Skyve - The Low Code Open Source Enterprise Platform

Skyve 9.2.0 released

This release of Skyve adds a new security event logging feature, progress towards a new UI component for displaying grids in the responsive renderer, and several security enhancements. Backups are now validated before truncation and restore, and the SkyveFactory annotation now supports excluding attributes from the generated update tests to cut down on strobing (intermittently failing) test results.

Skyve Factory

The @SkyveFactory annotation now supports an excludedUpdateAttributes attribute. It lists attributes that should not be updated by the automated domain tests. This is useful for attributes that are set automatically by the Bizlet, or that are validated to hold a particular value: a randomly generated test value would either be overwritten or fail validation. It reduces the number of strobing test results, especially for date fields that are set by the Bizlet, or are validated to not be before or after another date.

The excludedUpdateAttributes attribute works in the same way as excludedActions: it takes an array of attribute names to exclude from the update tests.

@SkyveFactory(excludedUpdateAttributes = {
    Document.dateFieldPropertyName, Document.otherFieldPropertyName
})

Security Enhancements and Event Logging

Several new security features were added in Skyve 9.2.0:

Argon2 Password Hashing Algorithm

A new password hashing algorithm has been added to Skyve. Argon2 is a key derivation function that won the Password Hashing Competition in 2015. It is designed to be resistant to side-channel attacks and GPU cracking. To use Argon2, update the passwordHashingAlgorithm property in the account block of your application json file (see Notes for Upgrading below):

"account": {
    "passwordHashingAlgorithm": "argon2"
},

Password reset token expiry

When a user requests a password reset, the reset token will now expire after a certain amount of time. The expiry time can be set by a system administrator in the Security Admin -> Configuration screen.

Password strength indicator

A new password strength indicator has been added to the password reset screen. The indicator will show the strength of the password as it is being typed, and will also offer suggestions or alert the user if the password is too weak.

[Screenshot: Users will be given immediate feedback on password strength]

Breached password checking

Skyve now checks the HaveIBeenPwned database to see if a user's password has been breached. If the password is found in the database, the user will be alerted and asked to choose a different password.

This is on by default for new applications. For existing applications a system administrator can enable it, or disable it, in the Security Admin -> Configuration screen on the Startup tab.

[Screenshot: New user passwords will be checked for breaches when enabled]
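The breach check above queries an external service, so it is worth seeing what actually leaves the application. The following is an added example, not Skyve's own implementation: it shows the k-anonymity scheme that the public Pwned Passwords range API is designed around, with the lookup answered by a constructed response string so it runs offline. The class name, the response contents and the breach counts are assumptions made for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example, not Skyve's own implementation: the k-anonymity lookup that the public
// Pwned Passwords range API is built on. Only the first five hex characters of the
// password's SHA-1 leave the application; the service answers with every hash suffix
// (and breach count) sharing that prefix, and the match is made locally.
public class BreachedPasswordCheck {

    static final int PREFIX_LENGTH = 5;

    static String sha1Hex(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02X", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 is required by every JRE", e);
        }
    }

    /** The only part of the hash that is sent, as https://api.pwnedpasswords.com/range/{prefix}. */
    static String prefixFor(String password) {
        return sha1Hex(password).substring(0, PREFIX_LENGTH);
    }

    /**
     * Parses a range response ("SUFFIX:COUNT" per line) and returns how many times the password
     * appeared in breaches, or 0 if its suffix is absent. Matching is case-insensitive and
     * malformed lines are skipped rather than trusted.
     */
    static long breachCount(String password, String rangeResponse) {
        String suffix = sha1Hex(password).substring(PREFIX_LENGTH);
        for (String line : rangeResponse.split("\\r?\\n")) {
            int colon = line.indexOf(':');
            if (colon <= 0) {
                continue;
            }
            if (line.substring(0, colon).trim().equalsIgnoreCase(suffix)) {
                try {
                    return Long.parseLong(line.substring(colon + 1).trim());
                } catch (NumberFormatException e) {
                    return 1; // present but the count is unreadable: still treat as breached
                }
            }
        }
        return 0;
    }

    public static void main(String[] args) {
        // SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the prefix sent is "5BAA6".
        System.out.println("prefix sent: " + prefixFor("password"));

        // Constructed range response (the counts are made up; a real one has hundreds of lines).
        String constructedResponse =
                "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
                + "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n"
                + "1E5A2D9E8E0B4C4B9B9A6A2C8D5C3F1E7A9:2\r\n";

        System.out.println("\"password\" breached "
                + breachCount("password", constructedResponse) + " times");
        // A passphrase whose suffix is not listed is reported as not breached
        // (in a real flow its own prefix would be requested first).
        System.out.println("\"correct horse battery staple 91\" breached "
                + breachCount("correct horse battery staple 91", constructedResponse) + " times");
    }
}
```

The point for an administrator deciding whether to enable the check is the first line of output: the service only ever sees a 5-character hash prefix, never the password or its full hash, so enabling it does not hand the password to a third party.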

Password change email notification

When a user changes their password, an email notification will be sent to the user's email address to inform them that their password has been changed. This can help to alert the user if their account has been compromised.

Geographical restrictions

It is now possible to track the IP address of users when they log in, and to log the country that the IP address is located in. This can help to detect suspicious logins from unusual locations, and can be used to enforce geographical restrictions on user accounts.

This is disabled by default, but Skyve 9.2.0 supports geolocating a user's IP address via ipinfo.io. After signing up for an account, a system administrator can add the API key to the Security Admin -> Configuration screen on the Startup tab. Once an API key is entered, the option to allow or deny countries becomes available. This will silently deny access to users from countries that are not allowed.

[Screenshot: Skyve 9.2.0 adds the ability to allow or deny countries access to an application when enabled]

Invalidate all user sessions on password change

When a user changes their password, all of their active sessions will be invalidated, and all remember-me tokens will be removed. This can help to prevent unauthorised access to the user's account if their password has been compromised.
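The reset token expiry described under "Password reset token expiry" and the session invalidation described just above are two halves of the same credential lifecycle. The following is an added example, not Skyve's own code: an in-memory model that issues expiring, single-use reset tokens (storing only their hash and comparing in constant time) and drops every session and remember-me token when the password changes. The class, the 30-minute TTL, the injected Clock and the sample users are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZoneOffset;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example, not Skyve's own code: expiring reset tokens plus "invalidate everything
// on password change". Store layout, TTL and the StepClock used to simulate time are assumptions.
public class CredentialLifecycle {

    private static final SecureRandom RNG = new SecureRandom();

    // Only the SHA-256 of the token is kept, so a leaked table does not yield usable tokens.
    record ResetToken(byte[] digest, Instant expiresAt) {}

    // Test clock that can be stepped forward to demonstrate expiry without sleeping.
    static final class StepClock extends Clock {
        private Instant now;
        StepClock(Instant start) { this.now = start; }
        void advance(Duration d) { now = now.plus(d); }
        @Override public ZoneId getZone() { return ZoneOffset.UTC; }
        @Override public Clock withZone(ZoneId zone) { return this; }
        @Override public Instant instant() { return now; }
    }

    private final Clock clock;
    private final Map<String, ResetToken> resetTokens = new HashMap<>();      // user -> pending token
    private final Map<String, Set<String>> sessions = new HashMap<>();         // user -> session ids
    private final Map<String, Set<String>> rememberMeTokens = new HashMap<>(); // user -> token ids

    CredentialLifecycle(Clock clock) { this.clock = clock; }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Issues a fresh token (replacing any outstanding one) and returns the value to e-mail to the user. */
    String issueResetToken(String user, Duration ttl) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        resetTokens.put(user, new ResetToken(sha256(token), clock.instant().plus(ttl)));
        return token;
    }

    /** Accepts the token once, and only before expiry; the comparison is constant-time. */
    boolean consumeResetToken(String user, String presented) {
        ResetToken stored = resetTokens.get(user);
        if (stored == null) return false;
        if (clock.instant().isAfter(stored.expiresAt())) {
            resetTokens.remove(user);   // expired: discard so it cannot be retried
            return false;
        }
        if (!MessageDigest.isEqual(stored.digest(), sha256(presented))) return false;
        resetTokens.remove(user);       // single use
        return true;
    }

    void registerSession(String user, String sessionId) {
        sessions.computeIfAbsent(user, k -> new HashSet<>()).add(sessionId);
    }

    void registerRememberMe(String user, String tokenId) {
        rememberMeTokens.computeIfAbsent(user, k -> new HashSet<>()).add(tokenId);
    }

    /** Everything that could keep someone logged in with the old password is dropped. */
    void onPasswordChanged(String user) {
        sessions.remove(user);
        rememberMeTokens.remove(user);
        resetTokens.remove(user);
    }

    int activeSessions(String user) { return sessions.getOrDefault(user, Set.of()).size(); }
    int activeRememberMe(String user) { return rememberMeTokens.getOrDefault(user, Set.of()).size(); }

    public static void main(String[] args) {
        StepClock clock = new StepClock(Instant.parse("2024-01-01T09:00:00Z"));
        CredentialLifecycle lifecycle = new CredentialLifecycle(clock);

        // Expiry: a 30-minute token presented after 31 minutes is refused.
        String token = lifecycle.issueResetToken("alice", Duration.ofMinutes(30));
        clock.advance(Duration.ofMinutes(31));
        System.out.println("expired token accepted: " + lifecycle.consumeResetToken("alice", token)); // false

        token = lifecycle.issueResetToken("alice", Duration.ofMinutes(30));
        clock.advance(Duration.ofMinutes(5));
        System.out.println("wrong token accepted: " + lifecycle.consumeResetToken("alice", "not-the-token")); // false
        System.out.println("fresh token accepted: " + lifecycle.consumeResetToken("alice", token));         // true
        System.out.println("replayed token accepted: " + lifecycle.consumeResetToken("alice", token));      // false

        // Invalidation: a desktop session, a phone session and a remember-me cookie all go.
        lifecycle.registerSession("alice", "sess-desktop");
        lifecycle.registerSession("alice", "sess-phone");
        lifecycle.registerRememberMe("alice", "rm-1");
        lifecycle.onPasswordChanged("alice");
        System.out.println("sessions left: " + lifecycle.activeSessions("alice")
                + ", remember-me left: " + lifecycle.activeRememberMe("alice")); // 0, 0
    }
}
```

Two details matter for a production store rather than this toy: the token itself is never persisted (only its digest), so the database is not a source of valid reset links, and `onPasswordChanged` also discards any pending reset token, closing the window where a reset link e-mailed before the change could still be used after it.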

Security event logging

Skyve now logs security events to the database. These events include successful and failed login attempts, password changes, password resets, and other security-related events. The logs can be viewed by an administrator in the new Security Log screen.

[Screenshot: The new Security Log screen in the admin module]
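Logging the events is the first half; the second is reviewing them. The following is an added example, not Skyve's own code, of a review pass over events of the kind this release records (login success and failure, password change and reset, with the IP address and country captured at login as described under "Geographical restrictions"). It flags a burst of failed logins, a success immediately after such a burst, and a first login from a country the user has not logged in from before. The SecurityEvent shape, the 5-failures-in-10-minutes threshold and the sample events are assumptions constructed for the demonstration; the IP addresses are from the documentation ranges and "XX" is a placeholder country code.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.Deque;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example, not Skyve's own code: a review over constructed security events.
// Event shape, threshold and sample data are assumptions.
public class SecurityLogReview {

    enum EventType { LOGIN_SUCCESS, LOGIN_FAILURE, PASSWORD_CHANGE, PASSWORD_RESET }

    record SecurityEvent(Instant at, EventType type, String user, String ip, String country) {}

    record Finding(Instant at, String user, String reason) {}

    static final int FAILURE_THRESHOLD = 5;
    static final Duration FAILURE_WINDOW = Duration.ofMinutes(10);

    static List<Finding> review(List<SecurityEvent> events) {
        List<Finding> findings = new ArrayList<>();
        Map<String, Deque<Instant>> recentFailures = new HashMap<>(); // user -> failure times in window
        Map<String, Set<String>> seenCountries = new HashMap<>();     // user -> countries of past successes

        List<SecurityEvent> ordered = new ArrayList<>(events);
        ordered.sort(Comparator.comparing(SecurityEvent::at));

        for (SecurityEvent e : ordered) {
            switch (e.type()) {
                case LOGIN_FAILURE -> {
                    Deque<Instant> window = recentFailures.computeIfAbsent(e.user(), k -> new ArrayDeque<>());
                    window.addLast(e.at());
                    // Slide the window: drop failures older than FAILURE_WINDOW.
                    while (Duration.between(window.peekFirst(), e.at()).compareTo(FAILURE_WINDOW) > 0) {
                        window.pollFirst();
                    }
                    if (window.size() == FAILURE_THRESHOLD) {
                        findings.add(new Finding(e.at(), e.user(),
                                FAILURE_THRESHOLD + " failed logins within " + FAILURE_WINDOW.toMinutes()
                                        + " minutes from " + e.ip() + " (" + e.country() + ")"));
                    }
                }
                case LOGIN_SUCCESS -> {
                    Deque<Instant> window = recentFailures.remove(e.user());
                    if (window != null && window.size() >= FAILURE_THRESHOLD) {
                        findings.add(new Finding(e.at(), e.user(),
                                "successful login after " + window.size() + " recent failures"));
                    }
                    Set<String> seen = seenCountries.computeIfAbsent(e.user(), k -> new HashSet<>());
                    if (!seen.isEmpty() && !seen.contains(e.country())) {
                        findings.add(new Finding(e.at(), e.user(),
                                "first login from " + e.country() + " (previously " + seen + ")"));
                    }
                    seen.add(e.country());
                }
                case PASSWORD_CHANGE, PASSWORD_RESET -> {
                    // Nothing to flag on their own: the e-mail notification and session
                    // invalidation described above are the controls for these events.
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        Instant t = Instant.parse("2024-03-01T08:00:00Z");
        // Constructed sample: alice normally logs in from AU; later a burst of failures
        // from one IP in another country ends in a success.
        List<SecurityEvent> events = new ArrayList<>();
        events.add(new SecurityEvent(t, EventType.LOGIN_SUCCESS, "alice", "203.0.113.10", "AU"));
        events.add(new SecurityEvent(t.plus(Duration.ofHours(1)), EventType.LOGIN_SUCCESS, "alice", "203.0.113.10", "AU"));
        for (int i = 0; i < FAILURE_THRESHOLD; i++) {
            events.add(new SecurityEvent(t.plus(Duration.ofHours(5)).plusSeconds(i * 30L),
                    EventType.LOGIN_FAILURE, "alice", "198.51.100.7", "XX"));
        }
        events.add(new SecurityEvent(t.plus(Duration.ofHours(5)).plusSeconds(200),
                EventType.LOGIN_SUCCESS, "alice", "198.51.100.7", "XX"));
        events.add(new SecurityEvent(t.plus(Duration.ofHours(6)), EventType.PASSWORD_CHANGE, "alice", "198.51.100.7", "XX"));

        // Prints three findings: the failure burst, the success right after it, and the new country.
        for (Finding f : review(events)) {
            System.out.println(f.at() + " " + f.user() + ": " + f.reason());
        }
    }
}
```

The new-country rule is deliberately per user rather than a global allow list: the allow/deny countries setting already refuses logins outright, while this review surfaces the logins that were allowed but are unusual for that particular account.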

Responsive Renderer

  • fix drop shadow and padding on PF date inputs when used with PrimeVue
  • fix VueListGrid row selection
  • add VueListGrid visibility options and lazy load snapshots in VueListGrid
  • use a dialog in mobile UXUI for Uploads
  • fix state not being remembered between VueListGrid visits
  • stop using the immediate faces attribute in Skyve form action faces implementations
  • implement grid titles in the PF renderer instead of in ComponentBuilder so it works for both PF and Vue List Grids
  • handle list models correctly in VueListGrid

Desktop Renderer

  • implement SmartClientFilterOperator.notInSet criteria via addition of Filter.addNotIn()
  • fix grid titles so they display correctly

MetaData/Repository

  • add excludedUpdateAttributes to the SkyveFactory annotation
  • update DocumentQueryMapModel to expose a default constructor and setQuery so that it can be extended and validated

Behaviour

  • generate the payload once for EXT.push()
  • validate Skyve backup before truncate and restore
  • implement Snapshot Adapters to convert SC and Vue snapshots
  • added EXT.getHttpServletRequest() and EXT.getHttpServletResponse() to be accessible from anywhere in the Skyve application
  • add null-safety to JSON and collaborating classes
  • add Util.getBaseUrl() convenience method to get the base URL of the running application
  • use ANSI SQL 2016 UNIQUE NULLS DISTINCT expression for unique indexes in H2 2.2 dialect
  • update maven assemble files to include router.xml
  • fix StandardLoader polymorphic association population
  • ensure Freemarker's ContentDirective uses Skyve's thumbnail system
  • fix embedded generate domain validation to not rely on the current customer which could be null
  • fix faces error handling under Jakarta EE 10
  • fix component usage in views across UX/UIs
  • check Unique Constraints once per bean instance in saved graph

Security

  • use UUIDv7 generation throughout Skyve
  • add password reset token expiry
  • add Argon2 as a supported password encoder
  • add security event logging
  • add HaveIBeenPwned breached password validation
  • implement password strength indicator
  • add password change email notification
  • add cached GeoIP service and log the IP address and country during login
  • add user session management and tracking across all user sessions
  • invalidate all active user sessions and remove all remember-me tokens on a change of password
  • remediate reflected XSS via the Referer header

Admin

  • remove unused startup configuration from Control Panel to fix loading issues
  • captcha is no longer required for password reset to work

Notes for Upgrading

To upgrade your Skyve project to this version, change the Skyve version in your pom.xml to 9.2.0 and perform an assemble.

If you are upgrading from a version older than 9.1.2, please see the previous release notes and also apply those changes.

See the complete upgrade instructions on GitHub.

New state settings

Skyve 9.2.0 introduces some new required JSON configuration settings which need to be added before an application will deploy. Please update your application json file and replace the existing "state" block with (keeping any existing modifications):

// State settings
"state": {
    // Cache folder - defaults to <content.directory>/SKYVE_CACHE/
    // Skyve will create this folder at startup, but if a folder is defined here it must already exist at startup.
    "directory": null,
    // Conversation cache settings
    "conversations": {
        // Max conversations allowed in heap memory before being moved off-heap or to disk
        "heapSizeEntries": 1000,
        // Max off-heap memory size - 0 indicates no usage
        "offHeapSizeMB": 64,
        // Max disk size - 0 indicates no usage
        "diskSizeGB": 10,
        // Number of minutes to wait until expiring a conversation from the cache
        "expiryTimeMinutes": 60
    },
    // CSRF token cache settings
    "csrfTokens": {
        // Max CSRF tokens allowed in heap memory before being moved off-heap or to disk
        "heapSizeEntries": 1000,
        // Max off-heap memory size - 0 indicates no usage
        "offHeapSizeMB": 64,
        // Max disk size - 0 indicates no usage
        "diskSizeGB": 10,
        // Number of minutes to wait until expiring CSRF tokens from the cache
        "expiryTimeMinutes": 60
    },
    // Geo IP cache settings
    "geoIPs": {
        // Max geo IP lookups allowed in heap memory before being moved off-heap or to disk
        "heapSizeEntries": 1000,
        // Max off-heap memory size - 0 indicates no usage
        "offHeapSizeMB": 0,
        // Max disk size - 0 indicates no usage
        "diskSizeGB": 10,
        // Number of minutes to wait until expiring geo IP lookups from the cache (1440 = one day)
        "expiryTimeMinutes": 1440
    },
    // Session cache settings
    "sessions": {
        // Max sessions allowed in heap memory before being moved off-heap or to disk
        "heapSizeEntries": 1000,
        // Max off-heap memory size - 0 indicates no usage
        "offHeapSizeMB": 64,
        // Max disk size - 0 indicates no usage
        "diskSizeGB": 10,
        // Number of minutes to wait until expiring sessions from the cache
        "expiryTimeMinutes": 60
    },
    // CRON expression for the Evict Expired State job - runs daily at 00:37 (12:37 AM) - null indicates no eviction
    "evictCron": "0 37 0 1/1 * ? *"
},

Remove your existing "conversations" top level property, as this is now part of "state":

// Conversation cache settings
"conversations": {
    // Max conversations allowed in heap memory before being moved off-heap or to disk
    "heapSizeEntries": 1000,
    // Max off-heap memory size - 0 indicates no usage
    "offHeapSizeMB": 128,
    // Max disk size - 0 indicates no usage
    "diskSizeGB": 10,
    // Number of minutes to wait until expiring a conversation from the cache
    "expiryTimeMinutes": 60,
    // CRON expression for the Evict Expired Conversations job - runs daily at 00:37 (12:37 AM) - null indicates no eviction
    "evictCron": "0 37 0 1/1 * ? *"
},

We also recommend updating the password encoder to use the new argon2 encoder. This can be done by updating the passwordHashingAlgorithm property in the account block of your application json file:

"account": {
    "passwordHashingAlgorithm": "argon2"
},

Existing passwords will continue to work with the previous hashing algorithm, and will be updated to argon2 the next time the user changes their password.
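The rule in the last sentence, and the Argon2 section earlier in these notes, describe a gradual migration: hashes made by the previous algorithm keep verifying, and only new hashes use Argon2. The following is an added example, not Skyve's own encoder wiring, of how that rule is expressed with Spring Security's DelegatingPasswordEncoder. The encoder ids ("argon2", "bcrypt"), the assumption that legacy hashes without an {id} prefix are bcrypt, and the UserCredential class are all assumptions made for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example (not Skyve's own encoder wiring): "old hashes keep verifying, new hashes
// use Argon2" with Spring Security's DelegatingPasswordEncoder. The encoder ids, the
// legacy-hash assumption and UserCredential are assumptions.
public class Argon2MigrationExample {

    // Hypothetical persisted credential: only the hash string is stored.
    static final class UserCredential {
        String hash;
        UserCredential(String hash) { this.hash = hash; }
    }

    static PasswordEncoder buildEncoder() {
        // Argon2id with Spring Security's recommended parameters
        // (16-byte salt, 32-byte hash, parallelism 1, 16 MiB memory, 2 iterations).
        Argon2PasswordEncoder argon2 = Argon2PasswordEncoder.defaultsForSpringSecurity_v5_8();
        BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder();

        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("argon2", argon2);
        encoders.put("bcrypt", bcrypt);

        // "argon2" is used for every new hash; a hash carrying another {id} prefix
        // is verified by the encoder registered under that id.
        DelegatingPasswordEncoder delegating = new DelegatingPasswordEncoder("argon2", encoders);
        // Assumption for this example: legacy hashes with no {id} prefix were produced by bcrypt.
        delegating.setDefaultPasswordEncoderForMatches(bcrypt);
        return delegating;
    }

    /** Login check: verifies against whichever algorithm produced the stored hash. */
    static boolean verify(PasswordEncoder encoder, UserCredential cred, String rawPassword) {
        return encoder.matches(rawPassword, cred.hash);
    }

    /** Password change: the new hash is always produced by the default (Argon2) encoder. */
    static void changePassword(PasswordEncoder encoder, UserCredential cred, String newRawPassword) {
        cred.hash = encoder.encode(newRawPassword);
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = buildEncoder();

        // Constructed legacy record: a bare bcrypt hash, as an older deployment might store it.
        UserCredential cred = new UserCredential(new BCryptPasswordEncoder().encode("correct horse battery"));
        System.out.println("legacy hash still verifies: " + verify(encoder, cred, "correct horse battery")); // true
        // upgradeEncoding() is true because the stored hash was not made by the "argon2" encoder.
        System.out.println("needs re-hash: " + encoder.upgradeEncoding(cred.hash)); // true

        changePassword(encoder, cred, "new passphrase 2024");
        System.out.println("new hash: " + cred.hash); // {argon2}$argon2id$v=19$m=16384,t=2,p=1$...
        System.out.println("needs re-hash: " + encoder.upgradeEncoding(cred.hash)); // false
        System.out.println("old password rejected: " + !verify(encoder, cred, "correct horse battery")); // true
    }
}
```

This needs spring-security-crypto 5.8 or later plus Bouncy Castle (bcprov) on the classpath, which Argon2PasswordEncoder uses for the Argon2 primitive. Because the plaintext is also available at a successful login, a deployment could re-hash there instead of waiting for the next password change; the upgradeEncoding() call is what tells you a stored hash still needs it.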