All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- `jwtExpiresAt` and `refreshTokenExpiresAt` are now returned in milliseconds to make JS validation simpler (this will always end in `000` as token expiry is stored in seconds in the database)
- Actually fix `Invalid Authorization Header` on queries/mutations against the public schema (#23 via @approached)
- Fix issue where tokens decoded from JWTs weren't being passed to the GraphQL API controller properly (#28 via @daltonrooney)
- Ensure `isGraphiqlRequest` detects GraphiQL requests properly (#23 via @approached)
- Much improved documentation!
- Added JWT and refresh token support (#3 thanks to @timkelty)
- Added support for Log in with Twitter
- Added support for Facebook login
- Added ability to customise response and error messages
- Deprecated non-JWT tokens, these will be removed in version `1.4.0`. JWTs provide greater flexibility and security
- Fixed an issue where non-user tokens were being restricted (#19 via @menberg)
- Fixed an issue where `family_name` might not be defined in Google Sign-In (#25 via @daltonrooney)
- Fixed an issue where the plugin settings screen would error if a deleted schema was assigned to a user group (#26 via @daltonrooney)
- Fixed issue with `Auth` GQL type not registering properly in production mode
- Fixed issue with requests against the public schema throwing `Invalid Authorization Header`
- Added ability to disable user registration
- Added per user group schema assignment, user group assignment, and granular schema permissions (a `register` mutation is added for each group, if enabled)
- Added Google Sign-In support (adds a single `googleSignIn` mutation, or mutations per user group, depending on settings)
- Added `SameSite` cookie policy control
- Added unique, per user caching, to ensure users never see each other's cached queries
- Added a `schema` field to the authentication mutation responses
- Reworked the plugin's settings into a tabbed interface
- The `register` mutation now listens to the `requireEmailVerification` setting in user settings – creating users in a pending state, and sending an activation email
- Tokens are now created using `microtime()` instead of `time()` to avoid any name conflicts
- Fixed some deprecation errors
- Lots of under-the-hood tidying to make maintenance a lot easier
- Fixed issue with saving token expiry as 'never'
- Fixed issue with trailing commas in function calls causing an error on environments running PHP <7.3
- Fixed issue with `updatePassword` mutation failing validation
- Fixed issue with custom fields on users not setting correct values on `register` and `updateUser` mutations
- Fixed issue with project config sync throwing `Calling unknown method: craft\console\Request::getBodyParam()`
- Improved `isGraphiqlRequest` detection
- Fixed issues with non-user tokens throwing `Invalid Authorization Header`. Previously it was always trying to validate queries against user permissions, but this was causing conflicts with tokens that will only be used server-side (i.e. in Next.js SSG requests)
- Added empty fallback to `Craft::$app->getRequest()->getReferrer()`, to fix error if referrer is blank
- Fixed issue with `isGraphiqlRequest` always returning `true`, breaking Craft's GraphiQL explorer
- Added support for HTTP-Only cookie tokens, improving security (thanks @timkelty)
- Update `lastLoginDate` on users when running `authenticate`/`register` mutations
- Initial release