Infrastructure/logto

Fork 0

mirror of https://github.com/logto-io/logto.git synced 2024-12-16 20:26:19 -05:00

silverhand-bot ddfa7aa96e

release: version packages (#6197 )

2024-08-08 13:00:14 +08:00

54 KiB

Raw Blame History

Change Log

1.19.0

Minor Changes

6477c6dee: add custom_data to applications

Introduce a new property custom_data to the Application schema. This property is an arbitrary object that can be used to store custom data for an application.

Added a new API to update the custom data of an application:
- PATCH /applications/:applicationId/custom-data
d203c8d2f: support experience data server-side rendering

Logto now injects the sign-in experience settings and phrases into the index.html file for better first-screen performance. The experience app will still fetch the settings and phrases from the server if:
- The server didn't inject the settings and phrases.
- The parameters in the URL are different from server-rendered data.
b188bb161: support multiple app secrets with expiration

Now secure apps (machine-to-machine, traditional web, Protected) can have multiple app secrets with expiration. This allows for secret rotation and provides an even safer experience.

To manage your application secrets, go to Logto Console -> Applications -> Application Details -> Endpoints & Credentials.

We've also added a set of Management APIs (/api/applications/{id}/secrets) for this purpose.

Important

You can still use existing app secrets for client authentication, but it is recommended to delete the old ones and create new secrets with expiration for enhanced security.
62f5e5e0c: support dark favicon

The favicon for the dark theme now can be set in the sign-in experience branding settings.
d56bc2f73: add support for new password digest algorithm argon2d and argon2id

In POST /users, the passwordAlgorithm field now accepts Argon2d and Argon2id.

Users with those algorithms will be migrated to Argon2i upon succussful sign in.
510f681fa: use tsup for building

We've updated some of the packages to use tsup for building. This will make the build process faster, and should not affect the functionality of the packages.

Use minor version bump to catch your attention.

Patch Changes

3a839f6d6: support organization logo and sign-in experience override

Now it's able to set light and dark logos for organizations. You can upload the logos in the organization settings page.

Also, it's possible to override the sign-in experience logo from an organization. Simply add the organization_id parameter to the authentication request. In most Logto SDKs, it can be done by using the extraParams field in the signIn method.

For example, in the JavaScript SDK:
```
import LogtoClient from "@logto/client";

const logtoClient = new LogtoClient(/* your configuration */);

logtoClient.signIn({
  redirectUri: "https://your-app.com/callback",
  extraParams: {
    organization_id: "<organization-id>",
  },
});
```
The value <organization-id> can be found in the organization settings page.

If you could not find the extraParams field in the SDK you are using, please let us know.
Updated dependencies [3a839f6d6]
Updated dependencies [b91ec0cd6]
Updated dependencies [b188bb161]
- @logto/phrases@1.13.0

1.18.0

Minor Changes

87615d58c: support machine-to-machine apps for organizations

This feature allows machine-to-machine apps to be associated with organizations, and be assigned with organization roles.

Console
- Add a new "machine-to-machine" type to organization roles. All existing roles are now "user" type.
- You can manage machine-to-machine apps in the organization details page -> Machine-to-machine apps section.
- You can view the associated organizations in the machine-to-machine app details page.
OpenID Connect grant

The client_credentials grant type is now supported for organizations. You can use this grant type to obtain an access token for an organization.

Management API

A set of new endpoints are added to the Management API:
- /api/organizations/{id}/applications to manage machine-to-machine apps.
- /api/organizations/{id}/applications/{applicationId} to manage a specific machine-to-machine app in an organization.
- /api/applications/{id}/organizations to view the associated organizations of a machine-to-machine app.
061a30a87: support agree to terms polices for Logto’s sign-in experiences
- Automatic: Users automatically agree to terms by continuing to use the service
- ManualRegistrationOnly: Users must agree to terms by checking a box during registration, and don't need to agree when signing in
- Manual: Users must agree to terms by checking a box during registration or signing in
ef21c7a99: support per-organization multi-factor authentication requirement

An organization can now require its member to have multi-factor authentication (MFA) configured. If an organization has this requirement and a member does not have MFA configured, the member will not be able to fetch the organization access token.
b52609a1e: add hasPassword to custom JWT user context
efa884c40: feature: just-in-time user provisioning for organizations

This feature allows users to automatically join the organization and be assigned roles upon their first sign-in through some authentication methods. You can set requirements to meet for just-in-time provisioning.

