Releases: curveball/a12n-server
Releases · curveball/a12n-server
v0.26.5
v0.26.4
v0.26.3
- User accounts are now automatically locked after 5 failed login attempts. (@YunhwanJeong).
- Stricter validation on the 'Create App Client Form.'
- Looks for database in 'public' searchPath in Postgres. (@Zen-cronic)
- Fix internal error on user/id route in Postgres. (@Zen-cronic)
- Generating arbitrary access-tokens is now behind the
a12n:access-token:generate
privilege instead of justadmin
. Having theadmin
privilege still includes this privilege so this is not a backwards compatibility break. - Fix: Introspection on developer tokens threw an error.
- Fix: CSRF error on change password page (@Zen-cronic).
v0.26.2
v0.26.1
v0.26.0
New big release in a while!
This release primarily adds support for multiple email/addresses per user and separates the 'active' flag from the 'having validated your email address' flag.
It also introduces experimental support for a draft OAuth2 flow for first-party apps, which (right now) only supports usernames and passwords, and is sure to change over time.. but this will become the main framework for multi-step authentication with all flavours of MFA.
Please note that this release has a few database changes that (depending on your database size) may take a bit to complete. MAKE A BACKUP! I can't stress this enough!
- BC Break: Previous versions of a12nserver collated the 'active' status of users and whether or not their used email addresses were verified. These two flags are now separate. For a user to log in with their username and password their account must be active (now on by default) and email must be verified. When upgrading to 0.26 all active users will have their email automatically verified.
- BC Break: When creating users via the API, we no longer accept the 'active' flag. (is now on by default).
- New! Users can now be associated with multiple email addresses and/or phone numbers.
- Added support for OAuth 2.0 Multiple Response Type Encoding Practices) aka the "authorization_challenge" flow.
- Upgraded to Curveball 1.
- Moved from CommonJS to ESM.
- Upgraded to Typescript 5.5.
- Dropped mocha for the built-in Node tester.
- #494: Add 'public' to Postgres schema search path. (@elaugier)
- Auto-generate API types from JSON schema.
- Internal: oauth2-client is renamed to app-client to reduce confusion a bit.
- Internal:
oauth2_codes
now remember what grant_type was used to generate the code, plus theredirect_uri
.