v0.26.0

New big release in a while!

This release primarily adds support for multiple email/addresses per user and separates the 'active' flag from the 'having validated your email address' flag.

It also introduces experimental support for a draft OAuth2 flow for first-party apps, which (right now) only supports usernames and passwords, and is sure to change over time.. but this will become the main framework for multi-step authentication with all flavours of MFA.

Please note that this release has a few database changes that (depending on your database size) may take a bit to complete. MAKE A BACKUP! I can't stress this enough!

• BC Break: Previous versions of a12nserver collated the 'active' status of users and whether or not their used email addresses were verified. These two flags are now separate. For a user to log in with their username and password their account must be active (now on by default) and email must be verified. When upgrading to 0.26 all active users will have their email automatically verified.
• BC Break: When creating users via the API, we no longer accept the 'active' flag. (is now on by default).
• New! Users can now be associated with multiple email addresses and/or phone numbers.
• Added support for OAuth 2.0 Multiple Response Type Encoding Practices) aka the "authorization_challenge" flow.
• Upgraded to Curveball 1.
• Moved from CommonJS to ESM.
• Upgraded to Typescript 5.5.
• Dropped mocha for the built-in Node tester.
• #494: Add 'public' to Postgres schema search path. (@elaugier)
• Auto-generate API types from JSON schema.
• Internal: oauth2-client is renamed to app-client to reduce confusion a bit.
• Internal: oauth2_codes now remember what grant_type was used to generate the code, plus the redirect_uri.