v0.12.1

Changes since v0.12.0

ENX Redirector

• NOTE: ENX Apps configured for Android for Android should configure Store URL.
  iOS ENX regions should NOT. (#845, @flagxor)
• Return 404 on enx-redirect lookup when realm is not found. (#829, @sethvargo)

Realm Administration

• Selecting a row in the realm stats highlights the day in the per-user-per-realm chart. (#840, @jeremyfaller)
• Stats page now contains a per-user-per-realm chart. (#828, @jeremyfaller)
• Give system admins the ability to clear (Redis) caches. (#834, @sethvargo)

Observability

• Changes two alert names to have spaces in them. (#825, @icco)

Misc

• Fix failures during database seeding (local development) (#823, @sethvargo)

Dependencies

Added

Nothing has changed.

Changed

• github.com/google/exposure-notifications-server: 7e6d295 → v0.12.0

Removed

Nothing has changed.

v0.12.0

Release notes for main

Documentation

Changelog since v0.11.1

Changes by Kind

Uncategorized

• Apps that can support app links should now configure a store URL. (#766, @flagxor)
• Creates a new metric in the logging module from cloud run logs for counting what hosts are being used by clients. (#759, @icco)

Password reset & invitations

• Allow for invitations from a custom SMTP server (#796, @whaught)
• Move firebase password reset to the client (#776, @whaught)
• Move the send-password-reset email to the client for admin users (#781, @whaught)

Show recent codes

• Moved the /code/show page to GET /code/show/{uuid} (#777, @whaught)
• Show a list of recent codes on the code-status page (#774, @whaught)
• Show code created time in local timezone (#780, @whaught)

Minor fixes

• BUGFIX: Ensure that .well-known is served for the correct region. (#782, @mikehelmick)
• Fix pagination off-by-one (#806, @whaught)
• Handle edge case when realm quota is first enabled, enforce realm quota by default. (#765, @sethvargo)
• Make prevent_destroy configurable in Terraform configurations (#769, @sethvargo)

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.

v0.11.1

Changes since v0.11.0

Breaking changes

• Unify custom host handling logic in Terraform. *_custom_domains are now *_custom_hosts and fronted by a load balancer for more control and flexibility. (#750, @sethvargo)

Auth and identity

• Custom email verify page (#757, @whaught)
• Ensure that password-reset flows also check that the firebase user auth is created if it's missing and we have an entry for the user. (#756, @whaught)
• Show error message on too-many-attempts (#745, @whaught)

Documentation

• Update Terraform quick setup docs (#755, @sethvargo)

Dependencies

Added

Nothing has changed.

Changed

• cloud.google.com/go: v0.67.0 → v0.68.0
• github.com/Azure/go-autorest/autorest: v0.11.7 → v0.11.8
• github.com/aws/aws-sdk-go: v1.34.34 → v1.35.3
• github.com/google/exposure-notifications-server: v0.10.0 → 7e6d295
• github.com/hashicorp/errwrap: v1.0.0 → v1.1.0
• golang.org/x/crypto: 5c72a88 → 7f63de1
• golang.org/x/net: 4acb6c0 → 0a1ea39
• golang.org/x/tools: c8c0a1c → 576e169
• google.golang.org/genproto: 01fc692 → 3860012

Removed

Nothing has changed.

v0.11.0

Changes since v0.10.0

Abuse prevention

• Display the currently configured limit and remaining tokens on the realm settings page (#743, @sethvargo)

• Use abuse prevention limit factor when setting the limit (#727, @sethvargo)

Authentication and Identity

• Documentation for Identity Platform setup (#712, @whaught)

• MFA registration grace period (#723, @whaught)

• Password validation responds to copy/paste (#741, @whaught)

• Show error message on too-many-attempts (#745, @whaught)

• Trim whitespace from login and create-user inputs (#729, @whaught)

Security

• Add basic auditing system (#705, @sethvargo)

• Disable modifying user email (#737, @whaught)

Operations

• Allow system admins to join realms for recovery purposes (#705, @sethvargo)

• Add metrics for cleanup and audits (#717, @sethvargo)

• Always include build_id and build_tag in metrics (#731, @sethvargo)

• Include knative info in metrics if present (#736, @sethvargo)

Misc

• Add note about toll free and short codes to UI (#720, @sethvargo)

• Explicitly depend on database migrations and IAM during deployment (#722, @sethvargo)

• Update the Mobile Apps to store links to their appstore. (#738, @jeremyfaller)

Dependencies

Added

Nothing has changed.

