Changelog

v0.1 — initial public release

The first stable cut. Everything below is production-ready and stable per the semver policy.

Auth core

  • Password registration + login with Argon2id hashing.
  • Bcrypt accepted on login for legacy imports; silently rehashed to Argon2id on success.
  • 12-character minimum on new passwords; 1-char minimum on login for backward compatibility.
  • JWT-based access tokens (HS256, default 15-min TTL).
  • Refresh tokens with rotation (default 30-day TTL).
  • Cookie + Bearer transport.
  • CSRF double-submit pattern for cookie auth.

MFA (TOTP)

  • RFC 6238 TOTP enrollment with QR code generation.
  • 10 recovery codes per enrollment, SHA-256 hashed at rest.
  • Step-up assertion via POST /v1/auth/mfa/verify, default 30-min TTL, cached by session family.
  • Login MFA challenge with 5-attempt brute-force lock and 5-minute single-use token.
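
For readers who want to see what the RFC 6238 TOTP check and the attempt lock above amount to in code, here is an added, self-contained Python example. It is not identsphere's code: the library's real verifier lives in Rust behind the endpoints listed above. What it shows is the standard HOTP/TOTP computation (RFC 4226 dynamic truncation over a 30-second step), a one-step clock-skew window, rejection of a code that was already used in the same step, and a 5-failure lock. The in-memory counters and the `DEMO_SECRET` (the RFC 6238 reference seed) are constructed for the example; identsphere's lock semantics, storage and the 5-minute single-use challenge token are not modelled here.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 6238 reference seed, ASCII "12345678901234567890".
# A real enrollment secret is random and is what the QR code carries.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algorithm)


class TotpVerifier:
    """Per-enrollment verifier: skew window, single use per time step, lock after max_attempts failures.

    The lock counter lives in memory here purely for illustration (assumption); a server keeps it
    in its session or user store so the lock survives restarts and applies across replicas.
    """

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1, max_attempts: int = 5):
        self.secret = secret
        self.step = step
        self.skew = skew                 # accept codes from +/- this many steps (clock drift)
        self.max_attempts = max_attempts
        self.failures = 0
        self.last_used_counter = -1      # highest time step already consumed by a valid code

    def verify(self, code: str, now: Optional[int] = None) -> str:
        """Return "ok", "invalid" or "locked"."""
        if self.failures >= self.max_attempts:
            return "locked"
        now = int(time.time()) if now is None else now
        counter = now // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_used_counter:
                continue  # each time step yields one acceptance; blocks replay of a sniffed code
            # compare_digest keeps the comparison constant-time in the code length
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_used_counter = c
                self.failures = 0
                return "ok"
        self.failures += 1
        return "locked" if self.failures >= self.max_attempts else "invalid"


def demo() -> list:
    """Walk through: valid code, replay of the same code, then five bad attempts trip the lock."""
    v = TotpVerifier(DEMO_SECRET)
    results = [v.verify(totp(DEMO_SECRET, 59), now=59), v.verify(totp(DEMO_SECRET, 59), now=59)]
    results += [v.verify("000000", now=59) for _ in range(4)]
    return results


if __name__ == "__main__":
    print(totp(DEMO_SECRET, 59))  # RFC 6238 vector for T=59 with the reference seed
    print(demo())
```

The replay check is what makes the page's "single-use" property hold at the TOTP layer: a code that was accepted once is not accepted again in the same step, even though it is still arithmetically valid until the step rolls over.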

Passkeys (WebAuthn)

  • W3C WebAuthn Level 2 enrollment + authentication ceremonies via webauthn-rs.
  • Max 10 passkeys per user.
  • Sign-counter clone detection.
  • Email-hinted login. Discoverable-credentials flow planned for v0.2.

OAuth providers

  • Google (OIDC ID-token validation).
  • GitHub (OAuth 2.0 + /user/emails fallback for private profiles).
  • State token + open-redirect defense on redirect_to.

Email flows

  • Email OTP login (passwordless 6-digit codes, 10-minute TTL).
  • Email verification tokens (24-hour TTL).
  • Password reset (1-hour TTL, single-use, revokes all sessions on consume).
  • Always-204 responses on /forgot and /email-otp/request to defeat enumeration.

Sessions

  • List active sessions.
  • Revoke one / revoke all.
  • sign_out_other_sessions flag on password change.
  • Soft revocation (DB flag + cache invalidation).

Trusted browsers

  • "Remember this device" cookie, 30-day TTL.
  • User-Agent binding via fingerprint hash.
  • Skips MFA challenge on subsequent logins.

Organizations / teams / RBAC

  • Single-org-per-user model (many-to-many in v2).
  • 5 default roles: owner, admin, billing, member, viewer.
  • Configurable RBAC matrix via RbacConfig.
  • Owner protection: last-owner demotion / removal refused.
  • Cross-org access blocked via require_org_match.

Invitations

  • Org-scoped invitations with 7-day TTL.
  • Email-delivered tokens; SHA-256 hashed at rest.
  • Preview before accept (public endpoint, no auth).
  • Accept supports new-user create + already-logged-in flows.
  • Resend / revoke.

User profile

  • Read / patch profile.
  • Avatar upload (multipart, 5 MiB cap, JPEG/PNG/GIF/WebP).
  • Avatar delete.
  • Password change with sign_out_other_sessions option.

Audit logs

  • Append-only log of every security-relevant action.
  • No foreign keys (audit trail outlives subjects).
  • Fire-and-forget async pipeline; never blocks the originating request.

Webhooks

  • Outbound HMAC-SHA256 signed events.
  • Timestamp + signature header pattern (Stripe / GitHub style).
  • 4 retries with exponential backoff.
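
The timestamp + signature header pattern is what a webhook receiver has to get right, so here is an added Python example of both sides of it. It is not identsphere's code, and the header names (`X-Webhook-Timestamp`, `X-Webhook-Signature`), the `v1=` scheme prefix, the `"<timestamp>.<raw body>"` signed-payload layout and the 300-second tolerance are assumptions chosen to match the Stripe/GitHub style the page cites; the project's webhook guide is the source for its actual values. The receiver side signs the raw bytes it received (not a re-serialised JSON), rejects stale timestamps to bound replay, and compares in constant time.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Assumed header names and scheme prefix for this example; not taken from the page.
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
SIGNATURE_HEADER = "X-Webhook-Signature"
SCHEME_PREFIX = "v1="
TOLERANCE_SECONDS = 300  # assumed replay window; tune to your clock-skew budget


def signed_payload(timestamp: str, body: bytes) -> bytes:
    """Bind the timestamp to the body so a captured body cannot be replayed with a fresh timestamp."""
    return timestamp.encode("ascii") + b"." + body


def sign_event(secret: bytes, body: bytes, timestamp: int) -> Dict[str, str]:
    """Sender side: HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded into the signature header."""
    digest = hmac.new(secret, signed_payload(str(timestamp), body), hashlib.sha256).hexdigest()
    return {TIMESTAMP_HEADER: str(timestamp), SIGNATURE_HEADER: SCHEME_PREFIX + digest}


def verify_event(secret: bytes, headers: Dict[str, str], body: bytes, now: int,
                 tolerance: int = TOLERANCE_SECONDS) -> Tuple[bool, str]:
    """Receiver side. Returns (accepted, reason). `body` must be the exact bytes received."""
    timestamp = headers.get(TIMESTAMP_HEADER)
    signature = headers.get(SIGNATURE_HEADER)
    if timestamp is None or signature is None:
        return False, "missing header"
    if not timestamp.isdigit():
        return False, "bad timestamp"
    # Bound replay: an old but correctly signed delivery is refused outside the window.
    if abs(now - int(timestamp)) > tolerance:
        return False, "stale timestamp"
    if not signature.startswith(SCHEME_PREFIX):
        return False, "unknown scheme"
    expected = hmac.new(secret, signed_payload(timestamp, body), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched through timing.
    if not hmac.compare_digest(expected, signature[len(SCHEME_PREFIX):]):
        return False, "bad signature"
    return True, "ok"


# Constructed sample delivery (not a real identsphere event or secret).
DEMO_SECRET = b"whsec_constructed_demo_secret"
DEMO_BODY = json.dumps({"type": "user.created", "id": "usr_demo"}, separators=(",", ":")).encode()
DEMO_SENT_AT = 1700000000


def demo() -> Dict[str, Tuple[bool, str]]:
    """Exercise the checks a receiver relies on: fresh, stale, tampered body, wrong secret."""
    headers = sign_event(DEMO_SECRET, DEMO_BODY, DEMO_SENT_AT)
    return {
        "fresh": verify_event(DEMO_SECRET, headers, DEMO_BODY, now=DEMO_SENT_AT + 100),
        "stale": verify_event(DEMO_SECRET, headers, DEMO_BODY, now=DEMO_SENT_AT + 301),
        "tampered": verify_event(DEMO_SECRET, headers, DEMO_BODY + b" ", now=DEMO_SENT_AT + 100),
        "wrong_secret": verify_event(b"other", headers, DEMO_BODY, now=DEMO_SENT_AT + 100),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because the sender retries failed deliveries, the same event can legitimately arrive more than once inside the tolerance window; a receiver should therefore treat the event id as an idempotency key in addition to verifying the signature, rather than tightening the window to zero.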

Providers (trait-based)

  • EmailSender: LogOnlySender default. SMTP / Resend / SES bring-your-own.
  • ObjectStorage: LocalFsStorage default. S3 / R2 / GCS bring-your-own.
  • SessionCache: PostgresOnlyCache default. Redis bring-your-own.

CLI

  • identsphere migrate up / down / status / fresh.
  • identsphere export — full tarball dump for portability.

Frontend

  • @identsphere/react v0.1: typed hooks for every endpoint, Axios client with refresh interceptor, route guards.

Distribution

  • Three crates published to crates.io: identsphere-core, identsphere-axum, identsphere-webhooks.
  • One npm package: @identsphere/react.
  • Docker image: ghcr.io/identsphere/server:0.1.

Documentation

  • 40 API endpoint reference pages.
  • Guide section with feature-by-feature deep dives.
  • Per-language integration guides: Rust, React, Python, Node, Go, Ruby, Java, PHP, REST.
  • Deployment guides: Docker, Kubernetes, AWS / GCP / Azure / Fly.io / Railway / Render, Cloudflare Pages (for the docs site itself).
  • Production checklist.

Known limitations

  • No built-in rate limiter; integrate tower-governor or your edge.
  • No discoverable-credentials passkey flow.
  • No SCIM / SAML in OSS (planned premium modules).
  • Audit-log query API: SQL only (premium identsphere-audit-export planned).
  • Many-to-many user / org: v2.
  • Ownership-transfer flow: planned, not in v0.1.

License

  • OSS code: Business Source License 1.1, converts to Apache-2.0 after 4 years from each release.
  • Premium modules (when available): commercial license.