Releases: puzed/darkauth

v1.7.1

24 Mar 22:48
a12d3cc

This release addresses critical security vulnerabilities, improves OTP enforcement, and modernizes the codebase by removing legacy components.

🔒 Security

🛡️ Authentication Vulnerabilities

  • Fixed OTP backup code replay vulnerability by preventing reuse of backup codes
  • Fixed OTP bypass vulnerability in password change identity authentication
  • Restored bearer-token fallback for password change identity verification

🐛 Fixes

🔑 Key Management

  • Aligned JWKS tests with encrypted key flow runtime behavior
  • Improved signJWT issuer claim handling with proper fallback coverage

🔐 Migration & Enforcement

  • Preserved OTP enforcement during force_otp migration process

🧹 Improvements

📚 Documentation & Cleanup

  • Removed legacy group surface and references from brochureware documentation
  • Removed obsolete legacy groups scope description from user interface

🧪 Tests

✅ Coverage Enhancements

  • Added comprehensive signJWT issuer fallback regression tests
  • Updated test suite organization specification naming for clarity

Docker

docker pull ghcr.io/puzed/darkauth:v1.7.1

v1.7.0

02 Mar 20:15
2b46b76

v1.7.0 introduces enhanced security controls and improved initialization workflows for DarkAuth deployments.

✨ Features

🔐 Security Enhancements

  • Added optional email enumeration protection for registration flows to prevent user discovery attacks
  • Implemented email enumeration mitigation in login error responses

⚙️ Installation & Configuration

  • Added migration-owned default settings for initial deployments
  • Implemented RBAC seed data generation during installation process

🛠 Improvements

🔧 API & Admin UI

  • Enhanced admin settings API for programmatic configuration management
  • Improved organization invite test tolerance for seeded permissions

🧪 Test Coverage

  • Extended test suite to cover duplicate registration enumeration scenarios
  • Updated demo self-registration to use admin settings API

Docker

docker pull ghcr.io/puzed/darkauth:v1.7.0

v1.6.0

01 Mar 21:49
55d3034

This release introduces email verification capabilities, modernizes role-based access control, and streamlines the authentication experience through improved security handling and legacy code cleanup.

✨ Features

📧 Email Verification

  • Added email verification tokens and SMTP services integration to the API
  • Implemented email templates and verification flows in admin and user UIs
  • Added auth gating for email verification checks

🎨 Dashboard Customization

  • Added dashboard settings support for client cards and metadata display
  • Enabled client icon uploads and user icon endpoints

🛠 Improvements

🔐 RBAC Modernization

  • Migrated from legacy group runtime to organization-scoped role-based access control
  • Removed legacy group pages and API surface from admin UI
  • Updated OTP and login tests to use organization roles

🎯 UI/UX Enhancements

  • Preserved client form state on save errors in admin UI
  • Hid login screen until branding and client configuration have loaded
  • Omitted inactive dashboard icon fields on client creation
  • Removed unused legacy register page from user UI

🔗 Client Library

  • Added repository metadata for npm provenance in darkauth-client
  • Improved client publish job stability and version synchronization

🐛 Fixes

🚀 Authentication Flow

  • Removed users page refresh action from admin UI
  • Fixed OTP login test interactions with organization-based roles
  • Removed login error flash during client config verification
  • Stabilized auth callback and admin screenshot flows

🧹 Code Cleanup

  • Removed legacy group runtime dependencies from API
  • Removed deprecated auth settings keys
  • Removed fragile client version parsing in release publish job
  • Enforced branding-only logo selection in user UI

📄 Release Process

  • Fixed release client publish step stability
  • Fixed release client version alignment with main release

Docker

docker pull ghcr.io/puzed/darkauth:v1.6.0

v1.5.5

01 Mar 17:22
809e424

v1.5.5 refines the authentication flow and client management with improved error handling and loading states.

🐛 Fixes

🔐 Admin Interface

  • Preserved form state in the client creation flow when validation errors occur
  • Excluded inactive dashboard icon fields from client creation payloads to prevent validation failures

🔑 User Authentication

  • Removed erroneous login error notifications that appeared during initial client configuration checks
  • Deferred login screen display until branding assets and client configuration fully load

🧹 Improvements

✍️ User Experience

  • Simplified authorization security note messaging for clarity
  • Removed unused legacy user registration page to reduce bundle size

Docker

docker pull ghcr.io/puzed/darkauth:v1.5.5

v1.5.4

01 Mar 16:33
a0f3533

This release adds npm provenance support to the DarkAuth client package.

🐛 Fixes

📦 Package Publishing

  • Added repository metadata for npm provenance verification to enhance package security and authenticity

Docker

docker pull ghcr.io/puzed/darkauth:v1.5.4

v1.5.3

01 Mar 16:24
aa59066

Improved stability and reliability of the release and client publishing pipeline.