Changed

• cloud.google.com/go: v0.66.0 → v0.68.0
• github.com/Azure/azure-sdk-for-go: v46.3.0+incompatible → v46.4.0+incompatible
• github.com/Azure/go-autorest/autorest: v0.11.6 → v0.11.8
• github.com/aws/aws-sdk-go: v1.34.30 → v1.35.3
• github.com/containerd/continuity: efbc448 → f2cc351
• github.com/google/exposure-notifications-server: v0.10.0 → 7e6d295
• github.com/hashicorp/errwrap: v1.0.0 → v1.1.0
• github.com/sethvargo/go-limiter: v0.5.2 → v0.6.0
• github.com/sethvargo/go-redisstore: v0.2.1-opencensus → v0.3.0-opencensus
• github.com/sirupsen/logrus: v1.6.0 → v1.7.0
• golang.org/x/crypto: 5c72a88 → 7f63de1
• golang.org/x/net: 328152d → 0a1ea39
• golang.org/x/sync: 6e8e738 → 3042136
• golang.org/x/tools: 06f3a46 → 576e169
• google.golang.org/genproto: a14c0a9 → 3860012

Removed

Nothing has changed.

v0.10.0

Release notes for main

Documentation

Changelog since v0.9.0

Changes by Kind

Login Authorization

• Allow users to change their password (#652, @whaught)
• Allow users to delete enrolled factor for MFA (#628, @whaught)
• Automatically redirect home after MFA enrollment (#696, @whaught)
• Created a login page for re-authorizing an already logged-in user (#639, @whaught)
• Created a login page for re-authorizing an already logged-in user (#639, @whaught)
• Minor fix to password selection validation UI (#694, @whaught)
• Move password reset call to the server (#668, @whaught)
• Password complexity validation UI shows all validation stats (not just first failure) (#681, @whaught)
• Password creation time field falls back to user creation time (#661, @whaught)
• Redirect to login if re-authorization is required (#643, @whaught)
• Refresh session with enrolled MFA on registration (#695, @whaught)
• Select MFA factor at login (#633, @whaught)
• Telephone input widget for MFA registration (#702, @whaught)

Documentation

• Add setup instructions for Twilio (#708, @sethvargo)

Redirector

• Add ability to register mobile apps which publish metadata to the redirector service for app deep-linking. (#688, @sethvargo)
• Changes the certificates on the redirect server. (#653, @icco)

Realm Settings

• Add forms for system SMS configs and sharing logic (#641, @sethvargo)
• Add per-realm firewall security settings (#644, @sethvargo)
• Allow country level ISO regions for EN Express (#686, @mikehelmick)
• Allow realms to select a default country code for SMS messages (#656, @sethvargo)
• Display realm ID in admin view (#683, @sethvargo)
• Use more consistent ordering on realm selection and lists pages (#632, @sethvargo)

Minor fixes

• Add upper max and lower min to modeler (#648, @sethvargo)
• Don't log a 500 when it's a user error (#647, @sethvargo)
• Ensure SMS provider type is set on system configs (#666, @sethvargo)
• Fix cache type envvar as CACHE_TYPE (#635, @sethvargo)
• Fix inability to visit ENX tab (#631, @sethvargo)
• If you use the "alerting" Terraform module, you need to change var.project to var.monitoring-host-project. It's recommended to use a separate empty project to host the monitoring workspace. See also https://cloud.google.com/monitoring/workspaces/create#multi-project-ws (#540, @yegle)
• Introduce scaffolding for system SMS configs (#637, @sethvargo)
• Make mobile app names unique by realm_id and platform (#701, @sethvargo)
• Record and monitor realm verification token capacity (#645, @femnad)
• Serve /favicon.ico (#642, @sethvargo)

Dependencies

• Update to Go 1.15.2 (#671, @sethvargo)

Added

• github.com/jeremyfaller/puddle: 91d0159
• github.com/jmespath/go-jmespath/internal/testify: v1.5.1

