RELEASE: v1.0.0-rc.2

[taylortom]

Note: These notes have been retro-added for posterity.

---

This release encompasses a number of fixes resulting from a thorough system penetration test which was carried out by a third-party security company. Due to the nature of some of the fixes, there are some breaking changes from previous releases of the authoring tool.

When testing this release, it is recommended to start with a clean install. If this is not possible, see the notes below.

Headline updates

• Node.js requirement has been bumped to Hydrogen LTS (v18)

  MongoDB config note: if connecting to a local MongoDB instance, you will need to set your connectionUri to 0.0.0.0 rather than localhost (e.g. mongodb://0.0.0.0/adapt-authoring), otherwise the app will not be able to connect to the database.

• The authentication mechanism has been made more secure (and configurable). If you stick with the default configuration, you will notice that you're being logged out of the authoring tool more regularly. This is as designed, and is configured using the follow config options:

  • adapt-authoring-auth.defaultTokenLifespan: This was previously set to 99 years, and has been reduced to a more sensible 7 days.
  • adapt-authoring-sessions.lifespan: This has been reduced to one hour, and is used in conjunction with adapt-authoring-sessions.rolling (when set).
  • adapt-authoring-sessions.rolling: This is a new option, and means that the current session cookie will remain active for as long as the user is working in the authoring tool. After a period of inactivity (set by adapt-authoring-sessions.lifespan), the cookie will become stale, requiring the user to log in again.

• Extra schema keywords have been added to allow API data to be filtered before and after requests:

  • isReadOnly: ensures that an attribute is returned via the API, but is not editable by incoming requests
  • isInternal: disables any read or write access to an attribute, which is only used internally by the application

• UI build process has been completely overhauled:

  • All build files have been moved into temp
  • Non-production builds are now quicker, as no JS is processed
  • Added support for a .rebuild-ui file which will trigger a rebuild when present (this file is created every time the UI module codebase is updated via npm)
  • All third-party libraries have been updated, consolidated and moved into a separate module for easier maintenance

Migration notes

• App data folders have been changed to allow more transparency and a better level of configurability. If you have not modified the directory values in your config file, you will need to either set these to match your current folder structure, or move your data and temp folders to the following locations:
  • data => APP_DATA/data
  • temp => APP_DATA/temp
• User authentication has been modified to remove support for multiple auth types. If using an existing install, all users' authTypes will need to be manually converted to a string called authType.
• A number of existing config options which specify time durations have be changed to accept string values rather than numbers. This is to make config files more readable (e.g. a duration of one day changes from 86400000 to "1d"). Any time values which you have customised in your config file will need to be updated. See the configuration docs to check your own config (if you don't have any custom time settings in your config file, these will be updated automatically).