Email domains

New users will automatically join organizations with just-in-time provisioning if they:
- Sign up with verified email addresses, or;
- Use social sign-in with verified email addresses.
This applies to organizations that have the same email domain configured.

To enable this feature, you can add email domain via the Management API or the Logto Console:
- We added the following new endpoints to the Management API:
  - GET /organizations/{organizationId}/jit/email-domains
  - POST /organizations/{organizationId}/jit/email-domains
  - PUT /organizations/{organizationId}/jit/email-domains
  - DELETE /organizations/{organizationId}/jit/email-domains/{emailDomain}
- In the Logto Console, you can manage email domains in the organization details page -> "Just-in-time provisioning" section.
SSO connectors

New or existing users signing in through enterprise SSO for the first time will automatically join organizations that have just-in-time provisioning configured for the SSO connector.

To enable this feature, you can add SSO connectors via the Management API or the Logto Console:
- We added the following new endpoints to the Management API:
  - GET /organizations/{organizationId}/jit/sso-connectors
  - POST /organizations/{organizationId}/jit/sso-connectors
  - PUT /organizations/{organizationId}/jit/sso-connectors
  - DELETE /organizations/{organizationId}/jit/sso-connectors/{ssoConnectorId}
- In the Logto Console, you can manage SSO connectors in the organization details page -> "Just-in-time provisioning" section.
Default organization roles

You can also configure the default roles for users provisioned via this feature. The default roles will be assigned to the user when they are provisioned.

To enable this feature, you can set the default roles via the Management API or the Logto Console:
- We added the following new endpoints to the Management API:
  - GET /organizations/{organizationId}/jit/roles
  - POST /organizations/{organizationId}/jit/roles
  - PUT /organizations/{organizationId}/jit/roles
  - DELETE /organizations/{organizationId}/jit/roles/{organizationRoleId}
- In the Logto Console, you can manage default roles in the organization details page -> "Just-in-time provisioning" section.
b50ba0b7e: enable backchannel logout support

Enable the support of OpenID Connect Back-Channel Logout 1.0.

To register for backchannel logout, navigate to the application details page in the Logto Console and locate the "Backchannel logout" section. Enter the backchannel logout URL of your RP and click "Save".

You can also enable session requirements for backchannel logout. When enabled, Logto will include the sid claim in the logout token.

For programmatic registration, you can set the backchannelLogoutUri and backchannelLogoutSessionRequired properties in the application oidcClientMetadata object.

Patch Changes

942780fcf: support Google One Tap
- core: GET /api/.well-known/sign-in-exp now returns googleOneTap field with the configuration when available
- core: add Google Sign-In (GSI) url to the security headers
- core: verify Google One Tap CSRF token in verifySocialIdentity()
- phrases: add Google One Tap phrases
- schemas: migrate sign-in experience types from core to schemas
Updated dependencies [6308ee185]
Updated dependencies [15953609b]
Updated dependencies [6308ee185]
Updated dependencies [942780fcf]
Updated dependencies [87615d58c]
Updated dependencies [9f33d997b]
Updated dependencies [061a30a87]
Updated dependencies [ef21c7a99]
Updated dependencies [136320584]
Updated dependencies [efa884c40]
Updated dependencies [b50ba0b7e]
Updated dependencies [d81e13d21]
- @logto/connector-kit@4.0.0
- @logto/phrases@1.12.0
- @logto/phrases-experience@1.7.0

1.17.0

Minor Changes

25d67f33f: create a pre-configured role with Management API access when seeding the database

b5104d8c1: add new webhook events

We introduce a new event type DataHook to unlock a series of events that can be triggered by data updates (mostly Management API):

User.Created
User.Deleted
User.Data.Updated
User.SuspensionStatus.Updated
Role.Created
Role.Deleted
Role.Data.Updated
Role.Scopes.Updated
Scope.Created
Scope.Deleted
Scope.Data.Updated
Organization.Created
Organization.Deleted
Organization.Data.Updated
Organization.Membership.Updated
OrganizationRole.Created
OrganizationRole.Deleted
OrganizationRole.Data.Updated
OrganizationRole.Scopes.Updated
OrganizationScope.Created
OrganizationScope.Deleted
OrganizationScope.Data.Updated

DataHook events are triggered when the data associated with the event is updated via management API request or user interaction actions.

