v0.18.1

Changelog since v0.18.0

Changes by Kind

Features

• The SMS Template max size is being doubled from 400 to 800. (#1295, @mikehelmick)

Operations

• Improved SLO-based alerting reset time (#1294, @yuriatgoogle)

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.

v0.18.0

Release notes for main

Documentation

Changelog since v0.17.1

Changes by Kind

User Stats

• Add CSV and JSON exports for user stats (#1286, @sethvargo)
• Add more detailed stats help information (#1276, @sethvargo)
• Capture and display daily active user stats (#1244, @sethvargo)
• Display user and external stats as tables (#1233, @sethvargo)
• Include user email addresses in stats export (#1215, @sethvargo)
• Print a message when loading returns with no stats (#1270, @sethvargo)
• Provide JSON and CSV output for API key stats (#1289, @sethvargo)

i18n

• Add clarity around terms for internationalization (#1282, @sethvargo)
• Add docs on how to i18n (#1241, @sethvargo)
• Added Portuguese translations. (#1274, @arturenault)
• Fully internationalize strings on code issue page. (#1229, @sethvargo)
• Internationalize SMS placeholder input (#1218, @sethvargo)

New service: app-sync

• Add terraform for setting up the mobile-app-sync cloud run service, scheduling, and URL config (#1243, @whaught)
• Build and deploy app-sync (#1245, @sethvargo)
• New endpoint to sync android apps to realms from a configurable .json file URL.
  This will be hooked up to a cron job in the future. (#1191, @whaught)
• Only warn on missing regions for appsync. (#1262, @sethvargo)
• Return appsync errors as strings (#1258, @sethvargo)

Terraform

• Add some missing dependencies to Terraform setup (#1209, @sethvargo)
• Enable cloudidentity.googleapis.com in Terraform (#1210, @sethvargo)

Documents

• Added user-guide documentation on realm-admin code settings. (#1264, @whaught)
• Add system admin guide (#1240, @sethvargo)
• DOCS: Added documentation for EN Express link handling for custom apps. (#1260, @mikehelmick)
• DOCS: clarified usage of chaff requests from client perspective (#1234, @mikehelmick)

Batch API

• Added user-guide documentation on bulk code issuance. (#1265, @whaught)
• Documentation for batch-issue API (#1288, @whaught)
• Move the Bulk Issue Codes UI to use the batch API (#1277, @whaught)
• Install batch-issue into the adminapi server (#1285, @whaught)

Other fixes

• Add UI to share system SMTP config (#1239, @sethvargo)
• Added an 'about' link to the login page (#1219, @whaught)
• Do not rate limit chaff requests (#1224, @sethvargo)
• Fix local time display helper edge cases (noon and midnight). (#1238, @sethvargo)
• Improve styles on realm signing key management page (#1279, @sethvargo)
• Unify common date types into project helpers (#1278, @sethvargo)
• When SMS numbers are provided, clarify that the 6-8 digit codes are backup codes. (#1217, @sethvargo)

Dependencies

Added

• github.com/jarcoal/httpmock: v1.0.4
• github.com/lestrrat-go/jwx: v0.9.0
• github.com/square/go-jose/v3: 708a9fe
• github.com/square/go-jose: v2.4.1+incompatible

Changed

• github.com/google/exposure-notifications-server: v0.17.0 → v0.18.0
• github.com/hashicorp/vault-plugin-auth-gcp: v0.6.1 → v0.8.0
• github.com/okta/okta-sdk-golang: v1.0.1 → v1.1.0

Removed

Nothing has changed.

v0.17.1

Changes since v0.17.0

New Features

• New statistics API - Statistics via the JSON API are now returned with more structure and any gaps in dates/users are zeroed to ensure data continuity.

• External issuers - When issuing a code via the adminapi, callers can specify an ExternalIssuerID to associate the issuance with an external identifier. See the API documentation for more information. (#1198, @sethvargo)

Bulk Import

• Add random padding to requests in bulk-uploader (#1195, @whaught)
• Include a table of errors for CSV bulk import (#1200, @whaught)

Misc

• Add some missing dependencies to Terraform setup (#1209, @sethvargo)
• Fix missing column in migration for verification code statistics (#1206, @sethvargo)
• Trim API key parts and log invalid signatures in debug (#1207, @sethvargo)

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.

