GraphQL Authentication

Fixed

• Reverted some mutation removals from the public schema (#162)

Fixed

• Fixed queries failing after upgrading to Craft 5.6+ Thanks @brandonkelly for the PR! (#161)
• Removed irrelevant queries/mutations from showing on the public schema, when users are unauthenticated (44b751)

Fixed

• Loosened lcobucci/jwt dependency requirements (#152)

Fixed

• Loosened lcobucci/jwt dependency requirements (#152)

Added

• Added Craft 5 support (#149)
• Added option to disable password verification when using deleteAccount mutation (#133)

Fixed

• Element query executed before Craft is fully initialized (#140)
• Inefficiency in authenticate mutation (#137)
• Fixed issue with forgottenPassword mutation sending emails for suspended users (#134)

Added

• Added 2FA support! See the docs (#118)

Fixed

• Fixed issue with public mutations throwing null $user errors. Thanks @robinbeatty for the PR! (#125)

Added

• Added ability to skip activation status on incoming requests (useful for multi-step registration flows) (#83)
• Added ability to assign JWTs to the public schema (#122)
• Added editable messages for account locked and account cooldown authentication errors (#121)

Fixed

• Fixed issue with users sometimes being permanently granted Control Panel access (#120)
• Fixed issue with field permissions falling back to the public schema when passing Bearer tokens (#119)

Added

• Added 'magic link' authentication! To get started, enable it in your plugin settings and see the docs (#107)

Fixed

• Fixed issue with settings breadcrumb being hardcoded to /settings (#117)

Added

• Added support for Microsoft OAuth sign in
• Added deleteSocialAccount mutation, for deleting password-less accounts. Throws an error if run on an account with a password (#110)

Fixed

• Fixed issue with accounts not automatically activating (#114, thanks @Stalex89!)
• Fixed issue with plugin's field restrictions not applying to public schema (#109, thanks @Zsavajji!)

Fixed

• Fixed issue with mutation field validation throwing an error (#103)
• Fixed issue with social registration not marking users as active if skip activation is enabled (#100)

Misc

• Ensure Twitter OAuth credentials are removed from session

Added

• Added setting to skip user activation when registering through social mutations (#100)

Changed

• firstName and lastName have been migrated to fullName across all register and viewer mutations (#101)

Fixed

• Fixed updateViewer mutation not updating user's name (use fullName parameter, as above) (#101)
• Fixed deleteAccount mutation not deleting user (#102)

Added

• Added Craft 4 support! (#94) – huge thanks to Brandon Kelly for the PR!
• Added deleteAccount mutation (#84)

Changed

• PHP >8.0 is now required
• Craft >4.0 is now required
• The email verification email is now sent out to users when updating their email via the updateViewer mutation (#90)
• When using the JWT returned from a register mutation to authenticate requests, all requests will throw a Please activate your account error until the account is activated (#83)

Fixed

• When users register through a social mutation, they now receive an appropriate activation email (if enabled), rather than the set password email (#72)

Fixed

• Fixed issue with some custom fields breaking user registration mutations

Changed

• The password reset required flag is now respected. When a user with this flag set tries to authenticate, a password reset email is sent and an error message is returned (#81, thanks @nstCactus!)

Fixed

• Fixed migration issue that occurred when setting a password for users with an unverified email (created in the control panel) (#79, thanks @nstCactus!)
• Fixed compatibility issue with Craft 3.7.24 (#85)
• Fixed issue with contextual error messages not being returned (#74)
• Fixed issue with field permissions not always being applied properly

Fixed

• Fixed migration issue that occurred when not using multiple schemas (#78)

Added

• A TokenService::parseToken(string $jwt):Token method that allows parsing a JWT from anywhere, not just the Authorization HTTP header (#75, thanks @nstCactus!)
• The ability to pass the token as a string to the TokenService::getUserFromToken() method instead of always getting the token from the Authorization HTTP header (#75, thanks @nstCactus!)

Changed

• Tokens now store schema references via schemaName instead of schemaId to improve cross-environment behaviour (#64, thanks @SayChi!)
• Creating new entries via a mutation no longer forces the author to be the current user, if an authorId argument is supplied (note: it still respects the Restricted Entry Mutations plugin settings!) (#63, thanks @cliveportman!)

