# Changelog
All notable changes to the MCP Server Template.
## [Unreleased]
### Added
- **Admin User Management**: Full user management via better-auth Admin plugin
  - List users with pagination and search
  - Set user roles (admin/user)
  - Ban/unban users with reason tracking
  - View and revoke user sessions
  - Impersonation for admin support
  - XSS-safe UI with DOM manipulation (no innerHTML with user data)
- **better-auth Integration**: Replaced DIY OAuth with better-auth v1.4.0
  - Social login with Google, Microsoft Entra, and GitHub
  - D1 database with Drizzle ORM for user/session storage
  - OAuth Provider plugin for MCP client authentication
  - JWT key rotation via JWKS table
- **MCP OAuth Flow**: New approval dialog and auth completion flow
  - `src/oauth/better-auth-handler.ts` - OAuth routes using better-auth sessions
  - Dark theme approval dialog matching MCP homepage style
  - `formatClientId()` helper for friendly client names (handles UUID client IDs)
- **Login Page**: New `/login` page with social provider buttons
  - JSON POST for better-auth compatibility
  - Supports Google, Microsoft, GitHub providers
### Changed
- **OAuth Callback URLs**: Now use `/api/auth/callback/{provider}` pattern (better-auth standard)
- **Session Management**: better-auth handles session creation/validation
- **Multi-Layer Auth Directory Structure**: Refactored authentication into modular `src/auth/` directory
  - `src/auth/identity/` - Layer 1: Identity providers (Google OAuth implementation)
  - `src/auth/backend/` - Layer 2: Backend API authentication (interfaces for future patterns)
  - Extracted Google OAuth logic from `oauth/utils.ts` to `auth/identity/google.ts`
  - Added type interfaces for `IdentityProvider`, `BackendAuth` patterns
- **Homepage Module**: Extracted homepage to `src/pages/homepage.ts` with configurable `HomepageConfig`
### Fixed
- **Social Sign-In 404**: better-auth requires JSON POST, not form-urlencoded
- **Unknown Client Display**: UUID client IDs now show as "MCP Client"
- **JWKS Table Missing**: Added schema + migration for better-auth v1.4.0 JWT key rotation
### Deprecated
- **DIY OAuth Handlers**: `src/oauth/google-handler.ts`, `microsoft-handler.ts`, `github-handler.ts` superseded by better-auth
- **`src/oauth/utils.ts`**: Re-exports maintained for backward compatibility
## [1.1.0] - 2026-01-02
### Security
- **XSS Protection**: Added `escapeHtml()` function and refactored admin UI to use data attributes with event delegation instead of inline onclick handlers
- **Session Security**: Changed cookies to `SameSite=Strict` for CSRF protection
- **Timing-Safe Comparison**: Added `timingSafeEqual()` for Bearer token validation to prevent timing attacks
- **CSP Headers**: Added Content-Security-Policy headers on admin dashboard routes
- **Input Validation**: Added max length limits to all tool string inputs (1MB default)
- **Rate Limiting**: Added KV-based rate limiting (30 req/min for chat, 10/hour for token creation)
- **Safe JSON Parsing**: Added fallback handling for corrupted JSON in D1 metadata
- **Conversation Ownership**: Added user email verification for conversation access
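The timing-safe Bearer token check above, shown as an added example rather than the template's own `src/lib/crypto.ts`; the function names `timingSafeEqual` and `checkBearerToken` and the sample token are assumptions:

```typescript
// Added example, not the template's own src/lib/crypto.ts.
// A plain `===` on strings returns as soon as the first mismatching
// character is found, so response time reveals how many leading
// characters of a guessed token are correct. This comparison always
// walks the full length of the longer input and folds every difference
// into one accumulator, so timing depends only on the lengths.
function timingSafeEqual(a: string, b: string): boolean {
  const len = Math.max(a.length, b.length);
  // A length mismatch is recorded here instead of returning early.
  let diff = a.length ^ b.length;
  for (let i = 0; i < len; i++) {
    const x = i < a.length ? a.charCodeAt(i) : 0;
    const y = i < b.length ? b.charCodeAt(i) : 0;
    diff |= x ^ y;
  }
  return diff === 0;
}

// Validate an `Authorization: Bearer <token>` header (hypothetical helper).
// Rejects a missing header, a non-Bearer scheme, a missing token, or
// trailing garbage, and only then compares the token in constant time.
function checkBearerToken(authHeader: string | null, expected: string): boolean {
  if (authHeader === null) return false;
  const [scheme, token, ...rest] = authHeader.trim().split(/\s+/);
  if (scheme === undefined || scheme.toLowerCase() !== "bearer") return false;
  if (token === undefined || rest.length > 0) return false;
  return timingSafeEqual(token, expected);
}

// Constructed sample: the token a Worker would read from its secret binding.
const SAMPLE_TOKEN = "example-token-not-a-real-secret";
console.log(checkBearerToken(`Bearer ${SAMPLE_TOKEN}`, SAMPLE_TOKEN)); // true
console.log(checkBearerToken("Bearer wrong", SAMPLE_TOKEN)); // false
```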
### Added
- `src/lib/crypto.ts` - Timing-safe string comparison utility
- `src/lib/rate-limit.ts` - KV-based rate limiter with configurable windows
- `list_my_conversations` tool - Users can list their conversation history
- Multi-turn tool calling in admin chat (up to 5 rounds)
- Markdown table rendering in admin chat
- Security documentation in README.md and CUSTOMIZATION.md
### Changed
- Updated architecture diagram in README to reflect modular tools/resources/prompts structure
- Improved tool result/call box sizing in admin chat UI
- Admin chat now properly handles tool call sequences
### Fixed
- Tool result boxes no longer collapse to single row height
## [1.0.0] - 2026-01-01
### Added
- Initial MCP server template with Google OAuth
- Admin dashboard with AI chat testing
- Conversation memory with D1 storage
- Internal agent pattern with Workers AI gatekeeper
- Dynamic model registry from OpenRouter API
- Multi-provider AI support (Workers AI, OpenAI, Anthropic, Google, Groq)
- Modular tools, resources, and prompts system
- Bearer token authentication for programmatic access
- Marketing homepage in Jezweb style