Skip to content

Latest commit

 

History

History
166 lines (95 loc) · 26.6 KB

File metadata and controls

166 lines (95 loc) · 26.6 KB

@mastra/auth-studio

1.3.0

Minor Changes

Patch Changes

1.3.0-alpha.0

Minor Changes

Patch Changes

1.2.6

Patch Changes

1.2.6-alpha.0

Patch Changes

  • Security remediation for the 2026-06-17 "easy-day-js" supply-chain incident. Patch bump to publish clean versions and move the latest dist-tag forward, superseding the compromised versions that declared the malicious easy-day-js dependency. (#18056)

  • Updated dependencies [77a2351]:

    • @mastra/core@1.43.1-alpha.0

1.2.3

Patch Changes

  • Removed Hono from @mastra/core and auth package runtime dependencies. Auth providers now receive framework-agnostic request types that support standard Request objects and Hono-compatible request shapes. MCP and deployer avoid relying on core-bundled Hono context types at package boundaries. (#17410)

  • Updated dependencies [c973db4, 552285e, 77e686c, ece8dba, e751af2, e2a8380, be3f1cd, a34d9db]:

    • @mastra/core@1.39.0

1.2.3-alpha.0

Patch Changes

  • Removed Hono from @mastra/core and auth package runtime dependencies. Auth providers now receive framework-agnostic request types that support standard Request objects and Hono-compatible request shapes. MCP and deployer avoid relying on core-bundled Hono context types at package boundaries. (#17410)

  • Updated dependencies [c973db4, 552285e, 77e686c, ece8dba, e751af2, e2a8380, be3f1cd, a34d9db]:

    • @mastra/core@1.39.0-alpha.0

1.2.2

Patch Changes

1.2.2-alpha.0

Patch Changes

  • Authentication now refreshes expired server-side sessions transparently, so recoverable token expiry no longer causes unexpected user sign-outs. Only truly expired sessions (e.g. refresh token dead) return a 401. (#15819)

    Server adapters now forward refreshed session cookies consistently, and auth-studio logs session validation and refresh failures to improve diagnostics.

  • Updated dependencies [28caa5b, 7d056b6, 26f1f94]:

    • @mastra/core@1.29.0-alpha.5

1.2.1

Patch Changes

  • Fix session refresh for studio-deployed instances. Sessions now properly refresh when expired, preventing users from being logged out every 5 minutes. (#15024)

  • Fix Bearer token authentication to extract role from /auth/verify response. Previously, CLI tokens created via mastra auth token create would fail permission checks because the role was not being extracted, causing MastraRBACStudio to fall back to empty default permissions. (#15075)

  • Updated dependencies [f32b9e1, 7d6f521, a50d220, 665477b, 4cc2755, ac7baf6, ed425d7, 1371703, 0df8321, 98f8a8b, ba6f7e9, 7eb2596, 1805ddc, fff91cf, 61109b3, 33f1ead]:

    • @mastra/core@1.23.0

1.2.1-alpha.1

Patch Changes

  • Fix Bearer token authentication to extract role from /auth/verify response. Previously, CLI tokens created via mastra auth token create would fail permission checks because the role was not being extracted, causing MastraRBACStudio to fall back to empty default permissions. (#15075)

  • Updated dependencies [1371703, 98f8a8b]:

    • @mastra/core@1.23.0-alpha.5

1.2.1-alpha.0

Patch Changes

  • Fix session refresh for studio-deployed instances. Sessions now properly refresh when expired, preventing users from being logged out every 5 minutes. (#15024)

  • Updated dependencies [ed425d7, ba6f7e9, 7eb2596]:

    • @mastra/core@1.23.0-alpha.0

1.2.0

Minor Changes

  • Add configurable cookie domain support (#14285)
    • Add cookieDomain option to MastraAuthStudioOptions for explicit configuration
    • Support MASTRA_COOKIE_DOMAIN environment variable as fallback
    • Use hostname-based detection for auto-detecting .mastra.ai domain (prevents false positives from malicious URLs)
    • Maintain backward compatibility with existing .mastra.ai auto-detection

Patch Changes

1.2.0-alpha.0

Minor Changes

  • Add configurable cookie domain support (#14285)
    • Add cookieDomain option to MastraAuthStudioOptions for explicit configuration
    • Support MASTRA_COOKIE_DOMAIN environment variable as fallback
    • Use hostname-based detection for auto-detecting .mastra.ai domain (prevents false positives from malicious URLs)
    • Maintain backward compatibility with existing .mastra.ai auto-detection

Patch Changes

1.1.0

Minor Changes

  • Added @mastra/auth-studio — an auth provider for deployed Mastra Studio instances that proxies authentication through the Mastra shared API. (#13163)

    Deployed instances need no secrets — all WorkOS authentication is handled by the shared API. The package provides SSO login/callback flows, session management via sealed cookies, RBAC with organization-scoped permissions, and automatic forced account picker on deploy logins.

Patch Changes

1.1.0-alpha.0

Minor Changes

  • Added @mastra/auth-studio — an auth provider for deployed Mastra Studio instances that proxies authentication through the Mastra shared API. (#13163)

    Deployed instances need no secrets — all WorkOS authentication is handled by the shared API. The package provides SSO login/callback flows, session management via sealed cookies, RBAC with organization-scoped permissions, and automatic forced account picker on deploy logins.

Patch Changes