- DB performance improvements:
- Bump activitypub-express for caching of nodeinfo user counts to improve DB performance
- Add missing index for token validation
- Fixed an issue with SSO automatic username generation where generated usernames could be too long to be valid and would lock up the interstitial form preventing the selection of a shorter one.
- Updated custom identity provider username template interpolation to strip out any restricted characters to ensure the generated username is valid
Breaking: Dockerfile updated to build from Node 18
- node 18 support
- Update activitypub-express to address Mastodon and Hubzilla compatability issues
- Updated dependencies
- SSO login username templates: streamline new user registration via SAML/OIDC by
automatically selecting username using user profile data from the identity provider.
Setting available in Admin UI for adding/editing identity provider clients,
/admin/oidc
- Fix SAML SSO intermittently not redirecting properly in Chrome, leaving popup open after login and failing to return token to opener
- Add user feedback when an SSO client cannot be added due to duplicate domain conflict
- Fix URL Link option for SAML client metadata entry not working
- Fix duplicate local client registration handling
- Updated dependencies
- Dependencies not able to be updated:
- @small-tech/auto-encrypt@4 - requires node at >=18
- migrate-monogo@9 - poorly documented changes; no clear benefit to update
- mongodb@5 - multiple peer dependencies still requiring v4
- oidc-provider@8 - not currently in use, skipped for now
- parse-domain@6 - changed to ESM only, would require refactor for async import
- request - no patch released yet for GHSA-p8p7-x288-28g6
- When using SSO with passEmailToHub, email will now be passed whenever it is available
(i.e. when logging in again via SSO) instead of just on initial login. This can help with
recovery from bad SSO states - just force a logout from the immer
(with
POST /auth/logoutor withlogout(true)from immers-client >=2.16.0) and login again.
- Update undici nested dependency for audit fix
- Additional logging for SSO requests to help debug
- Fixed SSO logins through the account merge flow (with approval e-mail) failing to redirect properly and not completing the login
Includes migration: It's reversible with failsafes to avoid data loss, but backup that database before applying just to be safe
- Added support for login via SAML. SAML clients can be added/edited alongside OIDC clients at
/admin/oidc - Added instructions and guidance for OIDC and SAML client setup in the add client screen at
/admin/oidc - Add OAuth2 clients from other immers to the listing at
/admin/oidc
- Remote clients / identity providers data restructured to all reside in same collection
- Admin api methods updated to new data structyre
- Local dev will now generate self-signed certs automatically, removed obsolete env vars for specifying cert location
- Package updates to resolve all npm audit findings. Includes breaking change to passtportjs with code migrations
- When new users register on your immer, some additional data is now returned in the authorization response to your site:
isNewUser,provider(their login provider if using OIDC elseemail). With immers-client >=2.14.0, this will be available fromimmersClient.sessionInfoafter login (reference). passEmailToHubenvironment config, whentruethe cleartext email is included with the above sessionInfo, and the email data safety message is omitted from the registration page.
- Fix Facebook OIDC by dropping request for currently unused
profilescope from all OIDC authorization requests
- Fix email unable to send when smtpPort is a string
- OpenID Connect account merge: allow OIDC login when an account already exists with that email
- Sends an email to the address to get user authorization for the new provider
- Displays an interstitial page explaining the situation
- User is logged in and proceeds to destination once the email link is clicked
- SMTP OAuth authentication
- Support service acount login (2-legged OAuth) to mail service by specifying
smtpClientandsmtpKeyevironment variables in place ofsmtpPassword
- Support service acount login (2-legged OAuth) to mail service by specifying
- Avatar changes made from profile page correctly reflected on other ActivityPub platforms (immers-client update)
- Update activitypub-express to eliminate unindexed activty.object.object query on Update
- Enable CORS for hub domains for
GET /auth/oidc-providers - Rendering of profile for users with no avatar model
- Unable to click enter AR button on models with long names
- Error with controlled account authorization when multiple redirectUris are registered
- Properly escape custom theme string in server data to prevent rendering issue with newlines
- 🎨 Theme Editor (
/admin/theme) - Choose from 4 base themes and then customize with css custom properties via our live editor - ✏️ Profile editing: Users can now edit their Display name and Bio from the web interface.
- 🚮 Remove avatar: Users can now remove Avatar models from their Avatar collection from the web interface (Does not delete the Avatar).
- Total refactor of the Web client views to use Pico.css instead of aesthetic.css
- Breaking: Many class and hierarchy changes, any existing customCSS will likely need refactoring (or replace via new theme editor)
- Breaking: Default theme is now simple and modern with automatic light and dark modes. If you liked the old theme, check out our new "Web95" theme in the theme editor
- Breaking: Package-lock updated to v2, recommend npm >=7/node 16 for reliable installs.
- Migrated SPA routing to
react-routerto resolve the last peer-dependency conflict - Dockerfile updated to build from Node 16
- Migrated SPA routing to
- Admin routing changed:
/adminnow lists admin views, OIDC client list moved to/admin/oidc
- Fixed the timestamp post link not working for posts from other servers
- Improved OAuth flow: for an authorization request where the user's identity is already known and that user is from another server, skip the local login page and redirect straight to their home login page (still do provider discovery and dynamic client registration along the way).
- Remote logins now possible when using custom login page, as long as user's handle is included in the authorization request query parameters (
me=username[immer.com]). Note this query param is set automatically when using the immers-client's<immers-hud>or when including handle in calls toimmersClient.login()
- fixed broken images in posts displayed in profile if the image url was a Link object
- fixed missing open graph image tag on image post pages
- Proxy logins: Enable users with controlled accounts to still use their portable identities throughout the metaverse.
