All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Add static backup codes (behind feature flag)
- On user account page: see codes and generate more codes
- On signup: new accounts can create codes instead of adding a phone
- On login: login accepts a backup code, and allows users to message an administrator
- List users under "Manage team" alphabetically by email address
- "Delete" buttons are red (ie, they are destructive actions) and horizontal
- Update "instructions for patients" screens to reflect new traceback instructions in the app
- Split the signup flow into multiple pages: add a second page for entering mobile phone as 2FA device
- Add the password label and help text back to the sign up page
- Hide the "Your account" link on the 2FA page because people can't see/edit their account info yet
- Rewrite default validation messages
- Content updates to various pages in the app, including the Quick Guide page
- Remove the "required" attribute from form inputs
- (Super)admins are no longer permitted to change other users' passwords
- Redirect to the login page if yubikey verification page is visited before user is authenticated
- Lowercase emails during logins attempts. We convert emails to lowercase during signup, so we should do it during login as well.
- Add new page and flash messages to handle scenarios where account invitations are expired, deleted or accepted
- Pass the admin user's email to the account invitation template in Notify
- Update French content in various places across the application
- Replace straight apostrophes (
') with curly apostrophes (’)
- Now that more provinces are onboarded, bump the limits for how many keys can be generated before alarms go off
- Add custom error templates for common error states
- Very small change to the phonetic alphabet
- Application throttling works as expected, fixed the sequencing of operations
- Remove prior login attempts for newly created accounts
- Fix the login page layout on IE11
- Remove traceback instructions for the instructions for patients. We want to wait for the app to be updated before those go out.
-
Update in-app content
- Update instructions and screenshots for instructions that healthcare providers give to patients
- Data migration to add "sent" dates to any invitations missing that fields
- Allow resending invitations whenever no user account exists — previously, an "accepted" invitation for a deleted user would prevent that user from being invited again
- Remove duplicate "preconnect" link in HTML header
- Title Case the words in the phonetic alphabet
- Updated content for the Privacy and Terms of use pages
- Fixed CSS for "logged-in" nav items for the login page
- Fixed CSS for login thank you message on IE11
- Fixed CSS for the big code box on the "/key" page
- Use Notify to send user-facing emails: ie, the password reset and the invitation email
- No longer flag invitations as accepted when the user clicks on the link
- Adds a welcome page for new users (after completing signup + 2fa for the first time)
- Update the quick guide with an example code
- Up the invitations limit properly to 200 per hour temporarily
- COVID Keys back down to 25
- Up the COVID Key limit to 200 per hour temporarily
- Fix password reset links running in non-production environments
- Default superusers are associated with CDS, not "Ontario"
- Let managers remove other team members who have created a CovidKey in the past
- Add "thank you" message to login page
- Added aria-describedby attributes to inputs when there are validation error messages.
- Yubikey verification form now using base form (no colons, removed autocomplete, etc.)
- Superusers can now block users permanently via django-admin. Those users won't be able to login until a superuser reactivate them.
- Adding a check in the login_handler to prevent the login form from crashing when trying login with a non-existent e-mail
- Lower the daily limit of one time key generation to 25 in production
- Move the errors messages of fields that equality validation (Enter your password again, Enter your phone number again) into the first field to make it easier for accessibility.
- When the user changes password, the user loose his session. Now the user will keep his session on the device used to change the password but will loose his session on all other logged-in devices.
- Adding a second layer of user throttling. After 100 failed logins in a 30 days window, the user will be blocked for 24 hours.
- New Quick Guide page now available in the footer.
- A slack notification is now sent on failed Github Actions
- Github Actions now running terraform check, plan and security scans on deploys (staging repository)
- The privacy page has been simplified
- Adding a list of authorized domains for outgoing account invites
- Amazing new feature: added skiplink for logged-in users
- Added CHANGELOG file
- Added VERSION file
- Added version to GitHub actions
- Added version to of application