Releases: authorizerdev/authorizer

2.2.1

14 Apr 05:42
1726717

What's Changed

  • fix(crypto): switch AES-CFB to AES-GCM with HKDF key derivation [C1+H3] by @lakhansamani in #543
  • fix(parsers): validate host headers to prevent injection [C2] by @lakhansamani in #544
  • fix(token): add reserved claim blocklist for custom scripts [C3] by @lakhansamani in #545
  • fix(cookie): make HttpOnly unconditional on all cookies [C4] by @lakhansamani in #546
  • fix(oauth): verify Apple ID token signature via OIDC [C5] by @lakhansamani in #547
  • fix(graphql): add SSRF protection to _test_endpoint [C6] by @lakhansamani in #548
  • fix(token): verify JWT algorithm in parse keyfunc [H1] by @lakhansamani in #550
  • fix(token): use safe type assertions for JWT claims [H2] by @lakhansamani in #551
  • fix(token): fix bearer extraction case-sensitivity bug [H4] by @lakhansamani in #552
  • fix(token): reduce session and refresh token lifetimes [H5] by @lakhansamani in #553
  • fix(arangodb): parameterize AQL query in UpdateUsers [H6] by @lakhansamani in #554
  • fix(graphql): constant-time admin secret comparison [H7] by @lakhansamani in #555
  • fix(cassandra): enable TLS verification [H8+L6] by @lakhansamani in #556
  • fix(crypto): RSA 4096, DecryptRSA error handling, b64 naming [L1+L2+L5] by @lakhansamani in #566
  • fix(graphql): add query complexity limit [H10] by @lakhansamani in #558
  • feat(middleware): add CSRF protection [H11] by @lakhansamani in #559
  • fix(crypto): use crypto/rand for HMAC key generation [M3] by @lakhansamani in #560
  • fix(sql): disable GORM AllowGlobalUpdate [M6] by @lakhansamani in #561
  • fix(email): explicit TLS ServerName for SMTP [M10] by @lakhansamani in #563
  • fix: template.JS XSS, GitHub name bug, POST logout [M11+L7+L9] by @lakhansamani in #564
  • fix(schemas): exclude password hash from JSON serialization [M9] by @lakhansamani in #562
  • fix(graphql): prevent user enumeration via error messages [M12] by @lakhansamani in #565
  • fix(storage): implement DeleteSession for SQL and ArangoDB [M5] by @lakhansamani in #567
  • feat(security): add per-IP rate limiting with Redis + in-memory support by @lakhansamani in #568
  • fix(security): use constant-time comparison for client secret and OTP by @lakhansamani in #569
  • fix(security): prevent HMAC key leak in JWKS and fix redirect URI wildcard by @lakhansamani in #570
  • fix(security): add security headers, fix CORS credentials, set SameSite on admin cookie by @lakhansamani in #573
  • fix(security): add SSRF protection, HMAC signatures, and response limit for webhooks by @lakhansamani in #572
  • fix(security): use html/template for email rendering to prevent SSTI by @lakhansamani in #574
  • fix(security): reduce cookie max-age, sanitize errors, replace panic with error by @lakhansamani in #575
  • fix(security): harden Dockerfiles - secure defaults, signal handling, healthcheck by @lakhansamani in #576
  • fix(security): enhance client ID audit logging and CSRF origin validation by @lakhansamani in #577
  • fix(security): add 5-second execution timeout for custom access token scripts by @lakhansamani in #571
  • fix(security): update MongoDB driver and fix compilation issues by @lakhansamani in #578
  • fix(security): validate redirect_uri to prevent open redirect attacks by @lakhansamani in #579
  • fix(tests+security): custom script timeout tests, client-id metric, test fixes, ArangoDB hardening by @lakhansamani in #580
  • Fix/CVE 2026 34986 go jose go OIDC by @lakhansamani in #581
  • security: normalize login error messages to prevent user enumeration (#6) by @lakhansamani in #583
  • security: reject query response_mode for token flows; harden GET /logout against CSRF (#9, #10) by @lakhansamani in #589
  • security: add HTTP server timeouts, graceful shutdown, and security headers (#11, #12, #13) by @lakhansamani in #588
  • security: GraphQL depth/complexity/alias limits and disable GET transport (#14) by @lakhansamani in #584
  • security: prevent SSRF DNS rebinding by dialing validated IP directly (#3) by @lakhansamani in #582
  • security: harden CSRF Origin check and CORS credentials handling (#5, #16) by @lakhansamani in #585
  • security: require admin secret at startup and add configurable refresh token lifetime (#1, #15) by @lakhansamani in #586
  • security: fix rate limiter bypass, error swallowing, race, window math (#2, #4, #17, #18) by @lakhansamani in #587
  • security: hash OTPs and encrypt TOTP secrets at rest with idempotent migration (#7, #8) by @lakhansamani in #590
  • feat(oidc)!: phase 1 spec conformance fixes (with /userinfo breaking change) by @lakhansamani in #591
  • feat(oidc): phase 2 — standard params, ID token claims, logout polish by @lakhansamani in #592
  • feat(oidc): phase 3 — introspection, hybrid flows, JWKS multi-key, back-channel logout by @lakhansamani in #593
  • chore: slim CLAUDE.md to reference skills + 3 agents by @lakhansamani in #601
  • fix: 12 logical issues across HTTP handlers and GraphQL modules by @lakhansamani in #602
  • fix(oauth): RFC-compliant PKCE, redirect_uri validation, and security hardening by @lakhansamani in #603
  • fix(oidc): Enterprise IdP compatibility — RFC-compliant errors, auth_time, TTL, discovery by @lakhansamani in #604
  • feat: migrate admin dashboard from Chakra UI to shadcn/ui + Tailwind CSS by @lakhansamani in #605
  • fix(security): introspect auth bypass, backchannel SSRF, session rollover by @lakhansamani in #606

Full Changelog: 2.2.0...2.2.1

2.2.1-rc.2

08 Apr 04:26
22c2efe

Pre-release

What's Changed

  • security: normalize login error messages to prevent user enumeration (#6) by @lakhansamani in #583
  • security: reject query response_mode for token flows; harden GET /logout against CSRF (#9, #10) by @lakhansamani in #589
  • security: add HTTP server timeouts, graceful shutdown, and security headers (#11, #12, #13) by @lakhansamani in #588
  • security: GraphQL depth/complexity/alias limits and disable GET transport (#14) by @lakhansamani in #584
  • security: prevent SSRF DNS rebinding by dialing validated IP directly (#3) by @lakhansamani in #582
  • security: harden CSRF Origin check and CORS credentials handling (#5, #16) by @lakhansamani in #585
  • security: require admin secret at startup and add configurable refresh token lifetime (#1, #15) by @lakhansamani in #586
  • security: fix rate limiter bypass, error swallowing, race, window math (#2, #4, #17, #18) by @lakhansamani in #587
  • security: hash OTPs and encrypt TOTP secrets at rest with idempotent migration (#7, #8) by @lakhansamani in #590
  • feat(oidc)!: phase 1 spec conformance fixes (with /userinfo breaking change) by @lakhansamani in #591
  • feat(oidc): phase 2 — standard params, ID token claims, logout polish by @lakhansamani in #592
  • feat(oidc): phase 3 — introspection, hybrid flows, JWKS multi-key, back-channel logout by @lakhansamani in #593

Full Changelog: 2.2.1-rc.1...2.2.1-rc.2

2.2.1-rc.1

06 Apr 14:16
9fd200c

Pre-release

What's Changed

Full Changelog: 2.2.1-rc.0...2.2.1-rc.1

2.2.1-rc.0

06 Apr 05:55
ce686b2

Pre-release

What's Changed

  • fix(crypto): switch AES-CFB to AES-GCM with HKDF key derivation [C1+H3] by @lakhansamani in #543
  • fix(parsers): validate host headers to prevent injection [C2] by @lakhansamani in #544
  • fix(token): add reserved claim blocklist for custom scripts [C3] by @lakhansamani in #545
  • fix(cookie): make HttpOnly unconditional on all cookies [C4] by @lakhansamani in #546
  • fix(oauth): verify Apple ID token signature via OIDC [C5] by @lakhansamani in #547
  • fix(graphql): add SSRF protection to _test_endpoint [C6] by @lakhansamani in #548
  • fix(token): verify JWT algorithm in parse keyfunc [H1] by @lakhansamani in #550
  • fix(token): use safe type assertions for JWT claims [H2] by @lakhansamani in #551
  • fix(token): fix bearer extraction case-sensitivity bug [H4] by @lakhansamani in #552
  • fix(token): reduce session and refresh token lifetimes [H5] by @lakhansamani in #553
  • fix(arangodb): parameterize AQL query in UpdateUsers [H6] by @lakhansamani in #554
  • fix(graphql): constant-time admin secret comparison [H7] by @lakhansamani in #555
  • fix(cassandra): enable TLS verification [H8+L6] by @lakhansamani in #556
  • fix(crypto): RSA 4096, DecryptRSA error handling, b64 naming [L1+L2+L5] by @lakhansamani in #566
  • fix(graphql): add query complexity limit [H10] by @lakhansamani in #558
  • feat(middleware): add CSRF protection [H11] by @lakhansamani in #559
  • fix(crypto): use crypto/rand for HMAC key generation [M3] by @lakhansamani in #560
  • fix(sql): disable GORM AllowGlobalUpdate [M6] by @lakhansamani in #561
  • fix(email): explicit TLS ServerName for SMTP [M10] by @lakhansamani in #563
  • fix: template.JS XSS, GitHub name bug, POST logout [M11+L7+L9] by @lakhansamani in #564
  • fix(schemas): exclude password hash from JSON serialization [M9] by @lakhansamani in #562
  • fix(graphql): prevent user enumeration via error messages [M12] by @lakhansamani in #565
  • fix(storage): implement DeleteSession for SQL and ArangoDB [M5] by @lakhansamani in #567
  • feat(security): add per-IP rate limiting with Redis + in-memory support by @lakhansamani in #568
  • fix(security): use constant-time comparison for client secret and OTP by @lakhansamani in #569
  • fix(security): prevent HMAC key leak in JWKS and fix redirect URI wildcard by @lakhansamani in #570
  • fix(security): add security headers, fix CORS credentials, set SameSite on admin cookie by @lakhansamani in #573
  • fix(security): add SSRF protection, HMAC signatures, and response limit for webhooks by @lakhansamani in #572
  • fix(security): use html/template for email rendering to prevent SSTI by @lakhansamani in #574
  • fix(security): reduce cookie max-age, sanitize errors, replace panic with error by @lakhansamani in #575
  • fix(security): harden Dockerfiles - secure defaults, signal handling, healthcheck by @lakhansamani in #576
  • fix(security): enhance client ID audit logging and CSRF origin validation by @lakhansamani in #577
  • fix(security): add 5-second execution timeout for custom access token scripts by @lakhansamani in #571
  • fix(security): update MongoDB driver and fix compilation issues by @lakhansamani in #578
  • fix(security): validate redirect_uri to prevent open redirect attacks by @lakhansamani in #579
  • fix(tests+security): custom script timeout tests, client-id metric, test fixes, ArangoDB hardening by @lakhansamani in #580
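
Worked example for the token items H1, H2 and H7 in this list (#550, #551, #555; the same entries appear in the 2.2.1 notes above). This is added illustration in Go using only the standard library; it is not the project's token code, and the demo key, the expectedAlg constant and the claim names are assumptions made for the example. It shows the three fixes together on one verifier: the keyfunc pins the algorithm before any key is used (so alg=none and HS/RS confusion are rejected up front), the signature is compared with hmac.Equal, and claims are extracted with comma-ok assertions rather than casts that panic.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed demo key; a real service loads its secret from configuration.
var hmacKey = []byte("constructed-demo-key-do-not-use")

// The only algorithm this verifier accepts (H1): checked before any key is used,
// so alg=none and HS/RS confusion never reach signature verification.
const expectedAlg = "HS256"

// Claims after type-checked extraction (H2).
type Claims struct {
	Sub string
	Exp int64
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 mints a token so the example runs offline; alg is a parameter only
// so a forged alg=none header can be produced for the demo.
func signHS256(key []byte, alg string, claims map[string]any) string {
	h, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	p, _ := json.Marshal(claims)
	in := b64url(h) + "." + b64url(p)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(in))
	return in + "." + b64url(mac.Sum(nil))
}

// VerifyHS256 parses a compact JWT, pins the algorithm (H1), compares the
// signature in constant time with hmac.Equal (the H7 pattern) and extracts
// claims with comma-ok assertions instead of panicking casts (H2).
func VerifyHS256(token string, key []byte) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	dec := make([][]byte, 3)
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("part %d: bad base64url", i)
		}
		dec[i] = b
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(dec[0], &hdr); err != nil {
		return nil, errors.New("bad header")
	}
	if hdr.Alg != expectedAlg { // H1: reject before selecting a key
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), dec[2]) { // H7: constant-time compare
		return nil, errors.New("signature mismatch")
	}
	var raw map[string]any
	if err := json.Unmarshal(dec[1], &raw); err != nil {
		return nil, errors.New("bad payload")
	}
	sub, ok := raw["sub"].(string) // H2: wrong JSON type is an error, not a panic
	if !ok || sub == "" {
		return nil, errors.New("sub missing or not a string")
	}
	exp, ok := raw["exp"].(float64) // encoding/json decodes numbers as float64
	if !ok || exp <= 0 {
		return nil, errors.New("exp missing or not a positive number")
	}
	return &Claims{Sub: sub, Exp: int64(exp)}, nil
}

func main() {
	good := map[string]any{"sub": "u1", "exp": 4102444800}
	for _, tok := range []string{
		signHS256(hmacKey, "HS256", good),
		signHS256(hmacKey, "none", good),                      // forged alg
		signHS256(hmacKey, "HS256", map[string]any{"sub": 42}), // wrong claim type
	} {
		c, err := VerifyHS256(tok, hmacKey)
		fmt.Printf("claims=%+v err=%v\n", c, err)
	}
}
```

Note the order: the algorithm check happens before the signature is computed and the claims are only read after the signature has verified, so untrusted payload bytes never influence which key or code path is used. Expiry, issuer and audience checks are deliberately left to the caller here; a production verifier must compare exp against the current time.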

Full Changelog: 2.2.0...2.2.1-rc.0

2.2.0

03 Apr 12:49
4f8d1d5

Full Changelog: 2.1.0...2.2.0

What's Changed

  • feat: add Prometheus metrics, health checks, and readiness endpoints by @lakhansamani in #528

2.1.0

03 Apr 09:17
b4ac2f3

What's Changed

Full Changelog: 2.0.1...2.1.0

2.0.1

30 Mar 06:23
2a9d22f

What's Changed

Full Changelog: 2.0.0...2.0.1

2.0.0

20 Mar 17:35
fc8984a

What's Changed

New Contributors

Full Changelog: 1.4.4...2.0.0

2.0.0-rc.6

01 Mar 13:39
b759bd7

Pre-release

What's Changed

Full Changelog: 2.0.0-rc.5...2.0.0-rc.6

2.0.0-rc.5

28 Feb 11:16
987c1ec

Pre-release

Full Changelog: 2.0.0-rc.4...2.0.0-rc.5

  • Fix default root args