Releases: portier/portier-broker

v0.15.1

11 Mar 09:04

  • Fixed an issue where the broker was unable to make outgoing HTTPS requests because of a missing feature rustls for the reqwest crate.
  • Enabled default features charset and system-proxy for crate reqwest. This should help outgoing HTTP(S) requests when Portier is deployed behind a proxy.

v0.15.0

06 Mar 08:38

  • Upgraded AWS-LC, fixing three security issues: GHSA-jchq-39cv-q4wj, GHSA-frmv-5gcm-jwxh, GHSA-cfwj-9wp5-wqvp
  • Upgraded the bytes crate, fixing one security issue: GHSA-434x-w66g-qw3r
  • Upgraded the toml crate, which adds new .toml file syntax features, per the TOML 1.1 specification. This should have minimal impact on existing installations. See the TOML changelog for details.
  • In the default Rustls configuration, TLS certificate verification now uses the rustls-platform-verifier crate, instead of rustls-native-certs. This should have minimal impact on existing installations. See the rustls-platform-verifier README for details on differences.
  • The minimum supported Rust compiler version has been raised to 1.89. This only affects you when building from source.

v0.14.0

20 Aug 09:06

  • An extra confirmation step was added to prevent newer email scanners from consuming the login link. When the user starts and completes the login on the same device, this step is skipped using a session cookie. The cookie can be customized or disabled using a new setting device_cookie_ttl.
  • The 'Login' button on the email code form now switches to a disabled state on form submit, to prevent accidental multiple clicks. (by @jimdigriz)
  • If allowed_origins is not set (indicating all origins are allowed), CORS now also allows all origins. (by @jimdigriz)
  • Added a Vary: Origin response header to fix user agent caching with multiple relying parties using CORS. (by @jimdigriz)
  • Added a new setting csp to customize the Content-Security-Policy response header. (by @jimdigriz)

v0.13.0

12 May 13:57

  • The Redis storage backend now requires a server that supports the RESP3 protocol. (Redis >= 6.0)
  • The Redis pubsub code has been reworked and no longer creates a separate connection to Redis, instead reusing the main connection using RESP3.
  • An experimental option cors_ttl has been added, which can be used to add CORS headers to broker responses.
  • The minimum supported Rust compiler version has been raised to 1.83. This only affects you when building from source.

v0.12.1

03 Dec 10:30

  • It is now possible to retry the email code entry form.
  • Validation of redirect_uri in the OAuth authorization code flow could result in false negatives in some cases, when input does not match a reserialized version of the URL. For example, a URL without a path like https://example.com would always be rejected on the POST /token request, because during the POST /auth request it was parsed and stored as https://example.com/ (trailing slash), and no longer compared equal. This is now fixed.
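
The redirect_uri mismatch described above, as an added example (not Portier's code): JavaScript's WHATWG URL parser stands in for the broker's URL handling, and all function names are hypothetical. It contrasts the raw-versus-reserialized comparison with one that normalizes both sides, which is one possible approach and not necessarily how the broker fixed it.

```javascript
// Added illustration; not Portier's code. The WHATWG URL parser (Node built-in)
// stands in for the broker's URL parser; function names are hypothetical.

// POST /auth: parse the redirect_uri and keep the reserialized form.
function storeAtAuth(redirectUri) {
  return new URL(redirectUri).href;
}

// Buggy check at POST /token: raw input compared with the reserialized value.
function matchesRaw(stored, presented) {
  return stored === presented;
}

// Consistent check: run the presented value through the same parser first.
// Still an exact match, so a different host or path never passes.
function matchesNormalized(stored, presented) {
  let parsed;
  try {
    parsed = new URL(presented);
  } catch {
    return false; // unparseable input never matches
  }
  return stored === parsed.href;
}

// Constructed sample inputs.
const samples = [
  "https://example.com",          // no path: reserialized with trailing slash
  "https://example.com/",         // already in normalized form
  "HTTPS://Example.COM/callback", // scheme and host are lowercased
  "https://example.com:443/cb",   // default port is dropped
];

function compareAll(inputs) {
  return inputs.map((raw) => {
    const stored = storeAtAuth(raw);
    return {
      raw,
      stored,
      rawMatch: matchesRaw(stored, raw),
      normalizedMatch: matchesNormalized(stored, raw),
    };
  });
}

for (const r of compareAll(samples)) {
  console.log(`${r.raw} -> ${r.stored} raw=${r.rawMatch} normalized=${r.normalizedMatch}`);
}
```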

v0.12.0

27 Sep 09:09

  • The minimum supported Rust compiler version has been raised to 1.77. This only affects you when building from source.
  • Windows builds for this release are built using the new Rust 1.81.0 compiler, which incorporates the standard library fix for CVE-2024-43402. This advisory is low severity for Portier, because Portier only executes trusted commands, such as generate_rsa_command and sendmail_command.

v0.11.0

23 Jul 13:58

  • Added a French translation. (Thanks @daniel-g-gagnon!)
  • Improved Accept-Language matching: when the user requests an unknown regional variant (e.g. nl-BE), the primary language subtag is now also matched (e.g. nl).
  • Improved email address input validation. This primarily affects testing scenarios, where Portier may now reject configuration and input where an email address doesn't contain a top-level domain (e.g. foobar@localhost).

v0.10.1

01 Jul 09:04

  • Outgoing emails now include the X-Auto-Response-Suppress: All header to prevent automatic replies from Microsoft Exchange servers.

v0.10.0

18 May 15:41

  • The rsa feature and crate dependency have been removed. The broker now generates RSA keypairs using AWS Libcrypto (which was already a dependency).
  • The broker no longer uses HTTP 2 for outgoing requests, only HTTP 1.x. This reduces dependencies, and HTTP 2 has little benefit for the few small outgoing requests made by the broker.
  • Timeouts for outgoing HTTP requests have been fixed and are now configurable. The defaults should be fine in most cases, but see config.toml.dist if you do need to change these timeouts.
  • Discovery now proceeds in the background if discovery_timeout expires. The HTTP requests are still subject to their individual timeouts, but this allows cache to warm for future authentication requests, while discovery_timeout guarantees a certain response time.
  • Portier now sends a List-Id email header, intended to disable auto-responders on the receiver.
  • Authentication requests should no longer be double counted in /metrics.
  • Portier now sends a systemd 'stopping' notification when it begins shutdown. (This code was already present, but broken.)

v0.9.2

19 Apr 20:02