- Configuration option to alter session cookie id
- Support custom Activity vocabulary extensions via
additionalContextconfig option
Urgent update: Your SSL certificates may not be able to renew until you apply this update
- Updated auto-encrypt dependency to fix error generating certificates.
Includes migration. Backup database before starting your server with this update. If using immers-app update scripts, a backup will be generated for you.
Includes new index. Activitypub-Express udpate indlude a new index added for nested object updates, expect a one-time longer than usual restart time when applying this update (server may not show any logs during this time)
- Adds 2 new collections to users to get aggregated inbox/outbox Arrive activities for recent, unique destinations from your history (/u/username/destinations) or your friends' history (/u/username/friendsDestinations).
- New destinations tabs on user profile pages display destination history
- Support uploading files with Create activities.
- When discovering avatars from other immers, the files can now be uploaded to and served from the users' home immer to ensure they can CORS fetch it from anywhere they go and that it remains available even if the source server does not.
- Uses MongoDB GridFS for file storage, so no additional configuration is required.
- See
ImmersClient.createAvatarfor a convenience wrapper or/mediaendpoint (which follows ActivityPub standard) for direct use. - Stored files are automatically deleted when the related post is removed with a
"Delete"activity - New environment variable setting
maxUploadSize, default 20 Mb
- OpenGraph tags added to profile and activity pages to provide previews when links are shared on other social sites.
<Model-Viewer>now used for avatar or other 3D model previews, including interactive social previews on sites that support Twitter Player Cards (e.g. Mastodon)- Sharing your profile page link, e.g. https://immers.space/u/datatitian, will show a preview of your current avatar
- Include the specified favicon in the
/o/immerobject that represents this immer - Each user can now receive live streaming updates to multiple clients simultaneously when logged into more than one immer at once
- New Avatars tab displays avatar collection and allows chanding current avatar
- New destinations tabs on user profile pages display destination history
- Friends list now updates in real time
- Can now display individual activities or objects when navigating to their IRI
- New expanded location post view with image previews for destination tabs and individual activity pages
- Long posts text will now wrap instead of stretching the interface
- Post media is scaled to fit on small displays
- Improve how handles are inserted when clicking immer links to prevent sharing links with your handle
- Immer links now include the destination immer's icon if available
- Deep links in user profiles will redirect if the tab isn't available intead of erroring
- Incrementally porting over to use ImmersClient
- Yanked due to error in migration script. If you deployed this, restore from backup or use
migrate-mongo downto reverse the migration
- OpenID Connect client. Users can now login to your immer using any OpenID Connect identity provider instead of a password. OIDC providers can be automatically discovered based on user's immer domain entered on the login screen or manually configured. See docs.
- Initial admin interface. Set new
adminEmailenvironment variable to designate the account that can access/admin - Admin interface: OpenID Connect Clients. Add, edit, and delete OIDC clients. Choose which clients get their own special login button.
- New
blocked-updatesocket event fires whenever a user's blocklist chagnes (users added or removed)
- Reorganized
auth.jsintooauthClient.js,oauthServer.js, andresourceServer.js. No api changes. friendsendpoint now filters out any activity from users that have been blockedfriends-updatesocket event now fires when blocklist changes- Unblocking can be achieved by sending an Undo with the actor IRI as the object if you don't have the original Block activity IRI handy (via updated activitypub-express)
- Include pending, outgoing friends requests in response from
/u/:actor/friendsendpoint. In these activities, theobjectfield will be populated with the requestee actor object - this may break existing code that expectsactorto be populated with an object as is the case with all other activities in this response
- Support for multiple
hubdomains, each will be enabled for CORS and OAuth client redirectURIs - Added keyboard 'Enter' handling for Immers handle and password fields on login.
- Added ability for authorized service accounts to obtain tokens on behalf of users via 2-legged OAuth JWT exchange. More info
- New socket event
outbox-updatefires with activities posted to the user's outbox
- Skip waiting for user input and automatically redirect to home immer when opening the login view and the user's handle is already known and the user is from a different immer.
- When public registration is disabled,
/auth/usercan still be POSTed when a service account JWT is provided as a bearer token - Password is no longer required for
/auth/userPOST (direct login will not be possible for the user account unless a password is set later)
- Fix incorrect package lock breaking signature verification on incoming messages
- New configuration options
enablePublicRegistrationandenableClientRegistrationthat can be altered to limit access to your immer (default behavior remains unchanged)
- Fix an issue causing migrations to fail if a system user was in use
- Fix system users not have full immers actor config
- Dependency update to fix audit alert
- Support more database setups (Mongo Atlas, credentials) by changing db config to use full connection string via
dbStringenv var (keep backwards compat fordbHost/dbName/dbPortconfig)
- Fix issue with federated delivery not resuming after migration
- Update stale dependencies and resolve most audit issues
- Finally on to Parcel v2 (had to change out the HTML sanitizer for it to work)
- New federation feature: nodeinfo standard is implemented to allow discovery of server and features from other servers/crawlers
- New features: proxy services. Both the ActivityPub standard POST proxy (for AP objects) and a more general GET proxy to help with CORS
- Migration: update actor's
endpointswithproxyURlandOAuthAuthorization;streamswithblocklist
See GitHub releases for previous versions release notes