v0.3.0

@github-actions github-actions released this 04 Mar 11:23
9d16906

Minor Changes

  • #158 b26f7ff Thanks @mattzcarey! - Add clientIdMetadataDocumentEnabled option to make CIMD (Client ID Metadata Document) support explicitly opt-in. Previously, CIMD auto-enabled when the global_fetch_strictly_public compatibility flag was present, which could cause crashes for servers where URL-shaped client_ids hit bot-protected endpoints. When not enabled (the default), URL-formatted client_ids now fall through to standard KV lookup instead of throwing.

  • #144 49a1d24 Thanks @mattzcarey! - Add revokeExistingGrants option to completeAuthorization() that revokes existing grants for the same user+client after creating a new one. Defaults to true, fixing infinite re-auth loops when props change between authorizations (issue #34). Set to false to allow multiple concurrent grants per user+client.

    Revoke the grant and its tokens when an authorization code is reused, per RFC 6749 §10.5. This prevents authorization code replay by invalidating every token issued from the first exchange.

    Breaking behavior change: Previously, re-authorizing the same user+client created an additional grant, leaving old tokens valid. Now, old grants are revoked by default. If your application relies on multiple concurrent grants per user+client, set revokeExistingGrants: false to preserve the old behavior.

Patch Changes

  • #164 4b640a3 Thanks @pnguyen-atlassian! - Include client_secret_expires_at and client_secret_issued_at in dynamic client registration responses when a client_secret is issued, per RFC 7591 §3.2.1.

  • #165 9cce070 Thanks @mattzcarey! - Use Promise.allSettled instead of Promise.all for best-effort grant revocation in completeAuthorization(), ensuring all grants are attempted even if one fails.
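The grant-revocation behaviour described above (the default revokeExistingGrants handling with best-effort Promise.allSettled revocation, and revocation of a grant and its tokens when an authorization code is reused per RFC 6749 §10.5), as an added illustrative in-memory model that is not the library's own code. Grant ids, code and token formats, and the `failing` set that simulates a storage error during revocation are assumptions made for the example.

```javascript
// Added illustrative in-memory model, not the library's own implementation.
// Grant record: { userId, clientId, code, codeUsed, tokens, revoked }
const grants = new Map();
let nextId = 1;

// Simulated storage-side revocation. `failing` is a hypothetical knob that makes
// revocation of the listed grant ids throw, standing in for a storage error.
async function revokeGrant(grantId, failing = new Set()) {
  if (failing.has(grantId)) throw new Error(`revoke failed for ${grantId}`);
  const g = grants.get(grantId);
  g.revoked = true;
  g.tokens.clear(); // every token issued under this grant stops validating
}

// Model of completeAuthorization(): create the new grant, then (by default)
// revoke the other live grants for the same user+client on a best-effort basis.
async function completeAuthorization({ userId, clientId, revokeExistingGrants = true, failing } = {}) {
  const grantId = `g${nextId++}`;
  grants.set(grantId, { userId, clientId, code: `code-${grantId}`, codeUsed: false, tokens: new Set(), revoked: false });
  if (!revokeExistingGrants) return { grantId, failures: 0 };
  const stale = [...grants].filter(([id, g]) => id !== grantId && !g.revoked && g.userId === userId && g.clientId === clientId);
  // allSettled reports every outcome; Promise.all would reject at the first
  // failure and hide whether the remaining revocations succeeded.
  const results = await Promise.allSettled(stale.map(([id]) => revokeGrant(id, failing)));
  return { grantId, failures: results.filter(r => r.status === 'rejected').length };
}

// Authorization-code exchange. A second use of the same code revokes the grant
// and every token issued from the first exchange (RFC 6749 §10.5).
async function exchangeCode(code) {
  const entry = [...grants].find(([, g]) => g.code === code);
  if (!entry) return { ok: false, reason: 'unknown_code' };
  const [grantId, g] = entry;
  if (g.codeUsed || g.revoked) {
    await revokeGrant(grantId);
    return { ok: false, reason: 'code_reused_grant_revoked' };
  }
  g.codeUsed = true;
  const token = `tok-${grantId}-${g.tokens.size + 1}`;
  g.tokens.add(token);
  return { ok: true, token };
}

// A token is valid only while its grant is live and still lists it.
function tokenValid(token) {
  return [...grants.values()].some(g => !g.revoked && g.tokens.has(token));
}
```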