
Releases: curveball/a12n-server

v0.31.4

24 Jun 02:28
1d1557f
  • Added a new API that lets consumers send and validate verification codes for email addresses and phone numbers, without needing to associate those identities to users. Sometimes it's helpful to have this check before assigning it to a user as an 'unvalidated' identity.

v0.31.3

04 Jun 22:07
6e6d583
  • Add an API for programmatically triggering a password reset email. The API supports setting a custom return URL, and can either return a token or send the standard email.

v0.31.2

27 May 18:32
d56cccf
  • Add a12n:user:read-auth-factors privilege for access to the auth-factors endpoint.
  • Upgraded to bcrypt v6, nodemailer v7.

v0.31.1

26 May 19:57
e3e65c4
  • Include a small summary of the available auth factors on the /user/:id/auth-factor route.
  • Add helper scripts for seeding the database for maintainers. (@usrrname)

v0.31.0

12 May 15:43
b6127f1
  • Deprecated hasPassword. We now have an authFactors endpoint that has a lot more detail about the kinds of credentials the user has set up.
  • API endpoint and HAL form for creating new identities.
  • Phone numbers can now be verified via SMS. Currently only AWS SNS is supported. More adapters will follow.

v0.30.1

26 Mar 23:54
d63924d
  • If an app has 'uri' set during creation, it's now returned as a me link relationship from the app endpoint.
  • Basic-auth headers for OAuth2 token requests are percent-decoded. This was always required for OAuth2, but I missed this at the time.
  • Fix: error when creating an App via the REST API while an App URL is specified.
  • Add login link on registration page. (@rabiaq123)
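The percent-decoding note above comes from RFC 6749 section 2.3.1: client_id and client_secret are form-urlencoded before being joined with ':' and base64-encoded, so the token endpoint must reverse the steps in the same order. The following is an added example (not a12n-server code) of that decoding and of why a secret containing ':' or '%' can never match without it; the client_id and client_secret values are constructed.

```javascript
// Added example (not a12n-server code). RFC 6749 section 2.3.1: the client
// form-urlencodes client_id and client_secret, joins them with ':', and
// base64-encodes the result. The token endpoint must reverse those steps in
// the same order: base64-decode, split on the FIRST ':', then percent-decode.

// Client side: build the header as an RFC-compliant client would.
// encodeURIComponent is close enough to form-urlencoding for this purpose;
// the characters that matter here (':' '%' '/' ' ') are all escaped.
function buildOAuth2BasicAuth(clientId, clientSecret) {
  const pair = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
  return 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
}

// Steps 1 and 2 only: returns the still-encoded halves, or null if the header
// is not Basic auth or has no separator. A client that percent-encodes the
// separating colon itself produces no ':' here and is rejected.
function splitBasicCredentials(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/.exec(headerValue ?? '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep === -1) return null;
  return { rawId: decoded.slice(0, sep), rawSecret: decoded.slice(sep + 1) };
}

// Full server-side parse: step 3 percent-decodes each half. '+' is a space in
// application/x-www-form-urlencoded, which decodeURIComponent does not know.
function parseOAuth2BasicAuth(headerValue) {
  const parts = splitBasicCredentials(headerValue);
  if (!parts) return null;
  const formDecode = (s) => decodeURIComponent(s.replace(/\+/g, ' '));
  try {
    return { clientId: formDecode(parts.rawId), clientSecret: formDecode(parts.rawSecret) };
  } catch {
    return null; // malformed percent-encoding such as '%zz'
  }
}
```

Comparing `splitBasicCredentials(...).rawSecret` against the stored secret is the bug the release fixes: the raw half still carries `%3A` and `%25`, so a secret containing ':' or '%' fails to authenticate until it is percent-decoded.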

v0.30.0

17 Mar 02:49
0580225
  • Users now have a lot of new fields associated with them, allowing you to store full names, addresses, timezone, preferred language and arbitrary metadata. (@usrrname).
  • The user collection is now paginated, and limited to 100 items per page. (@Zen-cronic).
  • Added a docker-compose.yml file for quickly setting up a server along with all its dependencies, such as a database and Redis. (@usrrname)
  • Tons of documentation upgrades. (@usrrname)
  • hasPassword property on users is now deprecated. Use the authFactors endpoint instead. hasPassword will remain available but will be removed from a future version.
  • Removed outdated eff-diceware-passphrase dependency. It was breaking the build on arm64 due to old transitive dependencies. We've instead included the EFF wordlist and generate diceware passwords ourselves.
  • Reduced docker image from 366MB to 216MB with no loss of functionality.
  • The authorization_challenge API now emits too_many_failed_login_attempts when a user has tried logging in with incorrect credentials too many times. Before, it emitted invalid_username_or_password, which is confusing.
  • Limit passwords to 72 characters to avoid issues with bcrypt silently truncating the input.
  • Fix an issue with lost password not working on MariaDB.

v0.29.0

07 Feb 06:02
eefee67
  • OpenID Connect works! The plumbing for this has been in place for some time, but this release supports the /userinfo endpoint and enough parameters from the authorization endpoint to make it work with the OIDC clients we've tested.
  • The dev server now automatically generates a JWT private key when it's run for the first time. This enables OpenID Connect to be used without further configuration.
  • Auth.js / NextAuth.js support validated. Our implementation had a few bugs, and authjs also had some issues that the server now has workarounds in place for.
  • Lots of documentation fixes and additions. (Thank you @usrrname).
  • Workaround for authjs incorrectly encoding colon in Basic Auth with percent-encoding.
  • #590: When an OIDC client doesn't provide a nonce, the server encoded the nonce as 'null' in the id token. It should have simply been omitted, and this was breaking authjs.
  • Added OpenID Connect endpoints to home screen.
  • Fixed validation bugs in the OAuth2 app update screen.
  • Support for the OIDC /.well-known/openid-configuration endpoint.
  • Added 'email', 'phone' and 'name' claims to OpenID id token.
  • Support for OpenID Connect 'userinfo' endpoint.
  • #596: Support for 'prompt' parameter in OIDC authorize request.
  • Support for auth_time in OIDC id_token.
  • Force users to go through login process after changing their password. Before this change a change-password token was enough to complete login, but this could allow a user to circumvent other authentication factors such as TOTP.
  • Added a small HAL form for easily obtaining developer access tokens.
  • Added a /me endpoint that always redirects to the currently authenticated user or app.
  • Add support for prefer: transclude=item header and ?embed=item query parameter on the /user collection, allowing clients to get the full representation of each user.
  • A refresh of the home endpoint, with a few more links to OIDC endpoints.

v0.28.5

30 Jan 03:08
18eb638
  • Fix: authorization_challenge was emitting an incorrect error for users logging in with unverified email addresses.

v0.28.4

28 Jan 17:37
4b0f7bd
  • Logging in with an unverified email is no longer a blocker for the authorization-challenge system. Users can now verify their email address during the login process. (@chelsearoman-ca)
  • Added a friendly error message for developers trying to directly POST to the /login endpoint.
  • Refreshed getting started and CONTRIBUTING documents. (@usrrname)
  • Added some guides for getting a basic OAuth2 integration up and running using vanilla JavaScript.
  • Added guide on testing SMTP.