This release (v0.10.0) adds ten features, most of them authentication and identity hardening, that engineering teams evaluating rollout should review.
✓ No known CVEs patched in this version
Summary
Added single sign-on with custom OIDC as a distinct sign-in card.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium | Single sign-on with custom OIDC: connect any OpenID Connect provider as its own sign-in card. | — |
| Feature | Medium | Recovery codes: one-time break-glass codes for sign-in when SSO or 2FA is unavailable. | — |
| Feature | Medium | SSO enforcement: require SSO for verified email domains, so members on those domains can only sign in through the identity provider. | — |
| Feature | Medium | Sign-in defenses: rate limiting on sign-in attempts and a notification email on sign-in from a new device. | — |
| Feature | Medium | SSO provisioning controls: choose the role JIT-provisioned SSO users receive and map roles from IdP claims. | — |
| Feature | Medium | Workspace lifecycle states: explicit active / suspended / deleting states with an inline overlay and appropriate responses when not active. | — |
| Feature | Medium | Reorganized admin settings: API Keys, Webhooks, and MCP on one tabbed API page; Members, Integrations, and Security under Administration; SSO on its own page. | — |
| Feature | Medium | Two-factor authentication: users enrol in TOTP-based 2FA from their profile. | — |
| Feature | Medium | Security audit log: records security-sensitive actions (auth config changes, SSO secret updates, 2FA resets, domain enforcement, sign-ins) with an admin UI to review them. | — |
| Feature | Medium | Declarative configuration file: read settings from /etc/quackback/config.yaml, keep them reconciled, and lock managed fields in the admin UI. | — |
| Performance | Medium | Queue hardening: share a single Redis connection, drain gracefully on shutdown, use bounded retention, and dedupe jobs by ID for idempotency. | — |
| Bugfix | Medium | 2FA redirect preserves the callback URL through the 2FA challenge redirect. | — |
| Bugfix | Medium | Pinned comment restored on public posts; it no longer disappears from the post detail view. | — |
| Bugfix | Medium | Default post statuses are now seeded on first migrate for fresh installs. | — |
Full changelog
Features
- Single sign-on with custom OIDC. Connect any OpenID Connect provider as its own sign-in card, separate from the social login grid. A built-in Test sign-in flow runs a live diagnostic handshake so you can verify the connection before rolling it out.
- Two-factor authentication. Users can enrol in TOTP-based 2FA from their profile; admins can require 2FA workspace-wide for password sign-in or reset another user's enrollment.
- Recovery codes. Generate one-time break-glass codes to sign in when SSO or 2FA is unavailable.
- SSO enforcement. Require SSO for verified email domains, so members on those domains can only sign in through your identity provider.
- Security audit log. A new feed records security-sensitive actions (auth config changes, SSO secret updates, 2FA resets, domain enforcement, sign-ins) with an admin UI to review them.
- Sign-in defenses. Sign-in attempts are now rate limited, and signing in from a new device sends a notification email.
- SSO provisioning controls. Choose which role JIT-provisioned SSO users receive, and map roles from IdP claims via configurable attribute mapping.
- Declarative configuration file. Quackback can read settings from `/etc/quackback/config.yaml` and keep them reconciled; managed fields are locked in the admin UI so the file stays the source of truth.
- Workspace lifecycle states. Workspaces now have an explicit state (active / suspended / deleting) with an inline overlay and appropriate responses when not active.
- Reorganized admin settings. API Keys, Webhooks, and MCP are now one tabbed API page; Members, Integrations, and Security are grouped under Administration; SSO has its own page with a status chip in the nav.
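The two-factor and recovery-code items above describe behaviour without showing it. The following TypeScript is an added example written for this page, not Quackback's own code: it implements RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) with a one-step drift window and replay protection, and a recovery-code store that keeps only hashes and deletes a code on first use. The secret used for the checks is the published RFC 6238 test secret; all function and type names are this example's own.

```typescript
import { createHmac, createHash, randomBytes, timingSafeEqual } from "node:crypto";

// RFC 6238 TOTP on top of RFC 4226 HOTP: HMAC-SHA1, 30-second step, 6 digits.
const STEP_SECONDS = 30;
const DIGITS = 6;

function hotp(secret: Buffer, counter: number, digits = DIGITS): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac("sha1", secret).update(msg).digest();
  // Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
  const offset = mac[mac.length - 1] & 0x0f;
  const code =
    ((mac[offset] & 0x7f) << 24) |
    (mac[offset + 1] << 16) |
    (mac[offset + 2] << 8) |
    mac[offset + 3];
  return String(code % 10 ** digits).padStart(digits, "0");
}

function totpAt(secret: Buffer, unixSeconds: number): string {
  return hotp(secret, Math.floor(unixSeconds / STEP_SECONDS));
}

// Compare codes without an early exit on the first differing character.
function codesMatch(a: string, b: string): boolean {
  return a.length === b.length && timingSafeEqual(Buffer.from(a), Buffer.from(b));
}

// Accept the current step plus one step of clock drift either way, but never a
// step at or below the last one already redeemed (blocks replay inside the window).
function verifyTotp(
  secret: Buffer,
  submitted: string,
  unixSeconds: number,
  lastUsedStep: number | null,
): { ok: boolean; step: number | null } {
  const now = Math.floor(unixSeconds / STEP_SECONDS);
  for (const delta of [0, -1, 1]) {
    const step = now + delta;
    if (lastUsedStep !== null && step <= lastUsedStep) continue;
    if (codesMatch(hotp(secret, step), submitted)) return { ok: true, step };
  }
  return { ok: false, step: null };
}

// Recovery codes: random, shown to the user once, persisted only as SHA-256 hashes.
// A plain hash is adequate because each code carries 40 random bits; it is the
// low-entropy password case that needs a slow KDF, not this one.
type RecoveryStore = { hashes: Set<string> };

function hashRecoveryCode(code: string): string {
  const normalised = code.replace(/-/g, "").toLowerCase(); // "3F9A1-C04BE" == "3f9a1c04be"
  return createHash("sha256").update(normalised).digest("hex");
}

function generateRecoveryCodes(count = 8): { plaintext: string[]; store: RecoveryStore } {
  const plaintext: string[] = [];
  const hashes = new Set<string>();
  while (plaintext.length < count) {
    const hex = randomBytes(5).toString("hex");         // 10 hex chars = 40 bits
    const code = `${hex.slice(0, 5)}-${hex.slice(5)}`;   // e.g. "3f9a1-c04be"
    const h = hashRecoveryCode(code);
    if (hashes.has(h)) continue;                         // keep the set collision-free
    plaintext.push(code);
    hashes.add(h);
  }
  return { plaintext, store: { hashes } };
}

// Redeem a code: valid only while its hash is still stored, and deleted on use
// so the same code can never sign in twice.
function redeemRecoveryCode(store: RecoveryStore, submitted: string): boolean {
  const h = hashRecoveryCode(submitted);
  if (!store.hashes.has(h)) return false;
  store.hashes.delete(h);
  return true;
}

// Published RFC 6238 Appendix B test secret (ASCII "1234567890" twice), not a real key.
const RFC6238_SECRET = Buffer.from("12345678901234567890", "ascii");
```

The `lastUsedStep` argument is the detail most home-grown TOTP verifiers miss: without it, a code observed on the wire can be submitted again for the rest of its 30-second step plus the drift window.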
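SSO enforcement and the JIT provisioning controls are two halves of one policy decision: who is forced through the IdP, and what a freshly provisioned IdP identity is allowed to become. The TypeScript below is an added example for this page, not Quackback's code: the `SsoPolicy` shape, the claim-to-role mapping format, and the assumption that auto-provisioning is limited to enforced domains are all this example's own. It shows the two checks a practitioner most wants to see enforced: refusing to provision unless the IdP asserts `email_verified`, and clamping any claim-derived role to a configured ceiling.

```typescript
// Hypothetical policy and claim shapes for this example; Quackback's own
// settings model and attribute-mapping format are not shown on the page.
type Role = "viewer" | "member" | "admin";
const ROLE_RANK: Record<Role, number> = { viewer: 0, member: 1, admin: 2 };

interface SsoPolicy {
  enforcedDomains: string[];          // verified domains that must sign in via SSO
  defaultRole: Role;                  // role for JIT users whose claims map to nothing
  claimName: string;                  // which ID-token claim carries group/role values
  claimToRole: Record<string, Role>;  // attribute mapping, claim value -> role
  maxJitRole: Role;                   // ceiling on any role granted automatically
}

interface IdTokenClaims {
  email?: string;
  email_verified?: boolean;
  [claim: string]: unknown;
}

function emailDomain(email: string): string | null {
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

function isEnforcedDomain(policy: SsoPolicy, domain: string): boolean {
  return policy.enforcedDomains.some((d) => d.toLowerCase() === domain);
}

// SSO enforcement: password and magic-link sign-in are refused for any address
// on an enforced domain, so those members can only arrive through the IdP.
function passwordSignInAllowed(policy: SsoPolicy, email: string): boolean {
  const domain = emailDomain(email);
  return domain !== null && !isEnforcedDomain(policy, domain);
}

type JitDecision =
  | { ok: true; email: string; role: Role }
  | { ok: false; reason: string };

// JIT provisioning: decide whether an IdP-asserted identity may be created as a
// workspace member and, if so, with which role.
function decideJitProvisioning(policy: SsoPolicy, claims: IdTokenClaims): JitDecision {
  const email = typeof claims.email === "string" ? claims.email : null;
  const domain = email === null ? null : emailDomain(email);
  if (email === null || domain === null) return { ok: false, reason: "missing or malformed email claim" };
  // If the IdP does not assert email_verified it is not vouching for address
  // ownership; provisioning on it would let anyone claim a colleague's account.
  if (claims.email_verified !== true) return { ok: false, reason: "email not verified by IdP" };
  // Assumption for this example: auto-provisioning is limited to enforced domains,
  // so an arbitrary IdP account on another domain never auto-creates a member.
  if (!isEnforcedDomain(policy, domain)) return { ok: false, reason: `${domain} is not an SSO domain` };

  const raw = claims[policy.claimName];
  const values: string[] = Array.isArray(raw)
    ? raw.filter((v): v is string => typeof v === "string")
    : typeof raw === "string" ? [raw] : [];

  // Highest mapped role wins and unmapped values are ignored; then clamp to the
  // ceiling so a misconfigured or compromised IdP group cannot mint admins.
  let role: Role = policy.defaultRole;
  for (const value of values) {
    const mapped = policy.claimToRole[value];
    if (mapped !== undefined && ROLE_RANK[mapped] > ROLE_RANK[role]) role = mapped;
  }
  if (ROLE_RANK[role] > ROLE_RANK[policy.maxJitRole]) role = policy.maxJitRole;
  return { ok: true, email: email.toLowerCase(), role };
}

// Constructed sample policy for the checks below.
const SAMPLE_POLICY: SsoPolicy = {
  enforcedDomains: ["Example.com"],
  defaultRole: "viewer",
  claimName: "groups",
  claimToRole: { "eng-admins": "admin", staff: "member" },
  maxJitRole: "member",
};
```

Keeping `maxJitRole` below `admin` means the first admin on a workspace is always granted by a human, and an IdP-side group change can raise a member at most to the ceiling; promotions beyond it go through the audit-logged admin UI.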
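The sign-in defenses item says attempts are rate limited but not how the budget is keyed. The TypeScript below is an added example for this page, not Quackback's implementation: it keeps two sliding-window failure budgets, a tight one per account and a looser one per source IP, checked before the credential is verified. The limits, window length, and in-memory store are this example's assumptions; a multi-replica deployment would keep the counters in Redis.

```typescript
// Sliding-window counter of failed sign-in attempts per key (account or source IP).
// In-memory for this example; a deployment would hold it in Redis so every
// replica sees the same counts.
class FailureWindow {
  private readonly limit: number;
  private readonly windowMs: number;
  private readonly events = new Map<string, number[]>(); // key -> failure timestamps (ms)

  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.windowMs = windowMs;
  }

  // Drop timestamps older than the window and return what is left.
  private prune(key: string, nowMs: number): number[] {
    const cutoff = nowMs - this.windowMs;
    const kept = (this.events.get(key) ?? []).filter((t) => t > cutoff);
    if (kept.length === 0) this.events.delete(key);
    else this.events.set(key, kept);
    return kept;
  }

  // True while the key has spent its failure budget inside the window.
  isLimited(key: string, nowMs: number): boolean {
    return this.prune(key, nowMs).length >= this.limit;
  }

  recordFailure(key: string, nowMs: number): void {
    this.events.set(key, [...this.prune(key, nowMs), nowMs]);
  }

  clear(key: string): void {
    this.events.delete(key);
  }
}

// Two independent budgets: per account (stops online guessing of one password)
// and per IP (stops one host spraying a few guesses across many accounts).
// Numbers are example choices, not Quackback's.
class SignInGate {
  readonly perAccount = new FailureWindow(5, 15 * 60_000);
  readonly perIp = new FailureWindow(50, 15 * 60_000);

  // Called before the password is checked, so a limited request never reaches
  // the verifier at all.
  allow(email: string, ip: string, nowMs: number): boolean {
    const account = email.toLowerCase();
    return !this.perAccount.isLimited(account, nowMs) && !this.perIp.isLimited(ip, nowMs);
  }

  // A success clears the account budget; the IP budget is deliberately left alone.
  recordResult(email: string, ip: string, ok: boolean, nowMs: number): void {
    const account = email.toLowerCase();
    if (ok) {
      this.perAccount.clear(account);
      return;
    }
    this.perAccount.recordFailure(account, nowMs);
    this.perIp.recordFailure(ip, nowMs);
  }
}
```

The account key is lower-cased so `Alice@example.com` and `alice@example.com` share one budget; the IP budget is not reset by a success because a spraying host that eventually guesses one password should not be rewarded with a fresh allowance.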
Bug fixes
- Pinned comment restored on public posts. A pinned comment no longer disappears from the public post detail view.
- Default post statuses on first migrate. Fresh installs now seed the default post statuses.
- 2FA redirect preserves callback URL. The intended destination is kept through the 2FA challenge redirect.
Performance
- Queue hardening. OSS BullMQ queues share a single Redis connection, drain gracefully on shutdown, use bounded retention, and dedupe jobs by ID for idempotency.
Internal
- Per-feature tier-limit gates with internal endpoints and structured exception dispatch.
- UserVoice import CLI supports incremental top-up; the REST import API accepts an author attribution override.
- Combined magic-link + OTP sign-in email.
Tests
- Extensive new coverage across SSO, 2FA, audit logging, recovery codes, and sessions.
Full changelog: https://github.com/QuackbackIO/quackback/compare/v0.9.9...v0.10.0
About QuackbackIO/quackback
Open-source customer feedback platform with built-in MCP server. Agents can search feedback, triage posts, update statuses, create and comment on posts, vote, manage roadmaps, merge duplicates, and publish changelogs.
Beta — feedback welcome: [email protected]