Nest Auth (beta)

Changelog

What's new in each release of @ackplus/nest-auth.

All packages release together at the same version: the five npm packages (@ackplus/nest-auth, -client, -react, -react-native, -contracts) plus nest_auth_flutter on pub.dev. Current stable: 2.2.0.


2.2.0 — ISOLATED fixes, tenant lookup, cleanup

  • Fixed (ISOLATED tenant scoping): forgot-password, verify-forgot-password-otp, and phone login now scope the account lookup by the resolved tenantId. Previously, when the same email existed in multiple tenants, a reset/login could resolve the wrong account. Reset/verify tokens round-trip the tenant, so links land in the correct isolated tenant.
  • Added: GET /auth/tenants/lookup?slug= (public) — resolve a tenant slug → id so an ISOLATED login form can supply the right tenantId. Exact-slug only (no enumeration). See Logging in under a tenant (ISOLATED).
  • Fixed: the request-context middleware wildcard now uses the named form ({*splat}) on Express 5 / path-to-regexp v8, silencing the LegacyRouteConverter warning; Express 4 is unaffected.
  • Removed: dangling InitializeAdmin request/response DTOs and the IInitializeAdminRequest / IInitializeAdminResponse contracts (no route consumed them).
  • Docs: corrected the multi-tenancy page — ISOLATED is logical identity isolation in one database (same email = a separate account per tenant; switchTenant disabled; login needs a tenantId). The library does not switch data sources per tenant. New ISOLATED login recipe.
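The scoping fix and the slug lookup above, as an added illustration (this is not @ackplus/nest-auth code; the in-memory user table, the tenant map, the token store and every function name are constructed for the example). It contrasts the pre-2.2.0 defect, an email-only lookup that returns whichever same-email row sorts first, with a lookup keyed on (tenantId, email), and shows a forgot-password flow whose token record carries the tenant so verification never has to guess which account the link belongs to:

```typescript
import { createHash, randomBytes } from "node:crypto";

type User = { id: string; tenantId: string; email: string };

// Constructed data: slug -> tenantId, and two ISOLATED accounts that share an email.
const TENANTS: Record<string, string> = { acme: "t-acme", globex: "t-globex" };
const USERS: User[] = [
  { id: "u1", tenantId: "t-acme", email: "pat@example.com" },
  { id: "u2", tenantId: "t-globex", email: "pat@example.com" },
];

const norm = (e: string): string => e.trim().toLowerCase();
const sha256 = (s: string): string => createHash("sha256").update(s, "utf8").digest("hex");

// Shape of the pre-2.2.0 defect: the lookup ignores the tenant, so whichever row
// sorts first wins, and a reset or login meant for Globex lands on the Acme account.
export function findByEmailUnscoped(email: string): User | undefined {
  return USERS.find((u) => u.email === norm(email));
}

// 2.2.0 shape: every account lookup is keyed on (tenantId, email).
export function findByEmailInTenant(tenantId: string, email: string): User | undefined {
  return USERS.find((u) => u.tenantId === tenantId && u.email === norm(email));
}

// Stand-in for GET /auth/tenants/lookup?slug=: exact match only, no prefix or
// wildcard matching, so the public endpoint cannot be used to enumerate tenants.
// hasOwnProperty keeps "constructor"/"toString" from resolving via the prototype.
export function lookupTenantId(slug: string): string | null {
  if (!/^[a-z0-9][a-z0-9-]{0,62}$/.test(slug)) return null;
  return Object.prototype.hasOwnProperty.call(TENANTS, slug) ? TENANTS[slug] : null;
}

// Forgot-password: the token is stored hashed and its record carries the tenant,
// so the verify step resolves the exact account rather than re-searching by email.
const resetTokens = new Map<string, { tenantId: string; userId: string }>(); // sha256(token) -> owner

export function requestPasswordReset(tenantSlug: string, email: string): string | null {
  const tenantId = lookupTenantId(tenantSlug);
  const user = tenantId ? findByEmailInTenant(tenantId, email) : undefined;
  if (!user) return null; // a real handler answers identically either way to avoid account probing
  const token = randomBytes(32).toString("base64url");
  resetTokens.set(sha256(token), { tenantId: user.tenantId, userId: user.id });
  return token;
}

export function verifyPasswordReset(token: string): User | null {
  const key = sha256(token);
  const owner = resetTokens.get(key);
  if (!owner) return null;
  resetTokens.delete(key); // single use
  return USERS.find((u) => u.id === owner.userId && u.tenantId === owner.tenantId) ?? null;
}
```

The login form for an ISOLATED tenant would call the equivalent of lookupTenantId with the slug from the URL, then send the resulting tenantId alongside the credentials; the lookup itself is safe to expose publicly only because it answers exact slugs and nothing else.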

2.1.1 — client-config hooks

  • Added: AuthClient.getClientConfig() (+ the IClientConfig type) — fetch the backend's public config with no auth.
  • Added (React): useClientConfig() and useMultiAccountEnabled() — gate UI (e.g. the account switcher) on what the backend actually enables.
  • Docs: multi-account integrated into the config / client / React reference pages.

2.1.0 — Multi-account login & switching

Log into several accounts on one client and switch the active one (Gmail/Slack-style). Especially natural in ISOLATED mode, where the same email is a distinct account per tenant.

  • Backend: opt-in session.allowMultipleAccounts (default false), surfaced on GET /auth/client-config. Cookie mode gains per-account cookies + a non-httpOnly active-account selector and a GET /auth/accounts listing endpoint. The backend was already multi-session; switching is client-side.
  • Client SDK: AccountManager (header mode — one client per account, namespaced storage) and CookieAccountManager (cookie mode), behind a shared IAccountSwitcher interface.
  • React SDK: AccountSwitcherProvider (separate from AuthProvider) + useAccountSwitcher / useAccounts / useActiveAccount.
  • Recipe: Multi-account login & switching.

2.0.4 — @Public() works under a global guard

  • Fixed: NestAuthAuthGuard now honours @Public() (IS_PUBLIC_KEY) — previously a silent no-op. The documented global APP_GUARD + @Public() pattern works; the library's own public routes (/auth/login, /auth/signup, refresh, password reset, SSO callback, client-config) and the admin console are pre-marked, so a global guard no longer 401s login. See Guards.

2.0.3 — Postgres portability & optional peers

  • Fixed: nest_auth_trusted_devices.revokedAt used datetime, which Postgres rejects (the app couldn't boot). It now uses an inferred, portable type (boots on Postgres, MySQL, SQLite).
  • Fixed: the optional apple-auth peer is now lazy-loaded — apps that don't install it (or use native Apple sign-in) boot fine. (google-auth-library / fb were already lazy.)

2.0.2 — public-barrel exports

  • Fixed: Public / IS_PUBLIC_KEY and AuthExceptionFilter are now exported from the package barrel (they were defined but unreachable), plus a new @CurrentUser() decorator and a re-exported CurrentAdmin.
  • Added: a package exports map; corrected npm description/keywords.

2.0.1 — first stable v2

The first stable release of v2 (the 2.0.0-beta.* line preceded it). See the overview below and the v1 → v2 migration guide.


2.0.0 — What's new (v2 overview)

v2 is a major release: the same NestAuthModule.forRoot() wiring and flat config, but a substantially hardened core, several new capabilities, and complete docs. See the migration guide for breaking changes and how to upgrade.

New capabilities

  • Passwordless login — email/SMS OTP via passwordless: { enabled, allowSignUp }, with client/React passwordlessSend helpers and a POST /auth/passwordless/send endpoint.
  • Phone verification: POST /auth/send-phone-verification and POST /auth/verify-phone, backed by a shared OTP flow service.
  • Platform admin — a first-class, cross-tenant super-admin (platformAccess: { enabled, validate }). See Platform admin portal.
  • Embedded admin dashboard — a full management UI served at /auth/admin (enable with adminConsole), backed by a documented REST API. No separate install.
  • GET /auth/me — a guarded current-user endpoint.

Reliability

  • Atomic user mutations — signup, admin/programmatic create, update, and delete each run in a single transaction. A failing hook, listener, or multi-step write rolls back completely: no partially-created or half-updated users. Lifecycle events fire only after commit.
  • Full lifecycle hooks — added user.beforeUpdate / afterUpdate / beforeDelete / afterDelete, and the transactional EntityManager is now passed to create/update/delete and onSignup / onLogin hooks so your sync code commits atomically with the user. See the hooks reference.
  • RBAC events: RoleService and PermissionService now emit ROLE_* / PERMISSION_* created/updated/deleted events so role and permission changes are syncable. See the events reference.

Security hardening

  • Secrets hashed at rest — API-key secrets, MFA recovery codes, OTP codes, and trusted-device tokens are now stored hashed (and verified with constant-time comparisons). Trusted devices also support explicit revocation. Existing API keys must be regenerated — see the migration guide.
  • Refresh-token rotation + reuse detection — each refresh issues a new token and rejects a replayed/old one.
  • Configurable password hashing — bring-your-own password.hash / password.verify, or tune the built-in Argon2 (password.argon2).
  • OAuth hardening — Google requireVerifiedEmail / multi-audience native id-tokens, Apple native identityToken verification, and GitHub Enterprise endpoint overrides.

Developer experience

  • Complete API reference — a generated OpenAPI 3.0 spec rendered in the admin console and the docs site.
  • Real-database tests — the suite runs against a real database with no mocks.
  • Lighter & modern — dropped the moment dependency; requires Node ≥ 20 and pnpm ≥ 10.

Breaking changes

A focused set: token-TTL config renamed, a few hook/SDK method renames, and the API-key rehash. All of them — with before/after code — are in the v1 → v2 migration guide.


See the release process for how versions are cut and published.