🚀 Blazor.Auth v2.0

@YuriyDurov YuriyDurov released this 05 Feb 15:15
· 20 commits to main since this release

What's Changed

Blazor.Auth has received a major security overhaul!
The library now follows stronger standards and practices for storing and transporting your JWTs, so that the tokens are protected against the most common browser-side threats.

The cookies that carry your JWTs are now marked HttpOnly, Secure, and SameSite.

Each flag closes a specific avenue: HttpOnly keeps the tokens out of reach of page scripts, so a Cross-Site Scripting (XSS) bug can no longer read and exfiltrate them; Secure stops the browser from sending them over plaintext HTTP, where a Man-In-The-Middle (MITM) could capture them; SameSite stops the browser from attaching them to cross-site requests, which blocks Cross-Site Request Forgery (CSRF) against cookie-authenticated endpoints.

Breaking Changes

  • Blazor.Auth now only allows the use of JWTs in an HTTPS context by default: the cookies carry the Secure flag, so browsers will not send them over plain HTTP. This behavior can be disabled by setting the DisableSecureCookieFlag option to true in the server part of the application. Only do this for local development over HTTP; in production the flag must stay enabled.

    Example:

    builder.AddBlazorAuth<SampleAuthenticationService>(options =>
    {
        // Drops the Secure flag so the JWT cookies also work over plain HTTP.
        // Intended for local development only.
        options.DisableSecureCookieFlag = true;
    });
  • IUserService now returns AuthenticationOperationInfo instead of AuthenticationResult in the SignInAsync, SignUpAsync and RefreshJwtPairAsync methods. This is a new class similar to AuthenticationResult, but without the actual JWTs, so the tokens never leave the server-side cookie handling.

  • IAuthenticationService is now only available in the Server part of the application.

  • AuthenticationStateProvider implementations have been unified into a single class. The differences between rendering environments are now handled by IUserService, and AuthenticationStateProvider relies on IUserService to resolve the user's authentication state.

  • Client-side code now makes an HTTP request in order to resolve the user's authentication state or perform any authentication operation. This is a direct consequence of the HttpOnly flag: the JWT cookie is only readable by the server, in the context of an HTTP request made by the user's browser, so the client must ask the server for the user's authentication information instead of reading the token itself.

  • Authentication operations in interactive server-side rendering now also trigger an HTTP request from the client's machine to the server. The SignalR circuit that Blazor Server runs on has no HTTP request of its own, and an HTTP request is what gives the server access to the user's authentication cookies to read and manipulate them.
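To make the cookie flags described above concrete, here is an added ASP.NET Core example that is not Blazor.Auth's own code: a weak cookie written the old way beside a hardened one carrying HttpOnly, Secure and SameSite, a server-side read that shows why the client now has to round-trip to the server, and a sign-out helper. The cookie names, the `secure` parameter (standing in for the effect of DisableSecureCookieFlag), the SameSite mode and the routes are assumptions for illustration; the release notes do not state which SameSite mode the library uses.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Assumed routes: the server issues the JWT cookies and is the only party able to read them.
app.MapPost("/auth/sign-in", (HttpContext ctx) =>
{
    // A real service would validate credentials and mint the tokens here.
    string accessJwt = "<access-jwt>";   // placeholder value
    string refreshJwt = "<refresh-jwt>"; // placeholder value
    bool secure = !app.Environment.IsDevelopment(); // plain HTTP only while developing

    JwtCookies.AppendHardened(ctx.Response, JwtCookies.AccessTokenCookie, accessJwt,
                              DateTimeOffset.UtcNow.AddMinutes(15), secure);
    JwtCookies.AppendHardened(ctx.Response, JwtCookies.RefreshTokenCookie, refreshJwt,
                              DateTimeOffset.UtcNow.AddDays(7), secure);
    return Results.Ok(new { signedIn = true }); // no JWT in the body
});

// The client cannot read an HttpOnly cookie, so it asks the server whether it is signed in.
app.MapGet("/auth/state", (HttpContext ctx) =>
{
    var jwt = JwtCookies.ReadJwt(ctx.Request, JwtCookies.AccessTokenCookie);
    return Results.Ok(new { authenticated = jwt is not null });
});

app.MapPost("/auth/sign-out", (HttpContext ctx) =>
{
    JwtCookies.Clear(ctx.Response, secure: !app.Environment.IsDevelopment());
    return Results.Ok();
});

app.Run();

public static class JwtCookies
{
    public const string AccessTokenCookie = "access_token";   // assumed name
    public const string RefreshTokenCookie = "refresh_token"; // assumed name

    // Weak: no flags. The cookie is readable via document.cookie (an XSS bug can steal the JWT),
    // is sent over plain HTTP, and is attached to cross-site requests.
    public static void AppendWeak(HttpResponse response, string name, string jwt)
    {
        response.Cookies.Append(name, jwt);
    }

    // Hardened: HttpOnly hides the cookie from scripts, Secure restricts it to HTTPS,
    // SameSite=Strict keeps it off cross-site requests. `secure` = false mirrors what
    // disabling the Secure flag does and belongs in local HTTP development only.
    public static void AppendHardened(HttpResponse response, string name, string jwt,
                                      DateTimeOffset expires, bool secure = true)
    {
        response.Cookies.Append(name, jwt, new CookieOptions
        {
            HttpOnly = true,
            Secure = secure,
            SameSite = SameSiteMode.Strict,
            Expires = expires,
            Path = "/",
            IsEssential = true,
        });
    }

    // Only the server, inside an HTTP request the browser made, can see the token.
    public static string? ReadJwt(HttpRequest request, string name)
    {
        return request.Cookies.TryGetValue(name, out var jwt) ? jwt : null;
    }

    // Deleting a cookie must use the same Path/Secure/SameSite attributes it was set with,
    // otherwise the browser treats it as a different cookie and keeps the original.
    public static void Clear(HttpResponse response, bool secure = true)
    {
        var opts = new CookieOptions
        {
            HttpOnly = true, Secure = secure, SameSite = SameSiteMode.Strict, Path = "/"
        };
        response.Cookies.Delete(AccessTokenCookie, opts);
        response.Cookies.Delete(RefreshTokenCookie, opts);
    }
}
```

Two caveats worth keeping in mind when choosing the flags: SameSite=Strict means a user following a link from another site arrives without the cookie and looks signed out until a same-site navigation happens, which is why many apps pick SameSite=Lax for the access-token cookie; and SameSite=None is only honoured by current browsers when Secure is also set, so it is not a way around the HTTPS requirement.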

Full Changelog: Auth-v1.1.0...Auth-v2.0.1