Important: This documentation covers Yarn 1 (Classic).
For Yarn 2+ docs and migration guide, see yarnpkg.com.

Package detail

ember-simple-auth

mainmatter123.4kMIT8.0.0TypeScript support: included

A lightweight library for implementing authentication/authorization with Ember.js applications.

ember-addon

readme

Ember Simple Auth API docs

CI

Discord

  • Ember Simple Auth supports all Ember.js versions starting with 3.28.
  • Doesn't support IE11
  • Node >=16 is required
  • Supports Embroider see our ember-try scenario and test app for guidance.

[!NOTE] Ember Simple Auth was written and is maintained by Mainmatter and contributors. We offer consulting, training, and team augmentation for Ember.js – check out our website to learn more!

Ember Simple Auth

Logo

Ember Simple Auth is a lightweight library for implementing authentication/ authorization with Ember.js applications. It has minimal requirements with respect to application structure, routes etc. With its pluggable strategies it can support all kinds of authentication and authorization mechanisms.

Table of Contents

Basic Information

Usage

Core Feature Guides

Other Guides

Other Resources

What does it do?

  • it maintains a client side session and synchronizes its state across multiple tabs/windows of the application
  • it authenticates the session against the application's own server, external providers like Facebook etc.
  • it is easily customizable and extensible

How does it work?

Ember Simple Auth consists of 3 main building blocks - the session, a session store and authenticators.

The session service is the main interface to the library. It provides methods for authenticating and invalidating the session as well as for setting and reading session data.

The session store persists the session state so that it survives a page reload. It also synchronizes the session state across multiple tabs or windows of the application so that e.g. a logout in one tab or window also results in a logout in all other tabs or windows of the application.

Authenticators authenticate the session. An application can leverage multiple authenticators to support multiple ways of authentication such as sending credentials to the application's own backend server, Facebook, github etc.

Example App

Ember Simple Auth comes with a test app that implements a complete auth solution including authentication against the application's own server as well as Facebook, authorization of Ember Data requests and error handling. Check out that test app for reference. To start it, run

git clone https://github.com/mainmatter/ember-simple-auth.git
cd ember-simple-auth/packages/test-app
pnpm install && ember serve

and go to http://localhost:4200.

Installation

Installing the library is as easy as:

ember install ember-simple-auth

Upgrading from a pre-3.0 release?

The 3.0 release of ember-simple-auth removes previously deprecated code, introducing some breaking changes, but thankfully there is an v3 upgrade guide.

Upgrading to 4.0 release?

The 4.1 release introduced a session#setup that fixes build issues for typescript and embroider users, due to ESA using initializers. Consult with the guide in order to fix them as well as prepare yourself for v5 release which will make it required. v4 upgrade guide.

Upgrading to 7.0 release?

The 7.0 release introduces a breaking change, it no longer automatically provides a session service and a default session-store. You have explicitly import these files instead. Additional semi-breaking change is how classes provided by us are extended. Please see the guide v7 upgrade guide.

Walkthrough

Once the library is installed, import a session service and a session-store inside your application__.

Add app/services/session.js or app/services/session.ts

import Service from 'ember-simple-auth/services/session';

export default class SessionService extends Service {}

Add app/session-stores/application.js or app/session-stores/application.ts

import AdaptiveStore from 'ember-simple-auth/session-stores/adaptive';

export default class SessionStore extends AdaptiveStore {}

Optional Generic Data argument.

import Service from 'ember-simple-auth/services/session';

type Data = {
  authenticated: {
    // Any data your authenticators return
    id: string;
  }
}

export default class SessionService extends Service<Data> {}

then the session service can be injected wherever needed in the application. In order to display login/logout buttons depending on the current session state, inject the service into the respective controller or component and query its isAuthenticated property in the template:

// app/controllers/application.js
import Controller from '@ember/controller';
import { service } from '@ember/service';

export default class ApplicationController extends Controller {
  @service session;

  …
}
{{!-- app/templates/application.hbs --}}
<div class="menu">
  …
  {{#if this.session.isAuthenticated}}
    <a {{on "click" this.invalidateSession}}>Logout</a>
  {{else}}
    {{#link-to 'login'}}Login{{/link-to}}
  {{/if}}
</div>
<div class="main">
  {{outlet}}
</div>

In the invalidateSession action call the session service's invalidate method to invalidate the session and log the user out:

// app/controllers/application.js
import Controller from '@ember/controller';
import { service } from '@ember/service';
import { action } from "@ember/object";

export default class ApplicationController extends Controller {
  @service session;

  …

  @action
  invalidateSession() {
    this.session.invalidate();
  }
}

For authenticating the session, the session service provides the authenticate method that takes the name of the authenticator to use as well as other arguments depending on specific authenticator used. To define an authenticator, add a new file in app/authenticators and extend one of the authenticators the library comes with, e.g.:

// app/authenticators/oauth2.js
import OAuth2PasswordGrant from 'ember-simple-auth/authenticators/oauth2-password-grant';

export default class OAuth2Authenticator extends OAuth2PasswordGrant {}

With that authenticator and a login form like

{{!-- app/templates/login.hbs --}}
<form {{on "submit" this.authenticate}}>
  <label for="identification">Login</label>
  <input id='identification' placeholder="Enter Login" value={{this.identification}} {{on "change" this.updateIdentification}}>
  <label for="password">Password</label>
  <input id='password' placeholder="Enter Password" value={{this.password}} {{on "change" this.updatePassword}}>
  <button type="submit">Login</button>
  {{#if this.errorMessage}}
    <p>{{this.errorMessage}}</p>
  {{/if}}
</form>

the session can be authenticated with the session service's authenticate method:

// app/controllers/login.js
import Controller from '@ember/controller';
import { service } from '@ember/service';
import { action } from "@ember/object";
import { tracked } from "@glimmer/tracking";

export default class LoginController extends Controller {
  @tracked errorMessage;
  @service session;

  @action
  async authenticate(e) {
    e.preventDefault();
    let { identification, password } = this;
    try {
      await this.session.authenticate('authenticator:oauth2', identification, password);
    } catch(error) {
      this.errorMessage = error.error || error;
    }

    if (this.session.isAuthenticated) {
      // What to do with all this success?
    }
  }

  @action
  updateIdentification(e) {
    this.identification = e.target.value;
  }

  @action
  updatePassword(e) {
    this.password = e.target.value;
  }
}

To make a route in the application accessible only when the session is authenticated, call the session service's requireAuthentication method in the respective route's beforeModel method:

