14 KiB
@emdash-cms/auth
0.29.0
0.28.1
0.28.0
0.27.0
0.26.0
0.25.1
0.25.0
0.24.1
0.24.0
0.23.0
0.22.0
0.21.0
0.20.0
0.19.0
0.18.0
0.17.2
0.17.1
0.17.0
0.16.1
0.16.0
0.15.0
Minor Changes
-
#1146
11b3001Thanks @MohamedH1998! - Adds first-class i18n support for bylines, mirroring the row-per-locale model already used by menus and taxonomies (PR #916, migrations 036).Schema (migration 040)
_emdash_bylinesgains two columns:locale—TEXT NOT NULL DEFAULT 'en'. Every row now belongs to exactly one locale.translation_group—TEXT NOT NULL. Shared across every locale variant of a single byline identity. The anchor row'stranslation_groupequals itsid; siblings inherit it.
A partial unique index
idx_bylines_group_locale_uniqueenforces one row per(translation_group, locale). The pre-existing(slug)unique index becomes(slug, locale)to allow the same slug across locales.Existing rows are backfilled to the configured
defaultLocale(or'en'if i18n isn't configured) withtranslation_group = id. Monolingual sites see no functional change; multilingual sites continue rendering the same byline data at the default locale until editors create translations.Credit hydration: strict per-locale
_emdash_content_bylines.byline_idnow stores the byline'stranslation_group, not its row id. When an entry is rendered, credits are filtered by joining the junction against the byline sibling whoselocalematches the entry'slocale. If no sibling exists at the entry's locale, the credit hydrates as empty — there is no fallback to other locales' bios.Author-inferred bylines (where an entry has no explicit credits but its author is linked to a byline) still fall back per-locale and respect the strictness gate: an entry with explicit credits at any locale will not infer from the author even if the explicit credits don't resolve at the rendering locale.
This is a deliberate behavior change for multilingual sites. The motivation is correctness: chain-walking credits across locales renders the wrong-language bio on translated entries.
The "explicit credit suppresses author fallback" check reads
primary_byline_iddirectly from the content row — set bysetContentBylinesiff junction rows exist, backfilled by migration 040 for pre-existing rows. No separate probe against_emdash_content_bylinesis needed at hydration time; the column is folded into the single per-entry context fetch (author_id+primary_byline_idin one query). Both monolingual and multilingual sites get the same query count.Identity lookups: chain-walk
getBylineBySlug(slug, { locale })walks the configured fallback chain (resolveLocaleChain), likegetMenuandgetTerm. Author pages for un-translated bylines still render an identity rather than 404'ing. This is conceptually distinct from credit hydration and runs throughrequestCachedfor per-render dedupe.Admin
- TranslationsPanel in the bylines editor lists every configured locale with Edit / Translate buttons. The Translate action POSTs to the new
POST /_emdash/api/admin/bylines/:id/translationsendpoint. - LocaleSwitcher on
/bylinesfilters the list strictly to one locale. Cross-locale navigation via TranslationsPanel routes through/bylines?locale=…. - The byline picker on the content editor is locale-pinned to the entry's locale. Editors only see bylines that will actually hydrate at the entry's locale.
- The byline credit empty state on a locale with no bylines yet shows a CTA linking to
/bylines?locale=…for inline creation. - Translating an entry (
POST /content/:collectionwithtranslationOf) callscopyContentBylinesto inherit the source's credits — these resolve at the new entry's locale via the strict-hydration model, so credits "follow" the content across translations once sibling bylines exist.
API additions
GET /_emdash/api/admin/bylines/:id/translations— list every sibling row sharing a translation_group.POST /_emdash/api/admin/bylines/:id/translations— create a sibling at a target locale. Body defaults (slug, displayName, websiteUrl, avatar) inherit from the source.POST /_emdash/api/admin/bylinesacceptstranslationOf+localeto create a sibling in one call.GET /_emdash/api/admin/bylines?locale=…filters strictly.BylineSummarygainslocale: stringandtranslationGroup: string | null(additive — existing consumers ignore the new fields).
Permissions
Two new entries on
@emdash-cms/auth:bylines:read— minimumSUBSCRIBER.bylines:manage— minimumEDITOR.
All byline routes (list, get, update, delete, translations) now check these instead of
content:read/Role.EDITOR. Role thresholds are unchanged, so existing users see no permission differences. Custom RBAC configurations that bind to the old strings should add the new permission names.Repository
BylineRepositoryis strict per-locale:findMany,findBySlug,findByIdaccept an optionallocaleand return rows matching that locale (or all locales when omitted, for the manager view).- New methods:
listTranslations(id),findByTranslationGroup(group),copyContentBylines(collection, fromId, toId). setContentBylinesdeduplicates bytranslation_groupafter resolving wire row ids, so passing two sibling row ids of the same identity collapses to one credit row.deleteis sibling-aware: removing one locale variant leaves siblings standing.
Notable trade-offs
- Strict hydration over chain-walking for credits. Chain-walking would render mismatched-language bios on translated content. The honest answer is to show nothing rather than the wrong thing; the picker tells editors which bylines will resolve at the entry's locale, and the empty-state CTA makes creating a sibling a one-click flow.
- Schema is row-per-locale, not a separate
byline_translationsside-table. Matches the existing content / menu / taxonomy convention so query patterns and indexes are consistent across the codebase.
