FusionAuth has released version 1.30.0 of FusionAuth. This version shipped on August 12, 2021. 1.30.0 includes a robust Advanced Threat Detection feature, adds 38 webhook events, resolves issues for FusionAuth community members, and more!
This release contained a number of features, enhancements, and bug fixes. Please see the release notes for a full breakdown of the changes between 1.29 and 1.30.0.
There are a few items worth calling out.
JWT Vending Machine
There are scenarios where a user does not yet exist, or is in the process of being created, yet still needs access to services. This may be an anonymous user, who will never authenticate, or a future user, who is using the site, but has not yet authenticated. Imagine a prospective user clicking around a recipe site. They may want to save recipes without signing in. But when they do finally create an account and sign in, they expect their saved recipes to still be attached to their account. In these cases we cannot yet authenticate to FusionAuth.
To address this, the new release includes an API allowing a JWT to be created without a corresponding user.
When you call the /api/jwt
endpoint with a JSON payload, you’ll get back a signed JWT, which, when decoded and validated, will look like the below output:
// header
{
"alg": "HS256",
"typ": "JWT",
"kid": "vEp2zjZX45e1SvPuVaZfbkIv_V6vpVPs"
}
// payload
{
"exp": 1629495785,
"iat": 1629495485,
"iss": "piedpiper.com",
"jti": "09c723b1-cb85-4130-bd27-e435eb4f35c3",
"id": "cksknqcp90002au664j1j1cul"
}
If you want to try this out, FusionAuth wrote a curl script for you, which you need to modify with your own FusionAuth API key, a URL to your FusionAuth app, and a payload of your choosing.
curl -XPOST -H 'Content-type: application/json' -H "Authorization: ..." 'https://local.fusionauth.io/api/jwt/vend' -d '{"claims": {"id":"cksknqcp90002au664j1j1cul", "iss": "piedpiper.com"}, "timeToLiveInSeconds":300}'
Using this ability, a new user on your app can start interacting with the app as a unique user, before needing to create an account. Then, once they do create an account, the unique Id can be used to ensure any saved profile data is retained.
Threat Detection Feature
Flagging and responding to suspicious behavior is a part of any cybersecurity product, so naturally, FusionAuth incorporated this functionality into the ever-evolving FusionAuth platform. FusionAuth created advanced threat detection, a feature that brings best-practice functionality to help you deal with bizarre, possibly malicious behaviour around logins, registrations, user creation, and user updates.
This is a paid feature, available to enterprise-level customers only. If you are already on enterprise, turning this feature on requires a support ticket, as FusionAuth are rolling this out over time.
While the entirety of this feature is too large to cover here, there a few notable aspects discussed here.
Customizable rate limiting per user for specific requests such as:
- failed login
- forgot password
- send email verification
- and more!
Captcha – Uses additional captcha to guard against brute force attacks.
- Adds a (re)captcha for login pages.
- Includes support for Google ReCaptcha v2, Google ReCaptcha v3, HCaptcha and Hcaptcha Enterprise.
Location aware security
- Inside of every Forgot/Reset Password email that is sent to a user, the geographic location of where the password reset request was made is displayed, so the recipient can identify if the location of the request seems suspicious. (For example: ‘That’s odd..how could I have asked for a password reset in Illinois? I’m in Mumbai!’)
- Flags suspicious IP addresses on login and sends an email to notify the user of a new login with the IP’s approximate location.
- Calculates ‘impossible travel’ to see if a user could realistically login at different locations around the globe in a reasonable time frame. (This does not provide support if your user is a quantum being…)
- When a login request occurs from an unexpected IP address, a user receives an email to notify them of a new login with an approximate location of the IP address.
To learn more, you can take a look at FusionAuth release notes.
Webhook Events
FusionAuth have added 38 webhook events to help you monitor what is going on with your app and integrate with other systems. These webhooks cover the entire breadth of creating, updating, and deleting a user, as well as the user registration and password reset lifecycle.
Lastly, FusionAuth have added some webhook events to notify you of the completion of any kickstart files that you run, and also webhooks to audit the behavior of JWTs.
The documentation for these webhooks are being updated, which will be available here shortly.
The rest of it
Some of the other enhancements and fixes included in this release:
- Search on
oldValue
,newValue
, andreason
in the Audit Log. - More themed pages have access to the currently logged user using the
currentUser
variable. - When an IdP has a linking mode other than Create Pending Link, the token is now stored correctly in the Identity Provider Link object.
- Making an API request to
/api/two-factor/login
with an empty JSON body, an exception now occurs instead of returning a validation error with a400
status code. This has been fixed.
Upgrade at will
The release notes are a guide of the changes, fixes, and new features. Please read them carefully to see if any features you use have been modified.
If you’d like to upgrade your self-hosted FusionAuth instance, see FusionAuth upgrade guide.
If you have a FusionAuth Cloud deployment, proceed to the “Deployments” tab on your account dashboard and upgrade your servers. If you have any questions about the upgrade, please open a support ticket.
Or, if you are interested and you’d like to use FusionAuth, check out your options.