Changed

• cloud.google.com/go/storage: v1.11.0 → v1.12.0
• cloud.google.com/go: v0.65.0 → v0.66.0
• github.com/Azure/azure-sdk-for-go: v46.0.0+incompatible → v46.3.0+incompatible
• github.com/Azure/go-autorest/autorest/adal: v0.9.2 → v0.9.4
• github.com/Azure/go-autorest/autorest/azure/auth: v0.5.1 → v0.5.2
• github.com/Azure/go-autorest/autorest/azure/cli: v0.4.0 → v0.4.1
• github.com/Azure/go-autorest/autorest: v0.11.4 → v0.11.6
• github.com/aws/aws-sdk-go: v1.34.19 → v1.34.30
• github.com/golang/snappy: v0.0.1 → v0.0.2
• github.com/google/exposure-notifications-server: v0.9.1 → v0.9.2
• github.com/google/pprof: 1a94d86 → acf8798
• github.com/gorilla/handlers: v1.5.0 → v1.5.1
• github.com/grpc-ecosystem/grpc-gateway: v1.14.8 → v1.15.0
• github.com/jmespath/go-jmespath: v0.3.0 → v0.4.0
• github.com/prometheus/common: v0.13.0 → v0.14.0
• github.com/prometheus/procfs: v0.1.3 → v0.2.0
• github.com/sethvargo/go-envconfig: v0.3.1 → v0.3.2
• go.uber.org/atomic: v1.6.0 → v1.7.0
• go.uber.org/multierr: v1.5.0 → v1.6.0
• golang.org/x/net: 62affa3 → 328152d
• golang.org/x/tools: acefd22 → 06f3a46
• google.golang.org/api: v0.30.0 → v0.32.0
• google.golang.org/genproto: 0bd0a95 → a14c0a9
• google.golang.org/grpc: v1.31.1 → v1.32.0

Removed

• github.com/jackc/puddle: v1.1.1

v0.9.0

Changes since v0.8.0

Breaking

• *Potentially breaking- Require region codes be globally unique, add database constraint for realm name uniqueness (#621, @sethvargo)
• Remove create firebase user page. Users should be invited by an admin only. (#565, @whaught)
• Remove add-realm tool, move other tools to tools/ directory (#587, @sethvargo)

Security

• Add modeling service for abuse detection (and prevention in the future) (#551, @sethvargo)
  • Add database fields and UI structure for abuse prevention (#548, @sethvargo)
  • Add enforcement mechanism for realm quotas (#571, @sethvargo)
  • Avoid integer overflow when model is negative (#625, @sethvargo)
  • Give modeler ability to clear the cache (#626, @sethvargo)
• Add session idle duration with a default of 20min (#583, @sethvargo)
• Change default session duration from 24h to 20h (#578, @sethvargo)

System administration

• Allow managing system admins via the UI (#562, @sethvargo)
• Allow system admins to remove themselves from realms (#561, @sethvargo)

Realm administration

• Add customizable realm welcome banner (#585, @sethvargo)
• Add info page for admins to see build info (#560, @sethvargo)
• Add password-reset button for admins
  Change new-user redirect to show-user (#598, @whaught)
• Differentiated nav bar for System Admin (#603, @whaught)
• Enforce password rotation (#596, @whaught)
• Fix stats inconsistencies (#569, @sethvargo)
• For ENX enabled domains, take advantage of the enx-redirect service for https:// clickable links / universal links / ens:// redirect. (#597, @mikehelmick)
• Make it more difficult to accidentally disable ENX (#623, @sethvargo)
• New realm setting for password rotation requirements (#592, @whaught)
• New realm setting to allow skipping or requiring email verification (#563, @whaught)
• Improve UX on realm settings page (#601, @sethvargo)
• Logic for bulk user import (#553, @whaught)

Account management

• Add a password selection page (#568, @whaught)
• Added UI for password complexity requirements (#579, @whaught)
• Allow users to delete enrolled factor for MFA (#628, @whaught)
• As-you-type password validation
  fix redirects from password change page (#602, @whaught)
• Created a 'my account' page for the current user's settings (#599, @whaught)

Misc

• Iff redirect_domain_map is specified in terraform, we will setup a second IP and LB for it. (#581, @icco)

• Introduce deep link redirect service to support exposure notification express. (#546, @mikehelmick)

• Add enx-redirect to deployment and promote (#590, @sethvargo)

  • Adds redirector to terraform services (#558, @icco)

• Use the configured cacher for public key and signing key caches (#604, @sethvargo)

• Use custom html for entering SMS pin (#556, @whaught)

• Switch to toasts for notices (#566, @sethvargo)

• Switch navigation to light tabs (#617, @whaught)

Dependencies

Added

• github.com/aymerick/douceur: v0.2.0
• github.com/chris-ramon/douceur: v0.2.0
• github.com/gonum/blas: f22b278
• github.com/gonum/floats: c233463
• github.com/gonum/internal: f884aa7
• github.com/gonum/lapack: e4cdc5a
• github.com/gonum/matrix: c518dec
• github.com/gorilla/css: v1.0.0
• github.com/microcosm-cc/bluemonday: v1.0.4
• github.com/sethvargo/go-password: v0.2.0

