Releases: xraph/authsome

v1.5.5

07 Jun 19:15
074850f

Changes

  • Merge pull request #37 from xraph/feat/email-verification-otp (074850f)
  • refactor(verification): streamline route option initialization for email verification (c46e0b3)
  • feat(verification): implement email verification with OTP and auto-login support (21cbce0)
  • fix(verification): set env_id on email verification record (16511db)
  • fix(verification): route 6-digit token from authed session to OTP path (52f18a7)
  • feat(verification): OTP API + notification wiring; single issue path (cbb987a)
  • feat(verification): OTP email verification engine + store (TDD) (c875306)
  • feat(account): OTP code primitives for email verification (TDD) (edad4b2)

Installation

Go:

go get github.com/xraph/authsome@v1.5.5

npm:

npm install @authsome/client@1.5.5
npm install @authsome/ui-react@1.5.5

Flutter:

dependencies:
  authsome_flutter: ^1.5.5

Full Changelog: v1.5.3...v1.5.5

v1.5.3

04 Jun 05:29

Changes

  • chore: bumped forge version (f58de45)
  • chore: formatted code (2404f76)
  • feat: added support for multi email (d7e1ba5)
  • fix: update Node.js version to 22 and enable npm provenance for publishing (1d7f500)

Installation

Go:

go get github.com/xraph/authsome@v1.5.3

npm:

npm install @authsome/client@1.5.3
npm install @authsome/ui-react@1.5.3

Flutter:

dependencies:
  authsome_flutter: ^1.5.3

Full Changelog: v1.5.1...v1.5.3

v1.5.1

01 Jun 13:15

Changes

  • refactor: improve error handling and function signatures for consistency across handlers (83154c7)
  • fix: update forge dependency to v1.6.6 in go.mod and go.sum (c434f12)
  • feat: add cross-tenant session validation and regression test for publishable key mismatch (3c9a9d4)
  • chore: formatted codebase (2351540)
  • fix: fixed flutter auth bugs (f532346)
  • refactor: Improve struct formatting for consistency across handlers (0236405)
  • feat: Add riskengine, scim, social, sso, subscription, and vpndetect plugins with contract integration (4502f6d)

Installation

Go:

go get github.com/xraph/authsome@v1.5.1

npm:

npm install @authsome/client@1.5.1
npm install @authsome/ui-react@1.5.1

Flutter:

dependencies:
  authsome_flutter: ^1.5.1

Full Changelog: v1.5.0...v1.5.1

v1.5.0

19 May 03:03

Changes

  • fix(cookies): add #nosec comments to clarify security settings in session cookie templates (cd3e055)
  • fix(cookies): add #nosec comments to clarify security settings in cookie templates (b67c2fd)
  • fix(tests): update HTTP request creation to use context-aware methods across multiple test files (cc72379)
  • fix(tests): update HTTP request creation to use context-aware methods in signup tests refactor(cookies): streamline cookie creation in setSessionCookie and deleteSessionCookie functions fix(cookies): return cookie object in SessionCookieTemplate for consistency fix(contributor): simplify error messages in writeFragment function (502616f)
  • fix(tests): remove unused request parameter in HTTP handlers (7554c64)
  • Refactor error handling and improve code clarity across multiple files (65177e3)
  • feat(rbac): add envIDToNamespace function for environment ID conversion (4f43d4a)
  • Merge branch 'main' of github.com:xraph/authsome (05f20c7)
  • fix(dependencies): update module versions in go.mod and go.sum for compatibility (788432c)
  • Merge pull request #32 from xraph/github-fix (a5555c3)
  • chore: run formatter after merging main (24bad9f)
  • Merge origin/main and resolve conflicts preferring main (42e0027)
  • Delete .claude/settings.local.json (b750692)
  • chore(settings): removed useless file (cadeed4)
  • fix:ctx param (4190440)
  • fix:ci issues (4ab3287)
  • fix:fetch github user email (fdd926a)

