322 KiB

Исходник Постоянная ссылка Ответственный История

1.133.1 (2019-03-19)

Features

devices: devices API with refreshTokens (3b33f41), closes #2547

1.133.0 (2019-03-19)

Bug Fixes

docs: add note for ops on how to check raw redis email config (063ef96)
node 8 and scrypt-hash: removed support for node 8 and scrypt-hash (5172ed8)
profile_server_messaging: fix db constructor signature (dd7c0e3), closes #2916
server: make sure to log errors on server start crash (6c6a779)

chore

api: make redis.watch.conflict a 409 instead of 500 error (5ad4d15)
package: update shrinkwrap (13dc222)
refactor: Refactor the /token endpoint to improve clarity. (b1aafd0)

Features

basket: Updates to login and verified events for Basket (0b02308), closes #2915

Refactor

logging: Update to Mozlog format. (0b3e970), closes #2940
oauthdb: Split OAuthDB implementation across multiple files. (04986a7)
redis: use the extracted redis implementation from fxa-shared (87f1bb0)

1.132.1 (2019-03-05)

1.132.0 (2019-03-05)

Bug Fixes

db: Stop using deprecated 'sessionWithDevice' db route. (8d36529)
errors: add extra data to internal validation errors (8bb7856)
errors: include request data on unexpected errors (b0a6d00)
errors: strip pii and sensitive fields from logged payloads (811e584)

chore

deploy: upgrade to node 10 (b7f9273)

1.131.2 (2019-03-04)

Bug Fixes

pkce: Check code expiry and ownership in the PKCE flow. (ff36b14)

1.131.1 (2019-02-21)

Bug Fixes

api: add validation for utm params and entrypoint (9732cf2)
metrics: reinstate entrypoint to the metrics context schema (551467e)

1.131.0 (2019-02-20)

Bug Fixes

devices: return full device response on spurious updates (24add4d)

chore

clients: Add a dev client_id for Fenix (f6b303a)
deps: Update handlebars dependency. (793bcb8)
deps: update shrinkwrap (f1914d9)

Features

email: Update verification email for OAuth reliers. (74b48af), closes #2859

1.130.1 (2019-02-11)

Bug Fixes

key-data: fix key-data endpoint for fresh accounts (ab6ce00), closes #2908

1.130.0 (2019-02-05)

Bug Fixes

scripts: sanely handle refreshTokens in the docs script (59ab662)
sms: catch errors thrown from phoneNumberUtil.parse (3900303)

chore

ci: run tests on node 10 (5bb853f)

Features

l10n: Enable Catalan (ca) (5b687de), closes mozilla/fxa-content-server-l10n#322
metrics: Emit additional data for the DataFlow fraud detection pipeline. (0a62639), closes #2858

Refactor

crypto: fall back to node's scrypt implementation (6d945c8)

1.129.5 (2019-01-31)

Bug Fixes

metrics: Fix entrypoint being overwritten for every event. (5036912), closes mozilla/fxa-shared#46

chore

deps: update deps (6294593)

1.129.4 (2019-01-28)

Bug Fixes

error: remove A from totpTokenNotFound and totpTokenAlreadyExists errors (d82232c)
npm: rewrap (cdc817d)
validation: fix missing validation for client name (72b2a52)

style

lib/senders: removed right arrows (d04300c)

1.128.5 (2019-01-18)

Bug Fixes

oauth: Allow keys_jwk through GET /authorization (d2f82dd), closes mozilla/notes#1440

1.129.3 (2019-01-25)

Bug Fixes

logs: rename code to status on request.summary log lines (42c4c37)

1.129.2 (2019-01-24)

Bug Fixes

email: add missing query params to link in new device email (f13de2f)
tests: ensure assertions cause test failures in local email tests (3b2e946)

1.129.1 (2019-01-24)

Bug Fixes

metrics: stop emitting route flow events for status endpoints (39c6d31)

chore

package: update shrinkwrap (4db4081)

1.129.0 (2019-01-24)

Bug Fixes

circle: version.json "source" should be code repository (3966cbb)
config: remove deprecated urls (871fdda), closes #2646
config: use local redirect for the reference browser (33cac8e)
oauth: Redirect GET /authorization directly to content server (69f8f3a), closes mozilla/fxa-auth-server#2862

chore

deps: Update to fxa-shared@1.0.15 (b8f5b22)
package: disable security advisory 766 for sandbox dependency (0a5e7f6)
package: disable security advisory 766 for sandbox dependency (737be65)

1.128.5 (2019-01-18)

Bug Fixes

oauth: Allow keys_jwk through GET /authorization (d2f82dd), closes mozilla/notes#1440

chore

package: disable security advisory 766 for sandbox dependency (0a5e7f6)

1.128.4 (2019-01-17)

Bug Fixes

oauth: Redirect GET /authorization directly to content server (69f8f3a), closes mozilla/fxa-auth-server#2862

1.128.3 (2019-01-17)

Bug Fixes

oauth: Use correct max length for oauth client name validation. (9b0fac9)

1.128.2 (2019-01-16)

Bug Fixes

log: use fatal instead of criticial in log (c09242a)

1.128.1 (2019-01-14)

Bug Fixes

circle: can never have enough version.json (adb59b9)

1.128.0 (2019-01-08)

Bug Fixes

docker: gen_keys in the OAuth docker container (1fa4a29), closes #412
docker: run gen_keys.js after the COPY has been done (28b0e73)
docs: Get write-api-docs script back up and running. (fdf0b1d)
email: check for null header values in the email service file (7e8c9dd), closes #2771
purge: adjust path to package.json (c64dd9e)

chore

docs: Fix typo "depricated" -> "deprecated" (5230d59)
grunt: remove grunt bump for oauth-server (8bf2ae4)

Features

metrics: add country and region to activity and flow events (c0c9739)
npm: update to latest npmshrink (ec5236e)
oauth: Expose /account/scoped-key-data endpoint, by making backend calls to oauth-serve (7f13766)
validation: Have validators.scope automatically parse the value to a ScopeSet. (00975dd)

Refactor

oauth: combine oauth deps and package.json with auth (db8ed63), closes #2748
oauth: remove service clients (63acef3), closes #2761
oauth: remove unused grunt tasks from oauth-server (32ead29)

1.127.0 (2018-12-11)

Bug Fixes

email: add manage devices button in new device login email template (7d4649b)
emails: fix arabic emails, add translator tests (cde4ce2), closes #2714
oauth: remove prod requirement flag (0f130b3)

1.127.1 (2018-12-14)

Merge v1.126.3 into train-127

1.127.0 (2018-12-11)

email: add manage devices button in new device login email template (7d4649b)
emails: fix arabic emails, add translator tests (cde4ce2), closes #2714
oauth: remove prod requirement flag (0f130b3)

1.126.3 (2018-12-14)

Bug Fixes

totp: fix account reset and totp (3f73c68)

1.126.2 (2018-11-29)

Bug Fixes

metrics: ensure email sent amplitude events include device id (03a2f2e)

1.126.1 (2018-11-28)

Bug Fixes

metrics: emit login complete amplitude event after reset complete (becd410)

chore

package: npm shrinkwrap (1085780)

1.126.0 (2018-11-27)

Bug Fixes

db: Improve query performance when deleting tokens for public clients. (d6a673c)
deps: drop nodemon (aa1919f)
tests: add Santa Clara to known locations (689f020)
tests: fix sinon compatbility in backendService (aca8277)
totp: don't send totp emails with invalid code (2ea84c1)

Features

config: Error out if secret key config items are not overwritten in production. (df34343)
deps: update dev deps to match with auth-server (567b0cb)
deps: update mozlog, newrelic and raven (7f0834d)
deps: update sinon to latest (516ffd5)
oauth: remove internal server (0f9793f)
service: Create a nice abstraction for calling backend service APIs (193dc71)

Refactor

headers: remove HPKP headers (d98b10c), closes #2744

1.125.0 (2018-11-14)

Bug Fixes

oauth: clean up client get route. (7031e73)

chore

tests: make geolocation assertions more robust (198c628)

1.124.4 (2018-11-09)

Bug Fixes

oauth: clean up client get route. (8301676)

chore

tests make geolocation assertions more robust. (3a21e8b)

1.124.3 (2018-11-05)

Bug Fixes

oauth-sentry: arg to server.events.on is "channels" (plural) (51833e2)

1.124.2 (2018-11-02)

Bug Fixes

errors: reinstate bounce error failures/messaging (42d165e)

chore

package: update deps (aa6c3be)

1.124.1 (2018-11-01)

1.124.0 (2018-10-30)

Bug Fixes

2fa: Allow an explicit null value for acr_values param. (47f4c61)
api: accept and ignore client_secret param in /destroy (c797ed2)
api: allow application/x-form-urlencoded (6cc91e2)
api: Change InvalidAssertions error code to 401 (2781b3a)
api: clean up response of client-tokens delete endpoint (#3) (#449); r=rfk (9c63273), closes #3 #449
api: Correct the error codes changed in 2781b3a (d0dba7c)
api: ensure /destroy endpoint returns an empty object in response body. (6efd47d)
api: fail on invalid action parameters (0c73ae7)
api: reject requests with bad content-types (2667228), closes #199
api: reject requests with invalid parameters (3b4fa24), closes #210
api: remove stray payload restriction from authorization route (e0d5368)
api: set update to return an empty object (6f334c6)
api: tolerate an empty client_secret in /destroy (25a4d30)
api: use invalidRequestParameter instead of invalidRedirect for invalid redirect acti (55eff2d)
authorization: allow empty scope with implicit grant (1d6ac8e), closes #315
authorization: Correctly handle non-existing URL scopes during authorization. (#594) r=@vladiko (21654a3), closes #594 #593
authorization: handle action parameter in GET/authorization (cfa6d97)
buffer: #527 Migrate deprecated buffer calls (#528) r=@vladikoff (fd85207), closes #527 #528 #527
changelog: Fixes #524 automated changelog is borked (#542) r=@vladikoff (d743721), closes #524 #542
changelog: update to latest changelog version (#556) (bc9256e), closes #556
ci: remove geodb workaround (521f4fe)
ci: remove nsp (#602) (64ade86), closes #602 #596 #597
ci: Run MySQL tests in Circle (#586) r=@vbudhram (4b1c4e4), closes #586 #581
ci: turn on memcached in travis and circle (eb86a37), closes #2681
clients: fix server error when omitting optional fields in client registration (80768c5), closes #203
clients: fixes client endpoint for clients with no redirect_uri (6d47110), closes #228
clients: fixes client registration to use payload.whitelisted (83e145b)
clients: match the notes client with fxa-dev and other envs (#585); r=rfk (e24a582), closes #585
clients: support client/client_id route via the internal server (ce04da7)
clients: update email validation (92d4bfc)
codes: Remove authorization codes after use. (e0f8961)
config: Add environment config options (14a9b4a)
config: expose clients config as OAUTH_CLIENTS (04ebf6f)
config: expose more environment variables for config (7a1dd19)
config: For dev, the openid issuer is http://127.0.0.1:3030 (#583) r=@vladikoff (38e1d73), closes #583 mozilla/fxa-content-server#6362
config: mark config sentryDsn and mysql password sensitive (#511) r=@vladikoff (d98fbcd), closes #511
config: option autoUpdateClients, will be disable in prod/stage (802a0b2)
config: remove 00000... from hashedSecrets (8dcfd56), closes #339
config: reverting 'mark config sentryDsn and mysql password sensitive (#511) r=@vladikof (41bd7c0), closes #511
config: set expiration.accessToken default to 2 weeks (7a4742d)
config: update config to use getProperties (c2ed6eb), closes #349
config: Update contentUrl (e1622b2)
config: Update name and redirectUri (2a16cdd)
config: update redirect_uri values to not be blank (5267c62)
db: don't change client database at startup; footgun (8877f81)
db: Drop foreign key constraints. (7ee117c)
db: ensure strict mode (#448) r=rfk,seanmonstar (8d309c5), closes #448 #446
db: Fix an old db patch to apply cleanly in local dev. (c7fa633)
db: Fix case-consistency of SQL query from #612 (9e55714), closes #612
db: make schema.sql accuratley reflect latest patch state (b17b000)
db: make the clients key mandatory in the config file (ac7a39e)
db: remove db name from clients (c724439)
db: Restore foreign key constraints on core tables. (2bd0845)
db: we need to enforce only a minimum patch level (not {n,n+1}) (e12f54d)
dependencies: move fxa-jwtool from dev-dependencies to dependencies (79b0427), closes #345
dependencies: switch back to main generate-rsa-keypair now that my fix to it was merged (1c1268b)
deps: add filtered npm audit (71048b3), closes mozilla/fxa#303
deps: ignore npm advisories 39, 48, 658 (238b0a1), closes /github.com/mozilla/fxa-auth-server/pull/2643/files#r220807985
deps: switch from URIjs to urijs (ecdf31e), closes #347
deps: update mocha and other dev deps (b99e82d)
deps: update newrelic and request r=@shane-tomlinson (b6d6c93)
deps: update some dependencies (09aa7b0)
deps: update to hapi 14 and joi 9 (9bc87c0), closes #424
deps: update to hapi 16, add srinkwrap scripts, update other prod deps (c102046)
deps: update to mozlog 2.0.2 (29342a9), closes #337
doc: Putting a little emphasis on email first (#584) r=@shane-tomlinson (8ad17c1), closes #584
docker: base image node:8-alpine and upgrade to npm6 (#567) r=@jbuck,@vladikoff (d4060be), closes #567
docs: add git guidelines link (a00167c)
docs: Change Status Code for Invalid Assertion based (780aaee)
docs: document keys and verification_redirect options (ef8c47a)
docs: minor spelling fixes (33ad1ec)
docs: note that codes are single use (6fe39f7), closes #214
docs: Update description of the action param to match latest reality. (b475fcb)
email: ensure mock senders take precedence over the email service (29f379d)
error: AppError uses Error.captureStackTrace (2337f80), closes #164
events: require events to be configured in production (1bef9e0)
fatal-error: Exit with non-zero exit code for fatal errors (7c90ff0), closes #244
headers: add cache-control headers to api endpoints; extend tests (5a81ef9)
headers: make "cache-control" value configurable (5ba82ea)
key-data: Correctly handle non-existent scopes when finding key data. (34d9493)
key-data: Fail cleanly when the client has no allowedScopes. (fafcef5)
keys: Generate unique 'kid' field when regenerating JWK keys (5b9acae)
keys: replace scope key TLD (#505) r=@rfk (a5e6d8f), closes #505
log: add remoteAddressChain to summary (#417) (568cfa6), closes #417 #415
log: avoid crashing on bad payload (#411) r=rfk,jrgm (19ebed5), closes #411 #410
logging: log the reason for account deletions (3092ac1)
logging: use route.path in debug message, not route.url (7d9efc2)
logging: use space-free tokens for mozlog (11f73f9)
logs: add scope and client_id logs to verify route (#447) r=seanmonstar (33eb39e), closes #447 #444
mailer: Fix the bulk-mailer, add lots of tests. (806129d)
memorydb: token createdAt used instead of client createdAt (#436) r=vladikoff,seanmonstar (02dec66), closes #436 #421
metrics: use correct format for email service notifications (ec3ff7b)
monorepo: Update CI config for oauth-server import. (6a5675c)
mysql: Correctly aggregate tokens by clientid. (#576) r=@vladikoff (2c2cd22), closes #576
newrelic: update to v2.1.0 (87a3aee)
node: use node 6.12.0 (#501) r=@vladikoff (167c973), closes #501
node: use node 6.12.3 (#510) r=@vladikoff (adc1fc0), closes #510
node: Use Node.js v6.14.0 (#537) (f32a3d7), closes #537
nodejs: update to 6.11.1 for security fixes (a0520c0)
oauth: another notes dev client (#546) (9d5ec8e), closes #546
openid: Generate openid keys on npm postinstall to file (5f15afa)
patcher: Fix patcher with no pre-loaded clients (dcc47b9)
pkce: Don't require PKCE in the direct grant flow. (#566) r=@vladikoff (d70fe6d), closes #566 #559
pkce: match pkce implementation to specifications (#498) r=rfk (cf1c836), closes #498 #495
profile: remove the profileChangedAt column on tokens table (5e87bce)
purge: add purgeExpiredTokensById to select, then delete by primary key (#580); r=rfk (adfff65), closes #580
purge-expired: accept a list of pocket-id's (1c843a9)
purge-expired: log uncaughtException; minimum log level of info (264271e)
purge-expired: moar logging (80c360e)
purge-expired: Promise.delay takes milliseconds; allow subsecond delay (10c6103)
purge-expired: set db.autoUpdateClients config to false (bc66fc3)
purge-expired: use db.getClient() to check for unknown clientId (c33f1d9)
route: make email false by default (#533) r=@rfk (aa68fb9), closes #533
scopes: Document scope-handling rules, use shared code to enforce them. (#551); r=vbudhr (237886d), closes #551
scopes: Dont treat foo:write as a sub-scope of foo. (b4b30c2)
scripts: Fix varname typo in test runner script. (#535) (02804a8), closes #535
scripts: Use pure JS module to generate RSA keypairs (#439) r=vladikoff (3380e1c), closes #439
security: enable x-content-type-options nosniff (5ea5001)
security: enable X-XSS-Protection 1; mode=block (52ca1e5)
security: set x-frame-options deny (21ea05d)
server: exit if db patch level is wrong (78d6382)
shrinkwrap: restore deleted npm-shrinkwrap.json (6383481)
spelling: minor spelling fix in tests (#403) r=vladikoff (d4ff105), closes #403
sql: fix the schema issue with the trailing comma (069caeb), closes #299
sql: remove references to the whitelisted column; this is now the trusted column (6b4d1ec)
sql: undo 155d2ce; for mysql-patcher fix up that database (eb9f40d), closes #301
test: encrypt refresh_token on db query (#414) r=seanmonstar,vladikoff (7f52d46), closes #414 #413
test: fix unhandled rejection error with memory db impl (#454) r=vladikoff (c870eba), closes #454
tests: check insert of utf8mb4 (4e6a77a)
tests: double before hook timeout for tests on slow machines (2333416)
tests: mock outstanding error logs in test suite r=@vladikoff (6a5d3ce), closes #334
tests: More reliable generation of RSA keys for tests (981d0b7)
tests: Refactor use of process.exit() to be outside of code under test. (47f4f17)
tests: remove assertions of profileChangedAt property (60af54f)
tests: sleep additional half second to adjust for mysql round of timestamp (a02f516)
tests: speed up and upgrade the test runner (#467) r=seanmonstar (2e76c9e), closes #467
token: disable expiration error (c9547a8)
tokens: Added scripts that purge expired access tokens. (10bbb24)
tokens: Avoid quadratic behaviour when listing active clients. (#9); r=vladikoff (15c3065), closes #9
tokens: Begin expiring access tokens beyond a configurable epoch. (b346326)
tokens: invalidate refresh tokens on client-token DELETE action (#508) (df0ca82), closes #508 #507
tokens: ttl parameter must be positive (#429) r=vladikoff (1764d73), closes #429
travis: build on node 0.10, 0.12, 4, no allowed failures (6684e8c)
travis: install libgmp3-dev so optionaldep bigint will be built for browserid-crypto (a64cb18)
travis: remove broken validate shrinkwrap (1729764)
travis: run tests with 6 and 8 (#497) r=vladikoff (a49b272), closes #497
travis: test on node4/node6 with default npm & g++-4.8 (b4e1dd8)
validation: Allow redirect uris with existing query params. (#548); r=philbooth (b93e6a1), closes #548
validation: Restrict characters allowed in 'scope' parameter. (7dd2a39)
version: use cwd and env var to get version (#452) r=vladikoff (a3b1aa2), closes #452
version: use explicit path with git-config (e0af8bc)

