leodip/goiabada

Goiabada is an OAuth2 / OpenID Connect server written in Go.

17 Releases

Release v1.5.2 (Latest)
leodip · April 26, 2026

🐛 Bug Fixes

  • Reject authorization code replay ([#66](https://github.com/leodip/goiabada/issues/66)): the token endpoint now detects reuse of an already-redeemed authorization code and rejects the request with a dedicated `auth_code_reused` error. Previously, replaying a used code could re-issue tokens. This hardens the authorization-code grant per OAuth 2.0 §10.5 and OIDC Core §3.1.3.
  • Accept cross-origin POST at `/auth/authorize` ([#67](https://github.com/leodip/goiabada/issues/67)): the CSRF middleware no longer rejects cross-origin POSTs to the authorize endpoint. This fixes the OIDC conformance test `oidcc-ensure-post-request-succeeds`. The endpoint already responds only with redirects, so cross-origin POST is the spec-required behavior per OIDC Core §3.1.2.1.
  • Reject unsupported `request` and `request_uri` parameters ([#68](https://github.com/leodip/goiabada/issues/68)): `/auth/authorize` now rejects the `request` parameter with `request_not_supported` and the `request_uri` parameter with `request_uri_not_supported`, per OIDC Core 1.0 §6.1 / §5.1.2.6. Previously these were silently ignored, which lost any `state` / `nonce` carried inside the request object and failed the OIDC conformance test `oidcc-unsigned-request-object-supported-correctly-or-rejected-as-unsupported`.
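The replay check described in the first bullet, shown as an added Go example that is not Goiabada's own code: a single-use authorization code store whose second redemption is rejected with `auth_code_reused` and also revokes the token that the first redemption produced, which is what RFC 6749 asks for when a code is presented twice. The in-memory store, the `ErrAuthCodeReused` / `ErrInvalidGrant` sentinels and the `Issue` / `Redeem` / `IsRevoked` names are assumptions of this example, not the project's API.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Error codes returned by the token endpoint. "auth_code_reused" is the name the
// release notes give the dedicated replay error; "invalid_grant" is the standard
// RFC 6749 code for an unknown, expired or client-mismatched authorization code.
var (
	ErrAuthCodeReused = errors.New("auth_code_reused")
	ErrInvalidGrant   = errors.New("invalid_grant")
)

// authCode is what the server remembers about an issued code.
type authCode struct {
	clientID string
	subject  string
	expires  time.Time
	redeemed bool
	tokenID  string // identifier of the token issued on first redemption
}

// CodeStore is an in-memory single-use code store (constructed for this
// example; a real server keeps this state in its database).
type CodeStore struct {
	mu      sync.Mutex
	codes   map[string]*authCode
	revoked map[string]bool // token IDs revoked because their code was replayed
}

func NewCodeStore() *CodeStore {
	return &CodeStore{codes: map[string]*authCode{}, revoked: map[string]bool{}}
}

func randomID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Issue mints a fresh code bound to one client and one subject.
func (s *CodeStore) Issue(clientID, subject string, ttl time.Duration, now time.Time) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	code := randomID()
	s.codes[code] = &authCode{clientID: clientID, subject: subject, expires: now.Add(ttl)}
	return code
}

// Redeem exchanges a code for a token ID exactly once. A second redemption is
// detected before any other check (so an expired-but-replayed code still counts
// as replay), the request is rejected with ErrAuthCodeReused, and the token
// issued on the first redemption is revoked.
func (s *CodeStore) Redeem(code, clientID string, now time.Time) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	ac, ok := s.codes[code]
	if !ok {
		return "", ErrInvalidGrant
	}
	if ac.redeemed {
		// Replay: revoke what the first redemption produced and forget the code.
		s.revoked[ac.tokenID] = true
		delete(s.codes, code)
		return "", ErrAuthCodeReused
	}
	if ac.clientID != clientID || now.After(ac.expires) {
		return "", ErrInvalidGrant
	}
	ac.redeemed = true
	ac.tokenID = randomID()
	return ac.tokenID, nil
}

// IsRevoked reports whether a token was revoked because its code was replayed.
func (s *CodeStore) IsRevoked(tokenID string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.revoked[tokenID]
}

func main() {
	store := NewCodeStore()
	now := time.Now()
	code := store.Issue("web-app", "user-123", 5*time.Minute, now)

	tok, err := store.Redeem(code, "web-app", now)
	fmt.Println("first redemption ok:", tok != "", "err:", err)

	_, err = store.Redeem(code, "web-app", now.Add(time.Second))
	fmt.Println("replay err:", err, "first token revoked:", store.IsRevoked(tok))
}
```

The resource server side of this is a lookup of `IsRevoked` (or of the equivalent database flag) when validating bearer tokens; without that revocation step, detecting the replay only protects the second caller, not the first.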

Release v1.5.1
leodip · April 26, 2026

✨ Features

  • Audit log database persistence ([#58](https://github.com/leodip/goiabada/issues/58)) - audit events can now be written to the database in addition to (or instead of) the console. Includes a configurable retention period, a background worker for cleanup, an Audit log settings admin page, and a paginated Audit log viewer with event-type filtering.
  • OIDC `id_token_hint` support ([#61](https://github.com/leodip/goiabada/issues/61)) - the `/auth/authorize` endpoint now validates the `id_token_hint` parameter per OIDC Core 1.0 §3.1.2.1/3.1.2.2: issuer validation, expired-token acceptance, and `sub` matching. Prevents the server from issuing tokens for a different user than the hint specifies.

๐Ÿ› Bug Fixes

  • Consistent `auth_time` claim across SSO requests ([#60](https://github.com/leodip/goiabada/issues/60)) โ€” fixes a mismatch where two ID tokens issued from the same authenticated session could carry different `auth_time` values, breaking OIDC conformance test `oidcc-max-age-10000`. `AuthenticatedAt` is now propagated correctly from `BumpUserSession` / `StartNewUserSession`.
Release 1.5.0v1.5.0
leodipleodipยท4mo agoยทFebruary 9, 2026
GitHub

๐Ÿ“ฆ OIDC `prompt` parameter support ([#57](https://github.com/leodip/goiabada/issues/57))

  • Full implementation of the OIDC `prompt` parameter on the `/auth/authorize` endpoint:
  • `prompt=none` โ€” Silent authentication. Returns an error if the user is not already authenticated or if consent is required, without displaying any UI.
  • `prompt=login` โ€” Forces re-authentication even if the user has an active session.
  • `prompt=consent` โ€” Forces the consent screen even if consent was previously granted.
  • Combinations โ€” Values can be combined (e.g., `prompt=login consent`), except `none` which must be used alone.
  • Advertised in the `/.well-known/openid-configuration` discovery endpoint via `prompt_values_supported`.
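The `prompt` handling listed above, as an added Go example (not Goiabada's code): it parses the space-delimited parameter, enforces that `none` is used alone, and maps each value onto what the authorize endpoint must do given the session state. The `login_required` / `consent_required` codes are the OIDC Core §3.1.2.6 errors; returning `invalid_request` for a malformed or unknown value, and accepting only the three values the release notes name, are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Decision is what the authorize endpoint must do after honouring prompt.
// Both false means the normal flow: show login or consent only when needed.
type Decision struct {
	ForceLogin   bool // show the login screen even with an active session
	ForceConsent bool // show the consent screen even if consent was granted
}

// Error codes. The *_required codes come from OIDC Core 3.1.2.6; using
// invalid_request for malformed prompt values is this example's assumption.
var (
	ErrInvalidRequest  = errors.New("invalid_request")
	ErrLoginRequired   = errors.New("login_required")
	ErrConsentRequired = errors.New("consent_required")
)

// PromptValuesSupported is what the discovery document would advertise.
var PromptValuesSupported = []string{"none", "login", "consent"}

// ParsePrompt splits the space-delimited prompt parameter and validates it:
// only none/login/consent are accepted and none must appear alone.
func ParsePrompt(raw string) (map[string]bool, error) {
	values := map[string]bool{}
	for _, v := range strings.Fields(raw) {
		switch v {
		case "none", "login", "consent":
			values[v] = true
		default:
			return nil, fmt.Errorf("%w: unknown prompt value %q", ErrInvalidRequest, v)
		}
	}
	if values["none"] && len(values) > 1 {
		return nil, fmt.Errorf("%w: prompt=none cannot be combined with other values", ErrInvalidRequest)
	}
	return values, nil
}

// ResolvePrompt decides the authorize outcome from the parsed prompt and the
// current session state (is the user authenticated, and has consent already
// been granted for the requested scopes).
func ResolvePrompt(raw string, authenticated, consentGranted bool) (Decision, error) {
	values, err := ParsePrompt(raw)
	if err != nil {
		return Decision{}, err
	}
	if values["none"] {
		// Silent authentication: any need for UI is an error, never a screen.
		if !authenticated {
			return Decision{}, ErrLoginRequired
		}
		if !consentGranted {
			return Decision{}, ErrConsentRequired
		}
		return Decision{}, nil
	}
	return Decision{ForceLogin: values["login"], ForceConsent: values["consent"]}, nil
}

func main() {
	for _, c := range []struct {
		prompt                 string
		authenticated, consent bool
	}{
		{"none", false, false}, {"none", true, true}, {"login consent", true, true}, {"none login", true, true},
	} {
		d, err := ResolvePrompt(c.prompt, c.authenticated, c.consent)
		fmt.Printf("prompt=%q auth=%v consent=%v -> %+v err=%v\n", c.prompt, c.authenticated, c.consent, d, err)
	}
}
```

Because `prompt=none` is answered with an error redirect rather than a page, the caller (typically a relying party doing silent renewal in a hidden iframe) learns only whether it needs to start an interactive flow, which is the behaviour the conformance suite checks for.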

📦 Client logo management ([#33](https://github.com/leodip/goiabada/issues/33))

  • Clients can now have a logo image displayed on authentication and consent screens:
    • Upload, view, and delete logos via the admin console (Logo tab in client settings) or the REST API.
    • Public endpoint `GET /client/logo/{clientIdentifier}` serves logos with `ETag` and `Cache-Control` headers for efficient caching.
    • Supported formats: JPEG, PNG, GIF, WebP. Max dimensions: 512x512. Max size: 3MB.

📦 Client display settings

  • New fields on clients to control how they appear to users during authentication:
    • `displayName` - A human-friendly name shown instead of the client identifier. Falls back to the client identifier if empty.
    • `description` - A short description shown on auth/consent screens.
    • `websiteURL` - A link to the client's website, shown on the consent screen.
    • Visibility toggles - `showLogo`, `showDisplayName`, `showDescription`, `showWebsiteURL` control which elements are visible on auth screens.
  • Display name can be set during client creation (admin console and API).

📦 System-level entity editing

  • System-level clients (`admin-console-client`) and resources (`authserver`) can now be edited with targeted immutability guards:
    • Identifiers are protected - cannot be renamed.
    • Deletion is blocked - system-level entities cannot be removed.
    • All other settings are editable - description, display name, redirect URIs, permissions, etc.
  • Built-in permission identifiers on the `authserver` resource (`userinfo`, `manage-account`, `manage`, `admin-read`, `manage-users`, `manage-clients`, `manage-settings`) cannot be renamed or deleted, but new permissions can be added.

📦 Improvements

  • Dockerfile reliability - `curl` commands for downloading `yq` and Tailwind CLI now include `--retry` options for more resilient builds.
  • Dependency updates - Go module dependencies updated across all three modules (core, authserver, adminconsole). Test integration app dependencies updated.

📦 Database Migrations

  • Four new migrations are included (applied automatically on startup):

| Migration | Description |
|-----------|-------------|
| 000014 | Add `client_logos` table |
| 000015 | Fix `DATETIME2` precision on MSSQL (MSSQL only) |
| 000016 | Add `website_url` column to clients |
| 000017 | Add `display_name` and `description` columns to clients; add `show_logo`, `show_display_name`, `show_description`, `show_website_url` columns |

💥 No breaking changes

  • Update to v1.5.0 using your preferred deployment method (Docker images or native binaries). Database migrations will run automatically on first startup.

Release v1.4.4
leodip · February 4, 2026

✨ New Features

  • OIDC Claims in ID Tokens - Configurable Behavior (#56)
  • Added controls for including OpenID Connect scope claims (email, profile, phone, address) in ID tokens:
    • New global setting: `IncludeOpenIDConnectClaimsInIdToken` (default: enabled)
    • Per-client override available (default/on/off)
    • Claims remain available via `/userinfo` endpoint regardless of setting
    • Default behavior matches industry standards (Auth0, Microsoft, Keycloak)
    • For strict OIDC Core 5.4 conformance, claims can now be restricted to `/userinfo` only

📦 Improvements

  • Developer Experience: Added `make format` target to all modules for consistent code formatting
  • Test Organization: Split monolithic test files into focused, maintainable modules:
    • `authorize_test.go` (5,597 lines) → 5 focused test files
    • `token_test.go` (1,665 lines) → 7 focused test files

📋 Changes

  • Applied consistent code formatting across entire codebase
  • Database migration 000013 adds new configuration columns (auto-applied on startup)

💥 Breaking Changes

  • None - fully backward compatible.

Release v1.4.3
leodip · January 24, 2026

📋 Changes

  • Email verification code generation for users, including a new API endpoint (thanks @Joebeurg) #54
  • Timezone data generator based on IANA tzdata.
  • time/tzdata fallback import for systems lacking OS timezone data. #49
  • Documentation updates for profile picture and group attribute REST APIs.
  • Dependency updates across the project (including docs Astro/Starlight).
  • fix-ownership.sh script (no longer needed).

Release v1.4.2
leodip · December 8, 2025

🐛 Bug fixes

  • Fixed AuthContext preservation when session is invalidated (https://github.com/leodip/goiabada/issues/46) - The authorization flow now correctly preserves the AuthContext when a user's session is invalidated mid-flow, preventing authentication failures.

📦 Improvements

  • Replaced Mailhog with Mailpit in devcontainer and tests - Mailpit provides a more modern and actively maintained email testing solution.
  • Enhanced version management script - Refactored update-versions.sh with an interactive menu for better usability.
  • Added Node.js/npm to devcontainer - Enables npm package management for test integration apps.

🧪 Test integration apps

  • Updated react-vite demo app - Significant improvements including new TokenInspector component, AdminArea page, improved auth context, and better styling.
  • Updated go-webapp test application - Various improvements and updates.
  • Updated js-only (browser-based) test application - Improved OAuth2 browser-only integration example.

📦 Dependencies

  • Updated dependencies across multiple Go modules and npm packages

Release v1.4.1
leodip · December 6, 2025

📝 Multi-architecture docker images

  • Docker images now support both linux/amd64 and linux/arm64 architectures. This enables native support for:
    • Intel/AMD x86_64 servers and PCs
    • ARM64 devices (Raspberry Pi 4/5, Orange Pi, AWS Graviton, Apple Silicon Macs)
  • No more platform mismatch warnings when running on ARM64 devices.
  • Thanks for reporting @sehogas

Release v1.4.0
leodip · November 29, 2025

✨ New Features

  1. Granular API Scopes (#43) - Fine-grained admin authorization with new scopes for precise API access control instead of the single authserver:manage permission
  2. OAuth2 Implicit Flow - Configurable implicit flow support for legacy clients (response_type=token, id_token, id_token token). Disabled by default, can be enabled globally or per-client
  4. User Profile Pictures (#18) - Upload/manage profile pictures with OIDC picture claim support:
     • Self-service and admin management
     • Public /userinfo/picture/{subject} endpoint
     • Client-side image cropping with Cropper.js
     • Server-side validation (PNG, JPEG, GIF; max 2MB; 64-2000px)
  5. Configurable PKCE - PKCE can now be configured globally or per-client (required/optional)
  + 2 more

🔒 Security Improvements

  • 1. Constant-time client secret comparison - Prevents timing attacks on client authentication
  • 2. Timing-safe user enumeration protection - DummyPasswordHash implementation prevents user enumeration via timing analysis
  • 3. Improved error handling for redirect URI parsing - Better validation in authorization flows
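Items 1 and 2 of the security improvements, as an added Go example that is not Goiabada's code: a constant-time client secret comparison built on `crypto/subtle`, and a login check that verifies against a dummy password hash whenever the username is unknown, so that "no such user" and "wrong password" cost the same amount of work and cannot be told apart by timing. The iterated SHA-256 `slowHash`, the `users` map and the `dummyUser` record are constructed stand-ins for this example; a real deployment would use bcrypt or argon2 for the password hash.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// ClientSecretMatches compares a presented client secret with the stored one in
// constant time. Hashing both sides first gives fixed-length inputs, so neither
// the comparison time nor an early length mismatch reveals anything about the
// stored value.
func ClientSecretMatches(stored, presented string) bool {
	a := sha256.Sum256([]byte(stored))
	b := sha256.Sum256([]byte(presented))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

// hashIterations makes slowHash cost roughly the same for every input.
const hashIterations = 20000

// slowHash stands in for the server's password hashing function (constructed
// for this example; production code uses bcrypt or argon2). It is deliberately
// iterated so that verification has a measurable, input-independent cost.
func slowHash(password, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 1; i < hashIterations; i++ {
		h = sha256.Sum256(append(h[:], password...))
	}
	return h[:]
}

type userRecord struct {
	salt []byte
	hash []byte
}

func newUser(password string, salt []byte) userRecord {
	return userRecord{salt: salt, hash: slowHash([]byte(password), salt)}
}

// users is a constructed sample user database with a single account.
var users = map[string]userRecord{
	"alice": newUser("correct horse battery staple", []byte("constructed-salt-alice")),
}

// dummyUser plays the role of the release notes' DummyPasswordHash: a record
// that is verified against whenever the username does not exist, so unknown
// and known usernames take the same time to reject.
var dummyUser = newUser("dummy-password-never-accepted", []byte("constructed-salt-dummy"))

// VerifyLogin returns true only for a known user with the right password, and
// always performs exactly one hash computation and one constant-time compare,
// whether or not the username exists.
func VerifyLogin(username, password string) bool {
	rec, known := users[username]
	if !known {
		rec = dummyUser
	}
	candidate := slowHash([]byte(password), rec.salt)
	match := subtle.ConstantTimeCompare(candidate, rec.hash) == 1
	// Both values are computed before they are combined, so there is no early
	// exit that would leak whether the username exists.
	return known && match
}

func main() {
	fmt.Println("client secret match:", ClientSecretMatches("s3cret-value", "s3cret-value"))
	fmt.Println("client secret mismatch:", ClientSecretMatches("s3cret-value", "s3cret-valu"))
	fmt.Println("alice / correct password:", VerifyLogin("alice", "correct horse battery staple"))
	fmt.Println("alice / wrong password:", VerifyLogin("alice", "wrong"))
	fmt.Println("unknown user:", VerifyLogin("nobody", "correct horse battery staple"))
}
```

The point of the dummy record is that the expensive step runs on every request; returning early on an unknown username would make failed logins for non-existent accounts measurably faster than failed logins for real ones, which is the enumeration signal the fix removes.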

๐Ÿ› Bug Fixes & Compliance

  • 1. RFC 6749 compliant error responses - Detailed error codes and WWW-Authenticate headers for client authentication failures
  • 2. Refresh token scope compliance - Refresh tokens now match original scope per RFC 6749
  • 3. AMR claim format fix - Now correctly returns JSON array per OIDC Core 1.0 Section 2
  • 4. Session ACR/AMR step-up fix - Centralized ACR comparison logic for proper step-up authentication
  • 5. Removed typ claim from ID token - Satisfies OIDC conformance suite requirements
  • 6. auth_time handling - Properly set based on current authentication completion in implicit flow

Release v1.3.0
leodip · November 24, 2025

📋 Changes

  • Added complete OpenAPI 3.0 specification accessible at {authserver-base-url}/openapi.yaml for automatic client generation and API testing tools integration
  • Complete REST API documentation with step-by-step setup instructions
  • Removed internal base URL configuration for admin console and streamlined environment variable documentation
  • Admin console permissions have been migrated from adminconsole resource to authserver resource
  • Migration 000005_move_adminconsole_permissions will execute automatically
  • Applies to all database types (MySQL, PostgreSQL, SQL Server, SQLite)
  • Recommendation: backup your database before upgrading!

Release v1.2.1
leodip · November 23, 2025

📋 Changes

  • goiabada-setup CLI tool: new interactive command line setup wizard to help users configure and deploy Goiabada with Docker Compose and Kubernetes. No more complicated two-staged bootstraps.
  • New documentation site: migrated from Mkdocs to Astro Starlight with improved UX
  • Updated dependency modernc.org/libc to v1.67.1
  • Improved GitHub Actions workflows with Go module caching for faster builds

Release v1.2
leodip · November 20, 2025

📦 Architecture improvements

  • Admin console refactoring: The admin console previously communicated with the database directly. In this release, it now communicates with the auth server using secure HTTP calls (OAuth2), ensuring only the auth server accesses the database directly. This separation of concerns improves security and scalability.
  • Enhanced session management: Introduced a new Chunked Cookie Store for improved HTTP session handling, enabling support for larger session data with automatic chunking and metadata management.

✨ New features

  • Dynamic Client Registration (RFC 7591) https://github.com/leodip/goiabada/issues/24 . Added standards-compliant Dynamic Client Registration, allowing OAuth2 clients to self-register programmatically. Good for MCP servers and native applications. Thanks @katesclau for the suggestion!
  • 'nbf' (Not Before) claim https://github.com/leodip/goiabada/issues/25 . JWT tokens now include the nbf claim (defaulting to the same value as iat) for improved token validation and security. Thanks @Henelik for the suggestion!

๐Ÿ› Bug fixes

  • Session deletion handling https://github.com/leodip/goiabada/issues/26 . Fixed session deletion to properly trigger logout for current sessions, ensuring users are immediately logged out when their sessions are removed. Thanks @mur4s4m3 for reporting!

📦 Maintenance

  • Dependency updates: Updated all dependencies to their latest versions, including Go 1.25.4, Tailwind CSS 4.1.12, DaisyUI 5.5.5, and PostgreSQL 18.3

---

💥 ⚠️ Breaking Changes - Migration from v1.1 to v1.2

  • Version 1.2 requires configuration changes for existing installations. Follow these migration steps carefully before upgrading.
  • Before upgrading to v1.2:
    • Backup your database (important for rollback if needed).
    • Plan for brief downtime. Users will be logged out during upgrade.
    • Prepare environment variable changes (detailed below).

📦 Step-by-step migration guide

  • Version 1.2 requires four new session keys (previously stored in the database). Generate them using OpenSSL:

    ```
    openssl rand -hex 64
    openssl rand -hex 32
    openssl rand -hex 64
    openssl rand -hex 32
    ```

  • Save these keys. You'll add them to your configuration in the next steps.
  • + 56 more

Release v0.6 (Pre-release)
leodip · June 2, 2024

📋 Changes

  • Fixed a bug where the application crashed when admin was searching for members of a group.
  • Improved error message when there's a panic.
  • Added integration tests.
  • Bumped dependencies.
  • Other minor UI/text updates.

Release v0.5 (Pre-release)
leodip · February 24, 2024

📋 Changes

  • Removed GORM. It's a great library, but it was causing issues while I was trying to add support to Microsoft SQL server. Some of the update statements generated by GORM were huge, and the MSSQL engine was unable to process them. I think having control over the generated SQL is more important than the development convenience given by GORM.
  • Added an HTTP rate limiter, to enhance security against brute force attacks.
  • Improved errors output in the console log. They will now show the stack trace, to help with troubleshooting.
  • Replaced the HTML sanitization library for better protection against XSS.
  • Introduced max length for password, and max string length for some user-agent strings, for security (thanks @aboyadzhiev).
  • Updated docs.
  • Added more integration tests.
  • Bumped dependencies.
  • + 1 more

Release v0.0.4 (Pre-release)
leodip · February 10, 2024

📋 Changes

  • Fixing a bug in the Audit code where user self-registration was causing a panic.

Release v0.0.3 (Pre-release)
leodip · January 14, 2024

📋 Changes

  • GORM http session store
  • SQLite database support
  • Better defaults for environment variables
  • Better support for running Goiabada outside of a container
  • Increased test coverage
  • Bumped dependencies versions
  • Updated docs

Release v0.0.2 (Pre-release)
leodip · December 16, 2023

📋 Changes

  • Added support to use Goiabada with http (testing and development)
  • Bumped package versions and DaisyUI version
  • Updated docs

Release v0.0.1 (Pre-release)
leodip · December 16, 2023

Initial release. Docker images: https://hub.docker.com/r/leodip/goiabada/tags