
Releases: pilinux/gorest

v1.6.26

27 Dec 18:04
c0ca8e6

What's Changed

  • chore(deps): bump go.mongodb.org/mongo-driver from 1.13.0 to 1.13.1 by @dependabot in #141
  • chore(deps): bump actions/setup-go from 4 to 5 by @dependabot in #140
  • chore(deps): bump github/codeql-action from 2 to 3 by @dependabot in #143
  • chore(deps): bump github.com/google/uuid from 1.4.0 to 1.5.0 by @dependabot in #142
  • chore(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @dependabot in #144
  • chore(deps): bump github.com/pilinux/crypt from 0.0.0 to 0.0.1 by @dependabot in #145
  • chore(deps): bump github.com/pilinux/argon2 from 0.6.0 to 0.7.0 by @dependabot in #146

Full Changelog: v1.6.25...v1.6.26

v1.6.25

04 Dec 21:00
67dfa2a

What's Changed

Bugfix

  • use distinct Redis key prefixes for the two email-verification flows (new account registration and updating an existing verified email) so their codes cannot collide

Improvement

  • option to use UUIDv4 for email verification and password recovery codes
  • sentry performance tracing
  • dependency changed: github.com/onrik/logrus -> github.com/pilinux/logrus
  • chore(deps): bump github.com/pilinux/argon2 from 0.5.0 to 0.6.0 by @dependabot in #139
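
As an added example (not code from gorest), the pattern behind the two items above in Go: verification codes generated as UUIDv4 from crypto/rand and stored under purpose-specific key prefixes, so a code issued for registration cannot be redeemed by the email-update flow, and each code is consumed once. The prefix strings, the Pending record and the in-memory map standing in for Redis are assumptions; the notes do not say how gorest names its keys.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
)

// Purpose names the flow a verification code belongs to. Each purpose gets its
// own key prefix (values assumed), so a code issued for one flow can never be
// looked up or consumed through the other: the collision the v1.6.25 fix removes.
type Purpose string

const (
	PurposeRegister    Purpose = "verify:register" // new account registration
	PurposeUpdateEmail Purpose = "verify:update"   // replacing an already verified email
)

// Pending is the record the store keeps against a code.
type Pending struct {
	UserID int64
	Email  string
}

// NewUUIDv4 returns a random RFC 4122 version-4 UUID built from crypto/rand.
func NewUUIDv4() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// CodeStore is an in-memory stand-in for the Redis instance the project uses.
type CodeStore struct {
	mu   sync.Mutex
	keys map[string]Pending
}

func NewCodeStore() *CodeStore { return &CodeStore{keys: make(map[string]Pending)} }

// key builds the namespaced key "<purpose>:<code>".
func key(p Purpose, code string) string { return string(p) + ":" + code }

// Issue generates a code for the given purpose and records it under that purpose only.
func (s *CodeStore) Issue(p Purpose, rec Pending) (string, error) {
	code, err := NewUUIDv4()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.keys[key(p, code)] = rec
	return code, nil
}

var ErrNotFound = errors.New("verification code not found for this purpose")

// Consume looks the code up under the caller's purpose and deletes it on success,
// so a code is redeemable once and only by the flow that issued it.
func (s *CodeStore) Consume(p Purpose, code string) (Pending, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	k := key(p, code)
	rec, ok := s.keys[k]
	if !ok {
		return Pending{}, ErrNotFound
	}
	delete(s.keys, k)
	return rec, nil
}

func main() {
	s := NewCodeStore()
	code, _ := s.Issue(PurposeRegister, Pending{UserID: 1, Email: "new@example.com"})
	_, err := s.Consume(PurposeUpdateEmail, code)
	fmt.Println("update flow redeeming a registration code:", err)
	rec, _ := s.Consume(PurposeRegister, code)
	fmt.Println("registration flow redeemed code for", rec.Email)
	_, err = s.Consume(PurposeRegister, code)
	fmt.Println("second redemption:", err)
}
```

Against a real Redis the same scheme applies with SET ... EX so pending codes expire; the in-memory store above has no TTL and would grow with unredeemed codes.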

Full Changelog: v1.6.24...v1.6.25

v1.6.24

16 Nov 09:52
c39801d

What's Changed

Improvement

  • update error messages
  • update return responses
    • for 2FA setup, activation and deactivation, which require the user's password, return 400 when the supplied password is wrong
    • return the same response message for the same cause (consistency throughout the codebase)

Full Changelog: v1.6.23...v1.6.24

v1.6.23

13 Nov 19:29
0a07365

What's Changed

Dependencies

  • chore(deps): bump github.com/google/uuid from 1.3.1 to 1.4.0 by @dependabot in #134
  • chore(deps): bump gorm.io/driver/postgres from 1.5.3 to 1.5.4 by @dependabot in #135
  • chore(deps): bump go.mongodb.org/mongo-driver from 1.12.1 to 1.13.0 by @dependabot in #136
  • bump github.com/pilinux/argon2 from v0.4.0 to v0.5.0 0fe19a7

Security Fix

  • verify that the new email is not already in use by any user before replacing the current email d061f18
  • replace github.com/sec51/twofactor by github.com/pilinux/twofactor fa293b7

Feature

  • allow additional information to be included when sending emails 92d953f
  • new function IsProd() to get server mode (dev/prod) 9526e27

Improvement

  • when reading env variables, lowercase the values where required c3ab00d

Full Changelog: v1.6.22...v1.6.23

v1.6.22

12 Oct 10:13
e71dd84

security update!

  • chore(deps): bump golang.org/x/net from 0.12.0 to 0.17.0 by @dependabot in #133

To learn more about it:

Full Changelog: v1.6.21...v1.6.22

v1.6.21

11 Oct 20:14
687c14c

dependencies updated

  • chore(deps): bump gorm.io/gorm from 1.25.4 to 1.25.5
  • chore(deps): bump gorm.io/driver/postgres from 1.5.2 to 1.5.3
  • chore(deps): bump gorm.io/driver/mysql from 1.5.1 to 1.5.2
  • chore(deps): bump github.com/pilinux/argon2 from 0.3.0 to 0.4.0 by @dependabot in #129
  • chore(deps): bump gorm.io/driver/sqlite from 1.5.3 to 1.5.4 by @dependabot in #128

Full Changelog: v1.6.20...v1.6.21

v1.6.20

21 Sep 22:08
b159a3e

minor improvement

delete all stored hashes of a user's active 2FA backup codes (if any) when that user disables 2FA

Full Changelog: v1.6.19...v1.6.20

v1.6.19

18 Sep 13:42
54dadc9

improvements

  • when aborting from middleware, append the abort reasons
  • relational database connections
  • handle and log database read operation errors
  • email delivery process
  • use time.Now() throughout the project for the current local time

fix

  • HTTP response status codes

feature

  • new controller and handler for replacing a user's email address with a new one

CI

  • cache and restore only the go.sum files

commits

v1.6.18

11 Sep 10:39
e4da0ae

major update with full backward compatibility

  • option to store user emails encrypted at rest by setting ACTIVATE_CIPHER=yes and supplying a random secret in CIPHER_KEY. Existing accounts keep authenticating after the switch. Once encryption at rest is enabled and a new user account has been registered, downgrading to insecure plaintext mode is no longer possible.

  • option to harden the SHA-based hashing used for 2FA by setting TWO_FA_DOUBLE_HASH=yes.

  • optional secret BLAKE2B_SECRET for keyed blake2b hashing.

  • if ACTIVATE_CIPHER=yes, ChaCha20-Poly1305 (256-bit key) is used for email encryption.

  • for 2FA keys, AES-256 is used as before.

  • a new controller and services to generate backup codes for 2FA.

  • an improved go doc.
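
An added example, not gorest's code, of the storage design these notes describe, together with the v1.6.23 check that a new email is not already taken. It stays within Go's standard library, so AES-256-GCM stands in for ChaCha20-Poly1305 and HMAC-SHA256 stands in for keyed blake2b; using the keyed hash as a lookup index over encrypted addresses is my reading of what a BLAKE2B_SECRET is for, not something the notes state. The column names, the in-memory Store and the constructed keys are assumptions. The backward-compatibility point is modelled directly: rows written before the switch stay in plaintext and are still found through the plaintext column, rows written afterwards carry only ciphertext plus the index, and a legacy row is migrated the next time its address is written.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// UserRow stands for a users table row (column names assumed).
type UserRow struct {
	ID        int64
	Email     string // legacy plaintext, cleared once the row is encrypted
	EmailEnc  []byte // nonce || AES-256-GCM ciphertext
	EmailHash string // HMAC-SHA256 blind index of the normalized email
}

// Store is an in-memory stand-in for the database.
type Store struct {
	aead     cipher.AEAD // nil while encryption at rest is off
	indexKey []byte      // secret for the keyed lookup hash
	rows     []*UserRow
}

var ErrEmailTaken = errors.New("email already in use by another account")

func NewStore(indexKey []byte) *Store { return &Store{indexKey: indexKey} }

// EnableCipher switches encryption on; a 32-byte key selects AES-256.
func (s *Store) EnableCipher(key []byte) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	s.aead, err = cipher.NewGCM(block)
	return err
}

func normalize(email string) string { return strings.ToLower(strings.TrimSpace(email)) }

// blindIndex is deterministic (equal emails give equal keys) but secret-keyed, so a
// leaked table alone does not let an attacker confirm addresses by hashing guesses.
func (s *Store) blindIndex(email string) string {
	m := hmac.New(sha256.New, s.indexKey)
	m.Write([]byte(normalize(email)))
	return hex.EncodeToString(m.Sum(nil))
}

// FindByEmail matches encrypted rows through the index and legacy rows through the
// plaintext column, so accounts created before the switch keep authenticating.
func (s *Store) FindByEmail(email string) *UserRow {
	idx, plain := s.blindIndex(email), normalize(email)
	for _, r := range s.rows {
		if r.EmailHash == idx || (r.Email != "" && r.Email == plain) {
			return r
		}
	}
	return nil
}

// Save creates (ID == 0) or updates a user. It first checks that the address is
// not held by any other account (the v1.6.23 fix), then writes it in the current
// mode; a legacy plaintext row is migrated to ciphertext on its next write.
func (s *Store) Save(r *UserRow, email string) error {
	if other := s.FindByEmail(email); other != nil && other != r {
		return ErrEmailTaken
	}
	r.EmailHash = s.blindIndex(email)
	if s.aead == nil {
		r.Email = normalize(email)
	} else {
		nonce := make([]byte, s.aead.NonceSize()) // fresh random nonce per write
		if _, err := rand.Read(nonce); err != nil {
			return err
		}
		r.EmailEnc, r.Email = s.aead.Seal(nonce, nonce, []byte(normalize(email)), nil), ""
	}
	if r.ID == 0 {
		r.ID = int64(len(s.rows) + 1)
		s.rows = append(s.rows, r)
	}
	return nil
}

// EmailOf recovers the address, decrypting when the row is encrypted.
func (s *Store) EmailOf(r *UserRow) (string, error) {
	if r.Email != "" {
		return r.Email, nil
	}
	n := s.aead.NonceSize()
	pt, err := s.aead.Open(nil, r.EmailEnc[:n], r.EmailEnc[n:], nil)
	return string(pt), err
}

func main() {
	s := NewStore([]byte("constructed-index-secret"))
	legacy := &UserRow{}
	_ = s.Save(legacy, "legacy@example.com")                         // plaintext row from before the switch
	_ = s.EnableCipher([]byte("0123456789abcdef0123456789abcdef")) // constructed 32-byte key
	alice := &UserRow{}
	_ = s.Save(alice, "Alice@Example.com")
	fmt.Printf("alice at rest: %x\nlegacy still resolves: %v\ntaking alice's address: %v\n",
		alice.EmailEnc, s.FindByEmail("legacy@example.com") == legacy, s.Save(legacy, "alice@example.com"))
}
```

Two details carry over to any real implementation: the uniqueness check must go through the same normalized, keyed index the lookup uses (otherwise Alice@Example.com and alice@example.com are two "different" addresses), and the nonce must be fresh per write, which is why it is drawn from crypto/rand and stored alongside the ciphertext.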

compare commits
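
An added example, not gorest's code, of backup codes for 2FA as the notes describe them: stored only as digests, redeemable once each, and wiped entirely when the user disables 2FA (the v1.6.20 change above). Code length, count and format, the SHA-256 digest and the in-memory map are assumptions; the notes do not describe how gorest hashes its codes, and TWO_FA_DOUBLE_HASH is not modelled.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"encoding/hex"
	"fmt"
	"strings"
)

const backupCodeCount = 10 // codes issued per user (assumed)

// BackupCodes keeps only digests of unused codes per user; the plaintext codes
// are shown once at generation time and never stored.
type BackupCodes struct {
	hashes map[int64][]string // userID -> hex(SHA-256(normalized code))
}

func NewBackupCodes() *BackupCodes { return &BackupCodes{hashes: make(map[int64][]string)} }

// newCode draws 80 random bits and formats them as four base32 groups. That much
// entropy makes a plain SHA-256 digest adequate; short numeric codes would need a
// slow password hash instead.
func newCode() (string, error) {
	raw := make([]byte, 10)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	s := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(raw)
	return s[:4] + "-" + s[4:8] + "-" + s[8:12] + "-" + s[12:], nil
}

// normalize lets users type codes with or without dashes and in either case.
func normalize(code string) string {
	return strings.ToUpper(strings.NewReplacer("-", "", " ", "").Replace(code))
}

func hashCode(code string) string {
	sum := sha256.Sum256([]byte(normalize(code)))
	return hex.EncodeToString(sum[:])
}

// Generate issues a fresh set for the user, replacing any earlier set, and
// returns the plaintext codes exactly once.
func (b *BackupCodes) Generate(userID int64) ([]string, error) {
	codes := make([]string, 0, backupCodeCount)
	hashes := make([]string, 0, backupCodeCount)
	for len(codes) < backupCodeCount {
		c, err := newCode()
		if err != nil {
			return nil, err
		}
		codes, hashes = append(codes, c), append(hashes, hashCode(c))
	}
	b.hashes[userID] = hashes
	return codes, nil
}

// Redeem accepts a code once: the matching digest is removed so the code cannot
// be replayed. Each stored digest is compared in constant time.
func (b *BackupCodes) Redeem(userID int64, code string) bool {
	want := []byte(hashCode(code))
	for i, h := range b.hashes[userID] {
		if subtle.ConstantTimeCompare([]byte(h), want) == 1 {
			list := b.hashes[userID]
			b.hashes[userID] = append(list[:i:i], list[i+1:]...)
			return true
		}
	}
	return false
}

// Remaining reports how many unused codes the user still has.
func (b *BackupCodes) Remaining(userID int64) int { return len(b.hashes[userID]) }

// DisableTwoFA is the v1.6.20 behaviour: when a user turns 2FA off, every
// remaining backup-code digest is deleted with it, so no stale code survives
// into a later re-enrolment. It returns the number of digests removed.
func (b *BackupCodes) DisableTwoFA(userID int64) int {
	n := len(b.hashes[userID])
	delete(b.hashes, userID)
	return n
}

func main() {
	b := NewBackupCodes()
	codes, _ := b.Generate(42)
	fmt.Println("issued:", codes)
	fmt.Println("redeem once:", b.Redeem(42, strings.ToLower(codes[0])), "replay:", b.Redeem(42, codes[0]))
	fmt.Println("disable 2FA deleted", b.DisableTwoFA(42), "digests; left:", b.Remaining(42))
}
```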

v1.6.17

18 Aug 14:43
0dd09b0

new feature

  • an optional secret can now be used when hashing with Argon2id, set via the new environment variable HASH_SECRET
  • [fully backward compatible] existing applications in production that leave HASH_SECRET empty keep their auth functionality working

ci

  • run static analysis and test the build on all major OSes (Linux, macOS, Windows) and CPU architectures (arm64, amd64)