Installation

Go:

go get github.com/xraph/authsome@v1.5.0

npm:

npm install @authsome/client@1.5.0
npm install @authsome/ui-react@1.5.0

Flutter:

dependencies:
  authsome_flutter: ^1.5.0

Full Changelog: v1.4.2...v1.5.0

v1.4.2

11 May 20:00

Changes

  • fix(script): update version stamping method in prepare-npm-publish.sh to avoid npm workspace issues (92203db)
  • feat(dependencies): update package.json to use workspace:* for internal dependencies fix(auth): simplify session refresh logic and improve type handling for passkeys refactor(scripts): streamline npm publish preparation by removing redundant workspace resolution (d6ccfe9)
  • fix(extension): wire remote contract contributor in client mode + expose contract server in server mode (e9ed971)
  • feat(extension/contract): auth.config query + login-04 form + role gate wiring (5c8b526)
  • feat(extension/contract): contribute auth.login + /login route to dashboard contract (2e08361)
  • feat(passkey): enhance dashboard settings panel with dynamic settings (855daf2)
  • feat(admin): copy user across apps and list roles per-app (b892de4)
  • fix(ui-core): fetchClientConfig uses generated client's actual fields (c3e26f4)
  • fix(api,sdk): route public-auth by publishable key, never to platform (636c706)
  • feat: WithInitialOwnerCount — configurable auto-promotion threshold (default 3) (39c933b)
  • fix(service-account): address critical and important code review issues (66d0bcd)
  • feat: add first-class ServiceAccount entity with API keys and admin API (6716455)
  • fix(admin): enforce platform-owner auth gate and harden last-owner guard (3ad5520)
  • feat: platform owner configurability — WithInitialOwners, YAML config, admin API (cf02517)
  • fix: remove SuperAdminSlug from IsPlatformRole to prevent auth gate leakage (f96121f)
  • fix(rbac): add SuperAdminSlug constant, update IsPlatformRole, and purge duplicate platform-admin roles (4ca9177)
  • feat: Enhance admin API for social and SSO management (5443cce)
  • fix(mongo): create_authsome_users tolerates pre-existing OLD-shape index (2fa89f8)
  • fix(mongo): self-heal grove_migrations decode-corruption on boot (efbb0c6)
  • fix(mongo): run migration orchestrator + tolerate index-shape conflicts on boot (900061a)
  • fix(store): empty-username unique-index collision + clean error mapping (9fad32f)
  • test(engine): pin MFA gate contract for every plugin's AuthMethod (677fac5)
  • feat(ui): MFA round-trip via ticket — challenge form completes the sign-in (c4a13f5)
  • refactor(engine): SignIn delegates session minting to IssueSession; remove inline gate (277118b)
  • feat(mfa): /v1/mfa/challenge accepts ticket and issues session (9ac33dd)
  • feat(phone): route verify endpoint through Engine.IssueSession (da8d687)
  • feat(sso): route SAML/OIDC callback through Engine.IssueSession (ec0c2c2)
  • feat(magiclink): route verify endpoint through Engine.IssueSession (564c7e6)
  • feat(social): route OAuth callback through Engine.IssueSession (22bcebc)
  • feat(api): map ErrMFARequired to 403 with mfa_ticket + available_methods (5030a7f)
  • feat(engine): IssueSession centralized chokepoint with MFA ticket gate (9d8e891)
  • docs(superpowers): track auth-security-hardening design spec (3defea3)
  • test(dashboard): coverage for PageBase plumbing (a37434e)
  • fix(sdkgen): persist Go-SDK lazy app-id discovery in template (42181ed)
  • feat(dashboard,extension): plumb PageBase + POST contributor protocol (9085bb2)
  • feat(engine): surface mfa_required on client-config (0920995)
  • feat(appclientconfig,api): mfa_required override per-app (586f8ad)
  • fix(middleware,apikey): clearer ops signals for auth failures (1610be9)
  • chore: ignore /specgen + /standalone binaries; track refresh-replay tests (e9b54c9)
  • fix(extension): replace removed dashboard.WatchRemoteContributor API (1015375)
  • feat(store/mongo): native refresh-token replay detection (e52ee46)
  • feat(store/sqlite): native refresh-token replay detection (2ad797c)
  • feat(store/postgres): native refresh-token replay detection (a954ac0)
  • feat(store): add family_id + revoked_refresh_tokens schema for SQL/Mongo (5ed8f43)
  • feat(engine): detect refresh-token replay and revoke session family (cecdfd3)
  • feat(store): add refresh-token revocation set + family cascade (8ca131c)
  • feat(id,session): add SessionFamilyID for refresh-token replay detection (7ded3e0)
