Version 1.12.3

February 25, 2022

Fixed

  • Fixed issue with some custom fields breaking user registration mutations

Version 1.12.2

December 6, 2021

Changed

  • The password reset required flag is now respected. When a user with this flag set tries to authenticate, a password reset email is sent and an error message is returned (#81, thanks @nstCactus!)

Fixed

  • Fixed migration issue that occurred when setting a password for users with an unverified email (created in the control panel) (#79, thanks @nstCactus!)
  • Fixed compatibility issue with Craft 3.7.24 (#85)
  • Fixed issue with contextual error messages not being returned (#74)
  • Fixed issue with field permissions not always being applied properly

Version 1.12.1

November 9, 2021

Fixed

  • Fixed migration issue that occurred when not using multiple schemas (#78)

Version 1.12.0

November 5, 2021

Added

  • A TokenService::parseToken(string $jwt):Token method that allows parsing a JWT from anywhere, not just the Authorization HTTP header (#75, thanks @nstCactus!)
  • The ability to pass the token as a string to the TokenService::getUserFromToken() method instead of always getting the token from the Authorization HTTP header (#75, thanks @nstCactus!)

Changed

  • Tokens now store schema references via schemaName instead of schemaId to improve cross-environment behaviour (#64, thanks @SayChi!)
  • Creating new entries via a mutation no longer forces the author to be the current user, if an authorId argument is supplied (note: it still respects the Restricted Entry Mutations plugin settings!) (#63, thanks @cliveportman!)

Fixed

  • Fixed issue with user mutation fields not clearing value if sent as null (#73, thanks @hendrik-agprop!)
  • Fixed issue with users not being created as pending if 'suspend users by default' was enabled (#77, thanks @Zsavajji!)
  • Fixed issue with authentication mutations returning Internal server error instead of contextual errors (#74)

Version 1.11.5

September 27, 2021

Fixed

  • Fixed issue with errors being thrown as Something went wrong when processing the GraphQL query. instead of contextual errors. E.g. requests with an expired token will now throw Invalid Authorization Header

Version 1.11.4

September 23, 2021

Fixed

  • Fixed issue with restrictForbiddenFields throwing errors too eagerly (#71)
  • Fixed issue with globalSet queries sometimes throwing an error (#68)

Version 1.11.3

August 27, 2021

Fixed

  • Fixed issue with lightswitch values not saving on updateViewer mutation

Version 1.11.2

August 20, 2021

Fixed

  • Fixed issue with requests sometimes falling back to public schema

Version 1.11.1

August 20, 2021

Fixed

  • Fixed issue with author-only restrictions sometimes not applying correctly

Version 1.11.0

August 14, 2021

Added

  • Added PHP 8 support (the required minimum PHP version is now 7.4)

Changed

  • User mutation fields are now typed correctly, allowing improved TypeScript codegen

Fixed

  • preferredLanguage field wasn't available on per user group register mutations
  • username field wasn't available on per user group register mutations
  • Fixed error when trying to save a table field on user mutations
  • Fixed issue with site permissions not being enforced correctly per user group

Version 1.10.3

May 8, 2021

Changed

  • Expired refresh tokens are now hard deleted

Fixed

  • Fixed issue with schema scope not being retrieved from JWT correctly when restricting mutation arguments
  • Ensured error codes are consistent when throwing invalid auth header errors

Version 1.10.2

May 7, 2021

Fixed

  • Fixed issue with schema injection not always resetting session correctly

Version 1.10.0

May 7, 2021

Added

  • Added support for granular (per schema) field permissions – it's now possible to disable fields from being updated via mutations; or being completely private to both mutations and queries. See new Fields section in settings
  • Added user avatar support – see new photo field on updateViewer, sending this argument as null will remove the avatar

Version 1.9.1

May 6, 2021

BREAKING: This release migrates deleteCurrentToken and deleteAllTokens mutations to deleteRefreshToken and deleteRefreshTokens, respectively