chore

api: remove metrics context data from deprecated endpoints (d884148), closes #2496
awsbox: remove unused awsbox (f053c9f)
build: Bump eslint-config-fxa to latest version (fe45e0b)
build: create changelogs each release (16f1f5b), closes #158
build: switch to grunt-nsp (ac31672)
ci: drop node 4 as a supported env (#478) (176c828), closes #478
clients: add credentials for FF/FFOS/Fennec/FxA clients in dev (b501abe)
clients: remove deprecated 'whitelisted' column from clients table. (cf16f8a)
clients: rename "whitelisted" property to "trusted". (b8927a8)
config: add local loop dev credentials (70cc480)
config: add Notes trailing slash to redirect in dev.json (#536) (e8bf2e5), closes #536
config: add oauth console into dev config (14d7bab)
config: remove duplicate 'canGrant' field in config file (259da3d)
config: Update convict and switch on strict validation. (1f49ad4)
db: Add db migration to revert change that couldn't go to production. (9382239)
dep: replaced bidcrypto dep with fxa-jwtool (7d71239)
dependencies: bump hapi version (13c2d57)
dependencies: dependency upgrades (4430228)
dependencies: update 'jwcrypto' dependency to 'browserid-crypto' (b9bf102), closes #151
dependencies: update convict (8dfa52f)
dependencies: update most dependencies (ad61ecb)
dependencies: updating deps (e412925)
dependencies: upgrade mozlog to 2.0.3 (262bbc9)
deps: Generate shrinkwrap for latest dependency updates (84e69b5)
deps: update deps, fix nsp (#517) r=@philbooth (9f12267), closes #517
deps: Update hapi dependency. (#457), r=@vbudhram (24a570f), closes #457
deps: Update hapi to latest version (#482) r=vladikoff (6b2810e), closes #482
deps: Update hapi to v16.6.3 (#526) (78c88ad), closes #526
deps: Update request package to latest version (#407) r=vladikoff (b8ef1d7), closes #407
dev: add 321Done untrusted client (a291205)
dev: add Firefox Notes Web Extension client to development config (3960e5f)
dev: add Notes supprot scope in dev (#492) (85af2a2), closes #492
docker: remove old docker self-host files (9f5247f)
docker: Update to node 6.11.5 (#494) (6eb07cf), closes #494
docker: Use official node image & update to Node.js v4.8.2 (#462) r=vladikoff (b1924b0), closes #462
docs: Add a comment about privKey/pubKey confusion in gen_keys (d2edd4b)
docs: add a note about dev envs (0663c19), closes #148
docs: add CircleCI badge to readme (acff566)
docs: move self-host docker file (2180f92)
docs: remove older Docker files (#426) (370c898), closes #426
grunt: make 'grunt release' generate changelog also (87d5861)
license: Update license to be SPDX compliant (ff83ec2)
lint: add ESLint (1531061), closes #274
logging: Log additional details for debugging expired tokens (22cf3ab)
npm: update to npm5 (#522) r=@vbudhram (3783605), closes #522
package: npm shrinkwrap (8ba20b0)
package: pin blanket to 1.1.6 (072385b)
package: remove main from package.json (ebc60a5), closes #206
release: add tasks "grunt version" and "grunt version:patch" to create release tags (1be1380)
release: use CHANGELOG.md instead of CHANGELOG during bump (520b39c)
tests: remove weird mocking magic (47389fa)
tests: Uniformly use promises rather than done() callback. (2a4731f)
tokens: add a comment about why we're inserting an empty string for email (eed414b)
travis: drop node 0.12 support (b4eba46)
travis: Only install libgmp3-dev on Travis (cfafb19)
travis: Tell Travis to use #fxa-bots (17134db)
travis: use npm@2 for more stable installs (3c3e127)
version: add /version route with source repo (37a08f2)
version: generate legacy-format output for ./config/version.json (51b5f3b)

docs

api: Update email behavior for GET /v1/authorization. (755ec9a)
authorization: Document email param in GET /authorization (fbf1eb7)
service-clients: Document Service Clients, JKUs, and JWTs (d2f1ef3), closes #329
service-clients: Document Service Clients, JKUs, and JWTs (799f0e2), closes #329
verify: fix misnamed 'scopes' response property (b5728cf), closes #261
workflow: fixes workflow typo (318d9e1)

Features

2fa: check acr values during authorization flow (c20682a)
amr: Report amr and acr claims in the id_token. (#530); r=vbudhram (8181f7f), closes #530
api: Add action=force_auth to GET /v1/authorization. (33603bd), closes #190
api: add auth_at to token response schema. (bc8454d), closes #181
api: add ttl parameter to POST /authorization (36087fe)
api: allow destroying token without client_secret (7b4d01f)
auth: Accept client credentials in the Authorization header. (#514); r=philbooth (1c50807), closes #514
auth: redirect to content-server oauth root by default (34ad867), closes #245
authorization: add uri validation on the authorization endpoint (#428) r=jrgm,seanmonstar (fcc0b52), closes #428 #387 #388
authorization: Directly return code in authorization response. (#541); r=philbooth (7ad1e56), closes #541
authorization: exit early if assertion invalid returns first (5a27ee6)
authorization: Require tokenVerified=true for key-bearing scopes. (#561) r=@vladikoff (f9ad63e), closes #561 /github.com/mozilla-services/tokenserver/blob/master/tokenserver/views.py#L140
ci: move to CircleCI 2 (#554) r=@jbuck (97e4f62), closes #554
clients: add terms_uri and privacy_uri properties to clients. (51ae904)
clients: add notion of Service Clients in config (8cfdffe), closes #327
clients: Added initial support for using previous client secret (4f9df20)
clients: client registration apis (1a80294), closes #60
clients: move client management api to a separate port (07a61af)
clients: remove obsolete generate-client.js script (62ab0ad), closes #231
clients: report trusted property in GET /client/:id (c58d237)
codes: Delete authorization codes when revoking client access. (#578); r=philbooth (b905b7c), closes #578
config: add browserid pool maxSockets option (0bb40ba)
config: add mysql pool conectionLimit option (ca220ae)
db: add basic migration infrastructure to mysql backend (012e605), closes #183
db: remove clients.secret column (0e39d1e), closes #323
deps: update server dependencies (80ac3cf)
deps: update to bluebird 3 (8f4c664), closes #570
developers: adds support for oauth developers (abe0e52)
docker: Add CloudOps Dockerfile & CircleCI build instructions (a80b4b4)
docker: Additional Dockerfile for self-hosting (83a8b6c)
docker: Dockerfile and README update for basic docker development workflow (342d87b)
docker: Shrink Docker image size (#438) r=vladikoff (13d13b9), closes #438
docker: support feature branches (#464) r=jrgm (f94fd61), closes #464
email-first: Add support for the email-first flow. (#540); r=philbooth,rfk (cb11145), closes #540 #539
error: add info property with link to docs (681044c)
hpkp: Add the hpkp headers to all requests (#416) r=vladikoff (6b8a8c8), closes #416
keys: Add created-at timestamp to our public keys. (#453); r=seanmonstar,vladikoff (511d9a6), closes #453
keys: add key-data docs, move client_id into payload (#491); r=rfk (a9152c3), closes #491
keys: add keys_jwe support (#486) r=rfk (6a4efd1), closes #486 #484
keys: Check lastAuthAt freshness when fetching key data. (#502) r=@vladikoff (855adee), closes #502
keys: Check lastAuthAt freshness when fetching key data. (#506) r=@vladikoff (e0de2f3), closes #506
lb: Add __lbheartbeat__ endpoint (#458), r=@jbuck (c387907), closes #458
logging: add log of time taken in authorization endpoint (02ec0d2)
logging: add log when mysql pool enqueues (461b5c1)
logging: add method, payload, and auth to summary (df57e23), closes #174
logging: log details when generating code (81933f7)
logging: switch logging to mozlog (ec0f5db), closes #156
logs: add sentry support (#499), r=@vbudhram (ef34859), closes #499
metrics: add code and config for email service notification queue (ccd5556), closes #2633
monorepo: Move everything into a subdirectory. (8453f6e)
node: update to node 8 (#544) r=@jrgm (e9b08ae), closes #544
node: upgrade to node 6 (57c61ab)
oauth: add methods to support oauth client management (#405) r=seanmonstar (2748510), closes #405
oauth: make server compatible with AppAuth (#534) r=@rfk (ff9e422), closes #534
oauth: Track last time refreshToken was used (#412) r=vladikoff,seanmonstar (25c455a), closes #412 #275
openid: add initial OpenID Connect support (93f8758), closes #362
openid: add profileChangedAt to claims (#607), r=@rfk (f6e93eb), closes #607
openid: Add support for OIDC login_hint query param. (200ce43)
openid: add the openid connect at_hash value (#598), r=@rfk (d08310e), closes #598
openid: Allow untrusted reliers to request openid scope. (#516), r=@vbudhram (f764dc8), closes #516
pkce: add ability for PKCE clients to use refresh_tokens (#476) r=seanmonstar (7b401eb), closes #476 #472
pkce: add PKCE support to the oauth server (#466) r=seanmonstar (ed59c0e), closes #466
refresh_tokens: add refresh_tokens to /token endpoint (16e787f), closes #209
scopes: add key-data and scope support (#487) r=rfk (f3fcae5), closes #487 #483
scopes: allow https:// scopes (#490); r=rfk (f892bcb), closes #490 #489
scripts: Add script to generate an oauth client (f21f657)
server: set HSTS header for 180 days (d43accb)
server: update to Hapi 17 (0ebfebe)
shared: add new locales (d6e88df)
sync: add local test client for sync (#549) (61ed2e7), closes #549
sync: add oldsync scope (#550) r=@rfk (f2e7bb4), closes #550
token: reject expired tokens (4f519ca), closes #365
tokens: add support for password change and reset event (#485) r=rfk (f5873f9), closes #485 #481
tokens: allow using JWT grants from Service Clients (55f88a9), closes #328
tokens: allow using JWT grants from Service Clients (0a0e303), closes #328
untrusted-clients: restrict scopes that untrusted clients can request (8fd228a), closes #243
verify: add opt out parameter to verify endpoint (e4c54ff), closes #358
verify: added 'client' to /verify response (4c57551), closes #149

JsonFormatter

outputs JSON in same format as fxa-auth-server (c89ca92)

Refactor

client: scope added in memory and sql (#445) r=vladikoff (4efc383), closes #445 #431
clients: remove terms and privacy uris (5c1e0be), closes #406
config: Use human-readable duration values in config (20aa8fa)
db: add hashedSecret column to clients (9ceaf1f), closes #155
db: clients.secret to clients.hashedSecret, remove clients.whitelisted (155d2ce), closes #155 #267
email: Fixes #352 Remove ability to fetch email address (#543) r=@shane-tomlinson (068bd4b), closes #352 #543
keys: rename keyMaterial, timestamp to keyRotationSecret, k… (#500) r=@rfk (48ec2a3), closes #500
lint: remove jscs, update eslint rules (#477), r=@vbudhram (8bc148a), closes #477

Reverts

keys: Check lastAuthAt freshness when fetching key data (5d772f6)
service-tokens): Revert "docs(service-clients: Document Service Clients, JKUs, and JWTs" (6be9ac2)
service-tokens): Revert "feat(tokens: allow using JWT grants from Service Clients" (d3cc78a)
tokens: dont reject expired tokens, again (e8b563e)

test

api: rename assertRequestParam to assertInvalidRequestParam (3f00eb3), closes #280
db: fixing db.removeUser tests for mysql (94f96bf)

BREAKING CHANGES

[object Object]
[object Object]
[object Object]

1.124.0 (2018-10-30)

Bug Fixes

2fa: Allow an explicit null value for acr_values param. (47f4c61)
api: accept and ignore client_secret param in /destroy (c797ed2)
api: allow application/x-form-urlencoded (6cc91e2)
api: Change InvalidAssertions error code to 401 (2781b3a)
api: clean up response of client-tokens delete endpoint (#3) (#449); r=rfk (9c63273), closes #3 #449
api: Correct the error codes changed in 2781b3a (d0dba7c)
api: ensure /destroy endpoint returns an empty object in response body. (6efd47d)
api: fail on invalid action parameters (0c73ae7)
api: reject requests with bad content-types (2667228), closes #199
api: reject requests with invalid parameters (3b4fa24), closes #210
api: remove stray payload restriction from authorization route (e0d5368)
api: set update to return an empty object (6f334c6)
api: tolerate an empty client_secret in /destroy (25a4d30)
api: use invalidRequestParameter instead of invalidRedirect for invalid redirect acti (55eff2d)
authorization: allow empty scope with implicit grant (1d6ac8e), closes #315
authorization: Correctly handle non-existing URL scopes during authorization. (#594) r=@vladiko (21654a3), closes #594 #593
authorization: handle action parameter in GET/authorization (cfa6d97)
buffer: #527 Migrate deprecated buffer calls (#528) r=@vladikoff (fd85207), closes #527 #528 #527
changelog: Fixes #524 automated changelog is borked (#542) r=@vladikoff (d743721), closes #524 #542
changelog: update to latest changelog version (#556) (bc9256e), closes #556
ci: remove geodb workaround (521f4fe)
ci: remove nsp (#602) (64ade86), closes #602 #596 #597
ci: Run MySQL tests in Circle (#586) r=@vbudhram (4b1c4e4), closes #586 #581
ci: turn on memcached in travis and circle (eb86a37), closes #2681
clients: fix server error when omitting optional fields in client registration (80768c5), closes #203
clients: fixes client endpoint for clients with no redirect_uri (6d47110), closes #228
clients: fixes client registration to use payload.whitelisted (83e145b)
clients: match the notes client with fxa-dev and other envs (#585); r=rfk (e24a582), closes #585
clients: support client/client_id route via the internal server (ce04da7)
clients: update email validation (92d4bfc)
codes: Remove authorization codes after use. (e0f8961)
config: Add environment config options (14a9b4a)
config: expose clients config as OAUTH_CLIENTS (04ebf6f)
config: expose more environment variables for config (7a1dd19)
config: For dev, the openid issuer is http://127.0.0.1:3030 (#583) r=@vladikoff (38e1d73), closes #583 mozilla/fxa-content-server#6362
config: mark config sentryDsn and mysql password sensitive (#511) r=@vladikoff (d98fbcd), closes #511
config: option autoUpdateClients, will be disable in prod/stage (802a0b2)
config: remove 00000... from hashedSecrets (8dcfd56), closes #339
config: reverting 'mark config sentryDsn and mysql password sensitive (#511) r=@vladikof (41bd7c0), closes #511
config: set expiration.accessToken default to 2 weeks (7a4742d)
config: update config to use getProperties (c2ed6eb), closes #349
config: Update contentUrl (e1622b2)
config: Update name and redirectUri (2a16cdd)
config: update redirect_uri values to not be blank (5267c62)
db: don't change client database at startup; footgun (8877f81)
db: Drop foreign key constraints. (7ee117c)
db: ensure strict mode (#448) r=rfk,seanmonstar (8d309c5), closes #448 #446
db: Fix an old db patch to apply cleanly in local dev. (c7fa633)
db: Fix case-consistency of SQL query from #612 (9e55714), closes #612
db: make schema.sql accuratley reflect latest patch state (b17b000)
db: make the clients key mandatory in the config file (ac7a39e)
db: remove db name from clients (c724439)
db: Restore foreign key constraints on core tables. (2bd0845)
db: we need to enforce only a minimum patch level (not {n,n+1}) (e12f54d)
dependencies: move fxa-jwtool from dev-dependencies to dependencies (79b0427), closes #345
dependencies: switch back to main generate-rsa-keypair now that my fix to it was merged (1c1268b)
deps: add filtered npm audit (71048b3), closes mozilla/fxa#303
deps: ignore npm advisories 39, 48, 658 (238b0a1), closes /github.com/mozilla/fxa-auth-server/pull/2643/files#r220807985
deps: switch from URIjs to urijs (ecdf31e), closes #347
deps: update mocha and other dev deps (b99e82d)
deps: update newrelic and request r=@shane-tomlinson (b6d6c93)
deps: update some dependencies (09aa7b0)
deps: update to hapi 14 and joi 9 (9bc87c0), closes #424
deps: update to hapi 16, add srinkwrap scripts, update other prod deps (c102046)
deps: update to mozlog 2.0.2 (29342a9), closes #337
doc: Putting a little emphasis on email first (#584) r=@shane-tomlinson (8ad17c1), closes #584
docker: base image node:8-alpine and upgrade to npm6 (#567) r=@jbuck,@vladikoff (d4060be), closes #567
docs: add git guidelines link (a00167c)
docs: Change Status Code for Invalid Assertion based (780aaee)
docs: document keys and verification_redirect options (ef8c47a)
docs: minor spelling fixes (33ad1ec)
docs: note that codes are single use (6fe39f7), closes #214
docs: Update description of the action param to match latest reality. (b475fcb)
email: ensure mock senders take precedence over the email service (29f379d)
error: AppError uses Error.captureStackTrace (2337f80), closes #164
events: require events to be configured in production (1bef9e0)
fatal-error: Exit with non-zero exit code for fatal errors (7c90ff0), closes #244
headers: add cache-control headers to api endpoints; extend tests (5a81ef9)
headers: make "cache-control" value configurable (5ba82ea)
key-data: Correctly handle non-existent scopes when finding key data. (34d9493)
key-data: Fail cleanly when the client has no allowedScopes. (fafcef5)
keys: Generate unique 'kid' field when regenerating JWK keys (5b9acae)
keys: replace scope key TLD (#505) r=@rfk (a5e6d8f), closes #505
log: add remoteAddressChain to summary (#417) (568cfa6), closes #417 #415
log: avoid crashing on bad payload (#411) r=rfk,jrgm (19ebed5), closes #411 #410
logging: log the reason for account deletions (3092ac1)
logging: use route.path in debug message, not route.url (7d9efc2)
logging: use space-free tokens for mozlog (11f73f9)
logs: add scope and client_id logs to verify route (#447) r=seanmonstar (33eb39e), closes #447 #444
mailer: Fix the bulk-mailer, add lots of tests. (806129d)
memorydb: token createdAt used instead of client createdAt (#436) r=vladikoff,seanmonstar (02dec66), closes #436 #421
metrics: use correct format for email service notifications (ec3ff7b)
monorepo: Update CI config for oauth-server import. (6a5675c)
mysql: Correctly aggregate tokens by clientid. (#576) r=@vladikoff (2c2cd22), closes #576
newrelic: update to v2.1.0 (87a3aee)
node: use node 6.12.0 (#501) r=@vladikoff (167c973), closes #501
node: use node 6.12.3 (#510) r=@vladikoff (adc1fc0), closes #510
node: Use Node.js v6.14.0 (#537) (f32a3d7), closes #537
nodejs: update to 6.11.1 for security fixes (a0520c0)
oauth: another notes dev client (#546) (9d5ec8e), closes #546
openid: Generate openid keys on npm postinstall to file (5f15afa)
patcher: Fix patcher with no pre-loaded clients (dcc47b9)
pkce: Don't require PKCE in the direct grant flow. (#566) r=@vladikoff (d70fe6d), closes #566 #559
pkce: match pkce implementation to specifications (#498) r=rfk (cf1c836), closes #498 #495
profile: remove the profileChangedAt column on tokens table (5e87bce)
purge: add purgeExpiredTokensById to select, then delete by primary key (#580); r=rfk (adfff65), closes #580
purge-expired: accept a list of pocket-id's (1c843a9)
purge-expired: log uncaughtException; minimum log level of info (264271e)
purge-expired: moar logging (80c360e)
purge-expired: Promise.delay takes milliseconds; allow subsecond delay (10c6103)
purge-expired: set db.autoUpdateClients config to false (bc66fc3)
purge-expired: use db.getClient() to check for unknown clientId (c33f1d9)
route: make email false by default (#533) r=@rfk (aa68fb9), closes #533
scopes: Document scope-handling rules, use shared code to enforce them. (#551); r=vbudhr (237886d), closes #551
scopes: Dont treat foo:write as a sub-scope of foo. (b4b30c2)
scripts: Fix varname typo in test runner script. (#535) (02804a8), closes #535
scripts: Use pure JS module to generate RSA keypairs (#439) r=vladikoff (3380e1c), closes #439
security: enable x-content-type-options nosniff (5ea5001)
security: enable X-XSS-Protection 1; mode=block (52ca1e5)
security: set x-frame-options deny (21ea05d)
server: exit if db patch level is wrong (78d6382)
shrinkwrap: restore deleted npm-shrinkwrap.json (6383481)
spelling: minor spelling fix in tests (#403) r=vladikoff (d4ff105), closes #403
sql: fix the schema issue with the trailing comma (069caeb), closes #299
sql: remove references to the whitelisted column; this is now the trusted column (6b4d1ec)
sql: undo 155d2ce; for mysql-patcher fix up that database (eb9f40d), closes #301
test: encrypt refresh_token on db query (#414) r=seanmonstar,vladikoff (7f52d46), closes #414 #413
test: fix unhandled rejection error with memory db impl (#454) r=vladikoff (c870eba), closes #454
tests: check insert of utf8mb4 (4e6a77a)
tests: double before hook timeout for tests on slow machines (2333416)
tests: mock outstanding error logs in test suite r=@vladikoff (6a5d3ce), closes #334
tests: More reliable generation of RSA keys for tests (981d0b7)
tests: Refactor use of process.exit() to be outside of code under test. (47f4f17)
tests: remove assertions of profileChangedAt property (60af54f)
tests: sleep additional half second to adjust for mysql round of timestamp (a02f516)
tests: speed up and upgrade the test runner (#467) r=seanmonstar (2e76c9e), closes #467
token: disable expiration error (c9547a8)
tokens: Added scripts that purge expired access tokens. (10bbb24)
tokens: Avoid quadratic behaviour when listing active clients. (#9); r=vladikoff (15c3065), closes #9
tokens: Begin expiring access tokens beyond a configurable epoch. (b346326)
tokens: invalidate refresh tokens on client-token DELETE action (#508) (df0ca82), closes #508 #507
tokens: ttl parameter must be positive (#429) r=vladikoff (1764d73), closes #429
travis: build on node 0.10, 0.12, 4, no allowed failures (6684e8c)
travis: install libgmp3-dev so optionaldep bigint will be built for browserid-crypto (a64cb18)
travis: remove broken validate shrinkwrap (1729764)
travis: run tests with 6 and 8 (#497) r=vladikoff (a49b272), closes #497
travis: test on node4/node6 with default npm & g++-4.8 (b4e1dd8)
validation: Allow redirect uris with existing query params. (#548); r=philbooth (b93e6a1), closes #548
validation: Restrict characters allowed in 'scope' parameter. (7dd2a39)
version: use cwd and env var to get version (#452) r=vladikoff (a3b1aa2), closes #452
version: use explicit path with git-config (e0af8bc)

