Releases: Oghamark/Authentication

v1.2.0

14 Mar 23:45

What's new

PostgreSQL-backed session store

Sessions are now persisted in PostgreSQL using connect-pg-simple. A background job automatically purges stale sessions, preventing unbounded table growth over time.

Breaking change: SESSION_SECRET is now a required environment variable. The service will refuse to start without it. Generate a value with openssl rand -base64 48 and add it to your deployment before upgrading.

OpenID Connect (OIDC) SSO

Single sign-on via OpenID Connect is now fully supported. Once configured, a provider sign-in button appears on the login screen alongside the existing email/password form. OIDC configuration is managed through the admin config API — no service restart is required after changing settings.

New endpoints:

| Method | Path | Auth | Description |
|--------|------|------|-------------|
| GET | /oidc/enabled | Public | Returns whether OIDC is configured |
| GET | /login/oidc | Public | Initiates the OIDC authorization flow (redirects to provider) |
| GET | /login/oidc/callback | Public | Handles the provider redirect callback and issues tokens |
| GET | /config | Admin | Retrieve the full authentication configuration including OIDC settings |
| GET | /config/public | Public | Retrieve sanitized config (oidcEnabled, oidcProviderName, signupEnabled) |
| PATCH | /config | Admin | Update authentication configuration including OIDC credentials |

Improvements

  • Refactored authentication strategies to use the Passport strategy pattern, making it straightforward to add additional providers in future releases
  • Improved error logging for OIDC authentication exceptions to aid debugging of provider misconfiguration

Breaking changes

SESSION_SECRET is now required. The service will not start without it.

Upgrade notes

  1. Generate a session secret: openssl rand -base64 48
  2. Add SESSION_SECRET to your environment (add APP_URL for OIDC redirect URL generation)
  3. The session table is created automatically on first startup
  4. See the updated Getting Started guide for a revised docker-compose.yml

Full Changelog: v1.1.1...v1.2.0

v1.1.1

04 Mar 01:06

What's Changed

New Features

  • Health check endpoint – Added GET /health for liveness/readiness probes
  • Dedicated role update use case – Introduced UpdateUserRoleUseCase with a corrected return type

Bug Fixes

  • Fixed CryptoGateway missing from AppConfigModule causing JwtTokenGateway dependency failure
  • Fixed startup errors and user data serialization issues

Improvements

  • Added DomainExceptionFilter for consistent domain error handling, with test coverage
  • New typed domain exceptions for auth and user domains

Developer Experience

  • Added devcontainer with Docker Compose for local development with hot reloading

Full Changelog: v1.1.0...v1.1.1

What's Changed

Full Changelog: v1.0.0...v1.1.1

v1.1.0

01 Mar 01:14

What's New

Docker Support

The authentication service is now containerized and ready for production deployment via Docker.

Registration Control

  • GET /config (public) — returns auth configuration including whether sign-up is enabled.
  • PATCH /config (admin only) — allows admins to toggle registration on/off.
  • Sign-up requests rejected with 403 Forbidden when registration is disabled.
  • New auth_config database table seeded with registration enabled by default.

Admin User Creation

Administrators can now create new user accounts directly through the API.

Role Management

  • First registered user is automatically assigned the ADMIN role.
  • PATCH /users/:id/role endpoint added for role management (admin only).
  • All user endpoints are now auth-guarded (JWT required).
  • Passwords are no longer returned in user API responses.

Fixes

  • Fixed startup crash caused by missing CryptoGateway in AppConfigModule.
  • Fixed first user not receiving ADMIN role — Result.isSuccess was implemented as !!value, which returns false for falsy values like 0 (empty database).
  • Fixed sign-up always failing with "User not found" — the failure handler was incorrectly re-throwing a not-found result during email uniqueness check.
  • Fixed build error in AdminCreateUserUseCase caused by an incompatible interface constraint.
  • Removed unused import causing CI lint failures.

Refactor

  • Failure is now an abstract class with code and message fields; GenericFailure replaces plain new Failure(message) usages.
  • Result now stores an explicit success boolean instead of deriving it from !!value.
  • Result.success() / Result.failure() renamed to Result.ok() / Result.fail().
  • isSuccess and isFailure converted from property getters to methods.
  • The .on() pattern removed in favour of explicit if/else checks.
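
The !!value bug from the Fixes list and the explicit success flag from the Refactor list, side by side. This is an added example, not the project's code: the class bodies, roleWithLegacyResult and roleWithExplicitResult are hypothetical, and the user count stands in for whatever query the service actually runs.

```typescript
// Added illustration: names and shapes are assumptions, not the project's source.

// Pre-1.1.0 behaviour described in the notes: success is derived from !!value.
class LegacyResult<T> {
  readonly value: T | undefined;
  constructor(value?: T) { this.value = value; }
  static success<T>(value: T): LegacyResult<T> { return new LegacyResult<T>(value); }
  get isSuccess(): boolean { return !!this.value; } // 0, "" and false read as failure
}

// 1.1.0 behaviour: explicit success boolean, ok()/fail(), isSuccess()/isFailure() as methods.
class Result<T> {
  private readonly success: boolean;
  readonly value: T | undefined;
  readonly error: string | undefined;
  private constructor(success: boolean, value?: T, error?: string) {
    this.success = success;
    this.value = value;
    this.error = error;
  }
  static ok<T>(value: T): Result<T> { return new Result<T>(true, value); }
  static fail<T>(error: string): Result<T> { return new Result<T>(false, undefined, error); }
  isSuccess(): boolean { return this.success; }
  isFailure(): boolean { return !this.success; }
}

type Role = "ADMIN" | "USER";

// Hypothetical role decision: the first account in an empty database becomes ADMIN.
function roleWithLegacyResult(userCount: number): Role {
  const count = LegacyResult.success(userCount);
  // For an empty database userCount is 0, so !!0 makes a successful count look failed.
  if (count.isSuccess && count.value === 0) return "ADMIN";
  return "USER";
}

function roleWithExplicitResult(userCount: number): Role {
  const count = Result.ok(userCount);
  // Failure is now a separate state, so a legitimate 0 is handled as data.
  if (count.isFailure()) throw new Error(count.error ?? "user count unavailable");
  return count.value === 0 ? "ADMIN" : "USER";
}
```

The same truthiness trap applies to any successful result carrying an empty string or false, which is why the flag is stored rather than derived.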

Full Changelog: v1.0.0...v1.1.0

v1.0.0

20 Feb 05:06

What's Changed

  • Added Login/Signup functionality
  • Added user creation/management for administrators