Releases: andregoepel/marten-identity
v1.1.1
What's Changed
- chore: add Claude Code permission allowlist by @andregoepel in #56
- chore: resolve C# build warnings (naming, redundancy, analyzer cleanup) by @andregoepel in #57
- chore(deps): bump actions/checkout from 4.3.1 to 7.0.0 by @dependabot[bot] in #58
- chore(deps): bump actions/setup-dotnet from 4.3.1 to 5.4.0 by @dependabot[bot] in #59
- Bump the nuget-minor-patch group with 4 updates by @dependabot[bot] in #60
Full Changelog: v1.1.0...v1.1.1
v1.1.0
First stable 1.1 release. Hardens the sign-in flow and the security posture of the library.
Security
- Sign-in handoff moved into the request body (#40): the single-use handle is POSTed same-origin instead of travelling in the URL — keeping it out of access logs, browser history and Referer, and preventing cross-site sign-in (login CSRF / session fixation). Sets Referrer-Policy: no-referrer.
- Login fix (#55): the handoff POST no longer trips the host's UseAntiforgery(). These middleware endpoints are guarded by a same-origin check plus the single-use handle; the deferred antiforgery validation is cleared before the form is read, so login works across host render modes (incl. global InteractiveServer + prerender).
- Default-deny readiness + domain-layer invariants (#41).
- Unique active role names via a partial unique index.
- First root user is created with LockoutEnabled = false; root user automatically receives the Administrator role, with a single-root safeguard.
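The handoff pattern from the first two Security items, sketched as an ASP.NET Core minimal API. This is an added example, not marten-identity's own code: the /signin-handoff route, the handle form field, HandoffStore and IsSameOrigin are hypothetical names, and the store is in-memory for brevity.

```csharp
using System.Collections.Concurrent;
using System.Security.Cryptography;
var app = WebApplication.CreateBuilder(args).Build();
var store = new HandoffStore();   // hypothetical in-memory store
app.MapPost("/signin-handoff", async (HttpContext ctx) =>   // hypothetical route
{
    ctx.Response.Headers["Referrer-Policy"] = "no-referrer";
    // Same-origin check first: a cross-site form post is rejected before the body is read.
    if (!IsSameOrigin(ctx.Request))
        return Results.StatusCode(StatusCodes.Status403Forbidden);
    var form = await ctx.Request.ReadFormAsync();
    // The handle arrives in the body, so it never appears in the URL, logs or Referer.
    if (!store.TryConsume(form["handle"].ToString(), out var userId))
        return Results.StatusCode(StatusCodes.Status401Unauthorized);
    // A real host would issue its authentication cookie for userId here.
    return Results.Redirect("/");
});
app.Run();

// Assumption: Scheme and Host reflect the public origin (forwarded headers already applied).
static bool IsSameOrigin(HttpRequest req)
{
    // Default deny: a missing or malformed Origin header fails the check.
    if (!Uri.TryCreate(req.Headers["Origin"].ToString(), UriKind.Absolute, out var sent) ||
        !Uri.TryCreate($"{req.Scheme}://{req.Host}", UriKind.Absolute, out var own))
        return false;
    return sent.Scheme == own.Scheme && sent.Port == own.Port &&
           string.Equals(sent.Host, own.Host, StringComparison.OrdinalIgnoreCase);
}

sealed class HandoffStore
{
    private readonly ConcurrentDictionary<string, (string UserId, DateTimeOffset Expires)> _pending = new();
    public string Issue(string userId, TimeSpan ttl)
    {
        var handle = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _pending[handle] = (userId, DateTimeOffset.UtcNow.Add(ttl));
        return handle;
    }
    // TryRemove is atomic, so a handle can be redeemed once; replayed or expired handles fail.
    public bool TryConsume(string handle, out string userId)
    {
        userId = "";
        if (!_pending.TryRemove(handle, out var entry) || entry.Expires < DateTimeOffset.UtcNow)
            return false;
        userId = entry.UserId;
        return true;
    }
}
```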
Supply chain
- SHA-pinned GitHub Actions, NuGet lockfiles with locked-mode CI restore, Testcontainers image pinned by digest, vulnerability scan in CI, Dependabot + auto lockfile sync.
Dependencies
- Radzen.Blazor 11.x.
Upgrade from 1.0.x is recommended; older versions are deprecated.
v1.1.0-preview3
What's Changed
- ci: auto-regenerate packages.lock.json on Dependabot PRs by @andregoepel in #53
- fix(login): include antiforgery token in the sign-in handoff form by @andregoepel in #54
Full Changelog: v1.1.0-preview2...v1.1.0-preview3
v1.1.0-preview2
What's Changed
- feat(security): POST the sign-in handoff in the body, not the URL (#40) by @andregoepel in #52
- Bump Radzen.Blazor from 10.4.4 to 11.0.4 by @dependabot[bot] in #48
- Bump the nuget-minor-patch group with 6 updates by @dependabot[bot] in #47
Full Changelog: v1.1.0-preview1...v1.1.0-preview2
v1.1.0-preview1
What's Changed
- chore(ci): supply-chain hardening — pin actions, lockfiles, image digest, vuln gate by @andregoepel in #44
- docs(security): trust boundaries + host obligations (THREAT-MODEL.md) by @andregoepel in #49
- feat(security): default-deny readiness + domain-layer invariants (#41) by @andregoepel in #50
- chore(deps): bump actions/setup-dotnet from 4.3.1 to 5.3.0 by @dependabot[bot] in #45
- chore(deps): bump actions/checkout from 4.3.1 to 7.0.0 by @dependabot[bot] in #46
- feat(security): unique active role names (partial unique index) by @andregoepel in #51
New Contributors
- @dependabot[bot] made their first contribution in #45
Full Changelog: v1.0.2...v1.1.0-preview1