v0.17.2

• Added a /user/:id/password endpoint. This allows an admin to easily
  change a user's password.

v0.17.1

• updated simplewebauthn dependencies to the latest version.
• switched to 'indirect' attestation-type by default, allowing anomimized
  attestations to be used.
• it's now possible to set the value for the cors allow-origin option. by
  default it's enabled, but if cors.alloworigin is supplied, this can be
  overridden.

v0.17.0

• Privileges assigned to groups are now inherited by all users who are part of
  that group, allowing the use of groups as 'roles'.
• Added a /user/by-href/:href endpoint, allowing API clients to look up
  users by their 'identity' like their email address.
• Added a hasPassword property to each user. This is only visible on 'your
  own' user or if you are an admin.
• The /token-exchange endpoint for one-time tokes now requires a client_id
  parameter, similar to OAuth2 endpoints.
• Fixed a number of internal APIs that let people generate passwords for non-
  user principals, or oauth2 credentails for groups. Everything is a bit
  stricter.
• Internally, 'users', 'apps' and 'groups' are now more often referred to by
  the name 'principal'. Before, these 3 categories of things were also referred
  to as 'user'. This migration is not complete, but it's a big first step.
  Eventually we'll have separate API roots for each of these.

v0.16.0

• Added a login.defaultRedirect option. This setting allows an admin to
  specify where users should be redirected to after they log in.
• Added a 'one time token' API, allowing privileged clients to exchange tokens
  with regular OAuth2 access tokens. This is useful for custom implementations
  of 'lost password' features.
• Added an 'active sessions' API. This API lists all currently active
  access/refresh tokens for a user.
• Added an 'access token' endpoint, allowing you to generate a new access
  token if you had an already valid session.

v0.15.5

• Another re-release to try and make Github npm packages function.

v0.15.4

• This package is now published on npm under @curveball/a12n-server.

v0.15.3

• Re-releasing to for Github auto-publishing npm packages.

v0.15.2

• Added one-time-token API, allowing clients to get temporary login tokens for
  use with lost-password emails, invite emails.

v0.15.1

• When updating the list group members, it's now possible to specify members
  by using absolute URIs.
• Updated to latest curveball APIs

v0.15.0

• Added a 'first run' interface. If no users exist in the system at all,
  a12nserver will now drop you in a 'create admin user' interface, making the
  initial setup a LOT simpler.
• Updated the 'create oauth2 credentials' form to be more userfriendly.
• Fixed OAuth2 error responses.
• Added APIs for replacing the member list of a group (PUT).
• Added API for adding a member to a group (POST).
• Improved some of the installation instructions.
• Added a link from the users page back to the users list.