Changed

• github.com/aws/aws-sdk-go: v1.34.18 → v1.34.19
• github.com/google/exposure-notifications-server: v0.7.0 → v0.9.1
• github.com/sethvargo/go-limiter: v0.4.1 → v0.5.2
• github.com/sethvargo/go-redisstore: v0.1.2-opencensus → v0.2.1-opencensus
• golang.org/x/tools: ea3a2cd → acefd22

Removed

Nothing has changed.

v0.8.0

Release notes for main

Documentation

Changelog since v0.7.0

Changes by Kind

Uncategorized

• Major change!- Change rate limiting for API keys to rate limit by "Realm + IP" to reduce the chance of a DOS attack. Re-evaluate your rate limits to ensure they still make sense in this new model. (#513, @sethvargo)

• Use HMAC instead of hashes in cacher keys (#503, @sethvargo)

Fixes & Maintenance

• Recommend filesystem key manager for local development (#488, @sethvargo)
• Rename Terraform bucket_policy_only to uniform_bucket_level_access to handle deprecation (#502, @sethvargo)
• Return build information in response headers if X-Debug is supplied as a request header ([#497]
  (#497), @sethvargo)

Monitoring & Stats

• Add an elevated 5xx requests to our alerting module. (#515, @icco)
• Add backfill migration for realm stats (#527, @sethvargo)
• Adds per-realm stats and visualization of the last 30 days of issued and claimed codes. (#514, @sethvargo)

UX Changes

• Add realm configuration for requiring a date when generating a verification code. This includes a new missing_date error code in the issue API. (#520, @sethvargo)
• Fix a rendering bug when retrieving a public key fails (#523, @sethvargo)
• Keep the realm selection during realm admin tasks (#530, @whaught)
• Pagination for Users page (#541, @whaught)
• Refreshed various UI elements (#533, @sethvargo)
• Send new users a password reset email (#501, @whaught)

Dependencies

• Upgrade to Go 1.15.1 (#496, @sethvargo)

Added

Nothing has changed.

Changed

• github.com/sethvargo/go-limiter: v0.4.1 → v0.5.1
• github.com/sethvargo/go-redisstore: v0.1.2-opencensus → v0.2.0-opencensus

Removed

Nothing has changed.

v0.7.0

Changelog since v0.6.0

Changes by Kind

Breaking

• Breaking:: *_custom_domain are now *_custom_domains in Terraform and the type has changed from string to set(string) to support specifying multiple domains mapped to a single service. (#440, @sethvargo)
• Potentially breaking: Add padding fields to all API requests and responses (#475, @sethvargo). Clients should not parse this field.
  • Include random padding bytes in API responses. Clients should not process these bytes. (#490, @sethvargo)

UI

• Add favicon and mobile assets (#473, @sethvargo)
• Trim whitespace around public keys in the UI (#481, @sethvargo)
• When checking code status via UUID, the long expiry time/countdown will be shown. (#458, @mikehelmick)

Security

• Add support for rotating HMAC and encryption keys (#450, @sethvargo)

Documentation

• Updated API documentation to correct casing in JSON examples (#453, @mikehelmick)
• Added documentation for admin APIs (#470, @mikehelmick)
• Additional user documentation. (#444, @mikehelmick)
• Document users, realms admins, and sys admins (#480, @sethvargo)
• Include a password-reset page (#447, @whaught)

Observability

• After this PR SQL metrics should be available to view in metrics exporter https://opencensus.io/integrations/sql/go_sql/ (#396, @taddari)
• Fix data race in database initialization (#484, @sethvargo)
• Fix migration logging (#455, @sethvargo)
• Fixes stackdriver metrics being dropped (#445, @icco)
• Following metrics will be available https://github.com/opencensus-integrations/ocsql#metrics (#489, @taddari)
• There is now an alerting module you can initialize to get alerts for server health. (#472, @icco)

Miscellaneous

• /health no longer requires an API key to call (#465, @icco)
• Temporarily return error_code and errorCode in API JSON responses for backwards compatibility. error_code will be removed in a future version. (#451, @sethvargo)
• Recommend filesystem key manager for local development (#488, @sethvargo)

