Releases: nhost/hasura-auth
0.19.3
0.19.2
0.19.1
0.19.0
Minor Changes
-
f7ec32f: Revert #317 (connect directly to postgres)
We are reverting #317 because of issues we found with connections being exhausted on the database side. Having hasura-auth connect directly means that we have to consider/tweak an additional connection pooler. It also makes things a bit more cumbersome, operationally speaking, when provisioning projects in the cloud.
The initial goal of #317 was to allow users to choose the naming convention to use with hasura. We have found that using hasura's run_sql, available through its schema API (https://hasura.io/docs/latest/api-reference/schema-api/run-sql/#schema-run-sql), allows for the same naming flexibility while funneling all connections through the same entry point.
Patch Changes
- 2eadfa9: Fix validation for redirectUrl
0.18.0
Minor Changes
-
45afb45: Stop sending the refresh token in the hash part of the redirection
Originally, hasura-auth was adding the refresh token to the hash part of the redirection urls, but we decided to add it to the query parameters, as the hash was not accessible in SSR pages.
We decided to add the refresh token in both places during a transition period in order to prevent a breaking change with legacy versions of the SDK, that were looking for the refresh token in the hash.
However, since@nhost/[email protected](April), the SDK also finds (and removes) the refresh token in both places.Sending the refresh in the hash has a significant impact on Vue users, as the vue-router is handling routes in the hash part of the url in its own way that conflicts with the urls sent by hasura-auth.
This is a breaking change for clients using previous versions of the SDK, or manually looking for the refresh token in the hash instead of the query parameter
-
d5eed8f: Use SQL instead of GraphQL to interact with the DB
Run DB operations through SQL rather than GraphQL, so the user can pick any Hasura naming convention configuration they want.
As the SQL operations are simpler than the ones generated by Hasura, and as we don't use Hasura anymore to proxy DB operations, it also comes with a slight performance increase.
Hasura-auth now only uses the GraphQL API to generate custom claims.
-
2e15427: Introduce a new
refresh_tokens.refresh_token_hashcolumn.Preparatory work to store refresh tokens as a SHA256 hash.
To avoid a breaking change, the
refresh_tokens.refresh_tokencolumn remains unchanged until the next major release.- The
refresh_tokens.refresh_tokencolumn is now deprecated. - The hashed refresh token is a Postgres stored generated column.
- The internal GraphQL queries are using the hashed refresh token.
- The internal GraphQL mutations are still updating the
refresh_tokencolumn.
When introducing the breaking change, we will:
- Rename
refresh_tokens.refresh_tokentorefresh_tokens.id. - Use the
idcolumn as an identifier. - Remove the
generatedexpression in therefresh_token_hashcolumn. - New refresh tokens will then be saved uniquely as SHA256.
- The
Patch Changes
-
de0b163: Added spanish email templates, thanks @JepriCreations for the contribution
-
b398ae2: A custom claim that is expected to be an array (ie. contains "[]" in its path) will be set to an empty array - instead of being undefined - when its query returns no value.
This allows permissions of the form "something IN X-Hasura-myCustomClaimArray" to work as intended
when the array is empty. -
87a3e96: Added czech email templates, thanks @suplere for the contribution
-
fff9d1f: Added bulgarian email templates, thanks @azlekov for the contribution
-
5a224e6: Improve the logging of the SMTP errors
When an email could not be sent, the logs where too limited. As a result, it was not possible to know the reason why emails could not be sent, nor knowing why hasura-auth was returning an HTTP 500 error.
When an email can't be sent, hasura-auth now adds two more lines to the logs before the standard http log row:
{"address":"127.0.0.1","code":"ESOCKET","command":"CONN","errno":-61,"level":"warn","message":"SMTP error","port":1026,"syscall":"connect"} {"level":"warn","message":"SMTP error context","template":"email-verify","to":"[email protected]"} {"latencyInNs":271000000,"level":"error","message":"POST /signup/email-password 500 271ms","method":"POST","statusCode":500,"url":"/signup/email-password"}
0.17.1
Patch Changes
-
f85e92d: - The default role is now automatically added to the allowed roles.
- The default locale is now automatically added to the allowed locales.
Previously, it was explicitly required to add the
meandAUTH_USER_DEFAULT_ROLEroles toAUTH_USER_DEFAULT_ALLOWED_ROLES. They are now automatically added toAUTH_USER_DEFAULT_ALLOWED_ROLES.Before:
AUTH_USER_DEFAULT_ROLE=user AUTH_USER_DEFAULT_ALLOWED_ROLES=user,me,otherNow, the following configuration will also work:
AUTH_USER_DEFAULT_ROLE=user AUTH_USER_DEFAULT_ALLOWED_ROLES=otherBoth syntaxes will allow the roles
user,me, andother.Similarly, it is no longer a requirement to add the value of
AUTH_LOCALE_DEFAULTto theAUTH_LOCALE_ALLOWED_LOCALES.Before:
AUTH_LOCALE_DEFAULT=en AUTH_LOCALE_ALLOWED_LOCALES=en,frNow, the following configuration will also work:
AUTH_LOCALE_DEFAULT=en AUTH_LOCALE_ALLOWED_LOCALES=en,frBoth syntaxes will allow the locales
enandfr. -
02da92a: Allow WorkOS organization/domain/connection from the query parameters
The Grant
dynamicparameter was not correctly set. Moreover, the Oauth routes were usingexpress.useinstead ofexpress.all. As a result. the routes defined for${OAUTH_ROUTE}/:providerwhere also matching an url like${OAUTH_ROUTE}/:provider/callback, although they shouldn't have.
