Releases: keratin/authn-server

v1.0.2

30 Nov 06:32

Fixes

  • bug with account archival [#29]

v1.0.1

25 Nov 23:26

Fixed

  • Recovery of RSA keys from SQLite3 blob store when restarting AuthN

v1.0.0

17 Nov 23:53
27917e8

Alright, I'm calling it! Here's the 1.0 release.

New

  • Redis is optional! AuthN can run entirely from a SQLite database, ideal for dev and self-contained environments.
  • LogReporter includes a bit more information to associate an error with a request.

Fixed

  • Inverted logic in GET /accounts/available

v1.0.0-rc3

10 Nov 23:26
Pre-release

Fixed

  • Regression in CORS configuration

v1.0.0-rc2

10 Nov 21:26
f2c1bbb
Pre-release

New

  • GET /metrics [#18]
  • Revoke refresh tokens when archiving and locking an account [#17]
  • Root HTML doc [#12]

Fixed

  • nil panic when logging in with unknown username and no password

v1.0.0-rc1

21 Oct 20:41
Pre-release

Release candidate for v1.0!

Incompatible Changes

I've tried to make any incompatible changes together, to minimize impact on production users. These need to happen before 1.0 though. There's no better time.

  • SECRET_KEY_BASE is now stretched into a 128-bit key, to defeat brute guessing. This will invalidate existing password reset tokens, session tokens, and access tokens.
  • Session tokens now have an additional scope claim. This invalidates existing session tokens.
  • Refresh tokens now expire after a 30-day timeout, by default. Existing tokens are unaffected, except that all of them have been expired by the above changes. They'll be cleaned out of Redis eventually.

New

  • webhooks will retry for up to nearly two minutes
  • CSRF now depends on checking Origin instead of Referer. This should be a sidegrade.

v0.9.0

22 Sep 22:23

New

  • JSON logging for background events like key rotation and webhook delivery
  • configurable notification for changed passwords

Fixed

  • silenced a pointless error when attempting to reset an unknown or locked account's password

v0.8.1

20 Sep 23:33

Bugfixes for password reset webhooks:

  • include certificates for https
  • omit auth credentials from error reports

v0.8.0

15 Sep 20:14

New:

  • PATCH /account may be used to change usernames. This is helpful if usernames are emails and the host app receives a new email address that should be synchronized.
  • POST /password will now require a currentPassword param for logged-in password changes. In order to accomplish a seamless upgrade, please update and deploy [email protected] first. This will begin sending currentPassword, which can be safely ignored by [email protected].

Golang version of AuthN server enters Beta

12 Sep 03:43

The AuthN Server written in Go now meets and exceeds the feature set of the Rails version. Update docker images from keratin/authn to keratin/authn-server to make the switch. Testing has been performed to verify that the Go and Ruby versions are wire- and data-compatible, given the same configuration. If that proves to not be true, it is a fixable bug and may be backported to this v0.7 release branch.

New

  • Error reporting harness, with initial integration for Sentry