vc-platform

• Simplify the platform configuration to working with Redis cache server #1507 (#1508)
  Now it is enough to configure the connection string RedisConnectionString to switch the platform in the mode of using the Redis server as a synchronization server for the local caches of multiple platform instances.
  web.config

...
  <connectionStrings>
     <!--Redis Connection String -->
     <add name="RedisConnectionString" connectionString="SECRET" />
 </connectionStrings>
...

• Fixed a bug with invalid absolute links to blob resource when AzureBlobStorage is used as the primary blob provider and the CDN URL is configured in the platform web.config #1509 (#1510)

• Fixed bug with unavailability of authorization in swagger-ui
  

• Replaced cookie based authentication with a token barrier authorization for the manager application (OAuth2 password grant flow). The main goal of this migration is to prevent CSRF attacks to the platform API. #1476

Added three new application settings in web.config:

<!-- The access token life time -->
<add key="VirtoCommerce:Authentication:BearerTokens.AccessTokenExpireTimeSpan" value="00:30:00" />
<!-- The refresh-token life time read more about https://oauth.net/2/grant-types/refresh-token/ -->
<add key="VirtoCommerce:Authentication:BearerTokens.RefreshTokenExpireTimeSpan" value="30:00:00:00" />
  <!--The list of permissions that will be granted to the user by cookies when bearer token authentication is enabled.
 This can help to authorize the user for direct (non-AJAX) GET requests to the VC platform API and/or to use  some 3rd-party web applications for the VC platform (like Hangfire dashboard). -->
<add key="VirtoCommerce:Authentication:BearerTokens.LimitedCookiePermissions" value="security:call_api;platform:asset:read;platform:export;background_jobs:manage;content:read;platform:asset:create" />

• Updated swagger UI to v3.20.01
  
• Upgraded Application Insights SDK to the latest version #1485
• Allow to change the shortcut icon for platform application #1467
• Fixed time zone handling in DatetimePicker #1327

• Fixed the Swagger validation errors like $ref values must be RFC3986-compliant percent-encoded URIs
• Fixed bug when SignalR is stopped working with active Redis configuration. https://github.com/virtocommerce/vc-platform/issues/1462
• Added favicon.ico for Platform manager application
• Fixed JS errors on the new API account blade https://github.com/virtocommerce/vc-platform/issues/1472
• Minor platform performance improvements:
  • XmlExpressionSerializer is now used the static instance of ExpressionSerializer this should significantly reduce memory usage for some cases.
  • Fixed the performance issue with the caching of authorization logic

• Added Azure Active Directory authentification (SSO) #1388
  https://virtocommerce.com/docs/vc2devguide/authentication-with-azure-ad
• Reworked the action of the change the user password in the platform manager #1433
  • Added possibility for users to change their password when they sign in for the first time
  • Checking new passwords based on the password strength policy defined in the system
    
• Added workaround allows to use the timeout values of EF commands taken from the database connection string #1117

• Fixed bug When trying to save null value for a dynamic property value of type DateTime the null value is converted to 0001-01-01T00:00:00.0000000, which cannot be saved to the database #1418
• Added snapshot collection for exceptions into Application Insight #1422 #1415
• Fixed errors when importing sample data #1392 #1391
• Added availability to suppress emitting all domain events for the current asynchronous control flow.

 using (var guard = EventSupressor.SupressEvents())
{
....
}

• Minor security fixes
  • Disable CORS
  • Added HSTS policy
  • Disabled the run platform in iframe (prevent ClickJacking attack)

• Minor UI fixes

• Fixed the js bug of start the platform for the release configuration

• Grid menu is cropped when opened near the bottom edge of the #1286
• Added the possibility to change application authentication options in Web.config #1339
• Fixed read-only fields support in Metaform #1340 #1378
• Fixed a bug with flashing images if images not found when using the fallback-src directive
• Added new AngularJS directive va-chars-count #1288
• Added new platform API method POST users/{userId}/validatepasswordresettoken for security token validation #1358
• Added CC and BCC to email notifications #1380
• Added text wrapping in the common changes history blade #1324
• Edit layout for search count for blades #1367
• Grid's cells misaligned when scrolled to the bottom #1259
• Made errors log more readable #1321

Fixed error handling for some security operations (register by invite, reset password, unlock user & other). Need to regenerate AutoRest clients for correct working.

Fixed bugs:

• #1355: Reset password notification now will appear in notifications history
• #1354: Now en-US culture (default) will be used for Reset password template resolving
• #1353: Added ability to specify authentication options in web.config

Also, reverted back breaking changes in security APIs which was made in 2.13.30. Now they works as in 2.13.29 and previous versions.

• Fixed bug with swallowing exceptions thrown from event handlers
• Take username from a current thread in the UserNameResolver ( leads to unknown username for changes log were created in the background jobs)
• Added the new API POST api/platform/changelog/search
• Fixed bug with deadlock in the load security account operations
• Copy IAuditable properties from persistent entity to transient in the UserNameResolver, before they were not copied and it leads to auditable entities null values for new objects

• Invalidate user cache after unlocking a user #1348

• Extended the setup wizard with two new steps to force the default credentials for users admin and frontend to be changed. #1342
• Downgraded StackExchange.Redis.StrongName to 1.2.1 to avoid runtime exception when running in Azure #1334 #1305

• Added domain events for all operations in the security system, and moved the account changes log writing to the event handler
• Added migration which increases decimal values precision to five digits after the decimal point (#1338)
• Fixed a bug: the default global value for a setting was not used if it had a setting record without values in the database
• Added Russian localization

• Fixed minor bug with security account updating (the update of the AccountEntity.Member field was skipped)

• Fixed a possible bug with the platform repository deadlock, in the process of security accounts searching
• Extended platform security API with new methods were used by VC storefront identity user manager.

• Updated NuGet dependencies to latest versions #1261
• Added new API for work with assets entries 'api/platform/assetentries` #1308 (#1313 )
• Fixed routing issue #1292
• Added new abstractions for work with domain events (IEventPublisher, DomainEvent, DomainEventHandler)
• Allow unregistering of notification types #1310
• Added possibility to find users by multiple ids. #1315

• UploadFile Swagger attribute made not required
• Fixed uploading to assets root from admin
• Added new EnumerableExtensions.GetOrderIndependentHashCode method

• Fixed bug retrieval of notification template for overridden notification. #1266
• Extended ApplicationUserExtended with new properties from IdentityUser
• Possible fix for error The request was aborted: Could not create SSL/TLS secure channel. caused by this GitHub update https://developer.github.com/changes/2018-02-01-weak-crypto-removal-notice/
• Reveal whether an account exists #1296
• Added supports file upload requests with Content-Type: multipart/form-data in the API Swagger doc, added FileUpload attribute #1297
• Added possibility to see a server errors description on manager UI #1285