All notable changes to this project will be documented in this file. See standard-version for commit guidelines.
5.1.0 (2021-11-18)
- auth: confirmed recovery email addresses can be used to login (dcb51c9)
- security: passwords must now pass a dictionary test in addition to all existing requirements (5b8fdae)
- email: clarify email notification when adding recovery address to profile (ee502b2)
- email: fix footer inclusion in FR alert email (13d25f8)
- email: make EN template closure more consistent (aa1bb41)
- email: remove CTA for email support from email_alert (c0dfaa0)
- email: remove CTA for email support from reset_password (6bdd0ea)
- email: remove email wording related to HID Contacts (af8905e)
- email: remove legacy command and email template special_password_reset (5433630)
- email: remove legacy email template verification_expiry (d3787ca)
- email: update EN/FR email footers to remove email and add FAQs (a7e7da8)
- email: update wording in FR templates and make introduction and closure more consistent (de0d806)
- log password update/reset errors with consistent metadata (70f8769)
- point users to FAQs for common errors (7824e8e)
- provide more specific error when password did not meet guidelines (6a0ede6)
- security: do explicit case-insensitive string matching before passing to cracklib (f4141da)
- security: isStrongDictionary auto-compares email, and logs feedback when present (9689e8b)
- security: isStrongDictionary compares password to family, given, and each email address (3b83d60)
- security: only destroy session after password reset succeeds (0d30eea)
- security: only destroy session after password reset succeeds (f1db7c9)
- theme: update CD and implement Header nav (02e984e)
- upgrade qrcode and underlying dependencies (50a4bb8)
- when password requirements are not met during password reset, show form again (80803bf)
4.0.0 (2021-09-16)
5.0.1 (2021-10-28)
- security: only destroy session after password reset succeeds (0d30eea)
4.0.0 (2021-09-16)
5.0.0 (2021-10-20)
- auth: the OAuth clients in the removed code might experience adverse affects. However, HID logs do not show any usage of the currentClient param being sent with requests, so the impact is expected to be very low.
Refs: HID-2192
- removed PUT /api/v3/user/emails/{email}
- /api/v3/user/password no longer exists
- adopt standard-version to generate CHANGELOG (d9706b4)
- password visibility toggle on all password inputs (4e8977e)
- remove commands/emails/functions to send password expiry emails (a198d89)
- security: check historical passwords during email-based password resets (4ef847c)
- security: comply with 2021 OICT password strength guidance (2102a1a)
- security: store 5 previous password hashes and prevent their re-use (65ff556)
- security: store old passwords when using password-reset as well (43da48f)
-
add hyphen to password regexes (1c3d8b6)
-
any emailId lookup should be lowercased (f32bbf4)
-
auth: make sure JWT requests don't 500 (73666a9)
-
auth: safely clone data and output oauth.client_id when logging /account.json (5175677)
-
ensure that emailId never gets set to undefined (3ef4a9a)
-
escape HTML in password-regex include (98034aa)
-
escape HTML in password-requirements include (d925482)
-
force user input to lowercase when sending password reset emails (c89e1e4)
-
on TOTP form, checkbox to remember device now has a label (ef8f528)
-
provide migration to drop expiry-related fields from all users (7becb5f)
-
purge new_password URL/template from codebase (992116b)
-
registration form client-side JS now wotks with CSP (43a1ec9)
-
remove password expiry check from login process (447eabe)
-
security: destroy session when password reset is attempted (4591c7b)
-
store time of last password reset when using logged-in settings form (516087b)
-
wait to save user record until after verifying email during PW reset (a5f4c10)
-
when verifying an account, store success message in a new object (7bdbe62)
-
HID-2064: split UserController.validateEmail into two functions (1333be2)
-
HID-2067: split resetPasswordEndpoint into two endpoints (12b731b)
-
auth: remove special cases from /account.json (b1487ff)