// app/routes/authenticated.js
import Route from '@ember/routing/route';
import { service } from '@ember/service';

export default class AuthenticatedRoute extends Route {
  @service session;

  beforeModel(transition) {
    this.session.requireAuthentication(transition, 'login');
  }
}

This will make the route (and all of its subroutes) transition to the login route if the session is not authenticated. Add the login route in the router like this:

// app/router.js
Router.map(function() {
  this.route('login');
});

It is recommended to nest all of an application's routes that require the session to be authenticated under a common parent route:

// app/router.js
Router.map(function() {
  this.route('login');
  this.route('authenticated', { path: '' }, function() {
    // all routes that require the session to be authenticated
  });
});

To prevent a route from being accessed when the session is authenticated (which makes sense for login and registration routes for example), call the session service's prohibitAuthentication method in the respective route's beforeModel method:

// app/routes/login.js
import Route from '@ember/routing/route';
import { service } from '@ember/service';

export default class LoginRoute extends Route {
  @service session;

  beforeModel(transition) {
    this.get('session').prohibitAuthentication('index');
  }
}

The session service also provides the handleAuthentication and handleInvalidation methods for handling authentication and invalidation of the session (which not only happens when the user submits the login form or clicks the logout button but also when the session is authenticated or invalidated in another tab or window of the application). The handleAuthentication method will transition to a configurable route while the handleInvalidation method will reload the page to clear all potentially sensitive data from memory. In order to customize those behaviours, these methods can be overridden when the application defines its own session service that extends the one provided by Ember Simple Auth.

To add authorization information to requests, you can use the session service to check if the session is authenticated and access authentication/authorization data, e.g. a token:

// app/adapters/application.js
import JSONAPIAdapter from '@ember-data/adapter/json-api';
import { computed } from '@ember/object';
import { service } from '@ember/service';

export default class ApplicationAdapter extends JSONAPIAdapter {
  @service session;

  @computed('session.{data.authenticated.access_token,isAuthenticated}')
  get headers() {
    let headers = {};
    if (this.session.isAuthenticated) {
      // OAuth 2
      headers['Authorization'] = `Bearer ${this.session.data.authenticated.access_token}`;
    }

    return headers;
  }
}

The Session Service

The session service is the main interface to the library. It defines the authenticate, invalidate and authorize methods as well as the session events as shown above.

It also provides the isAuthenticated as well as the data properties. The latter can be used to get and set the session data. While the special authenticated section in the session data contains the data that was acquired by the authenticator when it authenticated the session and is read-only, all other session data can be written and will also remain in the session after it is invalidated. It can be used to store all kinds of client side data that needs to be persisted and synchronized across tabs and windows, e.g.:

this.session.set('data.locale', 'de');

Authenticators

Authenticators implement the concrete steps necessary to authenticate the session. An application can leverage several authenticators for different kinds of authentication mechanisms (e.g. the application's own backend server, external authentication providers like Facebook etc.) while the session is only ever authenticated with one authenticator at a time. The authenticator to use is chosen when authentication is triggered via the name it is registered with in the Ember container:

this.session.authenticate('authenticator:some');

Ember Simple Auth comes with 4 authenticators:

To use any of these authenticators in an application, define a new authenticator in app/authenticators, extend if from the Ember Simple Auth authenticator

// app/authenticators/oauth2.js
import OAuth2PasswordGrantAuthenticator from 'ember-simple-auth/authenticators/oauth2-password-grant';

export default class OAuth2Authenticator extends OAuth2PasswordGrantAuthenticator {}

and invoke the session service's authenticate method with the respective name, specifying more arguments as needed by the authenticator:

this.session.authenticate('authenticator:some', data);

Customizing an Authenticator

Authenticators are easily customized by setting the respective properties, e.g.:

// app/authenticators/oauth2.js
import OAuth2PasswordGrantAuthenticator from 'ember-simple-auth/authenticators/oauth2-password-grant';

export default class OAuth2Authenticator extends OAuth2PasswordGrantAuthenticator {
  serverTokenEndpoint = '/custom/endpoint';
}

Implementing a custom Authenticator

Besides extending one of the predefined authenticators, an application can also implement fully custom authenticators. In order to do that, extend the abstract base authenticator that Ember Simple Auth comes with and override the authenticate, restore and (optionally) invalidate methods:

// app/authenticators/custom.js
import Base from 'ember-simple-auth/authenticators/base';

export default class CustomAuthenticator extends Base {
  restore(data) {
    …
  }

  authenticate(options) {
    …
  }

  invalidate(data) {
    …
  }
}

Session Stores

Ember Simple Auth persists the session state via a session store so it survives page reloads. There is only one store per application that can be defined in app/session-stores/application.js:

// app/session-stores/application.js
import Cookie from 'ember-simple-auth/session-stores/cookie';

export default class ApplicationSessionStore extends Cookie {}

If the application does not define a session store, the adaptive store which uses localStorage if that is available or a cookie if it is not, will be used by default. To customize the adaptive store, define a custom store in app/session-stores/application.js that extends it and overrides the properties to customize.

Store Types

Ember Simple Auth comes with 4 stores:

Adaptive Store

The adaptive store stores its data in the browser's localStorage if that is available or in a cookie if it is not; this is the default store.

localStorage Store

The localStorage store stores its data in the browser's localStorage. This is used by the adaptive store if localStorage is available.

The Cookie store stores its data in a cookie. This is used by the adaptive store if localStorage is not available. This store must be used when the application uses FastBoot.

sessionStorage Store

The sessionStorage store stores its data in the browser's sessionStorage. See the Web Storage docs for details on sessionStorage and localStorage. caniuse has up-to-date information on browser support of sessionStorage and localStorage.

Ephemeral Store

The ephemeral store stores its data in memory and thus is not actually persistent. This store is mainly useful for testing. Also the ephemeral store cannot keep multiple tabs or windows in sync as tabs/windows cannot share memory.

