2.66.0 (2026-03-29)
Features
- add audit logging for admin authentication events (0ea15d4)
- add passkey (WebAuthn) authentication for admin login (a39b362)
- always use persistent sessions and support remember-me for passkey login (6a6fc74)
- show curl example for service account OAuth2 apps (4ab5eda)
Bug Fixes
- broken Handlebars script tag, Okta session fall-through, login rate limiting, and passkey schema validation (01e5721)
- clear passkey credentials on CLI password reset and document remember-me behavior (35f7f00)
- do not prefill login username field (59835a8)
- harden passkey auth, IMAP sync error handling, and login form UX (c16b983)
- harden passkey authentication with validation, rate limits, and audit logging (75dd289)
- login page divider logic, select() log level, and missing trailing newlines (97ff93e)
- normalize copy across login and security pages (60e132a)
- normalize sign-in/sign-out copy to sentence case (1ccfb16)
- per-IP passkey rate limiting and credential ownership check (2455cbe)
- prevent message event loss during IMAP sync under heavy load (ceb139b)
- prevent open redirects via next parameter and require password for passkey registration (0e7f52a)
- prevent unhandled promise rejections during mailbox sync (e6174de)
- reject OAuth2 grants with missing Google granular consent scopes (3f277d1)
- remove password hash from error logs and update passkey description copy (d28dd16)
- remove unnecessary min-height from login form (f16940d)
- resolve OAuth2 provider for delegated Outlook accounts (f35c816)
- update client-side Handlebars to 4.7.9 and harden passkey input validation (882891c)
- upgrade handlebars to 4.7.9 to resolve prototype pollution vulnerability (452f5f5)
Performance Improvements
- optimize mailbox listing for accounts with many folders (a39e5f7)