apostrophe - npm Package Versions

3.16.0 (2022-03-18)

Adds

• Offers a simple way to set a Cache-Control max-age for Apostrophe page and GET REST API responses for pieces and pages. See the documentation for more information.
• API keys and bearer tokens "win" over session cookies when both are present. Since API keys and bearer tokens are explicitly added to the request at hand, it never makes sense to ignore them in favor of a cookie, which is implicit. This also simplifies automated testing.
• data-apos-test="" selectors for certain elements frequently selected in QA tests, such as data-apos-test="adminBar".
• Offer a simple way to set a Cache-Control max-age for Apostrophe page and GET REST API responses for pieces and pages.
• To speed up functional tests, an insecurePasswords option has been added to the login module. This option is deliberately named to discourage use for any purpose other than functional tests in which repeated password hashing would unduly limit performance. Normally password hashing is intentionally difficult to slow down brute force attacks, especially if a database is compromised.

Fixes

• POSTing a new child page with _targetId: '_home' now works properly in combination with _position: 'lastChild'.

3.15.0 (2022-03-02)

Adds

• Adds throttle system based on username (even when not existing), on initial login route. Also added for each late login requirement, e.g. for 2FA attempts.

3.14.2 (2022-02-27)

• Hotfix: fixed a bug introduced by 3.14.1 in which non-parked pages could throw an error during the migration to fix replication issues.

3.14.1 (2022-02-25)

• Hotfix: fixed a bug in which replication across locales did not work properly for parked pages configured via the _children feature. A one-time migration is included to reconnect improperly replicated versions of the same parked pages. This runs automatically, no manual action is required. Thanks to justyna1 for identifying the issue.

3.14.0 (2022-02-22)

Adds

• To reduce complications for those implementing caching strategies, the CSRF protection cookie now contains a simple constant string, and is not recorded in req.session. This is acceptable because the real purpose of the CSRF check is simply to verify that the browser has sent the cookie at all, which it will not allow a cross-origin script to do.
• As a result of the above, a session cookie is not generated and sent at all unless req.session is actually used or a user logs in. Again, this reduces complications for those implementing caching strategies.
• When logging out, the session cookie is now cleared in the browser. Formerly the session was destroyed on the server side only, which was sufficient for security purposes but could create caching issues.
• Uses express-cache-on-demand lib to make similar and concurrent requests on pieces and pages faster.
• Frontend build errors now stop app startup in development, and SCSS and JS/Vue build warnings are visible on the terminal console for the first time.

Fixes

• Fixed a bug when editing a page more than once if the page has a relationship to itself, whether directly or indirectly. Widget ids were unnecessarily regenerated in this situation, causing in-context edits after the first to fail to save.
• Pages no longer emit double beforeUpdate and beforeSave events.
• When the home page extends @apostrophecms/piece-page-type, the "show page" URLs for individual pieces should not contain two slashes before the piece slug. Thanks to Martí Bravo for the fix.
• Fixes transitions between login page and afterPasswordVerified login steps.
• Frontend build errors now stop the @apostrophecms/asset:build task properly in production.
• start replaced with flex-start to address SCSS warnings.
• Dead code removal, as a result of following up on JS/Vue build warnings.

3.13.0 - 2022-02-04

Adds

• Additional requirements and related UI may be imposed on native ApostropheCMS logins using the new requirements feature, which can be extended in modules that improve the @apostrophecms/login module. These requirements are not imposed for single sign-on logins via @apostrophecms/passport-bridge. See the documentation for more information.
• Adds latest Slovak translation strings to SK.json in i18n/ folder. Thanks to Michael Huna for the contribution.
• Verifies afterPasswordVerified requirements one by one when emitting done event, allows to manage errors ans success before to go to the next requirement. Stores and validate each requirement in the token. Checks the new askForConfirmation requirement option to go to the next step when emitting done event or waiting for the confirm event (in order to manage success messages). Removes support for afterSubmit for now.

Fixes

• Decodes the testReq param property in serveNotFound. This fixes a problem where page titles using diacritics triggered false 404 errors.
• Registers the default namespace in the Vue instance of i18n, fixing a lack of support for un-namespaced l10n keys in the UI.