Customizing the Store

The session store is easily customized by setting the respective properties, e.g.:

// app/session-stores/application.js
import AdaptiveStore from 'ember-simple-auth/session-stores/adaptive';

export default class ApplicationSessionStore extends AdaptiveStore {
  cookieName = 'my-apps-session-cookie';
}

Implementing a custom Store

Besides using one of the predefined session stores, an application can also implement fully custom stores. In order to do that, extend the abstract base session store that Ember Simple Auth comes with and implement the persist, restore and clear methods:

// app/session-stores/application.js
import Base from 'ember-simple-auth/session-stores/base';

export default class ApplicationSessionStore extends Base {
  persist() {
    …
  }

  restore() {
    …
  }
}

FastBoot

Ember Simple Auth works with FastBoot out of the box as long as the Cookie session store is being used. In order to enable the cookie store, define it as the application store:

// app/session-stores/application.js
import CookieStore from 'ember-simple-auth/session-stores/cookie';

export default class ApplicationSessionStore extends CookieStore {}

If you are using the OAuth2PasswordGrantAuthenticator, or DeviseAuthenticator, you must add node-fetch to your list of FastBoot whitelisted dependencies in package.json:

{
  "fastbootDependencies": [
    "node-fetch"
  ]
}

Engines

Ember Simple Auth works with engines out of the box. The host app and any engine(s) share the same session service so they can synchronize the authentication status:

// my-engine/addon/routes/index.js
import Application from '@ember/application';
import loadInitializers from 'ember-load-initializers';

class App extends Application {
  …

  engines = {
    'my-engine': {
      dependencies: {
        services: [
          'session'
        ]
      }
    }
  }
});

…

export default App;

The session can then be authenticated or invalidated from the host app or any of the engines and the state will be synchronized via the service.

One thing to be aware of is that if the authentication route is outside of the engine (e.g. in the host app), it is necessary to use the special transitionToExternal method in the engine to transition to it. That can be done by passing a callback instead of a route name to the session service's requireAuthentication method in that case:

// my-engine/addon/routes/index.js
import Route from '@ember/routing/route';
import { service } from '@ember/service';

export default class IndexRoute extends Route {
  @service session;

  beforeModel(transition) {
    this.get('session').requireAuthentication(transition, () => this.transitionToExternal('login'));
  },
}

Testing

Ember Simple Auth comes with a set of test helpers that can be used in acceptance tests.

Our helpers use the more modern testing syntax and therefore require ember-cli-qunit 4.2.0 or greater or ember-qunit 3.2.0 or greater.

We provide the following helpers:

  • currentSession() returns the current session.
  • authenticateSession(sessionData) authenticates the session asynchronously; the optional sessionData argument can be used to mock the response of an authentication request, to provide a specific authorization token or user data.
  • invalidateSession() invalidates the session asynchronously.

Which can be used as shown in the following example:

import { module, test } from 'qunit';
import { visit, currentURL } from '@ember/test-helpers';
import { setupApplicationTest } from 'ember-qunit';
import { currentSession, authenticateSession, invalidateSession } from 'ember-simple-auth/test-support';

module('Acceptance | app test', function(hooks) {
  setupApplicationTest(hooks);

  test('/login redirects to index if user is alread logged in', async function(assert) {
    await authenticateSession({
      authToken: '12345',
      otherData: 'some-data'
    });
    await visit('/login');

    assert.equal(currentURL(), '/');

    let sessionData = currentSession().get('data.authenticated');
    assert.equal(sessionData.authToken, '12345');
    assert.equal(sessionData.otherData, 'some-data');
  });

  test('/protected redirects to /login if user is not logged in', async function(assert) {
    await invalidateSession();

    await visit('/protected');

    assert.equal(currentURL(), '/login');
  });
});

If you're an ember-mocha user, we can recommend to check out this example from the test suite of ember-simple-auth itself.

License

Ember Simple Auth is developed by and © Mainmatter GmbH and contributors. It is released under the MIT License.

Ember Simple Auth is not an official part of Ember.js and is not maintained by the Ember.js Core Team.

changelog

Changelog

Release (2025-03-31)

  • ember-simple-auth 8.0.0 (major)

:boom: Breaking Change

  • ember-simple-auth
  • Other

:house: Internal

  • ember-simple-auth
    • #2953 Allow @ember/test-waiters@4. Addon dependency maintenance (@Windvis)

Committers: 3

Release (2025-01-20)

ember-simple-auth 7.1.3 (patch)

:bug: Bug Fix

  • ember-simple-auth

Committers: 1

Release (2025-01-13)

ember-simple-auth 7.1.2 (patch)

:bug: Bug Fix

:house: Internal

  • classic-test-app, test-app, test-esa
  • ember-simple-auth

Committers: 2

Release (2025-01-02)

ember-simple-auth 7.1.1 (patch)

:bug: Bug Fix

  • ember-simple-auth, test-app
    • #2909 fix(ember-simple-auth): setting non 'content' fields with #set on ObjectProxy is not reactive. (@BobrImperator)

:memo: Documentation

:house: Internal

  • test-esa

Committers: 2

Release (2024-12-30)

ember-simple-auth 7.1.0 (minor)

:rocket: Enhancement

  • ember-simple-auth, test-app

Committers: 1

Release (2024-12-30)

ember-simple-auth 7.0.0 (major)

:boom: Breaking Change

:rocket: Enhancement

  • ember-simple-auth
  • ember-simple-auth, test-esa

:bug: Bug Fix

:memo: Documentation

:house: Internal

Committers: 5

Release (2024-09-09)

:house: Internal

Committers: 1

Release (2024-09-09)

ember-simple-auth 6.1.0 (minor)

:rocket: Enhancement

  • ember-simple-auth, test-esa
    • #2813 feat: Add scope in restore for OAuth2PasswordGrant (@bpetetot)

:memo: Documentation

:house: Internal

Committers: 2

6.0.0 (2023-08-18)

:boom: Breaking Change

:rocket: Enhancement

:house: Internal

Committers: 3

6.0.0-rc.2 (2023-08-18)

:rocket: Enhancement

:house: Internal

Committers: 2

6.0.0-rc.1 (2023-05-10)

:boom: Breaking Change

:house: Internal

Committers: 2

5.0.0 (2023-03-24)

:boom: Breaking Change

:memo: Documentation

  • Other
  • ember-simple-auth
    • #2239 add docs and test for sameSite attribute in AdaptiveStorage (@makepanic)

:house: Internal

Committers: 9

4.2.2 (2022-04-12)

:bug: Bug Fix

Committers: 1

4.2.1 (2022-03-15)

:bug: Bug Fix

  • ember-simple-auth
    • #2363 Prevent UnhandledPromiseError when restoring the session (@swelham)

Committers: 1

4.2.0 (2022-02-14)

:house: Internal

  • ember-simple-auth
    • #2355 Remove use of keys and merge utils coming from @ember/polyfills (@bertdeblock)
    • #2352 Deprecate Torii authenticator (@marcoow)
    • #2349 Fixed failing unit test - invalidate call revoke endpoint twice. Unit test did not validate it correctly. (@candunaj)
  • classic-test-app, ember-simple-auth, test-app

