Note: version 2.100.1 fixed a TOTP reset bug in the briefly available 2.100.0. These are the release notes for 2.100.0, plus the fix.
- New feature: Google Authenticator two-factor authentication (TOTP) support for Apostrophe accounts. Set the
totp: trueoption of the
apostrophe-loginmodule. When enabled, users (including admins) are required to set up and complete authentication with Google Authenticator or a compatible TOTP app on their mobile device. On the user’s next login they set up Google Authenticator; after that they must supply a code from Google Authenticator at each login. If a user loses their device, an admin can reset their access by editing that user via “Manage Users” and selecting “Reset TOTP 2-Factor Authentication.” If the admin loses their device, they can use the new
apostrophe-users:reset-totpcommand line task. Thanks to Michelin for making this work possible via Apostrophe Enterprise Support.
- New feature:
resetLegacyPassword: trueoption for
apostrophe-login. When the
passwordMinLengthoptions are present, enabling
resetLegacyPasswordpermits the user to change their password right away at login time if it is correct, but does not meet your new standards for adequate passwords. This does not require receiving a confirmation email; if you are concerned by that, consider enabling
passwordResetinstead if you are willing to configure email delivery. Thanks to Michelin for making this work possible via Apostrophe Enterprise Support.
- New feature:
resetKnownPassword: trueoption for
apostrophe-login. When enabled, a currently logged-in user is permitted to change their own password without receiving an email, as long as they know their current password. This adds an additional admin bar item, which you may want to group. Thanks to Michelin for making this work possible via Apostrophe Enterprise Support.
- Performance: Apostrophe is now much faster when editing a piece with hundreds of areas in its schema. Thanks to Bharathkumar Chandrasekaran of Freshworks for his contributions to finding the solution.
- Bug fix:
passwordMinLengthno longer break support for new users created via
apostrophe-passportwho use single sign-on and do not have explicit passwords in Apostrophe.
- Developer warning: a module that implements a widget must have a name ending in
-widgetsor the editor will not work properly in the browser. We now display a warning.
- Developer warning: if the developer tries to configure
piecesFiltersfor the pieces module, rather than the corresponding pieces-pages module, a warning is displayed.
- UI fix: modal dialog box height corrected. Thanks to Paul Grieselhuber for this contribution.
- UI fix: better Microsoft Edge support. Thanks to Denis Lysenko.
- Must confirm when resetting password, since there are no do-overs if we do not have the email confirmation method available (with
resetLegacyPassword: true) and since it’s generally a pain not to have this.
- Fixed the “Reset TOTP authentication” feature of “Manage Users” (2.100.1).
- Joins in
objectfields now remap properly when committing. Thanks to Eric Wong for this contribution.
- The new
apostrophe-workflow:removetask removes workflow from a project completely. You MUST remove
app.jsimmediately AFTER you run this task, and your site should NOT be running while you run the task. NOTE: if you are localizing content, you will lose ALL BUT ONE of your locales if you remove workflow! You do get to choose which to keep. You really should READ THE DOCUMENTATION for more information about the consequences and the right way to use this in production.