Skip to content

Releases: curveball/a12n-server

v0.24.0-alpha.1

05 Oct 18:44
52edd3a
Compare
Choose a tag to compare
v0.24.0-alpha.1 Pre-release
Pre-release
  • The Docker distribution now runs on Node 20 (upgraded from 16).
  • Fixed a 500 error in the OAuth2 password flow.
  • Updated to simplewebauthn 8.

v0.24.0-alpha.0

04 Oct 23:27
522ecb8
Compare
Choose a tag to compare
v0.24.0-alpha.0 Pre-release
Pre-release
  • Update to curveball 0.21
  • Refactored the privilege system to make internally easier to use. There should be no end-user effects to this.
  • Added a system group principal , which allows admins to set privileges for every user in the system.
  • Fix Sqlite startup warning.
  • The /group/x/members collection and associated operations and links have been removed. This endpoint had been marked deprecated in version 0.19 in May 2021 and is now finally removed. If you still depended on this endpoint, all the related information can be found on the /group/x endpoint. This endpoint also has operations for modifying the members list.
  • By default this server will no longer allow new users and apps to see the full list of other users, groups and apps. Any applications relying on this behavior need to give the relevant users the a12n:principals:list privilege. To get the old behavior, simply add this privilege to the new $all group.
  • When a user goes from login to registration, the "continue" link will be remembered.
  • The 'password' flow now also tracks apps that are granted access to user accounts
  • When using the Redis session backend, CSRF tokens would not get stored correctly, causing some browser operations to fail.
  • a12n-server will now report a better process name in linux process lists.
  • The server now picks up the CURVEBALL_ORIGIN environment variable.

v0.23.1

29 Mar 18:48
540f80f
Compare
Choose a tag to compare
  • Fix 500 error on /authorize endpoint when using Sqlite
  • Fix CSRF error on create user form

v0.23.0

12 Jan 06:26
4552837
Compare
Choose a tag to compare

The main reason this was released was due to a very scary Knex SQL injection bug that affects MySQL users.

Other changes and new features:

  • 'scope' wasn't supported yet correctly in the authorization_code and implicit flows.
  • Fixed some bugs in the 'active sessions' report, and add columns for grant_type, and scope.
  • Common types, such User, App, Group types have been moved to src/types.ts for easier access.
  • We're now keeping track of which scopes were granted to which apps per user.
  • Support for RFC 9068: A standard format for JWT OAuth2 Access Tokens.
  • Centralize CSRF token handling (for old browsers).
  • Added a new 'add privilege' action, which is helpful for API clients.
  • Fix bug: Incorrect url in Location header when creating a new user.
  • #448: Fix 'create group' form.

v0.22.0

27 Sep 21:08
e72873a
Compare
Choose a tag to compare

Warning note for upgraders. This release has a database migration on the oauth2_tokens table. For most users this is the largest table, some downtime may be expected while the server runs its migrations.

  • #425: Using a client_secret is now supported with authorization_code, and it's read from either the request body or HTTP Basic Authorization header.
  • The service now keeps track when issuing access tokens, whether those tokens have used a client_secret or not, which grant_type was used to issue them and what scopes were requested. This work is done to better support OAuth2 scopes in the future, and eventually OpenID Connect.
  • Fixed broken 'principal uri' in introspection endpoint response.
  • OAuth2 service is almost entirely rewritten.
  • The number of tokens issued is now displayed on the home page.
  • Large numbers are now abbreviated with K and M.
  • #426: Updated to Curveball 0.20.
  • #427: Typescript types for the database schema are now auto-generated with mysql-types-generator.

v0.21.3

10 Aug 01:29
b6492a4
Compare
Choose a tag to compare
  • It's now possible to generate a URI that completely takes a developer through the setup process for creating an OAuth2 client, with all values pre-filled. This makes it very easy for a developer to get their environment up and running without having to know all kinds of OAuth2 details (@AminDhouib).
  • Fixed getting no feedback after changing group members. (@AminDhouib)
  • Fixed the 'authenticated-as' link in the a12n-server home document; it had an extra slash.
  • If you hit an authenticated page after login, you are now redirected back to that page after login.
  • The /register endpoint can now take a ?continue= uri parameter, making it possible to redirect back to any application after registering.

v0.21.2

27 Jul 18:22
effd37f
Compare
Choose a tag to compare

Also adding 'schemas' to the NPM package.

v0.21.1

27 Jul 16:54
2378c73
Compare
Choose a tag to compare

Added missing .env.defaults file to NPM package. This is required for npx @curveball/a12n-server to work.

v0.21.0

27 Jul 16:49
31e2630
Compare
Choose a tag to compare
  • New! Start a fresh a12nserver just by running npx @curveball/a12n-server
  • #412: Fixed a few more PostgreSQL bugs (@AminDhouib)
  • #407: Users can be added to groups again with their relative URI (@AminDhouib)
  • #399: When trying to add a new OAuth2 client with an existing client_id,
    the server will now emit a 409 instead of a 500 error. (@AminDhouib)
  • The requirePkce flag was not respected when creating a new OAuth2 client.

v0.20.4

20 Jun 04:03
43441b3
Compare
Choose a tag to compare
  • #397: Add REDIS_PASSWORD environment variable to support password-protected redis servers. (@mihok)
  • #398: Allow the HTTP/1.1 KeepAlive timeout to be configured using the KEEP_ALIVE_TIMEOUT_MS environment variable. (@pschwyter)
  • #400: Fix bug in the 'create app' form.
  • #402: Add form for editing settings on OAuth2 clients.
  • #401: Add schemas for user, app and group endpoints.