RC65 patch 1

Bugs and Enhancements

• Update LOA3 "failure to proof" screens #2454
• Redirect piv/cac errors to cleanup url #2380
• Add spinner when requesting piv/cac cert from user #2258
• Piv/cac available based on email domain #2429
• Track additional IdV analytics #2431
• Use 2-letter phone country code for analytics #2442
• Refactor and fix account reset requests #2444
• Allow sign in via remember me after idling #2438
• Display fake banner in lower environments #2418
• Prevent calling unsupported countries #2423
• Fix already authenticated users redirecting to account page #2426
• Fix border radius on Account boxes #2427
• Add client-side Crockford Base32 encoding helper #2417

New Service Providers and updates to existing ones

• Add RRB LOA3 SP to Production #2457
• Adds in the logo for the Small Business Administration #2393
• Add a new redirect_uri for logout with the CBP ROAM SP #2435
• Update redirect_uri list for OIDC Sinatra developer demo app #2433
• Add a logout redirect uri for the Trusted Traveler Program SP #2446

RC 64

Features

• Failure to proof URL for service provides at LOA3 i#2389

Bugs and Enhancements

• Fix preview images from PRs from showing in internal Slack channels #2422
• Update dependencies #2420
• Add script to give IDP access to CloudHSM keys #2235
• Add a task to copy user phone numbers into a new table to eventually allow multiple phones per user #2415
• Fix a bug where session timeout prevented user from ending at SP #2390
• Stop storing unnecessary OIDC request data in the session #2412
• Track errors when the user is nil in analytics #2407
• Fix bug where users without a phone number where asked to use auth app to confirm phone during IdV #2389
• Add account reset health checker #2387
• Change release script to stop recycling unused servers #2349

New Service Providers and updates to existing ones

• Add a redirect URI for DOE #2416

RC 63

Features

• Add Connected Applications to Account Management #2376
• Write 2L KMS encrypted sessions #2373
• Add script to email compromised users #2340

Bugs and Enhancements

• Add phone configurations table #2361
• Fix OIDC Sinatra SP redirect uri for int and dev #2391
• Refactor SP redirect URI validation #2351
• Use different text in SMS for login vs verify phone number #2342
• Fix confusing placeholder phone number #2359
• Update PR template and contribution guidelines #2315
• Add console output suppression spec helper #2383
• Remove stray SAML test file #2382
• Add logstash.conf.example and update README #2378
• Production Error: ERROR: duplicate key (email) #2379
• Ran make normalize_yaml on PR 2358 #2377
• Update USAJOBS / TTP instructions on create account #2358
• Update gems with bummr #2371
• Clean up localizations #2333
• Create an AWS lambda function for delayed notifications with account reset #2310
• Fix 500 errors on bad personal key. Match host on redirect URIs #2362
• Fix phone validation logic to prevent toggling disable #2357
• User can't create account because their email is "invalid" #2360
• Display a message to the user when an account reset link is expired #2331
• Ignore saml_*.txt files generated by tests #2352
• Adjust response code for SMS reply #2325
• Fix 500 errors on bad personal key and invalid otp_delivery_preference in path. Add specs. #2346
• Match host on redirect URIs #2347
• Add SMS opt-out reply job spec #2343
• Create an AWS lambda function to upload USPS verification to GPO #2332
• Ignore the old password columns on the user model #2330
• Hardcode session encryption cost for migration #2395
• Catch sending too much to kms #2411
• Use 32 byte salts for passwords #2372

New Service Providers and updates to existing ones

• Add Forest Service ePermits to the production service providers #2339

RC 62

Bugs and Enhancements

• Cancelling account deletion now notifies both email and sms #2320
• 2FA selection at sign in has been cleaned up #2317
• Attribute encryption rake task logs errors and continues #2322
• The IdP supports serving assets from the Cloudfront CDN #2321
• Invalid user params won’t raise errors #2324
• Adjust checkbox spacing on OTP verification screen #2316
• Remove stray TODO comment #2312
• Handle Twilio errors more gracefully #2308
• Only send one SMS for account reset delayed notification #2309
• Redesign IDV verification OTP delivery method screen #2302
• Fix typo on account reset page #2306
• Make programmable SMS countries configurable #2298
• Make the call to action full width on mobile for some pages #2291
• Fix attribute_encryption_key_queue in example application configuration #2294
• Allow Code Climate to analyze spec folder #2292
• Fix USPS uploader spec #2296
• Remove TODO comments from codebase #2295
• Remove CSRF protection from SendNotificationsController #2290
• Remove CSRF protection from account reset delayed notifications endpoint #2289
• Fix Voice OTP bug in previous release #2287
• Define locale argument for VoiceOtpSenderJob #2284
• Add SMS opt-out messaging #2276

New Service Providers and updates to existing ones

• Add a new redirect uri to DOT portal SP #2327
• Allow users of NGA and EOP SPs to use piv/cac as a second factor #2323
• Add tsp.move.mil SP #2319