chore

api: remove metrics context data from deprecated endpoints (d884148), closes #2496
awsbox: remove unused awsbox (f053c9f)
build: Bump eslint-config-fxa to latest version (fe45e0b)
build: create changelogs each release (16f1f5b), closes #158
build: switch to grunt-nsp (ac31672)
ci: drop node 4 as a supported env (#478) (176c828), closes #478
clients: add credentials for FF/FFOS/Fennec/FxA clients in dev (b501abe)
clients: remove deprecated 'whitelisted' column from clients table. (cf16f8a)
clients: rename "whitelisted" property to "trusted". (b8927a8)
config: add local loop dev credentials (70cc480)
config: add Notes trailing slash to redirect in dev.json (#536) (e8bf2e5), closes #536
config: add oauth console into dev config (14d7bab)
config: remove duplicate 'canGrant' field in config file (259da3d)
config: Update convict and switch on strict validation. (1f49ad4)
db: Add db migration to revert change that couldn't go to production. (9382239)
dep: replaced bidcrypto dep with fxa-jwtool (7d71239)
dependencies: bump hapi version (13c2d57)
dependencies: dependency upgrades (4430228)
dependencies: update 'jwcrypto' dependency to 'browserid-crypto' (b9bf102), closes #151
dependencies: update convict (8dfa52f)
dependencies: update most dependencies (ad61ecb)
dependencies: updating deps (e412925)
dependencies: upgrade mozlog to 2.0.3 (262bbc9)
deps: Generate shrinkwrap for latest dependency updates (84e69b5)
deps: update deps, fix nsp (#517) r=@philbooth (9f12267), closes #517
deps: Update hapi dependency. (#457), r=@vbudhram (24a570f), closes #457
deps: Update hapi to latest version (#482) r=vladikoff (6b2810e), closes #482
deps: Update hapi to v16.6.3 (#526) (78c88ad), closes #526
deps: Update request package to latest version (#407) r=vladikoff (b8ef1d7), closes #407
dev: add 321Done untrusted client (a291205)
dev: add Firefox Notes Web Extension client to development config (3960e5f)
dev: add Notes supprot scope in dev (#492) (85af2a2), closes #492
docker: remove old docker self-host files (9f5247f)
docker: Update to node 6.11.5 (#494) (6eb07cf), closes #494
docker: Use official node image & update to Node.js v4.8.2 (#462) r=vladikoff (b1924b0), closes #462
docs: Add a comment about privKey/pubKey confusion in gen_keys (d2edd4b)
docs: add a note about dev envs (0663c19), closes #148
docs: add CircleCI badge to readme (acff566)
docs: move self-host docker file (2180f92)
docs: remove older Docker files (#426) (370c898), closes #426
grunt: make 'grunt release' generate changelog also (87d5861)
license: Update license to be SPDX compliant (ff83ec2)
lint: add ESLint (1531061), closes #274
logging: Log additional details for debugging expired tokens (22cf3ab)
npm: update to npm5 (#522) r=@vbudhram (3783605), closes #522
package: npm shrinkwrap (8ba20b0)
package: pin blanket to 1.1.6 (072385b)
package: remove main from package.json (ebc60a5), closes #206
release: add tasks "grunt version" and "grunt version:patch" to create release tags (1be1380)
release: use CHANGELOG.md instead of CHANGELOG during bump (520b39c)
tests: remove weird mocking magic (47389fa)
tests: Uniformly use promises rather than done() callback. (2a4731f)
tokens: add a comment about why we're inserting an empty string for email (eed414b)
travis: drop node 0.12 support (b4eba46)
travis: Only install libgmp3-dev on Travis (cfafb19)
travis: Tell Travis to use #fxa-bots (17134db)
travis: use npm@2 for more stable installs (3c3e127)
version: add /version route with source repo (37a08f2)
version: generate legacy-format output for ./config/version.json (51b5f3b)

docs

api: Update email behavior for GET /v1/authorization. (755ec9a)
authorization: Document email param in GET /authorization (fbf1eb7)
service-clients: Document Service Clients, JKUs, and JWTs (d2f1ef3), closes #329
service-clients: Document Service Clients, JKUs, and JWTs (799f0e2), closes #329
verify: fix misnamed 'scopes' response property (b5728cf), closes #261
workflow: fixes workflow typo (318d9e1)

Features

2fa: check acr values during authorization flow (c20682a)
amr: Report amr and acr claims in the id_token. (#530); r=vbudhram (8181f7f), closes #530
api: Add action=force_auth to GET /v1/authorization. (33603bd), closes #190
api: add auth_at to token response schema. (bc8454d), closes #181
api: add ttl parameter to POST /authorization (36087fe)
api: allow destroying token without client_secret (7b4d01f)
auth: Accept client credentials in the Authorization header. (#514); r=philbooth (1c50807), closes #514
auth: redirect to content-server oauth root by default (34ad867), closes #245
authorization: add uri validation on the authorization endpoint (#428) r=jrgm,seanmonstar (fcc0b52), closes #428 #387 #388
authorization: Directly return code in authorization response. (#541); r=philbooth (7ad1e56), closes #541
authorization: exit early if assertion invalid returns first (5a27ee6)
authorization: Require tokenVerified=true for key-bearing scopes. (#561) r=@vladikoff (f9ad63e), closes #561 /github.com/mozilla-services/tokenserver/blob/master/tokenserver/views.py#L140
ci: move to CircleCI 2 (#554) r=@jbuck (97e4f62), closes #554
clients: add terms_uri and privacy_uri properties to clients. (51ae904)
clients: add notion of Service Clients in config (8cfdffe), closes #327
clients: Added initial support for using previous client secret (4f9df20)
clients: client registration apis (1a80294), closes #60
clients: move client management api to a separate port (07a61af)
clients: remove obsolete generate-client.js script (62ab0ad), closes #231
clients: report trusted property in GET /client/:id (c58d237)
codes: Delete authorization codes when revoking client access. (#578); r=philbooth (b905b7c), closes #578
config: add browserid pool maxSockets option (0bb40ba)
config: add mysql pool conectionLimit option (ca220ae)
db: add basic migration infrastructure to mysql backend (012e605), closes #183
db: remove clients.secret column (0e39d1e), closes #323
deps: update server dependencies (80ac3cf)
deps: update to bluebird 3 (8f4c664), closes #570
developers: adds support for oauth developers (abe0e52)
docker: Add CloudOps Dockerfile & CircleCI build instructions (a80b4b4)
docker: Additional Dockerfile for self-hosting (83a8b6c)
docker: Dockerfile and README update for basic docker development workflow (342d87b)
docker: Shrink Docker image size (#438) r=vladikoff (13d13b9), closes #438
docker: support feature branches (#464) r=jrgm (f94fd61), closes #464
email-first: Add support for the email-first flow. (#540); r=philbooth,rfk (cb11145), closes #540 #539
error: add info property with link to docs (681044c)
hpkp: Add the hpkp headers to all requests (#416) r=vladikoff (6b8a8c8), closes #416
keys: Add created-at timestamp to our public keys. (#453); r=seanmonstar,vladikoff (511d9a6), closes #453
keys: add key-data docs, move client_id into payload (#491); r=rfk (a9152c3), closes #491
keys: add keys_jwe support (#486) r=rfk (6a4efd1), closes #486 #484
keys: Check lastAuthAt freshness when fetching key data. (#502) r=@vladikoff (855adee), closes #502
keys: Check lastAuthAt freshness when fetching key data. (#506) r=@vladikoff (e0de2f3), closes #506
lb: Add __lbheartbeat__ endpoint (#458), r=@jbuck (c387907), closes #458
logging: add log of time taken in authorization endpoint (02ec0d2)
logging: add log when mysql pool enqueues (461b5c1)
logging: add method, payload, and auth to summary (df57e23), closes #174
logging: log details when generating code (81933f7)
logging: switch logging to mozlog (ec0f5db), closes #156
logs: add sentry support (#499), r=@vbudhram (ef34859), closes #499
metrics: add code and config for email service notification queue (ccd5556), closes #2633
monorepo: Move everything into a subdirectory. (8453f6e)
node: update to node 8 (#544) r=@jrgm (e9b08ae), closes #544
node: upgrade to node 6 (57c61ab)
oauth: add methods to support oauth client management (#405) r=seanmonstar (2748510), closes #405
oauth: make server compatible with AppAuth (#534) r=@rfk (ff9e422), closes #534
oauth: Track last time refreshToken was used (#412) r=vladikoff,seanmonstar (25c455a), closes #412 #275
openid: add initial OpenID Connect support (93f8758), closes #362
openid: add profileChangedAt to claims (#607), r=@rfk (f6e93eb), closes #607
openid: Add support for OIDC login_hint query param. (200ce43)
openid: add the openid connect at_hash value (#598), r=@rfk (d08310e), closes #598
openid: Allow untrusted reliers to request openid scope. (#516), r=@vbudhram (f764dc8), closes #516
pkce: add ability for PKCE clients to use refresh_tokens (#476) r=seanmonstar (7b401eb), closes #476 #472
pkce: add PKCE support to the oauth server (#466) r=seanmonstar (ed59c0e), closes #466
refresh_tokens: add refresh_tokens to /token endpoint (16e787f), closes #209
scopes: add key-data and scope support (#487) r=rfk (f3fcae5), closes #487 #483
scopes: allow https:// scopes (#490); r=rfk (f892bcb), closes #490 #489
scripts: Add script to generate an oauth client (f21f657)
server: set HSTS header for 180 days (d43accb)
server: update to Hapi 17 (0ebfebe)
shared: add new locales (d6e88df)
sync: add local test client for sync (#549) (61ed2e7), closes #549
sync: add oldsync scope (#550) r=@rfk (f2e7bb4), closes #550
token: reject expired tokens (4f519ca), closes #365
tokens: add support for password change and reset event (#485) r=rfk (f5873f9), closes #485 #481
tokens: allow using JWT grants from Service Clients (55f88a9), closes #328
tokens: allow using JWT grants from Service Clients (0a0e303), closes #328
untrusted-clients: restrict scopes that untrusted clients can request (8fd228a), closes #243
verify: add opt out parameter to verify endpoint (e4c54ff), closes #358
verify: added 'client' to /verify response (4c57551), closes #149

JsonFormatter

outputs JSON in same format as fxa-auth-server (c89ca92)

Refactor

client: scope added in memory and sql (#445) r=vladikoff (4efc383), closes #445 #431
clients: remove terms and privacy uris (5c1e0be), closes #406
config: Use human-readable duration values in config (20aa8fa)
db: add hashedSecret column to clients (9ceaf1f), closes #155
db: clients.secret to clients.hashedSecret, remove clients.whitelisted (155d2ce), closes #155 #267
email: Fixes #352 Remove ability to fetch email address (#543) r=@shane-tomlinson (068bd4b), closes #352 #543
keys: rename keyMaterial, timestamp to keyRotationSecret, k… (#500) r=@rfk (48ec2a3), closes #500
lint: remove jscs, update eslint rules (#477), r=@vbudhram (8bc148a), closes #477

Reverts

keys: Check lastAuthAt freshness when fetching key data (5d772f6)
service-tokens): Revert "docs(service-clients: Document Service Clients, JKUs, and JWTs" (6be9ac2)
service-tokens): Revert "feat(tokens: allow using JWT grants from Service Clients" (d3cc78a)
tokens: dont reject expired tokens, again (e8b563e)

test

api: rename assertRequestParam to assertInvalidRequestParam (3f00eb3), closes #280
db: fixing db.removeUser tests for mysql (94f96bf)

BREAKING CHANGES

[object Object]
[object Object]
[object Object]

1.123.3 (2018-11-01)

Bug Fixes

tests: fix the geodb location assertions again (90449d4)
tests: remove assertions of profileChangedAt property (565d2c8)

chore

errors: make email-sending errors a 422 for new addresses (17e787b)

1.123.2 (2018-10-24)

Bug Fixes

metrics: ensure metrics context is propagated from /account/reset (48ed7be)

1.123.1 (2018-10-23)

Bug Fixes

metrics: ensure email events use stashed flow data where applicable (2168ea7)

1.123.0 (2018-10-16)

Bug Fixes

email: handle the new error structure from fxa-email-service (787031f)
email: include data from headers in email sent events (28a4a53)
email: throw error for failed emails during account creation (75815f2), closes #2565
emails: expose config to append domain to verification emails (510bf08)

chore

deps: Update commander, jsxgettext-recursive to remove security warnings. (7185ad8)

1.122.2 (2018-10-04)

Bug Fixes

commands: Assign default TTL to send-tab commands (6afb0e3)

1.122.1 (2018-10-03)

chore

docs: add missing private releases to change log (47ea091)
package: npm shrinkwrap (081f7d8)

1.122.0 (2018-10-02)

Bug Fixes

codes: increase token code font size in email (28ed315)
customs: increase customs timeout to 3000ms (973815e)
deps: Update i18n-abide to remove npm audit warnings (055788c)
metrics: prohibit overwriting stashed metrics context (fafccce)
metrics: stash metrics context during the account reset flow (804907a)
npm: use npm ci for npm install (3e66f67), closes #2614
profile: add profileChangedAt to cert sign (cca665d)
scripts: make tls-shrink script portable (721c069)
sms: use a five minute period on polling (57e82a5)
tests: fetch cities db from S3 (9d370fb)

chore

memcached: remove the cache.set method (2a88926)
package: bump fxa-shared to 1.0.14 + npm shrinkwrap (04bd8f2)
sms: log JSON-serialised result if we fail to parse max spend (f0b5d08)

Features

scripts: force registry links in shrinkwrap to use tls (eae04fc)

1.121.1 (2018-10-02)

Bug Fixes

random: Reduce bias when generating random base-10 codes. (65dab2b)

1.121.0 (2018-09-18)

Bug Fixes

keys: return proper error when failing to create duplicate recovery key (4954b69)
tests: separate remote and local test runs (499c9fa)

Features

totp: allow reliers to request totp on login (fa98878)

1.120.2 (2018-09-10)

1.120.0 (2018-09-06)

Bug Fixes

config: update correct recoveryCodes config (#2604), r=@philbooth (67b7053), closes #2604
errors: Surface a backendServiceFailure when connection to db fails. (#2600) r=@philboot (2e9b9e6), closes #2600 #2599
logging: log errors when reading/parsing live email config (9fe542e)
mail_helper: remove '<' from to headers in email service requests (#2595) r=@vladikoff (87f0d61), closes #2595 mozilla/fxa-content-server#6470
recovery: update to support hashing recoveryKeyId (e9bb25c)
test: update to latest token requirements (#2601), r=@philbooth (000b15d), closes #2601
tests: update to mocha 5 (#2590) r=@shane-tomlinson (e504e39), closes #2590 #2531

chore

docs: add badges for LGTM analysis and alerts (45975d6)
email: force value to boolean in account deletion check (a00dcac)
tests: switch from insist to chai for assertions (#2608) r=@vladikoff (1b47186), closes #2608

1.120.1 (2018-09-06)

1.120.0 (2018-09-06)

