Changelog
All notable changes to Aero2 are documented here.
v0.3.0 — 2026-02-15
Added
- Comprehensive documentation site with external/internal split
- Security model documentation
- Interactive tools: Token Inspector, PKCE Generator, Auth Flow Visualizer
Changed
- Documentation restructured into developer-facing and contributor sections
v0.2.1 — 2026-02-10
Added
- Client secret secure display with copy-to-clipboard and auto-mask
- JWKS endpoint caching with ETag support for conditional requests
- Content Security Policy for SPA pages
- Permissions-Policy header restricting unused browser features
- Open redirect prevention on login and OAuth callback pages
Changed
- CSRF middleware now rejects cookie-authenticated requests missing both Origin and Referer headers
- CORS configuration fails closed in production when ALLOWED_ORIGINS is not set
- User sessions are proactively revoked when an admin disables a user account
v0.2.0 — 2026-02-01
Added
- Full admin dashboard with user management, role management, client management, and IdP configuration
- Audit log viewer with filtering and search
- Dark mode with system preference detection
- Toast notification system
- Profile dropdown with session info
- Pagination component for all list views
- Search and filter controls for user list
- Bulk actions (enable, disable, delete) for user management
v0.1.0 — 2026-01-15
Added
- OIDC Provider with Authorization Code + PKCE flow
- OAuth2 Relying Party supporting GitHub and Google
- RS256-signed JWT tokens (access, ID, refresh, session)
- OIDC Discovery endpoint
- JWKS endpoint with automatic key rotation
- Token revocation and refresh token rotation
- Role-based access control (RBAC) with custom roles and permissions
- Audit logging for security events
- Admin API for users, clients, roles, and identity providers
- Session management with secure HttpOnly cookies
- React frontend with Vite