Releases: AxeWP/wp-graphql-headless-login

v0.4.4 - 2025-09-19

19 Sep 21:45
9b1fdeb

This patch release fixes a security issue where a malicious user with administrator permissions could set the JWT Secret Key to a masked value like ********, making the JWTs predictable. Big thanks to Rapid7 and @M-GRV for the responsible disclosure, and to @M-GRV for the fix.

What's changed

  • fix: Prevent malicious admin from changing JWT Secret Key to masked value. props @M-GRV
  • chore: update Composer deps.
  • ci: Test compatibility with WordPress 6.8.2.

Full Changelog: 0.4.3...0.4.4

v0.4.3 - 2025-06-07

07 Jun 11:07
ecab1fd

This minor release fixes a bug when validating allowed origins from different ports on the same domain. It also adds support for WPGraphQL 2.3's new lazy-loading features, resulting in significant performance improvements.

What's Changed

  • fix: Compare ports when validating allowed origins. h/t @ahuseyn
  • dev: Add support for lazy-loading GraphQL descriptions and deprecation messages.
  • chore: Update NPM + Composer dependencies.
  • chore: Test compatibility with WordPress 6.8 + WPGraphQL 2.3

Full Changelog: 0.4.2...0.4.3

v0.4.2 - 2025-03-29

29 Mar 18:58
398772e

This minor release fixes a bug where the deactivation hook was not being loaded correctly, and updates the help links in the admin settings screen to be clickable.

What's changed

  • fix: Correctly load deactivation hook.
  • fix: Make scope help links clickable in the admin settings screen.
  • chore: Update help link for GitHub's list of available scopes. H/t @mommaroodles
  • chore: Update NPM + Composer dev-dependencies.

Full Changelog: 0.4.1...0.4.2

v0.4.1 - 2025-02-15

14 Feb 23:58
b821095

This minor release confirms compatibility with WPGraphQL 2.0 and WordPress 6.7.2.

What's changed

  • chore: Test compatibility with WPGraphQL 2.0.0.
  • chore: Test compatibility with WordPress 6.7.2.
  • chore: Update NPM + Composer dev-dependencies.
  • ci: Cleanup tsconfig.json file.

Full Changelog: 0.4.0...0.4.1

v0.4.0 - 2024-12-28

28 Dec 16:30
b10f7f0

What's Changed

This major release brings a complete overhaul to the Admin settings screen, along with support for configuring Cookies and a new logout mutation for clearing them.

Behind the scenes, we've refactored the Settings handling and storage, updated our Composer/NPM dependencies and build scripts, and bumped our minimum WordPress version to 6.2.

Note

Updating to this release will automatically migrate your existing settings to the new format. However, if you have custom code that interacts with the settings, you may need to update it to reflect the new structure.

Provider Configuration settings have not been changed.

Contributor Notes

Composer and NPM scripts have been updated, alongside the .env.dist file and other environment variables. Please make sure to update your local environment accordingly.

What's changed

  • feat!: Refactor Settings handling and storage.
  • feat: Add Upgrader class for handling plugin upgrades.
  • feat: Refactor admin package.
  • feat: Add support for Cookie configuration and logout mutation. Props @alexookah.
  • chore!: Bump minimum WordPress version to 6.2.
  • chore!: Remove vendor and vendor-prefixed from the repository.
  • chore: Update Composer dependencies.
  • chore: Update NPM dependencies.
  • chore: Update Strauss to v0.19.4.
  • ci!: Update CI scripts and commands, docker configuration, and env variables.
  • ci: Add workflow to lint JS/TS/CSS files.
  • tests!: Update Codeception tests to use wp-browser > v3.5.x.
  • ci: Test compatibility with WordPress 6.7.1.
  • tests: Format and lint test files.

Full Changelog: 0.3.1...0.4.0

v0.3.1 - 2024-09-07

07 Sep 12:02
72936f4

This patch release fixes a bug where descriptions were not being displayed for FormTokenField types in the settings screen. Additionally, we've updated our dependencies to the latest (SemVer-compatible) versions.

What's Changed

  • fix: Display missing help text to FormTokenField types in the settings screen. H/t @alexookah
  • dev: Add react-jsx-runtime polyfill for WordPress backwards-compatibility.
  • chore: Update Strauss to v0.19.1.
  • chore: Update Composer dependencies.
  • chore: Update NPM dependencies.
  • tests: Fix test helper PSR-4 namespaces.
  • ci: Replace docker-compose commands with docker compose.
  • ci: Test compatibility with WordPress 6.6.1.

Full Changelog: 0.3.0...0.3.1

v0.3.0 - 2024-04-06

06 Apr 17:58
8dc591f

This major release refactors the root files to use the WPGraphQL\Login namespace. It also exposes the authTokenExpiration field in the refreshToken mutation response, improves code quality, adds explicit support for WordPress 6.5.0, and more.

