0
Fork 0
mirror of https://github.com/logto-io/logto.git synced 2024-12-16 20:26:19 -05:00
logto/packages/experience-legacy/CHANGELOG.md
2024-11-22 17:04:11 +08:00

45 KiB
Raw Permalink Blame History

Change Log

1.10.0

Minor Changes

  • 640425414: display support email and website info on experience error pages.

    Added support email and website info to the error pages of the experience app. E.g. when a user tries to access a page that doesn't exist, or when the social session is not found in a social callback page. This will help users to contact support easily when they encounter an error.

    You may configure the support email and website info in the sign-in experience settings page in the Logto console or through the management API.

1.9.0

Minor Changes

  • 262661677: allow link new social identity to an existing user account when registration is disabled.

    Previous behavior

    Sign-in with a social identity that does not have an existing user account will throw an identity_not_exist error. When the registration is disabled, the error message will be shown, the user will not be able to create a new account or link the social identity to an existing account via verified email or phone number.

    Expected behavior

    When the registration is disabled, if a related user account is found, the user should be able to link the social identity to an existing account via a verified email or phone number.

    Updates

    When the registration is disabled:

    • Show identity_not_exist error message if no related user account is found.
    • Automatically link the social identity to the existing account if a related user account is found and social automatic account linking is enabled.
    • Redirect the user to the social link account page if a related user account is found and social automatic account linking is disabled.
    • Hide the register button on the social link account page if the registration is disabled.

    When the registration is enabled:

    • Automatically register a new account with the social identity if no related user account is found.
    • Automatically link the social identity to the existing account if a related user account is found and social automatic account linking is enabled.
    • Redirect the user to the social link account page if a related user account is found and social automatic account linking is disabled.
    • Show the register new account button on the social link account page.

1.8.0

Minor Changes

  • 3a839f6d6: support organization logo and sign-in experience override

    Now it's able to set light and dark logos for organizations. You can upload the logos in the organization settings page.

    Also, it's possible to override the sign-in experience logo from an organization. Simply add the organization_id parameter to the authentication request. In most Logto SDKs, it can be done by using the extraParams field in the signIn method.

    For example, in the JavaScript SDK:

    import LogtoClient from "@logto/client";
    
    const logtoClient = new LogtoClient(/* your configuration */);
    
    logtoClient.signIn({
      redirectUri: "https://your-app.com/callback",
      extraParams: {
        organization_id: "<organization-id>",
      },
    });
    

    The value <organization-id> can be found in the organization settings page.

    If you could not find the extraParams field in the SDK you are using, please let us know.

  • 62f5e5e0c: support app-level branding

    You can now set logos, favicons, and colors for your app. These settings will be used in the sign-in experience when the app initiates the authentication flow. For apps that have no branding settings, the omni sign-in experience branding will be used.

    If organization_id is provided in the authentication request, the app-level branding settings will be overridden by the organization's branding settings, if available.

  • d203c8d2f: support experience data server-side rendering

    Logto now injects the sign-in experience settings and phrases into the index.html file for better first-screen performance. The experience app will still fetch the settings and phrases from the server if:

    • The server didn't inject the settings and phrases.
    • The parameters in the URL are different from server-rendered data.
  • 3bf756f2b: use Vite for transpilation and bundling

    Removed ParcelJS and replaced with Vite. No breaking changes should be expected, but use a minor version bump to catch your attention.

    Important

    The browserlist configuration for @logto/experience and been synced with what is stated in README.md.

  • 62f5e5e0c: support dark favicon

    The favicon for the dark theme now can be set in the sign-in experience branding settings.

1.7.0

Minor Changes

  • 061a30a87: support agree to terms polices for Logtos sign-in experiences

    • Automatic: Users automatically agree to terms by continuing to use the service
    • ManualRegistrationOnly: Users must agree to terms by checking a box during registration, and don't need to agree when signing in
    • Manual: Users must agree to terms by checking a box during registration or signing in
  • 50c35a214: support Google One Tap

    • Conditionally load Google One Tap script if it's enabled in the config.
    • Support callback from Google One Tap.

