Releases: logto-io/logto

v1.0.0-rc.2

25 Feb 15:25
v1.0.0-rc.2
cda2c82

Please see v1.0.0-rc.3.

v1.0.0-rc.1

03 Feb 09:51
v1.0.0-rc.1
b2f4b72

Note
For the full release notes of the recent major release, please see v1.0.0-rc.0.

What's Changed

  • fix(core): insert id when patch application #3052
  • fix(ui): should handle requiredProfile error on bindSocialRelatedUser #3034

Full Changelog: v1.0.0-rc.0...v1.0.0-rc.1

v1.0.0-rc.0

02 Feb 15:22
v1.0.0-rc.0
8f61cf7

v1.0.0-rc.0 (2023-02-02)

Note
Please welcome our first release candidate! Logto is just a few steps away from general availability.

💥 Breaking changes 💥

  • core: remove GET /settings and PATCH /settings API
  • core: add GET /configs/admin-console and PATCH /configs/admin-console API
    • /configs/* APIs are now config/key-specific. They may have different logic per key.
  • core: officially remove all deprecated /session APIs
  • core: use HTTP/2 to serve TLS (HTTPS) connections
  • cli: change valid logto db config keys by removing alterationState and adding adminConsole since:
    • OIDC configs and admin console configs are tenant-level configs (the concept of "tenant" can be ignored until we officially announce it)
    • alteration state is still a system-wide config
  • For admin access from Machine to Machine applications, it is now required to add the scope "all" to the client configs in order to fetch a proper Access Token.

🔒 Role-Based Access Control

We are excited to introduce our latest addition to our product, Role-Based Access Control (RBAC). This powerful feature gives administrators the ability to assign specific roles and permissions to users, ensuring they only have access to the resources and functions they need to do their job.

With RBAC, administrators can:

  • Define permissions across APIs
  • Create custom roles with specific permissions
  • Assign roles to users and manage their roles
  • Easily manage and update permissions
  • Securely validate permissions to protect APIs

Logto takes a major step forward in security and control with easy access management and authorization of sensitive info, ensuring only authorized users have the right to access. This aligns with our vision to provide an open-source identity solution with features for authentication and authorization, and packed with all the features you need.

Note
If you are using Logto SDKs, please upgrade to the latest version to take advantage of RBAC.

Check out our RBAC recipe for a step-by-step guide. Give it a try and let us know what you think!

🏄 Streamlined social sign-in flow

💡 Logto now detects a trusted email (or phone number) from the social account during social sign-in.

  • If the email (or phone number) has been registered: Automatically connect the social identity to the existing user account with a single click.
  • If the email (or phone number) is not registered: Automatically sync the user profile with the social-provided email (or phone number) if and only if it is marked as a required user profile.

🔢 Send and verify verification codes via Management API

The new Management APIs allow you to reuse connectors to dynamically send and verify verification codes for various purposes, such as validating identity before a user updates their profile or performs a dangerous action.

  • Call /api/verification-code to send a verification code to a given email or phone
  • Call /api/verification-code/verify to verify the code against a given email or phone

↩️ Rollback database alteration state

In case of any issues with the database, you can now use the logto db alteration rollback [target] command to roll back all database schemas to a previous version, for example logto db alteration rollback v1.0.0-beta.19.

v1.0.0-beta.19

06 Jan 09:03
v1.0.0-beta.19
4d9d166

v1.0.0-beta.19 (2023-01-06)

  • Fixed an alteration scripts issue

For full release notes of the recent major release, please see v1.0.0-beta.18.

v1.0.0-beta.18

01 Jan 12:07
v1.0.0-beta.18
9c1b3d7

Logto New Year Release (v1.0.0-beta.18)

🙋 Hey folks!

For the first day of 2023, we shipped a few things for everybody:

  • Web hooks, Advanced search API, New connectors
  • Admin console enhancement, Refactored Interaction APIs and Audit logs
  • New blog posts

Note
We are currently busy working on the general availability version which includes User profile, RBAC (Role-based access control), and much more!

💥 Breaking change 💥

If you want to perform the original fuzzy user search via Management API, adding % around the keyword is required. E.g.:

Original: GET /users?search=foo
Now: GET /users?search=%foo%

Migration

If you are upgrading from an older version of Logto, make sure to go through our Database alteration tutorial.

Feature updates

🪝 Web hooks

With hooks, Logto offers next-level extensibility, letting you interact with other services in an event-based manner. E.g., run some async jobs after a new user has registered.

We support three events in this version: PostRegister, PostSignIn and PostResetPassword. Check out 🪝 Web hooks for the concept explained and detailed usage.

⚙️ Advanced search API

Management API is a programmatic way to communicate with Logto. We redesigned the user search API to make it powerful for advanced search requests.

Now you can designate one or multiple search fields as well as the match mode. For example, you can search for users whose:

  • Name starts with “Alice”, case-sensitive; or
  • Email includes “Alice”, case-insensitive.

Exact search is also supported, e.g., search for users whose name is exactly “John Wick”. See Advanced user search for details.

🔗 Connectors

Logto is built on open standards, and we believe they can eliminate enormous gaps in software development. From this version, Logto supports creating multiple connectors based on the same open standard: OAuth 2.0 or OpenID Connect. We call them “standard connectors”.

We are developing more standard connectors like SAML and LDAP. Feel free to let us know your needs!

Besides, we’d like to highlight our community contributors:

  • @kentio contributed AWS SES connector
  • @StringKe contributed Tencent SMS and Feishu (Lark) connector

Thank you!

Enhancement

💻 Admin Console enhancement to streamline the setup process

💡 We revisited the Logto admin console UI and gave it a fresh look! The goal is to make the admin console more intuitive and aesthetically pleasing, which helps developers perform their tasks more efficiently.

You will notice the following enhancements:

  • Responsive design improvement: We optimized the responsive design to ensure that the interface looks great on different screen sizes.
  • Simplification of the layout: We have streamlined the layout of the interface, organizing the content in a more logical and intuitive way. This makes it easier for our developers to navigate the interface and find what they are looking for.
  • Fixed the non-intuitive interaction behaviors: We changed the saving interaction and made it a section-level behavior, which avoids showing too many double-check alerts. We wish to provide a more secure developer experience when making configuration changes.

Please check it out and explore, and let us know how you feel! 😉

🧑‍🚀 Refactored Interaction APIs and Audit logs

Due to the increased flexibility and complexity of the Sign-in experience, and to provide even more auditable and structured logs for user interactions, we decided to refactor our Interaction APIs together with the logging mechanism. The original session APIs are now deprecated.

Note
This API change does not affect the end-user Sign-in experience.

Audit logs are now finely categorized by the new key definitions, and payloads are optimized for behavior tracing. Check out the “Audit logs” tab in the Admin console to see the change.

Blog posts

v1.0.0-beta.17

13 Dec 08:23
v1.0.0-beta.17
8a32d7a

1.0.0-beta.17 (2022-12-13)

  • Fix a bug to correctly show the "Forgot password" button during sign-in experience when only SMS connector is configured.

Update 2022-12-30

The GitHub release now also has the built-in connectors available.

v1.0.0-beta.16

30 Nov 09:40
v1.0.0-beta.16
66fbb43

1.0.0-beta.16 (2022-11-30)

Note
This release is a hot-fix based on v1.0.0-beta.14.

Bug fix

Unblock the "Continue" flow for some end-users (fixes #2555)

Users could get stuck during sign-in when email or phone is the sign-up identifier (required), but they don't have one in Logto.

Connectors

If you enabled email or SMS connector, please add the "Continue" template to make sure "Forgot password" works.

Please upgrade connectors as well to get the latest connector template for "Continue" flow configuration. Or you can go to the connectors repo to read the latest README.

Feel free to jump into our Discord server if you run into any issues.

v1.0.0-beta.14

16 Nov 11:37
v1.0.0-beta.14
df9fc56

1.0.0-beta.14 (2022-11-16)

Bug fix

🙇 Fix an issue where the CLI cannot find the database alteration scripts and Logto fails to start.

Before restarting Logto, use npx @logto/cli db alt deploy to deploy the latest database alterations.

Cause

We just switched our publishing to changesets, and it didn't run the version script during version bumping. See #2461 for details.

v1.0.0-beta.13

15 Nov 05:52
v1.0.0-beta.13
2303a78

1.0.0-beta.13 (2022-11-15)

Note
If you experience database alteration issues when upgrading to this version, please upgrade directly to v1.0.0-beta.14.

💥 Breaking change 💥

Logto now uses a case-insensitive strategy for matching emails. Note that we still store the raw values for better email delivery, so this change affects existing emails that share an identical lowercased address.

Feel free to contact us if this issue blocks the upgrade.

Sign-in Experience v2

We are thrilled to announce the release of the newest version of the Sign-in Experience, which includes more ways to sign-in and sign-up, as well as a framework that is easier to understand and more flexible to configure in the Admin Console.

When compared to Sign-in Experience v1, this version’s capability was expanded so that it could support a greater variety of flexible use cases. For example, now users can sign up with email verification code and sign in with email and password.

Besides, the forgot password flow will automatically appear when the conditions are met.

We hope that this will be able to assist developers in delivering a successful sign-in flow, which will also be appreciated by the end users.

CLI

Rotate your private or secret key

We added a new command db config rotate <key> to support key rotation via CLI.

When rotating, the CLI will generate a new key and prepend it to the corresponding key array. Thus the old key is still valid and the service will use the new key for signing.

Run logto db config rotate help for detailed usage.

Trim the private or secret key you don't need

If you want to trim one or more outdated private or secret key(s) from the config, use the command db config trim <key>. It will remove the last item (private or secret key) in the array.

You may remove the old key after a certain period (such as half a year) so that most of your users have time to touch the new key.

If you want to remove multiple keys at once, just append a number to the command. E.g. logto db config trim oidc.cookieKeys 3.

Run logto db config trim help for detailed usage.
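
The rotate and trim behaviour described above, sketched as an added example (not Logto's own code). It assumes an HMAC secret list in the style of oidc.cookieKeys; the function names, the constructed keys and the guard that refuses to trim the signing key are all assumptions of this example.

```javascript
// Added illustration, not Logto's source code. It models the key-array
// semantics described above for an HMAC secret list such as oidc.cookieKeys.
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

// rotate: the new key is prepended, so it becomes the signing key (index 0)
// while every older key remains available for verification.
function rotate(keys, newKey = randomBytes(32).toString('hex')) {
  return [newKey, ...keys];
}

// trim: drop `count` keys from the end of the array (the oldest ones).
// Refusing to drop the signing key is this example's own guard (assumption).
function trim(keys, count = 1) {
  if (!Number.isInteger(count) || count < 1 || count >= keys.length) {
    throw new RangeError('count must be between 1 and keys.length - 1');
  }
  return keys.slice(0, keys.length - count);
}

const mac = (key, value) => createHmac('sha256', key).update(value).digest();

// Signing always uses the newest key.
const sign = (keys, value) => mac(keys[0], value).toString('hex');

// Returns the index of the key that verified the signature, or -1.
// An index above 0 means the value was signed before the last rotation.
function verify(keys, value, signature) {
  const given = Buffer.from(signature, 'hex');
  for (let i = 0; i < keys.length; i += 1) {
    const expected = mac(keys[i], value);
    if (given.length === expected.length && timingSafeEqual(given, expected)) return i;
  }
  return -1;
}

// Walk through rotate -> trim with constructed keys and a constructed cookie.
function demo() {
  let keys = ['constructed-old-secret'];
  const cookie = 'session=constructed';
  const oldSig = sign(keys, cookie);
  keys = rotate(keys, 'constructed-new-secret');
  const afterRotate = verify(keys, cookie, oldSig); // old key now at index 1
  const newSig = sign(keys, cookie);
  keys = trim(keys); // removes the old secret
  return { afterRotate, afterTrim: verify(keys, cookie, oldSig), current: verify(keys, cookie, newSig) };
}
```

Anything signed only by a trimmed key stops verifying, which is why the trim should wait until values issued under the old key have expired or been re-issued.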

I18n

Thanks @lukashass for adding the German language.

Add user suspend API endpoint

Use PATCH /api/users/:userId/is-suspended to update a user's suspended state. Once a user is suspended, all refresh tokens belonging to this user will be revoked.

Suspended users will get an error toast when trying to sign in.

Contributors

@ihsanguldur @alexgaribay @abellion @djyde

v1.0.0-beta.12

19 Oct 08:40
v1.0.0-beta.12
c0fb598

1.0.0-beta.12 (2022-10-19)

We’re super excited to announce some new capabilities in this release that will make Logto more accessible to developers and users all around the world. Get a taste of them and tell us what you think!

Migrate from previous versions

Here, we debut the new CLI and switch OIDC configurations from using environment variables to the database. Updating the Logto core necessitates the following two procedures:

  1. Execute npx @logto/cli db alteration deploy 1.0.0-beta.12 to finish updating the database schema.
  2. Migrate the OIDC configurations by following Migrate configs from env.

Note
For Docker image users: now DB_URL_DEFAULT has been changed to DB_URL.

Sign-in Experience i18n

Manage languages

The warm reception Logto has received since its initial release in July has resulted in numerous language contributions from the community. This motivates us to localize and tailor the sign-in process even more.

Now, we're ecstatic to announce that Logto Sign-in Experience has full support for i18n, which means your products can reach a wider global audience and offer more personalized and contextualized options for all users.

  • We have 6 predefined languages to choose from, all of which were created by our international community and can be modified to your liking.
  • Support for up to 113 language tags, allowing you to use your own translation in order to reach the vast majority of countries worldwide.

The admin console already includes this functionality. The "Language" section of the Sign-in Experience tab is where you'll be able to rapidly set up and manage your keys and custom values.

CLI: Exclusively for Logto

Terminal with Logto CLI

Struggling with complicated commands? That's not how we roll. So we're bringing some friendly little things to keep the elegance going even in the command line.

If you're trying to install Logto on your machine, skip the long, scary install command. It now reads:

npm init @logto

And you are all set. Check out Using CLI for a detailed explanation of how to use Logto CLI.

Contributors

Thank you! 💗