authn-server

Authentication service that keeps you in control without forcing you to be an expert in web security.

License: LGPL-3.0
Stars: 1.3K
Committers: 29

authn-server - v1.8.0

Published by cainlevy over 4 years ago

Added

  • Support Content-Type: application/json [#143]
  • Support for SameSite property on AuthN session cookie [#147]
authn-server - v1.7.0

Published by cainlevy about 5 years ago

Added

  • OAuth authentication through Discord [#116]

Fixed

  • Email validations no longer allow misplaced periods in the domain
authn-server - v1.6.0

Published by cainlevy over 5 years ago

Added

  • Log when rejecting a request for a missing or invalid Origin header [#34]
  • Accept PUT HTTP calls on every endpoint accepting PATCH [#104]

Changed

  • Same-origin requests that arrive without an Origin header are now accepted. Browsers are permitted to omit Origin only on same-origin requests, so when it is absent AuthN falls back to the Referer header to determine which application domain to select for the request's context. Referer is consulted only when Origin is not set; it never overrides an Origin that is present, so this fallback should be robust. [#105]
  • Query optimizations on private admin endpoints.
  • Pre-compute the JWK form of each RSA key at generation time and carry it in the private key wrapper type, so dependents do not recompute it. [#100]

Fixed

authn-server -

Published by cainlevy almost 6 years ago

⚠️ This release includes a mandatory database migration! ⚠️

Added

  • Passwordless Logins (aka Magic Links) [#71] - @etruta
  • New field: accounts.last_login_at [#71] - @etruta
  • Windows build

Changed

  • Improved printing for configuration errors

Fixed

  • Uncaught uniqueness violation in PATCH /account/:id
authn-server -

Published by cainlevy about 6 years ago

Fixed

  • connection leak with Postgres adapter [#60]
authn-server - v1.4.0

Published by cainlevy over 6 years ago

New

Two of the biggest feature requests are going live in this version!

  • [#50] OAuth, with initial support for Facebook, GitHub, Google. Check out the Implementing OAuth guide and be sure to provide feedback in Gitter or Issues.
  • [#47] PostgreSQL support
authn-server -

Published by cainlevy over 6 years ago

New

  • Improved (simplified) coordination between multiple AuthN servers when synchronizing keys [#44]
authn-server -

Published by cainlevy over 6 years ago

Fixed

  • Ability to control the location of the sqlite3 database
  • Aggressively short wlock (write-lock) timeout on the blob store, which could result in competing keys being generated
authn-server -

Published by cainlevy over 6 years ago

This release improves deployment in hardened environments:

  • Log the actual client IP when deployed behind a proxy [#38]
  • Bind a second port with only public routes [#37]

Both features require an ENV variable. My general plan is to maintain backwards compatibility during the 1.x release series using feature flags, then change defaults or consolidate configuration whenever releasing a 2.0.
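
The two hardening features above, shown together as an added example in Go (this is illustrative code, not authn-server's own implementation; the route paths, port numbers and the `trustedProxies` setting are assumptions). The private mux serves the admin routes plus everything public and binds to loopback, while the public mux binds the exposed port and knows nothing about admin routes. `ClientIP` shows the part of "log the actual client IP" that is easy to get wrong: with a known number of trusted proxies the client is counted from the right of X-Forwarded-For, never taken from the left, because the leftmost entry can be supplied by the client itself.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
)

// ClientIP returns the address to write to the access log.
// trustedProxies is the number of reverse proxies between the client and
// this server that append their peer address to X-Forwarded-For (a
// hypothetical setting for this example, not the project's own flag).
//
// With 0 the TCP peer is the client and the header is ignored: anything in
// it was typed by the client. With N, the entry N places from the right is
// the first address a trusted proxy saw; entries left of it may be
// attacker-supplied, so the leftmost value is never used blindly.
func ClientIP(r *http.Request, trustedProxies int) string {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		peer = r.RemoteAddr
	}
	if trustedProxies <= 0 {
		return peer
	}
	var hops []string
	for _, v := range r.Header.Values("X-Forwarded-For") {
		for _, h := range strings.Split(v, ",") {
			if h = strings.TrimSpace(h); h != "" {
				hops = append(hops, h)
			}
		}
	}
	if len(hops) == 0 {
		return peer
	}
	idx := len(hops) - trustedProxies
	if idx < 0 {
		idx = 0 // shorter chain than configured: every entry is proxy-written
	}
	if net.ParseIP(hops[idx]) == nil {
		return peer // garbage in the header: fall back to the TCP peer
	}
	return hops[idx]
}

// NewHandlers builds two route tables. The public mux holds only the
// endpoints a browser client needs; the private mux adds admin routes and
// also serves the public ones. Route paths are illustrative.
func NewHandlers(trustedProxies int) (public, private http.Handler) {
	pub := http.NewServeMux()
	pub.HandleFunc("/session", func(w http.ResponseWriter, r *http.Request) {
		log.Printf("login attempt from %s", ClientIP(r, trustedProxies))
		fmt.Fprintln(w, "public: session")
	})
	pub.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})

	priv := http.NewServeMux()
	priv.Handle("/", pub) // longest-prefix match: public routes fall through to pub
	priv.HandleFunc("/metrics", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "private: metrics")
	})
	priv.HandleFunc("/accounts/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "private: account admin")
	})
	return pub, priv
}

func main() {
	pub, priv := NewHandlers(1)
	// The public port faces the proxy; the private port binds loopback only,
	// so admin routes are unreachable unless the operator exposes them.
	go func() { log.Fatal(http.ListenAndServe("0.0.0.0:3000", pub)) }()
	log.Fatal(http.ListenAndServe("127.0.0.1:3001", priv))
}
```

With `trustedProxies` set to 0 a forged `X-Forwarded-For: 1.2.3.4` is ignored entirely; with 1 trusted proxy the address that proxy appended is logged and the forged leftmost entry is skipped. A deployment that trusts the leftmost entry lets anyone choose what appears in the audit log.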

authn-server - v1.1.0

Published by cainlevy almost 7 years ago

New

  • GET /accounts/:id endpoint [#30]
  • Airbrake error reporting [#32]
  • AuthN version number is printed in the ready message
authn-server - v1.0.2

Published by cainlevy almost 7 years ago

Fixes

  • bug with account archival [#29]
authn-server - v1.0.1

Published by cainlevy almost 7 years ago

Fixed

  • Recovery of RSA keys from SQLite3 blob store when restarting AuthN
authn-server - v1.0.0

Published by cainlevy almost 7 years ago

Alright, I'm calling it! Here's the 1.0 release.

New

  • Redis is optional! AuthN can run entirely from a SQLite database, ideal for dev and self-contained environments.
  • LogReporter includes a bit more information to associate an error with a request.

Fixed

  • Inverted logic in GET /accounts/available
authn-server - v1.0.0-rc3

Published by cainlevy almost 7 years ago

Fixed

  • Regression in CORS configuration
authn-server - v1.0.0-rc2

Published by cainlevy almost 7 years ago

New

  • GET /metrics [#18]
  • Revoke refresh tokens when archiving and locking an account [#17]
  • Root HTML doc [#12]

Fixed

  • nil panic when logging in with unknown username and no password
authn-server - v1.0.0-rc1

Published by cainlevy almost 7 years ago

Release candidate for v1.0!

Incompatible Changes

I've tried to make any incompatible changes together, to minimize impact on production users. These need to happen before 1.0 though. There's no better time.

  • SECRET_KEY_BASE is now stretched into a 128-bit key, to defeat brute-force guessing. This will invalidate existing password reset tokens, session tokens, and access tokens.
  • Session tokens now have an additional scope claim. This invalidates existing session tokens.
  • Refresh tokens now expire after a 30-day timeout, by default. Existing tokens are unaffected, except that all of them have been expired by the above changes. They'll be cleaned out of Redis eventually.

New

  • webhooks will retry for up to nearly two minutes
  • CSRF protection now checks the Origin header instead of Referer. This should be a sidegrade.
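
The Origin-based CSRF check introduced here, together with the Referer fallback for same-origin requests added later in v1.6.0, as one added example in Go (illustrative code, not authn-server's own; the `allowed` domain list and the function names are assumptions). Origin is authoritative whenever present. Referer is read only when Origin is absent, which browsers do only for same-origin requests, and a present but non-matching Origin is never rescued by a plausible Referer. Rejections are logged with the raw header values, as the v1.6.0 note describes.

```go
package main

import (
	"errors"
	"log"
	"net/http"
	"net/url"
	"strings"
)

// ErrBadOrigin is returned for requests whose origin cannot be established
// or does not match a configured application domain.
var ErrBadOrigin = errors.New("missing or invalid Origin header")

// requestOrigin returns the scheme://host[:port] the browser attributes this
// request to. Origin wins whenever present. Only when it is absent, which
// browsers do only for same-origin requests, is Referer consulted.
func requestOrigin(r *http.Request) (string, error) {
	if origin := r.Header.Get("Origin"); origin != "" {
		if origin == "null" {
			return "", ErrBadOrigin // opaque origin (sandboxed frame, privacy-sensitive redirect): reject
		}
		return normalizeOrigin(origin)
	}
	if ref := r.Header.Get("Referer"); ref != "" {
		return normalizeOrigin(ref) // path and query are dropped, only the origin part is kept
	}
	return "", ErrBadOrigin
}

func normalizeOrigin(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", ErrBadOrigin
	}
	return strings.ToLower(u.Scheme + "://" + u.Host), nil
}

// SelectDomain picks the configured application domain this request belongs
// to. allowed is a hypothetical config list of scheme://host entries.
func SelectDomain(r *http.Request, allowed []string) (string, error) {
	origin, err := requestOrigin(r)
	if err != nil {
		log.Printf("rejecting %s %s: origin=%q referer=%q", r.Method, r.URL.Path,
			r.Header.Get("Origin"), r.Header.Get("Referer"))
		return "", err
	}
	for _, d := range allowed {
		if strings.EqualFold(d, origin) {
			return d, nil
		}
	}
	log.Printf("rejecting %s %s: origin %q is not a configured domain", r.Method, r.URL.Path, origin)
	return "", ErrBadOrigin
}

// RequireOrigin is the middleware form; state-changing routes sit behind it.
func RequireOrigin(allowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := SelectDomain(r, allowed); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Scheme is part of the comparison, so `http://app.example.com` does not match a configured `https://app.example.com`. The check defends against browsers, which set Origin and Referer themselves; a non-browser client can send any headers it likes, which is why the session cookie and not this check is what keeps a curl user from acting as someone else.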
authn-server -

Published by cainlevy about 7 years ago

New

  • JSON logging for background events like key rotation and webhook delivery
  • configurable notification for changed passwords

Fixed

  • Silenced a pointless error when attempting to reset the password of an unknown or locked account
authn-server -

Published by cainlevy about 7 years ago

Bugfixes for password reset webhooks:

  • include certificates for https
  • omit auth credentials from error reports
authn-server - v0.8.0

Published by cainlevy about 7 years ago

New:

  • PATCH /account may be used to change usernames. This is helpful if usernames are emails and the host app receives a new email address that should be synchronized.
  • POST /password will now require a currentPassword param for logged-in password changes. In order to accomplish a seamless upgrade, please update and deploy [email protected] first. This will begin sending currentPassword, which can be safely ignored by [email protected].
authn-server - Golang version of AuthN server enters Beta

Published by cainlevy about 7 years ago

The AuthN Server written in Go now meets and exceeds the feature set of the Rails version. Update Docker images from keratin/authn to keratin/authn-server to make the switch. Testing has been performed to verify that the Go and Ruby versions are wire- and data-compatible, given the same configuration. If that proves not to be true, it is a fixable bug and may be backported to this v0.7 release branch.

New

  • Error reporting harness, with initial integration for Sentry