Committers: 3

4.1.1 (2021-12-09)

:bug: Bug Fix

  • ember-simple-auth
    • #2341 add annotation to deprecations so Ember deprecate fn does not complain (@BryanCrotaz)

:memo: Documentation

  • ember-simple-auth

:house: Internal

  • ember-simple-auth
    • #2345 Fixed failing unit test - ember/object get function was removed from source code so I have changed unit test accordingly (@candunaj)
    • #2348 Fixed quietly failing unit test because server returned nothing (@candunaj)
    • #2344 In some tests was thrown undefined. (@candunaj)
    • #2342 Fixed 3 readonly tests. (@candunaj)
  • Other

Committers: 3

4.1.0 (2021-10-29)

:rocket: Enhancement

Committers: 1

4.0.2 (2021-10-06)

:house: Internal

  • ember-simple-auth
  • classic-test-app, ember-simple-auth, test-app

Committers: 2

4.0.1 (2021-09-24)

:memo: Documentation

:house: Internal

  • classic-test-app, ember-simple-auth, test-app

Committers: 2

4.0.0 (2021-09-08)

:boom: Breaking Change

:memo: Documentation

:house: Internal

Committers: 8

3.1.0 (2021-01-29)

:bug: Bug Fix

  • ember-simple-auth
    • #2263 Fix empty object check in _renew() cookie session store (@reidab)

:memo: Documentation

:house: Internal

  • Other
  • ember-simple-auth, test-app

Committers: 3

v3.1.0-beta.1 (2020-10-09)

:rocket: Enhancement

  • ember-simple-auth

:bug: Bug Fix

  • ember-simple-auth
    • #2234 Unset attemptedTransition on invalidation (@marcoow)
    • #2215 fix: Incorrect path to fetch the routeAfterAuthentication property in the config object (@LuisAverhoff)

:memo: Documentation

:house: Internal

  • ember-simple-auth
  • ember-simple-auth, test-app
  • classic-test-app, ember-simple-auth, test-app

Committers: 6

v3.1.0-beta.0 (2020-06-05)

:rocket: Enhancement

:memo: Documentation

:house: Internal

Committers: 5

v3.0.0 (2020-02-10)

:boom: Breaking Change

:rocket: Enhancement

:memo: Documentation

:house: Internal

Committers: 8

v2.1.0 (2019-10-31)

:rocket: Enhancement

:bug: Bug Fix

Committers: 2

v2.0.0 (2019-10-29)

:boom: Breaking Change

:rocket: Enhancement

:bug: Bug Fix

  • #1919 Don't schedule token refresh checks in FastBoot (@trek)

:memo: Documentation

:house: Internal

Committers: 7

v1.9.2 (2019-07-18)

:rocket: Enhancement

  • #1900 Rename _router property to _authRouter to avoid conflicts (@backspace)

:house: Internal

Committers: 2

v1.9.1 (2019-07-12)

:house: Internal

  • #1895 CI: Remove v prefix from version tag constraint (@Turbo87)

Committers: 1

v1.9.0 (2019-07-12)

:rocket: Enhancement

  • #1885 oauth2-password-grant: Convert tokenRefreshOffset to a native getter (@Turbo87)
  • #1886 session-stores/cookie: Convert private volatile properties to methods (@Turbo87)

:bug: Bug Fix

  • #1817 Fix "Use of merge" deprecation warning in oauth2-password-grant when... (@arnebit)

:memo: Documentation

:house: Internal

Committers: 9

v1.8.2

  • Support for ember-cookies 0.4.0 which clears a deprecation, see #1746.

This release would not have been possible without the contributions by @jessica-jordan, @Alonski and @marcoow. Thanks a lot!

v1.8.1

  • Additional patch fix for deprecation warning for Evented#off method on Ember 3.6+, see #1725

This release would not have been possible without the contributions by @MichalBryxi and @richard-viney. Thanks a lot!

v1.8.0

  • Fixes deprecation warning for Evented#off method on Ember 3.6+, see #1722
  • Support for ember-fetch 6.0+, see #1713
  • Fixes error handling for the Torii authenticator, making errors throw as expected if a Promise is rejected, see #1696
  • Updates ember-try test scenarios with Ember 3.0, see this commit

This release would not have been possible without the contributions by @marcoow, @mike-north, @jfschaff, @geekygrappler, @quaertym, @runspired, @kevinansfield, @drewchandler, @andreyfel, @Turbo87, @MichalBryxi and @richard-viney. Thanks a lot! ✨

v1.7.0

  • The baseURL configuration property is now deprecated; use the rootURL property instead, see #1597.
  • ESA works with ember-fetch@"^2.1.0 || ^3.0.0 || ^4.0.0 || ^5.0.0" now, see

    1608.

  • Session events are now bound to methods on the application route correctly, see #1604.
  • The repeated isFastBoot properties used in various places in the codebase have been replaced with a computed property macro, see #1623.
  • The broccoli-file-creator dependency has been raised to ^2.0.0, see

    1636.

  • The API docs and README habe been improved for greater clarity and better examples, see #1583, #1591, #1631, #1598.
  • The dummy app now implements remember-me functionality, see #1606.

v1.6.0

  • Authorizers are now deprecated, see #1532. For more information on the deprecation, refer to the deprecation guide.
  • The session service's invalidate method can now be called when the session is already invalidated, and would simply do nothing in that case, see #1555.
  • The previously removed ember-simple-auth instance initializer has been added again which fixes a regression in applications that relied on its existence, see #1565.
  • Usage of the private beginPropertyChanges/endPropertyChanges methods has been removed, see #1554.

v1.5.1

  • Session restoration is now setup in an initializer (vs. an instance initializer), see #1547.
  • The new acceptance test helpers introduced with 1.5.0 no longer need to manually set up the router (which was using private API), see #1548.

v1.5.0

  • The acceptance test helpers no longer rely on the global wait test helper, see #1516.
  • A new set of acceptance test helpers was introduced that is imported from the ember-simple-auth module namespaces and supports Ember's new testing model, see #1536.
  • The ember-cookies dependency now allows ^0.1.0 as well as ^0.2.0, see

    1538.

v1.4.2

  • The broken warn() method on the cookie session store has been fixed, see #1502.
  • The event listener on the local-storage session store is correctly removed, see #1498.

v1.4.1

  • The fastboot-app-server dependency has been removed, see #1446.
  • The torii authenticator will no longer override the session data with the data returned from the torii provider when restoring the session, see #1310.
  • Ember.testing is no longer destructured which could cause problems with recent ember-qunit/ember-cli-qunit/ember-test-helpers versions, see

    1477.