Patch Changes

  • 136320584: allow skipping manual account linking during sign-in

    You can find this configuration in Console -> Sign-in experience -> Sign-up and sign-in -> Social sign-in -> Automatic account linking.

    When switched on, if a user signs in with a social identity that is new to the system, and there is exactly one existing account with the same identifier (e.g., email), Logto will automatically link the account with the social identity instead of prompting the user for account linking.

1.6.2

Patch Changes

  • cb1a38c40: show global loading icon on page relocate

    This is to address the issue where the user is redirected back to the client after a successful login, but the page is not yet fully loaded. This will show a global loading icon to indicate that the page is still loading. Preventing the user from interacting with the current sign-in page and avoid page idling confusion.

1.6.1

Patch Changes

  • b80934ac5: fix native social sign-in callback

    In a native environment, the social sign-in callback that posts to the native container (e.g. WKWebView in iOS) was wrong.

    This was introduced by a refactor in #5536: It updated the callback path from /sign-in/social/:connectorId to /callback/social/:connectorId. However, the function to post the message to the native container was not updated accordingly.

  • bbd399e15: fix the new user from SSO register hook event not triggering bug

    Issue

    When a new user registers via SSO, the PostRegister interaction hook event is not triggered. PostSignIn event is mistakenly triggered instead.

    Root Cause

    In the SSO post /api/interaction/sso/:connectionId/registration API, we update the interaction event to Register. However, the hook middleware reads the event from interaction session ahead of the API logic, and the event is not updated resulting in the wrong event being triggered.

    In the current interaction API design, we should mutate the interaction event by calling the PUT /api/interaction/event API, instead of updating the event directly in the submit interaction APIs. (Just like the no direct mutation rule for a react state). So we can ensure the correct side effect like logs and hooks are triggered properly.

    All the other sign-in methods are using the PUT /api/interaction/event API to update the event. But when implementing the SSO registration API, we were trying to reduce the API requests and directly updated the event in the registration API which will submit the interaction directly.

    Solution

    Remove the event update logic in the SSO registration API and call the PUT /api/interaction/event API to update the event. This will ensure the correct event is triggered in the hook middleware.

    Action Items

    Align the current interaction API design for now. Need to improve the session/interaction API logic to simplify the whole process.

1.6.0

Minor Changes

  • 7756f50f8: support direct sign-in for sso

  • 2cbc591ff: support direct sign-in

    Instead of showing a screen for the user to choose between the sign-in methods, a specific sign-in method can be initiated directly by setting the direct_sign_in parameter in the OIDC authentication request.

    This parameter follows the format of direct_sign_in=<method>:<target>, where:

    • <method> is the sign-in method to trigger. Currently the only supported value is social.
    • <target> is the target value for the sign-in method. If the method is social, the value is the social connector's target.

    When a valid direct_sign_in parameter is set, the first screen will be skipped and the specified sign-in method will be triggered immediately upon entering the sign-in experience. If the parameter is invalid, the default behavior of showing the first screen will be used.

Patch Changes

  • 5a7204571: skip non-object messages in the native environment

    In the WKWebView of new iOS versions, some script will constantly post messages to the window object with increasing numbers as the message content ("1", "2", "3", ...).

    Ideally, we should check the source of the message with Logto-specific identifier in the event.data; however, this change will result a breaking change for the existing native SDK implementations. Add the isObject check to prevent the crazy messages while keeping the backward compatibility.

1.5.0

Minor Changes

  • 32df9acde: update user consent page to support the new third-party application feature

    • Only show the user consent page if current application is a third-party application, otherwise auto-consent the requested scopes.
    • Add the new fetching API to get the user consent context. Including the application detail, authenticated user info, all the requested scopes and user organizations info (if requested scopes include the organization scope).
    • Add the new user consent interaction API and authorize button. User have to manually authorize the requested scopes for the third-party application before continue the authentication flow.
  • 31e60811d: use Node 20 LTS for engine requirement.

    Note: We mark it as minor because Logto is shipping with Docker image and it's not a breaking change for users.