  • feat(ui-nextjs): inherit verification + captcha UX from ui-components (95694da)
  • feat(ui-vue): wire verification panels and captcha into sign-in/sign-up (c6a6908)
  • feat(api,engine): POST /v1/verify-email/resend (enumeration-safe) (73e857c)
  • fix(sdkgen): persist 'type' field on TS AuthClientError template (cf24a73)
  • feat(ui-components): wire verification panels and captcha into sign-in/sign-up (a431739)
  • feat(ui-components): add Cloudflare Turnstile widget (52fd4cf)
  • feat(ui-core,ui-react): add email_not_verified and verification_pending auth states (5b7ebb0)
  • feat(ui-core): surface backend error type field on AuthClientError (94f6804)
  • feat(engine,api,sdk): expose Captcha section on /v1/client-config (38718d2)
  • feat(api,sdk): regenerate SDKs with captcha_token field + Phase 2A behavior (6f5193e)
  • feat(webhook): canonical signature helpers (X-Authsome-Signature) (05b6690)
  • feat(account): NeedsRehash also fires on weakened Argon2/bcrypt parameters (c259899)
  • feat(scim): RotateToken with grace window for zero-downtime rotation (269dc27)
  • feat(bridge,social): encrypt OAuth provider tokens at rest (AES-256-GCM) (613d5aa)
  • feat(api): apply SecurityHeadersForAPI to every JSON route (7f3df66)
  • feat(middleware): SecurityHeaders middleware (CSP/HSTS/Frame/Referrer/Permissions) (5cfc458)
  • fix(middleware): gate 401 debug_reason on AUTHSOME_DEBUG_AUTH=1 (89573bd)
  • feat(organization): atomic cascade delete via per-backend native tx (7d1b2ec)
  • feat(social): rate-limit /v1/social/:provider endpoints (753ddc7)
  • feat(social): PKCE (S256) + OIDC nonce + per-app state namespacing (d072f98)
  • fix(plugins): migrate dashboard form nonces to scoped HMAC variant (b7a638a)
  • test(secutil): centralize RelaxAuthDefaults bootstrap helper (c6e2d6e)
  • fix(organization): migrate org-create form to scoped nonce (5e88da7)
  • fix(social): use template.JSEscapeString for redirect in callback HTML (ed72fc2)
  • feat(authsome): __Host- session cookie prefix opt-in + unify cookie config (6dc4182)
  • feat(api,extension): apply captcha middleware to auth endpoints (a1069a4)
  • feat(middleware): captcha middleware + per-app settings (6ee726a)
  • fix(captcha): correct Turnstile action handling, return Result, drop unreachable sentinel (0410781)
  • feat(captcha): Verifier interface + Cloudflare Turnstile implementation (5659b66)
  • fix(api): map ErrEmailNotVerified to 403 with stable error code (590e273)
  • fix(authsome): default SettingRequireEmailVerification to true (cd554e6)
  • fix(api): close /v1/signup timing and shape oracles (eb5db00)
  • fix(api): /v1/signup no longer leaks email existence (3acf2f4)
  • feat(dashboard): require CSRF token on register/login/forgot/setup (461e3f0)
  • feat(dashboard): pre-session CSRF token for unauthenticated forms (cb3679d)
  • fix(dashboard): Auditor sets Outcome and handles empty actor (9457561)
  • feat(dashboard): audit helper + coverage gate (874320a)
  • docs(memory store): clarify WithTx snapshot semantics (458351c)
  • feat(organization): WithTx-wrapped DeleteOrganization cascade (12a2365)
  • fix(organization): canDeleteOrg passes resource TYPE, not instance ID (5235b01)
  • feat(organization): authz + audit log for dashboard org delete (aeb3a9f)
  • fix(dashboard): length-prefix HMAC inputs in nonceSigner (d40947b)
  • feat(dashboard): add HMAC-bound CSRF nonce (session+scope) (072ef0f)
  • feat(social): per-app frontend-URL allowlist for OAuth state (f51b640)
  • fix(api): /v1/introspect must validate API keys (86000b2)
  • fix(social): close backslash and relative-path open-redirect vectors (adaf8fc)
  • fix(social): reject absolute redirect URLs without trusted origin (f018a05)
  • test: add secutil shared test helpers for security work (d28b9ab)
  • Refactor imports and add App ID handling (c62517b)
  • feat: implement client mode for dashboard contributor and expose contributor protocol over HTTP (844afa6)
  • feat(testutil): add SwitchOrg, SetMemberRole, SessionByToken helpers (b4d1c08)
  • test(engine): coverage for SwitchActiveOrg (17221e0)
  • feat(api): add POST /v1/me/switch-org for active-org session updates (56e5322)
  • feat: implement dynamic email verification setting and update related logic (87bf427)
  • feat: add signup_enabled feature to app client configurations (6fb937b)

