Today's update (29bf398) brings with it the following changes:
Security issues
- Hardened the application against XML-based attack vectors.
- Explicitly set the SameSite=Lax cookie policy on insecure cookies.
New features
- Added a login and authorization feature against e-portal, based on the OpenID Connect flow. Disabled until e-portal is fully configured.
- Added a "Log in using e-portal" button to the standard right-hand side menu. Disabled until e-portal is fully configured.
- Added an eportal template function that exposes the issuer, API and logout URLs, so these values can be used in templates.
- User details, institution memberships, groups, roles, course access and student/supervisor relationships are automatically provisioned when logging in using e-portal.
- The user identity token (claims collection) from e-portal is verified by its signature using JWT semantics, which reduces the attack surface. Verification accepts only RSA, ECC and Ed algorithms. The decoded identity claims are available in a session variable for use by templates.
- During login using e-portal, the user is redirected to a common Portfolio site before being redirected back to the original site. This is normal and part of the e-portal login process.
- Users without any email registered in e-portal will get an auto-generated email address associated with their Portfolio account.
- If no username has been defined in e-portal, existing users will keep their existing Portfolio username when they login using e-portal.
- If an institution with no owner is imported using e-portal, the owner is set to the orphan user.
- Information from e-portal is cached for a short while to reduce load on the e-portal API during login.
- When logging out of a session authenticated via e-portal, the e-portal session is logged out as well.
Enhancements
- Set an HTTP User-Agent header so that, when Portfolio acts as an HTTP client, it can be identified more easily by remote systems.
- Use the contact manager UI for adding a user in the event log report.
Bugfixes
- Log out and redirect to the front page when deleting your own account, to avoid a confusing login issue.
- Changed the logout request handler to be available to anonymous users, so that explicitly logging out after the session has already expired no longer shows a login prompt followed by an immediate logout.
- Fixed issue with negative time intervals in time usage reports causing skewed reports.
- Fixed grammar inconsistency with regards to the phrase "login/logout" being used as a verb, when it should be phrased as "log in/log out".
- Ensure consistent phrasing of the word e-portal.