🛠 Improvements

📦 Release Publishing

  • Replaced fragile client version parsing in the semantic release publish job with direct use of the semantic release version number
  • Enhanced stability of the @darkauth/client package publishing workflow to reduce release failures

Docker

docker pull ghcr.io/puzed/darkauth:v1.5.3

v1.5.2

01 Mar 16:14
39f2746

This release fixes the GitHub Actions release workflow to ensure proper client publishing.

🔧 Improvements

🚀 Release Process

  • Fixed release workflow configuration to align client package publishing with release version

Docker

docker pull ghcr.io/puzed/darkauth:v1.5.2

v1.5.1

01 Mar 16:05
a527229

This release introduces per-client access token TTL configuration and substantially hardens authentication, session management, and client configuration handling.

✨ Features

🔐 Access Token Management

  • Added per-client access token TTL configuration to customize token lifetimes by client

🛠 Improvements

🔐 Authentication & Sessions

  • Refreshed admin session TTL during session checks to maintain active sessions
  • Moved first-party refresh tokens to HttpOnly cookies and implemented auto-renewal
  • Defaulted first-party authentication to user client and resolved runtime client ID correctly
  • Gated auth-code refresh token issuance by client grant types to enforce security boundaries

🎨 Admin UI & Branding

  • Enforced branding-only logo selection to prevent misconfigurations
  • Improved branding preview and theme handling for consistent visual representation
  • Aligned JWKS key state display with API responses
  • Removed redundant back and refresh actions from admin interface

🔧 Client Configuration

  • Implemented structured client scopes and unified client create/edit workflows
  • Displayed client scope descriptions in consent flow for improved transparency
  • Removed deprecated auth settings keys to simplify configuration

🛡 Security & Cookies

  • Scoped refresh-cookie rotation to first-party cookie transport
  • Preserved auth preview mode throughout login flow for consistent testing

🐛 Fixes

🔐 Session & Token Management

  • Fixed auth callback flow stability and admin screenshot generation
  • Aligned API user auth tests with cookie-based refresh token flow
  • Removed deprecated admin refresh TTL setting that caused configuration conflicts
  • Removed dead refresh and legacy auth fields that polluted client configurations

🎨 UI Stability

  • Stabilized auth callback and admin screenshot flows under concurrent requests
  • Fixed theme handling in branding preview mode

🔍 API Responses

  • Returned not found for unknown scope-description client requests to prevent leaking scope metadata

📦 Infrastructure

🚀 Node.js Compatibility

  • Removed strip-only-incompatible TypeScript class syntax for Node 24 support
  • Enabled running server on Node 24 without pm2

📚 Documentation

  • Aligned refresh token documentation with current token refresh grant implementation

Docker

docker pull ghcr.io/puzed/darkauth:v1.5.1

v1.5.0

01 Mar 15:50
d0142b1

DarkAuth v1.5.0 brings comprehensive security hardening, session management refactoring, and significant improvements to admin controls and documentation.

✨ Features

🔐 Security & Session Management

  • Added atomic auth code and refresh token redemption with single-use enforcement
  • Implemented refresh token client binding and cryptographic hashing for enhanced token security
  • Migrated to HttpOnly cookie-based sessions for first-party authentication flows
  • Added per-grant-type token refresh gating to restrict refresh token issuance by client capabilities
  • Enforced strict zero-knowledge hash binding for authorize finalize operations

📋 Admin & Configuration

  • Added per-client access token TTL configuration for flexible token expiration policies
  • Implemented admin list endpoints with pagination bounds and structured query schemas
  • Introduced organization-scoped RBAC with roles, permissions, and member management
  • Added client dashboard icons and metadata with admin API endpoints for icon uploads
  • Enabled structured client scope descriptions with display in consent flows

🎨 User Experience

  • Added dashboard card settings and user actions in admin and user interfaces
  • Introduced tags with sidebar filtering and shared filter state in demo application
  • Implemented version-aware changelog viewer with update banner in admin UI
  • Enhanced OIDC nonce binding in authorization code flow with persistent nonce emission
  • Added OAuth denial flow handling with reason propagation to logged-out screens

📚 Documentation & Infrastructure

  • Refreshed documentation layout and visual styling in brochureware
  • Added comprehensive docs route map and reference pages
  • Implemented native TypeScript runtime support for Node.js 24
  • Removed pm2 dependency for Docker deployments with direct Node.js execution
  • Stabilized demo app OAuth flows and improved token handling

🔄 SDK & Client Libraries

  • Updated darkauth-client to version 0.2.1 with support for non-ZK callback and session flows
  • Added client credentials grant support for users management endpoints

🐛 Fixes

🔐 Authentication & Authorization

  • Fixed auth callback flows to stabilize admin screenshot generation
  • Corrected authorization code redemption to enforce atomic single-use consumption
  • Resolved scope-descriptions endpoint 404 for unknown clients
  • Fixed PKCE validation with constant-time challenge comparison
  • Gated login form when configured client is unavailable

🍪 Session & Cookie Handling

  • Namespaced user refresh cookies to avoid admin session ambiguity
  • Scoped refresh-cookie rotation to first-party cookie transport only
  • Preserved auth preview mode throughout login flow
  • Improved admin session TTL refresh during security checks
  • Enforced automatic session failure after three consecutive refresh failures