Patch Changes

1.4.0

Minor Changes

  • 9a7b19e49: Implement the new single sign-on (SSO) interaction flow

    • /single-sign-on/email - The SSO email form page for user to enter their email address.
    • /single-sign-on/connectors - The SSO connectors page for user to select the enabled SSO connector they want to use.
    • Implement the email identifier guard on all the sign-in and registration identifier forms. If the email address is enabled with SSO, redirect user to the SSO flow.

Patch Changes

  • 9421375d7: Bump libphonenumber-js to v1.10.51 to support China 19 started phone numbers. Thanks to @agileago

1.3.0

Minor Changes

  • 6727f629d: feature: introduce multi-factor authentication

    We're excited to announce that Logto now supports multi-factor authentication (MFA) for your sign-in experience. Navigate to the "Multi-factor auth" tab to configure how you want to secure your users' accounts.

    In this release, we introduce the following MFA methods:

    • Authenticator app OTP: users can add any authenticator app that supports the TOTP standard, such as Google Authenticator, Duo, etc.
    • WebAuthn (Passkey): users can use the standard WebAuthn protocol to register a hardware security key, such as biometric keys, Yubikey, etc.
    • Backup codesusers can generate a set of backup codes to use when they don't have access to other MFA methods.

    For a smooth transition, we also support to configure the MFA policy to require MFA for sign-in experience, or to allow users to opt-in to MFA.

1.2.1

Patch Changes

  • 6f5a0acad: fix a bug that prevents user from customizing i18n translations in Sign-in Experience config

1.2.0

Minor Changes

  • e8b0b1d02: feature: password policy

    Summary

    This feature enables custom password policy for users. Now it is possible to guard with the following rules when a user is creating a new password:

    • Minimum length (default: 8)
    • Minimum character types (default: 1)
    • If the password has been pwned (default: true)
    • If the password is exactly the same as or made up of the restricted phrases:
      • Repetitive or sequential characters (default: true)
      • User information (default: true)
      • Custom words (default: [])

    If you are an existing Logto Cloud user or upgrading from a previous version, to ensure a smooth experience, we'll keep the original policy as much as possible:

    The original password policy requires a minimum length of 8 and at least 2 character types (letters, numbers, and symbols).

    Note in the new policy implementation, it is not possible to combine lower and upper case letters into one character type. So the original password policy will be translated into the following:

    • Minimum length: 8
    • Minimum character types: 2
    • Pwned: false
    • Repetitive or sequential characters: false
    • User information: false
    • Custom words: []

    If you want to change the policy, you can do it:

    • Logto Console -> Sign-in experience -> Password policy.
    • Update passwordPolicy property in the sign-in experience via Management API.

    Side effects

    • All new users will be affected by the new policy immediately.
    • Existing users will not be affected by the new policy until they change their password.
    • We removed password restrictions when adding or updating a user via Management API.

Patch Changes

  • f8408fa77: rename the package phrases-ui to phrases-experience
  • f6723d5e2: rename the package ui to experience

1.1.5

Patch Changes

  • c743cef42: Bug fix main flow preview mode should not allow user interaction.

    • Recover the missing preview classname from the preview mode body element

1.1.4

Patch Changes

  • 046a5771b: upgrade i18next series packages (#3733, #3743)

1.1.3

Patch Changes

  • 748878ce5: add React context and hook to app-insights, fix init issue for frontend projects

1.1.2

Patch Changes

  • 352807b16: support setting cloud role name for AppInsights in React

1.1.1

Patch Changes

  • 4945b0be2: Apply security headers

    Apply security headers to logto http request response using (helmetjs)[https://helmetjs.github.io/].

    • crossOriginOpenerPolicy
    • crossOriginEmbedderPolicy
    • crossOriginResourcePolicy
    • hidePoweredBy
    • hsts
    • ieNoOpen
    • noSniff
    • referrerPolicy
    • xssFilter
    • Content-Security-Policy

1.1.0

1.0.3

1.0.2

1.0.1

1.0.0

Major Changes

  • 1c9160112: ### Features

    • Enhanced user search params #2639
    • Web hooks

    Improvements

    • Refactored Interaction APIs and Audit logs
  • 343b1090f: 💥 BREAKING CHANGE 💥 Move /api/phrase API to /api/.well-known/phrases

Minor Changes

  • 343b1090f: ### Simplify the terms of use and privacy policy manual agreement steps for the sign-in flow

    The Terms of Use and Privacy Policy manuel agreement are now removed from the sign-in flow.

