HttpOnly Cookie Auth

26 Feb 11:47
v4.0.0
b78c1f2

Breaking Changes

  • POST /auth/login — was GET with query params, now POST with JSON body {"email": "...", "returnUrl": "..."}
  • POST /auth/confirm — was GET with query params, now POST with JSON body {"code": "...", "email": "..."}
  • POST /auth/refresh — reads refresh_token cookie automatically, no longer accepts {"token": "..."} in body
  • Refresh error responses return 401 instead of 500/400
  • Go module path changed from github.com/revittco/fsa/v3 to github.com/revittco/fsa/v4

What's New

  • RefreshToken handler reads the token from the HttpOnly refresh_token cookie instead of the JSON body. This fixes the 15-minute logout bug: since v3 the refresh token has been issued as an HttpOnly cookie, which JavaScript cannot read, so the frontend could never place it in the request body and users were logged out after 15 minutes
  • Login and ConfirmCode switch from GET+query params to POST+JSON body, preventing email/code exposure in logs and browser history
  • Configurable RefreshPath on CookieConfig for projects mounting routes behind a prefix (defaults to /auth/refresh)
  • Guard against panic when ReturnUrls config is empty and no returnUrl is sent
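
To make the v4 refresh flow concrete, here is an added example (not code from RevittCo/fsa) of a handler with the behaviour the notes describe: POST only, the refresh token read from the HttpOnly refresh_token cookie, 401 on every token failure, the cookie scoped to a configurable RefreshPath, and the returnUrl allow-list check with the empty-list guard. CookieConfig.RefreshPath and ReturnUrls follow the notes; NewAuthServer, ResolveReturnUrl, the in-memory token store and the exact-match rule for returnUrl are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// CookieConfig carries the settings the release notes name; the field names
// are assumed for this example. An empty RefreshPath means /auth/refresh.
type CookieConfig struct {
	Secure      bool
	SameSite    http.SameSite
	RefreshPath string
}

func (c CookieConfig) Path() string {
	if c.RefreshPath == "" {
		return "/auth/refresh"
	}
	return c.RefreshPath
}

// AuthServer stands in for the library's handler set; refreshTokens is a
// constructed in-memory store (token -> email), not real persistence.
type AuthServer struct {
	Cookies       CookieConfig
	ReturnUrls    []string
	refreshTokens map[string]string
}

func NewAuthServer(cfg CookieConfig, returnUrls []string, tokens map[string]string) *AuthServer {
	return &AuthServer{Cookies: cfg, ReturnUrls: returnUrls, refreshTokens: tokens}
}

// SetRefreshCookie issues the HttpOnly refresh cookie. Scoping Path to the
// refresh route makes the browser attach it only to that endpoint.
func (s *AuthServer) SetRefreshCookie(w http.ResponseWriter, token string) {
	http.SetCookie(w, &http.Cookie{
		Name: "refresh_token", Value: token, Path: s.Cookies.Path(),
		HttpOnly: true, Secure: s.Cookies.Secure, SameSite: s.Cookies.SameSite,
	})
}

// Refresh is the v4 shape: POST only, token taken from the cookie rather than
// a JSON body, and every token failure answered with 401 (never 400 or 500).
func (s *AuthServer) Refresh(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	c, err := r.Cookie("refresh_token")
	if err != nil || c.Value == "" {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	email, ok := s.refreshTokens[c.Value]
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]string{"email": email})
}

// ResolveReturnUrl checks a client-supplied returnUrl by exact match against
// the allow list. An empty returnUrl falls back to the first entry; the len
// check is the guard the release adds (ReturnUrls[0] on an empty slice panics).
func (s *AuthServer) ResolveReturnUrl(requested string) (string, error) {
	if requested == "" {
		if len(s.ReturnUrls) == 0 {
			return "", errors.New("no returnUrl sent and no ReturnUrls configured")
		}
		return s.ReturnUrls[0], nil
	}
	for _, allowed := range s.ReturnUrls {
		if requested == allowed {
			return requested, nil
		}
	}
	return "", fmt.Errorf("returnUrl %q not in allowed list", requested)
}

// Handler mounts the refresh route at the configured path.
func (s *AuthServer) Handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc(s.Cookies.Path(), s.Refresh)
	return mux
}

func main() {
	s := NewAuthServer(CookieConfig{RefreshPath: "/api/auth/refresh", Secure: true, SameSite: http.SameSiteStrictMode},
		[]string{"https://app.example.com/"}, map[string]string{"constructed-refresh-token": "alice@example.com"})
	for _, tc := range []struct{ name, method, cookie string }{
		{"no cookie", http.MethodPost, ""}, {"unknown cookie", http.MethodPost, "bogus"},
		{"valid cookie", http.MethodPost, "constructed-refresh-token"}, {"old GET style", http.MethodGet, "constructed-refresh-token"},
	} {
		req := httptest.NewRequest(tc.method, "/api/auth/refresh", nil)
		if tc.cookie != "" {
			req.AddCookie(&http.Cookie{Name: "refresh_token", Value: tc.cookie})
		}
		rr := httptest.NewRecorder()
		s.Handler().ServeHTTP(rr, req)
		fmt.Printf("%-15s -> %d\n", tc.name, rr.Code)
	}
}
```

Running it prints the status for a missing cookie, an unknown cookie, a valid cookie and the old GET style. Because the cookie's Path is the refresh route, a browser sends the refresh token only to that endpoint and never with ordinary API calls, which is the reason RefreshPath has to match the prefix the routes are mounted under.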

Migration

Update your import path:

// Before
import "github.com/revittco/fsa/v3"

// After
import "github.com/revittco/fsa/v4"

Update your frontend to send POST requests with JSON bodies for /auth/login and /auth/confirm, and remove any manual refresh_token handling (the cookie is now sent automatically).

v3.0.0 - Security Improvements

12 Feb 16:43
bc458f5

Breaking Changes

This is a major version release (v3.0.0). Consumers must update their code:

  • Refresh endpoint: GET /auth/refresh?token=xxx → POST /auth/refresh with {"token": "xxx"}
  • Token handling: Tokens returned as cookies, not in response body
  • Frontend changes: Add credentials: 'include' to fetch calls, add X-CSRF-Token header for POST/PUT/DELETE
  • Go version: Requires Go 1.26+

New Features

  • CSRF protection: CSRFMiddleware and SetCSRFCookie for state-changing requests
  • Cookie auth: Middleware accepts tokens from cookies (with header fallback)
  • Logout endpoint: POST /auth/logout clears token cookies
  • Input validation: returnUrl validated against allowed list
  • URL encoding: Email and code parameters properly encoded in login links
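
An added example (not the library's own implementation) of the three v3 pieces working together: a double-submit CSRF middleware that compares the CSRF cookie with the X-CSRF-Token header in constant time on state-changing methods, an auth middleware that takes the access token from a cookie and falls back to a bearer Authorization header, and a POST /auth/logout that expires the token cookies. The cookie names access_token, refresh_token and csrf_token, the CSRFConfig field names and the allow-set used in place of JWT verification are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CSRFConfig follows the settings the notes name; field names are assumed.
type CSRFConfig struct {
	CookieName  string
	HeaderName  string
	TokenLength int // random bytes before base64 encoding
}

func DefaultCSRFConfig() CSRFConfig {
	return CSRFConfig{CookieName: "csrf_token", HeaderName: "X-CSRF-Token", TokenLength: 32}
}

// SetCSRFCookie issues the double-submit cookie. It is deliberately not
// HttpOnly: the frontend must read it to copy it into the header.
func SetCSRFCookie(w http.ResponseWriter, cfg CSRFConfig, secure bool) (string, error) {
	buf := make([]byte, cfg.TokenLength)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(buf)
	http.SetCookie(w, &http.Cookie{Name: cfg.CookieName, Value: token, Path: "/",
		Secure: secure, SameSite: http.SameSiteLaxMode})
	return token, nil
}

// CSRFMiddleware lets safe methods through and requires header == cookie on
// everything else. A cross-site form post cannot add custom headers, so it
// fails here even though the browser attached the cookies.
func CSRFMiddleware(cfg CSRFConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r)
			return
		}
		c, err := r.Cookie(cfg.CookieName)
		hdr := r.Header.Get(cfg.HeaderName)
		if err != nil || hdr == "" || subtle.ConstantTimeCompare([]byte(c.Value), []byte(hdr)) != 1 {
			http.Error(w, "csrf token mismatch", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// TokenFromRequest prefers the access-token cookie and falls back to a bearer
// Authorization header for API clients that hold no cookies.
func TokenFromRequest(r *http.Request) string {
	if c, err := r.Cookie("access_token"); err == nil && c.Value != "" {
		return c.Value
	}
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimSpace(strings.TrimPrefix(h, "Bearer "))
	}
	return ""
}

// AuthMiddleware rejects requests with no usable token; verification is
// reduced to a constructed allow-set here instead of JWT validation.
func AuthMiddleware(valid map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !valid[TokenFromRequest(r)] {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Logout expires both token cookies; Path must match the one they were set with.
func Logout(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	for _, name := range []string{"access_token", "refresh_token"} {
		http.SetCookie(w, &http.Cookie{Name: name, Value: "", Path: "/", MaxAge: -1, HttpOnly: true})
	}
	w.WriteHeader(http.StatusNoContent)
}

// Handler wires CSRF outside auth so every protected route gets both checks.
func Handler(cfg CSRFConfig, valid map[string]bool) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/auth/logout", Logout)
	mux.HandleFunc("/api/me", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") })
	return CSRFMiddleware(cfg, AuthMiddleware(valid, mux))
}

func main() {
	h := Handler(DefaultCSRFConfig(), map[string]bool{"constructed-access-token": true})
	req := httptest.NewRequest(http.MethodPost, "/auth/logout", nil)
	req.AddCookie(&http.Cookie{Name: "access_token", Value: "constructed-access-token"})
	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: "abc"}) // cookie present, header missing
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	fmt.Println("logout without X-CSRF-Token ->", rr.Code)
}
```

The frontend side of this is exactly what the Breaking Changes list asks for: fetch with credentials: 'include' so the cookies travel, and the value of the CSRF cookie copied into the X-CSRF-Token header on POST/PUT/DELETE. Header fallback in TokenFromRequest is what lets non-browser clients keep using a bearer token without cookies.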

Configuration

New optional config fields:

  • CookieConfig - Domain, Secure, SameSite settings
  • CSRFConfig - Cookie name, header name, token length

See #21 for full implementation details.

v2.1.0

30 Sep 10:39
367527c

What's Changed

Full Changelog: v2.0.6...v2.1.0

v2.0.6

28 Apr 09:04
84aecb1

What's Changed

Full Changelog: v2.0.5...v2.0.6

v2.0.5

18 Oct 12:16
723eefc

What's Changed

Full Changelog: v2.0.3...v2.0.5

v2.0.4

18 Oct 11:54
eaa7045

What's Changed

Full Changelog: v2.0.2...v2.0.4

v2.0.3

18 Oct 11:49
eaa7045

What's Changed

Full Changelog: v2.0.2...v2.0.3

v2.0.2

18 Oct 11:49
3323217

put uuid on user claims jwt (#15)

v2.0.0

18 Oct 11:49
57ea61b

What's Changed

Full Changelog: v1.0.2...v2.0.0

v1.0.2

03 May 09:50
a44f6e5

What's Changed

Full Changelog: v1.0.1...v1.0.2