🎨 Branding & Theming

  • Enforced branding-only logo selection in user-ui and API validation
  • Improved branding preview rendering and theme application
  • Aligned refresh documentation with token refresh grant implementation

🔧 Client Configuration

  • Unified client create and edit flows with structured scope support
  • Defaulted first-party authentication to user client with runtime client ID resolution
  • Removed deprecated auth settings keys and admin refresh TTL settings
  • Cleaned up dead refresh fields and legacy authentication code paths
  • Aligned user endpoint refresh token tests with issued client bindings

🛠 Infrastructure & Runtime

  • Removed TypeScript class syntax incompatible with Node.js 24 strip-only transforms
  • Fixed Docker environment variable parsing for NODE_OPTIONS
  • Corrected Node transform flag propagation through pm2 runtime arguments
  • Included workspace metadata for in-container database migrations
  • Improved router and migration error logging with execution context

📋 API & Endpoints

  • Fixed client icon endpoints exposure on admin API routes
  • Resolved authorize finalize binding without schema drift in ZK flows
  • Removed retry flow from refresh-token endpoint
  • Persisted export key before authorize navigation to prevent loss
  • Restored OAuth access_denied reason propagation on deny

🛠 Improvements

⚙️ Code Quality & Architecture

  • Streamlined installation user experience with simplified configuration flow
  • Aligned admin authentication helpers with cookie-based session management
  • Extracted reusable client seed and secret validation helpers
  • Improved admin tables and row action implementations
  • Applied code formatting and linting across packages

🎨 Visual Polish

  • Enhanced demo application theme behavior and dashboard visuals
  • Improved tooltip styling in admin-ui
  • Refined branding preview and theme selection flows

📦 Build & Release

  • Implemented semantic versioning with automated changelog generation
  • Added build metadata passing for app version and commit hash in Docker builds
  • Configured the release pipeline for native architecture builds

🧪 Tests

✅ Security & Auth Flows

  • Added comprehensive coverage for client scopes and authentication edge cases
  • Implemented tests for atomic auth code consumption and redemption races
  • Added PKCE verifier and challenge validation path coverage
  • Created OIDC nonce authorization code flow tests with binding enforcement
  • Covered refresh token hashing, rotation, and single-use enforcement

🔄 Session & Token Management

  • Added users endpoint client secret authentication coverage
  • Implemented refresh token retention tests on server errors
  • Covered dashboard client icon behavior in admin interface
  • Added zero-knowledge nonce flow tests with required drk_hash binding

🚫 Error Handling

  • Added OAuth deny flow and logged-out demo gating coverage
  • Implemented user authentication error and edge case tests

📝 Documentation

📖 Security & Token Hardening

  • Documented atomic auth code redemption in API specs and brochureware
  • Added detailed refresh token hardening documentation covering hashing and client binding
  • Created comprehensive refresh token grant-type gating documentation
  • Documented logout behavior after consecutive refresh failures
  • Strengthened security auditor review guidance for release validation

🔐 SDK & Integration

  • Documented zero-knowledge and non-ZK authentication flows in darkauth-client
  • Added admin member endpoints documentation with list query details
  • Updated agent guidance and administrative documentation

📦 Release Management

  • Preserved whitepaper publishing dates when content remains unchanged
  • Simplified AGENTS completion checklist for maintainers

Docker

docker pull ghcr.io/puzed/darkauth:v1.5.0

v1.4.7

01 Mar 08:56
837617f

DarkAuth v1.4.7 strengthens session security, improves UX, and adds support for Node.js 24.

✨ Features

🔐 Session Management

  • Implemented first-party HttpOnly cookie-based refresh token transport with automatic session renewal
  • Added client scope descriptions in OIDC consent flows for improved user transparency
  • Gated auth-code refresh token issuance by configured client grant types

📋 Admin & Dashboard

  • Added dashboard card settings and client-specific user actions
  • Introduced client dashboard icon metadata with user icon endpoints
  • Unified client creation and editing workflows with structured scope management

⚡ Performance

  • Enabled Node.js 24 runtime support by removing incompatible TypeScript class syntax
  • Streamlined installation UX with simplified auth session flows

🛠 Improvements

🖥 User Interface

  • Auto-submitted OTP entry once all six digits are entered, for faster authentication
  • Preserved export-key recovery workflows and refresh token continuity during migrations

🔧 Platform Support

  • Updated TypeScript compilation for Node.js 24 compatibility
  • Enabled direct Node.js execution without pm2 for simpler deployments

🧪 Tests

📊 Coverage

  • Added test coverage for client scopes and OIDC edge cases
  • Fixed screenshot test authentication regressions with cookie-based sessions
  • Aligned admin authentication helpers with new cookie session patterns

📦 Dependencies

🔄 Updates

  • Replaced internal md-to-pdf workspace dependency in brochureware
  • Standardized cookie session authentication and CSRF protection across API and UI packages

Docker

docker pull ghcr.io/puzed/darkauth:v1.4.7