Changelog

Release history

Every release, with what changed and why. Kotauth follows semantic versioning.

AddedImprovedChangedFixedSecurity
v1.19.2
June 22, 2026
Current release
Changed

Two root compose files (docker-compose.yml + docker-compose.prod.yml) replace six that lived under docker/

Changed

External-DB overlay replaced by DB_URL in .env; demo overlay replaced by KAUTH_DEMO_MODE=true in .env

Improved

All deployment guidance moved to docs; comments stripped from Dockerfile, Caddyfile, and compose files

v1.19.1
June 22, 2026
Added

File-based secret injection (*_FILE convention) for KAUTH_SECRET_KEY, DB_PASSWORD, KAUTH_REDIS_PASSWORD, KAUTH_BOOTSTRAP_ADMIN_PASSWORD, and KAUTH_BOOTSTRAP_API_KEYS

Added

Gradle dependency locking: gradle.lockfile pins the resolved dependency graph, CI verifies on every PR

Added

Dependabot enabled for weekly alerts on Gradle deps, GitHub Actions, and Docker base images

v1.19.0
June 19, 2026
Security

HMAC chain over audit log: each row carries prev_hash and row_hash via HMAC-SHA256 keyed by KAUTH_SECRET_KEY; tampering or reordering breaks the chain

Added

New verify-audit-chain CLI command detects tampered or reordered audit rows

Fixed

Audit log details now use kotlinx.serialization, fixing silent JSON corruption from hand-concatenated strings

Fixed

Multi-audience token introspection: AccessTokenClaims.aud widened to support array format

v1.18.0
June 17, 2026
Added

RFC 8707 Resource Indicators for client_credentials grant: audience-targeted M2M tokens with aud bound to the requested resource

Added

APIs registry (admin: /settings/apis): workspace-scoped CRUD for audience identifiers

Added

Per-client "Authorized APIs" screen with checkbox authorization and Discovery metadata advertising resource_indicators_supported: true

Security

Unknown or unauthorized resources return RFC 8707 invalid_target 400 instead of a silently-broad token

v1.17.0
June 17, 2026
Added

All 8 transactional email types localized: verification, magic link, password reset, account locked, invite, password changed, SMTP test, and OTP

Added

Email templates render in the workspace defaultLocale with per-key English fallback

Security

Trusted proxy opt-in (KAUTH_TRUSTED_PROXY): prevents rate-limit bypass via header spoofing

Security

JWT issuer enforcement: tokens issued by one tenant are rejected by another

Security

Open redirect prevention: post-login redirect_uri validated against registered values

Security

PKCE S256 code verifier comparison uses constant-time equality

Security

Server response header suppressed from HTTP responses

Security

Login error normalization with timing equalization prevents user enumeration

v1.16.0
June 17, 2026
Security

Container ships non-root (UID 10001) with no-new-privileges, cap_drop: ALL, and read-only filesystem

Security

TOTP replay protection: each code is single-use per enrollment; lockout after configurable failed attempts

Fixed

Theme CSS variable validation prevents injection of arbitrary values via workspace settings

Improved

Login error timing equalized across password and TOTP verification paths

v1.15.0
June 15, 2026
Changed

AdminService split into AuthManagementService, UserAdminService, and WorkspaceAdminService

Changed

UserSelfServiceService split into UserProfileService and UserSecurityService

Improved

Detekt ratchet tightened: complexity and coupling rules enforced in CI

v1.14.1
June 12, 2026
Security

BREAKING: Default admin credential removed. A random password is generated on first boot and logged once to stdout.

v1.14.0
June 11, 2026
Security

BREAKING: Refresh token endpoint now requires client authentication (client_id + client_secret for confidential clients)

Security

BREAKING: Introspection and revocation endpoints require client authentication per RFC 7662 / RFC 7009

Added

Refresh-token replay detection with full session-family revocation on reuse

Added

Account lockout with configurable threshold and admin unlock UI

v1.13.0
May 26, 2026
Added

Hosted Email OTP login: browser-driven two-step passwordless authentication (enter email, receive 6-digit code, sign in)

Added

Per-tenant toggle for Email OTP via workspace settings

Added

send-otp / verify-otp admin API primitives for programmatic passwordless onboarding

Security

Cross-challenge lockout defense: per-tenant OTP attempt threshold with constant-time response posture

v1.12.1
May 26, 2026
Fixed

Bootstrap API key prefix mismatch: kauth_{slug}_ now consistently applied at generation and validation

Fixed

Redirect-URI validation tightened: exact match required, trailing-slash variants rejected

Improved

OpenAPI spec updated with OTP send/verify endpoints and audit log filter documentation

Improved

Audit log filter groups surfaced in admin UI for cleaner event category browsing

v1.12.0
May 25, 2026
Added

Client default roles: per-application roles automatically assigned to users who self-register through an OAuth application

Added

Registration Defaults card in admin console with dropdown and role management table

Added

Cross-client privilege-escalation guard: roles from other applications cannot be assigned as defaults

v1.11.0
May 23, 2026
Added

Transactional email branding: per-tenant brand name, color, logo URL, support email, and from display name

Added

All 8 transactional email templates inherit workspace branding automatically

Added

Branding editor card in workspace settings with live preview

v1.10.0
May 12, 2026
Added

Admin impersonation: act as any user without knowing their password, with RFC 8693 act claim in the session token

Added

Dual-session model: admin session stays active underneath the impersonated session

Security

Cascade revocation: revoking the admin session also terminates the impersonated session

v1.9.0
May 8, 2026
Added

AI-native MCP server (@kotauth/mcp): 33 tools across 8 domains exposed via Model Context Protocol

Added

Scope-based access control on every MCP tool: API key grants only the permissions you choose

Added

One-command connect: npx @kotauth/mcp