~fkooman/vpn-user-portal

vpn-user-portal/CHANGES.md -rw-r--r-- 21.0 KiB
6a186e3fFrançois Kooman prepare for new release 30 days ago

#Changelog

#2.4.0 (2021-11-09)

  • include and enable APIv3
  • update German translation
  • show "excluded routes" on the "Info" page

#2.3.14 (2021-08-26)

  • SECURITY: implement proper input validation for QR code generation (CVE-2021-41583)
  • only enable QR code module when 2FA is enabled

#2.3.13 (2021-08-02)

  • support (non vendor-specific) RADIUS attribute for authorization

#2.3.12 (2021-07-13)

  • remove nightly session expiry again as it was very broken
  • no longer show "Danger Zone" when managing your own account
  • allow hiding the "Permission(s)" on the user's "Account" page
  • show profiles available to the user on the "Account" page
  • fix margin for lists in tables

#2.3.11 (2021-06-08)

  • support expiring VPN session at night now for all scenarios where sessionExpiry >= 1 day
  • session expiry is now always (upper)bound to CA expiry
  • implement a "Delete User" (for local accounts) and "Delete User Data" (for accounts in external IdM)
  • add Romanian (Romania) translation

#2.3.10 (2021-05-03)

  • implement support for nightly session expiry @ 04:00 according to server timezone when session expiry is >= 7 days

#2.3.9 (2021-04-12)

  • add Spanish (Latin America) translation

#2.3.8 (2021-03-15)

  • show portal version on "Info" page
  • implement support for optional LDAP bind with credentials for initial search

#2.3.7 (2021-02-23)

  • tlsProtection is no longer a configuration option, it is always tls-crypt
  • only show "Management IP" and "Listen IP" if they are not the default of 127.0.0.1, respectively ::
  • sessionExpiry is optional now, default is P90D
  • authMethod and supportedLanguages have default values now when omitted
  • remove obsolete /_saml/* whitelist
  • rework menu, reduce code duplication and make it easier to add optional items

#2.3.6 (2020-11-27)

  • update for ProfileConfig refactor
  • reduce font size
  • update "Info" page to make the "keys" translatable and show them in a more "human readable" way
  • remove some overzealous use of <details> / <summary> on "Info" and "Stats" pages
  • always show the algorithm (RSA, ECDSA, EdDSA) for generating keys for OpenVPN clients
  • correct the number of maximum number of clients that can be simultaneously connected due to misunderstanding in available IPs in the OpenVPN managed IP pools

#2.3.5 (2020-10-20)

  • update pt_PT translation
  • switch to new discovery files for eduVPN federation
  • implement changes for updated Config API
  • switch to the common HTTP client
  • deal with Api and/or Api -> consumerList configuration options missing, it broke the portal
  • implement support for anonymous LDAP search to find the DN to bind with in order to verify the user's password (based on arbitrary LDAP attribute)

#2.3.4 (2020-09-08)

  • support client certificate authentication (ClientCertAuthentication)
  • fix CSS/JS cache busting, base.php template changes
  • add ECDSA certificate support for TLSv1.2, already supported with TLSv1.3
  • display used CA Key Type on "Info" page if not the default RSA
  • small CSS style fixes, giving more space to some elements on the page

#2.3.3 (2020-07-28)

  • update fkooman/secookie

#2.3.2 (2020-07-27)

  • use grid layout for vertical alignment on page
  • drop bacon/bacon-qr-code PHP dependency and use /usr/bin/qrencode instead, improving performance a lot

#2.3.1 (2020-07-10)

  • update uk_UA translation
  • update pl_PL translation
  • update nb_NO translation
  • update de_DE translation
  • update fr_FR translation
  • update ar_MA translation
  • update da_DK translation
  • small CSS style updates

#2.3.0 (2020-06-29)

