Automatic intended-URL storage on unauthorized redirects

10.1.0 (2026-04-09)

The session guard's error handler now calls withIntendedUrl and withQs when redirecting unauthenticated users to the login page, so the current URL is automatically stored in the session. After login you can redirect users back to where they were heading without any manual wiring.

Intended-URL storage applies to GET navigational requests (including Inertia) and is skipped for AJAX and non-GET requests or when no route is matched. Query strings are forwarded to the login redirect.

Features

• store intended URL when redirecting unauthenticated users to login (aaf8a06)

Full Changelog: v10.0.0...v10.1.0

Simplified withAuthFinder, new helpers and bug fixes

10.0.0 (2026-02-25)

Features

• add deleteAll method on access token provider (#260) (a2efc9c)
• add validatePassword method to throw error when password is invalid (ce6b53b)
• make withAuthFinder mixin accept hash manager and make options optional (7ebc10e)
• add checkUsing method (#257) (7ad0436)

Bug Fixes

• emit event session logout before update local data (46d19f6)

What's Changed

• feat: allow to pass custom guard to check method by @aadamcik in #257
• fix: emit event session logout before update local data by @ad-momo in #259
• feat: add deleteAll method on access token provider by @radiumrasheed in #260

New Contributors

• @ad-momo made their first contribution in #259
• @radiumrasheed made their first contribution in #260

Full Changelog: v9.4.2...v10.0.0

Add deleteAll method on TokensProvider

10.0.0-next.6 (2026-01-27)

Features

• add deleteAll method on access token provider (#260) (a2efc9c)

What's Changed

• feat: add deleteAll method on access token provider by @radiumrasheed in #260

New Contributors

• @radiumrasheed made their first contribution in #260

Full Changelog: v10.0.0-next.5...v10.0.0-next.6

Add deleteAll method on TokensProvider

9.6.0 (2026-01-27)

Features

• add deleteAll method on access token provider (#260) (2c72627)

Full Changelog: v9.5.1...v9.6.0

Add user.validatePassword via the AuthMixin

10.0.0-next.5 (2026-01-22)

Features

• add validatePassword method to throw error when password is invalid (ce6b53b)

Full Changelog: v10.0.0-next.4...v10.0.0-next.5

Flash error message using the error key

10.0.0-next.4 (2026-01-21)

Features

• flash error using error property (83bb92d)

Full Changelog: v10.0.0-next.3...v10.0.0-next.4

Update dependencies

10.0.0-next.3 (2025-12-19)

Full Changelog: v10.0.0-next.2...v10.0.0-next.3

Simplify usage of `withAuthFinder` mixin

10.0.0-next.2 (2025-10-27)

Not a big change, but small things matter too. The withAuthFinder mixin also accepts the hash manager and will use the default driver. Also, the config has been made optional to use sane defaults.

FROM

const AuthFinder = withAuthFinder(() => hash.use('scrypt'), {
  uids: ['email'],
  passwordColumnName: 'password',
})

export default class User extends compose(
  BaseModel,
  AuthFinder,
) {
}

TO

export default class User extends compose(
  BaseModel,
  withAuthFinder(hash),
) {
}

Features

• make withAuthFinder mixin accept hash manager and make options optional (7ebc10e)

Full Changelog: v10.0.0-next.1...v10.0.0-next.2

Make sure the user is defined in the session logout event

10.0.0-next.1 (2025-10-20)

Bug Fixes

• emit event session logout before update local data (46d19f6)

What's Changed

• fix: emit event session logout before update local data by @ad-momo in #259

New Contributors

• @ad-momo made their first contribution in #259

Full Changelog: v10.0.0-next.0...v10.0.0-next.1

Make sure the user is defined in the session logout event

9.5.1 (2025-10-20)

Bug Fixes

• emit event session logout before update local data (028945c)

Full Changelog: v9.5.0...v9.5.1