Bug Fixes

config: update correct recoveryCodes config (#2604), r=@philbooth (67b7053), closes #2604
errors: Surface a backendServiceFailure when connection to db fails. (#2600) r=@philboot (2e9b9e6), closes #2600 #2599
logging: log errors when reading/parsing live email config (9fe542e)
mail_helper: remove '<' from to headers in email service requests (#2595) r=@vladikoff (87f0d61), closes #2595 mozilla/fxa-content-server#6470
recovery: update to support hashing recoveryKeyId (e9bb25c)
test: update to latest token requirements (#2601), r=@philbooth (000b15d), closes #2601
tests: update to mocha 5 (#2590) r=@shane-tomlinson (e504e39), closes #2590 #2531

chore

docs: add badges for LGTM analysis and alerts (45975d6)
email: force value to boolean in account deletion check (a00dcac)
tests: switch from insist to chai for assertions (#2608) r=@vladikoff (1b47186), closes #2608

1.120.0 (2018-09-06)

Bug Fixes

config: update correct recoveryCodes config (#2604), r=@philbooth (67b7053), closes #2604
errors: Surface a backendServiceFailure when connection to db fails. (#2600) r=@philboot (2e9b9e6), closes #2600 #2599
logging: log errors when reading/parsing live email config (9fe542e)
mail_helper: remove '<' from to headers in email service requests (#2595) r=@vladikoff (87f0d61), closes #2595 mozilla/fxa-content-server#6470
recovery: update to support hashing recoveryKeyId (e9bb25c)
test: update to latest token requirements (#2601), r=@philbooth (000b15d), closes #2601
tests: update to mocha 5 (#2590) r=@shane-tomlinson (e504e39), closes #2590 #2531

chore

docs: add badges for LGTM analysis and alerts (45975d6)
email: force value to boolean in account deletion check (a00dcac)
tests: switch from insist to chai for assertions (#2608) r=@vladikoff (1b47186), closes #2608

1.119.6 (2018-09-07)

Bug Fixes

tests: comment out flaky tests (c505991)
tests: comment out flaky tests (c50acaf)
validation: allow https pushCallback URLs that contain :443 (e41522f)

1.119.5 (2018-09-07)

Bug Fixes

deps: Pin auth-db-mysql dependency for train-119 (3c09697)

1.119.4 (2018-09-06)

push: support port numbers in push urls (8a9859f)
tests: add port test (f258387)
tests: adjust geodb city for now (fd751b2)

1.119.3 (2018-08-23)

Bug Fixes

mysql: fix pushbox mysql (#2597) r=@philbooth (cd5b5cd), closes #2597

1.119.2 (2018-08-23)

Bug Fixes

devices: Add feature-flag for the "device commands" functionality. (#2591) r=@vladikoff (85889ee), closes #2591
npm: new shrinkwrap

1.119.1 (2018-08-21)

Bug Fixes

devices: disable cached devices in account destroy (#2588) r=@philbooth (326881b), closes #2588

1.119.0 (2018-08-21)

Bug Fixes

devices: check token.deviceAvailableCommands before dereferencing (eedf321)
devices: treat matching device commands as spurious updates (71f8c18)
devices: used cached devices property during requests (3015a40)
email: ensure email-service errors fail the call to sendMail (bdc7c7a)
email: JSON.parse live email config after reading from redis (dd262a9)
redis: Close the redis pool when closing the DB. (855d681)
redis: recover from invalid token JSON in Redis (db8022f)
reset: update must-verify script to use string instead of buffer (#2551) r=@vladikoff (2a2eeab), closes #2551
scripts: fix the broken api docs generator script (fedaa23), closes #2521
scripts: improve regex validation for email-config script (14694e4)
scripts: stop email-config script logging config to stdout (807e4ac)
sentry: server.events.on takes channels, not channel (7d69830)
server: do not return customs.flag in the destroy route (#2573) (4998f2b), closes #2573 #2563
sessionTokens: actually prune expired session tokens (72809f8)
test: increase totp code window (#2548), r=@vladikoff (fecc9e3), closes #2548
test: set default test timeout to 5000 (#2560), r=@philbooth (5caedf3), closes #2560
tests: add a check from sentry setup (7f60f8c)
tests: adjust async tests (9e20e69)
tests: increase timeout on selectEmailService integration tests (cd5f341)
tests: temporarily disable deviceCommands assertions (08f5ee9)
validation: don't treat +-\/ as a character range in email regex (cfb9704)
validation: validate length of user and domain email address parts (a872363), closes #2568

chore

install: Only clone the l10n repo if needed. (#2546) r=@vladikoff (0e91f45), closes #2546
package: update shrinkwrap (842aae4)
tests: add tests to email_service.js (abfb6be)

Features

admin: Add an admin script to delete an account. (2074d56)
ci: update to circle 2 (#2529), r=@vbudhram (395a02e), closes #2529
codes: expose verificationMethod as optional (#2564), r=@philbooth (fb256ff), closes #2564
email: change the email service errno values to numbers (577237d), closes #2569
email: read live email-sending config from redis (bc55e8b)
email: write live email-sending config to redis (c6ad402)
pushbox: activate pushbox in dev environments (#2567) r=@vladikoff (03e1e6e), closes #2567 mozilla/fxa-local-dev#122
recovery: add account recovery email templates (#2553), r=philbooth (8f36f62), closes #2553
scripts: validate inputs in the email-config script (122ce3b)
tests: write unit tests for email address validation (eaf3615)

Refactor

devices: extract and write tests for devices.isSpuriousUpdate (bebee79)
devices: shortcut redundant tests for spurious device updates (0bce944)
validation: simplify the validation logic for email addresses (8dee2e8)

1.118.0 (2018-08-08)

Bug Fixes

email: ensure email-service errors fail the call to sendMail (bdc7c7a)
redis: Close the redis pool when closing the DB. (855d681)
redis: recover from invalid token JSON in Redis (db8022f)
reset: update must-verify script to use string instead of buffer (#2551) r=@vladikoff (2a2eeab), closes #2551
sentry: server.events.on takes channels, not channel (7d69830)
sessionTokens: actually prune expired session tokens (72809f8)
test: increase totp code window (#2548), r=@vladikoff (fecc9e3), closes #2548
test: set default test timeout to 5000 (#2560), r=@philbooth (5caedf3), closes #2560
tests: add a check from sentry setup (7f60f8c)

chore

install: Only clone the l10n repo if needed. (#2546) r=@vladikoff (0e91f45), closes #2546
tests: add tests to email_service.js (abfb6be)

Features

admin: Add an admin script to delete an account. (2074d56)
ci: update to circle 2 (#2529), r=@vbudhram (395a02e), closes #2529
codes: expose verificationMethod as optional (#2564), r=@philbooth (fb256ff), closes #2564
email: read live email-sending config from redis (bc55e8b)
recovery: add account recovery email templates (#2553), r=philbooth (8f36f62), closes #2553

1.117.2 (2018-08-01)

Bug Fixes

sentry: server.events.on takes channels, not channel (5bc7b87)

1.117.1 (2018-07-26)

Bug Fixes

hapi: use the new server event error handler (#2543) r=@rfk (2d52887), closes #2543 #2542 hapijs/hapi#3658

1.117.0 (2018-07-24)

Bug Fixes

email: make config.sesConfigurationSet default the empty string (35ac5f0)
package: fixes for npm security audit (2bfa482)
push: send FxA commands push messages to iOS devices (#2517) r=@vladikoff,@eoger (c020798), closes #2517

chore

browserid: Remove unnecessary browserid routes. (#2539); r=philbooth,stomlinson (a1e64dd), closes #2539
emails: log smtp port in mail_helper.js (#2519) (6dbf15a), closes #2519

Features

email: add a service property to the X-SES-MESSAGE-TAGS header (b6908b9)
recovery: update delete recovery key and get recovery key endpoints (#2518), r=@rfk (4d109a0), closes #2518
scopes: Use shared code lib for checking OAuth scopes. (#2501); r=vbudhram,shane-tomlins (59de0ae), closes #2501
server: Update to hapi 17 (#2486) r=@vbudhram,@philbooth (63738c8), closes #2486 #2438

1.116.1 (2018-07-16)

Bug Fixes

email: fix broken X-SES-CONFIGURATION-SET header (#2523) r=@vladikoff (a3c994f), closes #2523

1.116.0 (2018-07-11)

Bug Fixes

customs: Fail closed if customs-server gives an error. (#2483) r=@vladikoff,@shane-tomlin (acef9ef), closes #2483
email: gracefully handle errors from fxa-email-service (#2510) r=@vladikoff (d46526f), closes #2510 #2509
metrics: don't force utm_source=email on links in emails (e47b710)

Features

email: use fxa-email-server for specific email addresses (4b5bd9a)
metrics: add amplitude event properties for email service/sender (55b3290)

1.115.1 (2018-06-28)

Bug Fixes

devices: Fix race between real and placeholder device registration. (#2492); r=philbooth (4c0bab6), closes #2492

1.115.0 (2018-06-27)

Features

devices: Introduce infrastructure for "device commands". (#2449); r=philbooth,eoger (f359006), closes #2449
recovery: account recovery apis (#2463), r=@rfk (ba27d41), closes #2463

1.114.3 (2018-06-21)

Bug Fixes

recovery-codes: Correctly rate-limit recovery code consumption. (e6b3043)

chore

release: Reverse merge train-114 into master (#2475) r=@vbudhram (177fa46), closes #2475

1.114.2 (2018-06-19)

Bug Fixes

devices: Do not echo 'capabilities' field in device registration response. (#2478); r=jrg (9bbc715), closes #2478

1.114.1 (2018-06-14)

Bug Fixes

l10n: Enable nb-NO locale by updating fxa-shared (#2474) r=@philbooth,@vladikoff (3a60d05), closes #2474

1.114.0 (2018-06-13)

Bug Fixes

devices: Remove the unused "device capabilities" API. (#2460); r=eoger (9e53247), closes #2460
docker: base image node:8-alpine and upgrade to npm6 (#2470) r=@jbuck (e990d39), closes #2470

chore

merge: Reverse merge v1.113.5-private into origin/master (#2472) r=@vbudhram (be7e6f1), closes #2472

1.113.5 (2018-06-08)

Bug Fixes

2FA: enforce 2FA on /reauth (#75) r=@rfk,@vbudhram (181a7ec), closes #75 #76

1.113.4 (2018-06-07)

Bug Fixes

signing: Don't let mustVerify sessions sign a certificate if unverified. (706541a)

1.113.3 (2018-05-31)

Bug Fixes

deps: Really use v1.113.1 of auth-db-mysql (#2461); r=jrgm (2f2c00c), closes #2461

1.113.2 (2018-05-31)

1.113.1 (2018-05-30)

Bug Fixes

deps: Use v1.113.1 of auth-db-mysql (f8ca91c)

1.113.0 (2018-05-30)

Bug Fixes

deps: Update fxa-geodb version, remove nexmo (#2446) r=@philbooth (44e9dac), closes #2446
params: remove query param for verificationMethod (#2456) r=@vladikoff (dc1bb44), closes #2456
sms: follow documented conventions for AWS GetMetricStatistics call (95c3364)

chore

ci: Remove coveralls from travis config. (#2452) (aedd180), closes #2452
devices: Remove notifyUpdate and filter target devices in the /devices/notify handler (a9c6e0e)

Features

pool: Allow pool requests to specify headers and query params. (1f63621)

Refactor

metrics: move amplitude email types back here from fxa-shared (c2767f5)

1.112.1 (2018-05-17)

Bug Fixes

docs: fix devices validation output of the doc generator (#2440) r=@vladikoff (957c760), closes #2440 #2434
nsp: fix nsp warnings (2b663dd)

1.112.0 (2018-05-16)

Bug Fixes

deps: update shrink (#2431) r=@vladikoff (291713a), closes #2431
logging: log successful sms budget checks (9731a08)
metrics: don't emit route flow events for 404s (f8bbfff)
newrelic: update newrelic module (#2424) r=@vladikoff (690ba82), closes #2424
nsp: update nsp for constantinople (#2430), r=@philbooth (57118d6), closes #2430
password: require totp verified session to change password (#2437), r=@rfk (ab05574), closes #2437

chore

logging: downgrade location translation error to warning (6b58bf9)

Features

emails: notify users when they are running low on recovery codes (#2429), r=@shane-tomli (a9c8aca), closes #2429

1.111.1 (2018-05-04)

Bug Fixes

metrics: remove old flow signature fallback code (4fc70a0)

1.111.0 (2018-05-02)

Bug Fixes

docs: add missing closing code-quote (0204096)
scripts: Remove obsolete bufferize call from must-reset script. (#2414); r=philbooth,st (56b00e3), closes #2414
totp: check totp before account deletion (#2405), r=@philbooth (7793de3), closes #2405

chore

config: update redirect domain for dev.json (#2403) r=@vladikoff (4ce2726), closes #2403
deps: Update web-push to latest release. (#2407) r=@vladikoff (9ed5a33), closes #2407

Features

emails: add email to all manage account email links (#2392), r=@philbooth, @shane-tomlin (308d7ff), closes #2392
node: update to node 8 (#2404) r=@jrgm (b43fd28), closes #2404
notifications: Add SNS msg attributes for service notification filtering (#2412); r=philbooth (0cf1bc4), closes #2412
sms: query the available budget in /sms/status (7aedef2)

1.110.1 (2018-04-19)

Refactor

email: remove email parameter from config (#2400) r=@vladikoff,@rfk (4a021c6), closes #2400

1.110.0 (2018-04-18)

Bug Fixes

devices: Rename pushbox capability to messages in tests (#2389) r=@rfk (9462e34), closes #2389
docs: remove old/misleading information about the locale property (#2382) r=@vladikoff (098f990), closes #2382
email: only send new sign-in emails for sync when verifying with totp (#2381), r=@philb (35da0bd), closes #2381
metrics: stop using user-agent string in flow id check (445cf30)
recovery: set assuranceLevel when verifying with recovery code (#2388), r=@rfk (b830707), closes #2388
recovery: update to latest recovery code requirements (#2397), r=@philbooth (ed3d99e), closes #2397
totp: Change 2FA removed email title to Two-step authentication disabled (#2396) r=@ (5128fd8), closes #2396 mozilla/fxa-content-server#6073

chore

logging: use a less confusing op on flow event errors (778fc33)
tests: remove duplicate mocking code (25f2404), closes #2383

Features

docs: Add documentation for "attached service" notification events. (#2362); r=vladiko (766fb16), closes #2362
profile: Send "profileDataChanged" event when modifying 2FA status. (#2390); r=vbudhram (19162ff), closes #2390
totp: rate limit totp verify actions (#2386), r=@rfk (4a89201), closes #2386

Refactor

metrics: use boiler-plate amplitude code from fxa-shared (a6069e0)

1.109.0 (2018-04-04)

Bug Fixes

metrics: count 28 days per metric month (e327e4f)
metrics: emit route flow events from more endpoints (35544c7)
metrics: include full version information in event data (#2356) (85da7f2), closes #2356 mozilla/fxa-amplitude-send#58
metrics: pass metricsContext to consumeRecoveryCode (#2367) r=@vladikoff (6e0b56c), closes #2367
node: Use Node.js v6.14.0 (#2374) (632dc35), closes #2374
server: validate ip addresses before setting them on request object (b181738)
sessions: only return major rev for browser version (#2363) r=@vladikoff (be6cc00), closes #2363
totp: add totp code window validation config (#2371), r=@vladikoff (110190d), closes #2371
totp: ensure correct session verification state before deleting totp (#2365), r=@rfk (0b1d075), closes #2365
totp: throw unverified session in promise chain (#2364), r=@rfk (575b899), closes #2364
validation: Reject URLs with unexpected characters. (#2370); r=pb (10e934f), closes #2370

chore

db: prevent the possibility of future url-injection bugs (fd26a4a)
deps: upgrade joi to 12.0.0 (#2358) (5040060), closes #2358
emails: use popular email domain list from fxa-shared (d3eeab1)

Features

metrics: add user properties for active device counts (a23eeaa), closes mozilla/fxa-amplitude-send#60
totp: initial recovery codes (#2349), r=@philbooth (81700da), closes #2349

1.108.0 (2018-03-21)

Bug Fixes

buffers: migrate from 'Buffer()' constructor calls r=@vladikoff (4815505), closes #2333
codes: Take token-code uid from the token, not the request payload. (#2339), r=@vbudhra (ab17bf8), closes #2339
deprecation: check for deprecated APIs r=@vladikoff (2262ce8), closes #2343
emails: add location to verify primary email (#2341), r=@philbooth (ab7ba5a), closes #2341
metrics: ensure service is set when possible on amplitude events (c681053)
params: use default parameters in options (#2332) r=@vladikoff (65f9802), closes #2332
totp: Restrict allowed chars in TOTP code input. (#2340); r=vbudhram (86de08b), closes #2340

Features

amr: Report AMR and AAL in relier-facing APIs. (#2346); r=vbudhram (517f482), closes #2346
devices: Devices capabilities (#2350) r=@philbooth (2067dba), closes #2350
emails: totp notification emails (#2331), r=@philbooth (8d3928d), closes #2331
node: update to node v6.13.1 r=@jbuck (75d8737)

1.108.0 (2018-03-21)

Bug Fixes

buffers: migrate from 'Buffer()' constructor calls r=@vladikoff (4815505), closes #2333
codes: Take token-code uid from the token, not the request payload. (#2339), r=@vbudhra (ab17bf8), closes #2339
deprecation: check for deprecated APIs r=@vladikoff (2262ce8), closes #2343
emails: add location to verify primary email (#2341), r=@philbooth (ab7ba5a), closes #2341
metrics: ensure service is set when possible on amplitude events (c681053)
params: use default parameters in options (#2332) r=@vladikoff (65f9802), closes #2332
totp: Restrict allowed chars in TOTP code input. (#2340); r=vbudhram (86de08b), closes #2340

Features

amr: Report AMR and AAL in relier-facing APIs. (#2346); r=vbudhram (517f482), closes #2346
devices: Devices capabilities (#2350) r=@philbooth (2067dba), closes #2350
emails: totp notification emails (#2331), r=@philbooth (8d3928d), closes #2331
node: update to node v6.13.1 r=@jbuck (75d8737)

1.107.4 (2018-03-21)

Bug Fixes

emails: Make all DB request paths containing an email use hex encoding (#72); r=philboot (d275d7a), closes #72

1.107.3 (2018-03-16)

Bug Fixes

validators: Normalize redirectTo url to avoid parsing edge-cases. (#71) r=@vladikoff (bb17257), closes #71

1.107.2 (2018-03-15)

Bug Fixes

emails: prevent unsafe content from reaching rendered email body (8da511c)

1.107.1 (2018-03-10)

chore

uplift: uplift token validation fixes (#2335) r=@vladikoff (a35411a), closes #2335

1.107.0 (2018-03-07)

Bug Fixes

redis: delete clashing tokens from redis in createSessionToken (e9ec39d)
tests: Make email-polling-expiry tests pass in March. (#2324) r=@vladikoff (597bfab), closes #2324

chore

deps: Update hapi to v16.6.3 (#2330) (ad1888a), closes #2330

Features

emails: delete bounced registrations that are younger than 6 hours (#2305); r=rfk (e2d2a7e), closes #2305
totp: update to use new verification methods (#2321), r=@philbooth, @vladikoff (45ae7b2), closes #2321

1.106.0 (2018-02-21)

