
Releases: nhost/hasura-auth

v0.17.0

07 Dec 21:44

Minor Changes

  • 951349b: Optionally conceal sensitive error messages

    Introduce a new AUTH_CONCEAL_ERRORS environment variable that conceals error messages, to avoid leaking indirect information about users, e.g. whether a user is registered in the application or whether a given password is invalid.

    It is disabled by default.

Patch Changes

  • d3fe853: Preserve the OAuth session between the initial request and the callback

    Fixes nhost/nhost#1353

  • 9c25b1f: Ability to set test phone numbers for phone auth

    This can be used without any SMS provider set. When a sign-in via phone auth is invoked with a test phone number, the SMS message containing the verification code is written to the logs instead of being sent.
    This way you can also test your SMS templates.

v0.16.2

23 Nov 17:19

Patch Changes

  • e0949d7: Try the first characters of the OAuth user profile's locale

    Some OAuth providers return locales such as en-GB, whereas hasura-auth only accepts two-character locale codes.
    It now validates the first two characters of the user profile locale against the list of allowed locales.

  • e0949d7: Don't fail WorkOS transformation when the user profile is incorrect

    When WorkOS is not configured correctly, the raw_attributes of the user profile can be null. This fix avoids returning an error when accessing properties of that null object.

  • e0949d7: Correct validation of custom locale and redirect URLs in OAuth routes

v0.16.1

21 Nov 17:58

Patch Changes

v0.16.0

17 Nov 21:09

Minor Changes

  • 09478c4: Allow patterns in allowed urls

    AUTH_ACCESS_CONTROL_ALLOWED_REDIRECT_URLS now accepts wildcards and other micromatch patterns in addition to literal URLs.

    To match https://(random-subdomain).vercel.app:

    AUTH_ACCESS_CONTROL_ALLOWED_REDIRECT_URLS=https://*.vercel.app
    

    As a result:

    # Correct
    https://bob.vercel.app
    https://anything.vercel.app
    
    # Incorrect
    https://sub.bob.vercel.app
    http://bob.vercel.app
    https://vercel.app
    

    It is possible to use other patterns, for instance:

    • to allow both http and https:
    AUTH_ACCESS_CONTROL_ALLOWED_REDIRECT_URLS=http?(s)://website.com
    
    • to allow any port:
    AUTH_ACCESS_CONTROL_ALLOWED_REDIRECT_URLS=http://website.com?(:{1..65536})
    
  • 4d16514: Fix Twitter provider (close #100)

  • c6daab9: Synchronise AUTH_USER_DEFAULT_ALLOWED_ROLES and AUTH_USER_DEFAULT_ROLE with the database
    When starting the server, all the roles defined in AUTH_USER_DEFAULT_ALLOWED_ROLES and AUTH_USER_DEFAULT_ROLE are upserted into the auth.roles table.

  • 4d16514: Use Grant
    Hasura Auth was relying on PassportJS and numerous npm packages to orchestrate each OAuth provider. The code became complex to maintain, and it became more and more difficult to add new providers.
    Providers are now defined in one single file, so it is easier to add new ones.
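    The pattern rules described above, as an added example that is not hasura-auth's code and does not call the micromatch library: a small matcher covering only the syntax shown in these notes (`*` for one hostname label, `?(x)` for an optional group, `{a..b}` for a numeric range). It assumes case-insensitive matching anchored to the whole URL, so a pattern can never be satisfied by a prefix or substring of an attacker-chosen redirect target.

    ```javascript
    // Added example, not hasura-auth code: matcher for the redirect-URL pattern
    // subset shown above: "*" = one hostname label, "?(x)" = optional group,
    // "{a..b}" = numeric range. Assumes case-insensitive, whole-URL matching.
    function escapeRegex(s) {
      return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    }

    // Translate a pattern into regex source; each numeric range becomes a capture
    // group whose bounds are pushed onto `ranges` for a post-match check.
    function compile(pattern, ranges) {
      let out = "";
      for (let i = 0; i < pattern.length; ) {
        const c = pattern[i];
        if (c === "*") {
          out += "[^./:]+"; // exactly one label: no dots, slashes or ports
          i += 1;
        } else if (c === "?" && pattern[i + 1] === "(") {
          const end = pattern.indexOf(")", i);
          if (end === -1) throw new Error("unclosed ?( in " + pattern);
          out += "(?:" + compile(pattern.slice(i + 2, end), ranges) + ")?";
          i = end + 1;
        } else if (c === "{") {
          const end = pattern.indexOf("}", i);
          const m = end < 0 ? null : /^(\d+)\.\.(\d+)$/.exec(pattern.slice(i + 1, end));
          if (!m) throw new Error("unsupported brace expression in " + pattern);
          ranges.push([Number(m[1]), Number(m[2])]);
          out += "(\\d+)";
          i = end + 1;
        } else {
          out += escapeRegex(c);
          i += 1;
        }
      }
      return out;
    }

    // True when `url` matches one allowed pattern in full (anchored, so a trailing
    // ".evil.example" cannot slip through) and every captured range is in bounds.
    function isAllowedRedirect(url, allowedPatterns) {
      return allowedPatterns.some((pattern) => {
        const ranges = [];
        const m = new RegExp("^" + compile(pattern, ranges) + "$", "i").exec(url);
        if (!m) return false;
        return ranges.every(([lo, hi], idx) => {
          const captured = m[idx + 1]; // undefined when an optional group is absent
          return captured === undefined || (Number(captured) >= lo && Number(captured) <= hi);
        });
      });
    }
    ```

    With the three patterns from the notes, the "Correct" URLs above pass and the "Incorrect" ones fail; a port outside 1..65536 is also rejected.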

Patch Changes

  • 4d16514: Fetch the user locale when available (Discord, Google, LinkedIn, WorkOS)
  • 4d16514: Fetch avatar url from BitBucket
  • 4d16514: Fetch display name from the Strava provider
  • c6daab9: Redirect OAuth errors or cancellations
    When a user cancelled their authentication in the middle of the OAuth choreography, they fell through to an error on the Hasura Auth callback endpoint.
    Hasura Auth now parses the error and redirects the user to the client URL, with the error details as query parameters.
  • 4d16514: The service now starts even when a provider is incorrectly configured. Instead of failing at startup, the provider's endpoint fails with a standard error, and the error is logged (warn level)
  • 4d16514: Fetch the email verification status when available (Apple, BitBucket, Discord, GitHub, Google)
  • c6daab9: Preserve the case in redirectTo options, and case-insensitive validation
    The redirectTo values were transformed into lower case. Validation is now case-insensitive and the original value is preserved.
  • c6daab9: Return Have I Been Pwned error message
    Hasura Auth now returns the reason why the password is not compliant with HIBP.
  • c6daab9: Log error when failing to apply Hasura metadata
  • c6daab9: Tell why Hasura can't be reached
    When starting, Hasura Auth waits for Hasura to be ready. Hasura Auth now logs the reason why Hasura can't be reached.
  • 4d16514: Enforce OAuth scopes required by hasura-auth
    Custom scopes set as environment variables don't replace the scopes that hasura-auth requires to function; they are appended instead.
  • c6daab9: Increase OTP secret entropy to 256 bits

Release 0.15.0

18 Oct 11:55

0.15.0 (2022-10-18)

Bug Fixes

  • πŸ› capture and log unhandled errors (c1f82c4)
  • πŸ› remove wrong email-template warning (8972912), closes #168
  • use the metadata column in custom claims (179d96a)

Features

  • 🎸 Improve logging (4bccab8)
  • 🎸 improve metadata application and startup time (728f35b)

Release 0.14.0

07 Oct 08:52

0.14.0 (2022-10-07)

Features

Release 0.13.2

28 Sep 12:45

0.13.2 (2022-09-28)

Bug Fixes

  • drop authenticators inconsistency safely (5939bd8)

Release 0.13.1

27 Sep 15:04

0.13.1 (2022-09-27)

Bug Fixes

  • don't drop inconsistencies when applying Hasura metadata (3744152)

Release 0.13.0

23 Sep 09:00

0.13.0 (2022-09-23)

Features

Bug Fixes

  • Fetch profile from WorkOS oauth connection (b49d4f7)
  • Use client hostname as RP ID (2371fdc)

Refactoring

  • Rename authenticators to security keys in the DB and GraphQL schemas

Release 0.12.0

16 Sep 10:41

0.12.0 (2022-09-16)

Bug Fixes

  • πŸ› deprecate AUTH_EMAIL_TEMPLATE_FETCH_URL (4067c03)
  • πŸ› don't add custom claims when null/undefined values (7a129f6)
  • πŸ› don't break reditection with redirectTo and params (3e55b9e), closes #233

Features

  • sms: support for templates for the sms message (#217) (e99ec64)