v1.5.4¶
Creation Date: 26.01.2021
Restrictions Policy¶
21211 – Restrictions Policy
For an endpoint define specific IP White List and IP Black List.
- Tenant admin can add IP White List and IP Black List using Restrictions Policy.
Security Improvements¶
22377 – Super admin accounts are only given access to specific external IPs
/superadmin path only can access with specific external IPs. So this path which important for product management are protected against attacks from outside.
- The IP White List middleware added to Treafik.
21211 – Grafana arrangement
A malicious user can access to DB layer with SQL injection. This user should not use DROP, DELETE, TRUNCATE and UPDATE commands.
- Create new DB user for using Grafana report.
- This DB user only have SELECT permission.
22189 – Endpoint development that checks banks’ own sessionIds
Endpoint checks sessionID so if it is not available , this login request is not allowed. It provides an additional security measure.
- An Endpoint which validates sessionID has been sent from request body.
User Account Management¶
22216/22737 – Configurations of ApiGo Users register and login with Microsoft Azure Accounts
ApiGo users can register and login to admin panel with their Microsoft Azure account.
- Creating App with company account for com and com.tr on Azure.
- Users can login and register with Microsoft Azure accounts.
22189 – Adding the custom claim information sent from the header to the authorization token
Information which important for bank like WebUserID, LastName, Firstname etc. transferred to the authorization token.
Management Portal¶
21206 – Developing an policy which validate Json data in Request Body
The policy validates request body compare with data model which defined by admin. If it is not valid, policy blocks the request. So this request will not sent to bank back-end system.
- The policy works with PUT or POST method.
- The JSON schema must be taken by tenant admin.
- If request data is not valid, returns 422 – Unprocessable status code
21194 – Adding description to scope selection page
This description will be appear in the choosing scope on selecting screen at IdentityServer. So banks can explain scope details to their customers.
21206 – Adding advance settings to application creating page
Tenant admin can configure authorization token lifetime settings for own applications.
- This configuration only set on Management Portal.
- This settings have higher priority than global token settings.
21219 – Adding timeout field for device push token on app to app configuration page
Timeout field has been added to device push tokens. Thus, security vulnerabilities that may arise are prevented.
FIXED ISSUES¶
| PORTAL | TASK | ISSUE | ACTION | STATUS |
|---|---|---|---|---|
| Management Portal | 23837 | Super admin applications table style is crashed. | UI fixed | Done |
| Management Portal | 23172 | Reset password has an error. | Backend fixed | Done |
| Management Portal | 23353 | Forget password screen has 404 error. | Backend fixed | Done |
| Management Portal | 22387 | When create an account using social network account free trial time cannot showed itself. | Backend fixed | Done |
| Management Portal | 21904 | Numbers are mixed in Dashboard status code graphic. | Backend fixed | Done |
| Management Portal | 22389 | A wrong message which when a blocked developer want to sign in have to change. | UI and backend fixed | Done |
| Management Portal | 21857 | Client signature validation policy is not working. | Backend fixed | Done |
| Management Portal | 23651 | Device push token timeout field is not working. | Backend fixed | Done |
| Management Portal | 23607 | When social account’s data equals null super admin social login page crashed. | Backend fixed | Done |
| Management Portal | 22375 | Log out endpoint is not working on ApiGo. | Backend fixed | Done |
| Management Portal | 22897 | When an image upload at bank settings page system returns 500 internal server error. | Backend fixed | Done |
| Identity Server | 23357 | Sample bank app has a redirect problem to IdentityServer at apigo.com and apigo.com.tr. | Backend fixed | Done |
| Management Portal | 22146 | Reset Password is not working. | Backend fixed | Done |
| Management Portal | 21867 | Sending mail problem at apigo.com and apigo.com.tr. | Backend fixed | Done |
| Developer Portal | 21869 | Grafana dashboard is not showing on Developer portal. | Backend fixed | Done |
| Management Portal | 21902 | JUST Transformation Policy does not have extend feature. | UI fixed | Done |
| Management Portal | 21968 | Start with www domains have a 404 error. | Backend fixed | Done |