Management API triggered events

API endpoint	Event
POST /users	User.Created
DELETE /users/:userId	User.Deleted
PATCH /users/:userId	User.Data.Updated
PATCH /users/:userId/custom-data	User.Data.Updated
PATCH /users/:userId/profile	User.Data.Updated
PATCH /users/:userId/password	User.Data.Updated
PATCH /users/:userId/is-suspended	User.SuspensionStatus.Updated
POST /roles	Role.Created, (Role.Scopes.Update)
DELETE /roles/:id	Role.Deleted
PATCH /roles/:id	Role.Data.Updated
POST /roles/:id/scopes	Role.Scopes.Updated
DELETE /roles/:id/scopes/:scopeId	Role.Scopes.Updated
POST /resources/:resourceId/scopes	Scope.Created
DELETE /resources/:resourceId/scopes/:scopeId	Scope.Deleted
PATCH /resources/:resourceId/scopes/:scopeId	Scope.Data.Updated
POST /organizations	Organization.Created
DELETE /organizations/:id	Organization.Deleted
PATCH /organizations/:id	Organization.Data.Updated
PUT /organizations/:id/users	Organization.Membership.Updated
POST /organizations/:id/users	Organization.Membership.Updated
DELETE /organizations/:id/users/:userId	Organization.Membership.Updated
POST /organization-roles	OrganizationRole.Created, (OrganizationRole.Scopes.Updated)
DELETE /organization-roles/:id	OrganizationRole.Deleted
PATCH /organization-roles/:id	OrganizationRole.Data.Updated
POST /organization-scopes	OrganizationScope.Created
DELETE /organization-scopes/:id	OrganizationScope.Deleted
PATCH /organization-scopes/:id	OrganizationScope.Data.Updated
PUT /organization-roles/:id/scopes	OrganizationRole.Scopes.Updated
POST /organization-roles/:id/scopes	OrganizationRole.Scopes.Updated
DELETE /organization-roles/:id/scopes/:organizationScopeId	OrganizationRole.Scopes.Updated

User interaction triggered events

User interaction action	Event
User email/phone linking	User.Data.Updated
User MFAs linking	User.Data.Updated
User social/SSO linking	User.Data.Updated
User password reset	User.Data.Updated
User registration	User.Created

76fd33b7e: support default roles for users

Patch Changes

Updated dependencies [e04d9523a]
Updated dependencies [0c70d65c7]
Updated dependencies [76fd33b7e]
- @logto/phrases@1.11.0
- @logto/core-kit@2.5.0

1.16.0

Minor Changes

21bb35b12: refactor the definition of hook event types
- Add DataHook event types. DataHook are triggered by data changes.
- Add "interaction" prefix to existing hook event types. Interaction hook events are triggered by end user interactions, e.g. completing sign-in.
e8c41b164: support organization custom data

Now you can save additional data associated with the organization with the organization-level customData field by:
- Edit in the Console organization details page.
- Specify customData field when using organization Management APIs.

Patch Changes

Updated dependencies [5b03030de]
Updated dependencies [21bb35b12]
Updated dependencies [3486b12e8]
- @logto/phrases@1.10.1
- @logto/shared@3.1.1

1.15.0

Minor Changes

abffb9f95: full oidc standard claims support

We have added support for the remaining OpenID Connect standard claims. Now, these claims are accessible in both ID tokens and the response from the /me endpoint.

Additionally, we adhere to the standard scopes - claims mapping. This means that you can retrieve most of the profile claims using the profile scope, and the address claim can be obtained by using the address scope.

For all newly introduced claims, we store them in the user.profile field.

![Note] Unlike other database fields (e.g. name), the claims stored in the profile field will fall back to undefined rather than null. We refrain from using ?? null here to reduce the size of ID tokens, since undefined fields will be stripped in tokens.
2cbc591ff: add oidc params variables and types
- Add ExtraParamsKey enum for all possible OIDC extra parameters that Logto supports.
- Add FirstScreen enum for the first_screen parameter.
- Add extraParamsObjectGuard guard and ExtraParamsObject type for shaping the extra parameters object in the OIDC authentication request.
cc01acbd0: Create a new user through API with password digest and corresponding algorithm

Patch Changes

951865859: ## Resolve third-party app's /interaction/consent endpoint 500 error

Reproduction steps
- Create an organization scope with an empty description and assign this scope to a third-party application.
- Login to the third-party application and request the organization scope.
- Proceed through the interaction flow until reaching the consent page.
- An internal server error 500 is returned.
Root cause

For the /interaction/consent endpoint, the organization scope is returned alongside other resource scopes in the missingResourceScopes property.