Bug Fixes

api: make authentication required on GET /account/profile (#2290) r=@vladikoff (6411c5a), closes #2290
docs: Support declaration of extra error types in route config. (9254e31)
logging: Make oauth_client_info use shared logging instance. (#2299) r=@vladikoff (bb2c677), closes #2299
reauth: Don't send a "new device" email during session re-auth. (e2cd9f9)
tests: Add verifyTokenCode support for mem keyFetchToken (#2287), r=@philbooth (5cb76e5), closes #2287
tests: Test that unauthenticated /account/profile rejects cleanly. (#2296) r=@philbooth (79b2876), closes #2296

chore

emails: delete bin/mailer_server.js (#2303) r=@vladikoff (d8bd876), closes #2303
emails: remove all verification reminder code (a33756e)
logging: downgrade redis.watch.conflict to warning level (#2307) r=@vladikoff (d219cdd), closes #2307
nsp: ignore hoek warning (695499a)

Features

cad: change destination of CAD in email to FxA-controlled page (#2297) r=@philbooth (2a05116), closes #2297 #1860
emails: fetch service names from OAuth servers, use in emails (#2284) r=@rfk (f0ecf0a), closes #2284 #2213 #2249
reset: improve reset for reliers (#2298) r=@ryanfeeley,@vbudhram (a937c16), closes #2298 mozilla/fxa-content-server#5776 mozilla/fxa-content-server#5896
sessions: Add ability to reauth within an existing login session. (aa388cc)
totp: TOTP Management APIs (#2300), r=@philbooth (c805f9c), closes #2300

1.105.0 (2018-02-06)

Bug Fixes

bounce: Update bounces lib to use accountRecord (#2273) r=@rfk,@vladikoff (3953051), closes #2273 #2272
email: log to recipient alongside smtp message-id (993fd02)
emails: Reset account tokens when deleting an email address. (#2266); r=philbooth (70d0f96), closes #2266
redis: delete session tokens from redis in db.deleteDevice (11f7024)
tests: Use higher test timeout under Windows Subsystem for Linux (c9baa00)
unblock: Send correct primary email when blocked (#2271), r=@rfk (0e4b77f), closes #2271

chore

ci: stop setting USE_REDIS in the test invocations (#2281), r=@vbudhram (26a5a8a), closes #2281
code: eliminate duplicate pool and db modules (924e8ca)
tests: Set defaults for env vars in test-local.sh script. (0960eaf)

Features

sessions: Add /session/duplicate API (669f59a)

1.104.1 (2018-01-29)

Bug Fixes

metrics: ensure amplitude events always have a metrics context (f7ce4d0)

1.104.0 (2018-01-24)

Bug Fixes

redis: pack redis tokens inside db.deleteSessionToken (1b2d1d9)
tests: Fix account destroy device test (#2263), r=@rfk (220d57d), closes #2263

chore

deps: update fxa-geodb (e7bbb86)

Features

auth: Enable hawk payload validation for additional replay protection (#2252); r=pboot (af3a9eb), closes #2252
redis: eliminate property names from redis-stored tokens (fcddf0b)
redis: prune expired session tokens from redis (a9a61f0)

1.103.0 (2018-01-09)

Bug Fixes

node: use node 6.12.3 (#2251) r=@vladikoff (c804acd), closes #2251
scripts: use latest Husky module for git hooks (#2250); r=rfk (f76015c), closes #2250 #2128
tests: fix failing geolocation tests (#2253) r=@vladikoff (804344d), closes #2253

Features

sms: Enable SMS in australia (#2248) r=@rfk (86369d0), closes #2248

1.102.0 (2017-12-13)

Features

codes: don't send delete notification when deleting unverified email (#2246), r=@rfk (ae36ddf)
sms: Enable SMS in Denmark (DK) and the Netherlands (NL) (#2238) r=@vladikoff,@vbudhr (c8e55fe), closes #2237

1.101.1 (2017-12-05)

Bug Fixes

push: Send a notification to the device that's being disconnected. (#2245); r=eoger (9da5305)

1.101.0 (2017-11-29)

Bug Fixes

db: implement safe redis write semantics (91cd539)
metrics: include oauth_client_id in amplitude event properties (#2240); r=rfk (3034a41)
metrics: stop sending raw client ids to amplitude (#2239) r=@vladikoff (0069873)
tests: test against actual redis instance (f68e4bb)

chore

email: remove check_can_add_secondary_address route (#2234), r=@philbooth (90646b9)
email: Remove FF57 gating logic (#2232), r=@philbooth (2617b5a)
nsp: ignore warning about redos for date parsing in moment (a5e0a2c)

Features

sms: Enable SMS in Spain (ES), Portugal (PT), Italy (IT) (#2229) r=@philbooth (043ee6c), closes #2228

1.100.0 (2017-11-15)

Bug Fixes

db: sanely handle redis errors (8826364)
emails: update accountExists to check for secondary emails (#2216); r=rfk (a8130d3)
newrelic: allow enabling newrelic in background daemons r=@vladikoff (2d59a0c)

chore

nodejs: update to 6.12.0 (#2219) r=@vladikoff (983c369)

Features

sms: Enable SMS in Belgium, France, Luxembourg (#2211) r=@vladikoff (afccd3a)

1.99.2 (2017-11-03)

Bug Fixes

emails: add post change email template (#2194), r=@philbooth (f3261a6)
links: use a custom url when verifying primary email (#2196), r=@vladikoff (e6da576)
logo: fix FF57 logo width and height (#2204) r=@ryanfeeley (9f74735), closes #2204 #2203
tests: add local test coverage for english device locations (#2201), r=@vbudhram (686c3eb)
travis: run tests with 6 and 8 (#2195); r=rfk (d6910cd)

1.99.1 (2017-11-02)

Bug Fixes

logging: don't log errors if location is not set (#2200) (ddb3bc9)

1.99.0 (2017-10-31)

Bug Fixes

email: add missing whitespace after semi-colon (#2192), r=@vbudhram (0a5ea8c)
email: Added secondary to subject line (#2174), r=@vbudhram (163dd9c)

chore

deps: update shrinkwrap (f170820)
email: regenerate templates from partials (#2193) r=vladikoff (23c54c1)

Features

devices: return approximateLastAccessTime for old devices (b498fbd)
devices: translate location in devices and sessions response (b18079f)
metrics: add newsletter_state property to amplitude events (b55bfb0)
scripts: warn about no work in email template version bumper (84a567d)
session: Add email templates (#2184), r=@philbooth (dd68d88)
sms: Enable SMS in Austria, Germany. (#2179) r=@philbooth (2e6fcd6), closes #2177
tokens: add city and stateCode to sessionTokens (563851f)

1.98.2 (2017-10-30)

chore

logo: add new logo to email templates (#2190), r=@philbooth (a5c4105)

1.98.1 (2017-10-26)

chore

docker: Update to node v6.11.5 for security fix (2e7c769)

1.98.0 (2017-10-18)

Bug Fixes

config: add smsmock to dev config (6852ce6)
devices: Avoid reporting stale last-access times when feature is disabled. (#2144); r=phi (e8ce382)
logging: more clearly distinguish amplitude error messages (d205c9a)
logging: silence annoying redis log noise (#2164), r=@vbudhram (a397b67)
metrics: don't emit os_version if os_name is unset (#2165), r=@vbudhram (c60f198)
metrics: map service event property from client id (5be3475)
push: Allow sending verification messages from /devices/notify (#2161), r=@rfk (717253f)
push: Target Firefox Beta for account verification messages (#2167), r=@rfk (#2170) (37349fe)
tests: unify the mock log implementations (d959491)

Features

sqs: Add timestamp to notify services sqs message (#2168), r=@rfk (89e1ad1)

Refactor

tokens: prefer token.id to token.tokenId (80d3de1)

1.97.5 (2017-10-17)

Bug Fixes

devices: Always report a name and type in device registration response. (00e69f2)

1.97.2 (2017-10-05)

chore

logging: log email headers to diagnose #2133 (8d23ca9)

1.97.1 (2017-10-05)

Bug Fixes

email: Make blocking rule for complaints match that for hard bounces (#2152), r=@vbudhr (272a4cf)

Features

push: Drop collection_changed push notifications for first sync sent to iOS devices (# (b6d9490)

1.97.0 (2017-10-04)

Bug Fixes

deps: update deps (#2143), r=@vbudhram (b328873)
devices: return the whole device record in POST /device response (#2132); r=rfk (6fe2dac)
docs: update dependencies for api doc generation (#2131), r=@vbudhram (06071b5)
email: Show proper error and delete email if postfix fails to send (#2147), r=@vladikof (f4c54da), closes #2147
email: Update secondary email footers (#2136), r=@rfk (1d834a9)
sessions: update the access time on /sign checking (#2149) r=rfk (2543bf0)

Features

metrics: implement email_version amplitude property (925760a)

1.96.3 (2017-09-25)

Bug Fixes

metrics: fix the data on email sent events (4f6f367)
metrics: prefer standard amplitude properties (8a255c9)

1.96.2 (2017-09-22)

chore

logs: log error if headers are missing in email notifications (34bf492)

1.96.1 (2017-09-20)

Bug Fixes

push: return pushEndpointExpired as a boolean (#2127); r=rfk (eec0a43)

chore

package: update shrinkwrap (cd32fd8)

Features

email: Throw error when attempting to resend email code for email that doesn't belong t (4325eb0)
metrics: include fxa_services_used in amplitude user properties (938ef5c)

Refactor

server: extract unblock_codes routes to a separate module (#2126) r=vladikoff (189240f), closes #1445

1.96.0 (2017-09-19)

Bug Fixes

basket: reinstate utm params to the metrics context bundle (549b891)
metrics: include missing user_properties on amplitude events (0567350)
server: enforce 'use strict' everywhere (#2124), r=@vbudhram (df6cd60)
tests: silence obnoxious "possible memory leak detected" warning (dae0e58)

chore

deps: Update hapi to latest version (68e2c12)
docs: update docs for node 6 (#2120) r=rfk (0c0ef30)

Features

logs: add Sentry integration (#2116) r=vbudhram (ceab903), closes #2115
password: notify attached services when a user changes their password (#2117); r=rfk (e8cc49d)
server: lazily get all request.app properties (3518b0c)
server: lazily get devices array on the request object (#2107) r=vladikoff,vbudhram (f084830), closes #2106

Refactor

secondary-email: Remove "add secondary email" feature flag. (#2121), r=@vbudhram (359caeb)

1.95.3 (2017-09-13)

chore

deps: Update hapi to latest version (eed3203)

1.95.2 (2017-09-12)

Bug Fixes

email: Block sending if gated primary and unverified secondary. (#2098), r=@vbudhram (36ba048)
profile: progress logging for handleProfileUpdated (#2094) r=vladikoff,eoger (55e1a91)
server: make geo data lazily available on the request (2238b37)

Features

db: allow BMP chars in device name (#2053) r=rfk,jbuck (2e8e674)

Refactor

l10n: take l10n repo out of node_modules (#2079) (1f36c6d), closes #1678

1.95.1 (2017-09-12)

Bug Fixes

push: Only send device connection push msgs to iOS 10+ (#2108) r=vladikoff (6b1f73d)

1.95.0 (2017-09-06)

Bug Fixes

bounces: Handle mis-formatted bounce addrs as best we can. (#2090); r=jrgm (a2e3d1e)
metrics: add missing device_id and user_id amplitude properties (b36ea32)
metrics: remove the forgot_sent amplitude event (#2078) r=vladikoff (32f2caa)
profile: Handle incoming uids as strings, not buffers. (#2089) r=philbooth (a6d8bc0)
push: Allow device connection push messages for Firefox iOS >= 9.0 (#2088); r=vbudhram (d04778c)
push: send push notification after a device is deleted (87a410e)

chore

docs: Auto-generated docs update (a45cbc3)
package: update shrinkwrap (bd9b53a)

Features

logging: send amplitude events to the logs (5800418)
push: add a pushEndpointExpired flag for devices that need to re-register their push e (735f323)

Refactor

api: extract device schema to a common definition (f136268)
mailer: automatically pass through args to mailer methods (#2075) r=vladikoff,shane-toml (cc2da2a)

1.94.2 (2017-08-23)

Bug Fixes

deps: update shrinkwrap (4694cd1)
devices: saner mobile/tablet recognition for devices (#2051), r=@vbudhram (3e5859f)
l10n: fix l10n updates (2d3c4ab)
senders: update gettext dependency that can parse es6 syntax (#2057) r=vladikoff (12dd0fe)
strings: change "to" to "for" for verify secondary email (#2048), r=@vbudhram (742be75)
tests: update remote db tests for uaFormFactor column (c4d1e50)

chore

ci: remove node4 test target from travis-ci (#2054) r=vladikoff (e1de16d)
docs: update precommit doc script to use grunt-newer (fd62a8d)
eslint: fix eslint task config so newer works (#2055) r=vladikoff (12a14fc), closes #2055
git: remove prepush git hook (#2058) r=vladikoff (8e1de31)

Features

email: Notify services when user changes primary email (#2066) r=vladikoff,rfk (7bbdd44)
server: add parsed user agent info to the request object (#2061), r=@vbudhram (cc69b36)

Refactor

email: extract common flow id boilerplate (#2065) r=vladikoff (8d5f2b0)
sms: unleash es6 in senders/sms (#2064), r=@vbudhram (a37589c)

1.94.1 (2017-08-23)

Bug Fixes

deps: update shrinkwrap (4694cd1)

1.94.0 (2017-08-22)

Bug Fixes

devices: saner mobile/tablet recognition for devices (#2051), r=@vbudhram (3e5859f)
l10n: fix l10n updates (2d3c4ab)
senders: update gettext dependency that can parse es6 syntax (#2057) r=vladikoff (12dd0fe)
strings: change "to" to "for" for verify secondary email (#2048), r=@vbudhram (742be75)

chore

ci: remove node4 test target from travis-ci (#2054) r=vladikoff (e1de16d)
docs: update precommit doc script to use grunt-newer (fd62a8d)
eslint: fix eslint task config so newer works (#2055) r=vladikoff (12a14fc), closes #2055
git: remove prepush git hook (#2058) r=vladikoff (8e1de31)

Features

email: Notify services when user changes primary email (#2066) r=vladikoff,rfk (7bbdd44)
server: add parsed user agent info to the request object (#2061), r=@vbudhram (cc69b36)

Refactor

email: extract common flow id boilerplate (#2065) r=vladikoff (8d5f2b0)
sms: unleash es6 in senders/sms (#2064), r=@vbudhram (a37589c)

1.93.1 (2017-08-11)

Bug Fixes

devices: ditch OS in synthesized name if form factor is present (#2047) r=vladikoff (d96f299)

1.93.0 (2017-08-09)

Bug Fixes

db: expose config options for Poolee timeout and maxPending (#2027) (bfecf6d)
email: Fix issue where you couldn't delete account after changing email (#2036) r=vladi (5eca134), closes #2036
email: Notify all verified emails when a secondary email is removed (#2016) r=vladikoff (4c394cf), closes #1948
push: Send push notification to devices when email has changed (#2038), r=@philbooth (26f6104)
redisSessions: improve redis session lookup performance (#2026) r=vladikoff,rfk (10e8310), closes #2025
sms: make the sms copy friendlier (1d80d81)
tests: add coverage for failing redis requests (3cced62)

chore

docs: regular maintenance for the metrics doc (8e0af2e)
docs: update AUTHORS list (#2024) (4143efc)
logs: add log when stale emails hit recovery endpoint (#2020) r=vladikoff (b58e822)
tests: tidy up the remote db session token tests (3031098)

Features

devices: include form factor in synthesized device name (5a59afa)
session: add location to sessions query (#1993) r=vladikoff,philbooth (27ca0e4)

1.92.0 (2017-07-26)

Bug Fixes

config: set token updates to true by default (#1994) r=udaraweerasinghege (bdf7db6)
emails: check against original account email (#2011), r=@philbooth (76aedd2)
tokens: add is memory token property to sessions (#2004) r=vladikoff (1f57821)

chore

timestamps: add two timestamps to sessions and devices (#2009) r=vladikoff (516826b)

Features

emails: Add ability to change email (#1983), r=@philbooth (0541f13)
errors: include conflicting device id in errno 124 response (0217750)
metrics: emit route performance events (50c55f1)
signin: Skip signin confirmation for new accounts by default (#1992) r=vladikoff (9900c42), closes #1991
style: update to new device image (#2014) r=ryanfeeley (9568c70), closes #1914
tokens: delete account all reset tokens on password reset (#1979) r=vladikoff (310e199)
tokens: expire session tokens that have no device record (4941dd5)

Refactor

server: extract email-related routes to a separate module (#1989), r=@vbudhram (2903609)

1.91.2 (2017-07-18)

Bug Fixes

tests: update tests to match recent db changes (#1995), r=@vbudhram (c059518)

1.91.1 (2017-07-12)

Bug Fixes

nodejs: update to 6.11.1 for security fixes (b653e4c)

1.91.0 (2017-07-12)

Bug Fixes

hawk: key passed to hawk must be a Buffer (8d2a861)
nodejs: update to node:4.8.4-alpine (2945ef9)
push: Don't notify the originating device about pwd change. (#1931) r=mhammond,vladiko (baed71d)
server: return sane user agent from /account/sessions (2f10d1b)
tests: update db tests to match recent session token changes (#1986), r=@vbudhram (aecb7f1)

chore

docs: git add generated api docs in precommit hook (a1f3373)
package: update api docs on precommit (#1972) r=vladikoff (7d59790)

Features

account: receive marketingOptIn when verifying email codes (1d2a9f4)
account: send marketingOptIn to attached services on registration (ea93642), closes #1973
email: When primary email gated, send to secondary email if avalible (#1954), r=@seanmo (979968a)
node: upgrade to Nodejs 6!!! (c9be152)

Refactor

lib: use strings instead of buffers for as much as possible (0cfd39c)
routes: break out device-related routes to a separate module (ba5c927)
server: eliminate some unnecessary serial invocation (#1965), r=@vbudhram (91f8e43)

1.90.2 (2017-07-06)

1.90.1 (2017-07-05)

Bug Fixes

server: stop using raw user agent string for browser name (14f0bf9)

1.90.0 (2017-06-28)

Bug Fixes

ios: only notify ios devices for collection change events (#1960) r=vladikoff (111bfbb)
notifications: Make data fields consistent across all notifyAttachedServices calls. (#1879); r= (88a9fc8)
server: do not return flowId from consumeSigninCodes endpoint (6fd020d)
server: step in before node-uap parses Sync UA strings (3f78f6e)
test: Make db tests more independent and update auth-db dev version (ed4d9ad)

chore

docs: document the newsletter flow events (307f24c)

Features

metrics: emit a flow.continued event for signinCodes (13eeab2)

1.89.1 (2017-06-28)

Features

sms: Switch to AWS SNS for SMS (7ce5c05)

1.89.0 (2017-06-14)

Bug Fixes

CAD: Document CAD flow events. (aa789f8)
CAD: Fix connectMethod table formatting. (#1941), r=@philbooth (fa9ebc7), closes #1941
email: Escape device name in HTML emails. (#1944), r=@philbooth (bcad58c)
email: log a 'sent' email event for each CC address (#1936), r=@vbudhram (82b24e2)
server: remove duplicate URL-safe base 64 validator (50f6303)
sms: Use the real email sender when sending via MockNexmo (577db70)
test: Add tests for the sender and from fields in mock-nexmo. (068791a)
test: Fix the broken smsSend test. (ef2cc2a)
tests: add CC suport to mail_helper (#1937) r=vbudhram (8dfb5e3)
tests: Update loadtests to cope with sign-in confirmation (#1890) r=jrgm,vladikoff (be2d1ef)

chore

log: Remove datadog/statsd integration (#1921); r=vladikoff (3f7ed68)