Dependencies

Added

• contrib.go.opencensus.io/integrations/ocsql: v0.1.6
• github.com/PuerkitoBio/purell: v1.0.0
• github.com/PuerkitoBio/urlesc: 5bd2802
• github.com/apache/arrow/go/arrow: b2287a2
• github.com/emicklei/go-restful: ff4f55a
• github.com/go-logr/logr: v0.1.0
• github.com/go-openapi/jsonpointer: 46af16f
• github.com/go-openapi/jsonreference: 13c6e35
• github.com/go-openapi/spec: 6aced65
• github.com/go-openapi/swag: 1d0bd11
• github.com/gobuffalo/here: v0.6.0
• github.com/google/flatbuffers: v1.11.0
• github.com/mailru/easyjson: d5b7844
• github.com/markbates/pkger: v0.15.1
• github.com/munnerz/goautoneg: a547fc6
• github.com/pkg/browser: 0a3d74b
• github.com/snowflakedb/glog: f5055e6
• github.com/snowflakedb/gosnowflake: v1.3.5
• k8s.io/gengo: 0689ccc
• sigs.k8s.io/structured-merge-diff/v3: 43c19bb

Changed

• cloud.google.com/go/spanner: v1.5.1 → v1.8.0
• contrib.go.opencensus.io/exporter/ocagent: v0.7.0 → f8c219d
• contrib.go.opencensus.io/exporter/prometheus: v0.2.0 → 6bcf6f8
• github.com/Azure/azure-pipeline-go: v0.2.1 → v0.2.3
• github.com/Azure/azure-storage-blob-go: v0.8.0 → v0.10.0
• github.com/Microsoft/go-winio: v0.4.14 → fc70bd9
• github.com/asaskevich/govalidator: f9ffefc → 475eaeb
• github.com/aws/aws-sdk-go: v1.34.14 → v1.34.18
• github.com/elazarl/goproxy: c4fc265 → 947c36d
• github.com/evanphx/json-patch: 5858425 → v4.2.0+incompatible
• github.com/frankban/quicktest: v1.4.1 → v1.8.1
• github.com/go-playground/validator/v10: v10.2.0 → v10.3.0
• github.com/golang-migrate/migrate/v4: v4.10.0 → v4.12.2
• github.com/google/exposure-notifications-server: v0.6.0 → v0.7.0
• github.com/google/gofuzz: v1.0.0 → v1.1.0
• github.com/googleapis/gnostic: 0c51083 → v0.1.0
• github.com/grpc-ecosystem/grpc-gateway: v1.14.7 → v1.14.8
• github.com/jackc/pgconn: v1.5.0 → v1.6.4
• github.com/jackc/pgproto3/v2: v2.0.1 → v2.0.4
• github.com/jackc/pgservicefile: 3430c54 → 2b9c447
• github.com/jackc/pgtype: v1.3.0 → v1.4.2
• github.com/jackc/pgx/v4: v4.6.0 → v4.8.1
• github.com/jackc/pgx: v3.6.2+incompatible → v3.3.0+incompatible
• github.com/jackc/puddle: v1.1.0 → v1.1.1
• github.com/jinzhu/now: v1.0.1 → v1.1.1
• github.com/kelseyhightower/envconfig: v1.3.0 → v1.4.0
• github.com/kelseyhightower/run: v0.0.16 → v0.0.17
• github.com/mattn/go-ieproxy: 91bb50d → v0.0.1
• github.com/mattn/go-sqlite3: v1.14.0 → v2.0.1+incompatible
• github.com/neo4j/neo4j-go-driver: v1.7.4 → b626aa9
• github.com/smartystreets/assertions: b2de0cb → v1.0.0
• go.uber.org/zap: v1.15.0 → v1.16.0
• golang.org/x/net: c890458 → 62affa3
• golang.org/x/oauth2: bf48bf1 → 5d25da1
• golang.org/x/sys: 64077c9 → f9321e4
• golang.org/x/tools: 5a2aa26 → ea3a2cd
• google.golang.org/genproto: d7...

v0.6.0

Changes since since v0.5.1

 

Notes

We added a new service, e2e, that runs routine e2e tests on the system. Before deploying, re-run the Terraform configurations. You need to force a re-build by running terraform taint null_resource.build.

