8.0.0 (2025-12-09)
⚠ BREAKING CHANGES
- auth: Token storage format has been extended with new fields
- fix(auth): clear all token-related fields during logout
  - Extend token clearing to include user_id, captcha_token, and captcha_expires_at
  - Add user validation for captcha token usage to prevent cross-user token misuse
  - Ensure complete cleanup of all authentication-related fields in PikPakService
  This addresses potential security issues where residual token data could persist
  after logout or cause incorrect behavior with shared captcha tokens across
  different user sessions.
- fix(auth): prevent login attempts during rate limit cooldown
  Add explicit abort when no valid token is available during cooldown
  to prevent bypassing rate limits. Also force fresh captcha token
  when using shared tokens from concurrent worker logins to ensure
  correct action/meta values.
  This addresses the login hammering issue by strictly enforcing
  cooldown periods and preventing invalid token reuse.
- pwa: PWA features are production-only and disabled in development
Features
- auth: implement captcha token sharing and rate limit handling (#115) (ee2812e)
- auth: implement distributed login coordination with Redis lock (#114) (5dcc316)