    • The changes may take effect on all the existing sign-in flows, including password sign-in, social sign-in, and verification-code sign-in.
    • The agreement checkbox in sign-in pages is now replaced with links to the Terms of Use and Privacy Policy pages. Users can still read the agreements before signing in.
    • The manual agreement steps are still mandatory for the sign-up flow. Users must agree to the Terms of Use and Privacy Policy before signing up a new account. Including sign-up with new social identities. The agreement checkbox in sign-up pages remain still.
  • f41fd3f05: Replace passcode naming convention in the interaction APIs and main flow ui with verificationCode.

  • 343b1090f: ### Update the password policy

    Password policy description: Password requires a minimum of 8 characters and contains a mix of letters, numbers, and symbols.

    • min-length updates: Password requires a minimum of 8 characters
    • allowed characters updates: Password contains a mix of letters, numbers, and symbols
      • digits: 0-9
      • letters: a-z, A-Z
      • symbols: !"#$%&'()*+,./:;<=>?@[]^_`{|}~-
    • At least two types of characters are required:
      • letters and digits
      • letters and symbols
      • digits and symbols

    notice: The new password policy is applied to new users or new passwords only. Existing users are not affected by this change, users may still use their old password to sign-in.

  • 343b1090f: ### Add dynamic favicon and html title

    • Add the favicon field in the sign-in-experience branding settings. Users would be able to upload their own favicon. Use local logto icon as a fallback

    • Set different html title for different pages.

      • sign-in
      • register
      • forgot-password
      • logto
  • 343b1090f: Allow admin tenant admin to create tenants without limitation

  • 343b1090f: ## Add iframe modal for mobile platform

    Implement a full screen iframe modal on the mobile platform. As for most of the webview containers, opening a new tab is not allowed. So we need to implement a full screen iframe modal to show the external link page on the mobile platform.

  • 343b1090f: New feature: User account settings page

    • We have removed the previous settings page and moved it to the account settings page. You can access to the new settings menu by clicking the user avatar in the top right corner.
    • You can directly change the language or theme from the popover menu, and explore more account settings by clicking the "Profile" menu item.
    • You can update your avatar, name and username in the profile page, and also changing your password.
    • [Cloud] Cloud users can also link their email address and social accounts (Google and GitHub at first launch).
  • c12717412: ## Smart Identifier Input designed to streamline your sign-in experience

    • Smart Contact Input
    • Smart Identifier Input
    • Intelligent Identifier Input Field

    Content: We have integrated the traditional input fields for username, phone number, and email into a single intelligent input box. This advanced input box automatically identifies the type of characters youre entering, such as an @ sign or consecutive numbers, and provides relevant error feedback. By streamlining the sign-in process, users no longer need to waste time figuring out which button to click to switch their desired login method. This reduces the risk of errors and ensures a smoother sign-in experience.

  • 343b1090f: Implement a country code selector dropdown component with search box. Users may able to quick search for a country code by typing in the search box.

  • 343b1090f: remove the branding style config and make the logo URL config optional

  • c12717412: Customize CSS for Sign-in Experience

    We have put a lot of effort into improving the user sign-in experience and have provided a brand color option for the UI. However, we know that fine-tuning UI requirements can be unpredictable. While Logto is still exploring the best options for customization, we want to provide a programmatic method to unblock your development.

    You can now use the Management API PATCH /api/sign-in-exp with body { "customCss": "arbitrary string" } to set customized CSS for the sign-in experience. You should see the value of customCss attached after <title> of the page. If the style has a higher priority, it should be able to override.

    Note

    Since Logto uses CSS Modules, you may see a hash value in the class property of DOM elements (e.g. a <div> with vUugRG_container). To override these, you can use the $= CSS selector to match elements that end with a specified value. In this case, it should be div[class$=container].

