Logto product updates
Introducing our April release: Security center, identifier lockout (sentinel), CAPTCHA, magic link support, and more updates.
Security center in Logto Console
We have introduced a new "Security" page in the Logto Console, which includes the following features:
- Password policy: This feature has been migrated from the "Sign-in Experience" page to the new "Security" page.
- CAPTCHA: Enable CAPTCHA for sign-up, sign-in, and password recovery to mitigate automated threats.
- Identifier lockout: Temporarily lock an identifier after multiple failed authentication attempts (e.g., consecutive incorrect passwords or verification codes) to prevent brute force access.
Refer to documentation for more details.
Captcha bot protection
As mentioned in the "Security" update above, you can now enable CAPTCHA bot protection for your sign-in experience with providers such as Google reCAPTCHA Enterprise and Cloudflare Turnstile.
To enable CAPTCHA bot protection, you need to:
- Go to Console > Security > CAPTCHA > Bot protection.
- Select the CAPTCHA provider you want to use.
- Configure the CAPTCHA provider by following our step-by-step guide.
- Save the settings.
- Enable CAPTCHA in the Security page.
Then take a preview of your sign-in experience to see the CAPTCHA in action.
Refer to documentation for more details.
Identifier lockout (sentinel)
Identifier lockout has always been in place protecting your Logto instance, but previously its rules were hard-coded and not configurable. You can now customize and override the default rules in the Security center.
This update consists of the following three parts:
- Maximum failed attempts:
  - Limits the number of consecutive failed authentication attempts per identifier within an hour. Once the limit is exceeded, the identifier is temporarily locked out.
  - Default value: 100
- Lockout duration (minutes):
  - The period during which all authentication attempts for the identifier are blocked after the maximum failed attempts has been exceeded.
  - Default value: 60 minutes
- Manual unblock:
  - A new API endpoint lets administrators manually unblock a list of identifiers, which is useful for unlocking users who were temporarily locked out after exceeding the maximum failed attempts.
  - Endpoint: POST /api/sentinel-activities/delete
  - This endpoint bulk-deletes all sentinel activities recorded in the past hour for the provided identifiers, which effectively unblocks them.
Refer to documentation for details.
Magic link (one-time token) support
You can now use a "one-time token" to compose magic links and send them to the end user's email address.
With a magic link, a user can register a new account or sign in to the application directly, without entering a password or typing a verification code.
You can also use magic links to invite users to your organizations.
Example API request to create a one-time token
Request payload:
Compose your magic link
After you obtain the one-time token, compose a magic link and send it to the end user's email address. The magic link should at least carry the token and the user's email as parameters, and should point to a landing page in your own application, e.g. https://yourapp.com/landing-page.
Here's a simple example of what the magic link may look like:
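The following is an added example, not Logto's own code, covering both the token-creation request payload mentioned above and the magic link composition: it builds the Management API request, composes the link with proper query encoding, and shows the landing page reading the two parameters back. It assumes the Management API endpoint `POST /api/one-time-tokens` with a JSON body of `email`, `expiresIn` (seconds) and an optional `context.jitOrganizationIds` for organization invitations, and a `token` field in the response, as documented for this release; confirm the shape against your Logto version. The landing page URL https://yourapp.com/landing-page is the page's own placeholder, the token value and email are constructed sample data.

```javascript
// Added example: one-time-token request, magic link composition and landing-page
// parsing. Not Logto's code. Endpoint path and body fields are assumptions taken
// from the Logto Management API docs; verify against your tenant's API reference.

const ONE_TIME_TOKEN_PATH = '/api/one-time-tokens';

// Build (but do not send) the Management API request for a one-time token.
// `accessToken` is a Management API access token obtained via client credentials.
function buildOneTimeTokenRequest({ endpoint, accessToken, email, expiresIn = 600, organizationIds = [] }) {
  if (typeof email !== 'string' || !email.includes('@')) throw new Error('invalid email');
  const body = { email, expiresIn };
  if (organizationIds.length > 0) {
    // Invitation use case: the user is added to these organizations on first sign-in.
    body.context = { jitOrganizationIds: organizationIds };
  }
  return {
    url: new URL(ONE_TIME_TOKEN_PATH, endpoint).toString(),
    init: {
      method: 'POST',
      headers: { 'content-type': 'application/json', authorization: `Bearer ${accessToken}` },
      body: JSON.stringify(body),
    },
  };
}

// Send the request (needs network; not exercised offline).
async function requestOneTimeToken(options) {
  const { url, init } = buildOneTimeTokenRequest(options);
  const response = await fetch(url, init);
  if (!response.ok) throw new Error(`one-time token request failed: ${response.status}`);
  return response.json(); // expected to contain at least { token, email, expiresAt }
}

// WRONG: string concatenation. A '+' in the local part of the email survives as a
// literal '+' in the query string, which the landing page decodes as a space.
function naiveMagicLink(landingPage, { token, email }) {
  return `${landingPage}?token=${token}&email=${email}`;
}

// RIGHT: let the URL API encode each parameter, and refuse plain http, since the
// token is a bearer credential and must not travel in clear text.
function composeMagicLink(landingPage, { token, email }) {
  if (!token || !email) throw new Error('token and email are required');
  const url = new URL(landingPage);
  if (url.protocol !== 'https:') throw new Error('magic links must use https');
  url.searchParams.set('token', token);
  url.searchParams.set('email', email);
  return url.toString();
}

// Landing page side: pull the parameters back out. Returns null when either is
// missing so the page can show an error instead of starting a sign-in flow.
function parseMagicLink(href) {
  const url = new URL(href);
  const token = url.searchParams.get('token');
  const email = url.searchParams.get('email');
  if (!token || !email) return null;
  return { token, email };
}

// Usage (constructed sample values).
if (typeof require !== 'undefined' && require.main === module) {
  const sample = { token: 'tok_sample_value', email: 'user+tag@example.com' };
  console.log(composeMagicLink('https://yourapp.com/landing-page', sample));
  console.log(parseMagicLink(naiveMagicLink('https://yourapp.com/landing-page', sample)).email); // "user tag@example.com"
}
```

On the landing page, hand the parsed `token` and `email` to the Logto sign-in flow (the Logto SDKs accept them as extra authorization parameters; check your SDK's documentation for the exact names). Keep `expiresIn` short: the token sits in a URL, so it can end up in mail-client link scanners, browser history and referrer headers, and the expiry is the main thing limiting the damage if it leaks.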
Refer to documentation for more details.
Bump Node.js to v22
We've updated Node.js to v22 for better performance and security.
Improvements
- Respond 404 for non-existent paths under /assets
- Move password encryption to a separate worker thread
- Clean up legacy Experience package
- Support string-typed boolean claims in OIDC connector
- Add Ukrainian translation to Experience (credit @HighError)
- Convert Windows absolute paths to file URLs for dynamic imports (credit @jtmaveryk)
- Various security and vulnerability fixes