- Tried to be clear about OAuth2 vs OAuth in all places.
- Allow users to be locked from OAuth logins (if done manually for some
reason other than failed logins)
- Cleaned up some docs and wording around the previously very confusing
(now hopefully only somewhat confusing) oauth2 module.
- This may seems silly but the functionality is shared
between oauth2 and auth with no changes so it makes it nicer
not to have an oauth2/logout route like before
- Add back the feature to log in after password recovery
- Add new storer functionality to mocks
- Add RecoveringServerStorer
- Add RecoverableUser
- Add RecoverStartValuer, RecoverMiddleValuer, RecoverEndValuer
- Change storers to differentiate between tokens (recover vs confirm)
- Change BCryptCost to be a generic module configuration (doesn't belong
to register)
- Add a ClientStateMiddleware that loads the client state into the
request context and prepares a ClientStateResponseWriter for
downstream handlers
- Clean up some of the handling around session and cookie state, for
example don't write if there are no events to be processed
- Redo the Defaultts() method for config to be useful again.
- Prefix LogoutMethod with Auth to be consistent
Discovered many problems with the abstractions along the way
and did small fixes to get to the end of the auth module.
- Use more constants for random strings
- Create forcing functions to deal with the upgrades to different
interfaces
- Replace the old logging mechanisms with a leveled one. This is
important as authboss needs to start saying a lot more about what's
happening in the Info log, which will end up like Debug but that's
okay.
- Replace the error handling mechanisms with something different. This
allows people to define their own error handlers.
- Change changelog format to use keepachangelog standard
- Refactor the config to be made of substructs to help organize all the
pieces
- Add the new interfaces to the configuration
- Clean up module loading (no unnecessary reflection to create new value)
- Change User interface to have a Get/SetPID not E-mail/Username, this
way we don't ever have to refer to one or the other, we just always
assume pid. In the case of Confirm/Recover we'll have to make a GetEmail
or there won't be a way for us to get the e-mail to send to.
- Delete the xsrf nonsense in the core
- Document more things
- Remove module code
- Remove callbacks code
- Remove data makers, flash messages, and context providers in exchange
for middlewares that use context (unwritten)
- Move more implementations (responses, redirector, router) to defaults
package
- Rename key interfaces (again), Storer -> User, StoreLoader ->
ServerStorer (opposite of ClientStateStorer) if this is the last time
I rename these I'll be shocked
- This addresses the problem of having to update multiple times during
one request. It's hard to have a nice interface especially with JWT
because you always end up having to decode the request, encode new
response, write header, then a second write to it comes, and where do
you grab the value from? Often you don't have access to the response
as a "read" structure. So we store it as events instead, and play
those events against the original data right before the response is
written to set the headers.
- Having the default logger set to nil was troublesome because some errors
are hard to detect without a logger. This falls under "sane default"
changes and so should be made.
- Add a new storer specifically for OAuth2 to enable clients to choose
regular database storing OR Oauth2 but not have to have both.
- Stop storing OAuth2 credentials in a combined form inside username.
- Add new events to capture OAuth events just like auth.
- Have pass-through parameters for OAuth init urls, this allows us to
pass additional behavior options (redirects and remember me) as well
as other things that should be present on the page that is redirected
to.
- Context.LoadUser is now OAuth aware.
- Remember's callbacks now include an OAuth check to see if a horribly
packed state variable contains a flag to say that we want to be
remembered.
- Change the OAuth2 Callback to use Attributes instead of that custom
struct to allow people to append whatever attributes they want into
the user that will be saved.