  • 343b1090f: Add custom CSS code editor so that users can apply advanced UI customization.

    • Users can check the real time preview of the CSS via SIE preview on the right side.
  • 2168936b9: Sign-in Experience v2

    We are thrilled to announce the release of the newest version of the Sign-in Experience, which includes more ways to sign-in and sign-up, as well as a framework that is easier to understand and more flexible to configure in the Admin Console.

    When compared to Sign-in Experience v1, this versions capability was expanded so that it could support a greater variety of flexible use cases. For example, now users can sign up with email verification code and sign in with email and password.

    We hope that this will be able to assist developers in delivering a successful sign-in flow, which will also be appreciated by the end users.

  • 343b1090f: ### Add custom content sign-in-experience settings to allow insert custom static html content to the logto sign-in pages

    • feat: combine with the custom css, give the user the ability to further customize the sign-in pages
  • fdb2bb48e: Streamlining the social sign-up flow

    • detect trusted email (or phone number) from the social account
      • email (or phone number) has been registered: automatically connecting the social identity to the existing user account with a single click
      • email (or phone number) not registered: automatically sync up the user profile with the social provided email (or phone) if and only if marked as a required user profile.
  • f41fd3f05: Replace the sms naming convention using phone cross logto codebase. Including Sign-in Experience types, API paths, API payload and internal variable names.

Patch Changes

  • 51f527b0c: bug fixes

    • core: fix 500 error when enabling app admin access in console
    • ui: handle required profile errors on social binding flow
  • 343b1090f: ## Implement a lite version of set password form.

    To simplify the effort when user set new password, we implement a lite version of set password form.

    The lite version of set password form only contains only one field password. It will be used if and only if the forgot-password feature is enabled (password can be reset either by email and phone).

    If you do not have any email or sms service enabled, we still use the old version of set password form which contains two fields: password and confirm password.

  • 38970fb88: Fix a Sign-in experience bug that may block some users to sign in.

  • 02cc9abd8: Fix a bug to show forgot password when only SMS connector is configured

  • 343b1090f: - Add Power By Logto Signature to the main-flow pages

1.0.0-rc.3

1.0.0-rc.2

Minor Changes

  • c12717412: ## Smart Identifier Input designed to streamline your sign-in experience

    • Smart Contact Input
    • Smart Identifier Input
    • Intelligent Identifier Input Field

    Content: We have integrated the traditional input fields for username, phone number, and email into a single intelligent input box. This advanced input box automatically identifies the type of characters youre entering, such as an @ sign or consecutive numbers, and provides relevant error feedback. By streamlining the sign-in process, users no longer need to waste time figuring out which button to click to switch their desired login method. This reduces the risk of errors and ensures a smoother sign-in experience.

  • c12717412: Customize CSS for Sign-in Experience

    We have put a lot of effort into improving the user sign-in experience and have provided a brand color option for the UI. However, we know that fine-tuning UI requirements can be unpredictable. While Logto is still exploring the best options for customization, we want to provide a programmatic method to unblock your development.

    You can now use the Management API PATCH /api/sign-in-exp with body { "customCss": "arbitrary string" } to set customized CSS for the sign-in experience. You should see the value of customCss attached after <title> of the page. If the style has a higher priority, it should be able to override.

    Note

    Since Logto uses CSS Modules, you may see a hash value in the class property of DOM elements (e.g. a <div> with vUugRG_container). To override these, you can use the $= CSS selector to match elements that end with a specified value. In this case, it should be div[class$=container].

1.0.0-rc.1

Patch Changes

  • 51f527b0: bug fixes

    • core: fix 500 error when enabling app admin access in console
    • ui: handle required profile errors on social binding flow

1.0.0-rc.0

Minor Changes

  • f41fd3f0: Replace passcode naming convention in the interaction APIs and main flow ui with verificationCode.

  • fdb2bb48: Streamlining the social sign-up flow

    • detect trusted email (or phone number) from the social account
      • email (or phone number) has been registered: automatically connecting the social identity to the existing user account with a single click
      • email (or phone number) not registered: automatically sync up the user profile with the social provided email (or phone) if and only if marked as a required user profile.
  • f41fd3f0: Replace the sms naming convention using phone cross logto codebase. Including Sign-in Experience types, API paths, API payload and internal variable names.

