chadtmiller.com
+15
CHANGELOG.md
+15
CHANGELOG.md
···
6
6
7
7
## [Unreleased]
8
8
9
+
## [0.5.0] - 2026-01-08
10
+
11
+
### Added
12
+
13
+
- **Direct OAuth authorization** without requiring Pushed Authorization Requests (PAR)
14
+
- `/oauth/authorize` now accepts direct query parameters (client_id, redirect_uri, code_challenge, etc.)
15
+
- Creates authorization request record on-the-fly, same as PAR flow
16
+
- DPoP binding deferred to token exchange time for direct auth flows
17
+
- Matches official AT Protocol PDS behavior
18
+
19
+
### Changed
20
+
21
+
- AS metadata: `require_pushed_authorization_requests` now `false`
22
+
- Extracted `validateAuthorizationParameters()` helper shared between PAR and direct auth
23
+
9
24
## [0.4.0] - 2026-01-08
10
25
11
26
### Added
+1
-1
package.json
+1
-1
package.json
+1
-1
src/pds.js
+1
-1
src/pds.js
···
32
32
// โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
33
33
34
34
// PDS version (keep in sync with package.json)
35
-
const VERSION = '0.4.0';
35
+
const VERSION = '0.5.0';
36
36
37
37
// CBOR primitive markers (RFC 8949)
38
38
const CBOR_FALSE = 0xf4;