In the consentInfoResponseGuard, we utilize the resource Scopes zod guard to validate the missingResourceScopes property. However, the description field in the resource scope is mandatory while organization scopes'description is optional. An organization scope with an empty description will not pass the validation.

Solution

Alter the resource scopes table to make the description field nullable. Related Scope zod guard and the consentInfoResponseGuard will be updated to reflect this change. Align the resource scopes table with the organization scopes table to ensure consistency.
Updated dependencies [5758f84f5]
Updated dependencies [57d97a4df]
Updated dependencies [abffb9f95]
Updated dependencies [746483c49]
Updated dependencies [57d97a4df]
Updated dependencies [cc01acbd0]
Updated dependencies [57d97a4df]
Updated dependencies [2c10c2423]
- @logto/phrases@1.10.0
- @logto/connector-kit@3.0.0
- @logto/core-kit@2.4.0
- @logto/phrases-experience@1.6.1
- @logto/shared@3.1.0

1.14.0

1.13.1

1.13.0

Minor Changes

a2ce0be46: add tenant role enum and scope enum
31e60811d: use Node 20 LTS for engine requirement.

Note: We mark it as minor because Logto is shipping with Docker image and it's not a breaking change for users.
32df9acde: update Logto application schemas to support the new third-party application feature (Logto as IdP)
- Applications table alteration. Add new column is_third_party to indicate if the application is a third-party application.
- Create new table application_user_consent_resource_scopes to store the enabled user consent resource scopes for the third-party application.
- Create new table application_user_consent_organization_scopes to store the enabled user consent organization scopes for the third-party application.
- Create new table application_user_consent_user_scopes to store the enabled user consent user scopes for the third-party application.
- Create new table application_user_consent_organizations to store the user granted organizations for the third-party application.
- Create new table application_sign_in_experiences to store the application level sign-in experiences for the third-party application.

Patch Changes

9089dbf84: upgrade TypeScript to 5.3.3
Updated dependencies [acb7fd3fe]
Updated dependencies [9089dbf84]
Updated dependencies [04ec78a91]
Updated dependencies [32df9acde]
Updated dependencies [31e60811d]
Updated dependencies [570a4ea9e]
Updated dependencies [570a4ea9e]
Updated dependencies [6befe6014]
- @logto/shared@3.1.0
- @logto/connector-kit@2.1.0
- @logto/language-kit@1.1.0
- @logto/phrases-experience@1.6.0
- @logto/core-kit@2.3.0
- @logto/phrases@1.9.0

1.12.0

Minor Changes

9a7b19e49: Add single sign-on (SSO) table and schema definitions
- Add new sso_connectors table, which is used to store the SSO connector data.
- Add new user_sso_identities table, which is used to store the user's SSO identity data received from IdP through a SSO interaction.
- Add new single_sign_on_enabled column to the sign_in_experiences table, which is used to indicate if the SSO feature is enabled for the sign-in experience.
- Define new SSO feature related types

Patch Changes

3e92a2032: refactor: add user ip to webhook event payload
Updated dependencies [9a7b19e49]
Updated dependencies [becf59169]
Updated dependencies [b4f702a86]
Updated dependencies [9a7b19e49]
- @logto/phrases@1.8.0
- @logto/core-kit@2.2.1
- @logto/phrases-experience@1.5.0

1.11.0

Minor Changes

6727f629d: feature: introduce multi-factor authentication

We're excited to announce that Logto now supports multi-factor authentication (MFA) for your sign-in experience. Navigate to the "Multi-factor auth" tab to configure how you want to secure your users' accounts.

In this release, we introduce the following MFA methods:
- Authenticator app OTP: users can add any authenticator app that supports the TOTP standard, such as Google Authenticator, Duo, etc.
- WebAuthn (Passkey): users can use the standard WebAuthn protocol to register a hardware security key, such as biometric keys, Yubikey, etc.
- Backup codes：users can generate a set of backup codes to use when they don't have access to other MFA methods.
For a smooth transition, we also support to configure the MFA policy to require MFA for sign-in experience, or to allow users to opt-in to MFA.

