v1.4.0

Features

Changelog

User-facing changelog with Markdown entries, optional Jira issue linking, pagination, and an RSS feed. Includes an Artisan command for scaffolding new entries and a database seeder for development. View the documentation for more information.

Support Ticketing

Contact support form with a pluggable gateway architecture. Ships with Email and TeamDynamix drivers, automatic email fallback when a non-email gateway fails, and a read-only submission log in the Filament administration panel. View the documentation for more information.

Help Navigation Menu

New Help dropdown in the main navigation bar, consolidating links to the changelog and contact support form based on which features are enabled.

Changed

Components

• Clipboard - Added configurable icon property

Permissions

• Added VIEW_SUPPORT_TICKETS permission for gating access to the support submission log

Dependencies

• Added spatie/laravel-markdown for changelog rendering
• Added northwestern-sysdev/tdx-php-sdk for TeamDynamix gateway integration

Full Changelog: v1.3.1...v1.4.0

v1.3.1

Fixed

• PostgreSQL UUID mismatch in login code verification - Fixed a critical bug where UUID decoy challenge IDs (used to prevent timing-based user enumeration) caused database errors. The controllers now properly validate that the challenge IDs are numeric before querying the database.

Changed

UI/UX Improvements

• Login code form - Added loading state with spinner to the verify button, polished resend countdown with badge styling
• OTP input component - Added responsive scaling for mobile viewports, improved focus states with purple ring

Filament Administration Panel

• Empty states - Added custom empty state messages with appropriate icons to all table views
• Filter consistency - Standardized filter trigger buttons across all tables
• Developer Tools - Fixed visibility inconsistency for MinIO Console and MailPit, added shouldOpenInNewTab to all external tool links

Code Quality

• Service providers - Improved organization and structure
• SCSS variables - Fixed button transition timing, improved focus states

v1.3.0

Features

• TracksPermissionSources trait - New User model trait for fine-grained permission source checking
  • hasPermissionFromRole() - Check if a permission is granted through a specific role
  • getRolesWithPermission() - Get all roles that grant a specific permission
  • getPermissionsFromRole() - Get all permissions from a specific role
• Platform Overview Page - New consolidated dashboard displaying environment information, service configurations, and health check status

Bug Fixes

• Fixed login-code-verify rate limiter so that it falls back to IP address when challenge ID cannot be decrypted, instead of using an inconsistent hash-based key
• Fixed session regeneration after login to properly regenerate CSRF token
• Fixed database snapshot restore silently skipping in non-interactive CI
• Fixed permission cache not clearing after database snapshot restore

Infrastructure

• Replaced Telescope toolbar with Laravel Debugbar
• Added IDe helper generation step in CI before Rector

Dependencies

• Updated various Composer, npm, and Github Action dependencies

v1.2.0

API Cluster

• New API Cluster page (/administration/api) consolidating API-related functionality under a dedicated navigation section
• Overview page with a polished dashboard displaying:
  • Active API users, 24h request volume, success rate, and average response time
  • Access token breakdown (active, expired, revoked) with expiration warnings
  • Configuration summary (rate limits, logging settings, sampling, notifications)
• Relocated API Request Logs into the API cluster as "Activity"

Exports

• Added CSV export functionality to all major resources:
  • Users, Roles, Audits, Login Records, API Request Logs
• Export files stored in S3 with automatic 7-day cleanup through model pruning
• Database notifications for export completion status

Health Checks

• Email notifications now configurable through environment variables (disabled by default)
• Added documentation at docs/features/health-checks.mdx

Administration Panel Improvements

• Added customizable Welcome Widget to the dashboard
• Full-width content layout for better table visibility
• Roles table now displays permission count with tooltip preview
• Enhanced role deletion modal with user impact warning
• "All Time" filter option for Login Records
• Trashed filter added to Roles table
• Renamed navigation group "Debug" → "Developer Tools"
• User creation buttons renamed from "Create" → "Add" for consistency

Configuration

• New environment variables:
  • HEALTH_NOTIFICATIONS_ENABLED - Enable/disable health check email alerts
  • HEALTH_NOTIFICATION_EMAIL - Recipient address for health notifications