v0.17.0
Minor Changes
-
951349b: Optionally conceal sensitive error messages
Introduce a new
AUTH_CONCEAL_ERRORSenvironment variable that conceals error messages to avoid leaking indirect information about users e.g. a user is registered in the application or a given password is invalid.It is disabled by default.
Patch Changes
-
d3fe853: Preserve the Oauth session between the initial request and the callback
Fixes nhost/nhost#1353
-
9c25b1f: Ability to set test phone numbers for phone auth
This can be used without any provider set. When sign in via phone auth using a test phone number is invoked the SMS message with the verification code will be available trough the logs.
This way you can also test your SMS templates.
v0.16.2
Patch Changes
-
e0949d7: Try the first characters of the Oauth user profile's locale
Some Oauth providers returns locales. But it can be
en-GBwhereas hasura-auth only accepts locales coded in two characters.
It now tries to validate the two first characters of the user profile locale against the list of allowed locales. -
e0949d7: Don't fail WorkOS transformation when the user profile is incorrect
When not configuring WorkOS correctly, the
raw_attributesof the user profile could be null. This fix avoids returning an error when accessing properties of this object that would be null. -
e0949d7: Correct validation of custom locale and redirect urls in Oauth routes
v0.16.1
v0.16.0
Minor Changes
-
09478c4: Allow patterns in allowed urls
AUTH_ACCESS_CONTROL_ALLOWED_REDIRECT_URLSnow accepts wildcard and other micromatch patterns inAUTH_ACCESS_CONTROL_ALLOWED_REDIRECT_URLS.To match
https://(random-subdomain).vercel.app:AUTH_ACCESS_CONTROL_ALLOWED_REDIRECT_URLS=https://*.vercel.appAs a result:
# Correct https://bob.vercel.app https://anything.vercel.app # Incorrect https://sub.bob.vercel.app http://bob.vercel.app https://vercel.app
It is possible to use other patterns, for instance:
- to allow both http and https:
AUTH_ACCESS_CONTROL_ALLOWED_REDIRECT_URLS=http?(s)://website.com- to allow any port:
AUTH_ACCESS_CONTROL_ALLOWED_REDIRECT_URLS=http://website.com?(:{1..65536}) -
c6daab9: Synchronise
AUTH_USER_DEFAULT_ALLOWED_ROLESandAUTH_USER_DEFAULT_ROLEwith the database
When starting the server, all the roles defined inAUTH_USER_DEFAULT_ALLOWED_ROLESandAUTH_USER_DEFAULT_ROLEare upserted into theauth.roles
table -
4d16514: Use Grant
Hasura Auth was relying on PassportJS and numerous npm packages to orchestrate each Oauth provider. The code became complex to maintain, and it became more and more difficult to add new providers.
Providers are noew defined in one single file so it is easier to add new ones.
Patch Changes
- 4d16514: Fetch the user locale when available (Discord, Google, LinkedIn, WorkOS)
- 4d16514: Fetch avatar url from BitBucket
- 4d16514: Fetch display name from the Strava provider
- c6daab9: Redirect Oauth errors or cancellations
When a user cancelled their authentication in the middle of the Oauth choregraphy, they were falling back to an error on the Hasura Auth callback endpoint.
Hasura Auth now parses the error and redirect the user to the client url, with error details as query parameters. - 4d16514: The service starts when a provider is incorrectly configured. Instead, the endpoint fails with a standard error. The error is logged (warn level)
- 4d16514: Fetch the email verification status when available (Apple, BitBucket, Discord, GitHub, Google)
- c6daab9: Preserve the case in
redirectTooptions, and case-insensitive validation
TheredirectTovalues were transformed into lower case. It now validates regardless of the case, and preserve the original value. - c6daab9: Return Have I Been Pwned error message
Hasura Auth now returns the reason why the password is not compliant with HIBP. - c6daab9: Log error when failing to apply Hasura metadata
- c6daab9: Tell why Hasura can't be reached
When starting, Hasura Auth waits for Hasura to be ready. Hasura Auth now logs the reason why Hasura can't be reached. - 4d16514: Enforce Oauth scopes required by hasura-auth
Custom scopes set as environment variables don't replace the scopes that are required by Hasura-auth to function. They are appended instead. - c6daab9: Increase OTP secret entropy to 256 bits