All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- Fixed issue with mutation field validation throwing an error (#103)
- Fixed issue with social registration not marking users as active if skip activation is enabled (#100)
- Ensure Twitter OAuth credentials are removed from session
- Added setting to skip user activation when registering through social mutations (#100)
- `firstName` and `lastName` have been migrated to `fullName` across all register and viewer mutations (#101)
- Fixed `updateViewer` mutation not updating user's name (use `fullName` parameter, as above) (#101)
- Fixed `deleteAccount` mutation not deleting user (#102)
- Added Craft 4 support! (#94) – huge thanks to Brandon Kelly for the PR!
- Added `deleteAccount` mutation (#84)
- PHP >8.0 is now required
- Craft >4.0 is now required
- The email verification email is now sent out to users when updating their email via the `updateViewer` mutation (#90)
- When using the JWT returned from a `register` mutation to authenticate requests, all requests will throw a `Please activate your account` error until the account is activated (#83)
- When users register through a social mutation, they now receive an appropriate activation email (if enabled), rather than the set password email (#72)
- Fixed issue with some custom fields breaking user registration mutations
- The password reset required flag is now respected. When a user with this flag set tries to authenticate, a password reset email is sent and an error message is returned (#81, thanks @nstCactus!)
- Fixed migration issue that occurred when setting a password for users with an unverified email (created in the control panel) (#79, thanks @nstCactus!)
- Fixed compatibility issue with Craft 3.7.24 (#85)
- Fixed issue with contextual error messages not being returned (#74)
- Fixed issue with field permissions not always being applied properly
- Fixed migration issue that occurred when not using multiple schemas (#78)
- A `TokenService::parseToken(string $jwt): Token` method that allows parsing a JWT from anywhere, not just the `Authorization` HTTP header (#75, thanks @nstCactus!)
- The ability to pass the token as a string to the `TokenService::getUserFromToken()` method instead of always getting the token from the `Authorization` HTTP header (#75, thanks @nstCactus!)
- Tokens now store schema references via `schemaName` instead of `schemaId` to improve cross-environment behaviour (#64, thanks @SayChi!)
- Creating new entries via a mutation no longer forces the author to be the current user, if an `authorId` argument is supplied (note: it still respects the `Restricted Entry Mutations` plugin settings!) (#63, thanks @cliveportman!)
- Fixed issue with user mutation fields not clearing value if sent as `null` (#73, thanks @hendrik-agprop!)
- Fixed issue with users not being created as `pending` if 'suspend users by default' was enabled (#77, thanks @Zsavajji!)
- Fixed issue with authentication mutations returning `Internal server error` instead of contextual errors (#74)
- Fixed issue with errors being thrown as `Something went wrong when processing the GraphQL query.` instead of contextual errors. E.g. requests with an expired token will now throw `Invalid Authorization Header`
- Fixed issue with `restrictForbiddenFields` throwing errors too eagerly (#71)
- Fixed issue with `globalSet` queries sometimes throwing an error (#68)
- Fixed issue with lightswitch values not saving on `updateViewer` mutation
- Fixed issue with requests sometimes falling back to public schema
- Fixed issue with author-only restrictions sometimes not applying correctly
- Added PHP 8 support (the required minimum PHP version is now 7.4)
- User mutation fields are now typed correctly, allowing improved TypeScript codegen
- `preferredLanguage` field wasn't available on per user group `register` mutations
- `username` field wasn't available on per user group `register` mutations
- Fixed error when trying to save a `table` field on user mutations
- Fixed issue with site permissions not being enforced correctly per user group
- Expired refresh tokens are now hard deleted
- Fixed issue with schema scope not being retrieved from JWT correctly when restricting mutation arguments
- Ensured error codes are consistent when throwing invalid auth header errors
- Fixed issue with schema injection not always resetting session correctly
- Improved field restriction logic and fallbacks
- Fixed issue with `refreshToken` mutation throwing an error (#56 via @GMConsultant)
- Added support for granular (per schema) field permissions – it's now possible to disable fields from being updated via mutations; or being completely private to both mutations and queries. See new `Fields` section in settings
- Added user avatar support – see new `photo` field on `updateViewer`, sending this argument as `null` will remove the avatar
{warning} BREAKING: This release migrates `deleteCurrentToken` and `deleteAllTokens` mutations to `deleteRefreshToken` and `deleteRefreshTokens`, respectively
- Further improvements to performance by reducing the number of database calls and loops
- `deleteCurrentToken` and `deleteAllTokens` mutations have been migrated to `deleteRefreshToken` and `deleteRefreshTokens` – due to no longer storing Craft GraphQL tokens, there's no longer a need for a way of deleting them
- Fixed `updateViewer` mutation error (#54)
- Fixed mutations firing twice (#55 via @tam)
- Fixed plugin causing an error with console requests
- Added separate `Service ID` and `Service Secret` fields for Sign in with Apple web implementations – if both native and web settings are populated, it is now necessary to pass a `platform` (`NATIVE`/`WEB`) argument to the `appleSignIn` mutation
- The plugin no longer creates Craft GraphQL tokens – schemas encoded into JWTs are now directly passed into Craft's GraphQL controller! (#29 via @approached)
- Lots of under-the-hood improvements to improve performance by reducing the number of database calls
- Removed unused `JWT` GraphQL type
- Fixed `Invalid Authorization Header` error on sites using Apache (#52 and #53 via @GMConsultant)
- Added class method documentation blocks throughout plugin for easier third-party extensibility
- All services are now available as static properties on the plugin instance, i.e. `GraphqlAuthentication::$tokenService`
- Added `preferredLanguage` argument to `register` and `updateViewer` mutations (#49 via @andrewfairlie)
- Added `username` arguments to `register` and `updateViewer` mutations. If username isn't set, it will fall back to the user's email address
- `firstName` and `lastName` are now optional on the `register` mutation
- Fixed potential issue with queries against the public schema (PR #48 via @tam)
- Fixed error when sending a malformed JWT (PR #48 via @tam)
- Fixed potential error when visiting the plugin settings
- Added `resendActivation` mutation for allowing users to resend an activation email (#43 via @andrewfairlie)
- Added separate (customisable) response for unactivated users trying to authenticate (#43 via @andrewfairlie)
- Fixed error that occurred when trying to clear expired tokens whilst using PostgreSQL (#42 via @bartroelands)
- Fixed issue where the `JWT Refresh Tokens` sidebar item was showing for non-admins (the page was never accessible, though!)
- Added `activateUser` mutation for activating users who have received a Craft activation email (#41 via @andrewfairlie and @magicspon)
- Added ability to set JWT Secret Key and Social app IDs/secrets via environment variables (thanks to @dorineal for the pull request!)
- Fixed issue with users not being activated through the `setPassword` mutation (#38 via @magicspon)
- Fixed issue with tokens being removed before they had expired
- Improved performance of clearing expired tokens
- Removed deprecated `getUser` and `updateUser` – use `viewer` and `updateViewer` instead
- User types/fragments now need to be spread in authentication responses (see here)
- Fixed issue with entry/category/asset fields not saving on `register` or `updateViewer` mutations (#35 via @howells)
- Fixed compatibility issue with Craft 3.6.x (#36 via @benrnorman)
- Fixed issue with `refreshToken` mutation not always working in production environments
- Added support for Sign in with Apple (#14)
- Added support for limiting user groups to Craft multi-site sites
- Added `viewer` query (#30 via @tam)
- Added `updateViewer` mutation (#30 via @tam)
- Removed support for non-JWT tokens (note: this is a breaking change)
- Deprecated `getUser` query (this will be removed in a future release) (#30 via @tam)
- Deprecated `updateUser` mutation (this will be removed in a future release) (#30 via @tam)
- Improved error handling, production environments now return useful error messages and codes instead of `Internal server error` (#31 via @tam)
- Fixed issue with `authorId` restrictions sometimes causing incorrect results to be returned (#34 via @daltonrooney)
- Fixed issue with users being able to assign themselves schemas, using social mutations (via @daltonrooney)
- `jwtExpiresAt` and `refreshTokenExpiresAt` are now returned in milliseconds to make JS validation simpler (this will always end in `000` as token expiry is stored in seconds in the database)
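The millisecond expiry values described above are what a browser client compares against `Date.now()` to decide whether to keep sending the JWT, call the `refreshToken` mutation, or ask the user to authenticate again. The following is an added example written for this changelog, not code from the plugin: the response object is constructed (the token strings are placeholders), the `JWT <token>` header scheme and the 30-second skew margin are assumptions, and the seconds-to-milliseconds fallback only matters for the older releases that returned seconds.

```javascript
// Added example (not the plugin's code): client-side handling of the
// jwtExpiresAt / refreshTokenExpiresAt values returned by authentication mutations.
// Assumption: expiry values are milliseconds since the Unix epoch (they end in 000
// because Craft stores the expiry in seconds); older releases returned seconds.

const SKEW_MS = 30 * 1000; // assumed safety margin for clock drift between client and server

// Constructed sample response. Field names follow the changelog; token values are placeholders.
const sampleAuthResponse = {
  jwt: "<placeholder-jwt>",
  jwtExpiresAt: 1700000600000,          // 10 minutes after the "now" used in the tests below
  refreshToken: "<placeholder-refresh-token>",
  refreshTokenExpiresAt: 1702592000000, // roughly 30 days later
  schema: "Public Schema",
};

// Normalise an expiry to milliseconds. A value below 1e11 cannot be a millisecond
// timestamp for any date after 1973, so it is treated as seconds and scaled up.
function toMillis(expiresAt) {
  if (!Number.isFinite(expiresAt) || expiresAt <= 0) {
    throw new TypeError("expiresAt must be a positive number");
  }
  return expiresAt < 1e11 ? expiresAt * 1000 : expiresAt;
}

// A token counts as expired once it is within SKEW_MS of its deadline, so the client
// never sends a JWT the server is about to reject with "Invalid Authorization Header".
function isExpired(expiresAt, now = Date.now()) {
  return toMillis(expiresAt) - SKEW_MS <= now;
}

// Decide the client's next step: "use" the JWT as-is, "refresh" it through the
// refreshToken mutation, or "reauthenticate" because the refresh token is gone too.
function nextAction(auth, now = Date.now()) {
  if (!isExpired(auth.jwtExpiresAt, now)) return "use";
  if (!isExpired(auth.refreshTokenExpiresAt, now)) return "refresh";
  return "reauthenticate";
}

// Only attach the header while the JWT is valid; an empty object means "refresh first".
// The "JWT <token>" scheme is assumed here; confirm it against your plugin version's docs.
function authorizationHeader(auth, now = Date.now()) {
  return nextAction(auth, now) === "use" ? { Authorization: `JWT ${auth.jwt}` } : {};
}
```

Because `isExpired` subtracts the skew before comparing, a JWT that is 30 seconds from its deadline is already treated as expired; the client refreshes proactively instead of learning about the expiry from a failed request.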
- Actually fix `Invalid Authorization Header` on queries/mutations against the public schema (#23 via @approached)
- Fix issue where tokens decoded from JWTs weren't being passed to the GraphQL API controller properly (#28 via @daltonrooney)
- Ensure `isGraphiqlRequest` detects GraphiQL requests properly (#23 via @approached)
- Much improved documentation!
- Added JWT and refresh token support (#3 thanks to @timkelty)
- Added support for Log in with Twitter
- Added support for Facebook login
- Added ability to customise response and error messages
- Deprecated non-JWT tokens, these will be removed in version `1.4.0`. JWTs provide greater flexibility and security
- Fixed an issue where non-user tokens were being restricted (#19 via @menberg)
- Fixed an issue where `family_name` might not be defined in Google Sign-In (#25 via @daltonrooney)
- Fixed an issue where the plugin settings screen would error if a deleted schema was assigned to a user group (#26 via @daltonrooney)
- Fixed issue with `Auth` GQL type not registering properly in production mode
- Fixed issue with requests against the public schema throwing `Invalid Authorization Header`
- Added ability to disable user registration
- Added per user group schema assignment, user group assignment, and granular schema permissions (a `register` mutation is added for each group, if enabled)
- Added Google Sign-In support (adds a single `googleSignIn` mutation, or mutations per user group, depending on settings)
- Added `SameSite` cookie policy control
- Added unique, per user caching, to ensure users never see each other's cached queries
- Added a `schema` field to the authentication mutation responses
- Reworked the plugin's settings into a tabbed interface
- The `register` mutation now listens to the `requireEmailVerification` setting in user settings – creating users in a pending state, and sending an activation email
- Tokens are now created using `microtime()` instead of `time()` to avoid any name conflicts
- Fixed some deprecation errors
- Lots of under-the-hood tidying to make maintenance a lot easier
- Fixed issue with saving token expiry as 'never'
- Fixed issue with trailing commas in function calls causing an error on environments running PHP <7.3
- Fixed issue with `updatePassword` mutation failing validation
- Fixed issue with custom fields on users not setting correct values on `register` and `updateUser` mutations
- Fixed issue with project config sync throwing `Calling unknown method: craft\console\Request::getBodyParam()`
- Improved `isGraphiqlRequest` detection
- Fixed issues with non-user tokens throwing `Invalid Authorization Header`. Previously it was always trying to validate queries against user permissions, but this was causing conflicts with tokens that will only be used server-side (i.e. in Next.js SSG requests)
- Added empty fallback to `Craft::$app->getRequest()->getReferrer()`, to fix error if referrer is blank
- Fixed issue with `isGraphiqlRequest` always returning `true`, breaking Craft's GraphiQL explorer
- Added support for HTTP-Only cookie tokens, improving security (thanks @timkelty)
- Update `lastLoginDate` on users when running `authenticate`/`register` mutations
- Initial release