ChangeLog
train-2012.01.11 (in progress):
train-2012.01.05:
* client entropy pool mixes in randomness from server for better browser RNG: #298, #800
* new assertion format that avoids double (base64) encoding - 33% smaller: #507
* Turn license URL in ToS into a clickable link: #382
* limit post requests to 10kb: #822
* improved password length checks, check in client and server code more often
* after authenticating we store your userid rather than email in the session (many issues/possible attacks relate to this): #388
* session cookies are now encrypted, sent only when required, and generally more awesome: #416, #832
* IE8 display tweaks
* primary support 90% implemented but disabled in this train (*major* changes including schema, but not user visible)
* (hotfix on 2012.01.09) explicitly call .removeAllListeners() during http forwarding to eliminate memory leak: #839
train-2011.12.28:
* improve animation during cert/assertion procedures in dialog: #709
* user visible error message in dialog when under back-breaking load: #738
* cleanup and removal of stale deps from package.json
* improve mobile formatting: #747
* fixes in dialog communication channel: #748
* add a waiting screen while crypto is running on slow browsers: #706
* don't allow a user to re-add address they already have verified: #732
* CSP (content security policy) fixes: #676
* doc fixes regarding running browserid under vagrant
* doc fixes regarding new dependencies (libgmp for (much) faster crypto)
* bcrypt now runs out of process, uses all available cores, allows for app level 503 under extreme load: #694
* Fix "cancel" in the forgot password screen when accessed via required email: #754
* first time a user visits browserid.org, show a "learn more" message: #384
* partial code versioning/cache busting implementation: #226 #687
* improved build process - resource minification no longer leaves artifacts all over: #700
* clean up whitespace. meh. #758
* emails now come from "BrowserID@" instead of "noreply@": #756
* completely new implementation for cross domain window communication (https://github.com/lloyd/winchan) #764 #766
* allow canceling of "use a different email": #765
* improve language and UX of required email flow: #608
* better, earlier dev errors for required email: #632
* new assertion format (smaller by 66%) handled by verifier, to be generated by browserid next train: #507
* now you can change your password: #771 #114
* load generator improvements: #782
* improved PRNG: #789 #735
* fix regressions in the above: #719 & #776
* CSRF token uses better RNG: #800
train-2011.12.08:
* improve performance of unit tests. #686
* IE8 fixes. #688
* logging improvements. #681
* loadgen fixes. #682
* android fixes. #704
* performance improvements. #680
* moar instrumentation. #691
train-2011.12.01:
* BrowserID now requires NodeJS >= 0.6.2
* extensive work on load generation tool: #504
* modularize front-end, remove deps on stealjs and JSMVC: #609, #625, #634
* front-end refactoring: #578, #611, #608, #650, #654, #655
* regression fix: account consolidation possible without explicit canceling: #607 #612
* make it possible to gracefully update domain key at any time: #599
* domain key now uses RSA-2048: #600
* optimize (and combine) frontend resources (vepbundle): #606
* many rpm/packaging updates: #617, #656
* timestamps on all log entries: #541
* IE8 fixes: #615
* unit test fixes: #557 (revisited), #629, #657
* update_password WSAPI added: #560, #114
* verifier improvements and unit tests: #467, #598, #605, #643, #642, #645, #646
* node-mysql driver update - improved for prod env #648
* include a link to support.mozilla.com off of browserid.org - #533
* added command line tool to create an account: #603
* added command line tool to bcrypt a password: #651
* fix button heights in firefox on browserid.org: #658
* make sure logout is called only once in dialog: #666, #630
* make 'use another email address' more discoverable: #623
* use statsd for statistics reporting: #662
* heartbeat checks are now shallow, only indicating presence of a server and basic health: #566
* keysigner and verifier now saturate multiple cores via 'compute-cluster' module: #213
* fix spurious console error messages on sites that use postMessage and include.js: #534
* refine language in verification email: #672
* (hotfix on 2011.12.02) Fix regression where email rate limiting tooltips in dialog were not shown: #685
* (hotfix on 2011.12.02) Fix regression where emails sent out had no newlines: #684
* (hotfix on 2011.12.08) Fix bug where domain key update detection was not working properly, preventing users from logging in: #734
* (hotfix on 2011.12.08) Fix bugs in "internal api" used by native code (like openwebapps stuff): #601
train-2011.11.17:
* frontend code restructuring and refactoring
