Releases: andregoepel/marten-identity

v1.1.1

@andregoepel andregoepel released this 03 Jul 02:34
832a743

What's Changed

  • chore: add Claude Code permission allowlist by @andregoepel in #56
  • chore: resolve C# build warnings (naming, redundancy, analyzer cleanup) by @andregoepel in #57
  • chore(deps): bump actions/checkout from 4.3.1 to 7.0.0 by @dependabot[bot] in #58
  • chore(deps): bump actions/setup-dotnet from 4.3.1 to 5.4.0 by @dependabot[bot] in #59
  • Bump the nuget-minor-patch group with 4 updates by @dependabot[bot] in #60

Full Changelog: v1.1.0...v1.1.1

v1.1.0

@andregoepel andregoepel released this 26 Jun 15:13
a0e1c0c

First stable 1.1 release. Hardens the sign-in flow and the security posture of the library.

Security

  • Sign-in handoff moved into the request body (#40): the single-use handle is POSTed same-origin instead of travelling in the URL — keeping it out of access logs, browser history and Referer, and preventing cross-site sign-in (login CSRF / session fixation). Sets Referrer-Policy: no-referrer.
  • Login fix (#55): the handoff POST no longer trips the host's UseAntiforgery(). These middleware endpoints are guarded by a same-origin check plus the single-use handle; the deferred antiforgery validation is cleared before the form is read, so login works across host render modes (incl. global InteractiveServer + prerender).
  • Default-deny readiness + domain-layer invariants (#41).
  • Unique active role names via a partial unique index.
  • First root user is created with LockoutEnabled = false; root user automatically receives the Administrator role, with a single-root safeguard.
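
A sketch of the handoff pattern described in the first two Security items above, added here as an example and not taken from marten-identity: the `/signin-handoff` route, the `handle` form field and `HandoffStore` are hypothetical names, and an ASP.NET Core web project with implicit usings is assumed.

```csharp
// Added example with hypothetical names; not marten-identity's own code.
using System.Collections.Concurrent;
using System.Security.Cryptography;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddSingleton<HandoffStore>();
var app = builder.Build();

app.MapPost("/signin-handoff", async (HttpContext ctx, HandoffStore store) =>
{
    ctx.Response.Headers["Referrer-Policy"] = "no-referrer";

    // Same-origin check: the browser-supplied Origin must match this host exactly.
    var expected = $"{ctx.Request.Scheme}://{ctx.Request.Host}";
    var origin = ctx.Request.Headers["Origin"].ToString();
    if (!string.Equals(origin, expected, StringComparison.OrdinalIgnoreCase))
        return Results.StatusCode(StatusCodes.Status403Forbidden);

    // The handle is read from the form body, so it never appears in the URL,
    // access logs, browser history or a Referer header.
    var form = await ctx.Request.ReadFormAsync();
    if (!store.TryRedeem(form["handle"].ToString(), out var userId))
        return Results.BadRequest();

    // A real host would issue the authentication cookie for userId here.
    return Results.Redirect("/");
});

app.Run();

sealed class HandoffStore
{
    private readonly ConcurrentDictionary<string, (string UserId, DateTimeOffset Expires)> _pending = new();

    // Called after credentials are verified; returns an unguessable 256-bit handle.
    public string Issue(string userId, TimeSpan lifetime)
    {
        var handle = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _pending[handle] = (userId, DateTimeOffset.UtcNow + lifetime);
        return handle;
    }

    // TryRemove is atomic, so a replayed or concurrently submitted handle fails.
    public bool TryRedeem(string handle, out string userId)
    {
        userId = "";
        if (!_pending.TryRemove(handle, out var entry)) return false;
        if (entry.Expires < DateTimeOffset.UtcNow) return false;
        userId = entry.UserId;
        return true;
    }
}
```

Behind a reverse proxy, `Request.Scheme` and `Request.Host` only reflect the public origin if the host has forwarded headers configured.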

Supply chain

  • SHA-pinned GitHub Actions, NuGet lockfiles with locked-mode CI restore, Testcontainers image pinned by digest, vulnerability scan in CI, Dependabot + auto lockfile sync.

Dependencies

  • Radzen.Blazor 11.x.

Upgrade from 1.0.x is recommended; older versions are deprecated.

v1.1.0-preview3

Pre-release

@andregoepel andregoepel released this 26 Jun 14:07
acbd9cf

What's Changed

  • ci: auto-regenerate packages.lock.json on Dependabot PRs by @andregoepel in #53
  • fix(login): include antiforgery token in the sign-in handoff form by @andregoepel in #54

Full Changelog: v1.1.0-preview2...v1.1.0-preview3

v1.1.0-preview2

Pre-release

@andregoepel andregoepel released this 26 Jun 13:32
d6a51d4

What's Changed

  • feat(security): POST the sign-in handoff in the body, not the URL (#40) by @andregoepel in #52
  • Bump Radzen.Blazor from 10.4.4 to 11.0.4 by @dependabot[bot] in #48
  • Bump the nuget-minor-patch group with 6 updates by @dependabot[bot] in #47

Full Changelog: v1.1.0-preview1...v1.1.0-preview2

v1.1.0-preview1

Pre-release

@andregoepel andregoepel released this 26 Jun 04:12
c70b8cc

What's Changed

  • chore(ci): supply-chain hardening — pin actions, lockfiles, image digest, vuln gate by @andregoepel in #44
  • docs(security): trust boundaries + host obligations (THREAT-MODEL.md) by @andregoepel in #49
  • feat(security): default-deny readiness + domain-layer invariants (#41) by @andregoepel in #50
  • chore(deps): bump actions/setup-dotnet from 4.3.1 to 5.3.0 by @dependabot[bot] in #45
  • chore(deps): bump actions/checkout from 4.3.1 to 7.0.0 by @dependabot[bot] in #46
  • feat(security): unique active role names (partial unique index) by @andregoepel in #51

Full Changelog: v1.0.2...v1.1.0-preview1