authn-server

What's Changed

• oauth: get signing key from provider by @AlexCuse in https://github.com/keratin/authn-server/pull/236
• CI: update maintained actions to eliminate node warnings by @AlexCuse in https://github.com/keratin/authn-server/pull/237
• chore: migrate deprecated ioutil usage to io package by @AlexCuse in https://github.com/keratin/authn-server/pull/238
• chore: use github.com/go-jose/go-jose/v3 over deprecated square package by @AlexCuse in https://github.com/keratin/authn-server/pull/240
• Remove duplicate print of PUBLIC_PORT by @cornerman in https://github.com/keratin/authn-server/pull/242
• Bugfix: authn initiates user login upon connection attempt by @diegosperes in https://github.com/keratin/authn-server/pull/246
• Bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 by @dependabot in https://github.com/keratin/authn-server/pull/244
• prepare 1.18.1 by @AlexCuse in https://github.com/keratin/authn-server/pull/247

New Contributors

• @cornerman made their first contribution in https://github.com/keratin/authn-server/pull/242
• @diegosperes made their first contribution in https://github.com/keratin/authn-server/pull/246

Full Changelog: https://github.com/keratin/authn-server/compare/v1.18.0...v1.18.1

Added

• Usernames may not be passwords [#200]
• ID token contains Session ID claim (sid) [#205]

Added

• Added /jwks to both public and private routes [#198]

Added

• Support for non-default Redis user [#191]
• Support for TLS connections to Redis with rediss [#190]

Added

• Update to go 1.17
• Flexible app domains with wildcard matching [#189]

Added

• Support for Redis Sentinel [#181]

Fixed

• Improved validation for AUTHN_URL and other ENV url values [#178]

Fixed

• Broken pipe error on Postgres [#174]

Fixed

• Usernames are now case insensitive on Postgres and SQLite. This requires a migration that can fail if the existing database has unintended duplicates! [#170]

Fixed

• CORS configuration allows content-type header

Fixed

• added a timeout to webhook sender

Added

• OAuth through Microsoft [#155]

Added

• endpoint for checking zxcvbn password score [#149]
• option to expire an account's sessions after a password change [#154]

Fixed

• improvements to constant time comparison in basic auth (thanks @lsmith130)

Added

• Support Content-Type: application/json [#143]
• Support for SameSite property on AuthN session cookie [#147]

Added

• OAuth authentication through Discord [#116]

Fixed

• Email validations no longer allow misplaced periods in the domain

Added

• Log when rejecting a request for a missing or invalid Origin header [#34]
• Accept PUT HTTP calls on every endpoint accepting PATCH [#104]

Changed

• Same-origin requests are now accepted (for browsers that do not send Origin header for same-origin), by falling back to Referer header to determine the application domain that should be selected in the request's context. The Referer header is only consulted when Origin is not set. Since browsers are only permitted to omit Origin header for same-origin requests this behavior should be robust. [#105]
• Query optimizations on private admin endpoints.
• Pre-compute JWK key on RSA key generation and include within private key wrapper type for use by dependees. [#100]

Fixed

• panic while evaluating some utf8 password characters
• zxcvbn library we use exhibited some deviation from standard (see: https://github.com/nbutton23/zxcvbn-go/issues/20) so switched to https://github.com/trustelem/zxcvbn [#99]

⚠️ This release includes a mandatory database migration! ⚠️

Added

• Passwordless Logins (aka Magic Links) [#71] - @etruta
• New field: accounts.last_login_at [#71] - @etruta
• Windows build

Changed

• Improved printing for configuration errors

Fixed

• Uncaught uniqueness violation in PATCH /account/:id

Fixed

• connection leak with Postgres adapter [#60]

New

Two of the biggest feature requests are going live in this version!

• [#50] OAuth, with initial support for Facebook, GitHub, Google. Check out the Implementing OAuth guide and be sure to provide feedback in Gitter or Issues.
• [#47] PostgreSQL support

New

• Improved (simplified) coordination between multiple AuthN servers when synchronizing keys [#44]

Fixed

• ability to control location of sqlite3 database
• aggressively short wlock timeout on blob store (could result in competing keys)