  • expose default_gateway in /profile_list API response indicating whether or not the profile expects all traffic over the VPN
  • implement CSS cache busting
  • redesign the "Account" page
  • show most recent VPN connections on the "Account" page
  • allow admins to see the most recent VPN connections of the users
  • remove the (hidden) /events page and show account events on "Account" page
  • various minor template changes to allow for better CSS styling
  • redesign the OAuth consent dialog
  • the /info.json (and /.well-known/vpn-user-portal) response headers will now indicate that the files MUST NOT be cached in applications
  • complete redesign of the portal UI
  • remove SamlAuthentication module, we only include PhpSamlSpAuthentication from now on

#2.2.8 (2020-05-26)

  • update PhpSamlSpAuthentication for php-saml-sp API changes
    • skip WAYF when "upgrading" AuthnContextClassRef (MFA)
    • remove support for permissionSessionExpiry as it is never used

#2.2.7 (2020-05-21)

  • add "Application Use" pie-chart on "Stats" page showing the distribution of the VPN client application use by users
  • make profile graphs on "Stats" page expandable like on "Info" page
  • make sure browser session never outlives sessionExpiry

#2.2.6 (2020-05-12)

  • support array next to string for permissionAttribute in FormLdapAuthentication module
  • show CA info on "Info" page
  • use <details> to fold profile information by default on "Info" page
  • do not allow downloading hidden profile through the API /profile_config call

#2.2.5 (2020-04-05)

  • fix styling of links in styled <p> and <span> elements
  • allow overriding locales and templates in config/ folder for themes as well
  • add pt_PT translation
  • update fr_FR translation
  • let server dictate data channel key renegotiation interval
  • fix custom authentication class loader

#2.2.4 (2020-03-30)

  • introduce userIdAttribute for FormLdapAuthentication to "normalize" the user ID used inside the VPN service (issue #151)
  • implement addRealm option for FormLdapAuthentication that adds a configured domain to the user specified "authUser" if no domain is specified yet

#2.2.3 (2020-03-23)

  • add German portal translation

#2.2.2 (2020-03-13)

  • rework "Connections" page to list number of connected clients by default per profile instead of all connected clients

#2.2.1 (2020-02-14)

  • session cookie for SamlAuthentication rename to make switching to PhpSamlSpAuthentication possible without running into a big session confusion situation

#2.2.0 (2020-02-13)

  • update fkooman/secookie (2.1.0 -> 4.0.0) to supporting multiple parallel sessions and properly support SameSite=None with SAML session cookies
  • update fkooman/saml-sp (0.2.2 -> 0.3.0), supporting <EncryptedAssertion> and some other small change
  • add support for php-saml-sp (external SAML SP written in PHP) with PhpSamlAuthentication authentication module
    • SamlAuthentication authentication module was never officially supported and is now deprecated. It will be removed in the next release
  • include Tpl class here and update API use regarding locale(s)
  • cleanup/simplify LogoutModule

#2.1.6 (2020-01-20)

  • fix session cookie Path parameter

#2.1.5 (2020-01-20)

  • the select box for downloading a new configuration in the portal has the exact size of the number of available profiles
  • switch to our own SessionInterface and CookieInterface instead of using the one of fkooman/secookie
  • do not show the "Sign Out" button on the OAuth authorization dialog
  • simplify authentication mechanisms and allow adding custom authentication classes without modifying the portal code

#2.1.4 (2019-12-10)

  • update for server API to handle per profile tls-crypt keys
  • expose /.well-known/vpn-user-portal and /info.json alias through vpn-user-portal, allowing for software updates to the API definition
  • expose the version of the portal through /.well-known/vpn-user-portal and /info.json

#2.1.3 (2019-12-02)

  • add Estionian translation

#2.1.2 (2019-11-21)

  • fix issue with init script and add-user script

#2.1.1 (2019-11-21)

  • better implementation for "remote" lines added to generated client configuration, "special" ports are always added (last).
  • update to new internal API format for retrieving list of connected clients
  • remove some dead code that does nothing except slow down the portal
  • fix bug where it was possible to obtain a configuration for a profile you had no access to, even though you still wouldn't be able to actually use it
  • allow API clients to request first (0), random (1) or all (2) remote lines in the configuration obtained through /profile_config API call using the remote_strategy parameter taking an integer
  • remove some dead code

#2.1.0 (2019-11-04)

