
v1.1.0


@andregoepel andregoepel released this 26 Jun 15:13
a0e1c0c

First stable 1.1 release. Hardens the sign-in flow and the security posture of the library.

Security

  • Sign-in handoff moved into the request body (#40): the single-use handle is POSTed same-origin instead of travelling in the URL — keeping it out of access logs, browser history and Referer, and preventing cross-site sign-in (login CSRF / session fixation). Sets Referrer-Policy: no-referrer.
  • Login fix (#55): the handoff POST no longer trips the host's UseAntiforgery(). These middleware endpoints are guarded by a same-origin check plus the single-use handle; the deferred antiforgery validation is cleared before the form is read, so login works across host render modes (incl. global InteractiveServer + prerender).
  • Default-deny readiness + domain-layer invariants (#41).
  • Unique active role names via a partial unique index.
  • First root user is created with LockoutEnabled = false; root user automatically receives the Administrator role, with a single-root safeguard.
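Added example, not the library's own code: a minimal-API sketch of the handoff shape described in #40/#55, where the single-use handle travels in a same-origin POST body instead of the URL, the endpoint answers with Referrer-Policy: no-referrer, and a consumed handle cannot be replayed. It opts the endpoint out of antiforgery with .NET 8's DisableAntiforgery() rather than clearing the deferred validation as the library does; the route, in-memory store and 60-second lifetime are assumptions.

```csharp
// Added illustration (not the library's code): same-origin POST handoff with a single-use handle.
// Assumptions: .NET 8 minimal API; route, in-memory store and handle lifetime are illustrative.
using System.Collections.Concurrent;
using System.Security.Cryptography;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAntiforgery();
var app = builder.Build();
app.UseAntiforgery();

// Handles are issued when sign-in succeeds and consumed exactly once by the handoff POST.
var handles = new ConcurrentDictionary<string, (string UserId, DateTimeOffset Expires)>();

string IssueHandle(string userId)
{
    var handle = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32)); // 256-bit random
    handles[handle] = (userId, DateTimeOffset.UtcNow.AddSeconds(60));
    return handle;
}

// Same-origin check: Origin (Referer as fallback) must match this request's own scheme and host.
static bool IsSameOrigin(HttpRequest req)
{
    var expected = $"{req.Scheme}://{req.Host}";
    var origin = req.Headers.Origin.FirstOrDefault() ?? req.Headers.Referer.FirstOrDefault();
    return origin is not null
        && Uri.TryCreate(origin, UriKind.Absolute, out var u)
        && string.Equals(u.GetLeftPart(UriPartial.Authority), expected, StringComparison.OrdinalIgnoreCase);
}

app.MapPost("/auth/handoff", async (HttpContext ctx) =>
{
    ctx.Response.Headers["Referrer-Policy"] = "no-referrer";
    if (!IsSameOrigin(ctx.Request))
        return Results.StatusCode(StatusCodes.Status403Forbidden); // cross-site POST: refuse

    var form = await ctx.Request.ReadFormAsync();
    var handle = form["handle"].ToString();
    // TryRemove makes the handle single-use: a replayed or expired POST finds nothing valid.
    if (!handles.TryRemove(handle, out var entry) || entry.Expires < DateTimeOffset.UtcNow)
        return Results.StatusCode(StatusCodes.Status400BadRequest);

    // Establish the session for entry.UserId here (cookie sign-in omitted for brevity).
    return Results.Redirect("/");
})
.DisableAntiforgery(); // guarded by the same-origin check plus the single-use handle instead

app.Run();
```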

Supply chain

  • SHA-pinned GitHub Actions, NuGet lockfiles with locked-mode CI restore, Testcontainers image pinned by digest, vulnerability scan in CI, Dependabot + auto lockfile sync.

Dependencies

  • Radzen.Blazor 11.x.

Upgrade from 1.0.x is recommended; older versions are deprecated.