Installation

Go:

go get github.com/xraph/authsome@v1.4.2

npm:

npm install @authsome/client@1.4.2
npm install @authsome/ui-react@1.4.2

Flutter:

dependencies:
  authsome_flutter: ^1.4.2

Full Changelog: v1.4.1...v1.4.2

v1.4.1

29 Mar 18:55

Changes

  • chore: update dependencies to version 1.4.1 for multiple packages and bump confy to v0.5.0 (7d31747)

Installation

Go:

go get github.com/xraph/authsome@v1.4.1

npm:

npm install @authsome/client@1.4.1
npm install @authsome/ui-react@1.4.1

Flutter:

dependencies:
  authsome_flutter: ^1.4.1

Full Changelog: v1.4.0...v1.4.1

v1.4.0

29 Mar 00:51

Changes

  • chore: update dependencies in pnpm-lock.yaml to version 1.4.0 for ui components, core, and react (7c0b2e6)
  • feat: add LICENSE and README files for authsome_core, authsome_flutter, and authsome_flutter_ui; update API paths in Go SDK and service logic (72f9a87)
  • feat: add README.md and dashboard preview image; update package versions to 1.4.0 across multiple packages (406cd34)
  • feat: add session auto-refresh settings and JWT security options (1f2269f)
  • feat: add custom signup fields and validation to client config (fd1188c)
  • feat: add UpdateEnvironmentSettingsRequest for PATCH /environments/:envId/settings (b0cad6c)
  • feat: update operation IDs in RBAC routes for consistency and clarity (fe71a3a)

Installation

Go:

go get github.com/xraph/authsome@v1.4.0

npm:

npm install @authsome/client@1.4.0
npm install @authsome/ui-react@1.4.0

Flutter:

dependencies:
  authsome_flutter: ^1.4.0

Full Changelog: v1.3.0...v1.4.0

v1.3.0

13 Mar 20:04

Changes

  • refactor: remove gosec linter suppressions for integer overflow and sign count validations (6f92e1f)
  • feat: update package versions to 1.0.0 and add package-lock.json for TypeScript client (07e4096)
  • feat: enhance dashboard and settings UI with improved spacing and layout (ee50319)
  • refactor: remove unused Footer component from HomePage (49964fe)
  • feat: add enterprise section with feature cards for SSO, SCIM, and more (02b62af)
  • refactor: replace httptest with http.NewRequestWithContext in registry tests (54364bf)
  • feat: enhance release workflow with module selection and improve dry run handling (a993b9a)
  • refactor: update nonce generation and improve test request context handling (129786c)
  • fix: correct return type in GetOpenAPISpec and align struct field formatting in types.go (e485224)
  • refactor: streamline Flutter dependency management in CI workflows (498fae1)
  • feat: add AuthSome SDK for TypeScript and Go (e11e498)
  • refactor: update handler return types to use pointers for compatibility with Forge (b3c0945)
  • feat: enhance CI/CD workflows, add Flutter and npm release processes, and improve package metadata (5d52a2a)
  • Refactor subscription plugin: streamline audit and relay methods, update response types, and enhance error handling (6b91c11)
  • refactor: improve error handling and remove unused functions in SCIM plugin (a81e0de)
  • Refactor error handling and improve code clarity (6507c33)
  • Refactor import statements across multiple files to maintain consistency and improve readability (6fd3701)
  • feat(session): add cookie configuration settings for session management (67b2957)
  • feat(settings): implement in-memory and nil stores for settings management (b782f12)
  • feat: add account management features with password handling and verification (91fc235)

Installation

Go:

go get github.com/xraph/authsome@v1.3.0

npm:

npm install @authsome/client@1.3.0
npm install @authsome/ui-react@1.3.0

Flutter:

dependencies:
  authsome_flutter: ^1.3.0

Full Changelog: https://github.com/xraph/authsome/commits/v1.3.0