Releases: curveball/a12n-server
Releases · curveball/a12n-server
v0.25.4
0.25.3
0.25.2
0.25.1
v0.25.0
- Added two privileges for one-time-token use:
a12n:one-time-token:generate
anda12n-one-time-token:exchange
, these both required theadmin
privilege. Theres no bc break here as the originaladmin
privilege still covers these new ones. - It wasn't possible to see a full principal even if a user had
a12n:principal:list
privilege. - Added new privilege for changing passwords:
a12n:user:change-password
. - Introspection endpoint now returns the
exp
,sub
,aud
andiss
properties. - Now returning a 422 for invalid passwords instead of 500.
v0.24.0
New major release! 0.24 introduces some breaking changes, which may affect you:
REDIS_HOST
,REDIS_PORT
,REDIS_USERNAME
andREDIS_PASSWORD
are now deprecated. Instead, you must use a singularREDIS_URI
environment variable that takes the formredis://[username]:[passsword]@[host]:[port]
./group/x/member
endpoints has been removed. These have been marked as deprecated 2.5 years earlier. If you still depended on this endpoint, all the related information can be found on the /group/x endpoint. This endpoint also has operations for modifying the members list.- By default this server will no longer allow new users and apps to see the full list of other users, groups and apps. Any applications relying on this behavior need to give the relevant users the
a12n:principals:list
privilege. To get the old behavior, simply add this privilege to the new$all
group. An privileges added to this group are automatically applied to every user in the system.
Changes since last alpha release:
- Upgrade to Redis 4.
- Improve user audit logging for various OAuth2 flows.
- Use SQLite3 WAL mode for better concurrency.
v0.24.0-alpha.1
- The Docker distribution now runs on Node 20 (upgraded from 16).
- Fixed a 500 error in the OAuth2 password flow.
- Updated to simplewebauthn 8.
v0.24.0-alpha.0
- Update to curveball 0.21
- Refactored the privilege system to make internally easier to use. There should be no end-user effects to this.
- Added a system group principal , which allows admins to set privileges for every user in the system.
- Fix Sqlite startup warning.
- The
/group/x/members
collection and associated operations and links have been removed. This endpoint had been marked deprecated in version 0.19 in May 2021 and is now finally removed. If you still depended on this endpoint, all the related information can be found on the /group/x endpoint. This endpoint also has operations for modifying the members list. - By default this server will no longer allow new users and apps to see the full list of other users, groups and apps. Any applications relying on this behavior need to give the relevant users the
a12n:principals:list
privilege. To get the old behavior, simply add this privilege to the new$all
group. - When a user goes from login to registration, the "continue" link will be remembered.
- The 'password' flow now also tracks apps that are granted access to user accounts
- When using the Redis session backend, CSRF tokens would not get stored correctly, causing some browser operations to fail.
- a12n-server will now report a better process name in linux process lists.
- The server now picks up the
CURVEBALL_ORIGIN
environment variable.
v0.23.1
v0.23.0
The main reason this was released was due to a very scary Knex SQL injection bug that affects MySQL users.
- knex/knex#1227
- https://nvd.nist.gov/vuln/detail/CVE-2016-20018
- https://www.ghostccamm.com/blog/knex_sqli/
Other changes and new features:
- 'scope' wasn't supported yet correctly in the
authorization_code
andimplicit
flows. - Fixed some bugs in the 'active sessions' report, and add columns for
grant_type
, andscope
. - Common types, such
User
,App
,Group
types have been moved tosrc/types.ts
for easier access. - We're now keeping track of which scopes were granted to which apps per user.
- Support for RFC 9068: A standard format for JWT OAuth2 Access Tokens.
- Centralize CSRF token handling (for old browsers).
- Added a new 'add privilege' action, which is helpful for API clients.
- Fix bug: Incorrect url in
Location
header when creating a new user. - #448: Fix 'create group' form.