
Releases: logto-io/logto

v1.2.0

18 Apr 13:33
8588903

Note
We've received valuable feedback from our community since launching Logto Cloud (Preview) and OSS General Availability. Thank you!

Over the past month, we've been focused on enhancing Logto's functionality, fixing bugs, and improving its security features. Additionally, we're working on developing a reasonable pricing model and finalizing the details. If you're interested, please don't hesitate to contact us.

Feature updates

  1. Redis cache support: We’ve added support for Redis as a central cache for well-known data. This will allow for faster and more efficient data retrieval. See 🗄️ Enable central cache for details.

  2. New CLI command: We’ve added a new CLI command logto connector link to link local connectors without downloading from the remote. See Manage connectors for details.

  3. Translation updates: We’ve added Italian (it) and Polish (pl-PL) translations to make Logto more accessible to users worldwide.

  4. Console updates:

    • The web console now supports creating users with multiple identifiers, such as email, phone number, and username.
      Create user in Console

    • On the user details page, you can now suspend or reactivate a user from the "more options" menu (accessible by clicking the three-dot button in the top right corner).
      More options for a user

  5. Two new Management APIs:

    1. POST /users/:userId/password/verify will allow you to verify a user's password;
    2. GET /users/:userId/has-password will allow you to check if a user has a password.

Security update

We've added various security headers to server responses. For now they are applied in report-only mode: the browser reports policy violations (in the developer console, and to a reporting endpoint if one is configured) but does not block anything. We plan to enforce them in the next version, so if your sign-in experience loads resources from other origins (for example fonts or background images referenced from custom CSS), check the browser console for reported violations before upgrading.

In most cases, no action is required. Please see #3590 and #3613 for details.

Bug fix

  • We've removed all deprecated values in the filter and fixed the filter functionality on the web console's Audit Logs tab.
  • Fixed pt-BR phrase by @flaviofiori in #3656

Coming soon

Other important features we're planning for this year include SSO, MFA, and Organizations. Stay tuned!

Full Changelog: v1.1.0...v1.2.0

v1.1.0

30 Mar 11:58
ad13427

Language support

  • update 한국어 translation by @Alanimdeo
  • update Français and Deutsch translation
  • add Русский translation for console
  • add Español, 日本語, 繁體中文 translation

Note
Except for 한국어, the other translations were generated with ChatGPT.

Others

This release also includes various improvements and bug fixes.

Full Changelog: v1.0.3...v1.1.0

v1.0.3

22 Mar 12:07
296cad8
  • Force bump version to fix @logto/schemas not found issue.

Note
For the recent major release, please refer to Announcing Logto Cloud (Preview) and OSS General Availability.

v1.0.1

21 Mar 10:05
2f69933

v1.0.0

20 Mar 16:30
28e9fa4

Announcing Logto Cloud (Preview) and OSS General Availability

Did you know?
We have refreshed the Logto logo! We simplified the gradients but made our brand color stronger, resulting in improved recognizability.


We are grateful for your participation in testing Logto OSS, and we're excited to announce our first general availability version. In this version, we have delivered numerous improvements to the sign-in experience, making it more delightful for your end-users. This new release also includes several new practical features.

Note
In case you missed it, please see the letter from Gao: Announcing Logto Cloud (Preview) and OSS General Availability.

Let's take a look at what's new!

💥 BREAKING CHANGE 💥

Rename the /api/phrase API to /api/.well-known/phrases.

New features

Custom CSS editor

The console now has a custom CSS code editor in the “Sign-in experience” tab that allows you to apply advanced UI customization to your application. You can preview your changes in real-time via the sign-in experience preview on the right side.


Image uploader

The console now supports a drag-and-drop image uploader for multiple scenarios. If a storage provider is configured in the system, you can upload images directly from your local file system. The first version of the uploader supports AWS S3 and Azure Blob Storage. For more information, please refer to the Configure storage providers documentation.


Console profile page

We have removed the previous profile component and moved it to the user profile page. You can access the page by clicking your user avatar in the top right corner. From there, you can also change your language or theme directly from the popover menu.


On the profile page, you can update your avatar, name, and username, as well as change your password. For cloud users, it is now possible to link your email address and social accounts (Google and GitHub at first launch).

Sign-in experience

Added "Powered by Logto" to the sign-in experience.


CLI

We have added a new CLI command db system that allows you to get/set the system table value for your database. Enter logto db system --help in your terminal for details.

Improvements

Add parameter to specify showing sign-in or sign-up

A new parameter has been added to our JavaScript SDKs that lets you specify which interaction the user should land on. For instance, in our React SDK:

const { signIn } = useLogto();

// Shows the sign-in page
void signIn('https://some-callback-url');

// Shows the sign-up page
void signIn('https://some-callback-url', 'signUp');

Other SDKs will be updated soon.

Country code selector

A new country code selector dropdown component with a search box has been added to sign-in experience, allowing users to quickly search for a country code by typing in the search box.


Custom favicon

Users can now upload their own favicon in the sign-in-experience branding settings. A local Logto icon is used as the fallback.


Dynamic HTML titles

Instead of always showing “Logto”, the sign-in experience now sets the page title based on the current context, for example “Create account”.

Enhanced password policy

The password policy has been updated. A password must now be at least 8 characters long, contain only characters from the allowed set below, and use at least two of the three character types:

  • Digits: 0-9
  • Letters: a-z, A-Z
  • Symbols: !"#$%&'()*+,-./:;<=>?@[]^_`{|}~

Note that the new policy only applies to new users and newly set passwords. Existing users can continue to sign in with their old password.
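The following checker is an added example, not Logto's own implementation. It encodes the policy exactly as the notes state it (minimum 8 characters, only the listed characters, at least two of the three types); the error codes it returns are an assumption for illustration. Two consequences of the listed character set are worth noticing: space and backslash are not in it, so passwords containing either are rejected.

```javascript
// Added example (not Logto's code): validator for the v1.0.0 password policy.
const DIGITS = '0123456789';
const LETTERS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
// Exactly the symbol list from the release notes: no space, no backslash.
const SYMBOLS = '!"#$%&\'()*+,-./:;<=>?@[]^_`{|}~';

// Returns the character type, or null if the character is not allowed at all.
function characterType(ch) {
  if (DIGITS.includes(ch)) return 'digit';
  if (LETTERS.includes(ch)) return 'letter';
  if (SYMBOLS.includes(ch)) return 'symbol';
  return null;
}

// Validates a password and returns { ok, errors, types }.
//   errors: any of 'too_short', 'invalid_character', 'too_few_types' (assumed codes)
//   types:  the distinct character types present, useful for UI feedback
function checkPassword(password) {
  const chars = Array.from(password); // iterate by code point, not UTF-16 unit
  const errors = [];
  const types = new Set();

  if (chars.length < 8) errors.push('too_short');

  for (const ch of chars) {
    const type = characterType(ch);
    if (type === null) {
      if (!errors.includes('invalid_character')) errors.push('invalid_character');
    } else {
      types.add(type);
    }
  }

  if (types.size < 2) errors.push('too_few_types');

  return { ok: errors.length === 0, errors, types: [...types] };
}
```

Because the checker reports every failed rule rather than stopping at the first, a sign-up form can show the user all of the problems at once.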

Lite version of the set-password form

The new lite version contains a single password field and is used only when the forgot-password feature is enabled (that is, the password can be reset by email or phone). If you don't have an email or SMS service enabled, the old version of the form with two fields (password and confirm password) is still used.

Support Privacy Policy URL

A new Privacy Policy URL field has been added to the sign-in-experience settings to support end-users' privacy declaration needs.

Simplify the Terms of Use and Privacy Policy manual agreement for the sign-in flow

The Terms of Use and Privacy Policy manual agreement steps have been removed from the sign-in flow. The agreement checkbox in sign-in pages has been replaced with links to the Terms of Use and Privacy Policy.

Users can still read the agreements before signing in. However, the manual agreement is still mandatory for the sign-up flow, including sign-up with new social identities.

New Contributors

v1.0.0-rc.3

26 Feb 07:11
237df17

2023 Feb Update (Extended)

While Logto Cloud is still under construction, we would like to introduce some new features to our foundation, Logto OSS. This will be the last version before general availability.

Notable updates include:

  • Refactored infrastructure and enhanced security
  • Smart Input and Customize CSS added to Sign-in Experience
  • Open standard connectors (SAML, OIDC, and OAuth 2.0)
  • New language support

Let's take a look at what's inside!

💥 BREAKING CHANGES 💥

Decouple normal users and admins

Logto used to serve normal users, admins, and the web console on a single port. Although we maintain a high level of security, separating these into two independent parts keeps the data isolated and makes the infrastructure more flexible.


Note
From this version, Logto listens to two ports by default, one for normal users (3001), and one for admins (3002).


  • Nothing changed for normal users. No adaptation is needed.
  • For admin users:
    • The default Admin Console URL has been changed to http://localhost:3002/console.
    • To change the admin port, set the environment variable ADMIN_PORT. For instance, ADMIN_PORT=3456.
    • You can specify a custom endpoint for admins by setting the environment variable ADMIN_ENDPOINT. For example, ADMIN_ENDPOINT=https://admin.your-domain.com.
    • You can now completely disable admin endpoints by setting ADMIN_DISABLE_LOCALHOST=1 and leaving ADMIN_ENDPOINT unset.
    • Admin Console and admin user data are not accessible via normal user endpoints, including localhost and ENDPOINT from the environment.
    • Admin Console no longer displays audit logs of admin users. However, these logs still exist in the database, and Logto still inserts admin user logs. There is just no convenient interface to inspect them.
    • Due to the data isolation, the numbers on the dashboard may slightly decrease (admins are excluded); admin users cannot sign in to the user apps.
  • Resource Indicator for Logto Management API changed from https://api.logto.io to https://default.logto.app/api.


If you are upgrading from a previous version, simply run the database alteration command as usual, and we'll take care of the rest.

DID YOU KNOW?

Under the hood, we use the powerful Postgres feature Row-Level Security to isolate admin and user data.

CORS policy

  • If ADMIN_ENDPOINT is not specified, requests from the origin localhost:[admin-port] are allowed to perform Cross-Origin Resource Sharing (CORS) against Logto.
  • If ADMIN_ENDPOINT is specified, only requests from the origin of ADMIN_ENDPOINT are allowed.

🔐 Security update

In previous versions, when a user registered or changed their password, the new password was written in plain text to the Audit Logs before being encrypted and inserted into the database.

In this version, we have updated the process to fully mask password fields before they are inserted into the Audit Logs.

Warning

For enhanced security and compliance, we strongly recommend removing all passwords from the Audit Logs or deleting all log entries that include passwords. Remember that the same entries may also exist in any place the logs were copied to, such as database backups or an external log sink.

If you have any questions regarding this issue or the removal of data, please do not hesitate to contact us via email or Discord.
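The following is an added example, not Logto's own code, that shows the two sides of this update: masking password fields before an audit-log entry is written (the fix), and scanning already-stored entries for ones that still carry a password (the clean-up the warning asks for). The field names, the entry shape and the sample entries are constructed for the example.

```javascript
// Added example (not Logto's code): mask secrets before logging, and find
// legacy log entries that still contain them.

// Keys (compared case-insensitively) whose values must never reach the log.
// The key list is an assumption; extend it to match your own payloads.
const SECRET_KEYS = new Set(['password', 'newpassword', 'oldpassword', 'confirmpassword']);
const MASK = '******';

// Returns a deep copy of `value` with every secret-bearing field replaced.
function maskSecrets(value) {
  if (Array.isArray(value)) return value.map(maskSecrets);
  if (value !== null && typeof value === 'object') {
    const masked = {};
    for (const [key, inner] of Object.entries(value)) {
      masked[key] = SECRET_KEYS.has(key.toLowerCase()) ? MASK : maskSecrets(inner);
    }
    return masked;
  }
  return value;
}

// Writes an entry to the audit log with its payload masked first. The sink is
// injected (an array here; a database table in real code) so the masking is
// applied regardless of where the entry ends up.
function writeAuditLog(sink, entry) {
  const safeEntry = { ...entry, payload: maskSecrets(entry.payload) };
  sink.push(safeEntry);
  return safeEntry;
}

// True if a (nested) value still holds an unmasked secret field.
function containsUnmaskedSecret(value) {
  if (Array.isArray(value)) return value.some(containsUnmaskedSecret);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([key, inner]) => (SECRET_KEYS.has(key.toLowerCase()) && inner !== MASK) || containsUnmaskedSecret(inner),
    );
  }
  return false;
}

// Given stored entries (for example rows exported from the logs table),
// returns the ids of those that must be scrubbed or deleted.
function findEntriesWithSecrets(entries) {
  return entries.filter(containsUnmaskedSecret).map((entry) => entry.id);
}

// Constructed sample: one entry written before the fix, one clean entry.
const legacyEntries = [
  { id: 'log-1', type: 'Register', payload: { username: 'alice', password: 'hunter2!x' } },
  { id: 'log-2', type: 'SignIn', payload: { username: 'bob' } },
];
```

Matching on key names catches structured payloads, which is what this update is about, but it cannot find a password that was interpolated into a free-text field such as an error message or a raw request body; a scan of stored entries should therefore also grep the serialized text for known test passwords before the logs are declared clean.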

🧑‍🚀 Feature update

💡 Smart Input for Sign-in Experience

We have integrated the traditional input fields for username, phone number, and email into a single intelligent input box:


This advanced input box automatically identifies the type of characters you’re entering, such as an @ sign or consecutive numbers, and provides relevant error feedback.

By streamlining the sign-in process, users no longer need to waste time figuring out which button to click to switch their desired login method. This reduces the risk of errors and ensures a smoother sign-in experience.

🎨 Customize CSS in Sign-in Experience

We have put a lot of effort into improving the user sign-in experience and have provided a brand color option for the UI. However, we know that fine-tuning UI requirements can be unpredictable. While Logto is still exploring the best options for customization, we want to provide a programmatic method to unblock your development.

You can now call the Management API PATCH /api/sign-in-exp with the body { "customCss": "arbitrary string" } to set custom CSS for the sign-in experience. The value of customCss is injected into the page right after the <title> element. Rules with higher specificity than the built-in styles will override them.

For instance, if you want to give your sign-in page a feel of the Night City, try this CSS:



@font-face { font-family: 'Rock Salt'; font-style: normal; font-weight: 400; font-display: swap; src: url(https://fonts.gstatic.com/s/rocksalt/v18/MwQ0bhv11fWD6QsAVOZrt0M6p7NGrQ.woff2) format('woff2'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD; }
@font-face { font-family: 'Share Tech'; font-style: normal; font-weight: 400; font-display: swap; src: url(https://fonts.gstatic.com/s/sharetech/v17/7cHtv4Uyi5K0OeZ7bohU8H0JmBUhfrE.woff2) format('woff2'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD; }
#app * { font-family: 'Share Tech'; letter-spacing: 0.5px; }
#app > div[class$=viewBox] { background-image: url(https://silverhand.io/assets/v-in-nc.jpg); background-size: cover; }
#app main[class$=main] { background-image: url(https://silverhand.io/assets/gentle-universe.png); background-size: cover; opacity: 0.98; min-height: initial; padding: 24px; padding-bottom: 72px; border-radius: 12px; }
#app main[class$=main] img[class$=logo] { content: url(https://silverhand.io/assets/cyberpunk-2077.png); margin: -20px 0 -12px; height: 160px; }
#app main[class$=main] div[class$=headline] { visibility: hidden; height: 60px; }
#app main[class$=main] div[class$=headline]:before { content: 'Welcome to Night City'; visibility: visible; display: block; font-family: 'Rock Salt'; font-style: italic; line-height: 60px; font-size: 20px; color: rgba(245,250,255,0.6); padding: 0 20px; }
#app form div[class$=inputField] > div { outline: none; border: none; border-radius: 4px; }
#app form div[class$=inputField] > div > input, #app form div[class$=inputField] div[class$=countryCodeSelector] { background: initial; background-color: #453f67; font-family: 'Share Tech'; letter-spacing: 0.5px; font-size: 16px; font-weight: 600; }
#app button { font-weight: 600; font-size: 16px; border-radius: 4px; }
#app button[type=submit] { background: linear-gradient(270.84deg, #2FD6FB -24.55%, #6369FC 44.33%, #A741EB 119.2%), #5D34F2; }


"We have a city to burn!"


Note

Since Logto uses CSS Modules, you may see a hash value in the class property of DOM elements (e.g. a <div> with vUugRG_container). To override these, you can use the $= CSS selector to match elements that end with a specified value. In this case, it should be div[class$=container].

🔗 Open standard connectors with better config interface

Logto now supports standard protocols (SAML, OIDC, and OAuth 2.0) for creating social connectors to integrate external identity providers. Each protocol can create multiple social connectors, giving you more control over your access needs.

We have also improved the configuration interface for SAML connectors. Try it and let us know what you think!

📄 New language

Added Russian translation. (credit @evist0)

🎉 New Contributors

Thank you!


Full Changelog: v1.0.0-rc.1...v1.0.0-rc.3

v1.0.0-rc.2

25 Feb 15:25
cda2c82

Please see v1.0.0-rc.3.

v1.0.0-rc.1

03 Feb 09:51
b2f4b72

Note
For the full release notes of the recent major release, please see v1.0.0-rc.0.

What's Changed

  • fix(core): insert id when patch application #3052
  • fix(ui): should handle requiredProfile error on bindSocialRelatedUser #3034

Full Changelog: v1.0.0-rc.0...v1.0.0-rc.1

v1.0.0-rc.0

02 Feb 15:22
8f61cf7

v1.0.0-rc.0 (2023-02-02)

Note
Please welcome our first release candidate! Logto is just a few steps away from general availability.

💥 Breaking changes 💥

  • core: remove GET /settings and PATCH /settings API
  • core: add GET /configs/admin-console and PATCH /configs/admin-console API
    • /configs/* APIs are config/key-specific now. they may have different logic per key.
  • core: officially remove all deprecated /session APIs
  • core: use HTTP/2 to serve TLS (HTTPS) connections
  • cli: change valid logto db config keys by removing alterationState and adding adminConsole since:
    • OIDC configs and admin console configs are tenant-level configs (the concept of "tenant" can be ignored until we officially announce it)
    • alteration state is still a system-wide config
  • Machine-to-Machine applications that need admin access must now request the scope all in their client config in order to receive a usable Access Token for the Management API

🔒 Role-Based Access Control

We are excited to introduce our latest addition to our product, Role-Based Access Control (RBAC). This powerful feature gives administrators the ability to assign specific roles and permissions to users, ensuring they only have access to the resources and functions they need to do their job.

With RBAC, administrators can:

  • Define permissions across APIs
  • Create custom roles with specific permissions
  • Assign roles to users and manage their roles
  • Easily manage and update permissions
  • Securely validate permissions to protect APIs

Logto takes a major step forward in security and control with easy access management and authorization of sensitive info, ensuring only authorized users have the right to access. This aligns with our vision to provide an open-source identity solution with features for authentication and authorization, and packed with all the features you need.

Note
If you are using Logto SDKs, please upgrade to the latest version to take advantage of RBAC.

Check out our RBAC recipe for a step-by-step guide. Give it a try and let us know what you think!
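The last item in the list, validating permissions to protect an API, is the part that runs in your own service. The following is an added example, not Logto's SDK code, of that check for a token whose signature and issuer have already been verified (signature verification is not shown). It assumes the standard JWT claims: aud carries the resource indicator the token was issued for, scope is a space-separated list of permission names, and exp is in seconds since the epoch. The Management API indicator https://default.logto.app/api and the scope all come from these notes; https://api.example.com and the read:orders / write:orders scopes are invented for the example.

```javascript
// Added example (not Logto's code): RBAC enforcement on an API resource.
// Runs after the token's signature and issuer have been verified.
const MANAGEMENT_API = 'https://default.logto.app/api';

// Returns { ok, reason, missing }. `now` is injectable for deterministic tests.
function authorize(payload, resource, requiredScopes, now = Math.floor(Date.now() / 1000)) {
  // 1. Reject expired tokens before looking at anything else.
  if (typeof payload.exp === 'number' && payload.exp <= now) {
    return { ok: false, reason: 'token_expired', missing: [] };
  }

  // 2. Audience: the token must have been issued for *this* resource. A token
  //    for a user-facing API must not be accepted by the Management API even if
  //    its scope names happen to overlap. `aud` may be a string or an array.
  const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!audiences.includes(resource)) {
    return { ok: false, reason: 'wrong_audience', missing: [] };
  }

  // 3. Scope: every permission the route requires must have been granted.
  const granted = new Set(
    typeof payload.scope === 'string' ? payload.scope.split(' ').filter(Boolean) : [],
  );
  const missing = requiredScopes.filter((scope) => !granted.has(scope));
  if (missing.length > 0) {
    return { ok: false, reason: 'insufficient_scope', missing };
  }

  return { ok: true, reason: null, missing: [] };
}
```

Keeping the three checks in this order means a caller who presents a token for the wrong resource learns nothing about which scopes the route wanted, and the missing list is only returned once the audience is right, which is the information a legitimate client needs to request a better token.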

🏄 Streamlined social sign-in flow

💡 Logto now detects a trusted email (or phone number) from the social account during social sign-in.

  • If the email (or phone number) has been registered: Automatically connect the social identity to the existing user account with a single click.
  • If the email (or phone number) is not registered: Automatically sync the user profile with the social-provided email (or phone number) if and only if it is marked as a required user profile.

🔢 Send and verify verification codes via Management API

The new Management APIs let you reuse your connectors to send and verify verification codes for your own purposes, such as confirming a user's identity before they update their profile or perform a sensitive action.

  • Call /api/verification-code to send a verification code to a given email address or phone number
  • Call /api/verification-code/verify to check a code against the given email address or phone number

↩️ Rollback database alteration state

In case of any issues with the database, you can now use the logto db alteration rollback [target] command to roll back all database schemas to a previous version, for example logto db alteration rollback v1.0.0-beta.19.

v1.0.0-beta.19

06 Jan 09:03
4d9d166

v1.0.0-beta.19 (2023-01-06)

  • Fixed an issue in the database alteration scripts

For full release notes of the recent major release, please see v1.0.0-beta.18.