Features

• System admin page to create realms from the UI instead of command line tools. (#426, @mikehelmick)
• Adds a variety of best practice security headers to all three servers. (#415, @icco)
• Realm settings to enable ENX (EN Express) (#437, @mikehelmick)
• A simple e2e test is added to test APIs provided by the verification server and the key server. (#417, @yegle)

Operational

• Set up Cloud Scheduler to probe the e2e runner service handlers every 10min. (#420, @yegle)
• Improve deployment scripts (#419, @sethvargo)
• Adds three new host variables to terraform and sets up a GCLB with those hosts. (#409, @icco)

Other

• Bump main server version to v0.5.1 (#408, @sethvargo)
   

Dependencies

 

Added

• github.com/felixge/httpsnoop: v1.0.1
• github.com/rakutentech/jwk-go: v1.0.1
• github.com/unrolled/secure: v1.0.8
• github.com/urfave/negroni: v1.0.0
   

Changed

• cloud.google.com/go/storage: v1.10.0 → v1.11.0
• cloud.google.com/go: v0.63.0 → v0.65.0
• contrib.go.opencensus.io/exporter/stackdriver: v0.13.3 → v0.13.4
• github.com/Azure/azure-sdk-for-go: v45.1.0+incompatible → v46.0.0+incompatible
• github.com/aws/aws-sdk-go: v1.34.7 → v1.34.14
• github.com/google/exposure-notifications-server: v0.5.1 → v0.6.0
• github.com/google/go-cmp: v0.5.1 → v0.5.2
• github.com/google/uuid: v1.1.1 → v1.1.2
• github.com/gorilla/handlers: v1.4.2 → v1.5.0
• github.com/gorilla/mux: v1.7.4 → v1.8.0
• github.com/gorilla/schema: v1.1.0 → v1.2.0
• github.com/gorilla/sessions: v1.2.0 → v1.2.1
• github.com/prometheus/common: v0.12.0 → v0.13.0
• github.com/prometheus/statsd_exporter: v0.17.0 → v0.18.0
• github.com/yuin/goldmark: v1.1.32 → v1.2.1
• golang.org/x/crypto: 123391f → 5c72a88
• golang.org/x/net: 3edf25e → c890458
• golang.org/x/sys: 9781c65 → 64077c9
• golang.org/x/tools: 188abfa → 5a2aa26
• google.golang.org/genproto: f69a880 → d751682
• google.golang.org/grpc: v1.31.0 → v1.31.1
   

v0.5.1

Changes since v0.5.0

• Add redis opencensus metrics to the verification server cache. (#376, @taddari)
• Add redis opencensus metrics to the verification server, this will enable to monitor problems with redis connections itself. (#361, @taddari)
• Add support for destroying signing key versions (#389, @sethvargo)
• Add test type and issuer to show code page (#375, @whaught)
• Adds open census metrics for main API flows. (#384, @mikehelmick)
• Allow configuring database max lifetime idle timeout (#406, @sethvargo)
• Allow users to expire a code (#390, @whaught)
• Bump main server version to v0.5.1 (#408, @sethvargo)
• CRITICAL FIX: Select correct realm's signing keys for multi-tenant signing. (#398, @mikehelmick)
• Client timezone should be valid. (#340, @jeremyfaller)
• Create separate key manager instances instead of using a shared pool. This changes the configuration to require a prefix on the key managers (e.g. TOKEN_KEY_MANAGER and CERTIFICATE_KEY_MANAGER) if you are overriding the defaults. (#382, @sethvargo)
• Fix SQL error in cleanup logic (#403, @sethvargo)
• Fix redis cache environment variable (#402, @sethvargo)
• New environment variable.
  • DB_MAX_CONN_IDLE_TIME a duration, when set will be passed to DB connection pool. Default value of 1m (#393, @mikehelmick)
• Set HSTS headers in production service (#387, @sethvargo)
• Set a 1m idle timeout on all Redis connections. REDIS_HOST and REDIS_PORT are now prefixed based on their scope (e.g. CACHE_REDIS_HOST and RATE_LIMIT_REDIS_HOST). This enables using a different Redis cluster or configuration for rate limiting vs caching. (#391, @sethvargo)
• Sort users and API keys (#371, @sethvargo)
• Verification server operators can rotate their token signing key. TOKEN_SIGNING_KEY and TOKEN_SIGNING_KEY_ID are now array based env vars. They must be the same length. The first items in the lists represents the active key/kid and the remaining entries are allowed to validate. (#348, @mikehelmick)

Dependencies

Added

• github.com/opencensus-integrations/redigo: v2.0.1+incompatible

Changed

• github.com/google/exposure-notifications-server: v0.5.0 → v0.5.1
• github.com/sethvargo/go-limiter: v0.4.0 → v0.4.1
• github.com/sethvargo/go-redisstore: v0.1.0 → v0.1.2-opencensus

Removed

• github.com/gomodule/redigo: v1.8.2