  • completely redone the UI (CSS, templates) of the portal
  • support translations for themes / branding
  • support RTL (right to left) language translations
  • add ar_MA translation
  • update various translations

#2.0.14 (2010-10-14)

  • drop "auth none" from client configuration file
  • support TLSv1.3-only configurations
  • allow restricting any access to portal/API based on permissions

#2.0.13 (2019-09-25)

  • implement static permissions for PDO|LDAP|RADIUS authentication backends

#2.0.12 (2019-08-29)

  • switch to paragonie/sodium_compat for Composer installations
  • make border spacing for stats diagrams absolute 3px instead of relative 0.2em
  • support translation for themes/styles as well
  • update templates for new Tpl class

#2.0.11 (2019-08-19)

  • rework "Stats" graphs using HTML/CSS instead of PNG image, allowing for simpler code, translation of graph text and styling using CSS

#2.0.10 (2019-08-13)

  • URL encode the user ID and issuer when generating OTP QR code

#2.0.9 (2019-08-08)

  • add uk_UA translation
  • document all (possible) configuration changes since 2.0.0 in CONFIG_CHANGES.md

#2.0.8 (2019-07-31)

  • close </span> on Stats page
  • add credits for portal translations
  • update fkooman/saml-sp dependency

#2.0.7 (2019-07-20)

  • add Ubuntu 18.04 Roboto font path (issue #135)
  • make the log work with local timezone instead of UTC (issue #137)
  • do not allow to specify a time in the future on log page (issue #136)
  • update nl_NL and nb_NO translations
  • add pl_PL translation
  • support multiple permission attributes with experimental SamlAuthentication backend, merging all values

#2.0.6 (2019-06-27)

  • also show maximum number of concurrent connections possible per profile (issue #133)
  • fix rounding problem in traffic graph on stats page (issue #134)

#2.0.5 (2019-06-07)

  • proper input validation on value from language cookie

#2.0.4 (2019-05-21)

  • fix default language for portal, it always used English independent of the order of languages in the configuration file
  • fix MellonAuthentication logout

#2.0.3 (2019-05-14)

  • update Norwegian translation
  • fix issue HTTP 500 API response when token was not JWT token (failed to extract key ID) (eduvpn/macos#217, eduvpn/vpn-server-api#75)

#2.0.2 (2019-05-01)

  • do not list hidden profile in /profile_list API call

#2.0.1 (2019-04-26)

  • update tests to deal with updates internal API error messages (vpn-lib-common)
  • fix bug where 2FA documentation was shown even when 2FA is disabled (PR #122)

#2.0.0 (2019-04-01)

  • remove PHP error suppression
  • rework 2FA enrollment, enrollment goes through /two_factor_enroll now
  • no longer show which profiles have 2FA enabled, no longer relevant as 2FA through OpenVPN will be removed in the near future
  • update 2FA documentation
  • no longer ask for confirmation when deleting a certificate (#107)
  • remove VOOT support
  • force user to enroll for 2FA when 2FA is required
  • remove YubiKey support
  • only show certificates manually issued on "Certificates" page, not the ones issued to OAuth clients
  • rewrite ForeignKeyListFetcher to no longer require fkooman/oauth2-client
  • remove /create_config (was not used by any client anymore)
  • lie about 2FA to the API client so client never will try to enroll the user
  • no longer use display_name parameter for /create_keypair, just use the OAuth client_id of the client as display name
  • implement database migration support for OAuth tokens
  • remove user registration with vouchers for PdoAuth
  • remove Twig, switch to Tpl
  • remove compression framing support
  • remove tls-auth support
  • remove "multi instance" support
  • update to version 4 of fkooman/oauth2-server
  • (re)introduce admin permission based on userId
  • rename "entitlement" to "permission"
  • OAuth key moved to configuration directory instead of data directory
  • implement SamlAuthentication support (php-saml-sp)
  • implement ShibAuthentication support (Shibboleth SP)
  • implement user session expiry

#1.8.5 (2018-11-28)

  • no longer allow clients to obtain new access tokens using the refresh token when the user account is disabled
  • add ability to disable 2FA or select which methods are supported
    • new default is TOTP only
    • YubiKey OTP is DEPRECATED
  • implement SAML logout for MellonAuthentication

