Changelog | rs-auth

Changelog

Apr 15, 2026

What's New

OAuth Account Lifecycle

Link provider accounts: GET /auth/link/{provider} — initiate OAuth link for authenticated users
List linked accounts: GET /auth/accounts — returns provider accounts without sensitive tokens
Unlink accounts: POST /auth/accounts/{id}/unlink — with safety check preventing last auth method removal
Token refresh: service.refresh_oauth_token() — refresh stored OAuth tokens using refresh token grant

Auth Hardening

Event system: AuthEvent enum with 11 lifecycle events (signup, login, logout, verification, OAuth, sessions)
Auth hooks: EventEmitter with multi-subscriber, fire-and-forget hook support
Rate limiter trait: RateLimiter with NoOpRateLimiter default, ready for custom implementations

Release Automation

cargo-release config for workspace publishing
GitHub Actions release workflow (verify → publish → GitHub Release)
CHANGELOG.md and documented release process

Architecture

Protected routes use require_auth middleware + CurrentUser extractor (ADR-0002)
Public routes remain middleware-free

New Endpoints

Method	Path	Auth	Description
GET	`/auth/link/{provider}`	Required	Initiate OAuth account link
GET	`/auth/accounts`	Required	List linked provider accounts
POST	`/auth/accounts/{id}/unlink`	Required	Unlink a provider account

Breaking Changes (pre-1.0)

AccountStore trait gains update_account() method
OAuthState/NewOAuthState gain intent and link_user_id fields
AuthService gains events field (defaults to empty emitter)
AuthService::new() signature unchanged; use with_events() for hooks

Migration Required

006_oauth_states_intent.sql: Adds intent and link_user_id columns to oauth_states

Full Changelog: https://github.com/rs-auth/rs-auth/compare/v0.1.1...v0.1.2

Full Changelog: https://github.com/rs-auth/rs-auth/compare/v0.1.1...v0.1.2

View changes on GitHub

Apr 13, 2026

OAuth Stabilization Release

rs-auth 0.1.1 stabilizes the current Google and GitHub OAuth surface and improves the local testing experience.

Highlights

Dedicated OAuth state storage with a separate database table for CSRF state and PKCE verifiers
Stronger OAuth error handling, callback validation, cleanup behavior, and regression coverage
Updated documentation and a more complete local example app for testing email/password and OAuth flows

Published Crates

rs-auth - facade crate
rs-auth-core - auth service, store traits, and OAuth/domain logic
rs-auth-postgres - SQLx-backed PostgreSQL stores and migrations
rs-auth-axum - Axum router, cookie sessions, middleware, and OAuth handlers

Included Improvements

Dedicated OAuth state storage and cleanup integration
Stable Google and GitHub OAuth login/callback support
Improved provider HTTP failure handling and config validation
Expanded example app with Docker-based local setup and optional provider configuration
Updated docs and changelog presentation for the stabilized OAuth release

View changes on GitHub

Apr 10, 2026

Initial Release

rs-auth is now available on crates.io.

Published Crates

rs-auth - facade crate
rs-auth-core - auth service, store traits, OAuth primitives
rs-auth-postgres - SQLx-backed PostgreSQL stores and migrations
rs-auth-axum - Axum router, cookie sessions, and OAuth handlers

Features

Email/password signup and login with Argon2id hashing
Database-backed sessions with opaque tokens (SHA-256 hashed)
Email verification and password reset
Signed cookies via axum-extra
Configurable session and token TTLs
Google and GitHub OAuth (experimental)
CLI tool for migrations and cleanup

View changes on GitHub

View all releases on GitHub →