* process breakup complete (dbwriter, keysigner, browserid, and verifier): #460
* several updates to production deployment scripts (rpm generation): #571, #575
* all processes should log and exit hard if misconfigured: #576, #581
* complete 'keep me signed in' feature: #559, #490
* simplify and consolidate user facing help links in dialog: #553
* clean up user facing error messages (email throttling and sent email): #579, #577, #591
* moved 'this is not me' and 'use a different email' links based on UX suggestions: #459
* incrementally work to repair load_gen (not yet complete): #504
* unit test fixes: #504
* remove extraneous console logging: #574
* improve email validation in main site (whitespace handling): #583, #429
* fix serious regressions related to iOS5 fixes that prevented dialog from working the second time on RPs: #580, #588 #589
* fix "go back and try another" link in dialog: #587
* added "required email" feature: #491
* (added 2011.11.18) fix regression - sporadic assertion verification failures: #616
train-2011.11.10:
* keysigner process now handles certificate generation: #460
* verifier no longer supports CORS requests: #245
* experimental support for nodejs 0.6.0: #535
* reduce access to private key (only the keysigner has access to it): #539
* improve language of buttons during sign-in: #198
* better error messaging during sign-in/up interactions on main site: #542
* user only has to type their browserid password every two weeks (not one): #543
* upgrade mysql driver - no crash upon idle reconnection: #540
* address regression in #540 - reconnect to proper database (also fixes 'create_schema' flag): #548
* implement 'keep me signed in' - includes API changes and UX/UI changes: #490
* front end unit test improvements: #542, #408
* fix regression in tooltips (weren't showing contents): #547
* calls to __heartbeat__ aren't logged: #537
* strip whitespace on email input: #429
* fix sporadic errors in unit tests: #550, #556
* crypto changes to support IE8: #244
* fix tab ordering in UI: #544
* chrome specific UI fixes: #552
* better UI feedback when hovering over buttons: #553
* reorganization of browserid process, breakout of dbwriter (not yet enabled): #460
* improve log message error levels (be sparing with 'error'): #509
train-2011.11.03:
* Remember the last used email for a site, and optimize the default selection based on this: #1
* Fix regression where verification of assertions would fail for https sites: #500 (also hot-fixed in production https://github.com/mozilla/browserid/commit/1528364)
* improved end user visible error messages: #448, #465, #512, #515
* style/transition improvements for desktop and mobile devices: #494, #502, #522, #527
* refuse to send out more than one email per minute to the same address: #430
* be *really* smart about how long to display tool-tips in the dialog: #508
* behave reasonably (at least display content) when javascript is disabled: #510
* remember the users email as they transition between screens, when appropriate: #476
* Suppress iOS autocapitalization and auto-correction for email addresses: #464
* Improve front end email address validation: #513
* Improve repository organization: #503 & #488
* As part of above and in prep for #460 - all processes (browserid, verifier, etc) are now always run separately (never combined into the same express instance)
* Test improvements: #520, #530, #531
* Fix undefined reference (crash) in verifier after verification failure: #523 (hot-fixed in production: https://github.com/mozilla/browserid/commit/ba3c53)
* Remove UI that corresponds to unimplemented features: #519
* Handle upper case letters in domain part of email addresses properly: #501
* Use a more conventional log format that includes time-stamps when logging to file. closes #234
* Shutdown gracefully whenever possible, and always log why we go down: #529
* 'LOG_TO_CONSOLE' env var for verbose console output during tests: #530
* more checks around '/code_update' URL invocation - for bug #699171
* Many minor bug-fixes: #497, #532
* (2011.11.08) don't crash on mysql connection timeout: #540
train-2011.10.27:
* link fixing ('need help?' to point to SUMO): #378
* unit tests repaired: #469 (broken in fix to #82)
* improve handling of network errors: #448
* improve styling and language of email confirmation page: #349
* logging improvements: #455
* RPM generation script created (for installation of browserid on redhat [moz prod] boxes): #478
* SCHEMA CHANGES to improve database performance and scalability: #480
* change the health check call from '/ping.txt' to '/__heartbeat__': #481
* remove application level network timeouts (let the network stack do its job, the user can cancel if they get sick of it): #485
* improve messaging for unsupported browsers: #273, #484
* developer documentation improvements: #496
train-2011.10.20:
* android < 3.0 now supported: #461