Note

Although this release technically contains breaking changes, these changes are limited to developers directly extending the wp-graphql-headless-login.php, wp-graphql-activation.php, wp-graphql-deactivation.php files, and the WPGraphQL\Login\Main class.
If you are using the plugin as intended, you should not experience any issues when upgrading.

What's Changed

  • feat: Add the authTokenExpiration field to the refreshToken mutation response. H/t @richardaubin.
  • chore!: Add WPGraphQL/RankMath namespace to root-level files ( activation.php, deactivation.php, wp-graphql-rank-math.php ).
  • chore: Declare strict_types in all PHP files.
  • chore: Update Composer dev-deps and fix newly-surfaced PHPCS smells.
  • chore: Lock WPBrowser to v3.5.x to prevent conflicts with Codeception.
  • chore: Implement PHPStan strict rules and fix type errors.
  • chore: Update WPGraphQL Plugin Boilerplate to v0.1.0.
  • ci: Update GitHub Actions to latest versions.
  • ci: Test plugin compatibility with WordPress 6.5.0.
  • ci: Update Strauss to v0.17.0

Full Changelog: 0.2.0...0.3.0

v0.2.0 - 2024-02-04

04 Feb 15:21
a4e0771

This major release bumps the minimum supported WordPress version to 6.0, and the minimum supported WPGraphQL version to 1.14.0. It also fixes a bug when extending the OAuth2Config class.

Note

This release is technically a breaking change, as the Psr dependencies are now prefixed with \WPGraphQL\Login\Vendor.
This class should only be used internally, but if for some reason you're relying on the plugin's bundled Psr classes in your own code, you'll need to update your references.

What's Changed

  • fix: Avoid strict-typing League\OAuth2\Client\Provider\AbstractProvider to the \WPGraphQL\Login\Vendor namespace. H/t @pat-flew.
  • chore!: Use Strauss to prefix Psr dependencies. This is a breaking change, as the Psr dependencies are now prefixed with \WPGraphQL\Login\Vendor.
  • chore!: Bump minimum supported WordPress version to 6.0.
  • chore!: Bump minimum supported WPGraphQL version to 1.14.0.
  • chore: Refactor Autoloader class for DRYness.
  • chore: Update axepress/wp-graphql-cs to latest version and lint.
  • chore: Update Composer dependencies to latest.
  • chore: Update NPM dependencies for WordPress 6.0+.
  • chore: Cleanup CI configuration files.
  • ci: Test plugin against WordPress 6.4.3.

Full Changelog: 0.1.4...0.2.0

v0.1.4 - 2023-10-15

15 Oct 21:47
d127c9c

This minor release fixes a bug where the determine_current_user filter was being applied too late in the lifecycle for some plugins. It also better integrates with WPGraphQL for WooCommerce's upcoming release which adds built-in support for the plugin.

We've also upgraded our coding standards and fixed all the resulting issues.

What's Changed

  • fix: Apply the determine_current_user filter before the plugin is initialized. H/t @kidunot89 for reporting.
  • dev: Refactor autoload handling to WPGraphQL\Login\Autoloader class. Note: this does not remove the vendor/ or vendor-prefixed/ directories from the repository.
  • dev: Remove local registration of LoginPayload.customer for WooGraphQL 0.18.2+. Props @kidunot89.
  • dev: Deprecate LoginPayload.wooSessionToken in favor of loginPayload.sessionToken (added in WooGraphQL 0.18.2+).
  • chore: Update Composer dependencies.
  • chore: Update WPGraphQL Coding Standards to v2.0.0-beta and lint.

Full Changelog: 0.1.3...0.1.4

v0.1.3 - 2023-8-20

20 Aug 15:29
4357b9b

This release includes a refactored Admin JS package for backwards-compatibility and stability, new features and developer hooks to extend and customize the authentication lifecycle, and a handful of bug fixes.

What's Changed

  • feat: Add support for setting a custom scopeSeparator for Generic OAuth2 providers. H/t @martinowren for bringing this up!
  • feat: Relocate Admin JS to packages/admin directory, and refactor for backwards-compatibility.
  • fix: Correctly set the minimum supported WP version to 5.7. This should have been bumped in v0.0.7, but was missed.
  • fix: Let the OAuth2 Provider library handle imploding the scope.
  • fix: Use the correct label for the scope setting in the GitHub and LinkedIn provider settings.
  • fix: Correctly pass the provider $user_data to the graphql_login_after_successful_login filter. Props @martinowren.
  • dev: New actions: graphql_login_after_authenticate, graphql_login_get_user_from_data.
  • dev: New filters: graphql_login_authenticated_user_data, graphql_login_pre_get_user_from_data,
    graphql_login_create_user_data.
  • dev: Deprecated the graphql_login_mapped_user_data filter in favor of graphql_login_authenticated_user_data.
  • chore: Update Composer deps.
  • chore: Cleanup PHPCS and PHPStan configurations.
  • ci: Set MariaDB to v10.x in GitHub Actions.
  • ci: Test against PHP 8.2 and WordPress 6.3.
  • docs: Cleanup Action and Filter references.

Full Changelog: 0.1.2...0.1.3