Fixed

• Fixed issue with user mutation fields not clearing value if sent as null (#73, thanks @hendrik-agprop!)
• Fixed issue with users not being created as pending if 'suspend users by default' was enabled (#77, thanks @Zsavajji!)
• Fixed issue with authentication mutations returning Internal server error instead of contextual errors (#74)

Fixed

• Fixed issue with errors being thrown as Something went wrong when processing the GraphQL query. instead of contextual errors. E.g. requests with an expired token will now throw Invalid Authorization Header

Fixed

• Fixed issue with restrictForbiddenFields throwing errors too eagerly (#71)
• Fixed issue with globalSet queries sometimes throwing an error (#68)

Fixed

• Fixed issue with lightswitch values not saving on updateViewer mutation

Fixed

• Fixed issue with requests sometimes falling back to public schema

Fixed

• Fixed issue with author-only restrictions sometimes not applying correctly

Added

• Added PHP 8 support (the required minimum PHP version is now 7.4)

Changed

• User mutation fields are now typed correctly, allowing improved TypeScript codegen

Fixed

• preferredLanguage field wasn't available on per user group register mutations
• username field wasn't available on per user group register mutations
• Fixed error when trying to save a table field on user mutations
• Fixed issue with site permissions not being enforced correctly per user group

Changed

• Expired refresh tokens are now hard deleted

Fixed

• Fixed issue with schema scope not being retrieved from JWT correctly when restricting mutation arguments
• Ensured error codes are consistent when throwing invalid auth header errors

Fixed

• Fixed issue with schema injection not always resetting session correctly

Changed

• Improved field restriction logic and fallbacks

Fixed

• Fixed issue with refreshToken mutation throwing an error (#56 via @GMConsultant)

Added

• Added support for granular (per schema) field permissions – it's now possible to disable fields from being updated via mutations; or being completely private to both mutations and queries. See new Fields section in settings
• Added user avatar support – see new photo field on updateViewer, sending this argument as null will remove the avatar

BREAKING: This release migrates deleteCurrentToken and deleteAllTokens mutations to deleteRefreshToken and deleteRefreshTokens, respectively

Changed

• Further improvements to performance by reducing the number of database calls and loops
• deleteCurrentToken and deleteAllTokens mutations have been migrated to deleteRefreshToken and deleteRefreshTokens – due to no longer storing Craft GraphQL tokens, there's no longer a need for a way of deleting them

Fixed

• Fixed updateViewer mutation error (#54)
• Fixed mutations firing twice (#55 via @tam)
• Fixed plugin causing an error with console requests

Added

• Added separate Service ID and Service Secret fields for Sign in with Apple web implementations – if both native and web settings are populated, it is now necessary to pass a platform (NATIVE/WEB) argument to the appleSignIn mutation

Changed

• The plugin no longer creates Craft GraphQL tokens – schemas encoded into JWTs are now directly passed into Craft's GraphQL controller! (#29 via @approached)
• Lots of under-the-hood improvements to improve performance by reducing the number of database calls
• Removed unused JWT GraphQL type

Fixed

• Fixed Invalid Authorization Header error on sites using Apache (#52 and #53 via @GMConsultant)

Misc

• Added class method documentation blocks throughout plugin for easier third-party extensibility
• All services are now available as static properties on the plugin instance, i.e. GraphqlAuthentication::$tokenService

Added

• Added preferredLanguage argument to register and updateViewer mutations (#49 via @andrewfairlie)
• Added username arguments to register and updateViewer mutations. If username isn't set, it will fall back to the user's email address

Changed

• firstName and lastName are now optional on the register mutation

Fixed

• Fixed potential issue with queries against the public schema (PR #48 via @tam)
• Fixed error when sending a malformed JWT (PR #48 via @tam)
• Fixed potential error when visiting the plugin settings

Added

• Added resendActivation mutation for allowing users to resend an activation email (#43 via @andrewfairlie)
• Added separate (customisable) response for unactivated users trying to authenticate (#43 via @andrewfairlie)

Fixed

• Fixed error that occurred when trying to clear expired tokens whilst using PostgreSQL (#42 via @bartroelands)

Fixed

• Fixed issue where the JWT Refresh Tokens sidebar item was showing for non-admins (the page was never accessible, though!)

Added

• Added activateUser mutation for activating users who have received a Craft activation email (#41 via @andrewfairlie and @magicspon)

Added

• Added ability to set JWT Secret Key and Social app IDs/secrets via environment variables (thanks to @dorineal for the pull request!)

