Skip to content

Releases: curveball/a12n-server

v0.26.5

30 Oct 05:24
6a59e51
Compare
Choose a tag to compare
  • Developer tokens will now be associated with a client_id if an OAuth2 client was used to generate one. This allows them to be refreshed.
  • A scope can now be specified when creating a developer token.

v0.26.4

28 Oct 21:20
1dc4444
Compare
Choose a tag to compare
  • New: access-token endpoint now returns refresh token.

v0.26.3

28 Oct 20:32
a31c935
Compare
Choose a tag to compare
  • User accounts are now automatically locked after 5 failed login attempts. (@YunhwanJeong).
  • Stricter validation on the 'Create App Client Form.'
  • Looks for database in 'public' searchPath in Postgres. (@Zen-cronic)
  • Fix internal error on user/id route in Postgres. (@Zen-cronic)
  • Generating arbitrary access-tokens is now behind the a12n:access-token:generate privilege instead of just admin. Having the admin privilege still includes this privilege so this is not a backwards compatibility break.
  • Fix: Introspection on developer tokens threw an error.
  • Fix: CSRF error on change password page (@Zen-cronic).

v0.26.2

30 Aug 18:50
4c3f0ad
Compare
Choose a tag to compare
  • Allow admins to auto-generate an intitial 'diceware' password when creating
    new users, which should make onboaring new users and testing easier.
  • Fix CSRF error on register form
  • Fix a bug in the automatic App creation flow

v0.26.1

12 Aug 02:14
b511a53
Compare
Choose a tag to compare
  • Allow users to set up TOTP after registration.
  • Add a new 'auth-factor' API endpoint, which lists all the authentication factors the user has setup. Currently it only supports 'password' and 'totp', but more will be added in the future.
  • Fix test server.

v0.26.0

31 Jul 00:40
3188448
Compare
Choose a tag to compare

New big release in a while!

This release primarily adds support for multiple email/addresses per user and separates the 'active' flag from the 'having validated your email address' flag.

It also introduces experimental support for a draft OAuth2 flow for first-party apps, which (right now) only supports usernames and passwords, and is sure to change over time.. but this will become the main framework for multi-step authentication with all flavours of MFA.

Please note that this release has a few database changes that (depending on your database size) may take a bit to complete. MAKE A BACKUP! I can't stress this enough!

  • BC Break: Previous versions of a12nserver collated the 'active' status of users and whether or not their used email addresses were verified. These two flags are now separate. For a user to log in with their username and password their account must be active (now on by default) and email must be verified. When upgrading to 0.26 all active users will have their email automatically verified.
  • BC Break: When creating users via the API, we no longer accept the 'active' flag. (is now on by default).
  • New! Users can now be associated with multiple email addresses and/or phone numbers.
  • Added support for OAuth 2.0 Multiple Response Type Encoding Practices) aka the "authorization_challenge" flow.
  • Upgraded to Curveball 1.
  • Moved from CommonJS to ESM.
  • Upgraded to Typescript 5.5.
  • Dropped mocha for the built-in Node tester.
  • #494: Add 'public' to Postgres schema search path. (@elaugier)
  • Auto-generate API types from JSON schema.
  • Internal: oauth2-client is renamed to app-client to reduce confusion a bit.
  • Internal: oauth2_codes now remember what grant_type was used to generate the code, plus the redirect_uri.

v0.25.4

26 Feb 17:43
51a8c12
Compare
Choose a tag to compare
  • The 'scope' property on the OAuth2 introspection response was comma-separated when it should have been space-separated.

0.25.3

08 Feb 19:36
76fb658
Compare
Choose a tag to compare
  • Set Content-Type to application/json for password and refresh_token
    operations on the token endpoint.

0.25.2

01 Dec 21:02
0a64313
Compare
Choose a tag to compare

Fixed result of one-time-token if a custom expiry was used.

0.25.1

01 Dec 18:13
b59a3b3
Compare
Choose a tag to compare
  • Clients can now specify how long a one-time-token should be valid for.
  • API clients can now request that one-time-tokens don't expire after use.
  • The client_id is now validated to belong to the curent user when validating one-time-tokens.