1.0.0-beta.19

1.0.0-beta.18

Major Changes

  • 1c916011: ### Features

    • Enhanced user search params #2639
    • Web hooks

    Improvements

    • Refactored Interaction APIs and Audit logs

1.0.0-beta.17

Patch Changes

  • 02cc9abd: Fix a bug to show forgot password when only SMS connector is configured

1.0.0-beta.16

Patch Changes

  • 38970fb8: Fix a Sign-in experience bug that may block some users to sign in.

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

Minor Changes

  • 2168936b: Sign-in Experience v2

    We are thrilled to announce the release of the newest version of the Sign-in Experience, which includes more ways to sign-in and sign-up, as well as a framework that is easier to understand and more flexible to configure in the Admin Console.

    When compared to Sign-in Experience v1, this versions capability was expanded so that it could support a greater variety of flexible use cases. For example, now users can sign up with email verification code and sign in with email and password.

    We hope that this will be able to assist developers in delivering a successful sign-in flow, which will also be appreciated by the end users.

All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.

1.0.0-beta.12 (2022-10-19)

Note: Version bump only for package @logto/ui

1.0.0-beta.11 (2022-10-19)

Features

Bug Fixes

  • console: remove connector id and prevent text overflow (#2072) (05b5025)
  • ui: fix ut (9ea6a8c)
  • ui: revert color token changes in ui as it uses different design system (489e2b3)

1.0.0-beta.10 (2022-09-28)

Features

Bug Fixes

  • bump react sdk and essentials toolkit to support CJK characters in idToken (2f92b43)
  • ui: align mobile input outline (#1991) (c9ba198)

1.0.0-beta.9 (2022-09-07)

Features

  • add Portuguese translation (f268ecb)

Bug Fixes

  • console,ui: fix locale guard issue in settings page (e200578)

1.0.0-beta.8 (2022-09-01)

Note: Version bump only for package @logto/ui

1.0.0-beta.6 (2022-08-30)

Note: Version bump only for package @logto/ui

1.0.0-beta.5 (2022-08-19)

Note: Version bump only for package @logto/ui

1.0.0-beta.4 (2022-08-11)

Bug Fixes

1.0.0-beta.3 (2022-08-01)

Features

1.0.0-beta.2 (2022-07-25)

Bug Fixes

  • ui: fix some firefox standout bug (#1615) (4ce6bd8)
  • ui: protect window.location xss (#1639) (34b465c)
  • ui: should clear prev passcode input when click on backspace (#1660) (7dfbc30)

1.0.0-beta.1 (2022-07-19)

Features

  • ui: add submit input to all the sign-in & register forms (#1587) (0c0c83c)

Bug Fixes

  • ui: fix no-restrict-syntax in ui (#1559) (816ce9f)
  • ui: format phone number with country calling code (#1551) (c6384be)

1.0.0-beta.0 (2022-07-14)

Bug Fixes

1.0.0-alpha.4 (2022-07-08)

Bug Fixes

1.0.0-alpha.3 (2022-07-07)

Bug Fixes

1.0.0-alpha.2 (2022-07-07)

Bug Fixes

1.0.0-alpha.1 (2022-07-05)

Note: Version bump only for package @logto/ui

1.0.0-alpha.0 (2022-07-04)

Note: Version bump only for package @logto/ui

0.1.2-alpha.5 (2022-07-03)

Note: Version bump only for package @logto/ui

0.1.2-alpha.4 (2022-07-03)

Note: Version bump only for package @logto/ui

0.1.2-alpha.3 (2022-07-03)

Note: Version bump only for package @logto/ui

0.1.2-alpha.2 (2022-07-02)

Note: Version bump only for package @logto/ui

0.1.2-alpha.1 (2022-07-02)

Note: Version bump only for package @logto/ui

0.1.2-alpha.0 (2022-07-02)

Note: Version bump only for package @logto/ui

0.1.1-alpha.0 (2022-07-01)

Features

Bug Fixes