Releases: 18F/identity-idp
Releases · 18F/identity-idp
RC 68
2018-10-11T141509 2018-10-11T141509 release
RC 66 - Patch 1
Features
- List/delete webauthn configurations for a user #2494
- Allow a user to add a new webauthn configuration #2490
- Create WebAuthn Configurations Table #2461
Bugs and Enhancements
- Don't show recovery code before IdV flow #2485
- Revert removal of #2351 (redirect uri validation) #2498
- Update Reek from 4.8.1 to 5.0.2 #2499
- Revert changes to `find_with_email #2497
- Update gems with bummr #2493
- Add timeout to Twilio API calls #2491
- Fix tests using users with phones #2496
- Ensure rack-timeout is properly configured #2488
- Set up a TOTP user for local development #2483
- Remove unused personal_key method #2481
- Allow full exception logs for users without phone #2479
- Refactor AccountReset::DeleteAccountController #2450
- Catch no method error in formatted phone #2477
- Fix failure screens throwing 500 error with failure_to_proof_url #2473
- Take into account nil user in SmsLoginOptionPolicy #2472
- Make user_access_key_overrides fasterer #2458
- Remove dup webauthn_configurations index creation #2469
- Add nil phone_configuration to anonymous user #2467
- Run
bundle install
in devops repo when releasing #2468 - Int: Fix Idv::Proofer vendor initialization #2465
- Fix Idv::Proofer vendor initialization #2463
- Return blank for nil phone numbers #2521
New Service Providers and updates to existing ones
RC65 patch 1
Bugs and Enhancements
- Update LOA3 "failure to proof" screens #2454
- Redirect piv/cac errors to cleanup url #2380
- Add spinner when requesting piv/cac cert from user #2258
- Piv/cac available based on email domain #2429
- Track additional IdV analytics #2431
- Use 2-letter phone country code for analytics #2442
- Refactor and fix account reset requests #2444
- Allow sign in via remember me after idling #2438
- Display fake banner in lower environments #2418
- Prevent calling unsupported countries #2423
- Fix already authenticated users redirecting to account page #2426
- Fix border radius on Account boxes #2427
- Add client-side Crockford Base32 encoding helper #2417
New Service Providers and updates to existing ones
RC 64
Features
- Failure to proof URL for service provides at LOA3 i#2389
Bugs and Enhancements
- Fix preview images from PRs from showing in internal Slack channels #2422
- Update dependencies #2420
- Add script to give IDP access to CloudHSM keys #2235
- Add a task to copy user phone numbers into a new table to eventually allow multiple phones per user #2415
- Fix a bug where session timeout prevented user from ending at SP #2390
- Stop storing unnecessary OIDC request data in the session #2412
- Track errors when the user is nil in analytics #2407
- Fix bug where users without a phone number where asked to use auth app to confirm phone during IdV #2389
- Add account reset health checker #2387
- Change release script to stop recycling unused servers #2349
New Service Providers and updates to existing ones
- Add a redirect URI for DOE #2416
RC 63
Features
- Add Connected Applications to Account Management #2376
- Write 2L KMS encrypted sessions #2373
- Add script to email compromised users #2340
Bugs and Enhancements
- Add phone configurations table #2361
- Fix OIDC Sinatra SP redirect uri for int and dev #2391
- Refactor SP redirect URI validation #2351
- Use different text in SMS for login vs verify phone number #2342
- Fix confusing placeholder phone number #2359
- Update PR template and contribution guidelines #2315
- Add console output suppression spec helper #2383
- Remove stray SAML test file #2382
- Add logstash.conf.example and update README #2378
- Production Error: ERROR: duplicate key (email) #2379
- Ran make normalize_yaml on PR 2358 #2377
- Update USAJOBS / TTP instructions on create account #2358
- Update gems with bummr #2371
- Clean up localizations #2333
- Create an AWS lambda function for delayed notifications with account reset #2310
- Fix 500 errors on bad personal key. Match host on redirect URIs #2362
- Fix phone validation logic to prevent toggling disable #2357
- User can't create account because their email is "invalid" #2360
- Display a message to the user when an account reset link is expired #2331
- Ignore saml_*.txt files generated by tests #2352
- Adjust response code for SMS reply #2325
- Fix 500 errors on bad personal key and invalid otp_delivery_preference in path. Add specs. #2346
- Match host on redirect URIs #2347
- Add SMS opt-out reply job spec #2343