Changed

  • Further improvements to performance by reducing the number of database calls and loops
  • deleteCurrentToken and deleteAllTokens mutations have been migrated to deleteRefreshToken and deleteRefreshTokens – due to no longer storing Craft GraphQL tokens, there's no longer a need for a way of deleting them

Fixed

  • Fixed updateViewer mutation error (#54)
  • Fixed mutations firing twice (#55 via @tam)
  • Fixed plugin causing an error with console requests

Version 1.9.0

May 4, 2021

Added

  • Added separate Service ID and Service Secret fields for Sign in with Apple web implementations – if both native and web settings are populated, it is now necessary to pass a platform (NATIVE/WEB) argument to the appleSignIn mutation

Changed

  • The plugin no longer creates Craft GraphQL tokens – schemas encoded into JWTs are now directly passed into Craft's GraphQL controller! (#29 via @approached)
  • Lots of under-the-hood improvements to improve performance by reducing the number of database calls
  • Removed unused JWT GraphQL type

Fixed

  • Fixed Invalid Authorization Header error on sites using Apache (#52 and #53 via @GMConsultant)

Misc

  • Added class method documentation blocks throughout plugin for easier third-party extensibility
  • All services are now available as static properties on the plugin instance, i.e. GraphqlAuthentication::$tokenService

Version 1.8.0

April 29, 2021

Added

  • Added preferredLanguage argument to register and updateViewer mutations (#49 via @andrewfairlie)
  • Added username arguments to register and updateViewer mutations. If username isn't set, it will fall back to the user's email address

Changed

  • firstName and lastName are now optional on the register mutation

Fixed

  • Fixed potential issue with queries against the public schema (PR #48 via @tam)
  • Fixed error when sending a malformed JWT (PR #48 via @tam)
  • Fixed potential error when visiting the plugin settings

Version 1.7.0

March 15, 2021

Added

  • Added resendActivation mutation for allowing users to resend an activation email (#43 via @andrewfairlie)
  • Added separate (customisable) response for unactivated users trying to authenticate (#43 via @andrewfairlie)

Fixed

  • Fixed error that occurred when trying to clear expired tokens whilst using PostgreSQL (#42 via @bartroelands)

Version 1.6.1

March 10, 2021

Fixed

  • Fixed issue where the JWT Refresh Tokens sidebar item was showing for non-admins (the page was never accessible, though!)

Version 1.6.0

March 10, 2021

Added

Version 1.5.0

February 24, 2021

Added

  • Added ability to set JWT Secret Key and Social app IDs/secrets via environment variables (thanks to @dorineal for the pull request!)

Version 1.4.4

February 20, 2021

Fixed

  • Fixed issue with users not being activated through the setPassword mutation (#38 via @magicspon)

Version 1.4.3

February 11, 2021

Fixed

  • Fixed issue with tokens being removed before they had expired

Version 1.4.2

February 1, 2021

Changed

  • Improved performance of clearing expired tokens
  • Removed deprecated getUser and updateUser – use viewer and updateViewer instead
  • User types/fragments now need to be spread in authentication responses (see here)

Fixed

  • Fixed issue with entry/category/asset fields not saving on register or updateViewer mutations (#35 via @howells)
  • Fixed compatibility issue with Craft 3.6.x (#36 via @benrnorman)

Version 1.4.1

January 19, 2021

Fixed

  • Fixed issue with refreshToken mutation not always working in production environments

Version 1.4.0

December 30, 2020

Added

  • Added support for Sign in with Apple (#14)
  • Added support for limiting user groups to Craft multi-site sites
  • Added viewer query (#30 via @tam)
  • Added updateViewer mutation (#30 via @tam)

Changed

  • Removed support for non-JWT tokens (note: this is a breaking change)
  • Deprecated getUser query (this will be removed in a future release) (#30 via @tam)
  • Deprecated updateUser mutation (this will be removed in a future release) (#30 via @tam)
  • Improved error handling, production environments now return useful error messages and codes instead of Internal server error (#31 via @tam)

Fixed

  • Fixed issue with authorId restrictions sometimes causing incorrect results to be returned (#34 via @daltonrooney)
  • Fixed issue with users being able to assign themselves schemas, using social mutations (via @daltonrooney)

