Releases: curveball/a12n-server

v0.23.1

29 Mar 18:48
540f80f
  • Fix 500 error on /authorize endpoint when using SQLite
  • Fix CSRF error on create user form

v0.23.0

12 Jan 06:26
4552837

The main reason for this release is a very scary Knex SQL injection bug that affects MySQL users.

Other changes and new features:

  • 'scope' wasn't yet supported correctly in the authorization_code and implicit flows.
  • Fixed some bugs in the 'active sessions' report, and added columns for grant_type and scope.
  • Common types, such as the User, App and Group types, have been moved to src/types.ts for easier access.
  • We're now keeping track of which scopes were granted to which apps per user.
  • Support for RFC 9068: A standard format for JWT OAuth2 Access Tokens.
  • Centralize CSRF token handling (for old browsers).
  • Added a new 'add privilege' action, which is helpful for API clients.
  • Fix bug: Incorrect URL in Location header when creating a new user.
  • #448: Fix 'create group' form.

v0.22.0

27 Sep 21:08
e72873a

Warning note for upgraders: this release has a database migration on the oauth2_tokens table. For most users this is the largest table, so some downtime may be expected while the server runs its migrations.

  • #425: Using a client_secret is now supported with authorization_code, and it's read from either the request body or HTTP Basic Authorization header.
  • When issuing access tokens, the service now keeps track of whether those tokens used a client_secret, which grant_type was used to issue them and what scopes were requested. This work is done to better support OAuth2 scopes in the future, and eventually OpenID Connect.
  • Fixed broken 'principal uri' in introspection endpoint response.
  • OAuth2 service is almost entirely rewritten.
  • The number of tokens issued is now displayed on the home page.
  • Large numbers are now abbreviated with K and M.
  • #426: Updated to Curveball 0.20.
  • #427: TypeScript types for the database schema are now auto-generated with mysql-types-generator.

v0.21.3

10 Aug 01:29
b6492a4
  • It's now possible to generate a URI that completely takes a developer through the setup process for creating an OAuth2 client, with all values pre-filled. This makes it very easy for a developer to get their environment up and running without having to know all kinds of OAuth2 details (@AminDhouib).
  • Fixed getting no feedback after changing group members. (@AminDhouib)
  • Fixed the 'authenticated-as' link in the a12n-server home document; it had an extra slash.
  • If you hit an authenticated page after login, you are now redirected back to that page after login.
  • The /register endpoint can now take a ?continue= URI parameter, making it possible to redirect back to any application after registering.

v0.21.2

27 Jul 18:22
effd37f

Also adding 'schemas' to the NPM package.

v0.21.1

27 Jul 16:54
2378c73

Added missing .env.defaults file to NPM package. This is required for npx @curveball/a12n-server to work.

v0.21.0

27 Jul 16:49
31e2630
  • New! Start a fresh a12n-server just by running npx @curveball/a12n-server
  • #412: Fixed a few more PostgreSQL bugs (@AminDhouib)
  • #407: Users can be added to groups again with their relative URI (@AminDhouib)
  • #399: When trying to add a new OAuth2 client with an existing client_id,
    the server will now emit a 409 instead of a 500 error. (@AminDhouib)
  • The requirePkce flag was not respected when creating a new OAuth2 client.

v0.20.4

20 Jun 04:03
43441b3
  • #397: Add REDIS_PASSWORD environment variable to support password-protected Redis servers. (@mihok)
  • #398: Allow the HTTP/1.1 KeepAlive timeout to be configured using the KEEP_ALIVE_TIMEOUT_MS environment variable. (@pschwyter)
  • #400: Fix bug in the 'create app' form.
  • #402: Add form for editing settings on OAuth2 clients.
  • #401: Add schemas for user, app and group endpoints.

v0.20.3

03 Jun 18:04
4a0fd05

0.20 is here, bringing a number of improvements and changes. This version is alpha, which means that some things might still change before the final release. You're encouraged to test this out, but it's not yet ready for production.

Change since last Alpha release

  • Fix: Remove broken settings from the read-only settings page.

Changes since 0.19

  • Now requires Node 16.
  • Postgres support! (@mihok)
  • Experimental SQLite support.
  • Migrated all database access to Knex.
  • Database migrations are now automatically run on startup, making upgrades a lot easier.
  • Support for the /.well-known/jwks.json endpoint, allowing clients to discover JWT public keys.
  • OAuth2 secrets are now prefixed with the secret-token: URI scheme, allowing GitHub and other systems to detect possible commits of secret data.
  • A new settings panel for admins, allowing admins to see exactly which settings have been applied. This is currently read-only.
  • .env.defaults is no longer automatically loaded. The file still exists but its only purpose is to provide a template for developers to copy to .env.
  • Updated 'create group' and 'create app' forms to be simpler.
  • Show the public URL when starting the server instead of just the TCP port.
  • #382: Fix buggy email layout.
  • Automatically open a debug connection on port 9339 when running with
    make start-dev. (@pschwyter)

v0.20.2

26 May 18:46
0418613
Pre-release

0.20 is here, bringing a number of improvements and changes. This version is alpha, which means that some things might still change before the final release. You're encouraged to test this out, but it's not yet ready for production.

Changes since last Alpha release

  • Fix: Parsing HTTP Basic header containing a : in the password. This is
    heavily used in server-to-server OAuth2 flows. (@pschwyter)
  • Automatically open a debug connection on port 9339 when running with
    make start-dev. (@pschwyter)
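
The Basic-header fix above, and the v0.22.0 note about reading client_secret from the HTTP Basic Authorization header, illustrated as an added example (not a12n-server's own code; function names and credentials are constructed). A secret carrying the secret-token: prefix always contains a colon, so a parser must split on the first colon only, as RFC 7617 requires.

```javascript
// Added example: parsing an HTTP Basic Authorization header (RFC 7617).
// All names and sample values here are constructed for illustration.

// Build a header value the way a client would.
function buildBasic(user, password) {
  return 'Basic ' + Buffer.from(`${user}:${password}`, 'utf8').toString('base64');
}

// Naive parser: split(':') cuts the password at its first colon, so a
// valid client_secret is truncated and authentication fails.
function parseBasicNaive(header) {
  const decoded = Buffer.from(header.slice('Basic '.length), 'base64').toString('utf8');
  const [user, password] = decoded.split(':');
  return { user, password };
}

// Correct parser: the user-id may not contain ':', so everything after
// the FIRST colon is the password, further colons included.
function parseBasic(header) {
  if (typeof header !== 'string') return null;
  // The scheme name is case-insensitive; the payload must look like base64.
  const match = /^Basic +([A-Za-z0-9+/]+={0,2})$/i.exec(header.trim());
  if (!match) return null;
  const decoded = Buffer.from(match[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep === -1) return null; // no separator: not user:password credentials
  return { user: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Constructed credentials: client_id plus a secret that contains colons.
const sample = buildBasic('my-client', 'secret-token:abc:123');
console.log('naive  :', parseBasicNaive(sample));
console.log('correct:', parseBasic(sample));
```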

🛳️ Ahoi from Halifax! 🛳️

Changes since 0.19

  • Now requires Node 16.
  • Postgres support! (@mihok)
  • Experimental SQLite support.
  • Migrated all database access to Knex.
  • Database migrations are now automatically run on startup, making upgrades a lot easier.
  • Support for the /.well-known/jwks.json endpoint, allowing clients to discover JWT public keys.
  • OAuth2 secrets are now prefixed with the secret-token: URI scheme, allowing GitHub and other systems to detect possible commits of secret data.
  • A new settings panel for admins, allowing admins to see exactly which settings have been applied. This is currently read-only.
  • .env.defaults is no longer automatically loaded. The file still exists but its only purpose is to provide a template for developers to copy to .env.
  • Updated 'create group' and 'create app' forms to be simpler.
  • Show the public URL when starting the server instead of just the TCP port.
  • #382: Fix buggy email layout.
  • Automatically open a debug connection on port 9339 when running with
    make start-dev. (@pschwyter)