Patch Changes
-
#1139
88f544dThanks @ask-bonk! - Upgradeskyselyto^0.29.0(was^0.27.0) to resolve three high-severity advisories fixed in>=0.28.17:- GHSA-wmrf-hv6w-mr66 – SQL injection via unsanitized JSON path keys
- GHSA-pv5w-4p9q-p3v2 – JSON-path traversal injection via
JSONPathBuilder.key()/.at() - GHSA-8cpq-38p9-67gx – MySQL SQL injection via
sql.lit(string)
Also updates import paths for
MigratorandMigrationtypes tokysely/migrationto comply with kysely 0.29 export changes.
0.14.0
0.13.0
Patch Changes
- #1019
5681eb2Thanks @ascorbic! - Fixes a Zod type-incompatibility between trusted plugins and core. Without a workspace-level pin, emdash'szod: ^4.3.5could resolve to a different patch than Astro's bundled Zod, and Zod 4 embeds the version in the type — so schemas imported viaastro/zodin trusted plugins (e.g.@emdash-cms/plugin-forms) were not assignable todefinePlugin'sPluginRoute<TInput>['input']. Pins Zod in the pnpm catalog so the entire workspace dedupes on one instance.
0.12.0
0.11.1
0.11.0
Patch Changes
-
#893
f8ee1edThanks @j-liszt! - Enhances Passkey authentication with polymorphic algorithm support. Adds support for RS256 (RSA) alongside the existing ES256 (ECDSA) implementation, ensuring full compatibility with Windows Hello, hardware security keys, and FIDO2 standards. Includes a database migration to track and persist credential algorithms for future-proof authentication.Note for standalone
@emdash-cms/authconsumers: If yourcredentialstable already exists, you must manually runALTER TABLE credentials ADD COLUMN algorithm INTEGER NOT NULL DEFAULT -7to support this update. TheDEFAULT -7value ensures that existing rows (which are all ES256) continue to work seamlessly without requiring any data backfill.
0.10.0
Patch Changes
- #912
c8a3a2cThanks @lsngmin! - Permanent-delete API now refuses to remove live (non-trashed) rows and uses a content-domaincontent:delete_permanentpermission instead of the unrelatedimport:execute. Existing audience (ADMIN-only) is unchanged.
0.9.0
Minor Changes
- #800
e2d5d16Thanks @csfalcao! - Adds support for accepting passkey assertions from multiple origins that share anrpId, for deployments reachable under several hostnames (apex + preview/staging) under one registrable parent. Declare additional origins viaEmDashConfig.allowedOrigins(inastro.config.mjs) or theEMDASH_ALLOWED_ORIGINSenv var (comma-separated); the two sources merge at runtime. EmDash validates the merged set againstsiteUrland rejects dead config (non-subdomain entries, IP-literalsiteUrl, trailing dots, empty labels) with source-attributed errors.PasskeyConfig.origin: stringis replaced byPasskeyConfig.origins: string[].
0.8.0
Minor Changes
- #779
e402890Thanks @ascorbic! - Addssettings_getandsettings_updateMCP tools so agents can read and update site-wide settings (title, tagline, logo, favicon, URL, posts-per-page, date format, timezone, social, SEO).settings_getresolves media references (logo/favicon/seo.defaultOgImage) to URLs;settings_updateis a partial update that preserves omitted fields. Newsettings:read(EDITOR+) andsettings:manage(ADMIN) API token scopes back the tools, with matching options in the personal API token settings UI.
Patch Changes
-
#398
31333dcThanks @simnaut! - Adds pluggable auth provider system with AT Protocol as the first plugin-based provider. Refactors GitHub and Google OAuth from hardcoded buttons into the sameAuthProviderDescriptorinterface. All auth methods (passkey, AT Protocol, GitHub, Google) are equal options on the login page and setup wizard. -
#777
3eca9d5Thanks @ascorbic! - Addstaxonomies:manageandmenus:manageAPI token scopes for fine-grained control over taxonomy and menu mutations via MCP and REST. Existing tokens withcontent:writecontinue to work for those operations:content:writenow implicitly grantsmenus:manageandtaxonomies:manageso PATs issued before the split keep their effective permissions. The reverse implication does not hold — a token with onlymenus:managecannot create or edit content.
0.7.0
Patch Changes
- #736
81fe93bThanks @ascorbic! - Restricts Subscriber-role access to draft, scheduled, and trashed content. Subscribers retaincontent:readfor member-only published content but no longer see non-published items via the REST API or MCP server. Adds a newcontent:read_draftspermission (Contributor and above) that gates/compare,/revisions,/trash,/preview-url, and the corresponding MCP tools.
0.6.0
Patch Changes
- #552
f52154dThanks @masonjames! - Fixes passkey login failures so unregistered or invalid credentials return an authentication failure instead of an internal server error.
0.5.0
Patch Changes
- #542
64f90d1Thanks @mohamedmostafa58! - Fixes invite flow: corrects invite URL to point to admin UI page, adds InviteAcceptPage for passkey registration.
0.4.0
0.3.0
0.2.0
Patch Changes
- #452
1a93d51Thanks @kamine81! - Fixes GitHub OAuth login failing with 403 on accounts where email is private. GitHub's API requires aUser-Agentheader and rejects requests without it.
0.1.1
Patch Changes
- #133
9269759Thanks @kyjus25! - Fix auth links and OAuth callbacks to use/_emdash/api/auth/...so emailed sign-in, signup, and invite URLs resolve correctly in EmDash.