Features

bounces: add tiers to bounce blocklist (09e18e5), closes #1893
emails: Add email metrics documentation (#1919) r=vladikoff,davismtl (ae0a4f8)
emails: Add endpoint to check if secondary emails are enabled (#1926), r=@philbooth, @rf (a459ff1)

1.88.1 (2017-06-01)

Bug Fixes

sms: ditch the balance checks due to rate-limiting woe (2394652)

1.88.0 (2017-05-31)

Bug Fixes

devices: handle new user agent string from Sync client lib (009428e)
docs: overhaul the metrics events documentation (2d5943c)
email: check case insensitive headers in EmailSent event (#1916), r=@philbooth, @vbudhr (23593c7)
notifications: Send disable notification to all devices (91ce14c)
push: add extra logs (5362c64)
push: correct params types in push.js (7ba4f67)
push: Validate push public keys at registration time. (8920a01)
tests: adjust public keys in tests (43b8fd8)

chore

ci: always get most recent node 4 on travis (4e9b8b4)
push: Add a link to nodejs ECDH issue in code comments. (0503479)

Features

docs: automatically generate API docs from the code (643ed85)
push: send push notification on account deletion (163e2f4)
server: add endpoint for consuming signinCodes (f10655d)
server: include signinCode in the installFirefox SMS (2610d2f)
sms: Show SMS links in the mail helper. (fd4b85a)

1.87.1 (2017-05-26)

Bug Fixes

push: add extra logs (5362c64)
push: Validate push public keys at registration time. (8920a01)

1.87.0 (2017-05-17)

Bug Fixes

config: Add email regex feature flag for secondary email (d62995e)
config: Update secondary email config to support softvision and restmail (#1894) r=vladi (b3edcef), closes #1891
devices: Add test for unicode device names. (#1758) r=vladikoff (46861c3)
emails: Can create secondary email if it is unverified in another account (#1892) r=vlad (34e3841)
emails: Fix issue where change password link was undefined (#1886) r=vladikoff (e62aab1), closes #1886
emails: Only send email notifications to verified secondary emails (#1888) r=rfk,philboo (3bc36eb), closes #1887
metrics: handle and log missing payload (#1875) r=vbudhram (36ec6f7), closes #1817
push: add support for dev and stage push servers (#1895) r=vbudhram (495acd6), closes #1799

chore

deps: update nexmo (#1899), r=@vbudhram (362aa6b)

Features

emails: enable secondary email for matching emails (#1896), r=@vbudhram (ff78b04)
mailer: disable X-Mailer header in emails (#1881) r=vladikoff,philbooth (4948a7e)

1.86.0 (2017-05-03)

Bug Fixes

circle: fix string comparison on docker push (#1870) r=vladikoff (9f660d4), closes #1870
circle: if branch master, tag is latest (#1869) r=vladikoff (6462d6c)
config: Add config for unverified account to exist before secondary email can be create (d0b5976)
config: Correctly resolve isSecondaryEmailEnabled and add more checks for config (#1872) (ae95582), closes #1872
mailer: escape json output (#1853) r=vladikoff (b06033e)
metrics: include template name in sms.sent event (2e9963c)
notifier: disable notifier in key_server.js (#1852) r=jrgm (bb35ed2)
tests: Add timeout for sms (#1866) r=vladikoff (93bb872)

chore

deps: update shrinkwrap and latest eslint (#1868) (10d5b56)
docker: Use official node image & update to Node.js v4.8.2 (#1840) r=vladikoff (3d80e82)
email: Remove unused emailSent (#1846) r=vladikoff,philbooth (a5ff7ca)

Features

deps: update shrinkwrap (5e80168)
devices: return OS from user agent os (#1848) r=philbooth (3fd0418), closes #1829
docker: add feature branches (#1865) (cb7e8c3)
emails: Add custom error for users logging in with secondary email (#1850), r=@vladikoff (f509bcb)
emails: Throw unique error if initiating password reset from secondary email (#1874) r=v (d1fae0d), closes mozilla/fxa-content-server#4996
emails: Use new verification link, pass type, pass email verified (#1864), r=@vladikoff (e7697e0)
session: add a 'state' property in /session/status (a74a1f7)

Refactor

server: extract memcached usage to a dedicated module (5698537)
server: remove separate notifier process (#1800) r=vbudhram (7414ee8)

1.85.1 (2017-04-18)

Bug Fixes

starup: handle promise rejected on bind failure (#1838) r=vladikoff,seanmonstar (7fd45e3)

1.85.0 (2017-04-18)

Bug Fixes

config: bring back signin confirmation in dev (#1830) (e9f8c23)
config: change default BOUNCES_SOFT_DURATION to '5 minutes' (#1813) r=vladikoff (9cb75ac)
config: Merge auth and mailer configs (#1798), r=@philbooth (64c96d6)
config: stop using envc; interferes with docker --env-file (#1833) r=vladikoff (82bd9b5)
mailer: bring back process ports for mailer_server.js (#1815) r=jrgm (4a4df8e), closes #1814
metrics: fix metrics context errors (fb5997e)
promise: log unhandled rejections instead of throwing (#1818) r=vladikoff (adc6d3e)
routes: Add a /lbheartbeat route. (#1807) r=vladikoff (89f5cac)
test: remove obsolete test check (#1824) r=vladikoff (c8dece9)
tests: add remote tests for POST /sms (9ac11ac)
tests: remove leftover ./test/.env.dev file (#1836) r=vladikoff (646fa64)

chore

config: remove verifier version (#1834) (e396ea6)
docs: add npm test LOG_LEVEL docs (7631997)

Features

db: update to latest db v1.85.0 (#1837) r=jrgm (f1a02f0)
emails: Add secondary emails api support Part 2 (#1768) r=vladikoff (7ecad75)

1.84.1 (2017-04-05)

Bug Fixes

locale: Fix merge conflicts (#1794) (5a7e4a7), closes #1794

1.83.4 (2017-04-05)

Bug Fixes

server: remove crippled isLocaleAcceptable functionality (#1793), r=@vbudhram, @rfk (748fcee)

1.84.4 (2017-04-13)

Bug Fixes

metrics: fix metrics context errors (7880d41)

1.84.3 (2017-04-13)

Bug Fixes

promise: log unhandled rejections instead of throwing (9f90711)
server: set useDomains to true (bf96223)

1.84.2 (2017-04-11)

Bug Fixes

config: update the default SMS install link (f82797c)
locale: Fix merge conflicts (#1794) (5406b56), closes #1794

Features

keys: Add key id and created-at timestamp to our public keys. (#1734); r=seanmonstar (59cdb4c)

1.84.1 (2017-04-05)

Bug Fixes

locale: Fix merge conflicts (#1794) (5406b56), closes #1794

Features

keys: Add key id and created-at timestamp to our public keys. (#1734); r=seanmonstar (59cdb4c)

1.84.0 (2017-04-04)

Bug Fixes

config: environment expose verification reminder config (3a71789)
config: Graduate security history and ip profiling (2b7e712)
logging: don't emit null or undefined uid on flow events (23c58b9)
push: reject extra push-payloads properties instead of removing them (c90719a)
script: fix broken write email template script (#1775) r=vladikoff (3697246), closes #1775
scripts: fix the broken sms scripts (#1773), r=@vbudhram (5c78f7f), closes #1773
server: recognise the new iOS client UA string (72687c2)
tests: add missing require statement (#1784), r=@vbudhram (79488e4)

chore

ci: kill the broken cross-repo tests (#1723) r=vladikoff (6b310a1)
config: Added environment variable support for verificationReminders.pollTime (c77df31)
docs: document the flow_experiments table (#1780), r=@vbudhram (ef2878e)
docs: update node version in docs (9c49c5f)
files: remove vagrant config (48f3ee9)
test: fix mail_helper to run if require.main is mail_helper (#1763) (a77c591), closes #1763 #1762
tests: move test/local/lib/* up to test/local/ (#1790) r=vladikoff (597371c)

Features

emails: Mailer accept multiple emails Part 1 (#1767), r=@philbooth (b06b0da)
metrics: emit a flow event for the sms region (b062d79)
profile: send push notifications after a profile update (2e83420)
sms: Mock out Nexmo for functional tests. (e8a932d)
sms: return country code from /sms/status (e9ed457)

Refactor

bounces: pull bounce logic into separate module (48d7625)
db: remove unnecessary dependency injection for DB (cbad916)
routes: remove unnecessary dependency injection in routes (a6b97a7)
token: remove ability to pass createdAt to Token.create (dac8f64)
tokens: reduce unnecessary dependency injection in Tokens (a393413)

test

mailer: simplify TestServer using in mailer remote tests (93da89b)
remote: refactor to run remote tests in a single process (8d5c1ed)

1.83.4 (2017-04-05)

Bug Fixes

server: remove crippled isLocaleAcceptable functionality (#1793), r=@vbudhram, @rfk (748fcee)

1.83.3 (2017-03-28)

Bug Fixes

sms: propagate countryCode through our fxa-geodb wrapper (176c63e)

1.83.1 (2017-03-21)

Features

email: Pass correct args to verify_email (#1754), r=@philbooth (1fc8617)

1.83.0 (2017-03-21)

Bug Fixes

config: sync up both auth and mailer configs (#58) r=jrgm (ac1e208)
config: Use a more generic server url pattern for push registrations. (3099acc)
docker: prevent duplicate installation of dev dependencies (#1730) r=vladikoff (ef8f1c1)
docs: fix broken links in metrics events docs (#1738) r=vladikoff (a843f74), closes #1738
errors: fix misleading error string for featureNotEnabled (1c8511a)
mailer: fix sender from field. uplift (ba6a8de)
mailer: fix sender from field. uplift (461c52f)
metrics: log locale instead of accept languages on flow events (2a5d3d0)
metrics: suppress route flow events if metrics context is invalid (c2dc6fc)
push: fix push payload validation and disallow additional props (#57) r=vladikoff (32750a2), closes #57
scripts: mend the broken write-emails-to-disk script (#1701) r=vladikoff,vbudhram (56a6538)
sessions: improve tests and fix incorrect buffer conversion (#1708) r=vbuhdram (bbdaa64), closes #1708
sms: ditch the silly ad-hoc config file for sender ids (4cd6f9e)
tests: fix bad assertion in mailer tests (fb916c2)
tests: invoke mocha recursively on test directories (1a907f7)
tokens: Don't override createdAt when deserializing an existing token. (#1744); r=philbo (3be60f3)
tokens: ensure account reset tokens get a fresh createdAt (efed703)
version: use cwd and env var to get version in dev (a456c76)

chore

config: change SMS region config from regex to array (#1743) r=vladikoff (33041e9)
docs: add circle badge (#1703) (5a1561b)
docs: update the metrics documentation (#1732), r=@vbudhram (917d7d8)

Features

db: make database fault tolerant of db server (#1716) r=vladikoff (5138ad7)
docker: add docker support with circle-ci (#1692) r=vladikoff,jbuck (4fbc25f)
logging: Use correct logging format (#60) r=vladikoff (1932afe)
mailer: check for hard bounced or complaints before sending emails (51f85ce)
metrics: Log metrics event for sending a tab between devices. (#1700); r=pb,vbudhram,sean (e2942c2)
sessions: add /sessions support (#1617) r=vbudhram (d79f63a)

Refactor

logging: Log email domain if popular otherwise log other (#1666), r=@rfk, @vladikoff (357d2f7)
logging: Log email domain if popular otherwise log other (#1666), r=@rfk, @vladikoff (# (37d6569)
routes: remove preVerifyToken support (#1690) r=rfk (e440d8f), closes #1599

1.82.7 (2017-03-17)

Features

logging: Use correct logging format (#60) r=vladikoff (1932afe)

1.82.6 (2017-03-17)

Refactor

logging: Log email domain if popular otherwise log other (#1666), r=@rfk, @vladikoff (# (37d6569)

1.82.5 (2017-03-16)

Bug Fixes

config: sync up both auth and mailer configs (#58) r=jrgm (ac1e208)

1.82.4 (2017-03-11)

Bug Fixes

mailer: fix sender from field. uplift (ba6a8de)

1.82.3 (2017-03-08)

Bug Fixes

push: fix push payload validation and disallow additional props (#57) r=vladikoff (32750a2), closes #57

1.82.2 (2017-03-08)

Features

metrics: Log metrics event for sending a tab between devices. (#1700); r=pb,vbudhram,sean (55bba26)

1.82.1 (2017-03-06)

Bug Fixes

push: add extra validation to pushCallback payload param (#1698) r=rfk (9fd2ca3)

1.82.0 (2017-03-06)

Bug Fixes

config: change reminder poll for many servers (#257), r=@vbudhram (a721920)
db: update to latest db (3a6101f)
dependencies: update bluebird, nodemailer, convict, moment-timezone (#251) r=vladikoff (02fbda3)
git: update husky to unbreak git hooks on ubuntu (#258) r=vladikoff (83e9458)
merge: update shrinkwrap and library refs (f32a867)
project: move mailer files into proper directories (#1676) r=vladikoff (d09759c)
push: don't wait on push methods to reply in account/devices/notify r=vladikoff (09e2e00), closes #1657

chore

ci: clean up travis ci files and docs (4e1bab6)
deps: update bluebird (#1688) r=vladikoff (838b602)
deps: update to latest db-mysql (31f8d6b)
docs: add coverage badge (6f49d99)
docs: remove extra AUTHORS file (404fdec)
docs: update docs, AUTHORS (c71e577)
docs: update mailer docs (87d97e2)
git: move repo into subdir (458cc46)
scripts: install mailer during install (8f647a4)
style: update eslint styles and .gitignore (df8070a)

Features

logs: disable statsd reporting in config (#1673), r=@vbudhram (0c52a7c)
mailer: add support for sending SMS messages (3bc1027)
server: implement GET /sms/status (34f4390)

Refactor

sms: swap out ad hoc error structures for lib/error (#1696) r=vladikoff (388fd50)

1.81.0 (2017-02-22)

Bug Fixes

dev: disable ip profile in dev (#1643) r=vbudhram (d9b6bd9)
docs: Document that devices should reigster before attempting to sync. (#1667); r=phil (496be0e)
docs: document the /sms endpoint (7226ce0)
logging: log errors when we encounter unexpected createdAt values (a3d4f56)
push: notify a device connected only when account verified (901525b), closes #1651
server: disallow any query or payload params without validation (#1668) r=vladikoff (0acab56)
sms: make the fallback error case work sanely (3eff2d3)
tests: add missing tests for log.begin and log.summary calls (e1265ff)

chore

docs: Add some more details on metrics db column contents. (06913c6)

Features

api: add an endpoint for sending SMS messages (d35d442)
email: record email bounces in database (b4279c1)
logging: add optional uid and locale to flow event data (038d457)
server: auto-unbuffer binary data when crossing API boundaries (35115f9)

Refactor

server: unify the unbuffering functions to one place (a649b78)
unblock: Graduate sign-in unblock (5f07f22)

style

lib: update let to const when possible (29c9f39)

1.80.0 (2017-02-07)

Bug Fixes

docs: document recent flow event changes (#1630), r=@vbudhram (e5eaccf)
email: turn on SES Event Publishing metrics (9105f87)
logging: Log bounced complaint (0fa378e)
logging: Log templates that don't have flow event data (#1618), r=@philbooth (e6a1b87)
push: Try to always send a deviceName in the 'device connected' push message. (#1633); (2b4777a)
shrinkwrap: update shrinkwrap to latest version (1a709fa)
style: adjust config code style issue (bb5f5d0)

chore

mailer: update fxa-auth-mailer (and other shrinkwrap) (#1620) (04aa467)
travis: add node6 test target (#1632) r=vladikoff (05f9dd6)

Features

ci: add config for cross-repo testing (81428f3)
docs: document the fix for duplicate flow events (#1634) r=vladikoff (da5edc5), closes #1634
email: Add flow events for email delivery notifications (#1626), r=@philbooth (2e84e07)
ip-profiling: make IP Profiling allowed recency use config (#1615), r=@vbudhram (ca4419a), closes #1614
logs: log endpoint errors for better debugging (#1627) r=vbudhram,philbooth (3719437)

Refactor

email: Don't flag logins with incorrect email case (#1623). r=@rfk (88cd267)
tests: Reorganize local tests (#1629) r=vladikoff,philbooth (38d4957)

1.79.0 (2017-01-30)

Bug Fixes

email: turn on SES Event Publishing metrics (9105f87)
logging: Log bounced complaint (0fa378e)
logging: Log templates that don't have flow event data (#1618), r=@philbooth (e6a1b87)

chore

mailer: update fxa-auth-mailer (and other shrinkwrap) (#1620) (04aa467)

Features

ci: add config for cross-repo testing (81428f3)
email: Add flow events for email delivery notifications (#1626), r=@philbooth (2e84e07)
ip-profiling: make IP Profiling allowed recency use config (#1615), r=@vbudhram (ca4419a), closes #1614
logs: log endpoint errors for better debugging (#1627) r=vbudhram,philbooth (3719437)

Refactor

email: Don't flag logins with incorrect email case (#1623). r=@rfk (88cd267)
tests: Reorganize local tests (#1629) r=vladikoff,philbooth (38d4957)

1.78.2 (2017-01-18)

1.78.1 (2017-01-12)

Bug Fixes

tokens: Do not override the createdAt field on existing tokens. (af0eb33)

1.78.0 (2017-01-11)

Bug Fixes

logging: handle /v1 path prefix in route summary flow events (686306e)

Refactor

logging: remove request argument from log methods (a8f8c4a)

1.77.0 (2017-01-04)

Bug Fixes

customs: Mark suspicious requests, even if they were rate-limited. (02e8f19)
docs: add unblock code API docs (3655cfd), closes #1577
emails: remove /v1/ api prefix (#1605); r=rfk (5e99cf3), closes #1605 #1059
unblock: Use normalized email address for feature-flag calculation. (83ef76a)

Refactor

server: eliminate duplicate calls to user-agent parser (4ac625c)
signin: Add support for sending flow metrics in email (#1593); r=pb,vladikoff (6955261)
signin: Extract unblock-code-checking into a separate helper function. (0c4beb7)
signin: Use new verify account sync template and add location data to others (#1600), r= (6fc0c50)

1.76.1 (2016-12-21)

Bug Fixes

logging: silence spurious "missing token" error noise (f8f8a21)
pool: Reject with an Error instance for HTTP errors. (60c15c8)

Refactor

signin: Skip sign-in confirmation depending on account age (#1591), r=@seanmonstar, @rfk (1d1fa41)

1.76.0 (2016-12-14)

Bug Fixes

server: remove redundant metrics context fields (f027f0b)
server: tolerate missing payload in AppError.translate (a19ff6d)
signup: Return canonical email address in 'account exists' error. (#1589), r=@vbudhram (ddd4fdb)

1.75.2 (2016-12-05)

Bug Fixes

docs: add links to prs under "significant changes" (#1582) r=vladikoff (1d49428)
server: make account.reset a flow event (ed9ec79)
unblock: Remove 'context' check from unblock feature-flag. (764c96a)

chore

login: Remove the legacy contentToken parameter from login (505b627)