  • The fastboot-tests and guides directories are no longer distributed with the npm package, see #1470.
  • The OAuth 2.0 authenticator will now reject correctly for responses with an invalid (non-JSON) response body, see #1487, #1442.
  • The cookie that stores the session cookie's expiration time is now cleared when that time is set to null, see #1463.

v1.4.0

  • A new session store has been added that is based on sessionStorage, see

    1392.

  • Several documentation errors and typos have been fixed, see #1393, #1372,

    1374, #1366, #1346.

v1.3.0

  • ESA now uses ember-fetch instead of ember-network. ember-fetch is better maintained than ember-network and seems to emerge as the community-agreed-upon standard for a FastBoot compliant fetch polyfill; see #1288.
  • A new OAuth 2.0 authenticator that implements the OAuth 2.0 "Implicit Grant" has been added, along with a route mixin that makes it easy to use it; see #1252.
  • ESA now depends on ember-cli-babel ^6.0.0, allowing host applications to take advantage of Ember CLI's new targets feature, see #1295.
  • The DataAdapterMixin now allows overriding the handleResponse method in a way that bypasses ESA's built in logic to invalidate the session on 401 responses while still being able to call _super to invoke the base authenticator's logic; see #1290.

v1.2.2

  • The session is now correctly restored when running Ember 2.13, see #1267.
  • The mechanism that triggers authentication in the AuthenticatedRouteMixin is now encapsulated in the (overridable) triggerAuthentication method, see

    1278.

  • The ember-cookies dependency has been upgraded to 0.0.13, see #1281.

v1.2.1

  • Arguments passed to the session service's invalidate method will now be passed on to the authenticator's invalidate method along with the session data, see #1093.
  • The generators for the torii authenticator will now generate a valid file, including an Ember import, see #1216.
  • The cookie session store now allows defining the cookie path, see #1201.
  • The cookie session store will now correctly rewrite the cookie when the cookie domain or expiration time change but the cookie name remains unchanged, see #1234.
  • The AuthenticatedRouteMixin and UnauthenticatedRouteMixin will no longer return the return value of transitionTo from their beforeModel methods, see #1247.
  • A deprecation caused by a call to Ember.warn without a warning id has been fixed, see #1250.
  • The cookie session store will now correctly restore its expiration time from the expiration time cookie if present, see #1257.
  • Some parts of the documentation have been improved, see #1253, #1259, #1254.

v1.2.0

  • The deprecated bind method from jQuery has been replaced with on, see #1184.
  • The development dependencies have been updated and unused dependencies have been removed, see #1182, #1161, #1183.
  • JSHint has been replaced with ESLint, see #1185, #1186.

v1.2.0-beta.2

  • The getOwner function is now read from the Ember object instead of importing it from ember-getowner-polyfill which fixes a deprecation, see

    1124.

  • Transitions are no longer aborted in the AuthenticatedRouteMixin and UnauthenticatedRouteMixin which was simply unnecessary, see #1126.
  • There is now an assertion checking that a valid authorizer has been passed to the session's authorize method, see #1132.
  • The attempted transition is now being stored in a cookie when Ember Simple Auth intercepts a transition and redirects to the login route in the AuthenticatedRouteMixin so that the transition can be retried in the browser, see #1136.
  • The ember-cookies dependency has been updated to 0.0.11 which fixes a deprecation, see #1153.
  • Ember Simple Auth now longer uses Ember.K, see #1166.
  • Deprecated ways to use Ember's deprecations which caused a deprecation themselves have been fixed, see #1170.
  • There is now a warning when a cookieExpirationTime lower than 90 seconds is set as that will lead to problems with Ember Simple Auth's session time extension mechanism, see #1160.
  • Several parts of the documentation have been fixed and a new guide on implementing authentication with github has been added, see #1143, #1142,

    1121, #1139.

v1.2.0-beta.1

  • Ember Simple Auth now supports FastBoot out-of-the-box (when using the cookie session store), see #1035.
  • Ember CLI's new rootURL setting is now used correctly, see #1070.
  • The cookie session store will now rewrite its cookies when any of its configurable properties (like cookie name) change, see #1056.
  • The DataAdapterMixin now also overrides the headersForRequest method which makes it behave correctly with Ember Data 1.7 and above, see #1033.
  • Configurable routes like the login route etc. are now configured via overriding properties of the respective route mixins instead of settings in config/environment.js, see #985.
  • The OAuth 2.0 Passwort Grant authenticator now allows to define custom headers to be sent with authentication requests, see #1018.
  • Authenticators can now reject with the server response when requests fail, see #1012.
  • Server responses are now validated before authenticators resolve authentication, see #957.
  • The offset that the OAuth 2.0 Password Grant authenticator uses when refreshing access tokens is now defined in an (overridable) property, see

    840.

  • The default cookie names that the cookie session store uses are now compliant with RFC 2616, see #978.

v1.1.0

There were no changes since 1.1.0-beta.5.

v1.1.0-beta.5

  • The session will now ignore session store events when it is currently authenticating or restoring, see #965.

v1.1.0-beta.4

  • A critical bug in the cookie store causing an immediate logout after logging in has been fixed, see #931.
  • A deprecation in Ember.js 2.5.0 was fixed, see #941.
  • The versions of Ember CLI used to build and develop the addon itself have been updated to the latest release versions, see #936.
  • The README, API docs and contribution guidelines have been improved, see

    954, #947.

v1.1.0-beta.3

  • The ember-cli-is-package-missing package was added as a dependency (previously it was only a dev dependency), fixing a bug that occurred when running the new generators, see #913.
  • A regression in the cookie store was fixed causing a transition to the routeAfterAuthentication after session restoration, see #915.
  • The code base now consistently overrides the init method instead of relying on on('init', … which results in easier to understand and maintain code, see #917.

v1.1.0-beta.2

  • The silent-error package was added as a dependency (previously it was only a dev dependency), fixing a bug that occurred when running the new generators, see #911.
  • The API docs for token expiration and refresh were improved, see #921.
  • Lots of Ember Simple Auth's internal where cleaned up to take more advantage of Babel in order to make the code more concise and easier to maintain, see

    905.

v1.1.0-beta.1

  • Session Stores are now asynchronous. Synchronous session stores will still work but are now deprecated and will be removed in Ember Simple Auth 2.0, see

    714, #717.

