Version 2.1.1

• #262 fix: set cookies alongside header when SendJWTHeader is enabled
• #260 fix Content-Type header not being set for error responses
• #258 upgrade go-pkgz/repeater to v2

Version 2.1.0

• #257 update dependencies
• #256 migrate example from chi to stdlib + routegroup
• #255 update dependencies and migrate golangci-lint to v2
• #253 Fix: setAvatar panics when AvatarSaver is a typed nil pointer
• #247 update README links to v2 and fix line numbers
• #243 Update all dependencies to address security vulnerabilities
• #240 Fix golangci-lint v2 reported problems
• #213 Improve provider name handling

Version 2.0.0

We're pleased to announce the release of v2.0.0, a significant update to our authentication library that modernizes the JWT implementation and improves type safety while maintaining API compatibility.

Key Improvements

• JWT Library Upgrade: Updated to use github.com/golang-jwt/jwt/v5 (from v3)
• Modern JWT Token Claims:
  • StandardClaims replaced with RegisteredClaims
  • Time fields changed from int64 to *jwt.NumericDate
  • Id field renamed to ID
  • Audience changed from string to string array
• Improved Type Safety:
  • RefreshCache interface updated with strongly typed values:
    • Get(key string) (value token.Claims, ok bool)
    • Set(key string, value token.Claims)
  • Enhanced type safety across various interfaces and functions

Migration Guide

To migrate from v1 to v2:

1. Update import paths to use /v2 (e.g., github.com/go-pkgz/auth/v2)
2. Update any custom code that accesses token fields to use the new structures
3. If implementing RefreshCache interface, update method signatures

For a real-world migration example, see umputun/remark42#1758.

Core Functionality

All existing functionality remains intact with the same reliable performance:

• Multiple OAuth2 providers (GitHub, Google, Facebook, Microsoft, Twitter, Yandex, Battle.net, Apple, Patreon, Discord, Telegram)
• Secure JWT cookies with XSRF protection
• Direct and verified authentication
• Avatar proxy with various backend options
• Role-based access control
• Highly customizable hooks and middleware

Notable PRs and Commits

• #223: Added Discord OAuth2 Provider
• #205: Updated to JWT v5 library
• #210: Fixed XSRF protections
• #218: Changed Content-Type to plain text for logout and reset endpoints
• #215: Fixed race conditions in Telegram auth tests
• #200: Initial v2 directory structure with modernized JWT implementation

Recommendation

The v2 version is now the actively developed branch, and we recommend using it for all new projects. Version 1.x moves into maintenance mode.

Version 1.25.1

What's Changed

• Bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 in /v2 by @dependabot in #235
• Update golangci-lint to v6 and update configuration settings by @paskal in #236
• Update go modules by @paskal in #237
• Bump golang.org/x/crypto from 0.14.0 to 0.31.0 in /v2 by @dependabot in #238

Full Changelog: v1.25.0...v1.25.1

Version 1.25.0

What's Changed

• feature: Discord OAuth2 Provider by @mgkbadola in #223
• Fix: XSRFIgnoreMethods field not applied during service init by @minchik in #225
• fix typo in README.md by @rehandaphedar in #222
• Remove extra colon in Direct Authentication example by @rehandaphedar in #220
• Sync v2 with v1 and vice versa by @paskal in #226
• Bump golang.org/x/crypto from 0.25.0 to 0.31.0 by @dependabot in #227
• Bump modules and update dependencies by @paskal in #228
• Bump golang.org/x/net from 0.27.0 to 0.33.0 in /v2 by @dependabot in #229

New Contributors

• @rehandaphedar made their first contribution in #222
• @mgkbadola made their first contribution in #223

Full Changelog: v1.24.2...v1.25.0

Version 1.24.2

What's Changed

• Detect and set proper Content-Type for avatars by @paskal in #219

Full Changelog: v1.24.1...v1.24.2

Version 1.24.1

What's Changed

• Fix TestTelegramConfirmedRequest by @cyb3r4nt in #215
• Fix golangci-lint warnings by @cyb3r4nt in #214
• Fix Content-Type at /logout endpoint by @paskal in #218
• docs: Update Apple Auth Provider section of README by @tomy0000000 in #212

New Contributors

• @tomy0000000 made their first contribution in #212

Full Changelog: v1.24.0...v1.24.1

Version 1.24.0

What's Changed

• Set proper "content-type" while calling JwtService.Reset() by @iRay in #203
• Fix registration of dev provider in Service.authMiddleware.Providers by @cyb3r4nt in #201
• Update go modules by @paskal in #206
• Implement XSRFIgnoreMethods by @oalexander6 in #207
• Implement IgnoreXSRFMethods for v2 by @oalexander6 in #210
• Update go modules, youmark/pkcs8 by @paskal in #209
• Update jwt package from v3 to v5 by @paskal in #205
• Add v2 version of the package by @paskal in #200

New Contributors

• @iRay made their first contribution in #203
• @cyb3r4nt made their first contribution in #201
• @oalexander6 made their first contribution in #207

Full Changelog: v1.23.0...v1.24.0

Version 1.23.0

What's Changed

• Remove bluemonday and fix double-escaping by @david-bezero in #184
• Rename github.com/nullrocks/identicon to github.com/rrivera/identicon by @avbasov in #192
• Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 by @dependabot in #198
• Update go modules, CI actions, fix golangci-lint errors by @paskal in #199

New Contributors

• @david-bezero made their first contribution in #184
• @avbasov made their first contribution in #192

Full Changelog: v1.22.1...v1.23.0

Version 1.22.1

What's Changed

• Add possibility to get additional user data (additional scope) by @VladimirZaets in #163
• Bump golang.org/x/net from 0.14.0 to 0.17.0 in /_example by @dependabot in #182
• Add lint exception for test Apple private key by @paskal in #186
• TLS InsecureSkipVerify option by @vladimirdulov in #187
• bump the email module to v0.5.0 version by @vladimirdulov in #191

New Contributors

• @VladimirZaets made their first contribution in #163
• @dependabot made their first contribution in #182
• @vladimirdulov made their first contribution in #187

Full Changelog: v1.22.0...v1.22.1