Releases: pilinux/gorest
v1.6.27
What's Changed
- chore(deps): bump github.com/pilinux/crypt from 0.0.1 to 0.0.2 by @dependabot in #148
- chore(deps): bump github.com/pilinux/argon2 from 0.7.0 to 0.8.0 by @dependabot in #149
- chore(deps): bump actions/cache from 3.3.2 to 3.3.3 by @dependabot in #150
- chore(deps): bump actions/cache from 3.3.3 to 4.0.0 by @dependabot in #151
- chore(deps): bump actions/dependency-review-action from 3 to 4 by @dependabot in #152
New Features
- rate limiting (IP-based)
- option to validate origin of the request
Full Changelog: v1.6.26...v1.6.27
v1.6.26
What's Changed
- chore(deps): bump go.mongodb.org/mongo-driver from 1.13.0 to 1.13.1 by @dependabot in #141
- chore(deps): bump actions/setup-go from 4 to 5 by @dependabot in #140
- chore(deps): bump github/codeql-action from 2 to 3 by @dependabot in #143
- chore(deps): bump github.com/google/uuid from 1.4.0 to 1.5.0 by @dependabot in #142
- chore(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @dependabot in #144
- chore(deps): bump github.com/pilinux/crypt from 0.0.0 to 0.0.1 by @dependabot in #145
- chore(deps): bump github.com/pilinux/argon2 from 0.6.0 to 0.7.0 by @dependabot in #146
Full Changelog: v1.6.25...v1.6.26
v1.6.25
What's Changed
Bugfix
- use different key prefixes for email verifications (new account registration and updating existing verified email) to avoid key collision in Redis
Improvement
- option to use UUIDv4 for email verification and password recovery codes
- sentry performance tracing
- dependency changed:
github.com/onrik/logrus
->github.com/pilinux/logrus
- chore(deps): bump github.com/pilinux/argon2 from 0.5.0 to 0.6.0 by @dependabot in #139
Full Changelog: v1.6.24...v1.6.25
v1.6.24
What's Changed
Improvement
- update error messages
- update return responses
- for 2FA setup, activation, deactivation, where password is required and user-provided password is wrong --> return 400
- return same response message for the same cause (keep consistency throughout the codebase)
Full Changelog: v1.6.23...v1.6.24
v1.6.23
What's Changed
Dependencies
- chore(deps): bump github.com/google/uuid from 1.3.1 to 1.4.0 by @dependabot in #134
- chore(deps): bump gorm.io/driver/postgres from 1.5.3 to 1.5.4 by @dependabot in #135
- chore(deps): bump go.mongodb.org/mongo-driver from 1.12.1 to 1.13.0 by @dependabot in #136
- bump github.com/pilinux/argon2 from v0.4.0 to v0.5.0 0fe19a7
Security Fix
- verify that the new email is not used by any user before replacing the current email d061f18
- replace github.com/sec51/twofactor by github.com/pilinux/twofactor fa293b7
Feature
- add flexibility to add more info when sending emails 92d953f
- new function
IsProd()
to get server mode (dev/prod) 9526e27
Improvement
- when reading env variables, lowercase letters where required c3ab00d
Full Changelog: v1.6.22...v1.6.23
v1.6.22
security update!
- chore(deps): bump golang.org/x/net from 0.12.0 to 0.17.0 by @dependabot in #133
To learn more about it:
Full Changelog: v1.6.21...v1.6.22
v1.6.21
dependencies updated
- chore(deps): bump gorm.io/gorm from 1.25.4 to 1.25.5
- chore(deps): bump gorm.io/driver/postgres from 1.5.2 to 1.5.3
- chore(deps): bump gorm.io/driver/mysql from 1.5.1 to 1.5.2
- chore(deps): bump github.com/pilinux/argon2 from 0.3.0 to 0.4.0 by @dependabot in #129
- chore(deps): bump gorm.io/driver/sqlite from 1.5.3 to 1.5.4 by @dependabot in #128
Full Changelog: v1.6.20...v1.6.21
v1.6.20
minor improvement
delete all hashes of active 2FA backup codes (if any) of a user when the user disables 2FA
Full Changelog: v1.6.19...v1.6.20
v1.6.19
improvements
- when aborting from middleware, append abort reasons
- relational database connections
- handle and log database read operation errors
- email delivery process
- use
time.Now()
throughout the project to select current local time
fix
- HTTP response status codes
feature
- new controller and handler for replacing a user's email address with a new one
CI
- cache and restore only the
go.sum
files
v1.6.18
major update with full backward-compatibility
-
option to save user email in encrypted form at rest
by settingACTIVATE_CIPHER=yes
and adding a random
secret toCIPHER_KEY
. If there are existing accounts,
the auth functionality will still work properly. Once
encryption at rest is enabled and a new user account
is registered, it is not possible to downgrade to
insecure plaintext mode. -
option to harden SHA-based hashing algorithm for 2FA
by settingTWO_FA_DOUBLE_HASH=yes
. -
optionally use secrets
BLAKE2B_SECRET
for blake2b
hashing. -
if
ACTIVATE_CIPHER=yes
, ChaCha20-Poly1305 (256-bit)
is used for email encryption. -
for 2FA keys, AES-256 is used as before.
-
a new controller and services are included to generate
backup codes for 2FA. -
an improved go doc.