authn-server

Authentication service that keeps you in control without forcing you to be an expert in web security.

LGPL-3.0 License


authn-server -

Published by cainlevy over 6 years ago

This release improves deployment in hardened environments:

  • Log the actual client IP when deployed behind a proxy [#38]
  • Bind a second port with only public routes [#37]

Both features are enabled with an environment variable. My general plan is to maintain backwards compatibility during the 1.x release series using feature flags, then change defaults or consolidate configuration when releasing 2.0.

authn-server - v1.1.0

Published by cainlevy almost 7 years ago

New

  • GET /accounts/:id endpoint #30
  • Airbrake error reporting #32
  • AuthN version number is printed in the ready message

authn-server - v1.0.2

Published by cainlevy almost 7 years ago

Fixes

  • Bug with account archival [#29]

authn-server - v1.0.1

Published by cainlevy almost 7 years ago

Fixed

  • Recovery of RSA keys from the SQLite3 blob store when restarting AuthN

authn-server - v1.0.0

Published by cainlevy almost 7 years ago

Alright, I'm calling it! Here's the 1.0 release.

New

  • Redis is optional! AuthN can run entirely from a SQLite database, ideal for dev and self-contained environments.
  • LogReporter includes a bit more information to associate an error with a request.

Fixed

  • Inverted logic in GET /accounts/available

authn-server - v1.0.0-rc3

Published by cainlevy almost 7 years ago

Fixed

  • Regression in CORS configuration

authn-server - v1.0.0-rc2

Published by cainlevy almost 7 years ago

New

  • GET /metrics [#18]
  • Revoke refresh tokens when archiving and locking an account [#17]
  • Root HTML doc [#12]

Fixed

  • nil panic when logging in with an unknown username and no password

authn-server - v1.0.0-rc1

Published by cainlevy almost 7 years ago

Release candidate for v1.0!

Incompatible Changes

I've tried to make all incompatible changes together, to minimize impact on production users. These need to happen before 1.0 though, and there's no better time.

  • SECRET_KEY_BASE is now stretched into a 128-bit key, to defeat brute-force guessing. This will invalidate existing password reset tokens, session tokens, and access tokens.
  • Session tokens now have an additional scope claim. This invalidates existing session tokens.
  • Refresh tokens now expire after a 30-day timeout, by default. Existing tokens are unaffected, except that all of them have already been expired by the changes above. They'll be cleaned out of Redis eventually.

New

  • Webhooks will retry for up to nearly two minutes
  • CSRF protection now depends on checking Origin instead of Referer. This should be a sidegrade.

authn-server -

Published by cainlevy about 7 years ago

New

  • JSON logging for background events like key rotation and webhook delivery
  • Configurable notification for changed passwords

Fixed

  • Silenced a pointless error when attempting to reset the password of an unknown or locked account

authn-server -

Published by cainlevy about 7 years ago

Bugfixes for password reset webhooks:

  • Include certificates for https
  • Omit auth credentials from error reports

authn-server - v0.8.0

Published by cainlevy about 7 years ago

New

  • PATCH /account may be used to change usernames. This is helpful if usernames are emails and the host app receives a new email address that should be synchronized.
  • POST /password now requires a currentPassword param for logged-in password changes. In order to accomplish a seamless upgrade, please update and deploy [email protected] first. This will begin sending currentPassword, which can be safely ignored by [email protected].

authn-server - Golang version of AuthN server enters Beta

Published by cainlevy about 7 years ago

The AuthN Server written in Go now meets and exceeds the feature set of the Rails version. Update docker images from keratin/authn to keratin/authn-server to make the switch. Testing has been performed to verify that the Go and Ruby versions are wire- and data-compatible, given the same configuration. If that proves not to be true, it is a fixable bug and may be backported to this v0.7 release branch.

New

  • Error reporting harness, with initial integration for Sentry