  • Ember Simple auth now comes with blueprints for creating authenticators and authorizers, see #879.
  • The requests that the devise authenticator makes can now be customized with additional options, see #886.
  • The default for (Ember Simple Auth's internal) baseURL property is now '', see #881.
  • browserify is now only enabled for Ember Simple Auth's own tests, fixing potential problems in apps, see #833.
  • When the authenticator fails to restore the session with an error, that error will now be logged, see #829.
  • When invalidating a torii session, the session data will now be passed to the torii provider, see #808.
  • ember-getowner-polyfill is now include in Ember Simple Auth's dependencies so that applications don't have to install it explicitly, see #806.
  • Ember Simple Auth will no longer trigger a deprecation regarding use of the container property, see #894, #804, #796.
  • The DataAdapterMixin will now only invalidate the session on 401 responses when it is actually currently authenticated, see #722.

v1.0.1

  • A bug in the mechanism that forwards events from the internal session through the session service was fixed, see #736, #730.
  • The documentation and assertions for the torii authenticator was fixed, see #734, #735.
  • A typo in the documentation was fixed, see #738.

v1.0.0

Ember Simple Auth 1.0.0 changes a lot of external API, a large part of these changes being breaking changes. Because of that this changelog entry does not mark these breaking changes individually but merely offers an overview of what has changed.

  • Ember Simple Auth is now compatible with all Ember version starting with 1.12.0.
  • Ember Simple Auth is only available as an Ember CLI Addon - the globalized and bower distributions are no longer maintained.
  • The session is no longer injected into routes and controllers but instead exposed as a service. The service has most of the methods that the session had before. The session can also no longer be extended. Instead either extend the session service or add another service that uses the session service to provide additional functionality.
  • Auto-authorization of all AJAX request has been dropped. All authorization now has to be initiated explicitly via the session service's authorize method. There is the new DataAdapterMixin that can be used to simply authorize all Ember Data requests.
  • All authenticators and authorizers the application uses now have to be defined in app/authenticators and app/authorizers respectively while in most cases they will simply inherit one of the predefined authenticators/ authorizers. Also configuration of authenticators and authorizers is no longer done via config/environment.js but instead by overriding properties in the extended authenticators/authorizers.
  • The ApplicationRouteMixin now maps the session events to the sessionAuthenticated and sessionInvalidated methods instead of the actions from previous versions.
  • The default session store is now the adaptive store that will use localStorage if available and a cookie otherwise. When testing, Ember Simple Auth will always use the ephemeral store.
  • The test helpers now take the application instance as the first argument and must be imported explicitly in the respective test.
  • The session is now restored in the application route's beforeModel method instead of in an initializer.

v0.8.0

  • Correctly initialize the session's content, see #556.

v0.8.0-beta.3

  • Fixed a bug related to the mechanism for automatic translation of session events to route actions leaking state, see #544.
  • Fixed a bug where non-secure session data would get lost after a reload, see

    534.

  • Ember Simple Auth does not explicitly set the container on the session anymore as that's already set by the container itself when creating the object, see #520.

v0.8.0-beta.2

  • Ember Simple Auth now uses the application's register and inject methods instead of the container's, see #462.
  • A bug in the OAuth 2.0 authorizer was fixed that prevented requests from actually being authorized, see #483.
  • Changed the way the test helpers are loaded to prevent JSHint errors, see

    478.

  • Better implementation for detection of changes in the session store, see

    469.

v0.8.0-beta.1

  • [BREAKING] The devise package's identificationAttributeName property now defaults to email, see #456.
  • The secure session data is now stored under the special key secure, see

    414. This makes sure that the session isn't cleared completely on logout but

    only the secure key instead. This is a [BREAKING] change if you're using a custom authorizer as that must fetch the token etc. from the session's secure key now.
  • The cookie session store will now only expire on inactivity - as long as the session is active, the cookie's expiration time will frequently be updated, see #451.
  • The LoginControllerMixin and AuthenticationControllerMixin mixins are now deprecated. The invalidateSession and authenticateSession actions in the ApplicationRouteMixin mixin have been deprecated as well. authenticateSession is replaced by the new sessionRequiresAuthentication action, see #467.
  • The AuthenticatedRouteMixin mixin will now correctly return upstream beforeModel promises, see #464.

v0.7.3

  • [BREAKING] The name of the token attribute used by the devise authenticator and authorizer is now token by default, see #394.
  • [BREAKING] The devise authenticator will now send the user's identification for the configured identificationAttributeName instead of always using email, see #403.
  • The crossOriginWhitelist now supports whitelisting all subdomains of a specific domain, see #398.
  • The docs for defining custom authenticators have been improved, see #399.
  • The tests will now run against the newest versions of Ember, Ember.js, jQuery and handlebars.
  • The examples now run with handlebars 2.0.0 and jQuery 2.1.3.
  • The Google+ example has been fixed so that it will always prompt the user for approval, see #412.
  • The template for the API docs was updated so that it works with the newest handlebars version.

v0.7.2

  • The session's authenticate method now accepts an arbitrary list of arguments to pass to the authenticator's authenticate method which also allows to pass options to torii providers, see #371.
  • With the move away from controllers/views and towards components, the session is now injected into components as well, see #364.
  • The OAuth 2.0 authenticator now handles access scopes, see #363.
  • ApplicationRouteMixin will now send actions to the current route if available or the initial transition, see #367.
  • Added a new currentSession() helper to the Ember Simple Auth Testing package that provides access to the current session, see #359.
  • Fixed clearing of cookie and localStorage stores, see #349.
  • The ajaxPrefilter and ajaxError handlers were cleaned up.

v0.7.1

  • The localStorage session store now correctly reads its configuration from the Configuration object and in turn can be configured in config/environment.js in Ember CLI projects, see #340.

v0.7.0

  • [BREAKING]: The Devise authorizer now sends the session token as user_token instead of token for consistency.
  • The session store can store nested objects now, see #321.
  • The property names for user_token and user_email are now configurable for the Devise authenticator/authorizer, see #319.
  • The ApplicationRouteMixin's sessionInvalidationSucceeded action will no longer reload the page in testing mode, see #333.
  • The cookie session store now has a cookieDomain setting that can be used if e.g. the session needs to be shared across subdomains, see #332.
  • The AMD distribution has been fixed so that it doesn't depend on any specific global objects anymore, see #325, #323.
  • Removed the insecure connection warning as it never actually triggers when it actually should, see #318.
  • The crossOriginWhitelist setting can now be set to ['*'] to allow requests to all domains, see #309.
  • The global ajaxPrefilter and ajaxError hooks will now be setup only once which fixes some problems in testing mode.

