Barong 2.3.0

Overview

We are pleased to present Barong Open Source 2.3.0.

This release concentrates on improving overall project flexibility and security, reworking sessions, and adding several new storage and phone providers:

1. Server-side sessions via Rails cache
2. Restrictions and the related Admin API
3. Support for the Twilio Verify service (without dropping the legacy SMS solution)
4. Flexible state - labels flow
5. Support for the Ali Cloud storage provider and custom S3 storages

These release notes are a must-read for migrating from older versions.

New Features

  • Add ability to configure SMS content for phone verification #877 (ec)

    • This PR introduces the ability to configure (via ENV) before deployment the content of the Twilio SMS:
    • "Your verification code for Barong: {{code}}" - default one
    • You can change the position of the verification code, the words and the content in the template
    • e.g. "Hoooray! Here is magic {{code}} for you to verify your account!"
  • Simple rake task to create users and api keys #816 (ec)

    • [ATTENTION] The best usage for the rake task is testing purposes
    • You can generate up to N (1000 by default) users with valid API keys to simulate any platform actions
  • Add Restrictions #891 (dnfd)

    • AuthZ-level validations to ban traffic on a network basis.
    • Available types of validations: IP, IP_SUBNET, CONTINENT, COUNTRY
    • After being created, a restriction can be toggled ON or OFF via the admin API
    • Full support of CRUD functionality in the admin module
  • Feature Ability to change UID prefix with BARONG_UID_PREFIX=ABC #893 (ec)

    • This PR introduces the ability to configure (via ENV) before deployment the format of future user UIDs:
    • ID{RANDOM_HASH} - default
    • MYAWESOMEAPP{RANDOM_HASH} - available to configure
  • Add Management API: push document for user #894 (ec)

    • New management API call that gives the ability to push documents for a user in base64
    • Good base for any third-party KYC providers
  • Add endpoint for delete restriction #902 (chumaknadya)

    • Admin endpoint to delete a Restriction (removes it from the DB; cannot be rolled back)
  • Add state to Profile model #910 (mnaichuk)

    • Define 2 Profile states: partial and completed
    • Allow creating an EMPTY profile (with empty fields)
    • The profile state depends on which attributes are filled
  • Ability to update and delete users profiles #913 (ec)

    • New admin and user API endpoints that allow updating / deleting profiles
  • Flexible state - labels flow #907 (ec)

    • State - Label dependency
    • Similar to the levels configuration, you can now configure the label requirements for each of the user states
    • ACTIVE requirements are configured separately
    • Now on every label change (update, remove, delete) the user state is recalculated and the update is forced
    • Default values remain the same as in versions <= 2.2
  • Add AliCloud Carrierwave storage provider #911 (dnfd)

    • Barong now supports Ali Cloud storage and deploys easily on Alibaba Cloud
  • Add ability to restrict by geoip #920 (dnfd)

    • Add support of CONTINENT and COUNTRY restriction scopes
  • Add ability to skip label creation on doc save #922 (dnfd)

  • Add ability to disable 2fa #925 (dnfd)

  • Add AliCloud Uploader #926 (dnfd)

    • Barong now supports Ali Cloud storage and deploys easily on Alibaba Cloud
  • Define DocumentTypes class for flexible doc type configuration #935 (ec)

    • This PR introduces the ability to predefine the available document types before deployment. There is no hardcoded frozen array anymore.
    • By default, the available document type list remains the same as in versions <= 2.2
  • Make labels acts_as_eventable on: [create update] #936 (ec)

    • Emit events on label create / update / delete
  • Add the support of twilio verify API #928 (ec)

    • Barong now supports the Twilio Verify service (via CALL and SMS)
    • Should be switched from SMS to Twilio Verify via ENV before deployment
  • Server side sessions via cache_store #949 (ec)

    • Sessions are now stored on the server side in the cache
    • The user receives only one session cookie, which proves it was issued by Barong
    • The session lifetime is extended after every private call
    • The session is closed automatically if the user tries to reuse the cookie in another browser or from another IP network
    • Sessions expire after 24h
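The Restrictions feature (#891, #920) lists four validation scopes and an ON/OFF toggle. The block below is an added example, not Barong's own code: it evaluates constructed restriction records against a request IP, with a constructed table standing in for the GeoIP lookup. The Restriction struct shape, the enabled flag and the lookup_geo/find_ban helpers are assumptions for illustration.

```ruby
require 'ipaddr'

# Added example (not Barong's code): evaluator for the IP, IP_SUBNET,
# COUNTRY and CONTINENT restriction scopes. Record shape and helpers are
# assumptions; the real GeoIP backend is not shown on this page.
Restriction = Struct.new(:scope, :value, :enabled, keyword_init: true)

# Constructed stand-in for a GeoIP database: IP string => geo attributes.
SAMPLE_GEO = {
  '203.0.113.7'  => { country: 'US', continent: 'NA' },
  '198.51.100.9' => { country: 'DE', continent: 'EU' },
  '192.0.2.44'   => { country: 'BR', continent: 'SA' }
}.freeze

def lookup_geo(ip)
  SAMPLE_GEO.fetch(ip, { country: 'ZZ', continent: 'ZZ' })
end

# Does one restriction apply to this request IP? A restriction toggled OFF
# stays in the DB but never matches.
def restriction_matches?(restriction, ip)
  return false unless restriction.enabled

  case restriction.scope
  when 'IP'        then IPAddr.new(restriction.value) == IPAddr.new(ip)
  when 'IP_SUBNET' then IPAddr.new(restriction.value).include?(IPAddr.new(ip))
  when 'COUNTRY'   then lookup_geo(ip)[:country] == restriction.value
  when 'CONTINENT' then lookup_geo(ip)[:continent] == restriction.value
  else false
  end
end

# Returns the first matching restriction (useful for logging why traffic was
# banned) or nil when the request is allowed.
def find_ban(restrictions, ip)
  restrictions.find { |r| restriction_matches?(r, ip) }
end
```

Returning the matching record rather than a boolean lets the authorization layer log which rule fired, which is what an operator needs when reviewing a ban.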
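The flexible state - labels flow (#907) recalculates the user state whenever a label changes, against per-state requirement lists with ACTIVE configured separately. The following block is an added example and not Barong's configuration format or code: the requirement hashes, the pending fallback and the User class are assumptions chosen to show the recalculation.

```ruby
# Added example (not Barong's code): label-driven user state recalculation.
# Requirement lists are key/value pairs the user's labels must contain; the
# configuration shape here is hypothetical.
ACTIVE_REQUIREMENTS = [
  { key: 'email', value: 'verified' },
  { key: 'phone', value: 'verified' }
].freeze

# States are tried in order; the first one whose requirements are all met
# wins. 'pending' has no requirements and is the fallback for every user.
STATE_REQUIREMENTS = {
  'active'  => ACTIVE_REQUIREMENTS,
  'pending' => []
}.freeze

def requirements_met?(labels, requirements)
  requirements.all? do |req|
    labels.any? { |l| l[:key] == req[:key] && l[:value] == req[:value] }
  end
end

def compute_state(labels)
  STATE_REQUIREMENTS.each do |state, reqs|
    return state if requirements_met?(labels, reqs)
  end
  'pending'
end

# Minimal user model: every label create/update/remove forces a recalculation.
class User
  attr_reader :state, :labels

  def initialize
    @labels = []
    recalculate!
  end

  def add_label(key, value)
    @labels << { key: key, value: value }
    recalculate!
  end

  def update_label(key, value)
    label = @labels.find { |l| l[:key] == key }
    label[:value] = value if label
    recalculate!
  end

  def remove_label(key)
    @labels.reject! { |l| l[:key] == key }
    recalculate!
  end

  private

  def recalculate!
    @state = compute_state(@labels)
  end
end
```

Recalculating on every label mutation, rather than only on creation, is what keeps a downgraded label (for example a phone verification reset to another value) from leaving the user in a state they no longer qualify for.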
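The server-side sessions item (#949) describes an opaque cookie backed by cache state, a 24h lifetime renewed on each private call, and automatic closure when the cookie is reused from another browser or IP network. The block below is an added example, not Barong's implementation: an in-memory hash stands in for Rails.cache, and the /24 (IPv4) and /64 (IPv6) granularity for "IP network" and the user-agent comparison are assumptions.

```ruby
require 'securerandom'
require 'ipaddr'

# Added example (not Barong's code): cache-backed session store with the
# behaviour the release notes describe. Network granularity and the
# user-agent check are assumptions.
SESSION_TTL = 24 * 60 * 60 # 24h

class ServerSessionStore
  def initialize
    @cache = {} # plays the role of Rails.cache, keyed by the cookie value
  end

  # Issue a session: only a random token reaches the browser; all state stays here.
  def create(uid:, ip:, user_agent:, now: Time.now)
    token = SecureRandom.hex(32)
    @cache[token] = {
      uid: uid,
      network: network_of(ip),
      user_agent: user_agent,
      expires_at: now + SESSION_TTL
    }
    token
  end

  # Run on every private call. Returns the uid, or nil when the session is
  # missing, expired, or presented from another browser/network; in those
  # cases the session is closed so the cookie cannot be retried.
  def authorize(token, ip:, user_agent:, now: Time.now)
    session = @cache[token]
    return nil if session.nil?

    if now >= session[:expires_at] ||
       session[:network] != network_of(ip) ||
       session[:user_agent] != user_agent
      @cache.delete(token)
      return nil
    end

    session[:expires_at] = now + SESSION_TTL # lifetime extends on each private call
    session[:uid]
  end

  def active?(token)
    @cache.key?(token)
  end

  private

  # Coarse "network" identity so a client whose address moves inside the
  # same block is not logged out, while a different network closes the session.
  def network_of(ip)
    addr = IPAddr.new(ip)
    addr.mask(addr.ipv4? ? 24 : 64).to_s
  end
end
```

Because the cookie carries no claims of its own, revoking a session is a cache delete, and a stolen cookie replayed from a different browser or network is invalidated on first use instead of living out its full lifetime.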

Enhancements

  • Updating gem multisign and jwt 45f975 (mod)
  • Allow pending user to open session #881 (ec)
  • Update to ruby 2.6.3 and rails 5.2.3 #867 (ec)
  • Update models' annotations #895 (dnfd)
  • Small fixes in document and profile model #901 (ec)
  • Feature: Add redeploy on devkube step to drone #874 (alinetskyi)
  • Add validation for referral && Add ability to get referral uid #882 (chumaknadya)
  • Update nokogiri version #906 (dnfd)
  • Update Barong::App validations #904 (dnfd)
  • Support 'with replace' policy on labels update #915 (ec)
  • UPDATES: sessions delete, permissions update, log error on 500 #917 (chumaknadya)
  • Add :upload in list of params to be filtered #919 (ec)
  • Fix structure of event API messages #912 (shal)
  • Use Barong::App.config.barong_uid_prefix in referral validation #923 (ec)
  • Allow blank doc_expire for documents controllers #927 (dnfd)
  • Add system.session.create event with user and request_ip data #916 (chumaknadya)
  • Update seeds.yml #934 (ec)
  • Simple GET levels requirements endpoint for admin #932 (ec)
  • Get rid of 'serialize: JSON', accept 'metadata' as json instead of pure hash #930 (ec)
  • Add missing labels event api documentation #937 (ec)
  • Add session autorenew #903 (dnfd)
  • Introduce MockPhoneVerifyService #941 (ec)
  • Use uid instead of id on profile update && delete api #943 (ec)
  • Profile act as eventable on update #945 (ec)
  • Update ruby to 2.6.5 for security reasons #946 (ec)
  • Add ability to configure aws_signature_version && endpoint #947 (ec)
  • Feature: allow # \ () & ' : " in profile residential address field #950 (ymasiuk)
  • Add redis - hiredis dependency, specify driver in dev env #951 (ec)
  • Protect superadmin against changes from non-superadmin users #955 (ec)
  • Update storage-related gems #957 (ec)

Bug Fixes

  • Use CGI::escape instead of pure url in documents event api #942 (ec)
  • Fix binstubs issue #867 (ec)
  • Fix rollback to pending state, add missing data in entities #914 (ec)
  • Handle Vault errors on POST /api/v2/resource/api_keys #918 (dnfd)
  • Avoid NoMethodError for UTC on nil entities #921 (ec)
  • Event API changes: remove blocking check for on_update events #933 (ec)