RC 61

Features

• Use GPO instead of Equifax for address verification #2267, #2272
• Delayed account reset requests #2274
• Use Twilio/Auth Verify service to send international SMS #2275, #2280

Bugs and Enhancements

• Fix 500 errors #2269
• Allow SMS to be sent to Zambian and Liberian phone numbers #2256
• Clarify and simplify personal keys instructions #2266

New Service Providers and updates to existing ones

• MyCBP #2282
• Update USAID logo #2278
• Add piv/cac subject to attributes for move.mil #2263

Code maintenance

• Remove unused code #2268
• Update dependencies #2270
• Refactor encryption #2203, #2229, #2260, #2271

RC 60

Features

• Add PIV/CAC as a two factor authentication option #2234, #2237, #2244, #2250, #2253
• Allow dynamic service provider updates in production #2227
• Log ‘Password Changed’ event #2233
• Log ‘Personal Key Changed’ event #2217
• Offer all two factor authentication options during account creation #2099
• Increased the Reauthentication Timeout window from 2 to 5 minutes

Bugs and Enhancements

• Fix bug in enter phone number screen #2255
• Remove already initialized constant #2252
• Hide nonce from html #2236
• Upgrade Ruby from 2.3.5 to 2.5.1 #1997
• Improve request tracing #2245
• Add help text for SAM users on account creation screen #2230
• Update dependencies #2175, #2228
• Send ‘password reset link’ to confirmed email address #2182
• Prevent ‘password reset tokens’ from leaking to 3rd party sites #2214
• Fix validation bug on personal key screen #2215
• Fix rate limiting issues #2216, #2222

New Service Providers and updates to existing ones

• DOE - Fossil Energy #2251
• SAM.gov #2248
• USAID logo #2239
• Secret Service #2232

RC 59

Features

• Support new encryption model using 2L-KMS #2191 , #2192 , #2210
• Update identity verification flow #2193 , #2194 , #2200 , #2201 , #2205 , #2206
• Add support for LexisNexis as an identity verification vendor #2198
• Enable PIV/CAC on per agency basis #2148 , #2197
• Add CloudHSM and automate key generation #2159 , #2202

Bugs and Enhancements

• Add 849 and 829 area codes for Dominican Republic #2196
• Fix visual bug on phone input #2190
• Update edit phone screen to use new phone input #2195
• Upgrade file encryptor to work with gpg2 #2199
• Add proofer information to result and analytics #2207
• Switch queuing from sidekiq to inline by default. #2208
• Fix CircleCI build caching issue #2211

New Service Providers and updates to existing ones

• move.mil #2209
• SAM.gov #2212, #2213

RC 58

Features

• Allow PIV/CAC as 2FA during login #2142, #2188
• Manage PIV/CAC association in account #2128
• Add reCAPTCHA to account creation and password reset screens #2136, #2160

Bugs and Enhancements

• Add more testing for PIV/CAC feature #2157
• Default recaptcha to off and whitelist it for unsafe-inline #2160
• Prefix email confirmation event with use registration label #2181
• Exclude events with invalid tokens #2153
• Disallow indexing of certain pages #2151
• Update gems with bummr #2173
• Automate release management #2080
• Sanitize Ahoy headers and cookies #2165
• Make tests compatible with zeus #2158
• Add script to create test accounts #1860

New Service Providers and updates to existing ones

• Add move.mil and DOT SPs to production #2183

RC 57

Bugs and Enhancements

• Use XHR transport mechanism for analytics #2143
• Update links from IDP to support documentation #2140
• Add new Spanish and French translations for some text #2138
• Fix issue where poisoned urls could cause redirects to a different host #2139
• Clarify invalid OIDC token error message #2133
• Fix issue with 500 error that occasionally occurred during SAML SLO #2125
• Regenerate visit ID after user logs out in analytics #2120
• Clean up dead code from agency UUID migration #2124
• Clean up code resulting from one time email alert about password policy changes #2123
• Allow analytics to capture bot events in lower environments #2129
• New Service Providers and updates to existing ones
• Add secret service PIX SP #2145

RC 56

Features

Allow authenticator app setup during signup #2061
Add ability to remember a phone for 2FA #2063

Bugs and Enhancements

Break trailing comma cop into hash and array cop #2054
Turn on agency based UUIDs #2076
Add the uuid for a x509 subject to the users table #2086
Remove vendor session id from idv session and proofing flow #2089
Log user out when deleting account #2091
Add temporary mailer #2093
Library updates #2100, #2111, #2115
Replace Poltergeist/PhantomJS with Headless Chrome #2108
Create user Event when password is changed #2114
Added and updated specs #2090, #2092, #2094, #2095, #2097, #2101, #2102, #2103, #2104, #2106, #2107, #2112

New Service Providers and updates to existing ones

Update NGA and DOT SPs #2096
Update DOT Portal cert #2117