Patch Changes

Updated dependencies [6727f629d]
- @logto/phrases@1.7.0
- @logto/phrases-experience@1.4.0

1.10.1

Patch Changes

46d0d4c0b: convert private signing key type from string to JSON object, in order to provide additional information such as key ID and creation timestamp.
Updated dependencies [87df417d1]
Updated dependencies [d24aaedf5]
- @logto/phrases@1.6.0
- @logto/connector-kit@2.0.0
- @logto/shared@3.0.0

1.10.0

Patch Changes

Updated dependencies [2c340d379]
- @logto/core-kit@2.2.0

1.9.2

Patch Changes

18181f892: standardize id and secret generators
- Remove buildIdGenerator export from @logto/shared
- Add generateStandardSecret and generateStandardShortId exports to @logto/shared
- Align comment and implementation of buildIdGenerator in @logto/shared
  - The comment stated the function will include uppercase letters by default, but it did not; Now it does.
- Use generateStandardSecret for all secret generation
Updated dependencies [18181f892]
- @logto/shared@3.0.0
- @logto/core-kit@2.1.2

1.9.1

Patch Changes

Updated dependencies [6f5a0acad]
- @logto/phrases-experience@1.3.1
- @logto/core-kit@2.1.1

1.9.0

Minor Changes

e8b0b1d02: feature: password policy

Summary

This feature enables custom password policy for users. Now it is possible to guard with the following rules when a user is creating a new password:
- Minimum length (default: 8)
- Minimum character types (default: 1)
- If the password has been pwned (default: true)
- If the password is exactly the same as or made up of the restricted phrases:
  - Repetitive or sequential characters (default: true)
  - User information (default: true)
  - Custom words (default: [])
If you are an existing Logto Cloud user or upgrading from a previous version, to ensure a smooth experience, we'll keep the original policy as much as possible:

The original password policy requires a minimum length of 8 and at least 2 character types (letters, numbers, and symbols).

Note in the new policy implementation, it is not possible to combine lower and upper case letters into one character type. So the original password policy will be translated into the following:
- Minimum length: 8
- Minimum character types: 2
- Pwned: false
- Repetitive or sequential characters: false
- User information: false
- Custom words: []
If you want to change the policy, you can do it:
- Logto Console -> Sign-in experience -> Password policy.
- Update passwordPolicy property in the sign-in experience via Management API.
Side effects
- All new users will be affected by the new policy immediately.
- Existing users will not be affected by the new policy until they change their password.
- We removed password restrictions when adding or updating a user via Management API.
17fd64e64: Support region option for s3 storage
5d78c7271: Add type field to roles schema.

type can be either 'User' or 'MachineToMachine' in our case, this change distinguish between the two types of roles. Roles with type 'MachineToMachine' are not allowed to be assigned to users and 'User' roles can not be assigned to machine-to-machine apps. It's worth noting that we do not differentiate by scope (or permission in Admin Console), so a scope can be assigned to both the 'User' role and the 'MachineToMachine' role simultaneously.

Patch Changes

f8408fa77: rename the package phrases-ui to phrases-experience
f6723d5e2: rename the package ui to experience
Updated dependencies [e8b0b1d02]
Updated dependencies [f8408fa77]
Updated dependencies [f6723d5e2]
Updated dependencies [310698b0d]
- @logto/phrases@1.5.0
- @logto/phrases-experience@1.3.0
- @logto/core-kit@2.1.0
- @logto/shared@2.0.1

1.8.0

Patch Changes

0b519e548: allow non-http origins for application CORS

1.7.0

Minor Changes

5ccdd7f31: Record daily active users

1.6.0

Minor Changes

ecbecd8e4: various application improvements
- Show OpenID Provider configuration endpoint in Console
- Configure "Rotate Refresh Token" in Console
- Configure "Refresh Token TTL" in Console

Patch Changes

Updated dependencies [e9c2c9a6d]
Updated dependencies [ecbecd8e4]
- @logto/core-kit@2.0.1
- @logto/phrases@1.4.1

1.5.0

Minor Changes

2cab3787c: Add cloudflare configurations to system
73666f8fa: Provide new features for webhooks

