Based on Keep a Changelog.
- Handle null values for oauth account email.
- Public and private APIs for oauth account visibility and removal - requires migration to record user email on oauth accounts (#253)
- Sign in with Apple oauth support
- Remove incomplete "provider specific signing key" feature (#250)
- Disallow OAuth linking to an account other than current session's account (#246)
- Replace deprecated gopkg.in/square/go-jose.v2 with github.com/go-jose/go-jose/v3 (#240)
- Beta support for TOTP multi-factor authentication (#220, #230, #231)
- Bump prometheus client to 1.11.1 (#229)
- Bump golang.org/x/crypto to 0.17.0 (#233)
- HMAC notification signatures (#207)
- support inferring default port from configured URL (via #214)
- fix unmarshaling bug in Microsoft OAuth Provider (via #214)
- support for persistent cookies via
REFRESH_TOKEN_EXPLICIT_EXPIRYenv var [#208]
- Usernames may not be passwords [#200]
- ID token contains Session ID claim (
sid) [#205]
- Added
/jwksto both public and private routes [#198]
- Added
last_login_atandpassword_changed_atto Get Account API [#195]
- Support for non-default Redis user [#191]
- Support for TLS connections to Redis with
rediss[#190]
- Update to go 1.17
- Flexible app domains with wildcard matching [#189]
- Support for Redis Sentinel [#181]
- Improved validation for AUTHN_URL and other ENV url values [#178]
- Broken pipe error on Postgres [#174]
- Usernames are now case insensitive on Postgres and SQLite. This requires a migration that can fail if the existing database has unintended duplicates! [#170]
- CORS configuration allows content-type header
- added a timeout to webhook sender
- OAuth through Microsoft [#155]
- endpoint for checking zxcvbn password score [#149]
- option to expire an account's sessions after a password change [#154]
- improvements to constant time comparison in basic auth (thanks @lsmith130)
- Support
Content-Type: application/json[#143] - Support for SameSite property on AuthN session cookie [#147]
- OAuth authentication through Discord [#116]
- Email validations no longer allow misplaced periods in the domain
- Log when rejecting a request for a missing or invalid Origin header [#34]
- Accept PUT HTTP calls on every endpoint accepting PATCH [#104]
- Same-origin requests are now accepted (for browsers that do not send Origin header for same-origin), by falling back to Referer header to determine the application domain that should be selected in the request's context. The Referer header is only consulted when Origin is not set. Since browsers are only permitted to omit Origin header for same-origin requests this behavior should be robust. [#105]
- Query optimizations on private admin endpoints.
- Pre-compute JWK key on RSA key generation and include within private key wrapper type for use by dependees. [#100]
- panic while evaluating some utf8 password characters
- zxcvbn library we use exhibited some deviation from standard (see: nbutton23/zxcvbn-go#20) so switched to https://github.com/trustelem/zxcvbn [#99]
- Passwordless Logins (aka Magic Links) [#71]
- New field:
accounts.last_login_at[#71] - Windows build
- Improved printing for configuration errors
- Uncaught uniqueness violation in
PATCH /account/:id
- connection leak with Postgres adapter [#60]
- OAuth authentication via Facebook, GitHub, and Google [#50]
- PostgreSQL support [#47]
- Improved (simplified) coordination between multiple AuthN servers when synchronizing keys [#44]
- ability to control location of sqlite3 database [#43]
- aggressively short wlock timeout on blob store (could result in competing keys)
- Log the actual client IP when deployed behind a proxy [#38]
- Bind a second port with only public routes [#37]
GET /accounts/:idendpoint [#30]- Airbrake error reporting [#32]
- AuthN version number is now printed on startup
- bug with account archival [#29]
- Recovery of RSA keys from SQLite3 blob store when restarting AuthN
- AuthN can run entirely from SQLite3 (without Redis)
- LogReporter prints more information to associate an error with a request
- Inverted logic in
GET /accounts/available