v0.17.0

Release notes for main

Documentation

Changelog since v0.16.1

Changes by Kind

Bulk Code Issue Client

• Throttle batches for bulk code issuance (#1128, @whaught)
• Realm setting to allow/disallow bulk upload (#1105, @whaught)
• Cancel remaining bulk upload when throttled by the server (#1125, @whaught)

Security Improvements

• Do not display passwords in HTML forms (#1163, @sethvargo)
• Do not trust responses from the server to contain HTML (#1164, @sethvargo)
• Do not use show-password on sentinel forms (#1174, @sethvargo)
• Don't serve session cookie over javascript, restrict retry storage to 24h (#1165, @sethvargo)
• Only trust HTTP Referer from same origin domain (#1175, @sethvargo)
• Document that creds are for tests only (#1161, @sethvargo)
• Fully revoke signout tokens and update last_revoke_checked (#1167, @sethvargo)

Postegres 13 Upgrade

• *Potentially breaking- - Upgrade code and tests to use Postgres 13, change default database in Terraform to Postgres 13. This will cause Terraform to try and delete the database - set database_version to POSTGRES_12 before applying! (#1137, @sethvargo)
• Environment variable for maintenance mode (#1142, @whaught)
• Maintenance mode block issue and verify requests. Adds a banner to the header. (#1143, @whaught)
• Parameterize database_version in Terraform configuration (#1132, @sethvargo)

Alerts

• Add scaffolding for query param alert (#1187, @sethvargo)
• Added fast error budget burn alert and corresponding documentation. (#1101, @yuriatgoogle)
• Added slow error budget burn (5% consumed in 6 hours) alert. (#1120, @yuriatgoogle)

Internationalization

• Add REGION to .env (#1173, @sethvargo)
• Add internationalization framework (no supported translations yet) (#1107, @sethvargo)
• Add locales to Docker image (#1122, @sethvargo)

Auditing

• **Warning!*- - Enable and configure pgaudit. You *must- run the Terraform configuration changes before deploying this commit with migrations. (#1176, @sethvargo)
• Generate an audit entry when quota is increased (#1124, @sethvargo)

UI Improvements

• Mark e2e and testing events as "test" to filter them out from audit entries. (#1183, @sethvargo)
• Truncate long event entries in UI (#1134, @sethvargo)

Fixes

• Ensure code status is retained for 14 days, but the code itself is zeroed at 48h (#1178, @whaught)
• Set timeouts on rawSQL before gorm (#1156, @sethvargo)
• Stop processing after the controller returns an error in admin statistics pages. (#1184, @sethvargo)
• Lookup realm before passing in ID (#1185, @sethvargo)

Uncategorized

• Cleanup for old users who have no realms and have aged out. This clears their DB information, but not their auth. (#1135, @whaught)
• Default max test/symptom age is 28 days (#1154, @mikehelmick)
• /home paths redirect to /codes (#1102, @sethvargo)

Dependencies

Added

• github.com/agext/levenshtein: v1.2.1
• github.com/apparentlymart/go-dump: 23540a0
• github.com/apparentlymart/go-textseg/v12: v12.0.0
• github.com/apparentlymart/go-textseg: v1.0.0
• github.com/hashicorp/hcl/v2: v2.7.0
• github.com/kylelemons/godebug: d65d576
• github.com/leonelquinteros/gotext: v1.4.0
• github.com/sergi/go-diff: v1.0.0
• github.com/vmihailenco/msgpack: v3.3.3+incompatible
• github.com/zclconf/go-cty: v1.2.0

Changed

• github.com/google/exposure-notifications-server: v0.16.0 → v0.17.0
• github.com/mikehelmick/go-chaff: v0.3.0 → v0.4.1
• golang.org/x/tools: 079ba7b → 1d69943

Removed

Nothing has changed.

v0.16.1

• Changes from v0.16.0

• Merges a single change to the terraform configuration that allows the notification-email to be set by var

v0.16.0

Changes since v0.15.1

Important

• Critical bug! Fixed JWT iss and aud fields could be mixed up. (#939, @mikehelmick)

• Verification codes uniqueness now scoped by realm. Codes are retained 48 hours after expiration by default (instead of 24h). Status of a code (by UUID) is retained for 14d instead of 24h. (#969, @mikehelmick)

