| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| README.md | 2026-05-10 | 871 Bytes | |
| Version 2.1.3 source code.tar.gz | 2026-05-10 | 317.5 kB | |
| Version 2.1.3 source code.zip | 2026-05-10 | 389.0 kB | |
| Totals: 3 Items | 707.5 kB | 0 | |
Security: large hardening wave covering log/credential leaks, OAuth/Apple validation, and email-confirmation replay protection. Credit to @paskal.
Changes since v2.1.2
- [#289] close service-level typed-nil store + adapter-author guidance
- [#287] bind dev oauth and custom-server to localhost by default
- [#286] never expose bot token in avatar URL
- [#285] don't log email body, log size instead
- [#284] redact tokens from exchange-response debug log
- [#283] go fix ./...
- [#282] backport "from" redirect validator to v1 (sibling of [#275])
- [#281] one-shot consumption of email confirmation tokens
- [#280] validate id_token iss and aud on Sign in with Apple
- [#279] don't log admin password on basic-auth failure
- [#276] caveat that email proves control, not stable identity
Full Changelog: https://github.com/go-pkgz/auth/compare/v2.1.2...v2.1.3