Features
- Manage webhooks via the Admin Console
- Securing webhooks by validating signature
- Allow to enable/disable a webhook
- Track recent execution status of a webhook
- Support multi-events for a webhook
Updates
- schemas: add name, events, signingKey, and enabled fields to the hook schema
- core: change the user-agent value from Logto (https://logto.io) to Logto (https://logto.io/) in the webhook request headers
- core: deprecate event field in all hook-related APIs, use events instead
- core: deprecate retries field in the HookConfig for all hook-related APIs, now it will fallback to 3 if not specified and will be removed in the future
- core: add new APIs for webhook management
  - GET /api/hooks/:id/recent-logs to retrieve recent execution logs(24h) of a webhook
  - POST /api/hooks/:id/test to test a webhook
  - PATCH /api/hooks/:id/signing-key to regenerate the signing key of a webhook
- core: support query webhook execution stats(24h) via GET /api/hooks/:id and GET /api/hooks/:id by specifying includeExecutionStats query parameter
- console: support webhook management
268dc50e7: Support setting default API Resource from Console and API
- New API Resources will not be treated as default.
- Added PATCH /resources/:id/is-default to setting isDefault for an API Resource.
  - Only one default API Resource is allowed per tenant. Setting one API default will reset all others.
fa0dbafe8: Add custom domain support

Patch Changes

497d5b526: Support updating sign-in identifiers in user details form
- Admin can now update user sign-in identifiers (username, email, phone number) in the user details form in user management.
- Other trivial improvements and fixes, e.g. input field placeholder, error handling, etc.
Updated dependencies [268dc50e7]
Updated dependencies [fa0dbafe8]
Updated dependencies [497d5b526]
- @logto/phrases@1.4.0

1.4.0

Minor Changes

5d6720805: add config alwaysIssueRefreshToken for web apps to unblock OAuth integrations that are not strictly conform OpenID Connect.

when it's enabled, Refresh Tokens will be always issued regardless if prompt=consent was present in the authorization request.

Patch Changes

Updated dependencies [5d6720805]
- @logto/phrases@1.3.0

1.3.1

1.3.0

Patch Changes

beb6ebad5: ## Add min length 1 type guard for all string typed db schema fields

Update the @logto/schemas zod guard generation method to include a min length of 1 for all the required string typed db fields.

1.2.3

1.2.2

1.2.1

1.2.0

Patch Changes

457cb2822: Adding social connectors will now mark the related get-started action item as completed.
Updated dependencies [ae6a54993]
Updated dependencies [206fba2b5]
Updated dependencies [4945b0be2]
Updated dependencies [c5eb3a2ba]
Updated dependencies [5553425fc]
Updated dependencies [30033421c]
- @logto/phrases@1.2.0
- @logto/phrases-ui@1.2.0
- @logto/shared@2.0.0
- @logto/core-kit@2.0.0
- @logto/connector-kit@1.1.1

1.1.0

Patch Changes

Updated dependencies [f9ca7cc49]
Updated dependencies [37714d153]
Updated dependencies [f3d60a516]
Updated dependencies [5c50957a9]
Updated dependencies [e9e8a6e11]
- @logto/phrases@1.1.0
- @logto/phrases-ui@1.1.0

1.0.7

Patch Changes

5b4da1e3d: force bump to fix npm publishment

1.0.1

Patch Changes

621b09ba1: force version bump

1.0.0

Major Changes

c12717412: Decouple users and admins

💥 BREAKING CHANGES 💥

Logto was using a single port to serve both normal users and admins, as well as the web console. While we continuously maintain a high level of security, it’ll still be great to decouple these components into two separate parts to keep data isolated and provide a flexible infrastructure.

From this version, Logto now listens to two ports by default, one for normal users (3001), and one for admins (3002).
- Nothing changed for normal users. No adaption is needed.
- For admin users:
  - The default Admin Console URL has been changed to http://localhost:3002/console.
  - To change the admin port, set the environment variable ADMIN_PORT. For instance, ADMIN_PORT=3456.
  - You can specify a custom endpoint for admins by setting the environment variable ADMIN_ENDPOINT. For example, ADMIN_ENDPOINT=https://admin.your-domain.com.
  - You can now completely disable admin endpoints by setting ADMIN_DISABLE_LOCALHOST=1 and leaving ADMIN_ENDPOINT unset.
  - Admin Console and admin user data are not accessible via normal user endpoints, including localhost and ENDPOINT from the environment.
  - Admin Console no longer displays audit logs of admin users. However, these logs still exist in the database, and Logto still inserts admin user logs. There is just no convenient interface to inspect them.
  - Due to the data isolation, the numbers on the dashboard may slightly decrease (admins are excluded).
If you are upgrading from a previous version, simply run the database alteration command as usual, and we'll take care of the rest.

