This release improves user profile handling, enhances session token transparency, and includes important security fixes.
New Features
Name and Picture Attributes for Users (#2417)
Users can now store name and picture attributes directly in Hanko.
This allows:
- Richer user profiles
- Better OIDC compatibility
- Easier frontend integrations that expect display name and avatar fields
These attributes follow standard OIDC conventions, are available via the API, and can be managed like other user properties. For now, the main source for these properties will be third-party accounts such as Google or GitHub. We will add the functionality to manage these fields in the profile element in a later update.
AMR Values in Session Tokens (#2429)
Session tokens now include AMR (Authentication Methods References) values.
This enables relying parties to:
- Inspect how a user authenticated (e.g. passkey, password, MFA)
- Improve auditability and policy decisions
The AMR claim follows standard OIDC conventions.
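To show how a relying party can act on the AMR claim, here is an added example in Go that is not part of Hanko or of this release: it decodes the payload of a session token, reads the `amr` array, and applies a small step-up policy that only lets a sensitive action proceed when the session was established with MFA or a hardware-bound key. The method names (`pwd`, `mfa`, `hwk`, `otp`) are RFC 8176 values and are an assumption, since the release notes do not list the exact values Hanko emits; the token itself is constructed inline and its signature segment is a placeholder.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims holds only the fields this example inspects. "amr" is a JSON array
// of strings (RFC 8176); the concrete values Hanko uses are an assumption here.
type Claims struct {
	Subject string   `json:"sub"`
	AMR     []string `json:"amr"`
}

// DecodeClaims extracts the payload of a compact JWS. It does NOT verify the
// signature: call it only on a token whose signature has already been checked
// against Hanko's JWKS, otherwise the amr values cannot be trusted.
func DecodeClaims(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS (expected 3 segments)")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("payload is not JSON: %w", err)
	}
	return &c, nil
}

// strongMethods is the policy: a sensitive action needs MFA or a hardware-bound
// key (a passkey). Assumed RFC 8176 values, not a list taken from Hanko.
var strongMethods = map[string]bool{"mfa": true, "hwk": true}

// AllowSensitiveAction returns true if any amr value satisfies the policy.
// A token without an amr claim is treated as password-only and denied.
func AllowSensitiveAction(c *Claims) bool {
	for _, m := range c.AMR {
		if strongMethods[m] {
			return true
		}
	}
	return false
}

// ConstructedToken builds an unsigned demo token so the example runs offline.
// The third segment is a placeholder, never a real signature.
func ConstructedToken(sub string, amr []string) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(map[string]any{"sub": sub, "amr": amr})
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + ".placeholder-signature"
}

func main() {
	for _, methods := range [][]string{{"pwd"}, {"pwd", "otp"}, {"pwd", "mfa"}, {"hwk"}} {
		c, err := DecodeClaims(ConstructedToken("user-1", methods))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("amr=%v -> sensitive action allowed: %v\n", c.AMR, AllowSensitiveAction(c))
	}
}
```

The policy deliberately denies a token that carries no `amr` claim at all rather than assuming the best case; if you map Hanko's real values onto this table, keep that default.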
Extended /me Endpoint (#2442)
The /me endpoint has been extended to return additional user information.
This reduces the need for follow-up requests and simplifies frontend integrations that rely on a single user introspection endpoint.
Bug Fixes
Prevent SQL Injection in audit_logs Queries
Replaced string concatenation with prepared statements when querying audit_logs.
This prevents potential SQL injection attacks and strengthens overall security.
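To make the difference between the two query styles concrete, here is an added Go example that is not Hanko's code and not the change in #2435. It registers a stub `database/sql` driver that executes nothing and only records what statement text and bound values `database/sql` hands it, then runs the same lookup once with string concatenation and once with a bound parameter. The `audit_logs` column name and the `$1` placeholder style are assumptions (Hanko's schema is not in the release notes); the input string is constructed to contain a quote so the effect on the statement text is visible.

```go
package main

import (
	"context"
	"database/sql"
	"database/sql/driver"
	"fmt"
	"io"
	"strings"
	"sync"
)

// captureDriver is a stub driver for this example: it never talks to a
// database, it just records the last statement text and argument list that
// database/sql delivered, which is exactly what a real driver would send.
type captureDriver struct{}
type captureConn struct{}
type captureRows struct{}

var (
	mu       sync.Mutex
	lastText string
	lastArgs []any
)

func (captureDriver) Open(string) (driver.Conn, error)  { return captureConn{}, nil }
func (captureConn) Prepare(string) (driver.Stmt, error) { return nil, driver.ErrSkip }
func (captureConn) Close() error                        { return nil }
func (captureConn) Begin() (driver.Tx, error)           { return nil, driver.ErrSkip }
func (captureRows) Columns() []string                   { return []string{"id"} }
func (captureRows) Close() error                        { return nil }
func (captureRows) Next([]driver.Value) error           { return io.EOF }

// QueryContext is what database/sql calls for db.Query: the SQL text and the
// bound values arrive as separate things, so the values can never alter the text.
func (captureConn) QueryContext(_ context.Context, text string, args []driver.NamedValue) (driver.Rows, error) {
	mu.Lock()
	defer mu.Unlock()
	lastText = text
	lastArgs = make([]any, 0, len(args))
	for _, a := range args {
		lastArgs = append(lastArgs, a.Value)
	}
	return captureRows{}, nil
}

func init() { sql.Register("capture", captureDriver{}) }

// QueryAuditLogsConcatenated is the pattern this release removed: the
// caller-controlled value is spliced into the SQL text itself.
func QueryAuditLogsConcatenated(db *sql.DB, userID string) error {
	rows, err := db.Query("SELECT id, type FROM audit_logs WHERE user_id = '" + userID + "'")
	if err != nil {
		return err
	}
	return rows.Close()
}

// QueryAuditLogsPrepared keeps the SQL text constant and binds the value as a
// parameter; the driver (or server) handles it as data, not as syntax.
func QueryAuditLogsPrepared(db *sql.DB, userID string) error {
	rows, err := db.Query("SELECT id, type FROM audit_logs WHERE user_id = $1", userID)
	if err != nil {
		return err
	}
	return rows.Close()
}

// LastStatement returns a copy of what the stub driver last received.
func LastStatement() (string, []any) {
	mu.Lock()
	defer mu.Unlock()
	return lastText, append([]any(nil), lastArgs...)
}

func main() {
	db, err := sql.Open("capture", "")
	if err != nil {
		panic(err)
	}
	input := "u-1' OR '1'='1" // constructed input containing a quote

	_ = QueryAuditLogsConcatenated(db, input)
	text, args := LastStatement()
	fmt.Printf("concatenated: text=%q args=%v input-in-text=%v\n", text, args, strings.Contains(text, input))

	_ = QueryAuditLogsPrepared(db, input)
	text, args = LastStatement()
	fmt.Printf("prepared:     text=%q args=%v input-in-text=%v\n", text, args, strings.Contains(text, input))
}
```

The useful check when reviewing a query helper is the one the stub makes visible: the statement text must be the same constant regardless of input, and everything user-controlled must show up in the argument list instead.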
Security Notification Webhooks Fixed
Security notification webhooks were not triggering correctly in certain scenarios.
This has been fixed and webhooks now work as expected.
What's Changed
- chore: increase version numbers by @FreddyDevelop in #2385
- ci: fix doc publish permissions by @lfleischmann in #2386
- fix: set passcode charset to numeric by default by @FreddyDevelop in #2393
- ci: fix package lock by @lfleischmann in #2395
- fix: webhook update by @lfleischmann in #2383
- fix: remove code_verifier for linkedin by @FreddyDevelop in #2405
- fix: security notification webhooks by @lfleischmann in #2396
- ci: remove dependabot exclude paths by @lfleischmann in #2404
- chore: remove unnecessary log by @FreddyDevelop in #2407
- fix: email creation security notification by @lfleischmann in #2424
- chore: add missing webhook event in readme by @lfleischmann in #2421
- fix: remove duplicate key in webpack config by @lfleischmann in #2420
- feat: add name and picture attributes to user by @lfleischmann in #2417
- chore: update turbo by @lfleischmann in #2425
- feat: add AMR values to session token by @lfleischmann in #2429
- fix: use prepared statement by @FreddyDevelop in #2435
- chore: update angular in example by @lfleischmann in #2434
- feat: extend me endpoint by @lfleischmann in #2442
New Contributors
- @jaffarkeikei made their first contribution in #2403
Full Changelog: backend/v2.4.0...backend/v2.5.0