Lumina Finance v0.7.1
v0.7.1 is here! This release is all about protecting your account: two-factor authentication with authenticator apps and passkeys, recovery codes, a proper password reset flow over email, a proper change password flow (revolutionary, I know!), and single sign-on through your own identity provider. It also brings a collapsible sidebar, a brand new date field, and another round of interface polish.
Note
Always remember to backup your data before upgrading!
Important
If you experience an issue where the frontend is blank/glitching after an upgrade, please try to clear the cookies and cache of your browser (for Lumina Finance specifically). This is a known issue and a fix has been introduced in this release, but it requires one last hard refresh to make this stick :)
Two-Factor Authentication
You can now secure your account with a second factor, managed from the new security section in Settings. Enrol an authenticator app or a passkey, and save the recovery codes that are generated alongside so a lost device never locks you out permanently. Two-factor setup is also offered right after signup so new accounts can start protected from day one, and sensitive actions like changing your password or managing your factors now ask you to re-verify first.
Passkeys
Passkeys are supported end to end. Use one as a passwordless sign-in on the login page, as your second factor, or as the quick way to confirm sensitive changes. Passkeys can be added, renamed, and removed from Settings, and signup now suggests a passkey first during two-factor enrolment since it is the most phishing-resistant option.
Single Sign-On
Lumina Finance can now sign you in through any standards-compliant OpenID Connect provider, such as Authentik or Authelia, configured through docker/.env. Existing accounts can link a provider from the security settings and keep both sign-in methods, and if a provider sign-in matches an existing email you are guided through a password confirmation so the two accounts are linked rather than duplicated. Accounts created through a provider start without a password and can set one later from Settings to unlock password-based features.
Password Reset
Forgot your password? The sign-in page now has a reset flow that emails you a secure link. If two-factor is enabled, the reset also asks for your second factor, so an email inbox alone is never enough to take over an account. Email is delivered through your own SMTP server configured in docker/.env, and when no SMTP host is set the message is printed to the application log instead, which is handy for testing. Signup also now enforces and displays the password strength policy up front.
Interface & Interactions
The desktop sidebar can now collapse into a pinned icon rail to give your data more room. Native date inputs have been replaced with a segmented date field and calendar popover that looks and behaves the same across Safari, Chrome, and Firefox. Transaction rows and date groups animate in and out as you filter and edit, modals lock the page behind them and keep their backdrops readable, and a broad pass of smaller interaction fixes rounds out the release.
Picking Up New Versions
Some of you may have noticed that after an upgrade, the app could keep showing the previous version until a hard refresh. The frontend now checks for a new build before reusing what the browser has cached, so a normal reload after upgrading always brings in the latest version. This fix takes effect for future upgrades, so one last hard refresh may be needed after moving to this release.
Deployment
The compose stack now reads all of its settings from docker/.env, and the new email delivery and single sign-on settings are documented there. The encryption key that protects secrets at rest is generated and persisted automatically on first start, so no manual key management is needed, and if a key you supply yourself ever disagrees with the one already stored, the app refuses to start rather than risk unreadable secrets. Restoring a database backup is also safer now, as row-level security policies are re-applied automatically when the container starts.
Database Migration
This release includes database migrations for two-factor credentials, recovery codes, passkeys, password reset tokens, and single sign-on providers and identities. An automatic migration will be performed when the application starts, and we don't anticipate any issues. However, please back up your data before updating just in case.
What's Changed
- Expand authentication: password reset, authenticator app, passkeys, recovery codes, and step-up by @OKok-3 in #105
- Complete the password reset flow with email delivery and two-factor protection by @OKok-3 in #106
- Fix stale test fixtures failing the frontend build by @OKok-3 in #107
- fix: revalidate frontend index.html so browsers pick up new builds by @OKok-3 in #108
- App visual and interaction refinements by @OKok-3 in #109
- Implement OIDC single sign-on by @OKok-3 in #110
- refactor: drop redundant compose env passthrough in favour of env_file by @OKok-3 in #111
- feat: offer passkey setup first during signup 2FA enrolment by @OKok-3 in #112
- refactor: simplify webauthn relying party name configuration by @OKok-3 in #113
- chore: add demo data seed and screenshot and video capture tooling by @OKok-3 in #114
- fix: fail fast when configured and persisted encryption keys conflict by @OKok-3 in #115
Full Changelog: v0.6.1...v0.7.1