Pre-release

@paragonie-scott paragonie-scott released this Jun 21, 2016 · 670 commits to master since this release

  • Implemented secure account recovery, wherein users can opt out of
    account recovery entirely, or supply a GPG public key. We send a
    random, short-lived token to the email address on file (since Airship
    doesn't store plaintext passwords). If a GPG public key is available, the
    account recovery email will be encrypted by GnuPG.
  • Turned all of the Cabin classes into Gears, so that Gadgets can extend
    their functionality.
  • Gadgets can also override the selected Lens, transparently.
  • Added the option to cache blog posts and blog listings. If cached, comments
    will be loaded via AJAX instead of in the page itself. This should allow a
    single blog post to handle over 10,000 requests per second without breaking
    a sweat.
  • Updated jQuery to 3.0.0.
  • Regenerate session IDs on login. Thanks @kelunik
    for bringing this oversight to our attention.
  • Implemented progressive rate-limiting based on two factors: IP subnet and
    username. This covers both the login form and the account recovery form.
  • You can now specify HPKP headers
    on a per-Cabin basis, via the Cabin Management screen.
  • You can now add/remove Cabins, Gadgets, and Motifs from the Bridge.
  • Sysadmins can "lock" installs so that an admin account compromise cannot
    lead to a vulnerable extension being installed and subsequently used by
    an attacker to compromise the server. Locks come in two varieties:
    • Password-based locks, where you must enter a separate password to
      install a new extension.
    • Absolute locks, which can only be removed by the sysadmin.
  • In Landings, $this->lens() will now terminate script execution. If you
    need to fetch the output (e.g. for caching), use $this->lensRender()
    instead.
  • Implemented input filters which work on multidimensional arrays (e.g.
    $_POST). We provide a few examples (one for each cabin's custom config
    and one for the universal config).
  • Implemented optional Two-Factor Authentication support via TOTP
    (e.g. Google Authenticator).
  • Airship now supports in-memory caching via APCu instead of the filesystem.
  • Comments are now loaded with AJAX when you elect to cache a blog post.
  • When you delete a custom directory, you can elect to create redirects
    automatically to guide your passengers to the correct destination.
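
To illustrate the two-factor progressive rate-limiting item above, here is an added sketch that is not Airship's own code. The names `subnetKey`, `requiredDelay` and `LoginThrottle`, the /24 and /64 prefix lengths, the doubling schedule and the in-memory store are all assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Collapse an address to its subnet so neighbouring hosts share one counter.
// Assumed prefix lengths (not from the release notes): /24 IPv4, /64 IPv6.
function subnetKey(string $ip): string {
    $raw = @inet_pton($ip);
    if ($raw === false) throw new InvalidArgumentException('Invalid IP address');
    $bits = strlen($raw) === 4 ? 24 : 64;
    $masked = '';
    for ($i = 0; $i < strlen($raw); $i++) {
        $keep = max(0, min(8, $bits - 8 * $i));      // bits of this byte to keep
        $masked .= chr(ord($raw[$i]) & ((0xFF << (8 - $keep)) & 0xFF));
    }
    return inet_ntop($masked) . '/' . $bits;
}

// Progressive delay: doubles per failure, capped (assumed 1 s base, 1 h cap).
function requiredDelay(int $failures): int {
    return $failures < 1 ? 0 : min(3600, 2 ** min($failures - 1, 12));
}

final class LoginThrottle {
    private array $failures = []; // key => ['count' => int, 'last' => int]
    // One counter per factor: the source subnet and the targeted username.
    private function keys(string $ip, string $user): array {
        return ['ip:' . subnetKey($ip), 'user:' . hash('sha256', strtolower($user))];
    }
    public function recordFailure(string $ip, string $user, int $now): void {
        foreach ($this->keys($ip, $user) as $k) {
            $count = ($this->failures[$k]['count'] ?? 0) + 1;
            $this->failures[$k] = ['count' => $count, 'last' => $now];
        }
    }
    // Seconds the caller must still wait; the stricter of the two factors wins.
    public function secondsUntilAllowed(string $ip, string $user, int $now): int {
        $wait = 0;
        foreach ($this->keys($ip, $user) as $k) {
            $f = $this->failures[$k] ?? ['count' => 0, 'last' => 0];
            $wait = max($wait, $f['last'] + requiredDelay($f['count']) - $now);
        }
        return $wait;
    }
}

// Constructed sample: three failures against one username from one /24.
$t = new LoginThrottle();
$t->recordFailure('203.0.113.10', 'alice', 1000);
$t->recordFailure('203.0.113.77', 'alice', 1001);
$t->recordFailure('203.0.113.10', 'Alice', 1002);
echo $t->secondsUntilAllowed('203.0.113.200', 'bob', 1003), "\n";  // same subnet
echo $t->secondsUntilAllowed('198.51.100.5', 'alice', 1003), "\n"; // same username
echo $t->secondsUntilAllowed('198.51.100.5', 'bob', 1003), "\n";   // unrelated
```

Keeping separate counters per subnet and per username means that neither rotating source addresses against one account nor trying many accounts from one network avoids the growing delay.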