UI/UX

• Add pagination helpers (#953, @sethvargo)
• Add pagination to mobile apps (#955, @sethvargo)
• Improved UI and added pagination for API keys (#954, @sethvargo)
• Only show 5 next/prev pages in pagination. (#1017, @sethvargo)
• Pagination for audit logs (#1020, @whaught)
• Add realm search for system admins. (#1035, @sethvargo)
• Add search for mobile apps (#1043, @sethvargo)
• Allow searching API keys (#1018, @sethvargo)
• Create time-based search for event entries (#1023, @whaught)
• Fix system admin events search form (#1036, @sethvargo)
• Search for system-admin mobile apps (#970, @whaught)
• Show all mobile apps in system admin (#951, @whaught)
• Show event logs in system-admin (#1025, @whaught)
• Show regular users across realms in system-admin. Allow deletion. (#980, @whaught)
• Add unique titles to all HTML pages (#1021, @sethvargo)
• Limit number of non-deleted KMS signing keys on a realm (default: 5, configurable) (#1000, @sethvargo)
• System admin user-details page (#995, @whaught)
• Toggle for user search for all/system-admin (#988, @whaught)
• Update system admin UX to match realm pages. (#999, @sethvargo)
• Update user list UI and UX (#964, @sethvargo)
• Move /users to /realm/users (#1024, @whaught)
• Rename users admin to system_admin for clarity. (#984, @sethvargo)

Operations

• Add unique request_id for logs (#1012, @sethvargo)
• Added debug logging to device APIs (#949, @mikehelmick)
• Support configuring regional database replicas. (#1014, @sethvargo)
• Switch to nobody user for running container images (#947, @sethvargo)

Settings

• Default to "date required" on new realms. Existing realms are unchanged. (#1033, @mikehelmick)

Infrastructure

• Add Terraform module to optionally mirror dependent Docker Hub images for tests (#981, @sethvargo)

Misc

• Ensure bits don't overflow when running on 32-bit systems (#1002, @sethvargo)
• Allow admins to add/remove users from other realms (#1007, @sethvargo)
• Do not return successful JSON on SMS error (#1031, @sethvargo)
• E2e-runner improvements, fixes race condition (#1011, @mikehelmick)

Dependencies

Added

• github.com/form3tech-oss/jwt-go: v3.2.2+incompatible

Changed

• cloud.google.com/go: v0.68.0 → v0.71.0
• github.com/Azure/azure-sdk-for-go: v46.4.0+incompatible → v48.1.0+incompatible
• github.com/Azure/go-autorest/autorest/adal: v0.9.4 → v0.9.5
• github.com/Azure/go-autorest/autorest/azure/auth: v0.5.2 → v0.5.3
• github.com/Azure/go-autorest/autorest/azure/cli: v0.4.1 → v0.4.2
• github.com/Azure/go-autorest/autorest: v0.11.8 → v0.11.11
• github.com/Microsoft/go-winio: fc70bd9 → v0.4.15
• github.com/aws/aws-sdk-go: v1.35.3 → v1.35.24
• github.com/dimchansky/utfbom: v1.1.0 → v1.1.1
• github.com/golang/protobuf: v1.4.2 → v1.4.3
• github.com/google/exposure-notifications-server: v0.15.0 → v0.16.0
• github.com/google/martian/v3: v3.0.0 → v3.1.0
• github.com/google/pprof: acf8798 → 3e6fc7f
• github.com/grpc-ecosystem/grpc-gateway: v1.15.0 → v1.16.0
• github.com/hashicorp/go-retryablehttp: v0.6.7 → v0.6.8
• github.com/ianlancetaylor/demangle: 5e5cf60 → 28f6c0f
• github.com/pierrec/lz4: v2.5.2+incompatible → v2.6.0+incompatible
• github.com/prometheus/client_golang: v1.7.1 → v1.8.0
• github.com/prometheus/common: v0.14.0 → v0.15.0
• go.opencensus.io: v0.22.4 → v0.22.5
• golang.org/x/crypto: 7f63de1 → 9e8e0b3
• golang.org/x/net: 0a1ea39 → 69a7880
• golang.org/x/oauth2: 5d25da1 → 9fd6049
• golang.org/x/sync: 3042136 → 67f06af
• golang.org/x/text: v0.3.3 → v0.3.4
• golang.org/x/tools: 576e169 → 079ba7b
• google.golang.org/api: v0.32.0 → v0.35.0
• google.golang.org/appengine: v1.6.6 → v1.6.7
• google.golang.org/genproto: 3860012 → 8816d57
• google.golang.org/grpc: v1.32.0 → v1.33.2
• honnef.co/go/tools: v0.0.1-2020.1.5 → v0.0.1-2020.1.6