1.75.1 (2016-12-02)

1.75.0 (2016-11-30)

Bug Fixes

bypass: Don't bypass sign-in confirmation for forced emails (#1554), r=@seanmonstar (1fa95a9)
customs: Sanitize 'oldAuthPW' field when sending to customs (76aad23)
devices: add special-case recognition of Firefox-iOS (#1558) r=vladikoff (1d1d16b)
docs: document recent fix that affects flow events (#1560), r=@vbudhram (70ff376), closes #1560
docs: document recent flow event changes (7c97bb8)
error: Include more specific error messages in invalidToken(). (b38bace)
logging: remove raw token data from error log (#1572) r=vladikoff (f9112d1)
server: propagate metrics context in /account/reset (30ec03d)
tests: Test fixes for upcoming change to db-mysql behaviour (#1552); r=vladikoff (8cd0a8e), closes #1552

chore

debug: Expose debug port for spawned process (#1550) r=vladikoff (767d53d)
shrinkwrap: add npm script for shrinkwrap (#1568) r=vladikoff (3be3e63), closes #1564
tests: Make remote db tests independent (d3635e3)
travis: remove the old tmp workaround (5032982)

Features

metrics: log flowEvents of all requests (7153da7)
signin: Remove feature flag from sign-in confirmation. (#1530); r=vbudhram (5f0f3ba)

1.74.1 (2016-11-16)

Bug Fixes

unblock: rethrow customs server error when account is unknown (b5bda6b)

1.74.0 (2016-11-15)

Bug Fixes

docs: document the recent flow event changes (0a31229)
logging: drop invalid metrics context data (97ad615)

chore

cleanup: Remove signer-stub.js (#1541), r=@seanmonstar (edcc433)

Features

metrics: Emit an account.changedPassword activity event. (37c408d)
profiling: IP Profiling (#1525), r=@seanmonstar (21723e8)
unblock: log when an unverfied user successfully unblocked (b9a7111)

test

all: switch tap runner for mocha (6c815d0)

1.73.1 (2016-11-07)

Bug Fixes

reminders: fix disabled state (#1536) r=vbudhram (d01e115), closes #1536 #1408

1.73.0 (2016-11-02)

Bug Fixes

lib: make all calls to crypto.randomBytes async (9f59235), closes #1474
push: do not throw if push fails on the notify endpoint (90b37d5), closes #1510
unblock: Fix db.createUnblockCode - code generation is async. (2d1a6a2), closes #1531

Features

docs: document the event data available in redshift/redash (9611019)
logging: emit a flow.complete event (44e044b)
metrics: add account.login.blocked flow event (15cd8d8)
metrics: add account.login.invalidUnblockCode flow event (2e3ea80)
metrics: add flow events for email sent and clicked" (d903b6c), closes #1511
metrics: Add password reset flow metrics (#1520), r=@philbooth (145d537)
metrics: set metricsContext expiry to 2 hours (2f03ce5), closes #1513
unblock: change unblock codes to base32 (#1529) r=vladikoff (f82db02), closes #1497

style

error: order ERRNO constant numerically (2f6b203), closes #1518

test

lint: add lint for synchronous randomBytes usage (f4d02a1)

1.72.0 (2016-10-19)

Bug Fixes

deps: Update shrinkwrap for the new auth-mailer (05da657)
logging: device.created is not a flow event (82e579c)
logging: emit flow events for sign-in unblock, not activity events (#1508); r=seanmonstar (9a4e89c)
node6: update to scrypt-hash@1.1.14 for node6 compat (#1494) r=vladikoff (aee737c)
push: Add metrics events for reason=accountConfirm (d2dc5c0)
scripts: nicely stringify regexps when logging config (479b034)

Features

hpkp: Add hpkp support (#1499), r=@philbooth (9b77446)
push: Add VAPID identification to push messages. (#1468); r=philbooth (6e6b28c)
unblock: add Signin Unblock feature (c3a66c2), closes #1398

Refactor

email: Fix lint (383198a)
email: Remove sendEmailIfUnverified (d742d67)
logging: decorate request object with metricsContext methods (16cf030)
logging: eliminate the event argument from stash and gather (4dd3f7e)
logging: move activity/flow event decision out of log object (957a883)

1.71.2 (2016-10-11)

Bug Fixes

push: Add metrics events for reason=accountConfirm; r=seanmonstar (45dfa20)

1.71.1 (2016-10-05)

Bug Fixes

tests: es-ES is now 100% supported (#1493) (23234c6)

1.71.0 (2016-10-05)

Bug Fixes

config: increase flowId expiration to 2 hours (#1487); r=jrgm,rfk (798ef83)
config: return parsed RegExp instances from config (020235f)
deps: downgrade to hapi 14 (#1485) r=seanmonstar (fe803da)
logging: device.created is not a flow event (#1483), r=@vbudhram (7337af0)
push: notify devices after successful sign-in confirmation (190442f)
server: add unit tests for the request helpers (9a4954d)
server: hide session token lastAccessTime updates behind a flag (51d7cdd)

chore

deps: update l10n, shrinkwrap (16d3d99)
git: ignore npm-debug.log (3529d47)
mocks: Extract mockCustoms into shared helper. (39bd65a)

Features

customs: Rate-limit verification of email codes. (2580333)
geo: add state code to location response (#1478) r=vbudhram (eabfcc6)
logging: Log email template header if available (#1466), r=@jbuck (cccd899)
reset: Accept metricsContext bundle on password-reset endpoints. (05a3b4e)

1.70.1 (2016-10-03)

Bug Fixes

deps: downgrade to hapi 14 (7c6d5f7)

1.70.0 (2016-09-24)

Bug Fixes

deps: update dev deps and latest eslint (a929f9c)
email: Refactor to send sendEmailIfUnverified via query params, add emailSent to re (19753fc)
emails: Fix bug when signin with unverified session and not using signin confirmation (ad9272c)
emails: Fixed comment (aaccab2)
emails: Fixed regression where verification email was being sent to already verified ema (41f4632)
emails: PR Fixes (9d30cc0)
emails: Remove extra customs.flag mock (7929de7)
logging: ignore account.signed flow events from the content server (f3f2468)
process: remove process.domain in token.js (#1456) r=rfk (9fb1f71), closes #740
push: Fix and re-enable the end-to-end push tests. (#1467) r=vladikoff (f5f3abf), closes [(#1467](https://github.com/(/issues/1467)
security: Fix the security event calls to the DB. (f780e59), closes #1464
security: Use correct param names in call to db-server (abb23af)
tests: make stub implementation of gather match reality (94c377f)

chore

deps: update to latest version of hapi (#1330) r=rfk,seanmonstar,vbudhram (b3adbcf)
nsp: remove exceptions (#1455) r=seanmonstar (55e93b6)

Features

customs: return localized retry after data (#1453) r=vbudhram (5603ad3)
devices: add tablet detection (e09406a)
security: record event names and ip addresses for important events (05485b4)

1.69.0 (2016-09-09)

Bug Fixes

config: Remove unused URL opions from mailer config. (8de1230)
deps: use poolee@1.0.1 (#1436) (ba11125)
emails: On login, delegate email sending to auth-server (#1435), r=@rfk (e072e35)
geodb: 8.8.8.8 in latest data not in Mountain View; point to moz MTV (db23e8e)

chore

deps: update shrinkwrap (aa14433)

feature

newrelic: add optional newrelic integration (c811ebe)

1.68.0 (2016-08-24)

Bug Fixes

docs: document the new flow events (7ffa73c)
geodb: if you write a module that takes a hash argument, call it with a hash argument (3feefa6)
geodb: load at startup and log configuration used (#1414) r=vladikoff (4085c78)
geodb: update to fxa-geodb 0.0.7 (#1418) (b8b6e2b)
logging: not all activity events are flow events (#1416) r=vladikoff (1a6c3af)
logs: account.verified & account.confirmed are mutually exclusive (d59edd3)
logs: look in response.source for uid (2224f87)
password: Remove raw token support (882317d), closes #1351
reminders: fix issue with reminder rate (#1410) (c4c087e), closes [(#1410](https://github.com/(/issues/1410) #1408
server: reinstate default user agent fallback (#1422) r=vladikoff (470fd52)

chore

deps: update dev deps, fix husky issues (#1430), r=@vbudhram (a610337), closes [(#1430](https://github.com/(/issues/1430) #1429

Features

l10n: localize device list (#1420) r=vbudhram (7a91f31), closes #1404
metrics: add flowEvent support to all activityEvents and customs (#1409) r=philbooth (8d36f00), closes #1403

Refactor

l10n: use fxa-shared locale list (#1411) (b70caed)

1.67.0 (2016-08-11)

Bug Fixes

config: Added new url configs for mailer (#1397) r=vladikoff (d44cb56)
deps: update shrinkwrap, add missing deps (#1407) r=vbudhram (5062a66)
device: remember devices to push-notify before resetting account on password change/rese (69c1eef), closes #1391
devices: serialize push payload in /devices/notify route (b91a982), closes #1386
e2e-email: fix e2e-email test (4e1d200)
login: fix handling of sign-in confirmation for keyless logins (3f03557)
password: Remove raw token support (bb5f28b), closes #1351
server: assign fresh createdAt timestamp to passwordForgotTokens (21c5df7)
server: ensure tokens get a fresh createdAt timestamp (#1389) r=vladikoff (6acb9e0)
server: reinstate placeholder devices for sync sessions (e12cd08)
server: remove unused createAccountResetToken method (2c95903)
ses: add status and diagnosticCode for bounce (#1401) r=seanmonstar,vbudhram (61941e8), closes #834
tests: remove duplicate assignment (7659b58)

chore

deps: update shrinkwrap (10f857a)

Features

geolocation: add geolocation data to emails (#1334) (8132d55)
logging: emit an account.confirmed activity event (4107e58)
push: Send proper push messages for password change/reset (#1381) r=vladikoff,rfk (8cd9403), closes #1380
server: Rate limit account/devices/notify with the new UIDRecord (#1394) r=vladikoff (09aee43), closes #1372

1.66.1 (2016-07-29)

Bug Fixes

signin: No signin confirmation for email regexp match if keys not requested (61d1de4), closes #1374

chore

signin: Add commentary about temporary workarounds in sign-in confirmation config. (e62b1c0)

1.66.0 (2016-07-27)

Bug Fixes

deps: update fxa-content-server-l10n dependency (ab3b232)
deps: update most dev dependencies (dc4c5ff)
deps: update request to latest version (#1370) r=vbudhram (0e3c463)
deps: update tap and db mysql dependencies (#1356) r=vladikoff (93723eb), closes #1353
server: Fixes based on @vladikoff and @rfk feedback. (29d7fde)
server: remove metricsContext from payloads where it is never sent (0649a30)
server: remove placeholder device records for sync sessions (c4c6733)
server: Return undefined from Customs.prototype.flag if everyting is OK (e265694)
tests: disable e2e tests until push server fixed (#1369) r=vbudhram (bf72778), closes [(#1369](https://github.com/(/issues/1369)
tests: fix test runner to exit with proper exit code (b978b6e)
tests: switch coverage tool, adjust log_tests (#1348) r=vbudhram (8451a56), closes #1340

chore

deps: update tap testing to latest version (#1339) r=vladikoff (6648da0)
server: Add some comments about why a some strange patterns are used. (2fba045)

Features

account: devices push notify endpoint (699caa1), closes #1357
server: Remove the account lockout feature. (df3b0de), closes #1359
signin: Always do sign-in confirmation on suspicious requests. (cb8f33b)

Refactor

customs: Add function to scrub payload before performing customs check (f44872d)
push: provide pushToDevice, pushToDevices and pushToAllDevices methods (89083cd)

1.65.3 (2016-07-21)

Bug Fixes

l10n: bump content-server-l10n to current HEAD (e097090)

1.65.2 (2016-07-19)

Bug Fixes

server: remove placeholder device records for sync sessions (1af5624)

1.65.0 (2016-07-14)

Bug Fixes

config: adjust local dev config to support signin confirmation (#1313) r=vbudhram,shane- (282271b)
customs: Report errno to customs when password check fails. (bdd5d0c)
deps: update npm-shrinkwrap.json w/ newest auth-mailer & fxa-content-server-l10n (#129 (56b6ad1)
docs: correct the acitvity event data documentation (#1322) r=vladikoff (9b8747b)
log: Add comments and clarify naming for logging methods. (35c7f68)
server: fix bad sessionTokenId arg in call to updateDevice (#1324) r=vladikoff (4777a8a), closes [(#1324](https://github.com/(/issues/1324)
server: remove default user agent fallback pending legal ok (8b8f00d)
signin: Let /password/change/finish accept session tokens by id. (b589b79)
verify: Don't sent post-verify email when service is blank. (06bf05a)

chore

docs: add more docs to activity events. (#1304) r=philbooth (31177ad), closes #1202
nsp: Add NSP exception for https://nodesecurity.io/advisories/121 (9465a99)
scripts: Add stricter error handling to bash scripts (7d595c2)
tests: allow passing a glob to npm test (37f0fe4)

docs

config: clarify sample rate for sign in confirmation (#1315) r=vladikoff (bc9d79d)

Features

customs: Send more request metadata to customs-server for checking. (70944d3)
docs: document the new activity events (62b1255)
logging: emit account.deleted activity event (01828ab)
metrics: Drop invalid flowids so they dont confuse our metrics. (8827b91)
server: emit new activity events for kpi dashboards (ace64e7)
server: synthesize device records for sync sessions (b536fd7)
signin: Add support for keyFetchToken verification (#1320), r=@rfk (10ee322)

Refactor

openid: remove openid login support (8cb651e), closes #1336

1.64.0 (2016-06-23)

Bug Fixes

account: fix payload typo in device update (673dd5d)
config: improve sign-in confirmation email regex (33301c5)
logs: Log the uid when reporting push errors. (db9e5f4)
mail: Remove the "resend blackout period". (27082be)
metrics: Monitor for clients sending obsolete contentToken parameter. (1d58b3e)
push: Avoid blocking event loop when pushing to lots of devices. (1be85c3)
tests: add verify_code tests (e4eb4d8)

Features

config: accept CORS requests from multiple origins (f792d35)
email: add verification reminders (5007b4d), closes #1081
login: Log an error on login if account has too many active sessions. (ca9524b)
metrics: add metrics for reminder queries (aca4185)
push: Log an error if pushing notifications to too many active devices. (5b81e10)
signin: Add regex for enabling signin confirmation (#1290) r=pbooth (fa02ee8)

Refactor

tests: eliminate duplicate setup in local route tests (e8cd5df)

chore

changelog: Generate changelog for v1.63.0 release (0ca8367)
deps: Update to latest version of mozlog (aa3b4e7), closes #1279
nsp: update .nsprc and travis.yml (9d047b5), closes #1295
shrinkwrap: update fxa-auth-mailer (1ced8c9)

1.63.0 (2016-06-06)

Bug Fixes

api: remove device registration from signup/login endpoints (21ad7f3)
e2e-email: fix e2e-email for all locales (0250e50)
mail: Remove the "resend blackout period". (27082be)
push: add verification push event to push log (e5d609a)
verify: Only send post-verify email when service=sync (e0cacf8)

chore

deps: Update to latest version of fxa-auth-mailer (bc1ae49)
git: Run a quick linting task on pre-push (0c8767a)

Features

device: emit create and delete events to SNS (c90e44e), closes #1186
devices: notify a device when it has been disconnected (fcb9e80), closes #1139
devices: notify other devices of a new device (6ed2697), closes #1250
events: Include metrics context in SQS events (d5dc75b)
metrics: Log metrics about whether metrics are transmitted correctly. (c4119f1)
signin: Updated password/change/finish and account/reset (333451e)

1.62.5 (2016-05-27)

Bug Fixes

l10n: update to fix broken lt locale (512576d)

1.62.4 (2016-05-24)

1.62.3 (2016-05-24)

chore

shrinkwrap: update auth-mailer/content-server-l10n on v1.62.2 (3e1027a)

1.62.2 (2016-05-20)

Bug Fixes

token: Use new REQUEST_BLOCKED error for bad content tokens. (c0696be)

1.62.1 (2016-05-20)

Bug Fixes

deps: Update to auth-db-mysql train-62 (685054d)

1.62.0 (2016-05-19)

Bug Fixes

clientAddress: Cope better with X-Forwarded-For having fewer items than expected. (fd85359)
push: adjust metrics increment logs (8120c76), closes #1253

Features

errors: Add API and docs for new "request blocked" errno 125. (d7edef8)
locale: add Arabic locale support (a13e32a)
locale: add Finnish locale (8646591)
push: document the format of the push payloads (9fa65ce)
push: Prepare codebase for data payloads (b60c464)

Refactor

reset: Adds sessionToken as an optional param for /account/reset (#1265) (8b796b3)

1.61.0 (2016-05-04)

Bug Fixes

device: Restrict device name to display-safe unicode characters (79acb18)
devices: Avoid spurious writes to device record if nothing has changed (4330f2d)
push: Disallow storing of public-key values until we're ready to use them. (12265c3)
tests: Fix typo in test name (dbc0de0)

Features

devices: Add metrics on device updates, and a flag to disable them (af748be)
log: includes uid in summary for account create and login (1232f95), closes #1225
mailer: Add "re-confirm your email" templates. (f7508cb)
push: Add event logging for password changes and resets. (0db73f5)
push: Notify devices when the password is changed or reset. (77e53bf)

chore

nsp: Update convict, add .nsprc file to silence some NSP warnings (038f46e)

1.60.4 (2016-04-29)

Bug Fixes

devices: Avoid spurious writes to device record if nothing has changed (5017913)
token: Tweak regex for samsung user-agents in content-token allow list (13e13b2)

1.60.3 (2016-04-20)

Bug Fixes

token: Add end-of-string anchor in contenttoken email regex. (c1aae28)

1.60.2 (2016-04-19)

Bug Fixes

token: Add samsung user-agents to content-token allow list (96f2190)

1.60.1 (2016-04-19)

Bug Fixes

account: flag unknown attempts for the emailRecord (b4fa3f6)
bulk-mailer: Remove the locale prefix on filenames w/ --write (3c9d584)
bulk-mailer: Set error rate to 0, we are done testing. (06b4c91)
clientAddress: allow location of the client ip address in forward headers to be specified in co (3440484)
contentToken: don't let hapi give validation errors about contentToken (5725061)
contentToken: fix docs (dd68374)
contentToken: update metrics, remove ip (89dd85b)
customs: Check more password-related actions with customs-server. (cf76513)
customs: fix type for form.email (398c98e)
customs: provide email properly to customs (b28fb17)
email: Add feature-flag for new-login notification email. (1868914)
email: Point to private fork of auth-mailer for prod deploy. (26f7b3a)
email: reinstate new sync device emails (9f7ff9f)
email: send additional template data for new-login email. (e35eba8)
errors: move bad content error up (e67990c)
must-reset: exit code 1 on reset account error (3774ea8)
tests: Build and test fixes for latest fxa-auth-mailer update. (e3eb504)
token: Allow certain emails to bypass the content-token restriction (#27) (2a162e6), closes #27
token: Allow the UA for a specific partner device. (6401431)
token: Fix test bustage from missing contentToken config (6924d5c)
token: More diagnostic logging for content-token errors. (#25) (33f6307), closes #25
token: Validate and log metrics on content-tokens even when they're optional (002219b)

chore

bulk-mailer: Settle on the "password_reset_required" template (90de303)
bulk-mailer: Stop all processing on error. (ae83d72)
customs: use named error constant for UNEXPECTED_ERROR (ead6134)
doc: add usage info to scripts/must-reset.js (8d02f8b)
docs: Add more docs to the reset-send-batch script. (975132e)
shrinkwrap: pick up new versions auth-mailer and content-l10n (3fb3186)