v0.6.7

  • The Ember CLI Addons will now use the project's configuration as defined in config/environment.js and do not depend on window.ENV anymore, see [mainmatter/ember-cli-simple-auth#21]https://github.com/mainmatter/ember-cli-simple-auth/issues/21.
  • All configuration data is now held in configuration objects for the OAuth 2.0, cookie store and devise extension libraries as well.

v0.6.6

This release fixes the Ember CLI Addon packages that were (again) published incorrectly to npm...

v0.6.5

  • [BREAKING]: The OAuth 2.0 authenticator's serverTokenRevocationEndpoint property has been renamed to serverTokenRevocationEndpoint ("k" to "c").
  • The new UnauthenticatedRouteMixin mixin can be used for routes that do not allow the session to be authenticated like the login route, see #236.
  • The localStorage store's localStorageKey property can now be configured, see #300.
  • The AuthenticatedRouteMixin and UnauthenticatedRouteMixin will now check for infinite redirection loops, see #293.
  • The cookie store now sets path=/ for its cookies so that there is only one Ember Simple Auth cookie per application, see #288.
  • The browserified distribution does not correctly export the test helpers, see

    283.

  • authorizationFailed will now only be triggered for requests that were actually authenticate by Ember Simple Auth, see #271.
  • Fixed a bug that prevented the browserified version from being used in older versions of Internet Explorer, see #266.

v0.6.4

  • The new package ember-simple-auth-testing was added that contains test helpers that simplify testing of authenticated routes, e.g.:

    test('a protected route is accessible when the session is authenticated', function() {
  expect(1);
  authenticateSession(); // <--
  visit('/protected');

  andThen(function() {
    equal(currentRouteName(), 'protected');
  });
});

  • Ember Simple Auth now allows to define a custom session class which e.g. makes adding custom methods to the session much simpler, e.g.:

    App.CustomSession = SimpleAuth.Session.extend({
  account: function() {
    var accountId = this.get('account_id');
    if (!Ember.isEmpty(accountId)) {
      return this.container.lookup('store:main').find('account', accountId);
    }
  }.property('account_id')
});
…
container.register('session:custom', App.CustomSession);
…
window.ENV['simple-auth'] = {
  session: 'session:custom',
}

  • A race condition was fixed that could have broken synchronization of multiple tabs or windows, see #254. The stores will now only store one cookie, one localStorage key etc. holding a JSON representation of the session's data instead of one cookie, localStorage key etc. per property. This change includes 2 breaking changes:

    • The cookie store's cookieNamePrefix property is now just cookieName as there's only one cookie now.
    • The localStorage store's keyPrefix property is now just key as there's only one key now.
  • The session will now persist custom content that is assigned manually without the authenticator, see #260.
  • A bug was fixed that caused session events to trigger multiple action invocations when the application was started via a deep link to an authenticated route, see #257.
  • The AMD distribution does no longer require the Ember global but will try to require it with require('ember') if the global does not exist, see #255.

  • The used Ember Simple Auth libraries and their respective will now be logged on application startup together with the Ember core libraries, e.g.:

    [Debug] DEBUG: -------------------------------
[Debug] DEBUG: Ember                       : 1.6.1
[Debug] DEBUG: Handlebars                  : 1.0.0
[Debug] DEBUG: jQuery                      : 1.9.1
[Debug] DEBUG: Ember Simple Auth           : 0.6.4
[Debug] DEBUG: Ember Simple Auth OAuth 2.0 : 0.6.4
[Debug] DEBUG: -------------------------------

  • The LoginControllerMixin's authenticate action now returns the promise returned by the session so that controllers can use that to handle successful authentication or authentication errors, e.g.:

    App.LoginController = Ember.Controller.extend(SimpleAuth.LoginControllerMixin, {
  authenticator: 'simple-auth-authenticator:oauth2-password-grant',
  actions: {
    authenticate: function() {
      this._super().then(function() {
        // authentication succeeded
      },
      function(error) {
        // authentication failed
      });
    }
  }
});

  • Fixed a bug where the OAuth 1.0 authenticator would not try to refresh the token on restore in some situations, see #249.

v0.6.3

  • added new extension library Ember Simple Auth Torii
  • Added support for OAuth 2.0 token revocation in the Ember Simple Auth OAuth 2.0 extension library, see #228
  • The browserified distribution does not export the setup function anymore, see #235.
  • All standard Ember methods that are defined in the mixins will now call this._super, see #232.

v0.6.2

  • The crossOriginWhitelist is now loaded from window.ENV correctly, see

    218.

v0.6.1

  • [BREAKING] All factory properties that previously had a "Factory" suffix have been renamed to not include the suffix anymore. If you're currently setting storeFactory or authorizerFactory in the configuration be sure to change these to store and authorizer. Also change authenticatorFactory in the login controller to authenticator.
  • The file names of the download distribution have been changed to have the "ember-" prefix again.

v0.6.0

  • [BREAKING] Ember Simple Auth's SimpleAuth object is no longer attached to the Ember global but is now a global itself (in the browserified distribution that exports that global). When you were referring to e.g. Ember.SimpleAuth.ApplicationRouteMixin you now have to change that to just SimpleAuth.ApplicationRouteMixin.
  • [BREAKING] The "namespace" for all components that Ember Simple Auth registers in Ember's container has been changed from 'ember-simple-auth-' to just 'simple-auth-'.
  • [BREAKING] The names of the distributed files has changed from "ember-simple-auth-…" to "simple-auth-…".
  • [BREAKING] The requirement for defining an initializer and call SimpleAuth.setup in that has been dropped. Ember Simple Auth will now setup itself once it is loaded. Existing Ember Simple Auth initializers should be removed.
  • [BREAKING] As SimpleAuth.setup was removed there now is a new way to configure Ember Simple Auth. Instead of passing configuration values to the setup method, these values are now defined on window.ENV['simple-auth'] (and window.ENV['simple-auth-oauth'] etc. for the extension libraries). See the API Docs for Configuration for more information.
  • [BREAKING] All underscores have been replaced with dashes in filenames. This only affects users that were using the AMD build.
  • [BREAKING] The AMD builds are no longer distributed in the 'amd/' subfolder but in the root level along with the browserified versions.
  • The ApplicationRouteMixin now subscribes to the session's events in the beforeModel method, see #199.
  • Added documentation on how to disable server sessions when using the Devise extension library, see #204.
  • The authorizer will not be used if it is destroyed already, see #191.
  • The check for cross origin requests has been simplified, see #190.
  • Most of the examples in the READMEs and API docs have been rewritten to focus on Ember CLI and ES6 modules instead of the browserified distribution.
  • The cookie store example now implements "remember me" functionality.
  • There is a new example that uses the AMD distribution.

v0.5.3

  • fixed the AMD build so it does not depend on the Ember.SimpleAuth global, see

    183.

