v3.6.0 ~ New Morning (pro)

Release date: May 25th, 2022.

The team is pleased to announce the v3.6 immediate availability which, as you may already have seen, includes a design refresh of the application.

The Pro Edition also includes the most awaiting account recovery feature, also known as secret key escrow. This feature is available in “Beta”. While it is functional and have been thoroughly tested and reviewed by the team it may still contains some glitches. Moreover the independent security audit for this feature is scheduled for Mid-July 2022. We therefore expect to go out of beta at the end of July, once we’ve gathered your feedback.

On top of that, this release ships with some more improvements and fixes.

• Performance boost on the client cryptographic operations;
• Additional key validations on setup for better error reporting;
• Experimental support for ECC keys.
• More performance fixes.

We wish to thank the contributors who participated:

• People who answered the account recovery survey and helped us defined how the feature should behave;
• Alpha testers who helped us test the pre-release;
• All the community members who helped with the internationalization;

Next up? We’ll go through a maintenance cycle where we’ll be fixing issues reported in terms of performance (e.g. adding users to a group, working with large folder structure, etc.), as well as preparing for the migration to Manifest v3, and support for PHP 8.1.

Browser extension

[3.6.2] - 2022-06-03

Improved

• PB-16651 As LU I want to get a clear message if I enroll to a disabled account recovery program
• PB-15677 As LU I want to see openpgp assertions messages translated into my language

Fixed

• PB-16736 Fix as AN I can accept a new server key(GITHUB-150)

[3.6.1] - 2022-05-31

Improved

• PB-16116 Change user creation dialog tips following the introduction of account recovery
• PB-16119 As LU changing my security token I should be able to access documentation about phishing attacks
• PB-16166 Change nested folders icons size
• PB-16206 Change search bar padding
• PB-16207 Change midgar theme hover background colour
• PB-16208 Change midgar inset shadow highlight opacity
• PB-16209 Change inside fields buttons radius
• PB-16210 Change midgar hover/active grid lines backgrounds
• PB-16211 Change midgar active button background
• PB-16212 Change authentication loading spinner padding
• PB-16213 As LU I should see a beta pill next to the account recovery menu entry
• PB-16556 Change midgar sign-in form background
• PB-16559 Change user settings account recovery layout
• PB-16588 As GM editing group memberships, I want to see the tooltip icon aligned with the username
• PB-16589 Change the attention required icon color in the user settings menu
• PB-16592 Change quickaccess connecting state box background
• PB-16603 Change grids font weight
• PB-16605 Reduce letter spacings globally
• PB-16639 As LU enrolling to the account recovery program I should be requested my passphrase

Fixed

• PB-14278 As LU I should see warning messages on form fields
• PB-16117 As AD I should not see the MFA status in the user sidebar if the user is not active
• PB-16146 As AD I should not be able to copy the public key of a inactive user
• PB-16558 As AN on unauthenticated page I should not see “about us” cta tooltip
• PB-16604 As a LU I should be able to sort the grid by Username and URI
• PB-16661 As a AN I can accept a server key rotation when the server key stored in the local storage cannot be parsed

Maintenance

• PB-16155 Apply linter on all styleguide src code
• PB-14951 Move common test material

[3.6.0] - 2022-05-23

Added

• PB-12965 As AD I can enable account recovery for the organization
• PB-13759 As AD I can rotate the organization account recovery key
• PB-16193 As AD I can see a user account recovery requests history
• PB-13012 As a user who lost its credentials I can request an account recovery
• PB-13025 As AD I can approve or reject an account recovery request
• PB-16117 As AD I can see a user MFA status in the details sidebar
• PB-15033 As a user who lost its credentials I can request help to an administrator
• PB-14672 As a user I should see the new design on the password workspace
• PB-14673 As a user I should see the new design on the user workspace
• PB-14674 As a user I should see the new design on the user settings workspace
• PB-15026 As a user I should see the new design on the administration workspace
• PB-14675 As a user I should see the new design on the authentication screens
• PB-14677 As a user I should see the new design on the quickaccess application
• PB-14960 As a user I should see the new design on the web integration inform menu
• PB-14131 As AN performing a setup, I can import ECC keys

Improved

• PB-14896 As AN performing a setup, I should not be able to import an already decrypted key
• PB-14816 As AN performing a setup, I should not be able to use a passphrase which is part of a data breach
• PB-14462 As AN on the authentication screens, I should see unexpected errors details
• PB-14203 As LU on the application, I should see unexpected errors details
• PB-13852 Improve encryption/decryption performances

Security

• PB-13908 As AN performing a setup, I generate key of 3072 bits
• PB-13908 As AN performing a setup, I cannot import keys weaker than 3072 bits

Fixed

• PB-15241 As a user I can use the web integration inform menu in iframe authentication forms
• PB-13901 As AN performing a sign-in, I should be prompted the server key changed only when the parsed key changed
• PB-14130 As LU I can select multiple passwords filtered by folder
• PB-14405 Fix misc sentences plural

Maintenance

• PB-14155 Upgrade node to version 16
• PB-13852 Upgrade openpgp.js to version 5
• PB-14672 Increase storybook screens coverage
• PB-14052 Increase browser extension code coverage

API

[3.6.0] - 2021-05-25

Added

• PB-9738 Add account recovery organization policy settings by admins
• PB-13685 Add account recovery organization settings set with key rotation + misc cleanup
• PB-12837 Add account recovery setup for users
• PB-14236 Add account recovery request process for users
• PB-14236 Add account recovery response process by admins
• PB-14410 Add the account recovery final step for users after approval by admins
• PB-14233 List all pending account recovery requests for admins
• PB-13769 Add account recovery related email notifications to users and admins
• PB-14452 Add cleanup tasks for account recovery

Improved

• PB-9739 OpenPGP key and message validation refactoring
• PB-14141 Enhanced public/private key validation rules
• PB-13685 Enhanced secret validation rules
• PB-14138 Refactor setup and recover related controllers with dependency injection
• PB-14510 Three trivial endpoints, such as GET on login are not logged anymore
• PB-14511 The trivial endpoints are cleaned-up from the relevant audit logs table

Security

• PB-14400 Upgrade firebase/php-jwt to 6.1

Fixed

• PB-14369 Fixes email settings issues in the test suite
• PB-15046 Handle user lost-passphrase scenarios with API <= v3.5
• PB-15024 Action logs slow query fix for Maria DB
• PB-14253 Disable MFA cookie on user setup or recover

Maintenance

• PB-14812 Upgrade cakephp/cakephp to 4.3