Version 1.3.3

December 10, 2020

Changed

  • jwtExpiresAt and refreshTokenExpiresAt are now returned in milliseconds to make JS validation simpler (this will always end in 000 as token expiry is stored in seconds in the database)

Version 1.3.2

December 8, 2020

Fixed

  • Actually fix Invalid Authorization Header on queries/mutations against the public schema (#23 via @approached)
  • Fix issue where tokens decoded from JWTs weren't being passed to the GraphQL API controller properly (#28 via @daltonrooney)

Version 1.3.1

December 7, 2020

Fixed

  • Ensure isGraphiqlRequest detects GraphiQL requests properly (#23 via @approached)

Version 1.3.0

December 6, 2020

Added

  • Much improved documentation!
  • Added JWT and refresh token support (#3 thanks to @timkelty)
  • Added support for Log in with Twitter
  • Added support for Facebook login
  • Added ability to customise response and error messages

Changed

  • Deprecated non-JWT tokens, these will be removed in version 1.4.0. JWTs provide greater flexibility and security

Fixed

  • Fixed an issue where non-user tokens were being restricted (#19 via @menberg)
  • Fixed an issue where family_name might not be defined in Google Sign-In (#25 via @daltonrooney)
  • Fixed an issue where the plugin settings screen would error if a deleted schema was assigned to a user group (#26 via @daltonrooney)

Version 1.2.2

December 1, 2020

Fixed

  • Fixed issue with Auth GQL type not registering properly in production mode

Version 1.2.1

December 1, 2020

Fixed

  • Fixed issue with requests against the public schema throwing Invalid Authorization Header

Version 1.2.0

November 26, 2020

Added

  • Added ability to disable user registration
  • Added per user group schema assignment, user group assignment, and granular schema permissions (a register mutation is added for each group, if enabled)
  • Added Google Sign-In support (adds a single googleSignIn mutation, or mutations per user group, depending on settings)
  • Added SameSite cookie policy control
  • Added unique, per user caching, to ensure users never see each other's cached queries
  • Added a schema field to the authentication mutation responses

Changed

  • Reworked the plugins settings into a tabbed interface
  • The register mutation now listens to the requireEmailVerification setting in user settings – creating users in a pending state, and sending an activation email
  • Tokens are now created using microtime() instead of time() to avoid any name conflicts

Fixed

  • Fixed some deprecation errors

Misc

  • Lots of under-the-hood tidying to make maintenance a lot easier

Version 1.1.8

November 14, 2020

Fixed

  • Fixed issue with saving token expiry as 'never'

Version 1.1.7

November 13, 2020

Fixed

  • Fixed issue with trailing commas in function calls causing an error on environments running PHP <7.3

Version 1.1.6

November 11, 2020

Fixed

  • Fixed issue with updatePassword mutation failing validation
  • Fixed issue with custom fields on users not setting correct values on register and updateUser mutations

Version 1.1.5

November 10, 2020

Fixed

  • Fixed issue with project config sync throwing Calling unknown method: craft\console\Request::getBodyParam()

Version 1.1.4

November 9, 2020

Improved

  • Improved isGraphiqlRequest detection

Version 1.1.3

November 9, 2020

Fixed

  • Fixed issues with non-user tokens throwing Invalid Authorization Header. Previously it was always trying to validate queries against user permissions, but this was causing conflicts with tokens that will only be used server-side (i.e. in Next.js SSG requests)

Version 1.1.2

November 9, 2020

Fixed

  • Added empty fallback to Craft::$app->getRequest()->getReferrer(), to fix error if referrer is blank

Version 1.1.1

November 9, 2020

Fixed

  • Fixed issue with isGraphiqlRequest always returning true, breaking Craft's GraphiQL explorer

Version 1.1.0

November 4, 2020

Added

  • Added support for HTTP-Only cookie tokens, improving security (thanks @timkelty)

Version 1.0.1

November 3, 2020

Added

  • Update lastLoginDate on users when running authenticate/register mutations

Version 1.0.0

November 3, 2020

Added

  • Initial release