
v1.0.0-rc1

Pre-release
@cainlevy cainlevy released this 21 Oct 20:41

Release candidate for v1.0!

Incompatible Changes

I've tried to make any incompatible changes together, to minimize impact on production users. These need to happen before 1.0 though. There's no better time.

  • SECRET_KEY_BASE is now stretched into a 128-bit key, to defeat brute-force guessing. This will invalidate existing password reset tokens, session tokens, and access tokens.
  • Session tokens now have an additional scope claim. This invalidates existing session tokens.
  • Refresh tokens now expire after a 30-day timeout, by default. Existing tokens are unaffected, except that all of them have been expired by the above changes. They'll be cleaned out of Redis eventually.
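As an added illustration of what "stretching" the secret into a 128-bit key means, and why it invalidates every token signed under the old key, here is a self-contained Go example. It is not AuthN's own code: the KDF (PBKDF2-HMAC-SHA256 implemented directly on the standard library), the salt string, the 100,000-round count and the function names are all assumptions chosen for the example. The point it demonstrates is that a slow derivation makes each guess at a weak SECRET_KEY_BASE cost the attacker the full iteration count, and that the derived key differs from the raw secret, so signatures made with the raw secret no longer verify.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// pbkdf2SHA256 implements PBKDF2 with HMAC-SHA256 (RFC 8018, section 5.2) on the
// standard library only, so the stretching loop is visible in the example.
func pbkdf2SHA256(secret, salt []byte, iterations, keyLen int) []byte {
	if iterations < 1 || keyLen < 1 {
		panic("pbkdf2SHA256: iterations and keyLen must be positive")
	}
	prf := hmac.New(sha256.New, secret)
	hashLen := prf.Size()
	blocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, blocks*hashLen)
	for i := 1; i <= blocks; i++ {
		// U_1 = PRF(secret, salt || INT_32_BE(i))
		prf.Reset()
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_j = PRF(secret, U_{j-1}); T_i = U_1 xor U_2 xor ... xor U_c
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Assumed parameters for the example (not AuthN's): a fixed, purpose-specific
// salt and a round count that makes offline guessing of a weak secret expensive.
const (
	signingKeyLen    = 16 // 128 bits, as the release note describes
	signingKeySalt   = "example-signing-key-v1"
	signingKeyRounds = 100_000
)

// deriveSigningKey stretches the configured SECRET_KEY_BASE into the signing key.
func deriveSigningKey(secretKeyBase string) []byte {
	return pbkdf2SHA256([]byte(secretKeyBase), []byte(signingKeySalt), signingKeyRounds, signingKeyLen)
}

// signToken returns the hex HMAC-SHA256 tag a token issuer would attach to payload.
// It exists only to show that tokens signed with the raw secret and with the
// stretched key verify under different keys.
func signToken(key []byte, payload string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return hex.EncodeToString(m.Sum(nil))
}

func main() {
	secret := "change-me-in-production" // constructed sample value
	key := deriveSigningKey(secret)
	fmt.Printf("derived %d-bit key: %s\n", len(key)*8, hex.EncodeToString(key))
	fmt.Println("tag under raw secret:   ", signToken([]byte(secret), "sub=42"))
	fmt.Println("tag under stretched key:", signToken(key, "sub=42"))
}
```

Operationally, rotating from the raw secret to the derived key is a one-way cut: every token minted before the change carries a tag that the new key rejects, which matches the release note's warning that existing reset, session and access tokens stop validating.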

New

  • webhooks will retry for up to nearly two minutes
  • CSRF protection now checks the Origin header instead of Referer. This should be a sidegrade.
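To make the Origin-based check concrete, here is an added Go example of an allowlist check wrapped as `net/http` middleware. It is not AuthN's implementation: the function names, the allowlist shape, the treatment of safe methods and the 403 response are assumptions for the example. It also handles the two cases a practitioner has to decide on up front: a missing Origin header (some clients and non-browser callers omit it) and the literal value `null`, which browsers send for opaque origins; both are rejected here for state-changing requests.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// safeMethods are left alone by the check: by contract they must not change state.
var safeMethods = map[string]bool{"GET": true, "HEAD": true, "OPTIONS": true}

// normalizeOrigin reduces an Origin value (or a configured origin) to lowercase
// "scheme://host[:port]". It returns "" for anything that is not a usable origin:
// empty, the literal "null", missing scheme or host, or a value carrying a path.
func normalizeOrigin(raw string) string {
	raw = strings.TrimSpace(raw)
	if raw == "" || raw == "null" {
		return ""
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return ""
	}
	if u.Path != "" && u.Path != "/" {
		return ""
	}
	return strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host)
}

// newOriginAllowlist normalizes the configured origins so that comparison is exact.
func newOriginAllowlist(origins []string) map[string]bool {
	allowed := make(map[string]bool, len(origins))
	for _, o := range origins {
		if n := normalizeOrigin(o); n != "" {
			allowed[n] = true
		}
	}
	return allowed
}

// csrfOriginOK reports whether a request passes the Origin-based CSRF check.
// Safe methods always pass; anything else needs a present, allowlisted Origin.
func csrfOriginOK(method, origin string, allowed map[string]bool) bool {
	if safeMethods[strings.ToUpper(method)] {
		return true
	}
	n := normalizeOrigin(origin)
	return n != "" && allowed[n]
}

// requireTrustedOrigin wraps next with the check and answers 403 on failure.
func requireTrustedOrigin(origins []string, next http.Handler) http.Handler {
	allowed := newOriginAllowlist(origins)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !csrfOriginOK(r.Method, r.Header.Get("Origin"), allowed) {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed configuration and sample requests, not values from the project.
	allowed := newOriginAllowlist([]string{"https://app.example.com", "http://localhost:3000/"})
	cases := []struct{ method, origin string }{
		{"POST", "https://app.example.com"},
		{"POST", "HTTPS://APP.EXAMPLE.COM"},
		{"POST", "https://evil.example.net"},
		{"POST", ""},
		{"POST", "null"},
		{"GET", ""},
	}
	for _, c := range cases {
		fmt.Printf("%-4s Origin=%q -> allowed=%v\n", c.method, c.origin, csrfOriginOK(c.method, c.origin, allowed))
	}
}
```

Compared with a Referer check, this only ever compares the scheme and host the browser asserted for the requesting document, so a Referer that is stripped by a privacy policy or that leaks a full URL never enters the decision; the cost is that clients which send no Origin at all must be treated as untrusted for writes.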