
Releases: curveball/a12n-server

v0.30.1

26 Mar 23:54
d63924d
  • If an app has 'uri' set during creation, it's now returned as a 'me' link relationship from the app endpoint.
  • Basic-auth headers for OAuth2 token requests are percent-decoded. This was always required for OAuth2, but I missed this at the time.
  • Fix: error when creating an App via the REST API when an App URL is specified.
  • Add login link on registration page. (@rabiaq123)
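The percent-decoding in 0.30.1 is what RFC 6749 section 2.3.1 requires: client_id and client_secret are each form-urlencoded before being joined with a colon and base64-encoded into the Basic credential, so a secret containing ':' or '%' only matches if the server decodes after splitting. The block below is an added example, not a12n-server's own code, showing both sides of that exchange in TypeScript; the helper names and credentials are made up for the illustration.

```typescript
// Added example, not a12n-server code. RFC 6749 section 2.3.1: client_id and
// client_secret are each application/x-www-form-urlencoded, joined with ':' and
// base64-encoded into an HTTP Basic credential. The server therefore has to
// percent-decode after splitting, otherwise a secret containing ':' or '%'
// (or a space) never matches what was registered.

// application/x-www-form-urlencoded encoding of one credential component.
function formEncode(value: string): string {
  return encodeURIComponent(value).replace(/%20/g, '+');
}

// Inverse of formEncode; throws URIError on a malformed escape such as "%zz".
function formDecode(value: string): string {
  return decodeURIComponent(value.replace(/\+/g, ' '));
}

// Client side: build the Authorization header for a token-endpoint request.
export function buildBasicAuth(clientId: string, clientSecret: string): string {
  const userPass = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
  return 'Basic ' + Buffer.from(userPass, 'utf8').toString('base64');
}

export interface ClientCredentials {
  clientId: string;
  clientSecret: string;
}

// Server side: recover the credentials from the header. Returns null instead of
// throwing on anything malformed so the caller can answer invalid_client.
export function parseBasicAuth(header: string): ClientCredentials | null {
  const m = /^Basic\s+([A-Za-z0-9+\/=]+)$/.exec(header.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  // Split on the first ':' only. An encoded client_id cannot contain a raw
  // colon, but a secret sent by a client that skipped the encoding might.
  const idx = decoded.indexOf(':');
  if (idx < 0) return null;
  try {
    return {
      clientId: formDecode(decoded.slice(0, idx)),
      clientSecret: formDecode(decoded.slice(idx + 1)),
    };
  } catch {
    return null; // bad percent-escape: a non-encoding client with '%' in its secret
  }
}
```

Note the asymmetry with clients that skip the encoding: a raw secret ending in '%' is an invalid escape, which parseBasicAuth reports as a failed parse (invalid_client) rather than letting a URIError escape the handler. Secrets made of plain ASCII letters and digits are identical in encoded and raw form, which is why the missing decode went unnoticed for so long.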

v0.30.0

17 Mar 02:49
0580225
  • Users now have a lot of new fields associated with them, allowing you to store full names, addresses, timezone, preferred language and arbitrary metadata. (@usrrname).
  • The user collection is now paginated, and limited to 100 items per page. (@Zen-cronic).
  • Added a docker-compose.yml file for quickly setting up a server along with all its dependencies, such as a database and Redis. (@usrrname)
  • Tons of documentation upgrades. (@usrrname)
  • hasPassword property on users is now deprecated. Use the authFactors endpoint instead. hasPassword will remain available but will be removed from a future version.
  • Removed outdated eff-diceware-passphrase dependency. It was breaking the build on arm64 due to old transitive dependencies. We've instead included the EFF wordlist and generate diceware passwords ourselves.
  • Reduced docker image from 366MB to 216MB with no loss of functionality.
  • The authorization_challenge API now emits too_many_failed_login_attempts when a user has tried logging in with incorrect credentials too many times. Before, it emitted invalid_username_or_password, which is confusing.
  • Limit passwords to 72 characters to avoid issues with bcrypt truncating the input.
  • Fix an issue with lost password not working on MariaDB.
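bcrypt uses only the first 72 bytes of its input, so the 72 limit above is best enforced on bytes: a 72-character password made of two-byte UTF-8 characters is 144 bytes, of which bcrypt sees half. The block below is an added example, not a12n-server code, that counts UTF-8 bytes rather than characters and shows why two passwords that agree on their first 72 bytes verify against each other's hash.

```typescript
// Added example, not a12n-server code. bcrypt hashes at most the first 72 bytes
// of the password and silently ignores the rest, so the limit has to be enforced
// on the UTF-8 byte length, not on the character count.
export const BCRYPT_MAX_BYTES = 72;

export function passwordByteLength(password: string): number {
  return Buffer.byteLength(password, 'utf8');
}

export interface LengthCheck {
  ok: boolean;
  bytes: number;
  reason?: string;
}

// Run this before hashing, in registration and change-password handlers alike.
export function checkPasswordLength(password: string): LengthCheck {
  const bytes = passwordByteLength(password);
  if (bytes > BCRYPT_MAX_BYTES) {
    return {
      ok: false,
      bytes,
      reason: `password is ${bytes} bytes of UTF-8; bcrypt only hashes the first ${BCRYPT_MAX_BYTES}`,
    };
  }
  return { ok: true, bytes };
}

// The bytes bcrypt would actually consume.
export function bcryptEffectiveInput(password: string): Buffer {
  return Buffer.from(password, 'utf8').subarray(0, BCRYPT_MAX_BYTES);
}

// Two passwords that share their first 72 bytes produce the same bcrypt hash and
// verify against each other; this is the failure mode the limit is there to prevent.
export function indistinguishableToBcrypt(a: string, b: string): boolean {
  return bcryptEffectiveInput(a).equals(bcryptEffectiveInput(b));
}
```

The same check belongs on the login path: rejecting over-long input there, instead of quietly truncating, keeps the server from accepting a password whose trailing bytes differ from the registered one.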

v0.29.0

07 Feb 06:02
eefee67
  • OpenID Connect works! The plumbing for this has been in place for some time, but this release supports the /userinfo endpoint and enough parameters from the authorization endpoint to make it work with the OIDC clients we've tested.
  • The dev server now automatically generates a JWT private key when it is run for the first time. This enables OpenID Connect to be used without further configuration.
  • Auth.js / NextAuth.js support validated. Our implementation had a few bugs, and authjs also had some issues that the server now has workarounds in place for.
  • Lots of documentation fixes and additions. (Thank you @usrrname).
  • Workaround for authjs incorrectly encoding colon in Basic Auth with percent-encoding.
  • #590: When an OIDC client doesn't provide a nonce, the server encoded the nonce as 'null' in the id token. It should have simply been omitted, and this was breaking authjs.
  • Added OpenID Connect endpoints to home screen.
  • Fixed validation bugs in the OAuth2 app update screen.
  • Support for the OIDC /.well-known/openid-configuration endpoint.
  • Added 'email', 'phone' and 'name' claims to OpenID id token.
  • Support for OpenID Connect 'userinfo' endpoint.
  • #596: Support for 'prompt' parameter in OIDC authorize request.
  • Support for auth_time in the OIDC id_token.
  • Force users to go through login process after changing their password. Before this change a change-password token was enough to complete login, but this could allow a user to circumvent other authentication factors such as TOTP.
  • Added a small HAL form for easily obtaining developer access tokens.
  • Added a /me endpoint that always redirects to the currently authenticated user or app.
  • Add support for prefer: transclude=item header and ?embed=item query parameter on the /user collection, allowing clients to get the full representation of each user.
  • A refresh of the home endpoint, with a few more links to OIDC endpoints.
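An added example, not a12n-server code, of assembling and signing an OpenID Connect id_token that behaves the way the 0.29.0 items describe: nonce is omitted unless the client supplied one (the #590 bug wrote the string 'null' instead), auth_time carries the time of the actual login rather than the token's issue time, and the email, phone and name claims use the OIDC Core claim names. The issuer, client and user values are invented, and the relying-party side pins the algorithm to RS256 instead of trusting the token's own header.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from 'node:crypto';

// Added example, not a12n-server code. Builds and signs an OIDC id_token with the
// claims from the 0.29.0 notes. nonce is set only when the client sent one (never the
// string "null"), auth_time is the moment the user actually authenticated, and the
// profile claims use the names from OIDC Core section 5.1. Issuer, client and user
// values are invented for the example.

export interface AuthorizeRequest {
  clientId: string;
  nonce?: string; // absent when the client did not send one
}

export interface UserRecord {
  id: string;
  name?: string;
  email?: string;
  emailVerified?: boolean;
  phone?: string;
  phoneVerified?: boolean;
}

export type Claims = Record<string, unknown>;

export function buildIdTokenClaims(
  issuer: string,
  user: UserRecord,
  req: AuthorizeRequest,
  authTime: number, // unix seconds of the login that produced this token
  now: number,
  ttlSeconds = 600,
): Claims {
  const claims: Claims = {
    iss: issuer,
    sub: user.id,
    aud: req.clientId,
    iat: now,
    exp: now + ttlSeconds,
    auth_time: authTime,
  };
  if (req.nonce !== undefined) claims.nonce = req.nonce; // omit the claim entirely otherwise
  if (user.name !== undefined) claims.name = user.name;
  if (user.email !== undefined) {
    claims.email = user.email;
    claims.email_verified = user.emailVerified === true;
  }
  if (user.phone !== undefined) {
    claims.phone_number = user.phone;
    claims.phone_number_verified = user.phoneVerified === true;
  }
  return claims;
}

const b64url = (b: Buffer): string => b.toString('base64url');

// RS256: RSASSA-PKCS1-v1_5 over SHA-256, which is what crypto.sign('sha256', ...)
// produces for an RSA key.
export function signIdToken(claims: Claims, privateKey: KeyObject): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: 'RS256', typ: 'JWT' })));
  const payload = b64url(Buffer.from(JSON.stringify(claims)));
  const signingInput = `${header}.${payload}`;
  const signature = sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64url(signature)}`;
}

// Relying-party side: pin the algorithm, check the signature, then read the claims.
export function verifyIdToken(token: string, publicKey: KeyObject): Claims | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  try {
    const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    if (header.alg !== 'RS256') return null; // never let the token choose its own algorithm
    const ok = verify('sha256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
    return ok ? (JSON.parse(Buffer.from(p, 'base64url').toString('utf8')) as Claims) : null;
  } catch {
    return null; // malformed base64url or JSON
  }
}

// Stand-alone run: mint a token without a nonce and verify it. A real server reuses
// the key it generated at first start and publishes the public half over JWKS.
export function demo(): Claims | null {
  const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
  const now = Math.floor(Date.now() / 1000);
  const user: UserRecord = { id: 'user-1', name: 'Ada', email: 'ada@example.test', emailVerified: true };
  const claims = buildIdTokenClaims('https://auth.example.test', user, { clientId: 'client-1' }, now - 30, now);
  return verifyIdToken(signIdToken(claims, privateKey), publicKey);
}
```

The difference between auth_time and iat is what lets a client honour max_age or prompt=login: a token minted from an old session has a fresh iat but an old auth_time, and a relying party that only checks iat cannot tell the two apart.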

v0.28.5

30 Jan 03:08
18eb638
  • Fix: authorization_challenge was emitting an incorrect error for users logging in with unverified email addresses.

v0.28.4

28 Jan 17:37
4b0f7bd
  • Logging in with an unverified email is no longer a blocker for the authorization-challenge system. Users can now verify their email address during the login process. (@chelsearoman-ca)
  • Added a friendly error message for devs trying to directly POST to the /login endpoint.
  • Refreshed getting started and CONTRIBUTING documents. (@usrrname)
  • Added some guides for getting a basic OAuth2 integration up and running using vanilla Javascript.
  • Added guide on testing SMTP.

v0.28.3

21 Jan 20:06
b085c21
  • Login challenge now prefers TOTP challenge over Email OTP by default.
  • Fix admin logout.
  • Cosmetic fixes in email templates.
  • Fix bug in password reset form.
  • Users can now override the a12n-server application title via the APP_NAME environment variable.

v0.28.2

09 Jan 20:02
d4a717c
  • Add a new privilege for managing user identities. Before this change it was required to have the 'admin' privilege to do this.
  • Verify response endpoint is now exposed as a form on the identity resource.
  • It's now possible to mark an identity as an MFA identity when verifying using the 'enableMfa' property.

v0.28.1

08 Jan 20:15
045a6e6
  • Fix a timing bug when using Redis as the kv store.

v0.28.0

08 Jan 19:08
250dba2
  • #563: Users can now enter a code sent to them by email as a one-time password. This feature has been added to the authorization_challenge / first party auth API but is not yet exposed in the admin interface.
  • Refactored and centralized abstract cache system, supporting redis/valkey and memory stores.
  • Email identities can now be verified in the admin UI and via the API.
  • Allow authorization_challenge to be preselected in 'new client'
  • Add button in admin UI to enable/disable MFA for a specific email identity.
  • Dropped support for Node 16, which is EOL.

v0.27.6

16 Dec 05:52
9934b22
  • Update @curveball/browser, which fixes an issue with submitting HTML forms that don't use GET or POST.