Releases: teamhanko/hanko

v1.3: Custom OAuth, device trust, stay signed in

17 Dec 08:43
80680a2

This update contains a variety of frequently requested features and improvements.

Custom OAuth providers

In addition to the preconfigured providers such as Apple, Google, and GitHub, we have now added the option to configure custom OpenID Connect or OAuth providers so that they appear as “Sign in with...” buttons on the login and registration pages.

Device trust

A new device trust feature offers users the option of not having to perform 2FA again for a certain period of time after successful 2FA. Administrators can specify whether to automatically trust the device, prompt the user to trust the device, or never allow trusted devices and always enforce 2FA.

Stay signed in

This new option can be used to control whether a persistent cookie or a session cookie should be issued when the user is logging in. Persistent cookies (default) remain valid for the set session duration, i.e. the user remains logged in even if the browser is closed. Session cookies are usually deleted when the browser or browser tab is closed, so users have to log in again the next time they visit the app. A third option adds a “Stay signed in” checkbox to the login screen, which allows the user to determine the type of cookie themselves.
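How the three cookie behaviours described above translate into cookie attributes, as an added Go example that is not Hanko's own code: the cookie name, the mode names and the function shape are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// CookieMode mirrors the three behaviours described in the release notes.
type CookieMode int

const (
	Persistent  CookieMode = iota // default: the cookie survives closing the browser
	SessionOnly                   // browser-lifetime cookie, dropped when the browser closes
	UserChoice                    // a "Stay signed in" checkbox decides per login
)

// SessionCookie builds the cookie that carries the session token. sessionTTL is the configured
// session duration; staySignedIn is the checkbox value and is only consulted in UserChoice mode.
// The cookie name is constructed for this example, not Hanko's real cookie name.
func SessionCookie(mode CookieMode, token string, sessionTTL time.Duration, staySignedIn bool) *http.Cookie {
	c := &http.Cookie{
		Name:     "example_session",
		Value:    token,
		Path:     "/",
		HttpOnly: true, // keep the token out of reach of page scripts
		Secure:   true, // only ever sent over HTTPS
		SameSite: http.SameSiteLaxMode,
	}
	if mode == Persistent || (mode == UserChoice && staySignedIn) {
		// Max-Age makes it a persistent cookie, valid for exactly the session duration.
		c.MaxAge = int(sessionTTL.Seconds())
	}
	// With neither Max-Age nor Expires set, browsers treat it as a session cookie.
	return c
}

// IsPersistent reports whether the browser will keep the cookie after it is closed.
func IsPersistent(c *http.Cookie) bool {
	return c.MaxAge > 0 || !c.Expires.IsZero()
}

func main() {
	rec := httptest.NewRecorder()
	http.SetCookie(rec, SessionCookie(UserChoice, "token.example", 12*time.Hour, false))
	fmt.Println(rec.Header().Get("Set-Cookie")) // no Max-Age: a session cookie
}
```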

Last used indicators

Social SSO buttons (e.g., "Sign in with Google") now display a "Last used" label to help users remember which provider they chose on their last visit and avoid creating redundant accounts. Note that active Account Linking still allows users to change the login method to some extent, but only if the email address matches.

New admin API endpoints

The Admin API has been extended with the following new endpoints:

  • password
    • get
    • create
    • update
    • delete
  • webauthn
    • list
    • get
    • delete
  • otp
    • get
    • delete
  • sessions
    • list
    • create
    • delete

User import improvements

User import functionality has been improved. Now, more user data and credentials can be imported, e.g.:

  • Usernames
  • Passwords (bcrypt hashes)
  • WebAuthn credentials
  • OTP secrets

Full Changelog: backend/v1.2.1...backend/v1.3.2

v1.2: MFA

05 Nov 21:34
65821b1

This release contains Multi-Factor Authentication (MFA) capabilities for Hanko backend and Hanko Elements.

Hanko has been optimized for WebAuthn and passkey authentication from the very beginning. However, the additional implementation of other, potentially weaker authentication methods such as passwords and email passcodes meant that we also had to add MFA (or 2FA). And here it is: TOTP authenticator apps as well as FIDO security key support.

As a bonus feature, we added the option for MFA enrollment during registration and login flows, allowing admins to easily enforce MFA adoption among their user base if required.

TOTP authenticator apps

As the de facto standard for 2FA, the most obvious benefit of Time-based One-Time Passcodes (TOTP) is their universality. Users can choose from a myriad of authentication apps such as Google Authenticator, Microsoft Authenticator and many more to generate the one-time codes – no special hardware required.

Security keys

We just had to support security keys as second factors due to their unmatched security benefits. No other MFA method can protect users as reliably against phishing and most other known account takeover attacks.

Full Changelog: backend/v1.1.0...backend/v1.2.0

v1.1: Sessions

17 Oct 09:21
cf5f3f3

This release introduces server-side sessions as an alternative to the previous approach of just issuing JWTs, and a bunch of smaller improvements and bug fixes.

  • New config options:

    session:
      server_side:
        enabled: true
        limit: 5

  • Sessions are stored in the DB, the JWT contains the session ID
  • New /sessions endpoint to verify the JWT (instead of retrieving the JWKS and verifying the JWT yourself)
  • Remote session revocation
  • Sessions list in <hanko-profile>
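Why a server-side session record makes remote revocation possible, as an added Go example that is not Hanko's code: the JWT carries only a session ID, and verification succeeds only while that ID still exists in the store. The store, the HS256 key handling, the claim name and the types are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var ErrInvalid = errors.New("bad signature or unknown/revoked session")

// Store is a constructed in-memory stand-in for the sessions table: only the session ID travels
// inside the JWT, so whether a session is still valid is decided on the server, not by the token.
type Store struct {
	key      []byte         // HS256 key; example key handling, not Hanko's actual signing setup
	sessions map[int]string // session ID -> user ID
	nextID   int
}

func NewStore(key []byte) *Store { return &Store{key: key, sessions: map[int]string{}} }

func (s *Store) sign(input string) string {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(input))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Create records a session and returns an HS256 JWT whose "session_id" claim points at it.
func (s *Store) Create(userID string) (sessionID int, token string) {
	s.nextID++
	s.sessions[s.nextID] = userID
	payload, _ := json.Marshal(map[string]any{"sub": userID, "session_id": s.nextID})
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(payload)
	return s.nextID, input + "." + s.sign(input)
}

// Verify is the check a /sessions-style endpoint performs: the signature must be valid AND the
// referenced session must still exist, so a revoked session fails even with a well-signed JWT.
func (s *Store) Verify(token string) (string, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 || !hmac.Equal([]byte(s.sign(p[0]+"."+p[1])), []byte(p[2])) {
		return "", ErrInvalid
	}
	var claims struct{ SessionID int `json:"session_id"` }
	if raw, err := base64.RawURLEncoding.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return "", ErrInvalid
	}
	if userID, ok := s.sessions[claims.SessionID]; ok {
		return userID, nil
	}
	return "", ErrInvalid
}

// Revoke deletes the record; the matching JWT stops verifying without any client cooperation.
func (s *Store) Revoke(sessionID int) { delete(s.sessions, sessionID) }
```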

Full Changelog: backend/v1.0.3...backend/v1.1.0

v1.0.2

28 Aug 13:14
453567d

Another bug fix release. Most importantly, it changes the way DB connections are used during flow transactions to avoid potential deadlocks when a large number of users initiate certain flow actions simultaneously.

Full Changelog: backend/v1.0.1...backend/v1.0.2

v1.0.1

27 Aug 12:13

This release contains some important fixes and additions to the recently released Hanko v1.0.

The most important changes are:

  • Added webhook support to Flow API
  • Username property is now included when retrieving the user from the SDK or the admin API
  • Fixed a potential concurrency issue when new flows are created

Full Changelog: backend/v1.0.0...backend/v1.0.1

Hanko 1.0

08 Aug 14:15
d734785

We are excited to release Hanko 1.0 today. After two years in Beta, the new Hanko is more user-friendly, more customizable and more mature than all previous releases in almost all areas and finally deserves the 1.0 version number.

Highlights

Options, options, options

  • Identifiers and auth methods can be enabled individually and freely combined, no more implicit settings
  • Optional passwords that can be deleted by the user, i.e. give users the choice to select a password or a passkey as their preferred authentication method
  • Smooth migration of existing users, e.g. transition from a password-based system to passkeys, without overburdening all users at once

Usernames

  • Usernames are now supported as identifiers, in addition to email addresses
  • Emails and usernames can also be used simultaneously

Privacy

  • Configurations that use the email identifier and require email verification now effectively prevent email enumeration, enabling a fully privacy-preserving implementation of login and registration
  • A setting to disable "privacy mode" for situations where explicit feedback to the user (e.g. "An account using this email address already exists.") is more important than privacy is planned for a future release

Dedicated login and registration flows

  • Login and registration flows have been separated to present only relevant actions to the user, e.g. "Sign in with a passkey" makes no sense for a user who wants to register a new account
  • Introducing new elements <hanko-login> and <hanko-registration> that can be placed on separate pages, e.g. /login and /registration
  • Combined <hanko-auth> element is still available, allowing users to toggle between login and registration on the same page

Introducing the all-new Flow API

This version contains a new API, which we call Flow API (#1532). With the previous RESTful API of the Hanko backend, it had become very complex to extend the functionality of Hanko. This was mainly due to the fact that most of the state handling was done in Hanko Elements and each endpoint had to be called in a specific order to work properly. The Flow API takes over this complexity completely in the backend and thus enables us to further develop the Hanko system at a higher speed than ever before.

  • This 1.0 release includes the Flow API as well as the completely redesigned Hanko Elements to match the Flow API
  • Flow API consists of three new endpoints: /registration, /login, and /profile
  • A number of new email templates have been introduced to provide better context for users
  • Old API endpoints handling login and registration will be deprecated, but will continue to work for the foreseeable future to allow a smooth transition to the Flow API
  • A frontend SDK and documentation for the creation of custom frontends for the Flow API will follow shortly

New config options

Flow API supports much more granular settings to control the login and registration flows. The following is a sample configuration containing the most important new settings:

debug: false
convert_legacy_config: false

email:
  enabled: true
  optional: false
  acquire_on_registration: true
  acquire_on_login: true
  require_verification: true
  use_as_login_identifier: true
  use_for_authentication: true
  limit: 5
  max_length: 100
  passcode_ttl: 300

username:
  enabled: false
  optional: true
  acquire_on_registration: true
  acquire_on_login: false
  use_as_login_identifier: true
  min_length: 3
  max_length: 32

password:
  enabled: true
  optional: false
  acquire_on_registration: always
  acquire_on_login: never
  recovery: true
  min_length: 8

passkey:
  enabled: true
  optional: true
  acquire_on_registration: always
  acquire_on_login: always
  user_verification: preferred
  attestation_preference: direct
  limit: 10

Migration

Config

With the introduction of the new configuration parameters, some old parameters have become obsolete and the new parameters should be used in future if the default values are not sufficient (default values have not changed):

Old                             New
emails.max_num_of_addresses     email.limit
emails.require_verification     email.require_verification
passcode.ttl                    email.passcode_ttl
smtp                            email_delivery.smtp
passcode.email.from_name        email_delivery.from_name
passcode.email.from_address     email_delivery.from_address
password.min_password_length    password.min_length
webauthn.user_verification      passkey.user_verification
webauthn.timeout                webauthn.timeouts.registration
webauthn.timeout                webauthn.timeouts.login

Old config files can still be used, but the convert_legacy_config parameter must be set to true.

Caution

Some of the new configuration parameters are not compatible with older versions of Hanko Elements (< v1.0). To ensure smooth operation, Hanko Elements v1.0 or higher should be used with the new configuration parameters.

Caution

The new configuration parameters email.enabled, email.use_for_authentication and passkey.enabled also disable the REST API endpoints if set to false, but Hanko Elements before v1.0 does not know how to deal with that and will throw an error.

Frontend

Events

  • onAuthFlowCompleted events have been removed (use onSessionCreated instead)
  • onSessionCreated contains the session JWT, but not the user ID anymore

Check session state

The element will no longer check if a session has already been established, and the "You're already logged in" page has been removed. This change was necessary to enable re-authentication in future versions. You can check if a user is already logged in using the following code:

import {register} from "https://cdn.jsdelivr.net/npm/@teamhanko/hanko-elements/dist/elements.js"

const {hanko} = await register("https://...");

if (hanko.session.isValid()) {
	// user is already logged in
} else {
	// show auth component
}

Full Changelog: backend/v0.12.0...backend/v1.0.0

v0.12: Sign in with LinkedIn

03 Jul 08:53
0c9e2f5

Highlights

  • LinkedIn is now available as 3rd-party identity provider.

What's Changed

  • chore(deps): bump golang.org/x/oauth2 from 0.19.0 to 0.20.0 in /backend by @dependabot in #1454
  • chore(deps): bump golang.org/x/text from 0.14.0 to 0.15.0 in /backend by @dependabot in #1455
  • chore(deps): bump github.com/go-playground/validator/v10 from 10.19.0 to 10.20.0 in /backend by @dependabot in #1449
  • chore(deps): bump golang.org/x/crypto from 0.22.0 to 0.23.0 in /backend by @dependabot in #1456
  • feat(thirdparty): add linkedin to social providers by @shentschel in #1463
  • chore(deps): bump github.com/go-playground/validator/v10 from 10.20.0 to 10.21.0 in /backend by @dependabot in #1475
  • chore(deps): bump github.com/rs/zerolog from 1.32.0 to 1.33.0 in /backend by @dependabot in #1465
  • chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 in /backend by @dependabot in #1469
  • chore(deps): bump golang.org/x/text from 0.15.0 to 0.16.0 in /backend by @dependabot in #1481
  • chore(deps): bump golang.org/x/oauth2 from 0.20.0 to 0.21.0 in /backend by @dependabot in #1480
  • feat(saml): make getting providers from metadata non-panic by @shentschel in #1464
  • fix: improve passcode email text by @FlxMgdnz in #1170
  • fix: mail renderer tests after text updates by @lfleischmann in #1489
  • chore(deps): bump github.com/go-playground/validator/v10 from 10.21.0 to 10.22.0 in /backend by @dependabot in #1487
  • chore(deps): bump goreleaser/goreleaser-action from 5 to 6 by @dependabot in #1486
  • chore(deps): bump golang.org/x/crypto from 0.23.0 to 0.24.0 in /backend by @dependabot in #1478
  • chore(deps): bump docker/build-push-action from 5 to 6 by @dependabot in #1494
  • chore(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 in /backend by @dependabot in #1493
  • chore(deps): bump github.com/lestrrat-go/jwx/v2 from 2.0.21 to 2.1.0 in /backend by @dependabot in #1497

Full Changelog: backend/v0.11.0...backend/v0.12.0

v0.11: Sign in with Microsoft, custom email sending

29 Apr 16:02
2f3d4f0

Highlights

  • Microsoft is now available as 3rd-party identity provider. Admins can set up a "Sign in with Microsoft" authentication option for users in the backend config. Both personal and work accounts are supported.
  • Custom email sending is now supported by a new webhook and the option to disable email sending through the Hanko backend. Apps can subscribe to the webhook and implement their own email sending (e.g. passcode emails).

Full Changelog: backend/v0.10.2...backend/v0.11.0

v0.10.2

10 Apr 14:43
7c3af05

Highlights

  • Fix that ensures email JWT claim is present on user creation.
  • Change that sets the default Passkey/WebAuthn attestation conveyance preference from 'none' to 'direct' for better AAGUID handling on Windows.

What's Changed

  • fix(jwt): add updated email on user create by @shentschel in #1416
  • chore(deps): bump github.com/jackc/pgconn from 1.14.1 to 1.14.3 in /backend by @dependabot in #1380
  • chore(deps): bump jose from 4.15.4 to 4.15.5 in /frontend by @dependabot in #1385
  • chore(deps): bump softprops/action-gh-release from 1 to 2 by @dependabot in #1389
  • chore(deps): bump github.com/jackc/pgx/v4 from 4.18.1 to 4.18.2 in /backend by @dependabot in #1391
  • chore(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0 in /backend by @dependabot in #1395
  • chore(deps): bump github.com/docker/docker from 24.0.7+incompatible to 24.0.9+incompatible in /backend by @dependabot in #1402
  • chore(deps): bump github.com/go-sql-driver/mysql from 1.7.1 to 1.8.1 in /backend by @dependabot in #1410
  • chore(deps): bump follow-redirects from 1.15.4 to 1.15.6 in /docs by @dependabot in #1399
  • chore(deps): bump follow-redirects from 1.15.4 to 1.15.6 in /frontend by @dependabot in #1400
  • chore(deps): bump webpack-dev-middleware from 5.3.3 to 5.3.4 in /docs by @dependabot in #1406
  • chore(deps-dev): bump webpack-dev-middleware from 5.3.3 to 5.3.4 in /frontend by @dependabot in #1405
  • Update README.md by @FlxMgdnz in #1408
  • chore(deps): bump express from 4.18.1 to 4.19.2 in /docs by @dependabot in #1413
  • chore(deps): bump express from 4.18.2 to 4.19.2 in /frontend by @dependabot in #1414
  • chore(deps): bump peaceiris/actions-gh-pages from 3 to 4 by @dependabot in #1422
  • Roadmap updates by @FlxMgdnz in #1411
  • chore(deps): bump golang.org/x/crypto from 0.21.0 to 0.22.0 in /backend by @dependabot in #1425
  • chore(deps): bump github.com/go-webauthn/webauthn from 0.10.1 to 0.10.2 in /backend by @dependabot in #1426
  • chore(deps): bump golang.org/x/oauth2 from 0.18.0 to 0.19.0 in /backend by @dependabot in #1428
  • enhance(webauthn): change default attestation mode by @shentschel in #1421
  • chore: update versions to v0.10.2 by @lfleischmann in #1430

Full Changelog: backend/v0.10.1...backend/v0.10.2

v0.10.1

27 Mar 16:10
315c9aa

Highlights

  • Email claim added to session JWT, allowing developers to quickly retrieve the user's primary email address
  • New Social SSO provider: Discord

What's Changed

  • chore(deps): bump github.com/go-playground/validator/v10 from 10.17.0 to 10.18.0 in /backend by @dependabot in #1342
  • chore: update debug dockerfile by @lfleischmann in #1352
  • chore(webhooks): improve webhook docs by @shentschel in #1351
  • feat(thirdparty): add discord provider by @lfleischmann in #1353
  • fix(webhooks): fix HasEvent logic by @shentschel in #1355
  • chore(deps): bump github.com/lestrrat-go/jwx/v2 from 2.0.19 to 2.0.20 in /backend by @dependabot in #1358
  • chore(deps-dev): bump ip from 2.0.0 to 2.0.1 in /frontend by @dependabot in #1359
  • Roadmap updated by @FlxMgdnz in #1363
  • feat(webhooks): add webhooks trigger to thirdparty auth by @shentschel in #1367
  • chore(deps): bump golang.org/x/crypto from 0.19.0 to 0.21.0 in /backend by @dependabot in #1378
  • chore(deps): bump github.com/go-playground/validator/v10 from 10.18.0 to 10.19.0 in /backend by @dependabot in #1377
  • chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 in /backend by @dependabot in #1375
  • chore(deps): bump github.com/gomodule/redigo from 1.8.9 to 1.9.2 in /backend by @dependabot in #1365
  • chore(deps): bump golang.org/x/oauth2 from 0.17.0 to 0.18.0 in /backend by @dependabot in #1379
  • chore(deps): bump github.com/lestrrat-go/jwx/v2 from 2.0.20 to 2.0.21 in /backend by @dependabot in #1386
  • chore(deps): bump github.com/lestrrat-go/jwx/v2 from 2.0.19 to 2.0.21 in /quickstart by @dependabot in #1387
  • Fix links in README.md by @wttw in #1407
  • feat(jwt): add email claim to session JWT by @shentschel in #1404

Full Changelog: backend/v0.10.0...backend/v0.10.1