Releases: meili-NG/meiliNG.js
Ver. 0.9.6
Welcome back!
We're now releasing meiliNG version 0.9.6! 🥳
This version fixes a WebAuthn bug on some frontend implementations.
What's new?
- Fixed WebAuthn verification logic to work with some frontend implementations that don't include { "type": "public-key" } in the challengeResponse.
Ver. 0.9.5
Welcome back!
We're now releasing meiliNG version 0.9.5! 🥳
This is a hotfix release for 0.9.4, which is broken due to an unwanted upgrade to fastify@4.
What's new?
Migrated to Fastify 4
Ver. 0.9.4 (BROKEN)
Welcome back!
We're now releasing meiliNG version 0.9.4! 🥳
This fixes several bugs from v0.9.3, and does not contain breaking changes.
What's new?
2FA Bug Fix (again)
Fixed the bug where the validation logic didn't allow a string-type challengeResponse.
This is fixed, this time.
Package upgrade
The following packages were upgraded to mitigate some vulnerabilities alerted by GitHub Advisory:
- fastify
- @xmldom/xmldom
Ver. 0.9.3
Welcome back!
We're now releasing meiliNG version 0.9.3! 🥳
What's new?
Initial configuration script
The stub yarn configure command to configure the initial database of meiliNG is now here!
It is still a stub, but you can now set up meiliNG without manually configuring with Prisma Studio.
2FA Bug Fix
Fixed the bug where the validation logic didn't allow a string-type challengeResponse.
This fixes the phone/email 2FA bug.
Added admin endpoints for permission configuration
Stub endpoints for permissions CRUD are now available.
Ver. 0.9.2
Welcome back!
We're now releasing meiliNG version 0.9.2! 🥳
What's new?
Hotfix Release
This version of meiliNG fixes a serious security vulnerability caused by the implementation of a wrong logic flow on skip2FA.
Affected versions: v0.9.1.
If you are using v0.9.1, upgrade as soon as possible.
Ver. 0.9.1
Welcome back!
We're now releasing meiliNG version 0.9.1! 🥳
What's new?
- You can now use skip2FA to skip 2FA on this session.
Ver. 0.9.0
Welcome back! It's been a long time.
We're now releasing meiliNG version 0.9.0! 🥳
This version introduces a lot of breaking changes and underlying code changes.
What's new?
- Major rewrite on how errors are handled.
- Fastify Errors are now properly handled in meiliNG's format.
- Developer mode now helps you debug with a detailed stack trace in your response
- Added Sentry support!
- Experimental "Swagger"/"OpenAPI 3.0" support.
- /v1/admin/sessions/count endpoint is now implemented!
- Fixed a bug on id_token generation that did not provide key id on JWT itself.
- Added user-land CRUD operations for e-mail and phone
- Fixed the isPrimary property not being properly handled via the addPhone function call. Oops.
- Two-factor authentication has now reached stable!
- TOTP and WebAuthn Support!
- Fixed several bugs on PGP signature 2FA flow
- Rate limiting is now issued faster, without a DB query, using a runtime rate-limit cache (special thanks to someone who DDoS-attacked our backend 🤦🏻, we should have done this from the beginning)
- Administrative login support to a specific session with /v1/admin/auth/login. This can be used for custom login flows such as OAuth2/SAML2 integration with third parties.
- Mitigated potential prisma query injection vulnerability that @kjsman pointed out. Thanks!
- Mitigated potential prototype pollution vulnerability that @kjsman pointed out
- Fixed admin endpoints not being able to process GET queries if the query contains numeric characters only
- Fixed /v1/admin/users/:userId/phones and /v1/admin/users/:userId/phones/:phoneId endpoints not working properly (no response, querying wrong db)
- Fixed a bug where "Deleted" users could not be looked up via User.getDetailInfo.
- Fixed a bug where /v1/admin endpoints return undefined on the /v1/admin/users endpoint when a deleted user occurs
- Fixed a bug that made it impossible to look up any "Deleted" users via admin endpoints
- Fixed obsolete eslint version
- Updated target TypeScript version to 4.7.4
- Updated Prisma to 4.1.1
Now that's a-lotta-features!
The following features are now deployed and available on Stella IT Accounts.
Thank you for choosing meiliNG!
Ver. 0.8.4
Welcome back!
We're now releasing Meiling Gatekeeper version 0.8.4! 🥳
This version introduces some security patches.
Upgrade as soon as possible!
What's new?
- Patched a probable vulnerability for JWT algorithm confusion on the ID Token Endpoint - reported by @kjsman
- /v1/admin/users/:userId/authns previously did not handle createdAt properly.
- Fixed keygen.js on JWT algorithm selection - @kdhkr
- isVerified property is now properly ignored on /v1/admin/users/:userId/phones.
Thank you for choosing Meiling Gatekeeper.
See you in the next release!
Ver. 0.8.3
- Updated dependencies
- Fixed the /v1/admin/users POST endpoint, which was NOT fixed in the previous attempt - @Baw-Appie
Ver. 0.8.2
This version fixes the /v1/admin/users POST endpoint not processing properly - reported by @Baw-Appie.
Also, this version fixes Utils.isNotBlank being unable to process undefined properly.