Apostrophe 2 v2.110.0 Release Notes
Release Date: 2020-07-29
- Security: added support for throttling login attempts. If you set the `throttle` option of `apostrophe-login` to `{ allowedAttempts: 3, perMinutes: 1, lockoutMinutes: 1 }`, a user will be locked out and unable to try again for 1 minute after three failed login attempts in 1 minute. Thanks to Michelin for making this work possible via Apostrophe Enterprise Support.
- Schemas: you may now set a regular expression to be used to validate any `string` schema field by setting the `pattern` property of the schema field. Please note that `pattern` must be a string, not a regular expression literal. Otherwise it will only be validated on the server side, causing confusion for the user when it is not reported on the browser side. You may also set `patternErrorMessage` to provide a clear explanation to the user when their input does not match. When setting `pattern` as a string, always remember to escape the `\` character properly (you will often need two `\` characters, for instance `\\w`). To avoid Denial of Service attacks, take care to avoid evil regular expressions.
- Security: added an `apostrophe-login:before` promise event which is emitted with `(req)` before a login attempt is evaluated. If a handler throws a string as an error, that string is internationalized and displayed as a login error; otherwise login proceeds normally. This can be used to implement features like the new `apostrophe-login-recaptcha` module, which you can install separately.
- Security: to ease implementation of `apostrophe-login-recaptcha`, the login form now has `data-apos-login-form` and `data-apos-login-submit-button` attributes on the appropriate elements.
- Security: when requiring Google Authenticator or a similar app for login (TOTP), you may now limit the requirement to certain groups by passing a setting like `totp: { groups: true }` to the `apostrophe-login` module rather than just `totp: true`. Admins may then select which groups actually require TOTP by selecting it when editing the group (look at the permissions tab). In addition, the existing `totp` option has been added to the module documentation.
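The following is an added example, not Apostrophe's own code, that models the two login-related behaviours described above: the `throttle` semantics (`allowedAttempts` failures within `perMinutes` lock the account for `lockoutMinutes`) and a promise-based "before" hook whose handlers reject a login by throwing a string. The `LoginGate` class, its method names and the injected clock are hypothetical and exist only to make the behaviour observable in a stand-alone run.

```javascript
// Added example (not Apostrophe's own implementation). LoginGate, attempt(),
// recordFailure() and the clock parameter are hypothetical names.

// Same shape as the `throttle` option described in the release notes.
const THROTTLE = { allowedAttempts: 3, perMinutes: 1, lockoutMinutes: 1 };

class LoginGate {
  // `now` is injectable so a scenario can advance time deterministically.
  constructor(options = THROTTLE, now = () => Date.now()) {
    this.options = options;
    this.now = now;
    this.failures = new Map();    // username -> timestamps (ms) of recent failures
    this.lockedUntil = new Map(); // username -> timestamp (ms) when lockout ends
    this.beforeHandlers = [];     // stand-in for 'apostrophe-login:before' handlers
  }

  // Register a (possibly async) handler run before each attempt is evaluated.
  on(handler) { this.beforeHandlers.push(handler); }

  isLocked(username) {
    const until = this.lockedUntil.get(username);
    return until !== undefined && this.now() < until;
  }

  // Count a failed attempt inside a sliding window of `perMinutes` minutes;
  // reaching `allowedAttempts` failures starts a lockout of `lockoutMinutes`.
  recordFailure(username) {
    const windowMs = this.options.perMinutes * 60 * 1000;
    const t = this.now();
    const recent = (this.failures.get(username) || []).filter(ts => t - ts < windowMs);
    recent.push(t);
    this.failures.set(username, recent);
    if (recent.length >= this.options.allowedAttempts) {
      this.lockedUntil.set(username, t + this.options.lockoutMinutes * 60 * 1000);
      this.failures.delete(username);
    }
  }

  // Evaluate one login attempt. A handler that throws a string turns that
  // string into the login error shown to the user; other errors propagate.
  async attempt(req, checkPassword) {
    if (this.isLocked(req.username)) {
      return { ok: false, error: 'Too many attempts, try again later' };
    }
    for (const handler of this.beforeHandlers) {
      try {
        await handler(req);
      } catch (e) {
        if (typeof e === 'string') return { ok: false, error: e };
        throw e;
      }
    }
    if (await checkPassword(req.username, req.password)) {
      this.failures.delete(req.username);
      return { ok: true };
    }
    this.recordFailure(req.username);
    return { ok: false, error: 'Invalid credentials' };
  }
}

// Constructed walk-through of the throttle: three failures within one minute,
// then a lockout that expires exactly lockoutMinutes after the third failure.
function throttleScenario() {
  let clock = 0;
  const gate = new LoginGate(THROTTLE, () => clock);
  const timeline = [];
  for (const t of [0, 10000, 20000]) {
    clock = t;
    gate.recordFailure('admin');
    timeline.push({ t, locked: gate.isLocked('admin') });
  }
  clock = 50000; timeline.push({ t: clock, locked: gate.isLocked('admin') });
  clock = 80000; timeline.push({ t: clock, locked: gate.isLocked('admin') });
  return timeline;
}

// Constructed walk-through of the before-hook: a captcha-style handler that
// throws a string blocks the login even though the password is correct.
async function hookScenario() {
  const gate = new LoginGate();
  gate.on(async (req) => {
    if (req.captcha !== 'ok') throw 'Please complete the captcha';
  });
  const check = async (u, p) => u === 'admin' && p === 'correct horse';
  const first = await gate.attempt({ username: 'admin', password: 'correct horse' }, check);
  const second = await gate.attempt({ username: 'admin', password: 'correct horse', captcha: 'ok' }, check);
  return [first, second];
}
```

The lockout check runs before the hook handlers, so a locked-out user gets the throttle message regardless of what the handlers would say; whether the real module orders these steps the same way is not stated on the page.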
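As an added example (not Apostrophe's own code) of the `pattern` note above: the field definitions and the `validateOnServer` / `validateInBrowser` helpers are hypothetical and only model why a string pattern validates on both sides while a RegExp literal is silently dropped on the way to the browser. The nested-quantifier lint at the end is a rough heuristic for the "evil regular expression" caveat, not a guarantee of safety.

```javascript
// Added example, not Apostrophe's own code. Field objects and validate*
// helpers are hypothetical models of the behaviour described in the notes.

// Correct: `pattern` is a string, so the backslash is doubled in the literal.
const goodField = {
  name: 'handle',
  type: 'string',
  pattern: '^\\w{3,16}$',
  patternErrorMessage: 'Handles are 3 to 16 letters, digits or underscores'
};

// Wrong: a RegExp literal. It validates on the server but never reaches the browser.
const badField = {
  name: 'handle',
  type: 'string',
  pattern: /^\w{3,16}$/,
  patternErrorMessage: 'Handles are 3 to 16 letters, digits or underscores'
};

// Schema definitions travel to the browser as JSON. A RegExp has no JSON
// representation and arrives as an empty object.
function fieldAsSeenByBrowser(field) {
  return JSON.parse(JSON.stringify(field));
}

function compilePattern(pattern) {
  if (pattern instanceof RegExp) return pattern;      // only possible server-side
  if (typeof pattern === 'string') return new RegExp(pattern);
  return null;                                         // e.g. {} after the JSON round trip
}

function validateOnServer(field, value) {
  const re = compilePattern(field.pattern);
  if (re && !re.test(value)) {
    return { valid: false, error: field.patternErrorMessage || 'Invalid value' };
  }
  return { valid: true };                              // no usable pattern: nothing to report
}

function validateInBrowser(field, value) {
  return validateOnServer(fieldAsSeenByBrowser(field), value);
}

// Rough lint for catastrophic backtracking: a group containing + or * that is
// itself repeated with + or *, e.g. (\w+)+ or (a*)+. Bounded repeats like
// (\d{1,3}\.){3} are not flagged. A lint, not a proof.
function hasNestedQuantifier(pattern) {
  return /\([^()]*[+*][^()]*\)[+*]/.test(pattern);
}
```

Running `validateInBrowser(badField, 'ab')` reports the value as valid while `validateOnServer(badField, 'ab')` rejects it, which is exactly the server-only validation the note warns about; with `goodField` both sides agree and surface `patternErrorMessage`.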