Apostrophe 3.13.0

[agilbert]

Hi everyone,

One month of 2022 is in the books - I hope it was a great January for everyone. Today we shipped our latest release of Apostrophe features and modules, and I’m happy to share some details on those with you all.

The release includes some new hooks in the core of Apostrophe to support customizations of the login experience. We’re using these hooks in two new modules that have been shipped as beta releases.

• Login TOTP adds a TOTP (Time-based One-Time Password) check when any user logs into the site, compatible with Google Authenticator or any TOTP app.
• Login reCAPTCHA adds a reCAPTCHA check when any user logs into the site. It uses reCAPTCHA v3, which means that the test is invisible aside from a reCAPTCHA logo at the bottom of the screen.

Following the release of our Passport Bridge module in January, we’re excited to make these additional security enhancements available as open source modules, and hope that other developers are able to leverage the new hooks in the core to extend the login behavior of Apostrophe in helpful ways.

As always, read on for the full release notes, and enjoy the weekend 🌞

Apostrophe 3.13.0

Adds

• Additional requirements and related UI may be imposed on native ApostropheCMS logins using the new requirements feature, which can be extended in modules that improve the @apostrophecms/login module. These requirements are not imposed for single sign-on logins via @apostrophecms/passport-bridge. See the documentation for more information.
• Adds latest Slovak translation strings to SK.json in i18n/ folder. Thanks to Michael Huna for the contribution.
• Verifies afterPasswordVerified requirements one by one when emitting done event, allows to manage errors ans success before to go to the next requirement. Stores and validate each requirement in the token. Checks the new askForConfirmation requirement option to go to the next step when emitting done event or waiting for the confirm event (in order to manage success messages). Removes support for afterSubmit for now.

Fixes

• Decodes the testReq param property in serveNotFound. This fixes a problem where page titles using diacritics triggered false 404 errors.
• Registers the default namespace in the Vue instance of i18n, fixing a lack of support for un-namespaced l10n keys in the UI.

Apostrophe 3.x modules

content-upgrader 3.0.0-beta

• Replaced defaultLocale option with mapLocale, which defaults to mapping default to en, as that's the right thing to do for projects with or without workflow in most cases, and allows for a broader remapping if needed. Clarified documentation on how this works and implemented it for the case where workflow is enabled for the first time.
• The visibility property is now set, as required in A3. If published was true it is set to public, otherwise to loginRequired. While the two features are not identical this does a good job of avoiding premature public access to migrated content.
• Don't crash if the workflow module is enabled with no prefixes option.
• Supply an _id for every exported area.
• As the content upgrader intentionally does not copy user and group pieces, it should not copy the aposUsersSafe collection from 2.x to 3.x, either.

form 1.0.0

Fixes

• Sets the dev dependency of Apostrophe to a published version.
• Fixes a typo in the recaptchaValidationError l10n key.
• Fixes an incorrect error localization key usage.

Adds

• Adds full support for file field widgets, including a new dedicated upload route.

login-recaptcha 1.0.0-beta

• This login verification module adds a reCAPTCHA check when any user logs into the site. It uses reCAPTCHA v3, which means that the test is invisible aside from a reCAPTCHA logo at the bottom of the screen.

login-totp 1.0.0-beta

• This login verification module adds a TOTP (Time-based One-Time Password) check when any user logs into the site, compatible with Google Authenticator or any TOTP app. When activated, it will ask unregistered users to add a token to their app through a QR code. Once done, it will ask users to enter the code provided by their app after the initial login step.

multisite 3.2.1

• Part of our enterprise offering. Fixed a bug that affected non-admin users with no sites yet when the privateDashboards option is enabled.

Apostrophe 2.220.8

• Worked around bug preventing proper translation of the "Selected" message in certain modal operations. Thanks to stepanjakl.

Other modules

sanitize-html 2.7.0

• Allows a more sensible set of default attributes on <img /> tags. Thanks to Zade Viggers.