Releases: teamhanko/hanko
Hanko Beta v0.5.0
3rd-party identity providers (OAuth SSO)
The leading feature of this release is support for 3rd-party identity providers, starting with Google and GitHub. Coming up next, Sign in with Apple is already in the making, and support for Microsoft accounts will follow shortly after. We've built the OAuth components in a modular way so that support for even more identity providers (e.g. Twitter, Facebook, Slack) can be added quickly by us or external contributors if there's demand for it.
During the first months of working on Hanko, we focused our efforts on establishing a fully usable, production-ready authentication stack that is built for passkeys. With this now in place, we're able to combine the new and exciting passkey login flows with today's most popular authentication methods, i.e., "social logins".
Even with passkeys now broadly supported on all ecosystems, we think that offering sign up and login options for popular 3rd-party identity providers still makes sense, especially to convert new users quickly by allowing them to skip the "enter your email" and email verification steps. After a successful sign in with e.g. Google, users will be presented with the option to create a passkey for the app where Hanko is integrated, which can then be used for subsequent logins that no longer need to (but still can) be done through the 3rd-party.
Updated example apps
We've updated the example apps to use the latest hanko-elements version and added the hanko-profile element to each example.
Logout function in frontend SDK
Thanks to @irby, we now have support for the logout flow in hanko-frontend-sdk, making Hanko's integration even simpler.
What's changed
- Adjust method to parse the retry after header by @bjoern-m in #524
- fix: frontend-sdk build and publish now in one step by @like-a-bause in #530
- fix: add registry-url by @like-a-bause in #531
- Update hanko-elements README by @bjoern-m in #532
- Fix retry after error handling by @bjoern-m in #533
- feat: add order query for user list by @FreddyDevelop in #556
- feat: store webauthn credential backup info by @FreddyDevelop in #554
- fix: add same site attribute to workaround cookie by @FreddyDevelop in #563
- feat: add basic metrics by @like-a-bause in #570
- Feat backend versioning by @like-a-bause in #581
- Fix: Resolve null reference exception that occurs when lang is not supplied to hanko-elements by @irby in #569
- fix(hanko-elements): change passcode button text by @bjoern-m in #586
- test: improve user handler test by @FreddyDevelop in #582
- feat: add third party integrations by @lfleischmann in #577
- Feat update examples by @like-a-bause in #597
- examples: use consistent naming schema by @like-a-bause in #601
- Feat: display last used time of WebAuthn credentials by @bjoern-m in #600
- chore: update frontend-sdk 0.2.0 by @like-a-bause in #604
- Feat release elements by @like-a-bause in #605
- feat(config): allow multi word env var keys by @lfleischmann in #617
- feat(elements): use svg icons by @lfleischmann in #606
- Show loading spinner until the api attribute is defined by @bjoern-m in #619
- Feat: Add logout method to sdk by @irby in #566
- Add hanko profile to example apps by @bjoern-m in #618
- fix(quickstart): use correct cursor for the logout link by @bjoern-m in #632
- chore: optimize imports by @bjoern-m in #634
- Feat monorepo solve hanko elements issues by @bjoern-m in #638
- fix(docs): content container layout issue by @lfleischmann in #637
- Feat monorepo by @like-a-bause in #614
- fix: divider overlaps the text when the background is transparent by @bjoern-m in #639
- roadmap updates and small text changes by @FlxMgdnz in #628
Full Changelog: v0.4.0...backend/v0.5.0
Hanko Beta v0.4.0
This release introduces the new Hanko profile custom element and basic rate limiting.
Profile element
In addition to <hanko-auth>, hanko-elements now also contains <hanko-profile>, a profile page that can be integrated into your app and fully customized with CSS. The profile supports email and credential management, allowing your users to change their email address, their password (if enabled), and manage their passkeys.
Our quickstart app utilizes the new profile page, so you can check it out there. We'd love to hear your thoughts.
Note: The import path for the elements package has been changed. See elements readme for more information. To use <hanko-profile>, you need the latest version of the hanko-elements package (v0.1.0-alpha).
Rate limiting
This version also introduces basic rate limiting to Hanko to protect endpoints from scripted / DoS attacks. The rate limiter supports both in-memory and Redis configurations and uses a combination of user ID and IP address.
What's changed
- docs: add a simple guide for mobile by @FreddyDevelop in #458
- feat: add database url config variable by @FreddyDevelop in #487
- feat: add query parameter for searching audit logs by @FreddyDevelop in #490
- feat: introduce hanko profile element and related api changes by @bjoern-m in #495
- Feat basic rate limiting by @like-a-bause in #501
- chore: update echo and switch the deprecated jwt middleware with echo… by @like-a-bause in #507
- fix: fix button width by @bjoern-m in #508
- fix: adjust the invalid WebAuthn credential error message by @bjoern-m in #463
- fix: frontend dockerfiles by @lfleischmann in #509
- fix: add 'emails' section to Config.md by @bjoern-m in #523
- feat: add query params to search users by @FreddyDevelop in #522
Full Changelog: v0.3.2...v0.4.0
Hanko Beta v0.3.2
Adding support for native Android and iOS apps and bringing Hanko to Svelte.
Mobile app support
Developers can now use Hanko for authentication when building native apps for Android and iOS. Since passkeys can also be used in native apps, this enables a seamless user experience across websites and native apps. To make this work, we had to add support for multiple WebAuthn origins to Hanko backend. Passkeys are always bound to an "origin", and in most cases that is a domain. However, unlike websites and iOS apps, an Android app identifies itself with its APK hash during the WebAuthn ceremonies required to use passkeys. This APK hash can now be added to the list of allowed origins in the Hanko backend config. We will also release a first draft of a sample app for Android very soon to provide guidance on building native app authentication with passkeys using Hanko.
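The origin check described above, as an added example that is not Hanko's own code: a relying party compares the origin field of the WebAuthn clientDataJSON against an allow-list that mixes a web origin with an Android APK origin. The function names, the https-only rule for web origins and all sample values are assumptions of this example; the android:apk-key-hash: form (unpadded base64url SHA-256 of the app's signing certificate) is how Android reports the APK hash.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

const apkPrefix = "android:apk-key-hash:"

var ErrOriginNotAllowed = errors.New("origin not in allow-list")

// APKOrigin builds the origin an Android app reports: the prefix plus the
// unpadded base64url SHA-256 digest of its signing certificate (DER bytes).
func APKOrigin(certDER []byte) string {
	sum := sha256.Sum256(certDER)
	return apkPrefix + base64.RawURLEncoding.EncodeToString(sum[:])
}

// normalize returns a comparable form: APK origins are kept byte-for-byte
// (base64 is case-sensitive); web origins must be bare https scheme+host.
func normalize(origin string) (string, error) {
	if strings.HasPrefix(origin, apkPrefix) {
		return origin, nil
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" || u.Host == "" || u.User != nil ||
		u.Path != "" || u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("not a bare https origin: %q", origin)
	}
	return "https://" + strings.ToLower(u.Host), nil
}

// VerifyOrigin checks the origin in clientDataJSON against the allow-list
// by exact match, never by prefix or suffix.
func VerifyOrigin(clientDataJSON []byte, allowed []string) error {
	var cd struct {
		Origin string `json:"origin"`
	}
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return fmt.Errorf("malformed clientDataJSON: %w", err)
	}
	got, err := normalize(cd.Origin)
	if err != nil {
		return err
	}
	for _, a := range allowed {
		if want, err := normalize(a); err == nil && got == want {
			return nil
		}
	}
	return ErrOriginNotAllowed
}

func main() {
	// Constructed sample values, not taken from any real app.
	apk := APKOrigin([]byte("constructed signing certificate bytes"))
	allowed := []string{"https://login.example.com", apk}
	for _, o := range []string{"https://login.example.com", apk, "https://login.example.com.evil.test"} {
		err := VerifyOrigin([]byte(`{"type":"webauthn.get","origin":"`+o+`"}`), allowed)
		fmt.Printf("%-40s allowed=%v\n", o, err == nil)
	}
}
```

Each allow-list entry is matched exactly, so a lookalike host that merely begins with an allowed domain is rejected, as is an APK origin derived from any other signing certificate.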
Bringing passkeys to Svelte 👋
A small bug in the library we're using for our web components prevented Hanko from working with Svelte apps. Until now. The integration guide can be found at https://docs.hanko.io/guides/svelte.
What's changed
- ci: add npm publishing/release workflows for elements and frontend-sdk by @like-a-bause in #394
- chore: use hanko preact custom element fork by @lfleischmann in #421
- ci: add missing build steps to frontend package workflows by @lfleischmann in #422
- chore: bump elements version by @lfleischmann in #423
- feat(examples): add svelte example by @lfleischmann in #424
- docs: fix typo in svelte guide by @lfleischmann in #439
- ci: fix elements workflow by adding frontend sdk build step by @lfleischmann in #440
- Adjust passkey and conditional mediation support by @bjoern-m in #446
- Fix conditional UI stops working on error by @bjoern-m in #451
- fix(hanko-auth): don't overwrite existing 'lang' property with a poss… by @bjoern-m in #450
- ci: fix elements release workflow by @lfleischmann in #452
- ci: fix elements workflow again by @lfleischmann in #453
- ci: rename elements workflow job and remove dry run flag on publish by @lfleischmann in #454
- chore(examples): bump hanko-elements version in examples by @lfleischmann in #455
- Feat allow multiple webauthn origins by @FreddyDevelop in #456
Full changelog: v0.3.1...v0.3.2
Hanko Beta v0.3.1
The main feature of this release is the support for hardware security keys on passkey creation.
FIDO security keys (and other roaming authenticators)
Until now, we allowed passkeys to be created only on platform authenticators (Touch ID, Face ID, Windows Hello..., i.e., the device you're browsing on) to keep things simple. Roaming authenticators, most commonly known as security keys, were not supported by Hanko so far. But with this release, we removed all restrictions regarding the authenticator types. It is perfectly fine to store a passkey on a physical security key, and now you can do that with Hanko.
One thing to be aware of is that most security keys only support storing a limited number of passkeys that can be as low as 25 in some cases.
This change also improves the passkey creation UI in Chromium browsers where it's now possible to store the passkey on your phone through the QR code flow – which was only working in Safari before.
Multi-platform support
Thanks to @hilli, our Docker builds now support other platforms than X86, namely AMD64 and ARM64. That's awesome!
What's changed
- Use Discussions rather than the slack community by @like-a-bause in #330
- ci: make solution sections optional in feature request template by @lfleischmann in #336
- fix: check wrapped error for sql.ErrNoRows by @FreddyDevelop in #341
- fix: remove ../ from backend docker build. by @like-a-bause in #345
- fix: add dockerignore for elements and frontend-sdk by @like-a-bause in #344
- rewrite community section by @FlxMgdnz in #343
- docs: set api spec version by @lfleischmann in #346
- docs: update readmes by @lfleischmann in #350
- Feat bundle frontend sdk by @like-a-bause in #362
- fix: make compose debug file work with new frontend lib dir structure by @lfleischmann in #379
- docs: fix links to elements readme in frontend guides by @lfleischmann in #380
- fix: frontend sdk doc build by @lfleischmann in #388
- fix: set correct frontend sdk url env var in compose debug file by @lfleischmann in #390
- docs: fix links in elements readme by @lfleischmann in #391
- docs: allow chore prefix in contribution commit guidelines by @lfleischmann in #395
- Add total count & link header for pagination by @FreddyDevelop in #393
- docs: fix code examples in react guide by @lfleischmann in #405
- feat: remove platform attachment requirement on registration by @lfleischmann in #331
- chore: update elements package lock file by @lfleischmann in #406
- docs: remove announcement bar by @lfleischmann in #412
- docs: add hint to hanko cloud in intro and api url info in frontend guides by @lfleischmann in #413
- docs: simplified getting started section and other minor changes by @FlxMgdnz in #399
- Multiplatform docker by @hilli in #416
New contributors
Full changelog: v0.3.0...v0.3.1
Hanko Beta v0.3.0
The main features of this release are support for Conditional UI and an audit log system.
Conditional UI
Hanko's login box now supports Conditional UI, aka passkey autofill. In supported browsers, the "Sign in with a passkey" button is no longer required, and instead a passkey autofill UI is displayed when the user clicks or taps on the username input. Passkey autofill lists all available passkeys and is much less intrusive or misleading than the extra button that may or may not work for users that don't have any passkey yet. You can test passkey autofill today by spinning up a local Hanko example. We will also update passkeys.io in the next few days. Browsers that already support conditional UI are:
- Safari on iOS16
- Safari on macOS13 Beta/RC
- Chrome Canary on Android (with Play Services Beta)
- Chrome Canary on Windows 11 22H2
Audit logs
We've added a new feature to Hanko backend to collect audit logs and an API to access the logs. The focus here is on user actions (e.g., login attempt, passkey creation, password changed).
What's changed
- ci: build and publish frontend-sdk by @aspeteRakete in #229
- create code_of_conduct from github template by @aspeteRakete in #232
- docs: move documentation into monorepo by @lfleischmann in #230
- docs: move into monorepo cleanup by @lfleischmann in #233
- Passkey creation view minor text improvements by @FlxMgdnz in #231
- rename "private" api to "admin" api by @lfleischmann in #234
- docs: link frontend guides to ui customization guide by @lfleischmann in #242
- docs: provide only the latest version of the frontend sdk docs by @lfleischmann in #239
- chore: add License note for frontend-sdk by @aspeteRakete in #244
- docs: add js backend guide example by @lfleischmann in #241
- Remove console log by @irby in #250
- fix: send 401 when passcode is not found instead of 404 by @aspeteRakete in #247
- Update README.md by @shibukawa in #180
- Update dependabot.yml by @aspeteRakete in #253
- feat(hanko-elements): add light dom support by @bjoern-m in #235
- chore: add issue and pull request templates by @lfleischmann in #264
- Update Config.md by @aspeteRakete in #254
- Feat conditional UI by @bjoern-m in #255
- docs: add plausible analytics by @lfleischmann in #274
- Ask for Browser in BugReport by @aspeteRakete in #283
- fix(hanko-frontend-sdk): access X-Auth-Token header during cross-doma… by @bjoern-m in #251
- docs: fix broken link in e2e readme by @FreddyDevelop in #297
- Test hanko frontend sdk by @bjoern-m in #266
- feat: add audit logs by @FreddyDevelop in #185
- Add link to the slack community to the issue templates by @aspeteRakete in #299
- docs: misc api spec fixes, adjustments by @lfleischmann in #303
- fix: persisted passcode timestamps by @lfleischmann in #311
- feat: enable debugging for services/libs used in quickstart cluster by @lfleischmann in #312
New contributors
- @irby made their first contribution in #250
- @shibukawa made their first contribution in #180
Full changelog: v0.2.0...v0.3.0
Hanko Beta v0.2.0
Aka Introducing the Hanko JavaScript Frontend SDK.
Using the Hanko API has now become much easier with the introduction of our frontend SDK. The most common use cases (for now) are retrieving information about or creating a(nother) passkey for the authenticated user. We also updated the example app to make use of the SDK and added a "Create a passkey" button to the /secured page.
Our OpenAPI specification (docs/spec/api.yaml) has been reworked from scratch and is now on par with the backend.
What's changed
- feat(hanko-frontend-sdk): introduce separated frontend sdk package by @bjoern-m in #181
- hanko-js switch to new sdk by @bjoern-m in #189
- chore: rename hanko-js folder by @bjoern-m in #215
- Feat example app frontend sdk integration by @bjoern-m in #224
- docs(api-spec): update spec by @lfleischmann in #197
- feat(jwk): make explicit public jwks are used for verifying signatures by @lfleischmann in #207
- docs(api-spec): webauthn login initialization adjustments by @lfleischmann in #223
- fix(e2e): playwright loader error by @lfleischmann in #186
- refactor(backend): remove unused ApiError dto by @lfleischmann in #187
- fix: do not serialize credential transports to json by @lfleischmann in #193
- docs(backend): document min_password_length config option by @lfleischmann in #194
- fix(jwk): remove conflicting order by clause when retrieving last jwt … by @lfleischmann in #198
- update in vocabulary by @LucidSamuel in #175
- Small wording changes by @FlxMgdnz in #202
New contributors
- @LucidSamuel made their first contribution in #175
Full changelog: v0.1.1...v0.2.0
Hanko Beta v0.1.1
Aka The Compatibility Patch.
After our initial release about a month ago, we've been coding through the heat wave and made sure to fix a handful of issues. We were able to make some important steps to give the Hanko login experience a good polish. Here are some highlights:
hanko-js
- The default design of hanko-auth element is now a bit more neutral and we removed most width and height default settings to make it more responsive for seamless integration into different layouts
- Entering an email address now also triggers the WebAuthn / passkey login flow if the associated account has a credential
- Disabled the passkey button on Android, as passkeys (i.e. an empty allowList) are not yet supported on Android; WebAuthn logins can still be triggered by entering an email that has registered a credential before
Hanko API
- Added support for cross-domain cookies to allow backend and frontend to be hosted on different domains
- WebAuthn transports = "internal" is currently broken on Android and Windows, so we removed transports from all login requests; this results in the option "Security Keys" being shown in some login scenarios, even if the credential was created with a platform authenticator; we'll revisit this when the authenticators on Android and Windows have better passkey support
- Worked around an issue with Safari on iOS 15 and macOS Monterey where the WebAuthn login could only be initiated once per page reload
Other
- Docker Compose / Quickstart now works properly on M1 Macs
Contributors
- @sojinsamuel made their first contribution to this project. Thank you!
- @SimoMay contributed to v0.1.0, but we forgot to mention it. Sorry & big thanks to you!
Hanko Beta v0.1.0
It's been 4 months since we started building Hanko open source and today we're happy to announce the initial beta release of the project.
The timing couldn't be better, as Apple's passkey implementations will soon be available for everyone to test in the public beta versions of iOS 16 and macOS 13. It's a fascinating experience to see the first true evolutionary step in user authentication in action. Of course, Hanko's passwordless authentication already works perfectly on all current live platforms (iOS, macOS, Android, Windows), just without the full passkey synchronization support that will be available on our devices later this year.
What's new
Hanko's code has been available on GitHub since day 1 of development. We've been adding new features almost daily, and today we reached our biggest milestone yet: the first beta release. Here's what we've added recently and what completes the project:
- UI customization: The last missing piece for the first version of Hanko was UI customization. While we made sure the Hanko login box looked good without any additional styling, our goal was for Hanko to fit seamlessly into any website and brand. Customers want their login to feel native, it should blend well with the rest of the site. This is now possible thanks to the extensive customization options we've added to the Hanko web component, which is delivered as part of our frontend library.
- Hanko-elements published on npm: Besides the minimalistic passkey authentication API, a key feature of Hanko is the <hanko-auth> element, which brings a full user interface, gives your users a modern login and registration experience, and can be integrated into any website with just two lines of code. We have now released the first version of hanko-elements on npm to make building with Hanko as easy as possible.
- E2E testing: Delivering stable code is a priority for us, so we put a lot of effort into setting up end-to-end testing. We use Playwright for this and are very happy with the results. The tests are already integrated into our build pipeline, and we have put together a short guide on how to run the tests locally.
How to get started
Just follow the Getting Started guide in the project's readme to get your passkey-enabled login example app up and running with Docker Compose in just a few minutes.
Get involved
We'd love to get to know you and hear your feedback, so we invite you to join our growing Hanko Community on Slack and be a part of the passkey revolution.