Note

DID YOU KNOW

Under the hood, we use the powerful Postgres feature Row-Level Security to isolate admin and user data.
1c9160112: Packages are now ESM.
f41fd3f05: drop settings table and add systems table

BREAKING CHANGES
- core: removed GET /settings and PATCH /settings API
- core: added GET /configs/admin-console and PATCH /configs/admin-console API
  - /configs/* APIs are config/key-specific now. they may have different logic per key
- cli: change valid logto db config keys by removing alterationState and adding adminConsole since:
  - OIDC configs and admin console configs are tenant-level configs (the concept of "tenant" can be ignored until we officially announce it)
  - alteration state is still a system-wide config

Minor Changes

343b1090f: Add demo social connectors for new tenant
f41fd3f05: Replace passcode naming convention in the interaction APIs and main flow ui with verificationCode.
343b1090f: ### Add dynamic favicon and html title
- Add the favicon field in the sign-in-experience branding settings. Users would be able to upload their own favicon. Use local logto icon as a fallback
- Set different html title for different pages.
  - sign-in
  - register
  - forgot-password
  - logto
343b1090f: Allow admin tenant admin to create tenants without limitation
343b1090f: ### Add privacy policy url

In addition to the terms of service url, we also provide a privacy policy url field in the sign-in-experience settings. To better support the end-users' privacy declaration needs.
343b1090f: Add sessionNotFoundRedirectUrl tenant config
- User can use this optional config to designate the URL to redirect if session not found in Sign-in Experience.
- Session guard now works for root path as well.
343b1090f: remove the branding style config and make the logo URL config optional
1c9160112: ### Features
- Enhanced user search params #2639
- Web hooks
Improvements
- Refactored Interaction APIs and Audit logs
343b1090f: ### Add custom content sign-in-experience settings to allow insert custom static html content to the logto sign-in pages
- feat: combine with the custom css, give the user the ability to further customize the sign-in pages
f41fd3f05: Replace the sms naming convention using phone cross logto codebase. Including Sign-in Experience types, API paths, API payload and internal variable names.

Patch Changes

e63f5f8b0: Bump connector kit version to fix "Continue" issues on sending email/sms.
38970fb88: Fix a Sign-in experience bug that may block some users to sign in.
343b1090f: Seed data for cloud
- cli!: remove oidc option for database seed command as it's unused
- cli: add hidden --cloud option for database seed command to init cloud data
- cli, cloud: appending Redirect URIs to Admin Console will deduplicate values before update
- move UrlSet and GlobalValues to @logto/shared
7fb689b73: Fix version lifecycle script
2d45cc3e6: Update alteration script names after versioning
Updated dependencies [343b1090f]
Updated dependencies [343b1090f]
Updated dependencies [c12717412]
Updated dependencies [68f2d56a2]
Updated dependencies [343b1090f]
Updated dependencies [343b1090f]
Updated dependencies [343b1090f]
Updated dependencies [38970fb88]
Updated dependencies [c12717412]
Updated dependencies [343b1090f]
Updated dependencies [c12717412]
Updated dependencies [343b1090f]
Updated dependencies [343b1090f]
Updated dependencies [1c9160112]
Updated dependencies [343b1090f]
Updated dependencies [1c9160112]
- @logto/phrases-ui@1.0.0
- @logto/phrases@1.0.0
- @logto/connector-kit@1.1.0
- @logto/core-kit@1.1.0

1.0.0-rc.1

Major Changes

c12717412: Decouple users and admins

💥 BREAKING CHANGES 💥

Logto was using a single port to serve both normal users and admins, as well as the web console. While we continuously maintain a high level of security, it’ll still be great to decouple these components into two separate parts to keep data isolated and provide a flexible infrastructure.

