v0.26.1

• Allow users to set up TOTP after registration.
• Add a new 'auth-factor' API endpoint, which lists all the authentication factors the user has setup. Currently it only supports 'password' and 'totp', but more will be added in the future.
• Fix test server.

v0.26.0

New big release in a while!

This release primarily adds support for multiple email/addresses per user and separates the 'active' flag from the 'having validated your email address' flag.

It also introduces experimental support for a draft OAuth2 flow for first-party apps, which (right now) only supports usernames and passwords, and is sure to change over time.. but this will become the main framework for multi-step authentication with all flavours of MFA.

Please note that this release has a few database changes that (depending on your database size) may take a bit to complete. MAKE A BACKUP! I can't stress this enough!

• BC Break: Previous versions of a12nserver collated the 'active' status of users and whether or not their used email addresses were verified. These two flags are now separate. For a user to log in with their username and password their account must be active (now on by default) and email must be verified. When upgrading to 0.26 all active users will have their email automatically verified.
• BC Break: When creating users via the API, we no longer accept the 'active' flag. (is now on by default).
• New! Users can now be associated with multiple email addresses and/or phone numbers.
• Added support for OAuth 2.0 Multiple Response Type Encoding Practices) aka the "authorization_challenge" flow.
• Upgraded to Curveball 1.
• Moved from CommonJS to ESM.
• Upgraded to Typescript 5.5.
• Dropped mocha for the built-in Node tester.
• #494: Add 'public' to Postgres schema search path. (@elaugier)
• Auto-generate API types from JSON schema.
• Internal: oauth2-client is renamed to app-client to reduce confusion a bit.
• Internal: oauth2_codes now remember what grant_type was used to generate the code, plus the redirect_uri.

v0.25.4

• The 'scope' property on the OAuth2 introspection response was comma-separated when it should have been space-separated.

0.25.3

• Set Content-Type to application/json for password and refresh_token
  operations on the token endpoint.

0.25.2

Fixed result of one-time-token if a custom expiry was used.

0.25.1

• Clients can now specify how long a one-time-token should be valid for.
• API clients can now request that one-time-tokens don't expire after use.
• The client_id is now validated to belong to the curent user when validating one-time-tokens.

v0.25.0

• Added two privileges for one-time-token use: a12n:one-time-token:generate and a12n-one-time-token:exchange, these both required the admin privilege. Theres no bc break here as the original admin privilege still covers these new ones.
• It wasn't possible to see a full principal even if a user had a12n:principal:list privilege.
• Added new privilege for changing passwords: a12n:user:change-password.
• Introspection endpoint now returns the exp, sub, aud and iss properties.
• Now returning a 422 for invalid passwords instead of 500.

v0.24.0

New major release! 0.24 introduces some breaking changes, which may affect you:

• REDIS_HOST, REDIS_PORT, REDIS_USERNAME and REDIS_PASSWORD are now deprecated. Instead, you must use a singular REDIS_URI environment variable that takes the form redis://[username]:[passsword]@[host]:[port].
• /group/x/member endpoints has been removed. These have been marked as deprecated 2.5 years earlier. If you still depended on this endpoint, all the related information can be found on the /group/x endpoint. This endpoint also has operations for modifying the members list.
• By default this server will no longer allow new users and apps to see the full list of other users, groups and apps. Any applications relying on this behavior need to give the relevant users the a12n:principals:list privilege. To get the old behavior, simply add this privilege to the new $all group. An privileges added to this group are automatically applied to every user in the system.

Changes since last alpha release:

• Upgrade to Redis 4.
• Improve user audit logging for various OAuth2 flows.
• Use SQLite3 WAL mode for better concurrency.

v0.24.0-alpha.1

• The Docker distribution now runs on Node 20 (upgraded from 16).
• Fixed a 500 error in the OAuth2 password flow.
• Updated to simplewebauthn 8.

v0.24.0-alpha.0

• Update to curveball 0.21
• Refactored the privilege system to make internally easier to use. There should be no end-user effects to this.
• Added a system group principal , which allows admins to set privileges for every user in the system.
• Fix Sqlite startup warning.
• The /group/x/members collection and associated operations and links have been removed. This endpoint had been marked deprecated in version 0.19 in May 2021 and is now finally removed. If you still depended on this endpoint, all the related information can be found on the /group/x endpoint. This endpoint also has operations for modifying the members list.
• By default this server will no longer allow new users and apps to see the full list of other users, groups and apps. Any applications relying on this behavior need to give the relevant users the a12n:principals:list privilege. To get the old behavior, simply add this privilege to the new $all group.
• When a user goes from login to registration, the "continue" link will be remembered.
• The 'password' flow now also tracks apps that are granted access to user accounts
• When using the Redis session backend, CSRF tokens would not get stored correctly, causing some browser operations to fail.
• a12n-server will now report a better process name in linux process lists.
• The server now picks up the CURVEBALL_ORIGIN environment variable.