github.com/volatiletech/authboss@v2.4.1+incompatible/CHANGELOG.md

# Changelog

The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

## [2.4.1] - 2020-05-18

### Fixed

Fix a security issue where a user could brute-force a password based on
differing responses that are returned from the site when the incorrect password
is entered versus the correct password.

This comes with a slight change in behavior to minimize differences between the
code paths of a correct vs incorrect password: the "attempt" time is always
bumped in the DB no matter if it was the right or wrong password when being
rejected for locking.

## [2.4.0] - 2020-02-07

### Added

- Add config option MailNoGoroutine which prevents the modules from using a
  goroutine to launch the mailer. This is important because the context
  that it passes from the http request will be cancelled in a race condition
  and will affect mailer implementations that honor context cancellation.

## [2.3.2] - 2020-01-30

### Fixed

- Fix many "lint" type errors (thanks @frederikhors)

## [2.3.1] - 2020-01-28

### Added

- Logout events (Before & After) for deletion of a user's session
  (thanks @abelkuruvilla)

### Changed

- Calls to Email() will now merge ctx data from the passed in ctx so it's
  available in the template, just like calls to Render() (thanks @Gys)

### Fixed

- Fix one of the mocks that was no longer in sync with an interface

## [2.3.0] - 2019-03-30

### Added

- Add VerifyPassword method to hide the bcrypt implementation details when
  authboss consumer code wants to verify the password out of band.
- ClientStateResponseWriter now supports the http.Hijacker interface if the
  underlying ResponseWriter does (thanks @tobias-kuendig)
- DelAllSession is a new method called both by Expire and Logout (in addition
  to still calling DelKnownSession etc. as they do now) to ensure that
  conforming implementations of ClientStateReadWriter delete all keys
  in the session.
- Config.Storage.SessionWhitelistKeys has been added in order to allow users
  to persist session variables past logout/expire.

### Fixed

- Fix bug where user's expiration time did not start until their first
  request after login.
- Fix bug where expired users could perform one request past their expiration
- Fix bug with missing imports (thanks @frederikhors)
- Fix bug with inverted remember me checkbox logic
- Fix validation not happening when user commences recovery

### Deprecated

- Deprecated DelKnownSession for DelAllSession. DelAllSession should be
  implemented by existing ClientStateReadWriters in order to prevent session
  values from leaking to a different user post-logout/expire.

## [2.2.0] - 2018-12-16

### Added

- Add e-mail confirmation before 2fa setup feature
- Add config value TwoFactorEmailAuthRequired
- Add a more flexible way of adding behaviors and requirements to
  authboss.Middleware. This API is at authboss.Middleware2 temporarily
  until we can make a breaking change.

### Fixed

- Fix a bug where GET /login would panic when no FormValueRedirect is
  provided. (thanks @rarguelloF)
- Fix a bug where lowercase password requirements in the default rules
  implementation were not being checked correctly (thanks @rarguelloF)
- Fix a bug in remember where a user would get half-authed even though they
  were logged in, depending on middleware ordering.
- Fix a bug where if you were using lock/remember modules with 2fa they
  would fail since the events didn't contain the current user in the context
  as the auth module delivers them.
- Fix a bug with 2fa where a locked account could get a double response

### Deprecated

- Deprecate the config field ConfirmMethod in favor of MailRouteMethod. See
  documentation for these config fields to understand how to use them now.
- Deprecate Middleware/MountedMiddleware for Middleware2 and MountedMiddleware2
  as these new APIs are more flexible. When v3 hits (Mounted)Middleware2 will
  become just (Mounted)Middleware.
- Deprecate RoutesRedirectOnUnauthed in favor of ResponseOnUnauthed

## [2.1.1] - 2018-12-10

### Security

- Fix a bug with the 2fa code where a client that failed to log in to a user
  account got SessionTOTPPendingPID set to that user's pid. That user's pid
  was used as the lookup key for the verify() method in the totp/sms modules
  before the current user was consulted, meaning the logged-in user could
  remove 2fa from the other user's account because of the lookup order.

## [2.1.0] - 2018-10-28

### Added

- Add Config option to defaults.HTTPRedirector to allow it to coerce redirect
  response codes to http.StatusOK to help make more regular APIs.
- Add Config option for MailRoot. This is a URL that overrides the typical
  URL building using Root/MountPath that recover and confirm do to enable
  creating mail links to a different location than where the API is hosted.
- Add a configuration option that allows confirm to change the method type
  it expects, since in an API setting a GET is strange as there are body details.

### Changed

- defaults.HTTPRedirector now always responds with a "status": "success"
  when responding to an API unless there's a failure.
- defaults.JSONRenderer now renders a "status": "success" or "status": "failure"
  based on the presence of known failure keys (configurable, defaults to
  standard Authboss HTMLData errors).

### Fixed

- Fix a bug where content-types like 'application/json;charset=utf-8' would
  not trigger API responses in the default responder.
- Fix LoadCurrentUser error handling: it was swallowing errors when users were
  not logged in. Changed to be consistent; it now returns ErrUserNotFound just like
  CurrentUser.
- Fix a bug where EventAuth and EventAuthFailure were not being fired in the
  2fa modules, which would stop users from becoming locked on 2fa failures
  or logging in without being confirmed.

## [2.0.0] - 2018-09-03

### Added

- Add sms2fa and totp2fa packages so users can use two factor authentication
- Add twofactor package to enable 2fa recovery codes for sms2fa and totp2fa
- Add OTP module so users can create one time passwords and use them to log in.
- Add more documentation about how RegisterPreserveFields works so people
  don't have to chase the godocs to figure out how to implement it.

### Changed

- authboss.Middleware now has boolean flags to provide more control over
  how unauthenticated users are dealt with. It can now redirect users to
  the login screen with a redirect to the page they were attempting to reach
  and it can also protect against half-authed users and users who have
  not authenticated with two factor auth.

### Fixed

- Ensure all uses of crypto/rand.Read are replaced by io.ReadFull(rand.Reader)
  to ensure that we never get a read that's full of zeroes. This was a bug
  present in a uuid library; we don't want to make the same mistake.

## [2.0.0-rc6] - 2018-08-16

- LoadClientStateMiddleware no longer panics when LoadClientState fails.
  Instead it logs error messages and gives a 500 server error to users instead
  of returning no response from the server at all due to panic.

### Fixed

- Fix a bug where LoadClientState could return a nil request if the state
  returned nil instead of falling through.
- Fix Middlewares link in README
- Fix error message when forgetting authboss.LoadClientStateMiddleware to
  be a bit more indicative of what the problem might be.

## [2.0.0-rc5] - 2018-07-04

### Changed

- The upstream golang.org/x/oauth2 library has changed its API; this fixes
  the breakage.

## [2.0.0-rc4] - 2018-06-27

### Changed

- RememberingServerStorer now has context on its methods

## [2.0.0-rc3] - 2018-05-25

### Changed

- Recover and Confirm now use split tokens

  The reason for this change is that a timing attack is possible because
  databases use memcmp() (a non-constant-time comparison) to check whether
  the token exists. By using a separate piece of the token as a selector,
  memcmp() is used only for the selector lookup, while the other value is
  checked with a cryptographic constant-time compare, so it cannot be leaked
  by timing. Since you need both to recover/confirm as the user, this attack
  should now be mitigated.

  This requires users to implement additional fields on the user and rename
  the Storer methods.

## [2.0.0-rc2] - 2018-05-14

Mostly rewrote Authboss by changing many of the core interfaces. This release
is instrumental in providing better support for integrating with many web frameworks
and setups.

### Added

- v2 Upgrade guide (tov2.md)

- API/JSON Support

  Because of the new abstractions it's possible to implement body readers,
  responders, redirectors and renderers that all speak JSON (or anything else for that
  matter). There are a number of these that exist already in the defaults package.
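The selector/verifier split described under 2.0.0-rc3 above, together with the io.ReadFull(rand.Reader) rule from 2.0.0, as an added Go illustration; this is not authboss's own code, and the record layout, the in-memory store and the function names are assumed for the example:

```go
package main

import (
	"crypto/rand"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"io"
)

// tokenRecord is what the storer keeps per outstanding token (assumed layout, not authboss's).
type tokenRecord struct {
	Selector     string // found with an ordinary equality query, i.e. a memcmp-style compare
	VerifierHash []byte // sha512 of the secret half; only ever compared in constant time
}

// store is a constructed in-memory stand-in for the database table, keyed by selector.
var store = map[string]tokenRecord{}

// issueToken makes a 32-byte token: bytes 0-15 are the selector, 16-31 the verifier.
// Only the selector and a hash of the verifier are stored; the user gets both halves in the link.
func issueToken() (string, error) {
	raw := make([]byte, 32)
	// io.ReadFull fails loudly on a short read, so a token can never be silently left zero-filled.
	if _, err := io.ReadFull(rand.Reader, raw); err != nil {
		return "", err
	}
	selector := base64.RawURLEncoding.EncodeToString(raw[:16])
	sum := sha512.Sum512(raw[16:])
	store[selector] = tokenRecord{Selector: selector, VerifierHash: sum[:]}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// verifyToken looks the row up by selector (a timing leak there yields only the selector,
// which is useless on its own), then checks the verifier half in constant time.
func verifyToken(token string) error {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) != 32 {
		return errors.New("malformed token")
	}
	rec, ok := store[base64.RawURLEncoding.EncodeToString(raw[:16])]
	if !ok {
		return errors.New("invalid token")
	}
	sum := sha512.Sum512(raw[16:])
	if subtle.ConstantTimeCompare(sum[:], rec.VerifierHash) != 1 {
		return errors.New("invalid token")
	}
	return nil
}
```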

### Changed

- The core functionality of authboss is now delivered over a set of interfaces

  This change was fairly massive. We've abstracted the HTTP stack completely
  so that authboss isn't really doing things like issuing template renderings,
  it's just asking a small interface to do it instead. The reason for doing this
  was because the previous design was too inflexible and wouldn't integrate nicely
  with various frameworks etc. The defaults package helps fill in the gaps for typical
  use cases.

- Storage is now done by many small interfaces

  It became apparent that the old reflect-based mapping was a horrible solution
  to passing data back and forth between these structs. So instead we've created a
  much more verbose (but type safe) set of interfaces to govern which fields we need.

  Now we can check that our structs have the correct methods using variable declarations
  and there's no more confusion about how various types map back and forth inside the
  mystical `Bind` and `Unbind` methods.

  The downside to this of course is it's incredibly verbose to create a fully featured
  model, but I think that the benefits outweigh the downsides (see bugs in the past about
  different types being broken/not supported/not working correctly).

- Support for context.Context is now much better

  We had a few pull requests that kind of shoved context.Context support in the sides
  so that authboss would work in Google App Engine. With this release context is
  almost everywhere that an external system would be interacted with.

- Client State management rewritten

  The old method of client state management performed writes too frequently. By using a
  collection of state change events that are later applied in a single write operation at
  the end, we make it so we don't get duplicate cookies etc.
  The bad thing about this is that we have to wrap the ResponseWriter. But there's an
  UnderlyingResponseWriter interface to deal with this problem.

- Validation has been broken into smaller and hopefully nicer interfaces

  Validation needs to be handled by the BodyReader's set of returned structs. This punts
  validation outside of the realm of Authboss for the most part, but there are still
  helpful tools in the defaults package to help with validation if you're against
  rolling your own.

- Logout has been broken out into its own module to avoid duplication inside login/oauth2
  since they perform the same function.

- Config is now a nested struct; this helps organize the properties a little better (but
  I hope you never mouse over the type definition in a code editor).

### Removed

- Notable removal of AllowInsecureLoginAfterConfirm

### Fixed

- Fix bug where e-mail with only a textbody would send blank e-mails

### Deprecated

- Use of gopkg.in; it's no longer a supported method of consuming authboss. Use
  manual vendoring, dep or vgo.

## [1.0.0] - 2015-08-02

### Changed

This change is potentially breaking; it did break the sample since the supporting struct was wrong for the data we were using.

**Lock:** The documentation was updated to reflect that the struct value for AttemptNumber is indeed an int64.

**Unbind:** Previously it would scrape the struct for the supported types (string, int, bool, time.Time, sql.Scanner/driver.Valuer)
and make them into a map. Now the field list will contain all types found in the struct.

**Bind:** Before, this would only set the supported types (described above); now it attempts to set all values. It does check to ensure
the type in the attribute map matches what's in the struct before assignment.

## 2015-04-01 Refactor for Multi-tenancy

### Changed

This breaking change allows multiple sites running off the same code base to each use different configurations of Authboss. To migrate
your code simply use authboss.New() to get an instance of Authboss and all the old things that used to be in the authboss package are
now there. See [this commit to the sample](https://github.com/volatiletech/authboss-sample/commit/eea55fc3b03855d4e9fb63577d72ce8ff0cd4079)
to see precisely how to make these changes.
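The 2.4.1 change in behavior (the attempt time is bumped on every rejection, including a locked account presenting the right password), as an added Go illustration rather than the lock module's own code; the account layout, the sha256 stand-in for bcrypt, the bumpOnLock switch and the function names are assumptions for this example:

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"time"
)

// account holds only the lock-related fields; the layout is assumed for this illustration.
type account struct {
	pwHash       [32]byte
	attemptCount int
	attemptTime  time.Time // the "attempt" time that 2.4.1 bumps on every rejection
	lockedUntil  time.Time
}

var errRejected = errors.New("invalid credentials") // one message for every rejection
const maxAttempts, lockFor = 3, time.Hour

func newAccount(pw string) *account { return &account{pwHash: sha256.Sum256([]byte(pw))} }

// verifyPassword stands in for bcrypt: a hash compared in constant time.
func verifyPassword(a *account, pw string) bool {
	h := sha256.Sum256([]byte(pw))
	return subtle.ConstantTimeCompare(h[:], a.pwHash[:]) == 1
}

// login checks the password first and the lock second. With bumpOnLock=false (pre-2.4.1 shape)
// a locked account presenting the right password is turned away without any write, so the two
// rejections differ and reveal whether the guess was right; bumpOnLock=true is the 2.4.1 behavior.
func login(a *account, pw string, now time.Time, bumpOnLock bool) error {
	if !verifyPassword(a, pw) {
		a.attemptCount++
		a.attemptTime = now
		if a.attemptCount >= maxAttempts {
			a.lockedUntil = now.Add(lockFor)
		}
		return errRejected
	}
	if now.Before(a.lockedUntil) {
		if bumpOnLock {
			a.attemptTime = now // same write as the wrong-password path, same response
		}
		return errRejected
	}
	a.attemptCount = 0
	return nil
}
```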