Removed

Nothing has changed.

v0.15.1

Release notes for v0.15.1

Changelog since v0.15.0

Changes by Kind

Bug fixes and improvements

• BUG FIX - Issuer and Audience fields could be mixed up. Was introduced in v0.15.0 (#939, @mikehelmick)

Infrastructure improvements

• Enable BinaryAuth and Container Analysis APIs (#937, @sethvargo)
• Update to use new alpha flag (#938, @sethvargo)

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.
lmick))

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.

v0.15.0

Changes since v0.14.0

Notable

• Change default symptom age from 14 to 27 days. (#925, @mikehelmick)

Security

• Scope mobileapp lookup to the realm. (#929, @sethvargo)

Realm administration

• Realm stats now supports CSV export:
  ${SERVER}/realm/stats?csv
  Returns overall realm stats.
  ${SERVER}/realm/stats?csv&user
  Returns the per-user realm stats. (#922, @jeremyfaller)

Misc

• Add test harness for headless browser testing (#881, @sethvargo)
• Adds alert playbooks (#911, @icco)
• Allow realm custom template for invitations (#917, @whaught)
• Clarify that recently issued codes are your recently issued codes. (#927, @sethvargo)
• Clean up deleted API keys after 1 week (#909, @sethvargo)
• Fix context race when sending email via SMTP (#898, @sethvargo)
• Fixes an issue where certain non-printable unicode characters would accepted as valid characters for the verification certificate issuer and audience. (#931, @mikehelmick)
• Introduce auth provider interface (#902, @sethvargo)
• Make it possible to save system email configs (#900, @sethvargo)
• Switch emails to plaintext renderer (#899, @whaught)
• Fixes overflow error in capacity metrics when burst quota is given. (#913, @icco)

Dependencies

Added

• github.com/chromedp/cdproto: 1c6a710
• github.com/chromedp/chromedp: v0.5.3
• github.com/chromedp/sysutil: dc95e7e
• github.com/gobwas/httphead: 2c6c146
• github.com/gobwas/pool: v0.2.0
• github.com/gobwas/ws: v1.0.2
• github.com/knq/sysutil: 15668db

Changed

• github.com/google/exposure-notifications-server: v0.14.0 → v0.15.0
• github.com/mailru/easyjson: d5b7844 → v0.7.1

Removed

Nothing has changed.

v0.14.0

Release notes for main

Documentation

Changelog since v0.13.0

Changes by Kind

API Changes

• API CHANGE : /api/verify now returns the testDate in addition to symptom date if present. When the verification certificate is issue only one interval is inserted: symptomDate if present, testDate if not. (#883, @mikehelmick)
• Updated API documentation to reflect new fields in verify response. (#892, @mikehelmick)

Custom SMTP Email

• Per-realm override of emailer used for invitations, verification, and password reset (#849, @whaught)
• System level email setting (#859, @whaught)

Production Support

• Add Terraform output for backup command (#888, @sethvargo)
• Automatically backup the Cloud SQL database to GCS every 6 hours (#875, @sethvargo)
• Support multiple keys for HMAC secrets (#863, @sethvargo)

Minor / Fixes

• Document setting versioning and lifecycle on Terraform state (#870, @sethvargo)
• Fix redirect loop when verifying email for an admin with no realm selected (#887, @whaught)
• Pull CSRF token from meta tags (#897, @sethvargo)
• Serve JS and CSS as separate assets (#880, @sethvargo)

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.

v0.13.0

Release notes for main

Documentation

Changelog since v0.12.1

Changes by Kind

Security

• Limits redirector load balancer to only use TLS 1.2+ (#855, @icco)
• Sets the default TLS to 1.2+ for the verification server loadbalancer. (#852, @icco)

Fixes

• Fixed statistics reporting dates.
  Previously, it was possible for many statistics to report themselves on the wrong day. This has been fixed. (#851, @jeremyfaller)
• Fixes the dates reported in the statistics.
  Before this change, it's quite likely that the date reported for all statistics on VerificationCode creation was a day earlier than it was supposed to be. (#847, @jeremyfaller)

Dependencies

Added

Nothing has changed.

Changed

• github.com/google/exposure-notifications-server: v0.12.0 → v0.13.0

Removed

Nothing has changed.