v1.1.0
First stable 1.1 release. Hardens the sign-in flow and the security posture of the library.
Security
- Sign-in handoff moved into the request body (#40): the single-use handle is POSTed same-origin instead of travelling in the URL, keeping it out of access logs, browser history and Referer, and preventing cross-site sign-in (login CSRF / session fixation). Sets Referrer-Policy: no-referrer.
- Login fix (#55): the handoff POST no longer trips the host's UseAntiforgery(). These middleware endpoints are guarded by a same-origin check plus the single-use handle; the deferred antiforgery validation is cleared before the form is read, so login works across host render modes (incl. global InteractiveServer + prerender).
- Default-deny readiness + domain-layer invariants (#41).
- Unique active role names via a partial unique index.
- First root user is created with LockoutEnabled = false; root user automatically receives the Administrator role, with a single-root safeguard.
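As an added illustration, not the library's own code: an ASP.NET Core minimal-API sketch of the handoff POST guarded by a same-origin check plus a single-use handle, as described in the Security notes above. It assumes .NET 8, cookie authentication, a hypothetical in-memory handle store and a form field named `handle`; it switches antiforgery off for that one endpoint with `DisableAntiforgery()` instead of clearing the deferred validation the way the library does.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie();
var app = builder.Build();
app.UseAuthentication();

// Hypothetical store: handle -> user id, filled when the interactive login succeeds.
// Single-use: TryRemove consumes the handle atomically, so a replayed POST finds nothing.
var pendingHandoffs = new ConcurrentDictionary<string, string>();
pendingHandoffs["demo-handle"] = "user-42";   // constructed sample value

app.MapPost("/auth/handoff", async (HttpContext ctx) =>
{
    // Keep the handoff URL out of Referer on any navigation that follows.
    ctx.Response.Headers["Referrer-Policy"] = "no-referrer";

    // Same-origin check: browsers attach Origin to POSTs, so a cross-site form post
    // (login CSRF) carries a foreign origin and is rejected before the form is read.
    var expected = $"{ctx.Request.Scheme}://{ctx.Request.Host}";
    if (!string.Equals(ctx.Request.Headers.Origin.ToString(), expected, StringComparison.OrdinalIgnoreCase))
        return Results.StatusCode(StatusCodes.Status403Forbidden);

    // The handle travels in the body, never in the query string or path.
    var form = await ctx.Request.ReadFormAsync();
    var handle = form["handle"].ToString();
    if (string.IsNullOrEmpty(handle) || !pendingHandoffs.TryRemove(handle, out var userId))
        return Results.StatusCode(StatusCodes.Status400BadRequest);

    var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, userId) },
                                      CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignInAsync(new ClaimsPrincipal(identity));
    return Results.Redirect("/");
})
// Antiforgery is off for this endpoint only; the same-origin check and the
// single-use handle are the CSRF protection here (illustrative choice, not the library's).
.DisableAntiforgery();

app.Run();
```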
Supply chain
- SHA-pinned GitHub Actions, NuGet lockfiles with locked-mode CI restore, Testcontainers image pinned by digest, vulnerability scan in CI, Dependabot + auto lockfile sync.
Dependencies
- Radzen.Blazor 11.x.
Upgrade from 1.0.x is recommended; older versions are deprecated.