-
Support HTTPS redirects. pizauth now starts, by default, both HTTP and HTTPS servers, generating a new self-signed HTTPS certificate on each invocation.
pizauth infoshows you the certificate hash so you can verify that your browser is connecting to the right HTTPS server. You can turn either (but not both!) of the HTTP and HTTPS servers off withhttp_listen=offorhttps_listen=off. This is most useful if you want to force HTTPS redirects and ensure that you're not accidentally being redirected to an HTTP URL (i.e.http_listen=offis the option you are most likely to be interested in).
- Use
XDG_RUNTIME_DIRinstead ofXDG_DATA_HOMEfor the socket path.
-
Add
pizauth revokewhich revokes any tokens / ongoing authentication for a given account. Note that this does not revoke the remote token, as OAuth2 does not currently have standard support for this. -
Include bash completion scripts and example systemd units.
-
Rework file installation to better handle a variety of OSes and file layouts. The Makefile is now only compatible with gmake.
-
Add
pizauth statusto see which accounts have valid tokens (or not):$ pizauth status act1: No access token act2: Active access token (obtained Sat, 4 Nov 2023 21:52:11 +0000; expires Sat, 4 Nov 2023 23:20:42 +0000) act3: Active access token (obtained Sat, 4 Nov 2023 22:23:03 +0000; expires Mon, 4 Dec 2023 22:23:03 +0000) -
Give better syntax errors if backslashes (
\\) are used incorrectly.
-
Better handle syntactically invalid requests. In particular, this causes the check for a running instance of pizauth not to cause the existing instance to exit.
-
Document
-v(which can be repeated up to 4 times for increased verbosity) onpizauth server.
- Fix location of
ringdependency.
-
First stable release.
-
Add
pizauth info [-j]which informs the user where pizauth is looking for configuration files and so on. For example:$ pizauth info pizauth version 0.3.0: cache directory: /home/ltratt/.cache/pizauth config file: /home/ltratt/.config/pizauth.confAdding
-joutputs the same information in JSON format for integration with external tools. Theinfo_format_versionfield is an integer value specifying the version of the JSON output: if incompatible changes are made, this integer will be monotonically increased.
-
not_transient_error_ifhas been removed as a global and per-account option. In its place is a new global optiontransient_error_if_cmd.If you have an existing
not_transient_error_ifoption, you will need to reconsider the shell command you execute. One possibility is to change:not_transient_error_if = "shell-cmd";to:
transient_error_if_cmd = "! shell-cmd";transient_error_if_cmdsets the environment variable$PIZAUTH_ACCOUNTto allow you to perform different actions for different accounts if you desire.
-
Added a global
token_event_cmdoption, which runs a command whenever an account's token changes state. -
Added
pizauth dumpandpizauth restorewhich dump and restore pizauth's token state respectively. When combined withtoken_event_cmd, these allow users to persist token state. The output frompizauth dumpis not meaningfully encrypted: it is the user's responsibility to encrypt, or otherwise secure, the dump output. -
Update an account's refresh token if it is sent to pizauth by the remote server.
-
Move from the unmaintained
jsonto theserde_jsoncrate. -
Don't bother users with OAuth2 "errors" (e.g. that a token cannot be refreshed) that are better thought of as an inevitable part of the OAuth2 lifecycle.
-
login_hintis now deprecated in favour of the more generalauth_uri_fields. Change:login_hint = "[email protected]";to:
auth_uri_fields = { "login_hint": "[email protected]" };Currently
login_hintis silently transformed into the equivalentauth_uri_fieldsfor backwards compatibility. -
auth_uri_fieldsallows users to specify zero or more key/value pairs to be appended to the authorisation URI. Keys (and their values) are appended in the order they appear inauth_uri_fields, each separated by a&. The same key may be specified multiple times. -
Several options can now be set globally and overridden in individual accounts:
not_transient_error_ifrefresh_at_leastrefresh_before_expiryrefresh_retry
-
scopesis now optional and also, equivalently, can be empty.
-
auth_error_cmdhas been renamed toerror_notify_cmd. pizauth detects the (now) incorrect usage and informs the user. -
refresh_retry_intervalhas been renamed torefresh_retryand moved from a global to a per-account option. Its default value remains unchanged.
-
Tease out transitory / permanent refresh errors. Transitory errors are likely to be the result of temporary network problems and simply waiting for them to resolve is normally the best thing to do. By default, pizauth thus simply ignores transitory errors.
Users who wish to check that transitory errors really are transitory can set
not_transitory_error_ifsetting. This is a shell command that, if it returns a zero exit code, signifies that transitory errors are permanent and that an access token should be invalidated.nc -z <website> <port>is an example of a reasonable setting.not_transitory_error_ifis fail-safe in that if the shell command fails unnecessarily (e.g. if you specifypingon a network that prevents ping traffic), pizauth will invalidate the access token. -
Each refresh of an account now happens in a separate thread, so stalled refreshing cannot affect other accounts.
-
Fix bug where newly authorised access tokens were immediately refreshed.
Second alpha release.
-
Added global
http_listenoption to fix the IP address and port pizauth's HTTP server listens on. This is particularly useful when running pizauth on a remote machine, since it makes it easy to open anssh -Ltunnel to authenticate that remote instance. -
Fix build on OS X by ignoring deprecation warnings for the
daemonfunction. -
Report config errors before daemonisation.
First alpha release.