github teamhanko/hanko backend/v1.5.0
v1.5: Privacy settings, HTML emails, improved sessions


This release contains new features and a handful of important bug fixes.

Privacy settings

Two new settings have been added to control whether the disclosure of information about user accounts should be accepted for the sake of usability:

  • showAccountExistenceHints: When registering or trying to log in, feedback is displayed indicating whether or not an email address already exists (e.g. “The email is already taken.” or “The email address is unknown.”). When disabled, the system hides this information and behaves identically in both cases to avoid disclosing information about existing email addresses (this has previously been the default behavior).
  • onlyShowActualLoginMethods: Only display the authentication methods that are actually available to a user during the sign-in process (e.g. after the user enters an e-mail address as the identifier in the sign-in form, only prompt the user for a password if they actually have one). If disabled, all theoretically possible authentication options are always displayed to avoid disclosing information about existing email addresses (this has previously been the default behavior).

Please note: full protection against email enumeration attacks is only provided if both settings, “Show account existence hints” and “Hide unavailable login methods”, are disabled. This may result in a poorer user experience, as users will no longer receive direct feedback if, for example, they have entered an incorrect email address, and they may be prompted to enter a password even though they do not have one.
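To make the trade-off concrete, here is an added example (not Hanko's own code) that models the identifier step of a sign-in flow under the two settings and checks whether a known and an unknown email produce different responses; the `Config`, `Account`, `LookupIdentifier` and `Distinguishable` names and the set of login methods are assumptions for this illustration.

```go
package main
import (
	"fmt"
	"reflect"
)

// Config carries the two privacy settings from the release notes.
type Config struct {
	ShowAccountExistenceHints  bool
	OnlyShowActualLoginMethods bool
}

// Account is a constructed stand-in for a stored user; Methods lists the credentials it really has.
type Account struct{ Methods []string }

// allMethods is the full set the sign-in form could offer (an assumption for this example).
var allMethods = []string{"password", "passcode", "passkey"}

// IdentifierResponse is what the sign-in flow returns after the email step.
type IdentifierResponse struct {
	Hint    string   // e.g. "The email address is unknown."
	Methods []string // methods the user is prompted for next
}

// LookupIdentifier models the identifier step under cfg.
func LookupIdentifier(cfg Config, accounts map[string]Account, email string) IdentifierResponse {
	acct, exists := accounts[email]
	if !exists {
		if cfg.ShowAccountExistenceHints {
			return IdentifierResponse{Hint: "The email address is unknown."}
		}
		// Unknown address: answer exactly as for a known account with every method.
		return IdentifierResponse{Methods: allMethods}
	}
	if cfg.OnlyShowActualLoginMethods {
		return IdentifierResponse{Methods: acct.Methods}
	}
	return IdentifierResponse{Methods: allMethods}
}

// Distinguishable reports whether a known and an unknown email yield different responses, i.e. leak existence.
func Distinguishable(cfg Config, accounts map[string]Account, known, unknown string) bool {
	a, b := LookupIdentifier(cfg, accounts, known), LookupIdentifier(cfg, accounts, unknown)
	return a.Hint != b.Hint || !reflect.DeepEqual(a.Methods, b.Methods)
}

func main() {
	accounts := map[string]Account{"alice@example.com": {Methods: []string{"passkey"}}} // constructed
	fmt.Println("leaks with both off:", Distinguishable(Config{}, accounts, "alice@example.com", "nobody@example.com"))
}
```

With either setting enabled the passkey-only account is distinguishable from an unknown address; only with both disabled are the two responses identical.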

HTML emails

This version adds support for HTML email rendering and delivery alongside plain text emails. The changes ensure that both plain text and HTML versions of passcode and notification emails are generated and sent, improving email formatting and readability across different clients. We will further improve the styling of the HTML emails in a future patch.

Improved session handling in Hanko Elements

  • Session management overhaul
    • Added periodic session validation with customizable intervals.
    • Added inter-tab communication for session events.
    • Enhanced tracking of window focus and visibility to ensure session validation occurs only in active tabs, improving performance.
  • Session created event updates
    • Removed optional jwt field and deprecated expirationSeconds.
    • Token claims are now included in "session-created-event" and shared across tabs/windows.
    • The JWT remains accessible via the session cookie if httpOnly is set to false.
  • Deprecation notice
    • Deprecated hanko.session.is_valid() (now blocking, mimics await hanko.sessionClient.validate()).
    • Recommend using non-blocking hanko.sessionClient.validate() instead.
  • Local storage optimization
    • Eliminated the need to store the JWT to the local storage.

Updated Go version

Hanko is now using Go version 1.24. Please note this if you want to compile the Hanko backend code.

What's Changed

Full Changelog: backend/v1.4.0...backend/v1.5.0
