Skip to content

Changelog

This changelog covers all notable changes to SpartanAuth and the Login Widget, grouped by date.

  • Security: Added stronger origin protections to enhance security.
  • Dashboard: Bulk user import now supports drag-and-drop file upload
  • Dashboard: Clear guidance added to the bulk import form explaining exactly when an invite email will be sent to imported users
  • Added a script for generating changelogs automatically
  • Auth: Users are now automatically marked as verified after a successful social login
  • Dashboard: Client secret input fields no longer use the browser’s password type, improving copy/paste usability
  • Docs: Added PostHog analytics to the documentation site
  • Login Widget v1.2.1: Updated vulnerable dependencies
  • Login Widget v1.2.0: Social login options are now available on the invite screen
  • Login Widget v1.1.1: Added ability to hide social login buttons per sector
  • Login Widget v1.1.0: Added frosted glass loading overlay during authentication
  • Login page: Social login buttons are now hidden for non-default sectors
  • Docs: Pinned all documentation site dependency versions for reproducible builds
  • Docs: Published full API Reference with descriptions for every endpoint
  • Docs: Aligned branding across the documentation site
  • Documentation site launched at docs.spartanauth.com
  • Dashboard: Added links to documentation throughout the interface
  • Dashboard: Added sector selection flow to login
  • Login Widget v1.0.3: Fixed a compatibility issue with LastPass
  • Login Widget v1.0.2: The invite widget has been merged into the login widget — the standalone invite widget is now deprecated
  • Login Widget v1.0.2: Added loading state while handling OAuth callbacks
  • Dashboard: Protected views now require authentication before they can be accessed
  • Dashboard: Various frontend usability improvements
  • Login Widget v1.0.1: Buttons are now disabled during loading states to prevent double-submissions
  • Auth: Added structured logging for all authentication flows
  • Comms: Fixed email error messages to include the sector ID for easier debugging
  • Dashboard: Sector admins can now edit their sector’s information directly
  • Dashboard: Added AI coding skills integration
  • Login Widget: MFA enrollment is now supported from within the login flow
  • Login Widget v1.0.0: Initial stable release
  • Auth: GitHub social login added
  • Auth: Fixed an edge case with the default redirect URI
  • Auth: Google and Apple social login support added (OAuth 2.0 / OIDC)
  • Dashboard: Social provider configuration UI added
  • Login Widget: Added password reset flow
  • Login Widget: Per-sector passkey (WebAuthn) support
  • Login Widget: OTP (one-time password) login flow added with styled dropdown selector
  • Login Widget: Invite acceptance and resend invite flows added
  • Dashboard: User list view rebuilt to match the visual design; users can now be created directly from the list
  • Dashboard: Full sector management UI — create, edit, delete, filter, and paginate sectors
  • Dashboard: Sector management moved to its own dedicated page with a loading animation
  • Dashboard: List sectors endpoint wired up full-stack
  • Dashboard: Prevent deletion of the default sector
  • Dashboard: Added a reminder prompt when deleting a sector to also remove its users
  • Dashboard: Initial login page and dashboard UI setup
  • Dashboard: Style improvements and z-index fixes on the login page
  • Tokens: Added expiration enforcement for all issued tokens
  • Docs: Added LibSQL migration path documentation and session management thoughts
  • Datastores: Switched to the libsql dual driver for improved LibSQL support
  • Auth: Added WebAuthn key removal endpoint
  • Auth: OTP secrets are now cleaned up when an OTP authenticator is removed
  • Auth: Added cleanup routines for expired OTP records and timing attack mitigations
  • Datastores: OTP storage fully working with LibSQL
  • Auth: WebAuthn listing endpoint added
  • Datastores: WebAuthn fully working with LibSQL
  • Datastores: Full LibSQL implementation complete for all data operations
  • Security: Added self sign-up configuration to sector security settings; groundwork for audit logging
  • Auth: Improved user creation flow with better validation and password handling
  • Comms: Custom email and SMS templates now supported for OTP messages
  • Dashboard: Sector security settings management (get and update)
  • API: Added GetProfile endpoint
  • API: Added OTP endpoints; added checks for whether self sign-up is allowed
  • Auth: OTP challenge flow fully implemented (begin and verify)
  • Auth: Refactored challenge interface; removed legacy HOTP/TOTP endpoints
  • Auth: Email service integrated with sector configuration; refactored communication package
  • Comms: Email functionality fully implemented; SMS service stub added for future use
  • API: Full sector CRUD (create, read, update, delete)
  • API: User profile create, update, and soft-delete operations
  • Auth: WebAuthn (passkey) login working end-to-end
  • Auth: WebAuthn registration working end-to-end
  • Auth: Switched WebAuthn to HTTP handlers for a simpler architecture
  • Auth: JWT generation and validation working; CORS support added for frontend apps
  • Auth: WebAuthn profile management
  • Foundation: Sectors model established; initial installation logic on first boot
  • Auth: Token generation and validation; auth middleware added
  • Foundation: gRPC handlers and challenge service scaffolded
  • Foundation: Security settings storage and service
  • Foundation: Multi-database support (PostgreSQL, MariaDB, LibSQL); password hashing; profile management; initial gRPC server