#1.8.4 (2018-11-22)

  • use UserInfo::authTime. Obtain it from the last_authenticated_at information retained by the server in case of API requests
  • synchronize expiry of browser session, X.509 client certificate and OAuth refresh_token so they all expire at the same time
  • remove Api/refreshTokenExpiry from config template, replaced by sessionExpiry
  • remove Api/tokenExpiry from config template, overriding it will still work, but don't advertise this
  • remove "Entitlements" from Account page, merged with "Group Membership(s)"
  • add "VOOT membership" retrieval through "frontend". Deprecates the VOOT backend handling through vpn-server-api and making VOOT integration more robust

#1.8.3 (2018-10-15)

  • drop support for OpenVPN 2.3 clients

#1.8.2 (2018-10-10)

  • update da_DK translation (by Sanne Holm)
  • also consider entitlements when showing list of profiles
  • cache entitlements on the server as well as part of LastAuthenticatedAtPing

#1.8.1 (2018-09-10)

  • update for new vpn-lib-common API
  • cleanup autoloader so Psalm will be able to verify the scripts in web and bin folder
  • when creating a certificate through the API, bind it to the OAuth client ID
  • delete all certificates associated with OAuth client ID when revoking OAuth application on "Account" page and disconnect the clients using certificates issued to this client (issue #89)
  • rename "Configurations" to "Certificates" as that better covers what this page is actually about
  • update nl_NL translations
  • add fr_FR translation (by Tangui Coulouarn)

#1.8.0 (2018-08-15)

  • use new authorization method

#1.7.2 (2018-08-05)

  • many vimeo/psalm fixes
  • code refactors to make it better verifyable

#1.7.1 (2018-07-24)

  • convert errors from backend into proper API responses instead of HTTP/500 responses to API client (#95)

#1.7.0 (2018-07-02)

  • record the last time the user authenticated
  • certificates can no longer be disabled, so no need to show this any longer, also remove it as a reason from /check_certificate API call

#1.6.10 (2018-06-06)

  • support tlsProtection

#1.6.9 (2018-05-24)

  • support optional "customFooter" template

#1.6.8 (2018-05-22)

  • add support for Android "app links" for OAuth clients
  • enable logging in OAuth client

#1.6.7 (2018-05-17)

  • update nl_NL translations

#1.6.6 (2018-05-16)

  • show the user ID on the TOTP/YubiKey page when authenticating

#1.6.5 (2018-05-11)

  • add Let's Connect for Android as an OAuth client registration

#1.6.4 (2018-05-03)

  • convert spaces in _ when downloading an OpenVPN configuration through the portal, fixes import in NetworkManager (Linux) (#92)
  • return reason through API when checking validity of certificate

#1.6.3 (2018-04-20)

  • fix /check_certificate response to match API (#32)

#1.6.2 (2018-04-12)

  • update for fkooman/oauth2-client version 7

#1.6.1 (2018-03-29)

  • implement /check_certificate API call
  • support multiple RADIUS servers

#1.6.0 (2018-03-19)

  • update for fkooman/oauth2-server API changes

#1.5.4 (2018-05-16)

  • support RADIUS for user authentication

#1.5.3 (2018-03-15)

  • switch to UserInfo class
  • add extra redirect URIs for iOS client

#1.5.2 (2018-02-28)

  • make sure chosen userId does not exist yet when registering a new account (avoiding database constraint exception)
  • script to generate voucher now prints voucherCode
  • input validation for user chosen passwords when changing passwords and registering new accounts
  • rework exposing proto/port in client configuration
  • make sure data directory exists before adding users

#1.5.1 (2018-02-26)

  • remove addVpnProtoPorts configuration option, and switch to exposedVpnProtoPorts in Server API

#1.5.0 (2018-02-25)

  • support FormPdoAuthentication and make it the default
  • deprecate FormAuthentcation, new deploys will use FormPdoAuthentication by default
  • implement support for changing passwords by users when using FormPdoAuthentication
  • implement user self registration with vouchers
  • if tlsCrypt is enabled, use AES-256-GCM as only supported cipher

