Merge branch 'main' into fix/astro-breadcrumb

astro/src/content/blog/announcing-fusionauth-1-54.mdx

@@ -0,0 +1,30 @@
+---
+publish_date: 2024-11-25
+title: Announcing FusionAuth Version 1.54.0 - Free Trials for Everyone
+description: Version 1.54.0 of FusionAuth fixes an important SCIM issue, and brings free FusionAuth trials for everyone.
+authors: Brad McCarty
+image: /img/blogs/release-1-54/fusionauth-1-54.png
+categories: Product
+tags: SCIM, free trial, fusionauth cloud
+excerpt_separator: "{/* more */}"
+---
+
+We recently announced the release of FusionAuth version 1.54.0 into the world. Our astute audience of developers will probably notice that this release looks a little different than most, so let's talk about it.
+
+As is common in the software world, most minor releases include the addition of a notable, customer-facing feature:
+
+- [1.53.0](/blog/announcing-fusionauth-1-53) added webhook logs and new updates for login lambdas. 
+- [1.52.0](/blog/announcing-fusionauth-1-52) gave passkeys to the Community plan. 
+- [1.51.0](/blog/announcing-fusionauth-1-51) was the release where we made major changes to theming.
+
+1.54.0 takes a slight turn. There are still two significant updates to this release. Although we know that the individual audiences for each will be limited, they represent a big change to the FusionAuth software, so they still warrant a version update.
+
+Long-time users of FusionAuth will remember that we released SCIM support way back in [1.36.0](/blog/announcing-fusionauth-1-36). We've been pleased to see how many of you have put SCIM to work, but there was a nagging problem that we needed to address. The most recent release adds a change to the SCIM groups API that resolves a situation which could cause concurrency issues when making simultaneous calls to patch groups and group members. This revision ensures SCIM group updates all show up when they should, and (critically) how they should.
+
+The next big change that we're announcing makes it easier than ever to start using FusionAuth. In the past, there were certain criteria under which a new FusionAuth user could get a two-week trial of a paid version. Now anyone who signs up for FusionAuth Cloud gets a fully-featured, 30-day trial without needing a credit card. We've been calling this Express Free Trial (EFT) internally, so we've dubbed 1.54.0 the EFT Elephant.
+
+![Free trials are for everyone](/img/blogs/release-1-54/EFT-elephant.png)
+
+Express Free Trials include 30 days of the FusionAuth Starter plan, hosted on FusionAuth Cloud, in the region of your choice. If you've been on the fence about replacing your DIY auth system, there's never been a better time to [take FusionAuth for a spin](/pricing). If you need features that the Starter plan doesn't include, it's simple to [drop us a line](/contact) and set up a proof of concept deployment with everything that you need.
+
+On top of the SCIM changes and Express Free Trial, we've also mitigated one security vulnerability and improved overall stability. You can catch all of the details in the [release notes](/docs/release-notes/). We expect to release 1.55.0 within the next few weeks, and it has some great additions that we're excited to share.

astro/src/content/docs/operate/deploy/upgrade.mdx

@@ -272,6 +272,7 @@ fusionauth-database-schema/
       |-- 1.50.1.sql
       |-- 1.51.0.sql
       |-- 1.53.0.sql
+      |-- 1.54.0.sql
 ```
 
 ## Rolling Back an Upgrade

astro/src/content/docs/release-notes/index.mdx

@@ -44,6 +44,22 @@ import { YouTube } from '@astro-community/astro-embed-youtube';
 
 Looking for release notes older than 1.44.0? Look in the [release notes archive](/docs/release-notes/archive). Looking to be [notified of new releases?](/docs/operate/roadmap/releases#release-notifications) <span class="not-prose no-underline"><a class="ml-2" href="/docs/releases.xml"><i class="fas fa-xs fa-rss text-orange-700 text-2xl" width="50px" /></a></span>
 
+<ReleaseNoteHeading version='1.54.0' releaseDate='November 25, 2024'/>
+
+<DatabaseMigrationWarning />
+
+### Security
+* <Issue issue="2933">
+  A vulnerability was discovered in the FusionAuth hosted pages. Under specific application configurations, and with insufficient authorization validation being performed on an access token, a malicious user could bypass required steps in post-authentication workflows, allowing unauthorized access to protected resources.
+
+  This vulnerability was introduced in version `1.41.0`. It is recommended that you upgrade to version `1.54.0` at your earliest convenience.
+  </Issue>
+
+### Fixed
+* <Issue issue="2869">
+  The SCIM Groups API does not properly perform atomic updates to groups and members. This can lead to consistency issues when multiple SCIM update requests are simultaneously processed requiring membership changes.
+  </Issue>
+
 <ReleaseNoteHeading version='1.53.3' releaseDate='October 25, 2024'/>
 
 <ThemeUpdateWarning version="1.53.3">
@@ -704,7 +720,7 @@ Update dependencies.
 
 ### Fixed
 * Revert the GC (garbage collection) logging change introduced in version `1.47.0` for compatibility with the FusionAuth docker image.
- * Resolves [GitHub Issue #2392](https://github.com/FusionAuth/fusionauth-issues/issues/2392), thanks to [@pigletto](https://github.com/pigletto) and [@patricknwn](https://github.com/patricknwn) for reporting.
+  * Resolves [GitHub Issue #2392](https://github.com/FusionAuth/fusionauth-issues/issues/2392), thanks to [@pigletto](https://github.com/pigletto) and [@patricknwn](https://github.com/patricknwn) for reporting.
 
 
 <ReleaseNoteHeading version="1.47.0" releaseDate="July 25th, 2023" name="Performance Panther" />
@@ -758,7 +774,7 @@ Please be sure to read the notes in the **Changed** section before upgrading.
                           federatedCSRFToken=""]
 ```
 
-3.  Find the element `<div class="login-button-container">` in the macro named `alternativeLogins` in `helpers` and add `id="login-button-container"` and `data-federated-csrf="${federatedCSRFToken}"` attributes.
+3. Find the element `<div class="login-button-container">` in the macro named `alternativeLogins` in `helpers` and add `id="login-button-container"` and `data-federated-csrf="${federatedCSRFToken}"` attributes.
 
 ```html
 [#-- Updated div in alternativeLogins macro. Line breaks added for readability. --]
@@ -839,7 +855,7 @@ Please be sure to read the notes in the **Changed** section before upgrading.
   * Resolves [GitHub Issue #2210](https://github.com/FusionAuth/fusionauth-issues/issues/2210)
 * Resolve a JavaScript bug when enabling MFA during login. The bug caused an error to be written to the JavaScript console, but no functional errors occurred.
   * Resolves [GitHub Issue #2296](https://github.com/FusionAuth/fusionauth-issues/issues/2296)
-*  When the `user.login.success` is configured to be transactional and the webhook returns a non `200` status code when the event is fired during the final step of the change password workflow, the failed webhook may not fail the login attempt.
+* When the `user.login.success` is configured to be transactional and the webhook returns a non `200` status code when the event is fired during the final step of the change password workflow, the failed webhook may not fail the login attempt.
   * Resolves [GitHub Issue #2288](https://github.com/FusionAuth/fusionauth-issues/issues/2288)
 * When enabling IdP initiated login on a SAMLv2 IdP, the base ACS URL is hidden in the view dialog
   * Resolves [GitHub Issue #2146](https://github.com/FusionAuth/fusionauth-issues/issues/2146)