Features

bulk-mailer: --errors and --unsent now have defaults. (61c092d)
bulk-mailer: Add some utilities to work with batches (21a9033)
contentToken: add customs flag on bad token (e811ced)
contentToken: add tests, add new error code (8372a62)
contentToken: adjust user agents (70bc661)
customs: include errno in customs flags (d50f959)
login: add content token support (a2ac3ad)
reset: Added "must reset account" error state (e86d16f)
scripts: Add a bulk mailer (09c2671)

1.60.0 (2016-04-19)

Bug Fixes

bulk-mailer: Remove the locale prefix on filenames w/ --write (1c0959d)
bulk-mailer: Set error rate to 0, we are done testing. (897de10)
clientAddress: allow location of the client ip address in forward headers to be specified in co (517fbff)
customs: Check more password-related actions with customs-server. (8ceedb6)
deps: fix node-uap commit sha (e2aa184)
email: Add feature-flag for new-login notification email. (3d4d5f9)
email: Point to latest auth-mailer (17123ee)
email: reinstate new sync device emails (93a78de)
email: send additional template data for new-login email. (177e192)
must-reset: exit code 1 on reset account error (c100a48)
tests: Build and test fixes for latest fxa-auth-mailer update. (493f917)

Features

bulk-mailer: --errors and --unsent now have defaults. (eec2e72)
customs: include errno in customs flags and merge fixes (3dcdaf8)
reset: Ability to put a users account in a "must reset" state, per dannycoates (PATCH) (d7638a6)
scripts: Add a bulk mailer (296f152)

chore

bulk-mailer: Settle on the "password_reset_required" template (f02e292)
bulk-mailer: Stop all processing on error. (de8e355)
convict: use convict .getProperties(), not deprecated .root() (4fa61c0)
customs: use named error constant for UNEXPECTED_ERROR (d417644)
docs: Add more docs to the reset-send-batch script. (107062a)

1.59.0 (2016-03-28)

Bug Fixes

email: Clean up accounts with invalid emails on status poll. (5233391)

Features

logging: add metrics context metadata to activity events (09d3851)
metrics: track push email status checks (eb3920e), closes #1220

Reverts

metrics: disable logging hask skew to datadog (7a1bc82), closes #1215

chore

changelog: Remove duplicate changelog entries (18b8899)
shrinkwrap: bump to auth-mailer#f4098f9 and content-l10n#b61acfa and no other changes (72b5d55)
shrinkwrap: bump to fxa-auth-db-mysql#v0.59.0 (bf01283)

1.58.1 (2016-03-17)

chore

deps: fix shrinkwrap for latest auth-db-mysql version (2880e67)

1.58.0 (2016-03-17)

Bug Fixes

api: permit null lastAccessTime in devices response (474032d)
api: reject emails without a dot in the domain (434e460)
tests: sanely handle unicode email addresses in account tests (71e4126)

chore

api: Add signin config value (0beade7)

1.57.1 (2016-03-04)

Bug Fixes

email: Restrict unicode chars allowed in email addresses. (81a42de)

1.57.0 (2016-03-01)

Bug Fixes

api: permit lastAccessTime 0 in devices response (4059323)
bounces: Cope with quoted email addresses in bounce notifications. (9b976e7)
config: adjust localized post-verification links (c7c73c9)
deps: Migrate to more up-to-date user-agent parsing lib. (8106c8b)
e2e-email: fix expected link s@/en-US/firefox/sync/@/firefox/sync/@ (5396868)
logging: Remove PII from logged error object details. (9e4bcde)
push: add TTL to push requests (ed98cc6), closes #1187

Features

api: Add get account status by email endpoint (5d7ca53)
devices: added fxa-deviceId to the signed certificate (a866e8f)
logging: Log hawk timestamp skew to statsd for easier analysis. (0c153fb)

Refactor

bounces: Make bounce-handling code testable, add some tests. (a1da228)
errors: Define named constants for errno values. (8680d22)
tests: Use a shared helper function for mocking out logging. (52dc521)

chore

dependencies: upgrade mozlog to 2.0.3 (afa5926)
shrinkwrap: update fxa-content-server-l10n to 4bf305a1 (efeef25)
test: no need to test with node v0.12 (3ae34da)

1.56.0 (2016-02-11)

Bug Fixes

config: Pass 'options.extra.email' to hapi-fxa-oauth, not 'options.email'. (68572fa)
e2e-email: adjust expected query arguments for auth-mailer#118 (b8b345c)
hawk: Update to latest hapi-auth-hawk (078ddc0)
tests: Update tests for new fxa-auth-mailer behaviour (0f25ddd)

Features

config: Add 'oauth.keepAlive' config option. (f8abfe2)
push: respond to 400 level errors from the push server by clearing device push info (b37dc91), closes #1151

chore

e2e-email: bg is now translated for 'Firefox Account Verified' (e5baead)
shrinkwrap: update shrinkwrap to pick up fxa-auth-mailer#01f8ee75 (64ca8c0)

1.55.1 (2016-01-31)

Bug Fixes

sessiontokens: effectively disable sessionToken updates (8c9597d)

1.55.0 (2016-01-28)

Bug Fixes

tokens: extend token freshness threshold to 6 hours (cffc099)

Features

docker: Add Dockerfile for self-hosting (c96cec1)
metrics: Added additional user info on statsd messages (fff4624)
push: add account verification push updates (b4d5822), closes #1141

chore

deps: update changelog template to 1.1.0 (4f9af41), closes #1152
docs: add activity events log (6c6c307), closes #312
e2e-email: ko is now translated for some email strings (4aaf43f)
shrinkwrap: update shrinkwrap, notably for auth-mailer and content-server-l10n (789cb8d)

docs

contributing: Mention git commit guidelines (d7bf16f)

1.53.0 (2016-01-12)

Bug Fixes

events: emit an event for account reset so sync can update the generation (7a8a0ad
e2e-email: update localQuirks for new translations (cy) (fb08283)
log: add mozlog fmt properly (35d8291), closes #1138

Features

activity: log successful account resets (f244af6), closes #1144

1.51.1 (2015-12-15)

Bug Fixes

e2e-email: update localQuirks for new translations (f9f31d6)

1.51.0 (2015-12-14)

Bug Fixes

server: add missing lastAccessTime field to devices response (e28a4fa)
server: require device name to be set explicitly (417f494)
travis: install/use g++-4.8 for node 4.x build of scrypt-hash (f129b7b)

1.50.1 (2015-11-23)

Bug Fixes

auth-db-mysql: update to latest fxa-auth-db-mysql @ 939f04e (34f2ffb)
server: permit null values in devices response (3407f4e)
server: return isCurrentDevice from /account/devices (c75a8a3)
tests: ignore error on listen (when auth-db-mysql is already bound) (0bab602)
tests: repair travis-ci mysql testing to ensure auth-db-mysql is used (6eb3639)
tests: unskip tests now that they are translated (GH-995) (ebb60b6)
travis-ci: check that auth-db-mysql reports "MySql" as constructor class name (cd0e28e)

Features

metrics: send email-bounce-related metrics to statsd. (203c054)

1.50.0 (2015-11-18)

Bug Fixes

docs: fix docs typo (d238fa4)
locale: reenable pt-PT locale (e6617f9)
mail: update email support url (f051b21)
oauth: look for the correct 'scope' param in oauth response, not 'scopes' (7fc5030)
server: eliminate device validation discrepancies (6722204)
server: refactor account promise chains to named functions (05e50aa)

Features

oauth: pass email=false when verifying oauth tokens (f1306c9), closes #1109
server: implement device registration api (d7e976b)

1.49.0 (2015-11-04)

Bug Fixes

e2e-email: update for sr localization of subject (40068d6)
tests: Eliminate race condition in teardown of concurrent_tests (bc85618)
tests: wait for email delivery in concurrent_tests (fe279ff)

Features

profile: Add oauth-authenticated /account/profile endpoint. (9ebec1a)

1.48.3 (2015-10-29)

Bug Fixes

e2e-email: exit 1 on error (5420049)
startup: if error on startup, log and exit (2c4df03)

1.48.2 (2015-10-23)

1.48.1 (2015-10-21)

Bug Fixes

deps: shrinkwrap excludes fxa-jwtool->pem-jwk dep if pem-jwk is a devDep (ffe145e)
deps: shrinkwrap excludes fxa-jwtool->pem-jwk dep if pem-jwk is a devDep (08f0dca)

1.48.0 (2015-10-21)

Bug Fixes

email: stop sending new sync device emails (b7dcef4)

Features

server: optionally enforce a strict CORS origin (664d73e)

1.47.1 (2015-10-13)

1.47.0 (2015-10-08)

Features

i18n: Enable Romainian ro support. (c0f419b), closes mozilla/fxa-content-server#3125
metrics: send account verification time to statsd (65870d3)

1.46.0 (2015-09-23)

Bug Fixes

logging: use service query parameter in activityEvent (243879a)
tests: changes for "Firefox Account Verified" in train-46 (e630ed6)
tests: run mysql tests on travis (f90a8c1), closes #1032

Features

basket: send sync login events to basket (28842c7)
db: add function to return user's sessions array (bfaddc5)
logging: add createdAt to account.signed activity event (ab4d815)

1.45.0 (2015-09-14)

Bug Fixes

db: decrease session token update frequency (6924fba)
db: properly encapsulate session token update logic (92c94c1)
loadtest: adjust url for /.well-known/browserid (85ddb43)
metrics: properly report account.uid for account.created (da29324)
tests: changes to allow setting accept-language for some requests (bdc9c36)
tests: improved script to checking email of all supported locales (67ffcd1)
tests: update loadtest build script to work with latest PyFxA. (08f4d2d)
version: use explicit path with git-config (986b5b8)

1.44.0 (2015-08-28)

Bug Fixes

config: update convict .root() to .getProperties() calls (4b6cab9)
notifier: calling undefined log.level method throws (e413713)
server: check errno on database errors (28627ee)
server: improve identification of mobile user agents (cf947d2)
tests: make smtp.redirectDomain configurable in remote tests (6adc10f)
tests: unset user-agent fields are null (a2a7b10)

Features

db: store user agent and last-access time in sessionTokens (f0d80ff)
l10n: add en-GB as a supported locale. (980236a)
l10n: add fa as a supported locale. (c4b3bd2)
metrics: add DataDog to activity events, email verified activity events (63842b0), closes #922

1.42.0 (2015-07-24)

Bug Fixes

api: accept service as a query parameter (3d49b51), closes #961
errors: convert missing parameter errors correctly (2bbdc7e)
tests: add an EventEmitter to test/mailbox (4d0f95a)
tests: skip 3 pt-BR specific tests due to no translation yet (4659017)
tests: verifyHash should no longer be returned (7db5996)

1.41.0 (2015-07-07)

1.40.0 (2015-06-30)

Bug Fixes

db: Test for 400 from checkPassword, which shows incorrect password (45c1ea3)
password: Revert changes induced by #954 pull request (d3e3462)

Features

Add account notification emails. (34ae5d0)

1.39.0 (2015-06-11)

Bug Fixes

docs: Fix Markdown link in api.md (b65a5a6)
docs: update documentation for example verification code, from 64 to 32 chars (5c3bf0b), closes #937
password: revert part of GH-943; currently in broken state (4a82735)
test: add missing .bind's to deferred handlers (0eaf5b4)

Features

log: Add logging of various account event (8b22c23)

1.38.0 (2015-05-27)

Bug Fixes

env: set RESEND_BLACKOUT_PERIOD to zero in development (068820c)
env: updated development TRUSTED_JKUS to bring back support for the untrusted relier (1472e74)
test: use a version of node-ass with updated node-temp (3b31c52)

Features

server: Log the service and reason parameters for /account/login. (fa7d1bd)

1.37.0 (2015-05-15)

Bug Fixes

logging: configuration changes per @whd (f65106d)
pool: Stop retrying requests to db-server (179e1b5), closes #921

1.36.0 (2015-04-28)

Bug Fixes

l10n: pass config.i18n.defaultLanguage to fxa-auth-mailer (eddc014)
mailer: add a soft check that we are using the same locales as content-server (0aa3da7)
mailer: add some tests of various supported, unsupported and non-existent locales (341a512)
mailer: split out the list of supported locales, for easier maintenance (0251cb8)
tests: a config update now makes uk,hsb,dsb available (a18ceae)
tests: update for some locales that have now translated fxa-auth-mailer strings (92a444b)

1.35.0 (2015-04-14)

Bug Fixes

httpdb: Set verifierSetAt for resetAccount() (791ab91)
options: -L, --locale <en[,zh-TW,de,...]>; Test only this csv list of locales (e0a79ae)
travis: set --force flag on validate-shrinkwrap (327e4c3)

1.33.0 (2015-03-17)

Bug Fixes

logging: log emailRecord.uid as a hex string, not a byte array (b9a1f67)
server: Fix the "Cannot call method 'tooManyRequests' of undefined error. (03aae55), closes #665

Older versions

train-32

Add ability to put an account in "lockout" state after many auth failures - #867

train-32

Add ability to put an account in "lockout" state after many auth failures - #867

train-31

Don't forward restmail.net email addresses to basket API - #870

train-30

Add more fine-grained logging on basket API errors - #839, #856
Increase passwordForgotToken lifetime to 60mins - #862, #845
Tell basket that locale="en-US" when the user doesn't provide one explicitly - #863
Use shiny new PyFxA library for the python loadtests - #844

train-29

increased basket logging #857
deleted unused code #847

train-28

updated hapi to 7.5.3

train-27

updated fxa-auth-mailer for mail template changes
added locale to basket api response logging

train-26

no changes

train-25

no changes

train-24

added uid to /session/status #830
updated dependencies

train-23

improved operational affordances for scrypt max-pending limit #819
Fixed JWT related bugs for preVerifyToken #824 #825

train-22

basket API #818

train-21

added 'preVerifyToken' optional parameter to /account/create #784
reset customs state on password reset #798
added 'resume' optional parameter to email sending endpoints #793

train-20

limit the number of pending scrypt hashes #783

train-19

belated major version 1 bump but maintain minor version count
fixed uid logging issue #755
nonceFunc logging is now trace instead of info level
updated many dependencies
removed awsbox

train-18

fixed internal server error on /certificate/sign #771
removed mysql and heap DB implementations #769
fixed log uid encoding issue #765
updated documentation

train-17

added locale to account #751
better db related error messages for httpdb #754
updated customs-server #756

train-16

updated hapi to 6.0.2

train-15

allow routes to use a base path for hosting in a subdirectory
updated dependencies
use poolee module for HTTP requests
code reorganization

train-14

moved email sending into fxa-auth-mailer #730
updated hapi-auth-hawk to mitigate bug (#700) #731
added use_https config option #728
always return an error on __heartbeat__ failure #726
updated documentation

train-13

added contributing file #719
added MPL license file
fix for certificate sign requests when the provided key is invalid #717
fixed hawk payload verification bug #713
updated base email templates #709

train-12

verify an account if its unverified when forgot password verification succeeds #694
added 'accountRecreated' flag to the request summary log line #695
deprecate smtp.verificationUrl and passwordResetUrl in favor of contentServer.url #696
Update the URL for the customs server #702
add http datastore api #684

train-11

moved customs-server (fraud/abuse) to its own repo #685
improved the email based rate-limiting behavior

train-10

added email_bouncer.js for processing SES email bounces #678
fixed an email validation bug #681

train-09

noop

train-08

added /account/status #656
added basic email rate limiting #664

train-07

improve concurrent duplicate request handling #626
improved test coverage #628
added SNS account delete notifier #629
added fxa-verifiedEmail to the signed certificate #630
removed dependency on redis #634
added db_patcher for db migrations #643
improved redirectTo domain validation
updated readme design doc link #616
added /password/forgot/status endpoint #636
added /session/status endpoint #637
exit key_server when stdout is piped and the other process exits
improved mysql connection error handling

train-06

stop logging OPTIONS requests #619
fixed /verify_email uid parameter validation
default config.env to prod #614

train-05

fixed some i18n issues #611
use npm shrinkwrap #603
don't send verify emails to verified accounts #609

train-04

added lockdown for stable dependencies #19
refactored mysql.js #588
allow repeat signup against unverified emails #593
added cache-control to /.well-known/browserid #597
collect loggable data before authentication #601

train-03

upgrade hapi to 2.4.0
fixed password reset account lockout bug #575
upgrade mysql to 2.1.0
added mysql stat log lines
default mysql pools to 10 connections instead of 100
improved mysql connection error handling #581
check and cache ts+nonce pairs, not just plain nonces #584
disable HAWK timestamp checking in authentication #585

train-02

added fxa-lastAuthAt to signed certificates #547
load test enhancements
fixed redirectTo bug in /recovery_email/resend_code #563
updated mysql module from 2.0.0 to 2.0.1
improved mysql error handling #566
implemented new request logging convention #565
fixed remote test timing issue #512
more comprehensive email address validation #573
added CHANGELOG :)

train-01

all the things

322 KiB Исходник Постоянная ссылка Ответственный История

1.133.1 (2019-03-19)

Features

1.133.0 (2019-03-19)

Bug Fixes

chore

Features

Refactor

1.132.1 (2019-03-05)

1.132.0 (2019-03-05)

Bug Fixes

chore

1.131.2 (2019-03-04)

Bug Fixes

1.131.1 (2019-02-21)

Bug Fixes

1.131.0 (2019-02-20)

Bug Fixes

chore

Features

1.130.1 (2019-02-11)

Bug Fixes

1.130.0 (2019-02-05)

Bug Fixes

chore

Features

Refactor

1.129.5 (2019-01-31)

Bug Fixes

chore

1.129.4 (2019-01-28)

Bug Fixes

style

1.128.5 (2019-01-18)

Bug Fixes

1.129.3 (2019-01-25)

Bug Fixes

1.129.2 (2019-01-24)

Bug Fixes

1.129.1 (2019-01-24)

Bug Fixes

chore

1.129.0 (2019-01-24)

Bug Fixes

chore

1.128.5 (2019-01-18)

Bug Fixes

chore

1.128.4 (2019-01-17)

Bug Fixes

1.128.3 (2019-01-17)

Bug Fixes

1.128.2 (2019-01-16)

Bug Fixes

1.128.1 (2019-01-14)

Bug Fixes

1.128.0 (2019-01-08)

Bug Fixes

chore

Features

Refactor

1.127.0 (2018-12-11)

Bug Fixes

1.127.1 (2018-12-14)

1.127.0 (2018-12-11)

1.126.3 (2018-12-14)

Bug Fixes

1.126.2 (2018-11-29)

Bug Fixes

1.126.1 (2018-11-28)

Bug Fixes

chore

1.126.0 (2018-11-27)

Bug Fixes

Features

Refactor

1.125.0 (2018-11-14)

Bug Fixes

chore

1.124.4 (2018-11-09)

322 KiB

Исходник Постоянная ссылка Ответственный История