
v0.4.4 #72

Merged
merged 8 commits into from
Jan 16, 2024

Conversation

@cjlapao (Collaborator) commented Jan 11, 2024

Description

Added

  • brute force attack protection: this will lock accounts after x attempts (by
    default five attempts) and will by default use incremental wait periods for each
    failed attempt; all of these parameters can be changed
  • added the ability to sign a token with different algorithms; by default, it will
    use HS256, but you can change it to RS256, HS384, RS384, HS512 or RS512. This will
    cater for the request we had for asymmetric keys
  • added a random secret generator for the default HS256 if none is provided. This
    is a change from previous versions, where we used the machine ID as the secret;
    this will increase the security of the default installation
  • I added a password complexity pipeline for checking if the user's passwords adhere
    to the complexity requirements; this can be disabled if required. By default, the
    password complexity is enabled, and the complexity is set to 12 characters, at least
    one uppercase, one lowercase, one number and one special character
  • added a diagnostics class to better cater for errors and exceptions. This will
    allow us to handle errors and exceptions better and return a more meaningful
    error message to the user. At the moment it is not used in all of the code, but we
    will be adding it to all of the code in the future

Changed

  • added back the ability to hash passwords using the SHA256 algorithm. This was
    removed in a previous version, but we have added it back as some users already
    had passwords hashed using this algorithm, and this was breaking them. The default
    installation will use the bcrypt algorithm

Fixed

  • fixed an issue where the token validation endpoint was not working and only accepted
    GET requests; it now accepts only POST requests, as expected and documented

Type of change

Please delete options that are not relevant.

  • Documentation Change
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Checklist:

  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have run tests that prove my fix is effective or that my feature works
  • I have updated the CHANGELOG.md file accordingly
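The account-lockout behaviour described in the first "Added" bullet (lock after five failed attempts by default, with incremental wait periods, all parameters configurable), as an added Go example that is not the project's own code: the language, the names `LockoutPolicy`, `Limiter` and `DefaultPolicy`, and the doubling-wait schedule capped at `MaxWait` are assumptions made here.

```go
package main

import "time"

// LockoutPolicy holds the PR's tunable parameters; the doubling schedule below is assumed.
type LockoutPolicy struct {
	MaxAttempts       int
	BaseWait, MaxWait time.Duration
	Incremental       bool
}
// DefaultPolicy uses the PR's stated defaults: lock after five attempts, incremental waits.
var DefaultPolicy = LockoutPolicy{MaxAttempts: 5, BaseWait: time.Minute, MaxWait: time.Hour, Incremental: true}
// LockDuration doubles BaseWait for each failure beyond MaxAttempts when Incremental is set,
// never exceeding MaxWait.
func (p LockoutPolicy) LockDuration(failures int) time.Duration {
	w := p.BaseWait
	for i := p.MaxAttempts; p.Incremental && i < failures && w*2 <= p.MaxWait; i++ {
		w *= 2
	}
	return w
}
// Limiter keeps per-account state in memory (single-goroutine illustration; a service would
// add a mutex or persist it). now is an injectable clock so tests can advance time.
type Limiter struct {
	policy   LockoutPolicy
	failures map[string]int
	locked   map[string]time.Time
	now      func() time.Time
}
func NewLimiter(p LockoutPolicy, now func() time.Time) *Limiter {
	return &Limiter{policy: p, failures: map[string]int{}, locked: map[string]time.Time{}, now: now}
}
// Allowed is checked before the password is verified; retryAfter is non-zero while locked.
func (l *Limiter) Allowed(user string) (ok bool, retryAfter time.Duration) {
	if until := l.locked[user]; l.now().Before(until) {
		return false, until.Sub(l.now())
	}
	return true, 0
}
// RecordFailure counts a failed password check: reaching MaxAttempts locks the account, and
// each further failure after a lock expires lengthens the next lock.
func (l *Limiter) RecordFailure(user string) (locked bool, wait time.Duration) {
	if l.failures[user]++; l.failures[user] < l.policy.MaxAttempts {
		return false, 0
	}
	wait = l.policy.LockDuration(l.failures[user])
	l.locked[user] = l.now().Add(wait)
	return true, wait
}
// RecordSuccess clears the state so a legitimate login resets the schedule.
func (l *Limiter) RecordSuccess(user string) { delete(l.failures, user); delete(l.locked, user) }
```

Because the lock is keyed by account, a burst of bad logins also keeps the real owner out; the capped, incremental wait (rather than a permanent lock) is what bounds that impact, and `retryAfter` is the value the login handler should surface to the client.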


@cjlapao cjlapao merged commit d9479ed into main Jan 16, 2024
1 check passed
@cjlapao cjlapao deleted the security-update-090124 branch January 16, 2024 14:40