Documentation

9. v0.7.0 — User accounts

Created: Jun 20, 2026
Updated: Jun 20, 2026

Released 2026-06-20. This release adds an end-to-end user-account system to Fractal Chart: create an account, sign in with email/password or a social provider, and manage your profile, password, active sessions, and account from a dedicated dashboard. Signing in is optional — the chart workspace continues to work without an account. The release also includes the production hardening and infrastructure fixes made while bringing auth live.

Added

Accounts & authentication

  • Sign up / sign in / sign out. Email + password registration with a six-digit email confirmation, sign-in, and sign-out (clears the server session and the Cognito SSO session).
  • Social login. Continue with Google / Facebook / Apple (whichever providers a deployment enables via NEXT_PUBLIC_SOCIAL_PROVIDERS).
  • Password reset. Request an email code and set a new password without signing in (native accounts).
  • Account collision handling. A social sign-in whose email already belongs to a native account is paused and resolved with a confirm-with-password link, after which both methods work for the same account.

Account dashboard (/account)

  • Profile — edit display name and (native accounts) email, with an inline email-verification step.
  • Change password — for native accounts; a successful change invalidates every other session.
  • Devices — lists recognized browsers with last-seen time and a Sign out all other devices action.
  • Delete account — disables the Cognito user, soft-deletes the profile, and terminates all sessions.
  • Workspace integration — a user-avatar button in the chart header links to the account page; signed-in users are redirected away from the auth pages.

Sessions

  • Server-managed sessions backed by an opaque, HttpOnly / Secure / SameSite=Lax cookie — no tokens are ever exposed to the browser. A 30-minute idle window (reset on activity) and a 7-day absolute cap, with transparent, single-flight token refresh.

Other

  • Detachable indicator/strategy editor — the bottom editor dock can be popped out into a floating, draggable, resizable window.
  • Landing footer theme toggle — light/dark/auto switch; removed the "Open BTCUSDT" footer link.
  • Themed 404 page.

Changed

  • .env.example split into the Next.js app (root .env.example) and the auth service (infra/.env.example); deploy scripts source infra/.env.local.
  • Versioned API — all SPA → backend calls go through /v1 on NEXT_PUBLIC_API_BASE_URL.

Fixed

These surfaced while deploying auth to staging and production:

  • Sessions reaped at the idle window. The DynamoDB ttl now tracks the absolute cap (7 days) instead of the 30-minute idle window, so sessions are no longer hard-deleted while still refreshable — fixing overnight logouts and the Devices-card error.
  • Production /v1 mapping. Enabled the custom-domain base-path mapping so api.fractalchart.com/v1/* reaches the API (was returning 403 Forbidden).
  • CORS for www + apex. CorsAllowOrigins allows every host the SPA is served on, so credentialed requests from www.fractalchart.com aren't blocked. Implemented as a CommaDelimitedList so the SAM template deploys cleanly.
  • CSRF origin check. The assertCsrf guard accepts the same origin set as CORS (apex + www), fixing 403 on every account POST (profile, password, delete, etc.).
  • Hardening. Authorizer result caching disabled (immediate revocation), least-privilege authorizer IAM, redacted OAuth-callback logs, DynamoDB reserved-word aliasing, and the oauth_tx cookie scoped to Path=/.
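The session policy from the Sessions section and the ttl fix in the first bullet above, as an added example that is not Fractal Chart's own code: the idle window and absolute cap are enforced in application code on every request, and the DynamoDB ttl attribute is derived from the absolute cap only. Record field names (sid, createdAt, lastSeenAt) are assumptions.

```typescript
// Constants mirror the release notes; the record shape is assumed for illustration.
const IDLE_WINDOW_MS = 30 * 60 * 1000;           // 30-minute idle window, reset on activity
const ABSOLUTE_CAP_MS = 7 * 24 * 60 * 60 * 1000; // 7-day absolute cap, measured from creation

interface SessionRecord {
  sid: string;        // opaque session id carried in the HttpOnly cookie (hypothetical field)
  createdAt: number;  // ms since epoch; never changes for the life of the session
  lastSeenAt: number; // ms since epoch; bumped on each authenticated request
}

type SessionState = "active" | "idle_expired" | "absolute_expired";

// Application-level expiry decision, evaluated on every request.
// The absolute cap is checked first so a long-lived session cannot be kept
// alive indefinitely by activity alone.
function sessionState(s: SessionRecord, now: number): SessionState {
  if (now >= s.createdAt + ABSOLUTE_CAP_MS) return "absolute_expired";
  if (now >= s.lastSeenAt + IDLE_WINDOW_MS) return "idle_expired";
  return "active";
}

// Activity slides the idle window (lastSeenAt) but leaves createdAt untouched,
// so the 7-day cap still bounds total lifetime. Returns null when the session
// is no longer active and must not be extended.
function touchSession(s: SessionRecord, now: number): SessionRecord | null {
  if (sessionState(s, now) !== "active") return null;
  return { ...s, lastSeenAt: now };
}

// Before the fix: ttl followed the idle window, so DynamoDB's TTL reaper could
// hard-delete the item out from under the application (the release notes cite
// overnight logouts and the Devices card failing to list sessions).
function ttlBeforeFix(s: SessionRecord): number {
  return Math.floor((s.lastSeenAt + IDLE_WINDOW_MS) / 1000); // epoch seconds
}

// After the fix: ttl tracks the absolute cap. DynamoDB TTL deletion is
// best-effort and may lag expiry, so it is only a storage garbage-collection
// backstop; the real expiry decision stays with sessionState().
function ttlAfterFix(s: SessionRecord): number {
  return Math.floor((s.createdAt + ABSOLUTE_CAP_MS) / 1000); // epoch seconds
}
```

Because the reaper is not precise, a session must never be treated as valid merely because its item still exists; the application check above is what decides.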

Deployment

Frontend (Vercel) ships from the app build. The auth backend is deployed with AWS SAM from infra/:

cd infra
sam deploy --config-env production-dynamodb
./bin/deploy-cognito.sh production      # social creds sourced from SSM
./bin/put-secrets.sh production         # SSM SecureString secrets
sam build  --config-env production-oauth-v1
sam deploy --config-env production-oauth-v1

See dev-docs/auth-deploy-runbook.md for the full runbook.