From this version, Logto now listens to two ports by default, one for normal users (3001), and one for admins (3002).
- Nothing changed for normal users. No adaption is needed.
- For admin users:
  - The default Admin Console URL has been changed to http://localhost:3002/console.
  - To change the admin port, set the environment variable ADMIN_PORT. For instance, ADMIN_PORT=3456.
  - You can specify a custom endpoint for admins by setting the environment variable ADMIN_ENDPOINT. For example, ADMIN_ENDPOINT=https://admin.your-domain.com.
  - You can now completely disable admin endpoints by setting ADMIN_DISABLE_LOCALHOST=1 and leaving ADMIN_ENDPOINT unset.
  - Admin Console and admin user data are not accessible via normal user endpoints, including localhost and ENDPOINT from the environment.
  - Admin Console no longer displays audit logs of admin users. However, these logs still exist in the database, and Logto still inserts admin user logs. There is just no convenient interface to inspect them.
  - Due to the data isolation, the numbers on the dashboard may slightly decrease (admins are excluded).
If you are upgrading from a previous version, simply run the database alteration command as usual, and we'll take care of the rest.

Note

DID YOU KNOW

Under the hood, we use the powerful Postgres feature Row-Level Security to isolate admin and user data.

Patch Changes

Updated dependencies [c12717412]
Updated dependencies [c12717412]
Updated dependencies [c12717412]
- @logto/phrases@1.0.0-rc.1
- @logto/phrases-ui@1.0.0-rc.1

1.0.0-rc.0

Major Changes

f41fd3f0: drop settings table and add systems table

BREAKING CHANGES
- core: removed GET /settings and PATCH /settings API
- core: added GET /configs/admin-console and PATCH /configs/admin-console API
  - /configs/* APIs are config/key-specific now. they may have different logic per key
- cli: change valid logto db config keys by removing alterationState and adding adminConsole since:
  - OIDC configs and admin console configs are tenant-level configs (the concept of "tenant" can be ignored until we officially announce it)
  - alteration state is still a system-wide config

Minor Changes

f41fd3f0: Replace passcode naming convention in the interaction APIs and main flow ui with verificationCode.
f41fd3f0: Replace the sms naming convention using phone cross logto codebase. Including Sign-in Experience types, API paths, API payload and internal variable names.

1.0.0-beta.18

Patch Changes

df9e98dc: Fix version lifecycle script

1.0.0-beta.17

Major Changes

1c916011: Packages are now ESM.

Minor Changes

1c916011: ### Features
- Enhanced user search params #2639
- Web hooks
Improvements
- Refactored Interaction APIs and Audit logs

Patch Changes

Updated dependencies [1c916011]
Updated dependencies [1c916011]
- @logto/phrases@1.0.0-beta.17
- @logto/phrases-ui@1.0.0-beta.17

1.0.0-beta.16

Patch Changes

38970fb8: Fix a Sign-in experience bug that may block some users to sign in.
Updated dependencies [38970fb8]
- @logto/phrases@1.0.0-beta.16

1.0.0-beta.15

Patch Changes

Bump connector kit version to fix "Continue" issues on sending email/sms.

1.0.0-beta.14

Patch Changes

2d45cc3e: Update alteration script names after versioning

1.0.0-beta.13

Patch Changes

Updated dependencies [68f2d56a]
- @logto/phrases@1.0.0-beta.13
- @logto/phrases-ui@1.0.0-beta.13

All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.

1.0.0-beta.12 (2022-10-19)

Bug Fixes

add tables to schemas files (582f3d6)
handle versioning when no next-*.ts found (#2202) (61336df)
make packages public (e24fd04)

1.0.0-beta.11 (2022-10-19)

Features

cli: db alteration deploy command (a5280a2)
cli: db seed oidc command (911117a)
cli: get/set db config key (0eff1e3)

Bug Fixes

add redirectURI validation on frontend & backend (#1874) (4b0970b)
alteration script in dev (9ebb3dd)

1.0.0-beta.10 (2022-09-28)

Features

core,schemas: add phrases schema and GET /custom-phrases/:languageKey route (#1905) (7242aa8)
core,schemas: migration deploy cli (#1966) (7cc2f4d)
core,schemas: use timestamp to version migrations (bb4bfd3)
core: add POST /session/forgot-password/{email,sms}/send-passcode (#1963) (af2600d)
core: add POST /session/forgot-password/{email,sms}/verify-passcode (#1968) (1ea39f3)
core: add POST /session/forgot-password/reset (#1972) (acdc86c)
core: machine to machine apps (cd9c697)
schemas: add logto configs table (#1940) (577ca48)