Releases: geturbackend/urBackend

v0.9.0 - Webhook and Bring your own key (Resend) for Mails

08 Apr 20:50
71d9deb

What's Changed

Full Changelog: v0.8.0...v0.9.0

Social Authentication with GitHub & Google OAuth

06 Apr 19:42

Release Date: April 6, 2026

🎉 Highlights

This release introduces Social Authentication with GitHub and Google OAuth support, along with security hardening and accessibility improvements.


✨ New Features

Social Authentication

  • feat: add GitHub and Google social auth support
    • OAuth 2.0 integration with GitHub and Google providers
    • Secure token exchange flow with one-time rtCode mechanism
    • Automatic account linking when provider email matches existing user
    • Provider callback URLs auto-generated (read-only in dashboard)
    • Encrypted storage for OAuth client secrets

Accessibility

  • Added ARIA labels for buttons in CollectionsTable.jsx and DatabaseSidebar.jsx
    • Improved screen reader support for dashboard components

🔒 Security Fixes

Social Auth Hardening

  • P1: siteUrl required before enabling OAuth

    • Projects must configure Site URL before enabling social auth providers
    • Prevents token redirect to fallback/wrong URLs
  • P1: Email collision protection

    • Social login now rejects if email exists but provider email is unverified
    • Prevents duplicate accounts and potential account takeover
  • P2: OAuth error forwarding

    • Provider errors (user cancel, OAuth failures) now redirect to frontend callback with ?error=...
    • Frontend can display proper error messages instead of raw JSON
  • P3: Exchange endpoint protection

    • /api/userAuth/social/exchange now requires API key verification
    • Enforces project boundary on the most sensitive token exchange step
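
The account-linking and email-collision rules above, written out as an added example (not urBackend's own code). The user and profile shapes, the `identities` array and the `emailVerified` flag are assumptions, as is allowing account creation when no existing user holds the email.

```javascript
// Added example (not urBackend source): decide what a social login may do
// when the provider's email matches, or does not match, an existing user.
const normalizeEmail = (email) => String(email || '').trim().toLowerCase();

function resolveSocialLogin(users, profile) {
  // 1. This provider identity is already linked: plain login.
  const linked = users.find((u) =>
    (u.identities || []).some(
      (i) => i.provider === profile.provider && i.providerId === profile.providerId
    )
  );
  if (linked) return { action: 'login', userId: linked.id };

  const email = normalizeEmail(profile.email);
  if (!email) return { action: 'reject', reason: 'provider_email_missing' };

  // 2. Email collision: link only when the provider vouches for the address.
  //    Linking on an unverified address would let anyone who typed a victim's
  //    email into a provider account take over the existing user.
  const byEmail = users.find((u) => normalizeEmail(u.email) === email);
  if (byEmail) {
    if (profile.emailVerified !== true) {
      return { action: 'reject', reason: 'provider_email_unverified' };
    }
    return { action: 'link', userId: byEmail.id };
  }

  // 3. No collision: creating a new account cannot shadow an existing one.
  return { action: 'create', email };
}

// Constructed sample data.
const sampleUsers = [
  { id: 'u1', email: 'Alice@example.com', identities: [] },
  { id: 'u2', email: 'bob@example.com',
    identities: [{ provider: 'github', providerId: 'gh-42' }] },
];
```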

📚 Documentation

  • Updated docs/authentication.md with social auth setup guide
  • Updated docs/api-reference.md with new social auth endpoints
  • Added examples/social-demo/ with working GitHub/Google OAuth example

🧪 Testing

  • 66 tests passing in public-api
  • New tests for:
    • Provider error forwarding
    • Email collision handling
    • Account linking with verified emails

⚠️ Breaking Changes

None


🔄 Migration Guide

No migration required. New social auth features are opt-in via dashboard configuration.

To enable social auth:

  1. Configure Site URL in Project Settings
  2. Go to Auth → Social Auth section
  3. Add GitHub/Google OAuth credentials
  4. Enable the provider

@aryansinha1908 - Arial Labels Across Database.jsx (#76)
@Nitin-kumar-yadav1307 - feat: standardize API response format across both apps (#66)
@yash-pouranik - Social Auth (#81)

v0.7.0 - The Security & Indexing Update

04 Apr 12:35

What's New in v0.7.0

🛡️ Row-Level Security (RLS) Evolution

We've added support for custom Read RLS modes:

  • public-read: Perfect for social posts and blogs.
  • private: Secure your user-owned data (profiles, settings).
  • Automatic backward compatibility for existing owner-write-only rules.

🔑 Database Indexing: Unique Constraints

You can now define fields that must be unique (e.g., email, serial_number) during collection creation in the Dashboard. This ensures data integrity at the database level.

🏗️ Improvements & Bug Fixes

  • Synchronized monorepo versioning across all core apps.
  • Improved JWT refresh flow with rotating sessions.
  • Fixed duplicate key issues in package manifests.
  • Documentation updates for new security patterns.

Unique Field Constraint by - @Special7ka (Backend) and @copilot (UI)
RLS Upgrade - @yash-pouranik

The BYOS Update (Bring Your Own Storage)

31 Mar 16:16
34cb901

🚀 The BYOS Update (Bring Your Own Storage)

We are thrilled to announce urBackend v0.6.0! This release marks a significant milestone in our journey to give developers complete control over their infrastructure. Say hello to Bring Your Own Storage (BYOS).

✨ New Features

📦 External Storage Integration (S3 & R2)

You are no longer tied to default storage. You can now connect your own enterprise-grade storage providers directly to your projects.

  • AWS S3 Support: Connect any AWS S3 bucket with full region support.
  • Cloudflare R2 Support: Full compatibility with Cloudflare's S3-compatible R2 storage.
  • Provider-Specific Validation: A new dynamic configuration system that ensures your keys, buckets, and endpoints are correctly set up.

🔌 Storage Adapter Architecture

We've re-engineered our internal storage engine using the Adapter Pattern. This means:

  • Seamlessly switch between Supabase, S3, and R2 without changing a single line of your application logic.
  • Consistent API experience across all providers (.upload(), .remove(), .list(), .getPublicUrl()).

🛠️ Improvements & Refinements

  • Encrypted-at-Rest Configs: All external credentials (Access Keys, Secret Keys) are now fully encrypted using AES-256-GCM before being stored in our database.
  • Smart Cache Invalidation: Updated the storageRegistry to automatically flush and re-initialize storage clients whenever project settings are updated. No more stale connections!
  • CDN Domain Support: Added publicUrlHost field allowing you to map your own Custom Domains or CDNs (CloudFront/Cloudflare) to your storage assets.
  • Enhanced UI Experience:
    • The Project Settings dashboard now features a dynamic form that swaps fields based on the selected provider.
    • Added "Required vs Optional" indicators specifically tailored for S3 vs R2 requirements.
  • S3 Protocol Compatibility: Implemented forcePathStyle: true ensuring 100% compatibility with R2 endpoints and self-hosted S3 solutions like MinIO.

🐛 Bug Fixes

  • Fixed a critical "wanted vs got" integrity mismatch in package-lock.json causing CI/CD failures.
  • Fixed an S3 prefix bug where listing the root directory would incorrectly append a trailing slash.
  • Corrected UI typos in the Storage Configuration labels.

💡 What's next?

With Storage and Databases already customizable, we are looking into expanding our SDK ecosystem. Stay tuned!

Full Changelog: View on GitHub

urBackend v0.5.0 — Public Auth Refresh Token Flow

29 Mar 12:00
e17ed70

Summary

This release adds a secure refresh-token lifecycle for public-api user authentication, with rotation, replay protection, and logout session revocation.


What’s New

  • ✅ Added POST /api/userAuth/refresh-token
  • ✅ Added POST /api/userAuth/logout
  • ✅ Added Redis-backed refresh session store with:
    • tokenId, projectId, userId, tokenHash
    • rotatedFrom, rotatedTo
    • isUsed, revokedAt, expiresAt, lastUsedAt
  • ✅ Refresh token rotation on each successful refresh
  • ✅ Replay detection and session-chain revocation on token reuse
  • ✅ Multi-tenant secret handling via projectId-based project lookup
  • ✅ Rate checks for refresh attempts (IP, token, user)
  • ✅ Mobile/non-browser support using x-refresh-token
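
How rotation, replay detection and chain revocation fit together over the session fields listed above, as an added example (not the code in apps/public-api/src/utils/refreshToken.js). The in-memory Map in place of Redis, the `<tokenId>.<secret>` token format and the error strings are assumptions.

```javascript
// Added example (not urBackend source): in-memory model of refresh-token
// rotation with replay detection. A Map stands in for the Redis store, and
// the "<tokenId>.<secret>" token format is an assumption.
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const sessions = new Map(); // tokenId -> session record

function issue(projectId, userId, rotatedFrom = null, now = Date.now()) {
  const tokenId = crypto.randomUUID();
  const secret = crypto.randomBytes(32).toString('hex');
  sessions.set(tokenId, {
    tokenId, projectId, userId, tokenHash: sha256(secret),
    rotatedFrom, rotatedTo: null, isUsed: false, revokedAt: null,
    expiresAt: now + 604800 * 1000, // PUBLIC_AUTH_REFRESH_TOKEN_TTL_SECONDS default
    lastUsedAt: null,
  });
  return `${tokenId}.${secret}`; // only the hash is kept server-side
}

// Revoke every session in the rotation chain that contains tokenId.
function revokeChain(tokenId, now = Date.now()) {
  let s = sessions.get(tokenId);
  while (s && sessions.has(s.rotatedFrom)) s = sessions.get(s.rotatedFrom);
  for (; s; s = sessions.get(s.rotatedTo)) s.revokedAt = s.revokedAt || now;
}

function refresh(projectId, token, now = Date.now()) {
  const [tokenId, secret = ''] = String(token).split('.');
  const s = sessions.get(tokenId);
  if (!s || s.projectId !== projectId) return { ok: false, error: 'invalid' };
  const given = Buffer.from(sha256(secret));
  if (!crypto.timingSafeEqual(given, Buffer.from(s.tokenHash))) {
    return { ok: false, error: 'invalid' };
  }
  if (s.revokedAt || s.expiresAt <= now) return { ok: false, error: 'revoked_or_expired' };
  if (s.isUsed) { // replay: a token that was already rotated came back
    revokeChain(tokenId, now);
    return { ok: false, error: 'replay_detected' };
  }
  s.isUsed = true;
  s.lastUsedAt = now;
  const next = issue(projectId, s.userId, tokenId, now);
  s.rotatedTo = next.split('.')[0];
  return { ok: true, refreshToken: next };
}

// Logout revokes the whole chain, so no descendant token survives.
const logout = (token) => revokeChain(String(token).split('.')[0]);
```

Replaying the first token after it has been rotated revokes its successor too, which is what cuts off whoever holds the stolen copy, attacker or not.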

Developer Experience

  • Extracted refresh/session logic into:
    • apps/public-api/src/utils/refreshToken.js
  • Kept controller flow cleaner and easier to maintain.

Docs Updated

  • docs/authentication.md
  • docs/api-reference.md
  • Added note: token is a backward-compat alias; use accessToken.

Environment Variables (new optional)

  • PUBLIC_AUTH_ACCESS_TOKEN_TTL (default: 15m)
  • PUBLIC_AUTH_REFRESH_TOKEN_TTL_SECONDS (default: 604800)

Validation

  • npm run test --workspace=public-api
  • npm run build

urBackend v0.4.0 — RLS Rollout & Auth Hardening

29 Mar 10:02
ded19c3

v0.4.0


Highlights

  • ✅ Row Level Security (RLS) for collection writes (owner-write-only)
  • ✅ Publishable-key write guardrails (pk_live writes require RLS + user JWT)
  • ✅ Automatic owner injection on create when owner field is missing
  • users collection protection on generic data API (/api/data/users* blocked)
  • ✅ Auth schema validation hardening for users (email + password required string fields)

Security Improvements

  • Added robust owner mismatch blocking for write operations
  • Added schema key normalization hardening (including hidden/BOM character edge cases)
  • Added safer users schema sanitation for mongoose subdocuments
  • Prevented public generic access to users via data routes
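
The write guardrails from the Highlights and Security Improvements lists, combined into one decision function as an added example (not urBackend's middleware). The argument names, `rls.enabled`, `rls.ownerField`, the result shape, and letting `sk_live_` keys bypass RLS are all assumptions.

```javascript
// Added example (not urBackend source): pk_live write guardrails, owner
// injection on create, owner-mismatch blocking and the users-collection block.
function authorizeWrite({ apiKey, collection, rls, user, op, body, existing }) {
  const deny = (status, reason) => ({ allowed: false, status, reason });

  // users is managed through /api/userAuth/*, never the generic data API.
  if (collection === 'users') return deny(403, 'users_collection_blocked');

  // Assumption: secret keys are server-side only and are not subject to RLS.
  if (apiKey.startsWith('sk_live_')) return { allowed: true, body };
  if (!apiKey.startsWith('pk_live_')) return deny(401, 'unknown_key_type');

  // Publishable-key writes need an RLS policy and an authenticated end user.
  if (!rls || !rls.enabled) return deny(403, 'rls_required_for_pk_write');
  if (!user || !user.id) return deny(401, 'user_jwt_required');

  const field = rls.ownerField;
  const isCaller = (value) => String(value) === String(user.id);

  if (op === 'create') {
    // Inject the owner when the client omitted it; refuse a forged one.
    if (body[field] != null && !isCaller(body[field])) return deny(403, 'owner_mismatch');
    return { allowed: true, body: { ...body, [field]: user.id } };
  }

  // update / delete: the stored document must belong to the caller ...
  if (!existing || !isCaller(existing[field])) return deny(403, 'owner_mismatch');
  // ... and an update may not hand the document to someone else.
  if (body && body[field] != null && !isCaller(body[field])) {
    return deny(403, 'owner_mismatch');
  }
  return { allowed: true, body };
}

// Constructed sample policy and caller.
const samplePolicy = { enabled: true, ownerField: 'owner' };
const sampleCaller = { id: 'u1' };
```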

Dashboard & UX Improvements

  • RLS controls moved to cleaner modal/dialog flow
  • Better owner field guidance in UI
  • Users schema setup UX improved with auth-focused preset path
  • Reduced false-positive warnings in auth setup flow

Documentation Updates

  • Updated docs for pk_live behavior under RLS
  • Clarified users should be managed via /api/userAuth/*
  • Added quick RLS verification/testing guidance

Validation Summary

  • Build passed
  • Web dashboard lint passed
  • Public API test suite passed (including RLS write authorization coverage)

Breaking / Behavioral Notes

  • pk_live write behavior is now policy-driven and stricter by default.
  • User-management requests should use /api/userAuth/*; direct /api/data/users* is intentionally blocked.

v0.3.0: The Microservices Monorepo Update

21 Mar 18:47

Welcome to the biggest architectural update in urBackend history! We have completely rewritten our foundation to transition from a single monolithic backend to a highly scalable NPM Workspaces Monorepo.

🔥 Major Architectural Changes

  • Monolith Deprecated: The old legacy-backend has been completely removed in favor of a modern, independent microservices architecture.
  • NPM Workspaces Setup: The entire repository is now structured using npm workspaces for seamless dependency sharing and local execution via cleanly separated apps/* and packages/* directories.
  • Shared Core Library (@urbackend/common): All Mongoose models, Express middlewares, Redis queues, and database configurations have been extracted into a central packages/common component to strictly enforce DRY principles.

🏗️ New Services Introduced

  • dashboard-api (Control Plane): A dedicated, secure backend isolated for the SaaS admin panel. It exclusively handles project creation, API key rolling, and developer authentication.
  • public-api (Data Plane): A highly scalable, decoupled backend handling all project-related public data routing, schema validation, and Supabase storage requests via API keys.

🛠️ Developer Experience & DevOps

  • Concurrent Dev Mode: Boot the whole stack! Running npm run dev at the root directly powers up the React frontend (web-dashboard), dashboard-api, and public-api simultaneously with colored logging.
  • Advanced Docker Orchestration: Fully containerized environment. A single docker-compose up spins up MongoDB, Redis, and both API microservices equipped with properly cached, multistage Dockerfiles.
  • Isolated Rate Limiting: Dedicated rate limiting and robust error catchers deployed independently for public and admin routes.

Upgrade Note for Contributors:
Please run a fresh npm install at the root directory to properly symlink the new workspaces before starting the development server.

The Dynamic Infrastructure Update

07 Mar 19:30

Release v0.2.0 — The DX, Security & Infrastructure Revolution 🚀

Overview
Following our Genesis launch, we're taking urBackend to the next level. This massive platform update hands ultimate control over to developers through our new BYO (Bring Your Own) DB architecture, revolutionizes the Developer Experience (DX), and fortifies our security systems from the ground up.

Key Features & Updates

1. Bring Your Own Database (BYOD) 🗄️

  • Your Database, Your Rules: Bypass our shared infrastructure. You can now seamlessly connect your own external MongoDB URI directly to your project.
  • Data Privacy: Your project's collections and dynamic schemas will be routed and stored entirely on your own external DB, keeping your users' data in your total control.

2. Dual API Keys & Granular RBAC 🔑

  • Publishable vs Secret: Completely replaced the single API key system. Projects now issue a Publishable Key (pk_live_) safe for frontends, and a Secret Key (sk_live_) for secure server-side operations.
  • Strict Guardrails: Data-destructive endpoints now reject any request made with a Publishable key.

3. Fortified Infrastructure & Security 🔒

  • CORS Allowed Domains: Implemented strict Origin header validations. Your Publishable keys will automatically reject requests (403 Forbidden) originating from un-whitelisted domains, stopping quota theft.
  • Dynamic Auth Setup: Toggling Auth intelligently manages state and strictly blocks activation until a proper users collection is defined.
  • Brute-Force Protection: Added a designated authLimiter to prevent credential stuffing. JWTs now explicitly expire in 7 days, and OTP attempts are capped.
  • IDOR Patches: Comprehensive audit to fix Insecure Direct Object Reference vulnerabilities. Developers can only modify resources they strictly own.
  • Docker Hardening: Backend containers now run as non-root users, keeping internal database/cache ports completely isolated.

4. Advanced Dynamic Schemas & Query Engine v1 📦

  • Deep Nesting Support: Full schema support for Object (nested JSON structures), Array (lists), and Ref (relational linking between collections).
  • Advanced Querying: Added powerful filtering operators (_gt, _lt, _gte, _lte), sort=field:order indexing, and robust pagination logic (page/limit) to the core Data API.

5. Revamped Dashboard & Data Management 🪪

  • Dynamic User Forms: The Auth page automatically reads your custom users schema and generates native inputs (Text, Number, Boolean) for custom fields—replacing the legacy JSON editor.
  • Secure Admin Controls: Send secure OTPs, reset user passwords, and manage profiles directly from the admin dashboard without ever exposing password hashes to the frontend.
  • Database Redesign: Completely redesigned Database UI featuring a streamlined navigation sidebar, optimized record tables, and powerful Row Action drawers for complex objects/arrays.

6. Official GitBook Documentation & Brand Refresh 📖

  • GitBook Integration: We have completely migrated to a modular structure for our official docs. Check out the new guides at docs.urbackend.bitbros.in.
  • Docker Self-Hosting Engine: Added a robust docker-compose.yml to spin up the entire urBackend ecosystem locally or on a VPS in a single command.

🛠️ Noteworthy Bug Fixes

  • Double OTP Patch: Resolved an issue resulting in duplicate OTP emails during developer signups.
  • Cache Integrity: Fixed a Redis caching bug where raw Mongoose documents were corrupting application state and flags on page refreshes.
  • Analytics Stability: Implemented persistent database-backed global visit counters for accurate landing page analytics across server restarts.
  • Safe Resource Teardown: Safe Project Deletion now leaves external databases and storage buckets (Supabase) untouched during project destruction.

What's Changed

Full Changelog: v0.1.0...v0.2.0

v0.1.0: MVP Launch - Stop Writing Boilerplate

08 Jan 20:21
51dcf0a

Release v0.1.0 — The Genesis Update 🚀

Overview
I am excited to announce the first stable release of urBackend! urBackend is an open-source Backend-as-a-Service (BaaS) platform designed to help frontend developers skip the repetitive tasks of backend development. With this release, you can set up a production-ready backend infrastructure in seconds.

✨ Key Features

  • Instant NoSQL Database: Create collections and manage JSON data through a visual dashboard. Powered by dynamic Mongoose models that adapt to your schema on the fly.
  • Built-in Authentication: Ready-to-use User Management including Sign-up, Login (JWT-based), and Profile management without writing any auth logic.
  • Integrated Cloud Storage: Seamless file and image uploads managed via Supabase storage with public CDN links.
  • Project Dashboard: A unified interface to manage multiple projects, define schemas, and monitor data.
  • Developer Analytics: Real-time monitoring of API traffic and usage limits via interactive charts.
  • Security First: API Key-based access control to protect your data and prevent unauthorized access.

🛠️ Tech Stack

  • Backend: Node.js & Express.
  • Database: MongoDB with a custom dynamic schema engine.
  • Storage: Supabase.
  • Frontend: React (Vite), Tailwind CSS, and Recharts.

📖 Quick Start

  • Create a Project on the urBackend Dashboard.
  • Define your Schema (Collections and Columns).
  • Get your API Key from the Project Settings.
  • Start fetching: Use our REST endpoints to push or pull data immediately.

🤝 Contributing
This is just the beginning. Check out our CONTRIBUTING.md to see how you can help us build the future of BaaS.
