
Changelog History

  • v3.0.2 Changes

    September 17, 2020

    Security fix, but also a behavior change that could cause problems depending on how you use redirects. See the changelog for details, as well as PR #309.

  • v3.0.1 Changes

    August 25, 2020

    Added

    • Add the ability to carry query string parameters in the redirection to and away from the login page.

  • v3.0.0 Changes

    July 03, 2020

    Move to Go modules. No other changes.

  • v2.4.1 Changes

    May 18, 2020

    Fixed

    Fix a security issue where a user could brute-force a password based on the differing responses the site returned when an incorrect password was entered versus the correct password.

    This comes with a slight change in behavior to minimize differences between the code paths of a correct vs. incorrect password: the "attempt" time is always bumped in the DB, no matter whether it was the right or wrong password, when being rejected for locking.

  • v2.4.0 Changes

    February 07, 2020

    Added

    • Add config option MailNoGoroutine, which prevents the modules from using a goroutine to launch the mailer. This is important because the context that it passes from the HTTP request will be cancelled in a race condition and will affect mailer implementations that honor context cancellation.

  • v2.3.2 Changes

    January 30, 2020

    Fixed

    • Fix many "lint" type errors (thanks @frederikhors)

  • v2.3.1 Changes

    January 28, 2020

    Added

    • Logout events (Before & After) for deletion of a user's session (thanks @abelkuruvilla)

    Changed

    • Calls to Email() will now merge ctx data from the passed-in ctx so it's available in the template, just like calls to Render() (thanks @Gys)

    Fixed

    • Fix one of the mocks that was no longer in sync with an interface

  • v2.3.0 Changes

    March 30, 2019

    Added

    • Add VerifyPassword method to hide the bcrypt implementation details when authboss consumer code wants to verify the password out of band.
    • ClientStateResponseWriter now supports the http.Hijacker interface if the underlying ResponseWriter does (thanks @tobias-kuendig)
    • DelAllSession is a new method called by both Expire and Logout (in addition to still calling DelKnownSession etc. as they do now) to ensure that conforming implementations of ClientStateReadWriter delete all keys in the session.
    • Config.Storage.SessionWhitelistKeys has been added in order to allow users to persist session variables past logout/expire.

    Fixed

    • Fix bug where user's expiration time did not start until their first request after login.
    • Fix bug where expired users could perform one request past their expiration
    • Fix bug with missing imports (thanks @frederikhors)
    • Fix bug with inverted remember me checkbox logic
    • Fix validation not happening when user commences recovery

    Deprecated

    • Deprecated DelKnownSession for DelAllSession. DelAllSession should be implemented by existing ClientStateReadWriters in order to prevent session values from leaking to a different user post-logout/expire.

  • v2.2.0 Changes

    December 16, 2018

    Added

    • Add e-mail confirmation before 2fa setup feature
    • Add config value TwoFactorEmailAuthRequired
    • Add a more flexible way of adding behaviors and requirements to authboss.Middleware. This API is at authboss.Middleware2 temporarily until we can make a breaking change.

    Fixed

    • Fix a bug where GET /login would panic when no FormValueRedirect is provided. (thanks @rarguelloF)
    • Fix a bug where lowercase password requirements in the default rules implementation were not being checked correctly (thanks @rarguelloF)
    • Fix a bug in remember where a user would get half-authed even though they were logged in depending on middleware ordering.
    • Fix a bug where if you were using lock/remember modules with 2fa they would fail since the events didn't contain the current user in the context as the auth module delivers them.
    • Fix a bug with 2fa where a locked account could get a double response

    Deprecated

    • Deprecate the config field ConfirmMethod in favor of MailRouteMethod. See documentation for these config fields to understand how to use them now.
    • Deprecate Middleware/MountedMiddleware for Middleware2 and MountedMiddleware2 as these new APIs are more flexible. When v3 hits (Mounted)Middleware2 will become just (Mounted)Middleware.
    • Deprecate RoutesRedirectOnUnauthed in favor of ResponseOnUnauthed

  • v2.1.1 Changes

    December 10, 2018

    Security

    • Fix a bug with the 2fa code where a client that failed to log in to a user account got SessionTOTPPendingPID set to that user's pid. That user's pid was used as the lookup for the verify() method in the totp/sms methods before the current user was looked at, meaning the logged-in user could remove 2fa from the other user's account because of the lookup order.