v0.13.0

• Support for WebauthN / Yubikeys (@mhum)
• Logging in is now a multi-step process, with 2FA (Webauthn/Yubikey/TOTP)
  as the second step. (@mhum)
• It's now possible to setup 2FA during registration. (@mhum)
• /validate-bearer and /validate-totp endpoints have been removed.
• Support for OAuth2 PKCE (@mhum)
• tslint -> eslint
• Typescript 4.
• Compatible with Typescript strict mode.

v0.12.7

• Update all dependencies

v0.12.6

• PUBLIC_URI is now correctly being auto-detected if it was not set in the
  environment in standalone mode.
• Improved error messaging when the server fails to start.

v0.12.5

• Now using @curveball/accesslog, which also colorizes CLI output when
  viewed on a terminal.
• A list of privileges are now returned from the 'introspect' endpoint.
• An error will be thrown when the server is used as a middleware (instead
  of standalone) and no PUBLIC_URI environment variable is set.

v0.12.4

• Added user links to accessToken

v0.12.3

• Added user links URL to introspect for 'authenticated-as' link

v0.12.1

• Bug fix. Curveball-session shouldn't have been dev dependency.

v0.12.0

• Added a /privileges endpoint to easily find out what kind of privileges
  are used in the system.
• The server now has an admin privilege, which is required to create new
  users or find information about other users.
• Users that are not yet marked active now show up in the /users
  collection, but still can't log in.
• The session cookie now uses SameSite: Lax, which means that users will see
  login screens less often.

v0.11.2

• Support for the /.well-known/change-password endpoint, as defined in
  RFC8615.
• Fixed a bug that could cause the TOTP field to not be rendered, even if it's
  required.
• Fixed a bug where users weren't getting activated using the "Create user"
  form.

v0.11.1

• Last release broke the OAuth2 authorization endpoint.