#1.4.9 (2018-02-06)

  • set default for refresh token expiry to 180 days (instead of 6 months to sync with default of CA certificates)
  • add Let's Connect OAuth client registration for Windows

#1.4.8 (2018-01-24)

  • update Norwegian translation

#1.4.7 (2018-01-22)

  • update authorization dialog text

#1.4.6 (2018-01-10)

  • support refresh token expiry (update fkooman/oauth2-server)
  • set default for refresh token expiry to 6 months

#1.4.5 (2017-12-28)

  • no longer show "Scope" for authorized applications
  • translate "Enroll" on account page
  • do not show group information when there are no groups to show (issue #85)
  • do not show authorized applications when there are none

#1.4.4 (2017-12-23)

  • simplify OAuth consent dialog
  • reenable "Approval" dialog for OAuth clients for now
  • make add-user script interactive if no --user or --pass CLI parameters are specified (issue #83)

#1.4.3 (2017-12-14)

  • use 160 bits TOTP secret instead of 80 bits
  • expose user_id in /user_info API call
  • update Tunneblick documentation

#1.4.2 (2017-12-12)

  • cleanup autoloading
  • hardcode the official eduVPN application registration for all platforms
  • wrap InputValidationException in proper API responses when the API calls triggered those exceptions
  • update eduvpn/common

#1.4.1 (2017-12-08)

  • add 2FA enrollment to OAuth API

#1.4.0 (2017-12-05)

  • cleanup templates for easier extension and custom styling
    • breaks existing templates (falls back to default)
  • implement page informing user to close the browser (after redirects to native app only)
  • mention uMatrix on documentation page (for advanced users)
  • update nl_NL translation

#1.3.2 (2017-11-30)

  • support disabling approval for trusted OAuth clients
  • rework (lib)sodium compatiblity

#1.3.1 (2017-11-29)

  • fix unit tests for fkooman/oauth2-server 2.0.1
    • OAuth server update fixes IE 11 support for the eduVPN for Windows application

#1.3.0 (2017-11-28)

  • update fkooman/oauth-client to 6.0.0
  • update LDAP authentication configuration examples

#1.2.0 (2017-11-23)

  • support LDAP authentication

#1.1.1 (2017-11-20)

  • support disabling compression

#1.1.0 (2017.11-14)

  • support PHPUnit 6
  • update to fkooman/oauth2-server 2.0 (CHANGES)
  • allow updating branding/style using styleName configuration option

#1.0.10 (2017-11-06)

  • update documentation, recommend against jail breaking / rooting
  • federated identity issuer can also contain numbers

#1.0.9 (2017-10-26)

  • support PHP 7.2 (sodium)
  • refactor binary scripts

#1.0.8 (2017-10-24)

  • update iOS documentation, mention seamless tunnel
  • update Linux documentation, mention various tested distributions

#1.0.7 (2017-10-17)

  • add Danish translation (provided by Tangui Coulouarn)
  • update Documentation page (remove screenshot, 2FA updates)
  • only have English as UI language by default as we have multiple languages supported now, it does not make sense to favor Dutch

#1.0.6 (2017-09-18)

  • API call user_info also exposes two_factor_enrolled_with now to show which 2FA methods the user is enrolled for

#1.0.5 (2017-09-14)

  • show "display name" of OAuth client instead of "client id" on the account page (issue #75)

#1.0.4 (2017-09-11)

  • change session name to SID to get rid of explicit Domain binding;

#1.0.3 (2017-09-11)

  • update session handling:
    • (BUG) session cookie MUST expire at end of user agent session;
    • do not explicitly specify domain for cookie, this makes the browser bind the cookie to actual domain and path;

#1.0.2 (2017-09-10)

  • update fkooman/secookie
  • update default config file, no effect for deployed instances:
    • set OAuth access token expiry to 1 hour
    • remove old Android app as OAuth client

#1.0.1 (2017-08-24)

  • remove incomplete de_DE and fr_FR translations for now
  • update configuration template
    • new default discovery URL
    • disable eduvpn.tuxed.net client by default

#1.0.0 (2017-07-13)

  • initial release