reaction

Mailchimp Open Commerce is an API-first, headless commerce platform built using Node.js, React, GraphQL. Deployed via Docker and Kubernetes.

GPL-3.0 License

Downloads
2.2K
Stars
12.3K
Committers
206


reaction - v2.0.0-rc.10

Published by spencern over 5 years ago

v2.0.0-rc.10

This is our tenth release candidate for v2.0.0 of Reaction.
Please check it out and let us know what works and what doesn't for you.

This release is being coordinated with reaction-platform and is designed to work with the same versions of reaction-next-starterkit and reaction-hydra.

Improvements

UI Removal

We have removed several UI components to solidify that in 2.0 the application will only be used as an API and as a UI for shop operators.

Additional PRs will be coming to remove the remaining pieces of the storefront UI bit by bit until only an operator UI is left. (#4947, #4948)

Performance Tweaks

  • We have made a number of performance tweaks to improve performance and initial boot time. We removed the reaction-cli with this update. (#4992)

General

  • We have added the ability for shops to apply surcharges depending on criteria for an order. (#4829)
  • We have added a new Navigation Manager UI for Operator 2.0. (#4936)
  • We have added envalid as a dependency for validating environment variables. (#4983)
  • We changed the GraphiQL URL from localhost:3000/graphiql to localhost:3000/graphql-alpha.

GraphQL

  • We have streamlined the way plugins register functions that can transform media objects for a product. (#4987)
  • We have implemented GraphQL subscriptions support. (#4938)

Custom Data

  • We have added the capability to add a custom data object when placing an order. (#4962)
  • We have added the capability for calculateOrderTaxes to return a custom data object. (#4955)

Custom Plugins

  • We have coalesced the separate env.example files from custom Reaction plugins into one file to reduce tedious integration steps. (#5003)

Breaking Changes

AppEvents

  • We have replaced all Hooks usage with the newer appEvents. This does not break anything within the core and included plugins, however:
    • If you use community or custom plugins that depend on the @reactioncommerce/hooks package, you will need to update them or obtain updated versions that use context.appEvents instead.
    • If you have a plugin that uses MethodHooks, update it to implement those hooks a different way.
    • Review all appEvents consumed and emitted by custom plugins, and update the expected and emitted arguments. See the table. (#4915)

Multiple Payment Support

  • All of the individual placeOrder* GraphQL mutations provided by the built-in payment plugins are removed and replaced with a single placeOrder mutation which supports multiple payments. Any custom payment method plugins will break due to the removal of the createOrder internal mutation. Look at all changes. (#4908)

Surcharges

  • When applying surcharges to certain methods, there is a delay in the update. (#4984)

Updates

  • Refactored inventoryQuantity to inventoryInStock in the Products collection; update your codebase if you use it. (#4930)

Removals

  • There is no longer a storefront catalog grid (#4973)
  • There is no longer a Checkout UI (#4948)
  • There is no longer a Cart UI (#4948)

New Commands

In relation to improving performance, we have added new debugging scripts (#4992) so you can use the Node debugger while developing Reaction:

"inspect": "node --experimental-modules --inspect ./.reaction/run/index.mjs",
"inspect-brk": "node --experimental-modules --inspect-brk ./.reaction/run/index.mjs",
"inspect-docker": "node --experimental-modules --inspect=0.0.0.0:9229 ./.reaction/run/index.mjs",
"inspect-brk-docker": "node --experimental-modules --inspect-brk=0.0.0.0:9229 ./.reaction/run/index.mjs",

Example Usage :

docker-compose run --rm --service-ports reaction yarn run inspect-brk
docker-compose run --rm --service-ports reaction yarn run inspect

New Documents

We have added new documentation!

Feature

  • feat: use .env.example files from custom plugins (#5003)
  • feat: add ordersByAccountId query (#4981)
  • feat: allow plugins to register functions to handle GraphQL transformation of catalog product media items (#4988)
  • feat: support storing custom fields on orders when placing (#4962)
  • feat: shipping Operator into 2.0 (#4967)
  • feat: custom tax data part 2 (#4965)
  • feat: allow tax services to add custom data to taxes (#4955)
  • feat: shipping surcharges (#4829)
  • feat: navigation manager UI (#4936)
  • feat: make Sitemap data available via GraphQL query (#4927)
  • feat: tag management operator UI (#4914)
  • feat: add custom fields to order schema (#4979)
  • feat: update collectionIndex util function to take options (#4950)
  • feat: add envalid package (#4943)
  • feat: GraphQL subscriptions (#4938)
  • feat: create fulfillment surcharges (#4801)

Fixes

  • fix: add tagId check to guard against undefined (#5015)
  • fix: do not emit afterCartUpdate unless surcharges are updated (#5001)
  • fix: properly save all customFields from tax service result (#4986)
  • fix: don't crash when mediaItem.URLs is null (#4982)
  • fix: addAccountAddressBookEntry mutation - set account updatedAt (#4971)
  • fix: taxes not updating reactively in starterkit (#4949)
  • fix: inventory is set to NaN in rare circumstances based on Migrations (#4946)
  • fix: use stripe.setAppInfo to identify ReactionCommerce to Stripe (#4942)
  • fix: tag bulk actions copy (#4941)
  • fix: ENOSPC error with jest --watch (#4939)
  • fix: tag ui bugs (#4933)
  • fix: migration 56 throwing an error (#4934)
  • fix: 404 from invite email link (#4919)

Refactor

  • refactor: update inventoryQuantity field to be inventoryInStock (#4930)
  • refactor: replace all Hooks with appEvents (#4915)
  • refactor: rewrite placeOrder and support multiple payments for an order (#4908)

Chores

  • chore: delete unused files (#4990)
  • chore: wrong version in migration 54 & 55 file (#4940)
  • chore: updated dependencies and snyk policies (#4974)
  • chore: meteor and docker performance tweaks (#4992)
  • chore: storefront catalog grid (#4973)
  • chore: remove the cart UI (#4948)
  • chore: remove the checkout UI (#4947)
  • chore: update to base image 1.8.0.2 to include Kafka binary libs (#4937)

Contributors

Thanks, @rattrayalex-stripe for contributing to this release!

reaction - v2.0.0-rc.9

Published by spencern over 5 years ago

v2.0.0-rc.9

This is our ninth release candidate for v2.0.0 of Reaction. Please check it out and let us know what works and what doesn't for you.

This release is being coordinated with reaction-platform and is designed to work with the same versions of reaction-next-starterkit and reaction-hydra.

Inventory improvements

We've made some updates to the way inventory is tracked, introducing a new inventory field: inventoryAvailableToSell. This field tracks inventory that has been ordered, but has not yet been processed and so is still counted in-stock. This number is what is displayed to customers and determines whether a product is considered "sold out" or not. The old inventory number inventoryQty has been renamed to inventoryInStock and continues to represent the inventory available in stock.

Breaking changes

Inventory

  • Migration 51 has been added to attach inventoryAvailableToSell to all products / variants, to correctly calculate the numbers on parent products / variants, and to publish this data to already published Catalog items.
  • currentQuantity has been marked as deprecated in the cart. This isn't a breaking change at the moment, but lays the path to remove this field and replace it with inventoryAvailableToSell and inventoryInStock in the future.
  • Catalog.getVariantQuantity and ReactionProduct.getVariantQuantity have been removed. Custom plugins using these methods will need to be updated. The same data returned by these methods is now on the object that was being passed into these methods, as the field inventoryQuantity or inventoryAvailableToSell.
  • Moved isBackorder, isLowQuantity, and isSoldOut functions from the catalog plugin to the new inventory plugin. Custom plugins using these methods will need to update their import path.

Features

  • feat: Add flag to enable only IDP routes (#4903)
  • feat: Record plugin versions in DB and show in Shop panel (#4895)
  • feat: Add support for fallback tax service (#4871)
  • feat: Update to Apollo Server 2.0 (#4884)
  • feat(#4848): Return only isVisible Tags, unless admin (#4879)
  • feat: Support remote graphql schemas in plugins (#4870)
  • feat: Support plugins directly registering React components (#4875)

Bugfixes

  • fix: Password reset page not found (#4917)
  • fix: add replace to remove comma from formatting (#4910)
  • fix: add contentForLanguage resolver for nav item content (#4913)
  • fix: Restore CORS for 401s (#4894)
  • fix: Meteor method permissions fixes (#4883)
  • fix: Multi-shop permission fixes (#4872)
  • fix: check permissions for order workflow methods (#4863)

Tests

  • test: Fix sitemaps test timeouts (#4920)

Refactors

  • refactor: updates to inventory counts and statuses (#4859)

reaction - v2.0.0-rc.8

Published by spencern almost 6 years ago

v2.0.0-rc.8

This is our eighth release candidate for v2.0.0 of Reaction. Please check it out and let us know what works and what doesn't for you.

New Bits

Operator 2.0

The core experience and UI for a shop operator using Reaction Commerce has not changed much over the last couple of years. We've been hard at work on the new and improved storefront but until now have not revealed any of our design or plans for improving the updated operator UI.

This release includes the first beta of the new Reaction operator UI. Our focus with this new operator UI has several goals. First, we’re transitioning from a single page storefront and admin experience to a full page admin experience that will be separate from the storefront. We believe this change is necessary and beneficial for anyone operating a store that works with a large number of products and/or does a high volume of orders. This change also decouples the customer facing storefront from the operator UI. The existing UI had a WYSIWYG flavor to it where the product and catalog management was done in an interface that was identical to what the customer saw. There are some benefits to this - having a good perspective of what your customers see when you make a change - but for large catalogs, it's not very practical. In addition, we’ve received feedback that the experience could be confusing for admin users who wanted to concentrate on their admin tasks only. Once decoupled, the operator UI can use 100% of the screen space for store management and operation. The change will be a big benefit to users managing large product catalogs and complex fulfillment patterns.

Right now this new operator UI is opt-in and the existing, drawer style operator experience will continue to function as it has. You can access the new operator UI by visiting /operator.

This UI should have all existing functionality baked in, but we anticipate that there may be some rough edges and from a user experience standpoint it is the first step on a longer path. The first step here has been to replicate existing functionality by moving existing components into the new layout and fixing bugs that we've found. Going forward, we'll be implementing improved UIs for many of the operator tools - Catalog Management, Inventory, Pricing, Order Management, etc.

Please file an issue for any bugs that you find, whether they be weird UI quirks or things that don't work as expected.

.env file

Most services that make up the Reaction platform use a .env file in the root of the service folder to define environment variables that should be set while running. They also have a pre-build script that the reaction-platform tool runs to create or update the .env file from a .env.example file, which is committed. Until now, this project did not use a .env file, so we've added one. See https://github.com/reactioncommerce/reaction/pull/4826 for more details.

Improved Bits

Support for extending GraphQL enums and unions

We've updated GraphQL and GraphQL Tools to new versions and added support for extend enum and extend union. This permits extending the core schema in this way from a plugin. See https://github.com/reactioncommerce/reaction/pull/4798 for more details

Developer performance

When we introduced reaction-platform and began developing in Docker environments, we began to notice high CPU utilization for those of us developing on OSX.

Long story short, this is an issue with filesystem operations in Docker for Mac and there's not much we can do to resolve the core issue. In development mode, we leverage Meteor to watch for file changes. By adjusting the polling interval for the Meteor file watcher, we can greatly reduce the issues introduced by Docker for Mac. We've set two environment variables in the example .env file, .env.example (https://github.com/reactioncommerce/reaction/pull/4826), as follows. If these don't work for you, I'd start by adjusting the polling interval to something higher - 20000 (20s) or 30000 (30s). If you're working directly on the core reaction project, this may increase how long it takes before a change you've made is recognized and rebuilt, but that may be a small price to pay to reduce CPU burn by hyperkit. There shouldn't be any other consequences to increasing this number.

  METEOR_DISABLE_OPTIMISTIC_CACHING=1
  METEOR_WATCH_POLLING_INTERVAL_MS=10000

Breaking changes

This release contains a number of breaking changes that we've been working to get into Reaction before we cut the final 2.0.0 release. If you're planning to update an existing shop, please read through this list.

Catalog

Meteor Methods

  • Payment plugins that use Meteor methods for capture and refund will not be compatible with this PR. This is intentional as we're migrating toward GraphQL and away from Meteor Methods for client-server interaction. Custom payment methods will need to be rewritten to follow the pattern in #4803. (https://github.com/reactioncommerce/reaction/pull/4803)
  • If a custom plugin uses any of these methods, it will need to be updated. (https://github.com/reactioncommerce/reaction/pull/4815)
    • shop/getBaseLanguage
    • shop/getCurrencyRates
    • shop/getWorkflow
    • getTemplateByName
    • orders/addOrderEmail
    • taxes/updateTaxCode
    • workflow/coreOrderWorkflow/coreOrderProcessing
    • workflow/coreOrderWorkflow/coreOrderCompleted
  • Custom code relying on being able to call the "accounts/sendWelcomeEmail" Meteor method will break. Calls from client code must be removed. Calls from server code should be updated to import and call the util function. (https://github.com/reactioncommerce/reaction/pull/4867)

Taxes

  • We've created a new taxes-rates plugin in the included folder, and all features related to custom rates have been moved there. This includes the "Custom Rates" panel in tax settings; the Taxes collection and its related schemas; the "taxes/addRate", "taxes/editRate", and "taxes/deleteRate" Meteor methods, and the "Taxes" Meteor publication.
  • The core taxes plugin has a new API for registering tax services (such as the included "Custom Rates" service, or a custom Avalara service for example). They are registered by passing in a taxServices array to registerPackage (example and details in #4785)
  • Some tax-related fields on Cart, CartItem, Order, OrderFulfillmentGroup, and OrderItem have been moved, renamed, added, or removed. We've attempted to remove all unused fields, and group or rename other fields for clarity. One example is the taxes array, which now has a different schema and appears for individual items as well as the full cart or order fulfillment group.
  • On Products documents, taxable is now isTaxable. This change had previously been made in the Catalog schema and now is made in Products to match.
  • For the Custom Rates plugin, be aware that the taxCode value is now used for filtering which products should be taxed at that rate. This requires a review of all your products to ensure that they have a tax code specified, in addition to being marked as taxable. If you'd rather not do this review, you can revert to the old behavior of ignoring tax codes by editing each of your Custom Rates entries, clearing the "Tax Code" field, and saving.
  • If you are upgrading from 1.x and use only Custom Rates for taxes, data migrations should provide a seamless transition. Most tax changes are breaking only for third-party non-included tax plugins. However, please verify after upgrading that the correct tax service is active.

Address Validation

Breaking changes to how address validation works. Affects all plugins that provide address validation and all clients that validate addresses. (https://github.com/reactioncommerce/reaction/pull/4767)

Configuration

  • Propel was updated and any propel scripts must be updated. (https://github.com/reactioncommerce/reaction/pull/4802)
  • If you run Reaction locally, such as for development, you will now need to be sure there is a .env file with correct environment variables set in it. The .env.example file, with no changes, should work for most people. When running with reaction-platform, this should happen automatically. But if you've already been developing locally and you pull in this change, you'll need to run bin/setup once. You can also run bin/setup anytime you pull in the future, to add any new ENV variables. (https://github.com/reactioncommerce/reaction/pull/4826)
  • Docker network streams.reaction.localhost must be created, which developers can do by pulling down the latest reaction-platform and running make (or make network-create if they want to be surgical about it). (https://github.com/reactioncommerce/reaction/pull/4805)

Meteor Plugins

Features

  • feat: Navigation Backend (#4683)
  • feat: shipping method restrictions (#4821)
  • feat: Update main Reaction app to use .env file (#4826)
  • feat(tag): add Display Title to Tag (#4856)
  • feat: Operator 2.0 first draft (#4800)
  • feat: Deploy feature branches to ECS (#4834)
  • feat: Add Order.referenceId (#4827)
  • feat: Use no-meteor functions for payment capture and refund methods (#4803)
  • feat: Remove unused meteor methods (#4815)
  • feat: Put mongo on the streams network (#4805)
  • feat: Update graphql packages to support extend enum and extend union (#4798)
  • feat: Improve tax API, split out Custom Rates plugin (#4785)
  • feat: Address validation GraphQL (#4767)
  • feat: add isBackorder data to variants (#4855)

Fixes

  • fix: Migrate existing tag nav to new navigation tree structure (#4882)
  • fix: primaryShopId query fallback (#4862)
  • fix: permission issues with Meteor methods for Accounts plugin (#4867)
  • fix: Add migration file for plugin route name change (#4858)
  • fix: CartCleanupJob (#4799)
  • fix: 404 on Hydra Oauth page (#4835)
  • fix: Jest integration tests (#4824)
  • fix: ECS deployments (#4836)
  • fix: ECS deployment: move TLS certificate ARN from propel.yaml to ENV vars (#4802)
  • fix: catalog variant inventory flags always false (#4742, resolves #4741)
  • fix: tax calculation arguments, other tax fixes (#4811)

Refactor

  • refactor: shipping rules (#4789)

Performance

  • perf: Add a mongodb index on Catalog.updatedAt (#4819)

Chores

  • chore: use ci env var for staging url (#4885)
  • chore: e2e integration for release branches (#4878)
  • chore: Configure prettier arrowParens to match our eslint rules (#4876)
  • chore: Add node_modules/.bin to PATH in docker (#4820)
  • chore: remove unused dispatch:run-as-user package (#4825)

Contributors

Thanks to @willmoss1000 for contributing to this release! 🎉

reaction - v2.0.0-rc.7

Published by spencern almost 6 years ago

v2.0.0-rc.7

Security Release

This security release addresses two potential vulnerabilities:

  1. We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured. More details on this issue below.

  2. Remove dependency on event-stream

Event Stream Dependency Removal

This fix removes a dependency on event-stream, introduced by nodemon via pstree, by bumping nodemon (and pstree.remy through nodemon) to a version that does not include pstree.

event-stream had malicious code added in version 3.3.6, which has since been removed from GitHub and appears to have specifically targeted copay.

From the original post in the event-stream repo:

Am I affected?:
If you are using anything crypto-currency related, then maybe. As discovered by @maths22, the target seems to have been identified as copay related libraries. It only executes successfully when a matching package is in use (assumed to be copay at this point). If you are using a crypto-currency related library and if you see [email protected] after running npm ls event-stream flatmap-stream, you are most likely affected. For example:

   $ npm ls event-stream flatmap-stream
   ...
   [email protected]
   ...

What does it do:
Other users have done some good analysis of what these payloads actually do.
https://github.com/dominictarr/event-stream/issues/116#issuecomment-441759047
https://github.com/dominictarr/event-stream/issues/116#issuecomment-441746370
https://github.com/dominictarr/event-stream/issues/116#issuecomment-441749105

What can I do:
By this time fixes are being deployed and npm has yanked the malicious version. Ensure that the developer(s) of the package you are using are aware of this post. If you are a developer update your event-stream dependency to [email protected]. This protects people with cached versions of event-stream.

Snyk has a great writeup about this issue in their blog: https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream.

See the issue on the event-stream repo for more information: https://github.com/dominictarr/event-stream/issues/116

Reaction Social Issue Overview

This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social and it’s unclear why the form for it was added to the application originally. It was introduced by a community contribution when the Reaction Social plugin was originally created. The App Secret should be removed from the Reaction Social panel. This will not have an impact on the use of Facebook OAuth login, which is set separately in the login services dashboard. If the same secret was used, it should be reset and a new token should be used for OAuth login via Facebook.

Vulnerability

Patches

Patches are attached to this release.

Patches will download as a .zip file named: reaction-security-patches-2018-11-19-security-social-plugin.zip which contains the following patch files once uncompressed. These files have the versions they are applicable for in the name of the file.

Patch files for removing the UI dependent on software version
fb-app-secret-ui-{version-number}-2018-11-19.patch

Version specific migration patch file for removing the appSecret from the database
fb-app-secret-migration-{version-number}-2018-11-19.patch

Recommendations

Option 1: Install patched version of Reaction Commerce

If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.

Invalidate Existing Secrets

If you had a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.

Generate New Secrets

If you used this App Secret in any other applications or for Facebook OAuth login within Reaction Commerce, you should generate and use new secrets to continue to provide services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.

reaction - v1.17.1

Published by spencern almost 6 years ago

v1.17.1

Security Release

This security release addresses two potential vulnerabilities:

  1. We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured. More details on this issue below.

  2. Remove dependency on event-stream

Event Stream Dependency Removal

This fix removes a dependency on event-stream, introduced by nodemon via pstree, by bumping nodemon (and pstree.remy through nodemon) to a version that does not include pstree.

event-stream had malicious code added in version 3.3.6, which has since been removed from GitHub and appears to have specifically targeted copay.

From the original post in the event-stream repo:

Am I affected?:
If you are using anything crypto-currency related, then maybe. As discovered by @maths22, the target seems to have been identified as copay related libraries. It only executes successfully when a matching package is in use (assumed to be copay at this point). If you are using a crypto-currency related library and if you see [email protected] after running npm ls event-stream flatmap-stream, you are most likely affected. For example:

   $ npm ls event-stream flatmap-stream
   ...
   [email protected]
   ...

What does it do:
Other users have done some good analysis of what these payloads actually do.
https://github.com/dominictarr/event-stream/issues/116#issuecomment-441759047
https://github.com/dominictarr/event-stream/issues/116#issuecomment-441746370
https://github.com/dominictarr/event-stream/issues/116#issuecomment-441749105

What can I do:
By this time fixes are being deployed and npm has yanked the malicious version. Ensure that the developer(s) of the package you are using are aware of this post. If you are a developer update your event-stream dependency to [email protected]. This protects people with cached versions of event-stream.

See the issue on the event-stream repo for more information: https://github.com/dominictarr/event-stream/issues/116

Reaction Social Issue Overview

This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social and it’s unclear why the form for it was added to the application originally. It was introduced by a community contribution when the Reaction Social plugin was originally created. The App Secret should be removed from the Reaction Social panel. This will not have an impact on the use of Facebook OAuth login, which is set separately in the login services dashboard. If the same secret was used, it should be reset and a new token should be used for OAuth login via Facebook.

Vulnerability

Patches

Patches are attached to this release.

Patches will download as a .zip file named: reaction-security-patches-2018-11-19-security-social-plugin.zip which contains the following patch files once uncompressed. These files have the versions they are applicable for in the name of the file.

Two patch files for removing the UI dependent on software version
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch
Version specific migration patch file for removing the appSecret from the database
fb-app-secret-migration-v2.0.0-rc.6-2018-11-19.patch
fb-app-secret-migration-v1.17.0-2018-11-19.patch
fb-app-secret-migration-v1.16.0-2018-11-19.patch
fb-app-secret-migration-v1.15.0-2018-11-19.patch
fb-app-secret-migration-v1.14.0-2018-11-19.patch
fb-app-secret-migration-v1.13.0-2018-11-19.patch
fb-app-secret-migration-v1.12.0-2018-11-19.patch
fb-app-secret-migration-v1.11.0-2018-11-19.patch
fb-app-secret-migration-v1.10.0-2018-11-19.patch

Recommendations

Option 1: Install patched version of Reaction Commerce

If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.

Option 2: Patch it yourself

Remove Facebook App Secret from social plugin settings

Check the social settings operator panel. It can be accessed by clicking an icon (the "share-alt" icon) towards the bottom of the operator sidebar on the right of the screen.

Inside of the social settings panel, you will see the settings page for Facebook - if you have an “App Secret” configured in this section, remove it.

If you prefer to do this with a migration, you can use the fb-app-secret-migration-v1.{your-version}.x-2018-11-19.patch migration patch that is appropriate for your version of Reaction. If you’re using an older version of Reaction and want to use a migration to unset the app secret, please contact [email protected] if you need assistance patching your version.

Patch Reaction Commerce

Apply patches to your version of Reaction Commerce. There are different patches for different versions of Reaction Commerce. These patches will remove the UI that permitted shop operators to add the Facebook App Secret to the social plugin panel.

v1.14.0 - latest
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch

v0.14.0 - v1.13.2
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch

If you’re running a production shop on a version older than v0.14.0, please contact [email protected] for assistance in determining if patching the operator panel is necessary for your version.

Invalidate Existing Secrets

If you found a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.

Generate New Secrets

If you used this App Secret in any other applications or for Facebook OAuth login, you should generate and use new secrets to continue to provide services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.

reaction - v1.16.3

Published by spencern almost 6 years ago

v1.16.3

Security Release

We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured.

Overview

This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social and it’s unclear why the form for it was added to the application originally. It was introduced by a community contribution when the Reaction Social plugin was originally created. The App Secret should be removed from the Reaction Social panel. This will not have an impact on the use of Facebook OAuth login, which is set separately in the login services dashboard. If the same secret was used, it should be reset and a new token should be used for OAuth login via Facebook.

Vulnerability

Patches

Patches are attached to this release.

Patches will download as a .zip file named: reaction-security-patches-2018-11-19-security-social-plugin.zip which contains the following patch files once uncompressed. These files have the versions they are applicable for in the name of the file.

Two patch files for removing the UI dependent on software version
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch
Version specific migration patch file for removing the appSecret from the database
fb-app-secret-migration-v2.0.0-rc.6-2018-11-19.patch
fb-app-secret-migration-v1.17.0-2018-11-19.patch
fb-app-secret-migration-v1.16.0-2018-11-19.patch
fb-app-secret-migration-v1.15.0-2018-11-19.patch
fb-app-secret-migration-v1.14.0-2018-11-19.patch
fb-app-secret-migration-v1.13.0-2018-11-19.patch
fb-app-secret-migration-v1.12.0-2018-11-19.patch
fb-app-secret-migration-v1.11.0-2018-11-19.patch
fb-app-secret-migration-v1.10.0-2018-11-19.patch

Recommendations

Option 1: Install patched version of Reaction Commerce

If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.

Option 2: Patch it yourself

Remove Facebook App Secret from social plugin settings

Check the social settings operator panel. It can be accessed by clicking the "share-alt" icon towards the bottom of the operator sidebar on the right of the screen.

Inside of the social settings panel, you will see the settings page for Facebook - if you have an “App Secret” configured in this section, remove it.

If you prefer to do this with a migration, you can use the fb-app-secret-migration-v1.{your-version}.x-2018-11-19.patch migration patch that is appropriate for your version of Reaction. If you’re using an older version of Reaction and want to use a migration to unset the app secret, please contact [email protected] if you need assistance patching your version.

Patch Reaction Commerce

Apply the patch that matches your version of Reaction Commerce. These patches remove the UI that permitted shop operators to add the Facebook App Secret to the social plugin panel.

v1.14.0 - latest
  • fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch

v0.14.0 - v1.13.2
  • fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch

If you’re running a production shop on a version older than v0.14.0, please contact [email protected] for assistance in determining if patching the operator panel is necessary for your version.

Invalidate Existing Secrets

If you found a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.

Generate New Secrets

If you used this App Secret in any other applications or for Facebook OAuth login, you should generate and use new secrets to continue to provide services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.
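The migration step above (unsetting the stored appSecret) together with an audit of which shops still hold a configured secret, as an added example that is not part of this advisory or the Reaction code base. It models the Mongo `$unset` on constructed documents so it runs offline; the package name `reaction-social` and the settings path `settings.public.apps.facebook.appSecret` are assumptions, not values taken from the page.

```javascript
// Added example; not code from the Reaction Commerce project or this advisory.
// Assumptions (not stated on the page): the social plugin's settings live in a
// Packages document named "reaction-social", and the Facebook App Secret sits
// at settings.public.apps.facebook.appSecret.
const SOCIAL_PACKAGE_NAME = "reaction-social"; // assumed package name
const APP_SECRET_PATH = "settings.public.apps.facebook.appSecret"; // assumed path

// Constructed sample Packages documents (values are placeholders, not real secrets).
const SAMPLE_PACKAGES = [
  {
    _id: "pkgSocialShop1",
    name: "reaction-social",
    shopId: "shop1",
    settings: {
      public: {
        apps: {
          facebook: { enabled: true, appId: "000000000000", appSecret: "PLACEHOLDER-SECRET" },
          twitter: { enabled: false, username: "" },
        },
      },
    },
  },
  {
    // Second shop whose operator never filled in the field: nothing to rotate,
    // but the migration should still remove the key.
    _id: "pkgSocialShop2",
    name: "reaction-social",
    shopId: "shop2",
    settings: { public: { apps: { facebook: { enabled: false, appId: "", appSecret: "" } } } },
  },
  {
    // Unrelated package; out of scope for this migration even with a similar key.
    _id: "pkgOther",
    name: "some-other-plugin",
    shopId: "shop1",
    settings: { public: { appSecret: "PLACEHOLDER-OTHER" } },
  },
];

// Walk doc.settings and return the dotted path of every non-empty appSecret.
// Walking instead of reading one fixed path catches a secret stored under an
// unexpected layout in an older or customised install.
function findConfiguredSecretPaths(doc) {
  const found = [];
  const walk = (node, prefix) => {
    if (node === null || typeof node !== "object" || Array.isArray(node)) return;
    for (const [key, value] of Object.entries(node)) {
      const path = `${prefix}.${key}`;
      if (key === "appSecret") {
        if (typeof value === "string" && value.trim() !== "") found.push(path);
      } else {
        walk(value, path);
      }
    }
  };
  walk(doc.settings, "settings");
  return found;
}

// Build the MongoDB update that removes the secret field(s). The canonical path
// is always included so the key disappears even when it holds an empty string.
function buildUnsetUpdate(paths) {
  const unset = {};
  for (const p of new Set([APP_SECRET_PATH, ...paths])) unset[p] = "";
  return { $unset: unset };
}

// Apply a {$unset} spec to a copy of the document, mirroring the server's behaviour.
function applyUnset(doc, update) {
  const copy = JSON.parse(JSON.stringify(doc));
  for (const path of Object.keys(update.$unset)) {
    const parts = path.split(".");
    const last = parts.pop();
    let node = copy;
    for (const p of parts) {
      node = node !== null && typeof node === "object" ? node[p] : undefined;
      if (node === undefined) break;
    }
    if (node !== null && typeof node === "object") delete node[last];
  }
  return copy;
}

// Audit every reaction-social package document: which shops hold a configured
// secret (those need invalidation at Facebook and rotation) and the update each
// document needs regardless.
function auditSocialPackages(docs) {
  return docs
    .filter((d) => d.name === SOCIAL_PACKAGE_NAME)
    .map((d) => {
      const configured = findConfiguredSecretPaths(d);
      return {
        _id: d._id,
        shopId: d.shopId,
        needsRotation: configured.length > 0,
        configuredSecretPaths: configured,
        update: buildUnsetUpdate(configured),
      };
    });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditSocialPackages(SAMPLE_PACKAGES)) {
    console.log(`${r.shopId} needsRotation=${r.needsRotation} update=${JSON.stringify(r.update)}`);
  }
}
```

Against a live database the returned `update` for each `_id` would be passed to `updateOne`, and every shop reported with `needsRotation: true` still needs the secret invalidated at Facebook, since removing it from the database does not revoke it.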

reaction - v1.15.2

Published by spencern almost 6 years ago

v1.15.2

Security Release

We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured.

reaction - v1.14.3

Published by spencern almost 6 years ago

v1.14.3

Security Release

We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured.

reaction - v1.13.3

Published by spencern almost 6 years ago

v1.13.3

Security Release

We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured.

reaction - v1.12.3

Published by spencern almost 6 years ago

v1.12.3

Security Release

We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured.

reaction - v1.11.2

Published by spencern almost 6 years ago

v1.11.2

Security Release

We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured.

reaction - v1.10.2

Published by spencern almost 6 years ago

v1.10.2

Security Release

We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured.

reaction - v1.17.0

Published by spencern almost 6 years ago

v1.17.0

This release contains mostly bug fixes, many of which are focused on Marketplace implementations. Thanks to @pmn4 for contributing many of the marketplace fixes and additions.

There's also a little bit of cleanup of unused code in this release. This will likely be our last release on the 1.x line as our new work is focused on our 2.x version.

Features

  • feat: Prioritize Primary when multiple Shops match domain (#3528)

Fixes

  • fix: custom tax rates not applied (#4806)
  • fix: console error tag name error pdp .. Resolves #4776 (#4790)
  • fix: email settings update on cancel (#4792)
  • fix: update detailView when its data changes (#4791)
  • fix: submitting the template edit form now works .. Resolves #4774 (#4780)
  • fix: edit groups panel (#4771)
  • fix: add translated text for adding user to group by admin (#4562)
  • fix: Hide Action View if Product Settings panel open (#4433)
  • fix: Import getSlug instead of using this.getSlug (#4547)
  • fix: Product Visibility for Marketplace Shops (#4425)
  • fix: cart item attributes (#4607)
  • fix: startup error before primary shop is created on initial startup (#4602)
  • fix: avoid infinite looping when taxes are enabled (11e95ba) .. Resolves #4620
  • fix: limit jest maxWorkers to 4 to improve CI perf (cd76a50)

Refactors

  • refactor: Remove unused schemas (#4566)

Chores

  • chore: Rename the reaction-api Docker network (#4613)
  • chore: Use new CLI tool "propel" to deploy services to ECS (#4623)

Contributors

Thanks to @pmn4, @nadaa, and @janus-reith for contributing to this release! 🎉

reaction - v2.0.0-rc.6

Published by spencern almost 6 years ago

v2.0.0-rc.6

This is our sixth release candidate for v2.0.0 of Reaction. Please check it out and let us know what works and what doesn't for you.

Meteor 1.8 Final

We've been using a release candidate of Meteor 1.8 in all of our 2.0 release candidates to this point - this has also included release candidate versions of Babel 7. In this release we're updating to the final version of Meteor 1.8 and Babel 7.

There are a lot of great updates included in Meteor 1.8, and you can read all about them on the Meteor blog. The one we'll notice the most is the significant improvement to build performance. We've been focused on improving the performance and developer experience with Reaction for a while now, and this update makes significant progress on developer experience and build times. Anyone who's been using Reaction for a while should notice big improvements in the time it takes for the app to rebuild after making changes.

We're still working with Node.js 8.11.4, as the upgrade to Node 8.12.0 was postponed to the Meteor 1.8.1 release. If you're itching to try it, you can run meteor update --release 1.8.1-beta.n from the directory where you have the core reaction project installed. There may be some additional speed improvements related to Meteor's use of Fibers in that version.

We've also updated our base Docker image to use Meteor 1.8 (#4760).

Email Sending

We've extracted the core email sending functionality into a new reaction-email-smtp plugin, which is included, and created a new sendEmail event that is emitted for each email job. The core SMTP email plugin now listens for these events and sends an email if an SMTP provider is configured. This makes it possible to write plugins that send emails via an API rather than via SMTP.

The email provider config form found at Dashboard -> Emails -> Mail Provider can now also be overridden. Plugins can use register.js to provide a React component to use there.

GraphQL API

Added a primaryShop GraphQL query & resolver, eliminating the need to first query for the primary shop ID, followed by another query for shop by ID.

Breaking Changes

In #4749 we changed the names of our included payment method plugins. We've included a migration to automatically update any existing installation, but if you have custom code that relies on these payment method names you may need to make some changes.

Fixes

  • fix: keep toggles shown, width 100% in action view (#4772)
  • fix: Use babel.config.js to fix Jest tests in custom plugins with package.json (#4782)

Features

  • feat: decouple SMTP email sending logic from core to allow plugins to override (#4740)
  • feat: Add a CORS-enabled endpoint for token refresh in Hydra plugin (#4743)
  • feat: GraphQL query & resolver for loading the primary shop (#4747)
  • feat: update to Meteor 1.8 final (#4753)
  • feat: update to base image 1.8 (#4760)
  • feat: client ui payment methods (#4749) .. Resolves #4719
  • feat: added migration for adding available payment methods to shops. (#4729)
  • feat: use GraphQL for payment methods operator ui (#4749) .. Resolves #4719

Migrations

  • chore: added migration for adding available payment methods to shops. (#4729)

Chores

We've been ignoring some of our integration tests because the in-memory MongoDB they rely on has not been working reliably. Previously we did this by skipping the entire test:integration suite in CI; we're now skipping only the tests that fail due to this database incompatibility, and we plan to address this soon.

  • chore: Skip failing integration tests (#4751)
  • chore: Deploy release branches to staging ECS environment (#4758)

reaction - v1.16.2

Published by spencern almost 6 years ago

v1.16.2

We discovered vulnerabilities that affect shops built on Reaction Commerce that use third-party oAuth services or SMS services.

On Sunday, 2018-10-28, we received a security vulnerability report from a member of the Reaction Commerce community. This report outlined an attack vector for an unauthenticated user to access secrets related to oAuth service providers and SMS messaging providers and to access certain routes intended for operators only.

Today, we are releasing a fix for these vulnerabilities. We are releasing this patch version independently for all minor versions of Reaction Commerce released since v1.10 so that you can upgrade with minimal friction. If you are using a version of Reaction Commerce prior to v1.10.0 for which we have not released a patch version, please contact [email protected] for patch files for your version.

Vulnerabilities

What you should do

1. Patch Reaction Commerce

We have prepared a patch release with a fix for every affected minor version since v1.10.0.

v2.0.x

Pull latest from release branch release-2.0.0-rc.6

v1.17.x

Pull latest from release branch release-1.17.0

v1.16.x

Install version v1.16.1

v1.15.x

Install version v1.15.1

v1.14.x

Install version v1.14.2

v1.13.x

Install version v1.13.2

v1.12.x

Install version v1.12.2

v1.11.x

Install version v1.11.1

v1.10.x

Install version v1.10.1

Older than v1.10.x

Please contact [email protected] for patch files for your version.

2. Invalidate Existing Secrets

For any SMS or OAuth provider used by an affected version of Reaction Commerce, you should invalidate any existing secrets immediately.

3. Generate New Secrets

To continue using SMS or OAuth providers through Reaction Commerce, generate new secrets and use them so that login and notification services for your customers keep working.

If you have any questions about this advisory or about the patches, please contact us at: [email protected].
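The class of bug this advisory describes (a provider-configuration record, secrets included, readable without authentication, and operator-only routes reachable without an operator check) and the shape of the fix, as an added Node.js example that is not Reaction's code: the in-memory store, the `admin` role name and the session object are constructed for the example.

```javascript
"use strict";

// Constructed sample store; the secret values are placeholders, not real credentials.
const serviceConfigs = [
  { service: "github", clientId: "gh-client-id", secret: "PLACEHOLDER_GITHUB_SECRET", enabled: true },
  { service: "twilio", accountSid: "AC_PLACEHOLDER", authToken: "PLACEHOLDER_TWILIO_TOKEN", enabled: true },
];

// Fields any client may see. A whitelist: a new secret field added later is hidden by
// default, whereas a blacklist of known secret names silently leaks it.
const PUBLIC_FIELDS = new Set(["service", "clientId", "enabled"]);

// Vulnerable shape: hands the full documents, secrets included, to whoever asks.
function serviceConfigsLeaky() {
  return serviceConfigs;
}

// Hardened shape: project every record down to the whitelisted fields before it leaves
// the server, so the client never receives a secret it then has to "hide".
function serviceConfigsPublic() {
  return serviceConfigs.map((doc) =>
    Object.fromEntries(Object.entries(doc).filter(([key]) => PUBLIC_FIELDS.has(key)))
  );
}

// Operator-only handler: the role check runs before the record is touched, and a missing
// session (unauthenticated caller) is denied the same way as a non-operator one.
// `user` is the constructed session object { roles: [...] } assumed for this example.
function serviceConfigsForOperator(user) {
  const roles = user && Array.isArray(user.roles) ? user.roles : [];
  if (!roles.includes("admin")) {
    throw new Error("forbidden: operator role required");
  }
  return serviceConfigs;
}

// Regression check for the public projection: true if any stored secret value appears
// anywhere in the serialized output, regardless of the field name it travelled under.
function exposesSecret(output) {
  const secrets = serviceConfigs.flatMap((doc) => [doc.secret, doc.authToken].filter(Boolean));
  const text = JSON.stringify(output);
  return secrets.some((value) => text.includes(value));
}
```

Run `exposesSecret(serviceConfigsPublic())` in the test suite for every endpoint that serializes provider settings; it is the assertion that would have flagged this class of leak before release.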

reaction - v1.16.1

Published by spencern almost 6 years ago

v1.16.1

We discovered vulnerabilities that affect shops built on Reaction Commerce that use third-party OAuth services or SMS services.

On Sunday, 2018-10-28, we received a security vulnerability report from a member of the Reaction Commerce community. This report outlined an attack vector for an unauthenticated user to access secrets related to OAuth service providers and SMS messaging providers and to access certain routes intended for operators only.

Today, we are releasing a fix for these vulnerabilities. We are releasing this patch version independently for all minor versions of Reaction Commerce released since v1.10 so that you can upgrade with minimal friction. If you are using a version of Reaction Commerce prior to v1.10.0 for which we have not released a patch version, please contact [email protected] for patch files for your version.

Vulnerabilities

What you should do

1. Patch Reaction Commerce

We have prepared a patch release with a fix for every affected minor version since v1.10.0.

v2.0.x

Pull latest from release branch release-2.0.0-rc.6

v1.17.x

Pull latest from release branch release-1.17.0

v1.16.x

Install version v1.16.1

v1.15.x

Install version v1.15.1

v1.14.x

Install version v1.14.2

v1.13.x

Install version v1.13.2

v1.12.x

Install version v1.12.2

v1.11.x

Install version v1.11.1

v1.10.x

Install version v1.10.1

Older than v1.10.x

Please contact [email protected] for patch files for your version.

2. Invalidate Existing Secrets

For any SMS or OAuth provider used by an affected version of Reaction Commerce, you should invalidate any existing secrets immediately.

3. Generate New Secrets

To continue using SMS or OAuth providers through Reaction Commerce, generate new secrets and use them so that login and notification services for your customers keep working.

If you have any questions about this advisory or about the patches, please contact us at: [email protected].

reaction - v1.15.1

Published by spencern almost 6 years ago

v1.15.1

We discovered vulnerabilities that affect shops built on Reaction Commerce that use third-party OAuth services or SMS services.

On Sunday, 2018-10-28, we received a security vulnerability report from a member of the Reaction Commerce community. This report outlined an attack vector for an unauthenticated user to access secrets related to OAuth service providers and SMS messaging providers and to access certain routes intended for operators only.

Today, we are releasing a fix for these vulnerabilities. We are releasing this patch version independently for all minor versions of Reaction Commerce released since v1.10 so that you can upgrade with minimal friction. If you are using a version of Reaction Commerce prior to v1.10.0 for which we have not released a patch version, please contact [email protected] for patch files for your version.

Vulnerabilities

What you should do

1. Patch Reaction Commerce

We have prepared a patch release with a fix for every affected minor version since v1.10.0.

v2.0.x

Pull latest from release branch release-2.0.0-rc.6

v1.17.x

Pull latest from release branch release-1.17.0

v1.16.x

Install version v1.16.1

v1.15.x

Install version v1.15.1

v1.14.x

Install version v1.14.2

v1.13.x

Install version v1.13.2

v1.12.x

Install version v1.12.2

v1.11.x

Install version v1.11.1

v1.10.x

Install version v1.10.1

Older than v1.10.x

Please contact [email protected] for patch files for your version.

2. Invalidate Existing Secrets

For any SMS or OAuth provider used by an affected version of Reaction Commerce, you should invalidate any existing secrets immediately.

3. Generate New Secrets

To continue using SMS or OAuth providers through Reaction Commerce, generate new secrets and use them so that login and notification services for your customers keep working.

If you have any questions about this advisory or about the patches, please contact us at: [email protected].

reaction - v1.14.2

Published by spencern almost 6 years ago

v1.14.2

We discovered vulnerabilities that affect shops built on Reaction Commerce that use third-party OAuth services or SMS services.

On Sunday, 2018-10-28, we received a security vulnerability report from a member of the Reaction Commerce community. This report outlined an attack vector for an unauthenticated user to access secrets related to OAuth service providers and SMS messaging providers and to access certain routes intended for operators only.

Today, we are releasing a fix for these vulnerabilities. We are releasing this patch version independently for all minor versions of Reaction Commerce released since v1.10 so that you can upgrade with minimal friction. If you are using a version of Reaction Commerce prior to v1.10.0 for which we have not released a patch version, please contact [email protected] for patch files for your version.

Vulnerabilities

What you should do

1. Patch Reaction Commerce

We have prepared a patch release with a fix for every affected minor version since v1.10.0.

v2.0.x

Pull latest from release branch release-2.0.0-rc.6

v1.17.x

Pull latest from release branch release-1.17.0

v1.16.x

Install version v1.16.1

v1.15.x

Install version v1.15.1

v1.14.x

Install version v1.14.2

v1.13.x

Install version v1.13.2

v1.12.x

Install version v1.12.2

v1.11.x

Install version v1.11.1

v1.10.x

Install version v1.10.1

Older than v1.10.x

Please contact [email protected] for patch files for your version.

2. Invalidate Existing Secrets

For any SMS or OAuth provider used by an affected version of Reaction Commerce, you should invalidate any existing secrets immediately.

3. Generate New Secrets

To continue using SMS or OAuth providers through Reaction Commerce, generate new secrets and use them so that login and notification services for your customers keep working.

If you have any questions about this advisory or about the patches, please contact us at: [email protected].

reaction - v1.13.2

Published by spencern almost 6 years ago

v1.13.2

We discovered vulnerabilities that affect shops built on Reaction Commerce that use third-party OAuth services or SMS services.

On Sunday, 2018-10-28, we received a security vulnerability report from a member of the Reaction Commerce community. This report outlined an attack vector for an unauthenticated user to access secrets related to OAuth service providers and SMS messaging providers and to access certain routes intended for operators only.

Today, we are releasing a fix for these vulnerabilities. We are releasing this patch version independently for all minor versions of Reaction Commerce released since v1.10 so that you can upgrade with minimal friction. If you are using a version of Reaction Commerce prior to v1.10.0 for which we have not released a patch version, please contact [email protected] for patch files for your version.

Vulnerabilities

What you should do

1. Patch Reaction Commerce

We have prepared a patch release with a fix for every affected minor version since v1.10.0.

v2.0.x

Pull latest from release branch release-2.0.0-rc.6

v1.17.x

Pull latest from release branch release-1.17.0

v1.16.x

Install version v1.16.1

v1.15.x

Install version v1.15.1

v1.14.x

Install version v1.14.2

v1.13.x

Install version v1.13.2

v1.12.x

Install version v1.12.2

v1.11.x

Install version v1.11.1

v1.10.x

Install version v1.10.1

Older than v1.10.x

Please contact [email protected] for patch files for your version.

2. Invalidate Existing Secrets

For any SMS or OAuth provider used by an affected version of Reaction Commerce, you should invalidate any existing secrets immediately.

3. Generate New Secrets

To continue using SMS or OAuth providers through Reaction Commerce, generate new secrets and use them so that login and notification services for your customers keep working.

If you have any questions about this advisory or about the patches, please contact us at: [email protected].

reaction - v1.12.2

Published by spencern almost 6 years ago

v1.12.2

We discovered vulnerabilities that affect shops built on Reaction Commerce that use third-party OAuth services or SMS services.

On Sunday, 2018-10-28, we received a security vulnerability report from a member of the Reaction Commerce community. This report outlined an attack vector for an unauthenticated user to access secrets related to OAuth service providers and SMS messaging providers and to access certain routes intended for operators only.

Today, we are releasing a fix for these vulnerabilities. We are releasing this patch version independently for all minor versions of Reaction Commerce released since v1.10 so that you can upgrade with minimal friction. If you are using a version of Reaction Commerce prior to v1.10.0 for which we have not released a patch version, please contact [email protected] for patch files for your version.

Vulnerabilities

What you should do

1. Patch Reaction Commerce

We have prepared a patch release with a fix for every affected minor version since v1.10.0.

v2.0.x

Pull latest from release branch release-2.0.0-rc.6

v1.17.x

Pull latest from release branch release-1.17.0

v1.16.x

Install version v1.16.1

v1.15.x

Install version v1.15.1

v1.14.x

Install version v1.14.2

v1.13.x

Install version v1.13.2

v1.12.x

Install version v1.12.2

v1.11.x

Install version v1.11.1

v1.10.x

Install version v1.10.1

Older than v1.10.x

Please contact [email protected] for patch files for your version.

2. Invalidate Existing Secrets

For any SMS or OAuth provider used by an affected version of Reaction Commerce, you should invalidate any existing secrets immediately.

3. Generate New Secrets

To continue using SMS or OAuth providers through Reaction Commerce, generate new secrets and use them so that login and notification services for your customers keep working.

If you have any questions about this advisory or about the patches, please contact us at: [email protected].