Apostrophe 2 v2.110.1 Release Notes

Release Date: 2020-08-12 // about 18 hours ago
    • ✂ Removes the aposBody template macro, which was unused.

Previous changes from v2.110.0

    • 🔒 Security: added support for throttling login attempts. If you set the throttle option of apostrophe-login to { allowedAttempts: 3, perMinutes: 1, lockoutMinutes: 1 }, a user will be locked out and unable to try again for 1 minute after three failed login attempts in 1 minute. Thanks to Michelin for making this work possible via Apostrophe Enterprise Support.
    • Schemas: you may now set a regular expression to be used to validate any string schema field by setting the pattern property of the schema field. Please note that pattern must be a string, not a regular expression literal. Otherwise it will only be validated on the server side, causing confusion for the user when it 💻 is not reported on the browser side. You may also set patternErrorMessage to provide a clear explanation to the user when their input does not match. When setting pattern as a string always remember to escape the \ character properly (you will often need two \ characters, for instance \\w). To avoid Denial of Service attacks, take care to avoid evil regular expressions.
    • 🔒 Security: added an apostrophe-login:before promise event which is emitted with (req) before a login attempt is evaluated. If a handler throws a string as an error, that string is internationalized and displayed as a login error, otherwise login proceeds normally. This can be used to implement features like the new apostrophe-login-recaptcha module, which you can install separately.
    • 🔒 Security: to ease implementation of apostrophe-login-recaptcha, the login form now has data-apos-login-form and data-apos-login-submit-button attributes on the appropriate elements.
    • 📚 Security: when requiring Google Authenticator or a similar app for login (TOTP), you may now limit the requirement to certain groups, by passing a setting like totp: { groups: true } to the apostrophe-login module rather than just totp: true. Admins may then select which groups actually require TOTP by selecting it when editing the group (look at the permissions tab). In addition, the existing totp option has been added to the module documentation.