Update restheart.version to v9.4.2

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.restheart:restheart (source)	9.4.1 → 9.4.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

SoftInstigate/restheart (org.restheart:restheart)

v9.4.2

Compare Source

RESTHeart 9.4.2

This release is primarily a stabilization and hardening pass on the restheart-accounts module, driven by extensive testing against a real, complex production application. That real-world exercise surfaced a number of edge cases in the invite flow, JWT handling, multi-tenancy, and account lifecycle — all now fixed. It also adds a new built-in metrics and monitoring stack.

Hardening of restheart-accounts

Extensive testing on a real complex app drove fixes across the whole module:

Account lifecycle

• Replaced the status field with a roles-based user lifecycle; the status field has been removed from accounts.
• Removed consent requirements from account activation.

Invite workflow

• New accept-invite endpoint and auth_invitations collection for inviting existing users.
• Invite token storage unified in auth_invitations across all user types.
• Refactored invite flow; added ACL and full invitation test coverage; made test setup idempotent to prevent state leakage and handle already-accepted invitations.
• Handle OPTIONS requests in AcceptInviteService; fixed email lookup in ResendInviteService; team name now derived from memberships.

Team membership

• Added endpoints to remove members and update member roles.

Multi-tenancy

• Tenant IDs changed from String to BsonValue to support ObjectId types, with extended JSON representation.
• JWT tenant claim now uses tenantClaimName from config instead of a hardcoded tenant.
• MembershipProvider.activeMembership() now used instead of hardcoded tenant-field lookups in email verification, password reset, and resend-invite services.
• Added mclient injection to SwitchTenantService.

Security & JWT

• Account operations now restricted to the owner role; invite access restricted and role handling updated.
• Added issued-at (iat) claim to issued JWTs.
• JWTs now include authDb and account-properties-claims.

Email templates

• Fixed custom mail templates being ignored.
• Fixed variable names in default templates; added responsive email styles.

New: Metrics & Monitoring

• Built-in metrics and monitoring with a real-time dashboard and Prometheus integration (with docs).
• Added metrics static resources and an HTML monitor; requests metrics collector enabled in config.

Other

• Fallback class loader support in ResourcesExtractor for plugin resources.
• Fixed OAuth error URL construction and added an email-mismatch check for OAuth-with-invite.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.