v0.1.0 Release Notes

Release Date: 2026-02-28

CoreForge v0.1.0 is the initial release of our batteries-included Go platform module for multi-tenant SaaS applications. This release provides a complete foundation for building secure, scalable SaaS products with identity management, OAuth 2.0, session handling, and authorization.

Highlights

  • Batteries-included Go platform module for multi-tenant SaaS applications
  • Complete identity management with users, organizations, and memberships
  • Full OAuth 2.0 server implementation using Fosite with PKCE, client credentials, and JWT bearer grants
  • Session management with JWT, DPoP (RFC 9449) proof-of-possession, and BFF pattern

What's New

Identity Module

The identity module provides the core user and organization management:

  • 👤 User accounts with email and Argon2id password hashing
  • 🏢 Organizations for multi-tenant applications with name, slug, plan, and settings
  • 🔗 Memberships with flexible role-based user-organization relationships
  • 🔐 OAuth account linking for GitHub and Google providers
  • 🔑 API key service for machine-to-machine authentication with scopes

OAuth 2.0 Server

A complete OAuth 2.0 server built on Fosite:

  • 📜 Authorization Code + PKCE grant for secure browser-based authentication
  • 🤖 Client Credentials grant for service-to-service authentication
  • 🔄 Refresh Token grant with rotation and theft detection
  • 📝 JWT Bearer (RFC 7523) grant for service account authentication
  • ⚙️ Service accounts with RSA/EC key pairs for non-human identities
  • 🔍 Token introspection (RFC 7662) and revocation (RFC 7009) endpoints
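
Refresh token rotation with theft detection, listed above, is commonly built on token families: each refresh retires the old token, and a second use of an already-rotated token revokes every token descended from that login. The following is an added example of that approach, not CoreForge or Fosite code; `Store`, `Family`, `Issue` and `Rotate` are hypothetical names, and the store is in-memory and assumes a single goroutine.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)
// Hypothetical names for illustration; not CoreForge or Fosite APIs.
var ErrInvalid = errors.New("unknown or revoked refresh token")
var ErrReuse = errors.New("refresh token reuse detected, family revoked")
type Family struct{ Revoked bool } // shared by all tokens from one login
type record struct {
	fam  *Family
	used bool // true once the token has been exchanged
}
type Store map[[32]byte]*record // key is SHA-256(token); raw tokens not stored

// Issue mints a random token in fam (at login, or as a rotation successor).
func (s Store) Issue(fam *Family) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe fallback without a CSPRNG
	}
	tok := fmt.Sprintf("%x", b)
	s[sha256.Sum256([]byte(tok))] = &record{fam: fam}
	return tok
}

// Rotate swaps a token for its successor; a second use revokes the family.
func (s Store) Rotate(old string) (string, error) {
	rec, ok := s[sha256.Sum256([]byte(old))]
	if !ok || rec.fam.Revoked {
		return "", ErrInvalid
	}
	if rec.used {
		rec.fam.Revoked = true
		return "", ErrReuse
	}
	rec.used = true
	return s.Issue(rec.fam), nil
}

func main() {
	s := Store{}
	t1 := s.Issue(&Family{}) // login
	s.Rotate(t1)             // normal refresh
	_, err := s.Rotate(t1)   // rotated token presented again
	fmt.Println(err)
}
```

A persistent store would perform the lookup, the `used` update and the successor insert in one database transaction so that two concurrent refreshes cannot both succeed.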

Session Module

Secure session management with modern security features:

  • 🎫 JWT service supporting HS256, RS256, and ES256 algorithms
  • 🔒 DPoP (RFC 9449) proof-of-possession token binding
  • 🖥️ Backend for Frontend (BFF) pattern with server-side sessions
  • 🌐 OAuth handlers for GitHub and Google social login
  • 🛡️ Authentication middleware for JWT Bearer and API key validation

Authorization Module

Flexible role-based access control:

  • 👥 RBAC with organization-scoped permissions
  • ⚖️ Casbin provider for advanced policy rules
  • Simple provider for lightweight permission checking
  • 🚧 HTTP middleware for route protection (Chi and stdlib)

Feature Flags

Feature flag engine for progressive rollouts:

  • 🚩 Flag engine with boolean, percentage, and user list flags
  • 🏢 Organization scoping for per-org flag evaluation
  • 💾 In-memory store for development and testing

Row-Level Security

PostgreSQL RLS helpers for multi-tenant data isolation:

  • 🗃️ PostgreSQL RLS policy generation and session variable helpers
  • 🏠 Tenant isolation for multi-tenant data separation
  • 🔗 Ent integration with transaction helpers for tenant context

Installation

go get github.com/grokify/coreforge

Quick Start

See the Quick Start Guide for a complete walkthrough.

package main

import (
    "context"
    "github.com/grokify/coreforge/identity/ent"
    _ "github.com/lib/pq"
)

func main() {
    client, err := ent.Open("postgres", "postgres://...")
    if err != nil {
        panic(err)
    }
    defer client.Close()

    // Run migrations - creates cf_* tables
    if err := client.Schema.Create(context.Background()); err != nil {
        panic(err)
    }
}

Database Tables

All CoreForge tables use the cf_ prefix, so they can be created alongside an application's existing tables during side-by-side migration:

| Table | Description |
|---|---|
| cf_users | User accounts |
| cf_organizations | Multi-tenant organizations |
| cf_memberships | User-organization relationships |
| cf_oauth_accounts | External OAuth provider links |
| cf_refresh_tokens | JWT refresh token tracking |
| cf_api_keys | Developer API keys |
| cf_oauth_apps | OAuth client applications |
| cf_oauth_app_secrets | Client secrets (hashed) |
| cf_oauth_tokens | Issued OAuth tokens |
| cf_oauth_auth_codes | Authorization codes |
| cf_oauth_consents | User consent records |
| cf_service_accounts | Non-human identities |
| cf_service_account_key_pairs | RSA/EC key pairs |

Migration from Existing Apps

CoreForge supports side-by-side migration for existing applications:

  1. Side-by-Side: Create cf_* tables alongside existing tables
  2. Dual-Write: Write to both old and new tables
  3. Cutover: Switch reads to CoreForge tables
  4. Cleanup: Remove old tables

See the Migration Guide for detailed instructions.

What's Next

Future releases will include:

  • Cedar authorization provider
  • Redis-backed feature flag store
  • SAML/OIDC enterprise SSO
  • WebAuthn hardware security key binding