v1.8.0

Added

• Support Content-Type: application/json [#143]
• Support for SameSite property on AuthN session cookie [#147]

v1.7.0

Added

• OAuth authentication through Discord [#116]

Fixed

• Email validations no longer allow misplaced periods in the domain

v1.6.0

Added

• Log when rejecting a request for a missing or invalid Origin header [#34]
• Accept PUT HTTP calls on every endpoint accepting PATCH [#104]

Changed

• Same-origin requests are now accepted (for browsers that do not send Origin header for same-origin), by falling back to Referer header to determine the application domain that should be selected in the request's context. The Referer header is only consulted when Origin is not set. Since browsers are only permitted to omit Origin header for same-origin requests this behavior should be robust. [#105]
• Query optimizations on private admin endpoints.
• Pre-compute JWK key on RSA key generation and include within private key wrapper type for use by dependees. [#100]

Fixed

• panic while evaluating some utf8 password characters
• zxcvbn library we use exhibited some deviation from standard (see: nbutton23/zxcvbn-go#20) so switched to https://github.com/trustelem/zxcvbn [#99]

v1.5.0

⚠️ This release includes a mandatory database migration! ⚠️

Added

• Passwordless Logins (aka Magic Links) [#71] - @etruta
• New field: accounts.last_login_at [#71] - @etruta
• Windows build

Changed

• Improved printing for configuration errors

Fixed

• Uncaught uniqueness violation in PATCH /account/:id

v1.4.1

Fixed

• connection leak with Postgres adapter [#60]

v1.4.0

New

Two of the biggest feature requests are going live in this version!

• [#50] OAuth, with initial support for Facebook, GitHub, Google. Check out the Implementing OAuth guide and be sure to provide feedback in Gitter or Issues.
• [#47] PostgreSQL support

v1.3.0

New

• Improved (simplified) coordination between multiple AuthN servers when synchronizing keys [#44]

v1.2.1

Fixed

• ability to control location of sqlite3 database
• aggressively short wlock timeout on blob store (could result in competing keys)

v1.2.0

This release improves deployment in hardened environments:

• Log the actual client IP when deployed behind a proxy [#38]
• Bind a second port with only public routes [#37]

Both features require an ENV variable. My general plan is to maintain backwards compatibility during the 1.x release series using feature flags, then change defaults or consolidate configuration whenever releasing a 2.0.

v1.1.0

New

• GET /accounts/:id endpoint #30
• Airbrake error reporting #32
• AuthN version number is printed in the ready message