Releases: glueful/users

v1.1.0

15 Jun 01:52
478d2e9

[1.1.0] - 2026-06-14

Added

  • Typed response DTOs TwoFactorChallengeData and OtpDispatchData, returned from the
    two-factor challenge and OTP-dispatch endpoints. Response envelopes remain byte-identical
    via HasResponseMessage.

Changed

  • Migrated OpenAPI documentation to the framework 1.57.0 reflect generator. Route
    documentation (summaries, query parameters, request-body fields and response codes)
    is now expressed as typed #[ApiOperation], #[QueryParam] and #[ApiResponse]
    attributes on the controller methods; the now-inert route-file docblocks were removed.
    Docs-only — no runtime behaviour changes.
  • Raised the minimum framework requirement to ^1.57.0.

v1.0.1

13 Jun 16:49
f838ae2

[1.0.1] - 2026-06-13

Fixed

  • Require a purpose-bound, single-use reset token for POST /auth/reset-password; POST /auth/verify-otp now returns that token when called with purpose=password_reset, closing the email-only password reset takeover path.
  • Revoke active framework sessions for the user after a successful password reset.
  • Add route-level rate limits to POST /auth/forgot-password and POST /auth/reset-password.
  • Cap failed 2FA PIN attempts per challenge and consume the challenge after repeated wrong codes.
  • Read and consume file-based OTP fallback records during OTP verification.
  • Guard password reset token consumption with an atomic consumed marker and log when session revocation cannot run because the session store is not bound.
  • Hard-deny additional sensitive account fields (two_factor_secret, remember_token, provider_id) from profile projection.
  • Align 2FA route registration and service defaults on auth.two_factor.enabled.
  • Keep SAML/LDAP provisioning writes within the canonical users and profiles schemas.
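The hardened reset flow described by the first, second and fifth items above, as an added illustration in Python (not the package's own PHP code): a token is issued bound to one user and one purpose, consumption flips a consumed marker under a lock so the token is accepted exactly once, and a successful reset revokes the user's sessions. All function, store and field names here are hypothetical.

```python
import hashlib, hmac, secrets, threading, time

# Constructed in-memory stand-in for the package's token table. Records are keyed
# by the SHA-256 of the raw token, so a leaked table does not yield usable tokens.
_TOKENS: dict[str, dict] = {}
_LOCK = threading.Lock()

def issue_token(user_uuid, purpose, ttl_seconds=900, now=None) -> str:
    """Mint a random token bound to exactly one user and one purpose."""
    raw = secrets.token_urlsafe(32)
    issued_at = time.time() if now is None else now
    _TOKENS[hashlib.sha256(raw.encode()).hexdigest()] = {
        "user_uuid": user_uuid, "purpose": purpose,
        "expires_at": issued_at + ttl_seconds, "consumed": False,
    }
    return raw

def consume_token(raw, user_uuid, purpose, now=None) -> bool:
    """Accept a token exactly once, only for the user and purpose it was issued for.

    The consumed marker is checked and set under one lock, so two concurrent requests
    carrying the same token cannot both succeed; the database equivalent is a
    conditional UPDATE ... WHERE consumed = 0 that must report one affected row.
    """
    with _LOCK:
        rec = _TOKENS.get(hashlib.sha256(raw.encode()).hexdigest())
        if rec is None or rec["consumed"]:
            return False
        if (time.time() if now is None else now) > rec["expires_at"]:
            return False
        # Constant-time comparison so a mismatch does not leak which field differed.
        if not (hmac.compare_digest(rec["user_uuid"], user_uuid)
                and hmac.compare_digest(rec["purpose"], purpose)):
            return False
        rec["consumed"] = True
        return True

def reset_password(raw_token, user_uuid, new_password, accounts, sessions) -> bool:
    """Reset only with a valid password_reset token, then revoke the user's sessions."""
    if not consume_token(raw_token, user_uuid, "password_reset"):
        return False
    salt = secrets.token_bytes(16)
    accounts[user_uuid] = {"salt": salt, "hash": hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), salt, 200_000)}
    sessions.pop(user_uuid, None)  # a reset invalidates any session still held for the user
    return True
```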

v1.0.0 — Identity, accounts & read endpoints

05 Jun 09:56
84d9639

First release of glueful/users — the first-party identity store and account
lifecycle for Glueful — now including config-driven account read endpoints.

Endpoints

  • GET /me — authenticated principal's account + nested profile (always on).
  • GET /users/{uuid} — another user's account + public profile. Off by default
    (enable with USERS_USER_LOOKUP_ENABLED=true); requires users.read.
  • GET /users — paginated list + nested public profile. Off by default
    (enable with USERS_USER_LOOKUP_ENABLED=true and USERS_USER_LIST_ENABLED=true);
    requires users.read. Supports ?page/?per_page (clamped), per-item ?fields=, and
    ?filter[...]/?sort/?search over username + profile name.

Also in 1.0.0 (foundation)

  • First-party user store (users + profiles) and UserRepository.
  • Identity seam (UserProvider → core UserProviderInterface).
  • Account-lifecycle endpoints (/auth email verification + password recovery).
  • Email-PIN two-factor authentication (/2fa, TWO_FACTOR_ENABLED).

Highlights

  • Safe by default — per-audience exposable columns, hard denylist
    (password/deleted_at/user_uuid), custom profiles columns opt-in only.
  • Field selection — prune-only REST dot-paths; disallowed fields omitted (never a
    400); all-disallowed → {}.
  • List safety — single LEFT JOIN (no N+1); soft-deleted profiles never affect
    membership or ordering; email filtering gated; status not filterable by default.

Configuration

Env                                  Default  Effect
USERS_USER_LOOKUP_ENABLED            false    Enables GET /users/{uuid}
USERS_USER_LIST_ENABLED              false    Enables GET /users (also needs lookup on)
USERS_USER_LIST_ALLOW_EMAIL_FILTER   false    Allow email in list filter/search

Exposable columns are configured in config/users.php (copy into your app's config/
to override).

Requirements

  • PHP 8.3+
  • glueful/framework ^1.50.1
  • glueful/email-notification (suggested) for password-reset / verification delivery

Full changelog: see CHANGELOG.md.