- Refactored and centralized abstract cache system, supporting redis/valkey and memory stores.
- Email identities can now be verified in the admin UI and via the API.
- Update @curveball/browser, which fixes an issue with submitting HTML forms that don't use GET or POST.
- #555: Another fix for launching the a12nserver npx script. (@Zen-cronic)
- Schemas misspelled as 'schema'. Sorry for all the releases, I don't know how to do a clean test of npx without doing a release first, so the feedback loop is change->release->test.
- Copy simplewebauthn browser bundle into assets directory for easier distribution.
- Fix missing entries in files section in package.json, preventing the "npx @curveball/a12n-server" tool from working.
- Fix HTTP/500 error when requesting a developer access token.
- `authorization_challenge` now supports a TOTP challenge step!
- Refactored logging system. Less ugly now with fewer enums!
- `authorization_challenge` clients can now specify `remote_addr` and `user_agent`, so the server can keep accurate logs of the user's browser that's trying to authenticate.
- Return the correct 'ttl' value for a verification-token.
- Instead of 1 generic error with a few parameters, the server now emits individual error codes for each kind of error that may be emitted from the `authorization_challenge` endpoint. This change is based on examples in more recent drafts and should simplify the process for clients a bit. This is a BC break for `authorization_challenge`.
- Renamed `login_failed` event to `password-check-failed`.
- Added events: `password-check-succes`, `totp-success`, `login-challenge-started`, `login-challenge-success`.
- Updated Curveball dependencies.
- `CURVEBALL_TRUSTPROXY` should now work as expected.
- Updated Curveball dependencies
- Developer tokens will now be associated with a client_id if an OAuth2 client was used to generate one. This allows them to be refreshed.
- A scope can now be specified when creating a developer token.
- New: access-token endpoint now returns refresh token.
- User accounts are now automatically locked after 5 failed login attempts. (@YunhwanJeong).
- Stricter validation on the 'Create App Client Form.'
- Looks for database in 'public' searchPath in Postgres. (@Zen-cronic)
- Fix internal error on user/id route in Postgres. (@Zen-cronic)
- Generating arbitrary access-tokens is now behind the `a12n:access-token:generate` privilege instead of just `admin`. Having the `admin` privilege still includes this privilege, so this is not a backwards compatibility break.
- Fix: Introspection on developer tokens threw an error.
- Fix: CSRF error on change password page (@Zen-cronic).
- Allow admins to auto-generate an initial 'diceware' password when creating new users, which should make onboarding new users and testing easier.
- Fix CSRF error on register form
- Fix a bug in the automatic App creation flow
- Allow users to set up TOTP after registration.
- Add a new 'auth-factor' API endpoint, which lists all the authentication factors the user has setup. Currently it only supports 'password' and 'totp', but more will be added in the future.
- Fix test server.
The first big release in a while! This release primarily adds support for multiple email addresses per user and separates the 'active' flag from the 'having validated your email address' flag. It also introduces experimental support for a draft OAuth2 flow for first-party apps, which (right now) only supports usernames and passwords, and is sure to change over time, but this will become the main framework for multi-step authentication with all flavours of MFA. Please note that this release has a few database changes that (depending on your database size) may take a bit to complete. MAKE A BACKUP! I can't stress this enough!
- BC Break: Previous versions of a12nserver collated the 'active' status of users and whether or not their used email addresses were verified. These two flags are now separate. For a user to log in with their username and password their account must be active (now on by default) and email must be verified. When upgrading to 0.26 all active users will have their email automatically verified.
- BC Break: When creating users via the API, we no longer accept the 'active' flag (it is now on by default).
- New! Users can now be associated with multiple email addresses and/or phone numbers.
- Added support for OAuth 2.0 Multiple Response Type Encoding Practices, aka the "authorization_challenge" flow.
- Upgraded to Curveball 1.
- Moved from CommonJS to ESM.
- Upgraded to Typescript 5.5.
- Dropped mocha for the built-in Node tester.
- #494: Add 'public' to Postgres schema search path. (@elaugier)
- Auto-generate API types from JSON schema.
- Internal: oauth2-client is renamed to app-client to reduce confusion a bit.
- Internal: `oauth2_codes` now remember what grant_type was used to generate the code, plus the `redirect_uri`.
- The 'scope' property on the OAuth2 introspection response was comma-separated when it should have been space-separated.
- Set Content-Type to application/json for `password` and `refresh_token` operations on the token endpoint.
- Fixed result of one-time-token if a custom expiry was used.
- Clients can now specify how long a one-time-token should be valid for.
- API clients can now request that one-time-tokens don't expire after use.
- The client_id is now validated to belong to the current user when validating one-time-tokens.
- Fixed result of one-time-token if a custom expiry was used.
- Added two privileges for one-time-token use: `a12n:one-time-token:generate` and `a12n-one-time-token:exchange`; these both require the `admin` privilege. There's no BC break here as the original `admin` privilege still covers these new ones.
- It wasn't possible to see a full principal even if a user had the `a12n:principal:list` privilege.
- Added new privilege for changing passwords: `a12n:user:change-password`.
- Introspection endpoint now returns the `exp`, `sub`, `aud` and `iss` properties.
- Now returning a 422 for invalid passwords instead of 500.
- Upgrade to Redis 4.
- Improve user audit logging for various OAuth2 flows.
- Use SQLite3 WAL mode for better concurrency.
- The Docker distribution now runs on Node 20 (upgraded from 16).
- Fixed a 500 error in the OAuth2 password flow.
- Updated to simplewebauthn 8.
- Update to curveball 0.21
- Refactored the privilege system to make it easier to use internally. There should be no end-user effects from this.
- Added a system group principal, which allows admins to set privileges for every user in the system.
- Fix Sqlite startup warning.
- The `/group/x/members` collection and associated operations and links have been removed. This endpoint had been marked deprecated in version 0.19 in May 2021 and is now finally removed. If you still depended on this endpoint, all the related information can be found on the `/group/x` endpoint, which also has operations for modifying the members list.
- By default this server will no longer allow new users and apps to see the full list of other users, groups and apps. Any applications relying on this behavior need to give the relevant users the `a12n:principals:list` privilege. To get the old behavior, simply add this privilege to the new `$all` group.
- When a user goes from login to registration, the "continue" link will be remembered.
- The 'password' flow now also tracks apps that are granted access to user accounts
- When using the Redis session backend, CSRF tokens would not get stored correctly, causing some browser operations to fail.
- a12n-server will now report a better process name in linux process lists.
- The server now picks up the `CURVEBALL_ORIGIN` environment variable.
- Fix 500 error on /authorize endpoint when using Sqlite
- Fix CSRF error on create user form
- Update knex. Knex had a massive SQL injection vulnerability.
- 'scope' wasn't yet supported correctly in the `authorization_code` and `implicit` flows.
- Fixed some bugs in the 'active sessions' report, and added columns for `grant_type` and `scope`.
- Common types, such as `User`, `App` and `Group`, have been moved to `src/types.ts` for easier access.
- We're now keeping track of which scopes were granted to which apps per user.
- Support for RFC 9068: A standard format for JWT OAuth2 Access Tokens.
- Centralize CSRF token handling (for old browsers).
- Added a new 'add privilege' action, which is helpful for API clients.
- Fix bug: Incorrect URL in `Location` header when creating a new user.
- #448: Fix 'create group' form.
Warning note for upgraders. This release has a database migration on the `oauth2_tokens` table. For most users this is the largest table, so some downtime may be expected while the server runs its migrations.
- #425: Using a `client_secret` is now supported with `authorization_code`, and it's read from either the request body or the HTTP Basic Authorization header.
- The service now keeps track, when issuing access tokens, of whether those tokens used a `client_secret` or not, which `grant_type` was used to issue them and what scopes were requested. This work is done to better support OAuth2 scopes in the future, and eventually OpenID Connect.
- Fixed broken 'principal uri' in introspection endpoint response.
- OAuth2 service is almost entirely rewritten.
- The number of tokens issued is now displayed on the home page.
- Large numbers are now abbreviated with `K` and `M`.
- #426: Updated to Curveball 0.20.
- #427: Typescript types for the database schema are now auto-generated with `mysql-types-generator`.
- It's now possible to generate a URI that completely takes a developer through the setup process for creating an OAuth2 client, with all values pre-filled. This makes it very easy for a developer to get their environment up and running without having to know all kinds of OAuth2 details (@AminDhouib).
- Fixed getting no feedback after changing group members. (@AminDhouib)
- Fixed the 'authenticated-as' link in the a12n-server home document; it had an extra slash.
- If you hit a page that requires authentication, you are now redirected back to that page after login.
- The `/register` endpoint can now take a `?continue=` URI parameter, making it possible to redirect back to any application after registering.
- Adding `schemas` and `.env.defaults` to the NPM package.
- New! Start a fresh a12nserver just by running `npx @curveball/a12n-server`.
- #412: Fixed a few more PostgreSQL bugs (@AminDhouib)
- #407: Users can be added to groups again with their relative URI (@AminDhouib)
- #399: When trying to add a new OAuth2 client with an existing `client_id`, the server will now emit a 409 instead of a 500 error. (@AminDhouib)
- The `requirePkce` flag was not respected when creating a new OAuth2 client.
- #398: Allow the HTTP/1.1 KeepAlive timeout to be configured using the `KEEP_ALIVE_TIMEOUT_MS` environment variable. (@pschwyter)
- #397: Add `REDIS_PASSWORD` environment variable to support password-protected redis servers. (@mihok)
- #400: Fix bug in the 'create app' form.
- #402: Add form for editing settings on OAuth2 clients.
- #401: Add schemas for user, app and group endpoints.
- Hide database settings from 'settings page'.
- Released with Alpha tag.
- Fix: Parsing HTTP Basic header containing a `:` in the password. This is heavily used in server-to-server oauth2 flows. (@pschwyter)
- Automatically open a debug connection on port 9339 when running with `make start-dev`. (@pschwyter)
🛳️ Ahoi from Halifax! 🛳️
- Released with Alpha tag.
- `MYSQL_PORT` and `MYSQL_HOST` were ignored. These settings now exist for backwards compatibility, but the backwards compatibility settings had a bug.
- Released with Alpha tag.
- Now requires Node 16.
- Postgres support! (@mihok)
- Experimental sqlite support.
- Migrated all database access to Knex.
- Database migrations are now automatically run on startup, making upgrades a lot easier.
- Support for the `/.well-known/jwks.json` endpoint, allowing clients to discover JWT public keys.
- OAuth2 secrets are now prefixed with the `secret-token:` URI scheme, allowing GitHub and other systems to detect possible commits of secret data.
- A new settings panel for admins, allowing admins to see exactly which settings have been applied. This is currently read-only.
- `.env.defaults` is no longer automatically loaded. The file still exists but its only purpose is to provide a template for developers to copy to `.env`.
- Updated 'create group' and 'create app' forms to be simpler.
- Show the public url when starting the server instead of just the TCP port.
- #382: Fix buggy email layout.
- This release reinstates the v0.19.10 changes after `@curveball/browser` received an updated logo.
- This release rolls back the 'app logo' feature. The default setting has cosmetic bugs.
- Add app logo to login, registration, lost-password pages.
- The 'Change password' form now lives on `/change-password` instead of `/changepassword` for consistency with other routes.
- Small fixes (Bad Gateway copyright notice, copy changes + new cancel button on reset password page).
- Update dependencies.
- Halloween theme. Automatically enabled the last week of October.
- #295: Improved validation for the `identity` field on users, groups and apps.
- Don't show 'remove member' form on groups if there are no members.
- The 'create member' API can now also read links from HAL bodies.
- Group members are now sorted alphabetically by 'nickname'.
- Updated dependencies.
- This release was botched, do not upgrade to this.
- This version was never released.
- Fix link to schema collection on home document.
- Add Curl to Docker image as it's a common health check tool.
- Fix a bug that prevented using `PATCH` on `/group/:id` in the HAL browser.
- Make sure that the `/health` endpoint also gets logged correctly.
- Fix: bug in JSON schema for group members. Inconsistent property names.
- Renamed userHref to memberHref.
- Fix: bug in JSON schema for editing group members.
- @curveball/validator had a critical bug that caused error handling to break for validation errors.
- Redesigned home page.
- A drastically smaller Docker image. The uncompressed image size dropped from 1.2G to 267M due to the use of multi-stage builds.
- Apps now appear in `/app` and no longer in `/user`.
- Groups now appear in `/group` and no longer in `/user`.
- HAL forms for adding and removing members to groups.
- Renamed 'users' to 'principals' in many places in the source, including database tables.
- Clean up line endings from `JWT_PRIVATE_KEY` if they are not in the expected format. This will make it work better with at least AWS Secure Parameter Store / ECS / Lambda.
- First steps to integrating json-schema in a12nserver.
- `updatePassword` now supports creating a password without having an existing password.
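An added example (not the project's code) of normalizing a PEM key read from an environment variable such as `JWT_PRIVATE_KEY`. It assumes the mangled forms a single-line secret store typically produces (literal `\n` sequences, CRLF endings, or newlines collapsed to spaces) and rejects anything that is not a PEM block with a base64 body; the key body in the assertions is a constructed placeholder, not a real key.

```javascript
// Added example, not a12n-server code: bring a PEM block read from an
// environment variable back into canonical form. Assumed failure modes:
// the two characters "\n" instead of newlines (common when a multi-line
// key is pasted into a single-line parameter or task definition), CRLF
// endings, surrounding quotes, or newlines collapsed into spaces.
const PEM_RE = /^-----BEGIN ([A-Z ]+)-----\s*([\s\S]*?)\s*-----END \1-----\s*$/;

// Returns canonical PEM: LF endings, 64-column base64 lines and a trailing
// newline. Throws when the value cannot be recognised as PEM at all, so a
// misconfigured secret fails at startup instead of at first signature.
function normalizePem(raw) {
  if (typeof raw !== 'string') throw new TypeError('PEM must be a string');
  let text = raw
    .replace(/\\n/g, '\n')     // literal backslash-n -> real newline
    .replace(/\\r/g, '')       // literal backslash-r -> drop
    .replace(/\r\n?/g, '\n')   // CRLF or bare CR -> LF
    .trim();

  // Some stores keep the quotes the operator typed around the value.
  const q = text[0];
  if ((q === '"' || q === "'") && text.endsWith(q) && text.length > 1) {
    text = text.slice(1, -1).trim();
  }

  const m = PEM_RE.exec(text);
  if (!m) throw new Error('value is not a PEM block');
  const label = m[1];

  // Strip every whitespace character from the body (newlines, spaces,
  // tabs), check it is base64, then re-wrap at the canonical 64 columns.
  const body = m[2].replace(/\s+/g, '');
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(body) || body.length % 4 !== 0) {
    throw new Error('PEM body is not valid base64');
  }
  const lines = body.match(/.{1,64}/g);
  return `-----BEGIN ${label}-----\n${lines.join('\n')}\n-----END ${label}-----\n`;
}
```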
- Activating users did not correctly check for "admin" privileges. This is now fixed.
- Added support for `PUT` on `/users/123`.
- Allowing users to be activated using the `token-exchange` API.
- URL-decode the 'href' on the `/user/byhref` endpoint.
- Make the 'privilege policy' textarea bigger.
- Added UIs for editing user information. (@mihok)
- Added preliminary support for JWT bearer tokens (draft-ietf-oauth-access-token-jwt-12).
- Added a new markdown-based home document, which will be a bit more user-friendly for non-devs.
- Added UI for setting privileges. (@mihok)
- All secret tokens are now URL-safe and generated non-blocking.
- Throw a 404 when trying to access the 'active sessions' page for a group-principal.
- Added a `/user/:id/password` endpoint. This allows an admin to easily change a user's password.
- Updated `simplewebauthn` dependencies to the latest version.
- Switched to 'indirect' attestation-type by default, allowing anonymized attestations to be used.
- It's now possible to set the value for the CORS `Allow-Origin` option. By default it's enabled, but if `cors.allowOrigin` is supplied, this can be overridden.
- Privileges assigned to groups are now inherited by all users who are part of that group, allowing the use of groups as 'roles'.
- Added a `/user/by-href/:href` endpoint, allowing API clients to look up users by their 'identity', such as their email address.
- Added a `hasPassword` property to each user. This is only visible on 'your own' user or if you are an admin.
- The `/token-exchange` endpoint for one-time tokens now requires a `client_id` parameter, similar to OAuth2 endpoints.
- Fixed a number of internal APIs that let people generate passwords for non-user principals, or oauth2 credentials for groups. Everything is a bit stricter.
- Internally, 'users', 'apps' and 'groups' are now more often referred to by the name 'principal'. Before, these 3 categories of things were also referred to as 'user'. This migration is not complete, but it's a big first step. Eventually we'll have separate API roots for each of these.
- Added a `login.defaultRedirect` option. This setting allows an admin to specify where users should be redirected to after they log in.
- Added a 'one time token' API, allowing privileged clients to exchange tokens with regular OAuth2 access tokens. This is useful for custom implementations of 'lost password' features.
- Added an 'active sessions' API. This API lists all currently active access/refresh tokens for a user.
- Added an 'access token' endpoint, allowing you to generate a new access token if you had an already valid session.
- Another re-release to try and make Github npm packages function.
- This package is now published on npm under `@curveball/a12n-server`.
- Re-releasing for GitHub auto-publishing of npm packages.
- Added one-time-token API, allowing clients to get temporary login tokens for use with lost-password emails, invite emails.
- When updating the list of group members, it's now possible to specify members by using absolute URIs.
- Updated to latest curveball APIs
- Added a 'first run' interface. If no users exist in the system at all, a12nserver will now drop you in a 'create admin user' interface, making the initial setup a LOT simpler.
- Updated the 'create oauth2 credentials' form to be more user-friendly.
- Fixed OAuth2 error responses.
- Added APIs for replacing the member list of a group (`PUT`).
- Added API for adding a member to a group (`POST`).
- Improved some of the installation instructions.
- Added a link from the users page back to the users list.
- Now supports Redis as a backend for session storage, which should make this server a lot better when load balanced on several machines.
- Updating dependencies
- #214: `continue` url was not being respected in the logout flow.
- Updated all dependencies, fixing a highlight.js security issue.
- Small tweaks to home document.
- Now requires Node 14, due to the use of `fs/promises`.
- The 'logout' feature will now expire any OAuth2 codes and tokens if they were initiated by the current browser session.
- The 'logout' endpoint now has support for a `continue` query parameter, to let the user get redirected back to a new endpoint after logout.
- Now using an 'ip to country' database to figure out where users are logging in from, to aid with intrusion detection features if these ever land.
- A new system that will warn the user and prevent starting if some of the database patches have not been applied.
- New database patches! Apply them before starting the new version.
- New tags for semver versions on hub.docker.io.
- Ability to specify a 'continue' URI when logging out.
- `dotenv` and `dotenv-defaults` were incorrectly marked as dev dependencies. `dotenv` is used for setting environment variables in development environments.
- Added an API and simple interface for seeing OAuth2 clients and adding new ones.
- Fixed a bug related to the OAuth2 `authorization_code` flow that prevented completing the process if the user used an incorrect password the first time.
- Redirect check was broken.
- Fixed Webauthn origin/host auto-detect.
- Docker build can now fully run without a pre-existing development environment.
- Public Docker Image: https://hub.docker.com/r/curveballjs/a12n-server
- WebauthN and TOTP MFA are now enabled by default.
- No longer using `unpkg` for browser dependencies.
- Upgraded from `hal-browser` to `@curveball/browser`.
- Better error messaging in the OAuth2 flow when a `redirect_uri` is incorrect.
- Support for WebauthN / Yubikeys (@mhum)
- Logging in is now a multi-step process, with 2FA (Webauthn/Yubikey/TOTP) as the second step. (@mhum)
- It's now possible to setup 2FA during registration. (@mhum)
- `/validate-bearer` and `/validate-totp` endpoints have been removed.
- Support for OAuth2 PKCE (@mhum)
- tslint -> eslint
- Typescript 4.
- Compatible with Typescript strict mode.
- Update all dependencies
- `PUBLIC_URI` is now correctly auto-detected if it was not set in the environment in standalone mode.
- Improved error messaging when the server fails to start.
- Now using `@curveball/accesslog`, which also colorizes CLI output when viewed on a terminal.
- A list of privileges is now returned from the 'introspect' endpoint.
- An error will be thrown when the server is used as a middleware (instead of standalone) and no `PUBLIC_URI` environment variable is set.
- Added user links to accessToken
- Added user links URL to introspect for 'authenticated-as' link
- bad release, please ignore
- Bug fix. For curveball-session shouldn't have been dev dependency.
- Added a `/privileges` endpoint to easily find out what kind of privileges are used in the system.
- The server now has an `admin` privilege, which is required to create new users or find information about other users.
- Users that are not yet marked `active` now show up in the `/users` collection, but still can't log in.
- The session cookie now uses `SameSite: Lax`, which means that users will see login screens less often.
- Support for the `/.well-known/change-password` endpoint, as defined in RFC8615.
- Fixed a bug that could cause the TOTP field to not be rendered, even if it's required.
- Fixed a bug where users weren't getting activated using the "Create user" form.
- Last release broke the OAuth2 authorization endpoint.
- Support for a new user type: 'group'. Groups can contain users and will in a future release allow roles to be created with privileges that can be applied to entire groups.
- TOTP can now be set to 'required', 'optional' and 'disabled' via a server-wide flag.
- OAuth2 access, refresh and authorization code expiry times are now configurable.
- Better design for notifications vs. error messages.
- It's now possible for an admin to create new users via an API or form.
- It's now possible to authenticate with the a12nserver via a Bearer token, allowing clients to directly call a12nserver APIs.
- The OAuth2 login flow now also shows the lost password and registration links, if they were enabled.
- Fix a small bug in the `/introspect` endpoint. Successful responses were not returning.
- Fixed a small CSS layout bug on login.
- /introspect endpoint now doesn't require login.
- Added a 'lost password' feature that uses email for validating user accounts.
- The audit log now tracks the 'User agent'.
- Better autocomplete hints on the login and registration form for password managers.
- Fixed a bug in authenticating via OAuth2
- New design! Thank you @ikbensiep
- Change password feature
- TOTP is now also no longer a requirement for OAuth2 sign-ins. It's optional only if TOTP was not set up by a user.
- Support for RFC7662 Token Introspection.
- Login form will now have a link to the registration screen, if registration was enabled.
- Small design tweaks in Login screen.
- BC break: Links such as `sa:logout`, `sa:token`, `sa:validate-bearer` now all have their `sa:` prefix dropped.
- The 'validate-bearer' endpoint is now deprecated, as the token introspection endpoint has the same features.
- Update all dependencies.
- Added a 'confirm password' field during registration.
- TOTP is now optional if no TOTP token was set for a user.
- Added a registration form
- Added a simple settings system.
- Now using `@curveball/problem` for error handling.
- Added support for resource-specific privileges, allowing users to store privileges based on arbitrary URLs.
- Added a user log with all login attempts
- Switched to `@curveball/controller` for all controllers, simplifying the source a bit.
- Better installation documentation.
- A database bug: not enough space for creating OAuth2 clients that have access to many grant types.
- An expired refresh token should return `invalid_grant` and not `invalid_request`.
- Default refresh token lifetime is now set to 6 hours.
- Removed a duplicated validator.
- When a token is being refreshed, but the refresh_token is invalid, we're now sending back a standard OAuth2 error response.
- `refresh_token` can now be used without a client secret.
- `authorization_code` no longer requires a client secret.
- `authorization_code` grant now returns a refresh token.
- The token endpoint now returns CORS headers.
- Default port is `8531`.
- Added a 'Getting started' guide.
- Added all database schemas to set up a new server.
- The `password` grant type is now supported.
- Refreshing tokens now works.
- The `allowed_grant_types` is now actively enforced for every client.
- Returning correct OAuth2 error responses for more internal errors.
- If an unrecognized client_id was provided, the server returned a `404` error. This has been changed to `400`.
- Fixed a bug that would cause sessions to be forgotten with every request.
- Removed a bunch of debug code.
- Added a few missing files from npm distribution.
- Updated dependencies.
- The entire application now also exposes itself as a middleware, so it can be customized and integrated into other curveball apps.
- First public version