Fixed

• Fixed issue with users not being activated through the setPassword mutation (#38 via @magicspon)

Fixed

• Fixed issue with tokens being removed before they had expired

Changed

• Improved performance of clearing expired tokens
• Removed deprecated getUser and updateUser – use viewer and updateViewer instead
• User types/fragments now need to be spread in authentication responses (see here)

Fixed

• Fixed issue with entry/category/asset fields not saving on register or updateViewer mutations (#35 via @howells)
• Fixed compatibility issue with Craft 3.6.x (#36 via @benrnorman)

Fixed

• Fixed issue with refreshToken mutation not always working in production environments

Added

• Added support for Sign in with Apple (#14)
• Added support for limiting user groups to Craft multi-site sites
• Added viewer query (#30 via @tam)
• Added updateViewer mutation (#30 via @tam)

Changed

• Removed support for non-JWT tokens (note: this is a breaking change)
• Deprecated getUser query (this will be removed in a future release) (#30 via @tam)
• Deprecated updateUser mutation (this will be removed in a future release) (#30 via @tam)
• Improved error handling, production environments now return useful error messages and codes instead of Internal server error (#31 via @tam)

Fixed

• Fixed issue with authorId restrictions sometimes causing incorrect results to be returned (#34 via @daltonrooney)
• Fixed issue with users being able to assign themselves schemas, using social mutations (via @daltonrooney)

Changed

• jwtExpiresAt and refreshTokenExpiresAt are now returned in milliseconds to make JS validation simpler (this will always end in 000 as token expiry is stored in seconds in the database)

Fixed

• Actually fix Invalid Authorization Header on queries/mutations against the public schema (#23 via @approached)
• Fix issue where tokens decoded from JWTs weren't being passed to the GraphQL API controller properly (#28 via @daltonrooney)

Fixed

• Ensure isGraphiqlRequest detects GraphiQL requests properly (#23 via @approached)

Added

• Much improved documentation!
• Added JWT and refresh token support (#3 thanks to @timkelty)
• Added support for Log in with Twitter
• Added support for Facebook login
• Added ability to customise response and error messages

Changed

• Deprecated non-JWT tokens, these will be removed in version 1.4.0. JWTs provide greater flexibility and security

Fixed

• Fixed an issue where non-user tokens were being restricted (#19 via @menberg)
• Fixed an issue where family_name might not be defined in Google Sign-In (#25 via @daltonrooney)
• Fixed an issue where the plugin settings screen would error if a deleted schema was assigned to a user group (#26 via @daltonrooney)

Fixed

• Fixed issue with Auth GQL type not registering properly in production mode

Fixed

• Fixed issue with requests against the public schema throwing Invalid Authorization Header

Added

• Added ability to disable user registration
• Added per user group schema assignment, user group assignment, and granular schema permissions (a register mutation is added for each group, if enabled)
• Added Google Sign-In support (adds a single googleSignIn mutation, or mutations per user group, depending on settings)
• Added SameSite cookie policy control
• Added unique, per user caching, to ensure users never see each other's cached queries
• Added a schema field to the authentication mutation responses

Changed

• Reworked the plugins settings into a tabbed interface
• The register mutation now listens to the requireEmailVerification setting in user settings – creating users in a pending state, and sending an activation email
• Tokens are now created using microtime() instead of time() to avoid any name conflicts

Fixed

• Fixed some deprecation errors

Misc

• Lots of under-the-hood tidying to make maintenance a lot easier

Fixed

• Fixed issue with saving token expiry as 'never'

Fixed

• Fixed issue with trailing commas in function calls causing an error on environments running PHP <7.3

Fixed

• Fixed issue with updatePassword mutation failing validation
• Fixed issue with custom fields on users not setting correct values on register and updateUser mutations

Fixed

• Fixed issue with project config sync throwing Calling unknown method: craft\console\Request::getBodyParam()

Improved

• Improved isGraphiqlRequest detection

Fixed

• Fixed issues with non-user tokens throwing Invalid Authorization Header. Previously it was always trying to validate queries against user permissions, but this was causing conflicts with tokens that will only be used server-side (i.e. in Next.js SSG requests)

Fixed

• Added empty fallback to Craft::$app->getRequest()->getReferrer(), to fix error if referrer is blank

Fixed

• Fixed issue with isGraphiqlRequest always returning true, breaking Craft's GraphiQL explorer

Added

• Added support for HTTP-Only cookie tokens, improving security (thanks @timkelty)

Added

• Update lastLoginDate on users when running authenticate/register mutations

Added

• Initial release