Skip to content

v4.1.0

Choose a tag to compare

View all tags
@brunocmoreira brunocmoreira released this 04 Jun 03:04
· 14 commits to main since this release
v4.1.0
fbb8746

Rhino 4.1.0

Domain-aware route groups

Route groups can declare a domain to scope their routes to a host — literal
(admin.example.com) or parameterized ({organization}.example.com) for
subdomain multitenancy. Combines with prefix; parameterized domains feed
organization resolution.

Route group conflict validation

Boot-time validation throws when two route groups would silently shadow each
other (same prefix + intersecting host-set + overlapping models), with a clear
message and remediation.

Group-aware auth, membership & lifecycle hooks (opt-in)

  • Group membership on user_roles via a nullable route_group column
    (NULL = wildcard), gated by enforce_group_membership. When on, a request's
    group requires a matching membership (else 403) and permissions resolve
    from the matching row.
  • Group-aware auth — groups with auth: true register their own auth route
    set; the legacy auth endpoints are preserved.
  • Invitations carry the route group; accept populates the membership.
  • Lifecycle hooks run after each auth action and may reject, revoking the
    just-issued token. afterPasswordRecover rejection is swallowed to prevent
    email enumeration.

All new behavior is opt-in — with the flags off, behavior is unchanged.

Assets 2
Loading