- Create an AWS lambda function to upload USPS verification to GPO #2332
- Ignore the old password columns on the user model #2330
- Hardcode session encryption cost for migration #2395
- Catch sending too much to kms #2411
- Use 32 byte salts for passwords #2372
New Service Providers and updates to existing ones
- Add Forest Service ePermits to the production service providers #2339
RC 62
Bugs and Enhancements
- Cancelling account deletion now notifies both email and sms #2320
- 2FA selection at sign in has been cleaned up #2317
- Attribute encryption rake task logs errors and continues #2322
- The IdP supports serving assets from the Cloudfront CDN #2321
- Invalid user params won’t raise errors #2324
- Adjust checkbox spacing on OTP verification screen #2316
- Remove stray TODO comment #2312
- Handle Twilio errors more gracefully #2308
- Only send one SMS for account reset delayed notification #2309
- Redesign IDV verification OTP delivery method screen #2302
- Fix typo on account reset page #2306
- Make programmable SMS countries configurable #2298
- Make the call to action full width on mobile for some pages #2291
- Fix attribute_encryption_key_queue in example application configuration #2294
- Allow Code Climate to analyze spec folder #2292
- Fix USPS uploader spec #2296
- Remove TODO comments from codebase #2295
- Remove CSRF protection from SendNotificationsController #2290
- Remove CSRF protection from account reset delayed notifications endpoint #2289
- Fix Voice OTP bug in previous release #2287
- Define locale argument for VoiceOtpSenderJob #2284
- Add SMS opt-out messaging #2276
New Service Providers and updates to existing ones
RC 61
Features
- Use GPO instead of Equifax for address verification #2267, #2272
- Delayed account reset requests #2274
- Use Twilio/Auth Verify service to send international SMS #2275, #2280
Bugs and Enhancements
- Fix 500 errors #2269
- Allow SMS to be sent to Zambian and Liberian phone numbers #2256
- Clarify and simplify personal keys instructions #2266
New Service Providers and updates to existing ones
Code maintenance
RC 60
Features
- Add PIV/CAC as a two factor authentication option #2234, #2237, #2244, #2250, #2253
- Allow dynamic service provider updates in production #2227
- Log ‘Password Changed’ event #2233
- Log ‘Personal Key Changed’ event #2217
- Offer all two factor authentication options during account creation #2099
- Increased the Reauthentication Timeout window from 2 to 5 minutes
Bugs and Enhancements
- Fix bug in enter phone number screen #2255
- Remove already initialized constant #2252
- Hide nonce from html #2236
- Upgrade Ruby from 2.3.5 to 2.5.1 #1997
- Improve request tracing #2245
- Add help text for SAM users on account creation screen #2230
- Update dependencies #2175, #2228
- Send ‘password reset link’ to confirmed email address #2182
- Prevent ‘password reset tokens’ from leaking to 3rd party sites #2214
- Fix validation bug on personal key screen #2215
- Fix rate limiting issues #2216, #2222
New Service Providers and updates to existing ones
RC 59
Features
- Support new encryption model using 2L-KMS #2191 , #2192 , #2210
- Update identity verification flow #2193 , #2194 , #2200 , #2201 , #2205 , #2206
- Add support for LexisNexis as an identity verification vendor #2198
- Enable PIV/CAC on per agency basis #2148 , #2197
- Add CloudHSM and automate key generation #2159 , #2202
Bugs and Enhancements
- Add 849 and 829 area codes for Dominican Republic #2196
- Fix visual bug on phone input #2190
- Update edit phone screen to use new phone input #2195
- Upgrade file encryptor to work with gpg2 #2199
- Add proofer information to result and analytics #2207
- Switch queuing from sidekiq to inline by default. #2208
- Fix CircleCI build caching issue #2211
New Service Providers and updates to existing ones
RC 58
Features
- Allow PIV/CAC as 2FA during login #2142, #2188
- Manage PIV/CAC association in account #2128
- Add reCAPTCHA to account creation and password reset screens #2136, #2160
Bugs and Enhancements
- Add more testing for PIV/CAC feature #2157
- Default recaptcha to off and whitelist it for unsafe-inline #2160
- Prefix email confirmation event with use registration label #2181
- Exclude events with invalid tokens #2153
- Disallow indexing of certain pages #2151
- Update gems with bummr #2173
- Automate release management #2080
- Sanitize Ahoy headers and cookies #2165
- Make tests compatible with zeus #2158
- Add script to create test accounts #1860
New Service Providers and updates to existing ones
- Add move.mil and DOT SPs to production #2183