* properly set assertion expiration time to when they expire, not when they're issued: #433, #457, #458
* update privacy policy language to jibe with new UI: #381
* add redirects for old URLs that no longer exist with the new UI: #376
* inside the minified include.js, link to uncompressed version for developer convenience and discovery: #432
* language tweaks: #437, #444
* improve button UI appearance on opera and IE: #435
* improve visual feedback for links: #440
* UI fixes for > 2 email addresses on iOS: #417
* smooth out screen transitions in dialog: #369
* improved "check your email" screen on mobile: #462
* no auto-caps nor auto-correct for iOS in add email field: #464
* improve event listening on input fields: #406
* remember email when moving user from signup to sign-in for known email address: #108
* don't call sync_emails more than necessary: #434
* assertions now include full origin (scheme+host+port). verifier accepts only host+port OR full origin, and returns whatever RP sends for back compat: #82
train-2011.10.13:
* fix verification of email in different browser than where verification is initiated: #336
* Android < 3.0 (browsers that can't handle JSON.parse("null")) now blocked explicitly (until we complete support)
* textual fixes to about page: #350
* 'cancel account' link added to manage page: #405
* warn user that removing last email address effectively cancels account: #394, #404, #137
* fixed signing dialog hang when you delete an email on manage page while dialog is open (now that's not obscure :P): #401
* Optimize UI in case where user has only 1 email address: #412
* smooth out transition from pick email to add new email pages: #410
* reposition remove buttons on manage page: #409
* identity and labs links open in new tabs: #380
* fix innocuous (but ugly) error in firefox error console: #390
* implement dynamic bcrypt work factor update: #204
* default work factor is now at 12 (NOTE: [re]authentication now takes 6x longer - ~600ms on our current hardware): #212
* many test fixes, and code refactoring, cleanup, and reorganization
* accept SMTP parameters from the environment: #214 (not yet closed)
* WSAPI CHANGES (https://github.com/mozilla/browserid/commit/511b56): all server responses are now objects: #217, #325
train-2011.10.06:
* full site & dialog redesign: (many, many closed issues are related to this, including #269, #343, #342, #347, #354, #356, #357, #350, #349, #364, #346, #336)
* improved debugging, all network callbacks are invoked asynchronously: #276
* MYSQL SCHEMA CHANGE: passwd field no longer in staged table (password is now set after verify link clickthrough)
* MYSQL SCHEMA CHANGE: add index to emails table: #209
* WSAPI CHANGES (to support new UI): https://github.com/mozilla/browserid/commit/b6ee51
* WSAPI CHANGES: a mis-set client clock no longer causes invalid assertions to be issued (wsapi changed to minimize network requests): #329
* disallow re-registration of existing account: #333
* (non-visible) namespacing in dialog code: #275
* API BREAKING CHANGE: verifier no longer supports GET requests: #98
* significant performance / UX improvement - keys are generated and certified when needed, not all upfront at sign-in: #278
* remove 'download printable format' language from privacy policy: #280
* faster keygen via crypto optimizations: https://github.com/mozilla/browserid/commit/778433
* improvements to mobile layout & usability (specific to the new UI)
* more user visible error messages to improve community sourced problem reports: #335
* IE8 improvements (still not fully supported): #246, #361, #346
* cookie fixes revisited, now on upstream version of connect-cookie-session: #310
* (merged 2011.10.07) fix unstyled flash at first dialog display: #365
train-2011.09.29:
* shortly after dialog is spawned, we remove the four random chars in the fragment (aesthetic)
* fix bug where session duration had an upper bound of 7 days - the time the server was running: #310
* fix bug where a user could go longer than 1 week without re-authenticating: #309
* fix link on /developers page to verifier source: #326
* (merged 2011.10.04) fix issue where a wrong-set client clock could prevent login: #329
* (external fix in myfavoritebeer) IE9 support: #240
train-2011.09.22:
* migrate to browserid signed certificates rather than keypairs where browserid hosts the public key: https://github.com/mozilla/browserid/issues?milestone=6
* IE9 support
* partial IE8 support (not yet usable, several small remaining bugs, and abysmal performance)
* development harness (./run.js) now respects an IP_ADDRESS env var to bind to a specific address (other than 127.0.0.1)
* improved first-time development experience: `git clone && cd browserid && npm install && npm run`
* initial support for running locally under virtualbox via vagrant: issue #261 (thanks ozten!)