Database

• Added migrations for Filament's notification, import, and export tables

v1.1.0

Artisan Commands

• New RunSteps trait with shared logic for step-by-step command execution with spinners and progress tracking
• config:validate
  • Improved output with detailed hints on failure
  • Added AppKeyValidator and EventHubValidator
• db:rebuild
  • Added production protection and improved output
• Added db:snapshot:delete and db:snapshot:info commands

Dependency Upgrades

• Node.js 24 → 25
• Vite 6 → 7, FontAwesome 6 → 7, Sentry 9 → 10, Cypress 14 → 15, swagger-php 5 → 6
• Various Composer, npm, and GitHub Action dependency updates

Other

• Added .starter-version.yaml to track the template version projects are cloned from

v1.0.0

The Northwestern Laravel Starter is now generally available. This release marks the culmination of months of development, testing, and refinement based on internal feedback.

For installation, configuration, and usage guides, visit the documentation.

v0.5.0

Changed

• Moved various classes to a new Auth domain plus security enhancements (#27)

v0.4.0

Added

• Default API endpoints (#25)
  • Refer to the documentation for a full list of available routes

Changed

• For local users, the authentication method has been changed from magic links to OTP codes (#26)

v0.3.0

Added

• Added environment lockdown feature to secure deployments (#20)
• Automated NetID update webhook removes elevated roles and logs context when accounts are deactivated (#19)
• Created initial project documentation (#17)

Changed

• Streamlined access token provisioning by adding token names and replacing valid-from/to dates with practical expiration options (#24)
• Renamed "API Token" terminology to "Access Tokens" to align with OAuth standards (#23)
• Revamped authorization with permission scopes, default Northwestern User role assignment, and refreshed permission names (#18)
• Updated project dependencies to the latest versions (#21)
• Adjusted API sampling documentation for clarity (f7ea316)
• Restyled documentation with purple theme accents (a89def0)

Fixed

• Fixed model pruning by using absolute model paths and allowing null retention days (#10)

v0.2.0

Added

• Redesigned exception page with conditional error display for debugging (#8)
• #[AutomaticallyOrdered] attribute for automatic model ordering (#6)
• Configurable retention period for API request logs (#4)
• Scheduled model:prune command for daily cleanup (#4)
• Encrypted cast for token_prefix on API tokens (#4)
• Polling support for API Request Log widgets (468826b)
• Missing #[SensitiveParameter] attributes and IP restriction validation with a custom exception (0e20e01)
• Documentation deployment workflow (#3)
• Test coverage expansion (#5)

Changed

• BREAKING: Logout route changed from GET to POST for CSRF protection (#8)
• BREAKING: SESSION_ENCRYPT now defaults to true (#8)
• BREAKING: LoginLink model renamed to UserLoginLink (#4)
• BREAKING: UserRepository removed in favor of UserBuilder class (#4)
• BREAKING: CreateUserByLookup renamed to FindOrUpdateUserFromDirectory (6ecad4e)
• BREAKING: Removed project:customize Artisan command (#5)
• API_DEMO_USER_TOKEN now empty by default in .env.example (#8)
• Renamed sort_index to order_index (#5)
• Removed defer() usage in AuthenticatesApiTokens middleware (#5)
• Organized action namespaces (Api, Directory, Impersonation, Local) (#5)
• Refactored NetID status logic into dedicated utility class (b0daffd)
• Enhanced audit methods moved to isolated traits (#4)
• Improved login link notification with signed URL explanation (0e20e01)
• Moved mockery/mockery to dev dependencies to support EventHub mocking (aa04ae3)

Fixed

• Exception handling before service providers boot (#7)
• Session fixation vulnerability in login link flow (127ad79)
• Open redirect vulnerability in impersonation controller (2270db2)
• IP address validation for restricted API tokens (0e20e01)
• Documentation site deployment trigger filtering (a558b79)
• Sentry feedback integration from captureUserFeedback() to captureFeedback() (#8)

Removed

• spatie/laravel-ignition package dependency (#7)
• Unneeded casts on ApiRequestLog model (#4)