v1.0.1

@MichaelSowah MichaelSowah released this 13 Jun 16:49
· 3 commits to main since this release
f838ae2

[1.0.1] - 2026-06-13

Fixed

  • Require a purpose-bound, single-use reset token for POST /auth/reset-password; POST /auth/verify-otp now returns that token when called with purpose=password_reset, closing the email-only password reset takeover path.
  • Revoke active framework sessions for the user after a successful password reset.
  • Add route-level rate limits to POST /auth/forgot-password and POST /auth/reset-password.
  • Cap failed 2FA PIN attempts per challenge and consume the challenge after repeated wrong codes.
  • Read and consume file-based OTP fallback records during OTP verification.
  • Guard password reset token consumption with an atomic consumed marker and log when session revocation cannot run because the session store is not bound.
  • Hard-deny additional sensitive account fields (two_factor_secret, remember_token, provider_id) from profile projection.
  • Align 2FA route registration and service defaults on auth.two_factor.enabled.
  • Keep SAML/LDAP provisioning writes within the canonical users and profiles schemas.
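The following is an added example, not code from this project or release: it models the reset flow described by the first, second, fourth and sixth items above with in-memory stores, so the properties can be exercised directly. The class and function names, the attempt cap, the token lifetime and the hashing choice are all assumptions; the project's own route handlers and storage are not shown on this page.

```python
import hashlib
import hmac
import logging
import secrets
import threading
import time

# Constructed example (not the project's code): in-memory stores stand in for
# the real OTP, reset-token and session backends. Constants are assumptions.
MAX_PIN_ATTEMPTS = 5
TOKEN_TTL_SECONDS = 600
PURPOSE_PASSWORD_RESET = "password_reset"

log = logging.getLogger("auth-example")


class OtpChallenges:
    """Challenges keyed by id; consumed on success or after too many wrong codes."""

    def __init__(self):
        self._challenges = {}

    def create(self, user_id, purpose, code):
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = {"user_id": user_id, "purpose": purpose,
                                          "code": code, "failed": 0, "consumed": False}
        return challenge_id

    def verify(self, challenge_id, code, purpose):
        """Return the user id on success, None otherwise."""
        ch = self._challenges.get(challenge_id)
        if ch is None or ch["consumed"] or ch["purpose"] != purpose:
            return None
        if not hmac.compare_digest(ch["code"].encode(), code.encode()):
            ch["failed"] += 1
            if ch["failed"] >= MAX_PIN_ATTEMPTS:
                ch["consumed"] = True  # burn the challenge; a new one must be requested
            return None
        ch["consumed"] = True
        return ch["user_id"]


class ResetTokens:
    """Purpose-bound, single-use tokens with an atomic consumed marker."""

    def __init__(self):
        self._tokens = {}
        self._lock = threading.Lock()

    def issue(self, user_id, purpose, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._tokens[token] = {"user_id": user_id, "purpose": purpose,
                                   "expires": now + TOKEN_TTL_SECONDS, "consumed": False}
        return token

    def consume(self, token, purpose, now=None):
        """Check purpose and expiry, then flip the consumed flag under the lock,
        so a concurrent second submit of the same token is rejected."""
        now = time.time() if now is None else now
        with self._lock:
            rec = self._tokens.get(token)
            if rec is None or rec["consumed"] or rec["expires"] <= now:
                return None
            if rec["purpose"] != purpose:
                return None
            rec["consumed"] = True
            return rec["user_id"]


class SessionStore:
    def __init__(self):
        self._by_user = {}

    def open(self, user_id):
        sid = secrets.token_urlsafe(16)
        self._by_user.setdefault(user_id, set()).add(sid)
        return sid

    def is_active(self, user_id, sid):
        return sid in self._by_user.get(user_id, set())

    def revoke_all(self, user_id):
        return len(self._by_user.pop(user_id, set()))


def verify_otp(challenges, tokens, challenge_id, code, purpose):
    """Analogue of POST /auth/verify-otp: a password_reset challenge yields a reset token."""
    user_id = challenges.verify(challenge_id, code, purpose)
    if user_id is None:
        return None
    if purpose == PURPOSE_PASSWORD_RESET:
        return {"user_id": user_id, "reset_token": tokens.issue(user_id, purpose)}
    return {"user_id": user_id}


def reset_password(tokens, sessions, users, token, new_password):
    """Analogue of POST /auth/reset-password: consume the token atomically, rotate the
    password, then revoke sessions (logging when the session store is not bound)."""
    user_id = tokens.consume(token, PURPOSE_PASSWORD_RESET)
    if user_id is None:
        return False
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    users[user_id]["password_hash"] = salt.hex() + ":" + digest.hex()
    if sessions is None:
        log.warning("session store not bound; sessions for user %s were not revoked", user_id)
    else:
        sessions.revoke_all(user_id)
    return True
```

The design point is that the email-only path no longer exists: `reset_password` accepts nothing but a token minted by a successful `password_reset` OTP verification, a token minted for any other purpose is refused, and the consumed flag is flipped inside the same critical section that checks it.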