* (fix 2011.09.23) fix race condition between relay iframe and window introduced with IE9 support. issue #287
* (fix 2011.09.23) fix blank popup on second signin invocation in same session in FFX: issue #286
* (fix 2011.09.23) explicitly disable caching for /wsapi calls, prevents unwanted caching of CSRF and friends. issue #294
train-2011.09.01:
* /ws_api/set_key always returns a value instead of HTTP 204 response: #219
* update javascript mvc to 3.1.0.
* major interframe/window communication change using a hidden relay iframe to facilitate IE: #97(still open)
* link colors on browserid.org are consistent: #227
train-2011.08.25:
* created command line load generation tool and performance analysis work: #125
* beginning unit/functional tests for front end: #183
* front end refactor to facilitate unit/functional tests and UX iteration: #183
* error messages are shown on front end: #184
* users must now verify account ownership before attempting a key sync.
* manage page date format: #191
* manage page button only displayed if user is currently authenticated: #195
* manage page emails are synced on page open: #181
* wsapi_client created for clients needing programmatic access to wsapi.
* harden set_key against duplicate keys.
* fix new email addresses added not being synced on client: #199
* upgrade to bcrypt 0.2.4.
* minify include.js by default: #206
* more than one email address can be added per dialog lifespan: #215
* verifier no longer verifies assertions issued by another server.
* (2011.08.31) no error message displayed if you try to authenticate with an invalid u/p: #222
train-2011.08.18:
* upon clickthrough of the email link, don't have the browser window close itself: #162
* passwords must be between 8 and 80 chars: #155
* improved handling of emailing & verification urls during local development & testing: #88
* language changes in dialog: #150
* many improvements to unit tests: #171
* forgotten password flow was broken with port to mysql, fixed: #170
* improved metrics reporting abstraction: #168
* moved all server logging into a single file: #169
* all files created at execution time are now in one location: #172
* developer ergonomics - improved colorized logging with terse webserver output to console
* always require a user to authenticate if they don't have an active session: #74
* improved CSRF protection to fix race conditions in previous train: #173
train-2011.08.12:
* massive zero-user-visible refactoring of dialog javascript.
* fix cancel button in "waiting for verification state" (issue #147)
* all browserid source is now tri-licensed (MPL1.1/GPL/LGPL). (issue #141)
* fixes for mobile firefox (fennec). (issue #140)
* mysql support implemented for browserid (default persistence in production) (issue #71)
* json persistence support added - a standalone dead simple persistence layer which is the default for local development and requires no external software.
* email secrets are now persisted in the database, so upon server restart outstanding verification links are no longer invalidated (issue #91)
* (website) styling changes - like fix issues where links on dev page were being displayed white on white.
train-2011.08.04:
* when user closes dialog without clicking "cancel", properly return 'null' to the webpage (via getVerifiedEmail callback) - issue #107
* improve checks to warn developer that prerequisite software is missing. issue #110
* parameterize software to support multiple deployment environments (dev/beta/prod) issues #102 & #52
* documentation updates.
* improved logging (using the winston logging framework for node.js)
* [website] fixed inclusion of youtube video (now over https to keep browsers from getting scared about mixed mode resource inclusion)
train-1:
* beginning of time, everything is new.
* (2011.08.03) include youtube video embedding over https (issue #112)
* (2011.08.04) fix mozillalabs.com link in dialog (issue #116)