  • Added an example for the devise extension library, see #188.
  • Cleaned up the AMD structure so it can better be used with ember-cli, see

    189 (all files export the default export now).

v0.5.2

  • The ApplicationRouteMixin now uses the configured session property name, see #184.
  • The ApplicationRouteMixin will not try to invalidate a session that is not authenticated and thus cannot be invalidated, see #185.

v0.5.1

  • The OAuth 2.0 authenticator does not schedule automatic token refreshs in the test environment anymore, see #181.

v0.5.0

  • Using any of the mixins is now completely optional; Ember Simple Auth will work without the mixins as well (see example 9).
  • The session's authorizationFailed event will now be triggered for any failed XHRs and not only for those made in routes' model hooks.
  • Fixed the Devise authenticator's restore method, see #171
  • The AuthenticationControllerMixin's authenticate action now returns the promise that's returned from the session's authenticate action.
  • The authenticator's 'updated' event was renamed to 'sessionDataUpdated'.
  • The store's 'updated' event was renamed to 'sessionDataUpdated'.
  • The API docs now include the events an object might trigger.
  • The tests now run with the latest Ember and jQuery versions.

v0.4.0

  • [BREAKING] Ember Simple Auth's factories are now registered with "namespaced" names with Ember's container to avoid conflicts, see #159; this requires all references to these factories (e.g. authenticatorFactory in controllers to be prepended with 'ember-simple-auth-').
  • [BREAKING] Ember.SimpleAuth.Authorizers.Devise now sends the user's token and email address in one header that's compatible to Rails' token auth module
  • [BREAKING] Ember.SimpleAuth.Authenticators.Devise now sends the (configurable) resource name for session authentication, see #157
  • The name of the property that Ember.SimpleAuth injects the session with into routes and controllers can now be customized, see #159
  • fixed Ember.SimpleAuth.Utils.isSecureUrl so that it checks the passed URL not the current location
  • improved the instructions for server side setup for ember-simple-auth-devise, see #155

v0.3.1

  • Fixed a bug where the arguments from session events were not passed to router actions.

v0.3.0

  • Ember Simple Auth has been split up into a base library and a set of extension libraries - the OAuth 2.0 authenticator/authorizer, the cookie session store as well as the new Devise authenticator/authorizer now reside in their own extension libraries so everybody can include only what they need. If you're currently using the OAuth 2.0 authenticator and/or authorizer, you now need to include the ember-simple-auth-oauth2.js file in your app! If you're using the Cookie store you need to include ember-simple-auth-cookie-store.js.
  • the new Devise authenticator and authorizer have been added, see README there.
  • it is now optional to specify an authorizer; if none is specified no requests will be authorized. If you're currently using an authorized be sure to specify it for Ember.SimpleAuth.setup now, e.g.:
    Ember.SimpleAuth.setup(container, application, {
  authorizerFactory: 'authorizer:oauth2-bearer'
});
  • the session is no longer injected into models and views - it was probably not working for both for some time anyway and it was also not a good idea to do it in the first place as anything related to the session should be managed by the routes and controllers; see #122.
  • the authenticator's update event is now handled correctly so that it might lead to the session being invalidated, see #121.
  • examples have been updated
  • the OAuth 2.0 authenticator will now try to refresh an expired token on refresh and only reject when that fails, see #102

v0.2.1

  • removed check for identification and password being present in LoginControllerMixin so an error is triggered with the server's response
  • serve both examples and tests with grunt dev_server task
  • README improvements
  • improved examples

v0.2.0

  • Ember Simple Auth now reloads the application's root page on logout so all sensitive in-memory data etc. gets cleared - this also works across tabs now, see #92
  • the OAuth 2.0 authenticator rejects restoration when the access token is known to have expired, see #102
  • the store is not updated unnecessarily anymore, see #97
  • the library is now built with grunt, uses ES6 modules and is tested with mocha - all Ruby dependencies have been removed
  • added warnings when credentials/tokens etc. are transmitted via insecure connections (HTTP)

v0.1.3

  • fixed synchronization of stores, see #91

v0.1.2

  • Ember.SimpleAuth.setup now expects the container and the application as arguments (Ember.SimpleAuth.setup(container, application);)
  • the authenticator to use is now looked up via Ember's container instead of the class name which fixes all sorts of problems especially when using Ember AppKit with the new ES6 modules lookup
  • the examples will now always build a new release of Ember Simple Auth when starting
  • origin validation now works in IE, see #84

v0.1.1

  • use absolute expiration times for tokens, see #76
  • fix for cross origin check in IE, see #72
  • make sure errors bubble up, see #79
  • added documentation for customizing/extending the library

v0.1.0

The Big Rewrite™, see the README and the release notes.

The main changes are:

  • all code that is specific to concrete authentication/authorization mechanisms was moved into strategy classes (see e.g. Authenticators.OAuth2, Authorizers.OAuth2)
  • instead of persisting the session in cookies, the default store is now localStorage
  • Ember.SimpleAuth.setup does not expect the container as first argument anymore, now takes only the application object
  • the terms login/logout were replaced by session authentication/session invalidation
  • OAuth 2.0 client authentication was removed from the default library as it does not really work for public clients

v0.0.11

  • fixed cross origin check for Firefox (which doesn't implement location.origin), see #41

v0.0.10

  • fixed problem that broke integration tests, see #38 and #39

v0.0.9

  • don't periodically refresh data stored in cookie in testing mode, see #35
  • support for client id and client secret, see, #36

v0.0.8

  • clear password on login, see #29
  • fixed prevention of sending Authorization header with cross-origin requests
  • added Ember.SimpleAuth.crossOriginWhitelist to also sent Authorization header with configured cross-origin requests

v0.0.7

  • use session cookies to store the session properties (see #30)

v0.0.6

  • added API docs

v0.0.5

  • fixed #21

v0.0.4

  • made the library compliant to RFC 6749
  • added the application route mixin with login, logout, loginSucceeded, loginFailed actions
  • added callbacks for use with external OpenID/OAuth providers
  • more examples
  • added automatic token refreshing

v0.0.3

  • changed header to standard Authorization instead of the custom header, see

    15

v0.0.2

  • fixed content type of POST /session request to be application/json, see #13

v0.0.1

initial release