Apostrophe 4.2.0 Rich text widget enhancement, security improvement, and fixes

[BoDonkey]

Hola Apostrophe Universe!

While we aren't releasing any new large features or extensions this cycle, the team has been busy making improvements and fixes while working toward a revamp of the @apostrophecms-pro/multisite extension dashboard.

Rich text improvements

The rich-text-widget received some UI/UX love this cycle. Now there are two intuitive menus for applying styling and element changes to your text. Without going into the inner workings of Tiptap which powers the widget, the selection of base elements like <h2> will occur through one dropdown menu, while the styling of other elements like <span> will be added to a second dropdown. This new arrangement enhances style tracking without necessitating any changes to your current editor setup.

Password hashing improvements improve performance

Additionally, the Apostrophe core itself has been enhanced with an improved password hashing process following guidance from OWASP. While the originally implemented procedure was completely secure, it could lead to significantly increased CPU load during login. This was replaced with the Node.js scrypt function that significantly improves login speed. The user’s first login following the update will still take time while their password is rehashed, but then shift into high gear with faster logins!

New MongoDB driver emulation extension

Tech moves fast, but sometimes getting to the leading edge takes time and energy. With that in mind, we've released a new MongoDB driver emulation extension. This allows you to continue using code that depends on the 3.x version of the MongoDB Node.js driver while updating to the newer 6.x version. Note that both legacy and new projects will automatically take advantage of this module with their next npm update. We have taken measures to emulate all of the changes that impact Apostrophe sites. If you encounter edge cases, your bug reports and pull requests are welcome. Thanks to Michelin for their support of this work.

Community contributions

Finally, we wrap up this release cycle by acknowledging the contributions from our community. Thanks to Gauav Kumar you can now use a / in the title field of a page. In the past, this would prevent further slug generation. Due to continued collaboration with the developers at Michelin, the login experience when integrating Astro with Apostrophe has become much smoother. Thanks! 🎉

While this note mentioned some great improvements, check out the release notes below for additional fixes and improvements. Remember npm update gets you the latest and greatest right in your project!

Apostrophe 4.2.0

Changes

• Rich text styles are now split into Nodes and Marks, with independent toolbar controls for a better user experience when applying text styles. There is no change in how the styles option is configured.
• Rich text style labels are fully localized.
• i18n module now uses the regular req.redirect instead of a direct res.redirect to ensure redirection, enabling more possibilities for @apostrophecms/redirect module
• Refactors AposModal component with composition api to get rid of duplicated code in AposFocusMixin and AposFocus.
• APOS_MONGODB_LOG_LEVEL has been removed. According to mongodb documentation "Both the logger and the logLevel options had no effect and have been removed."
• Update connect-mongo to 5.x. Add @apostrophecms/emulate-mongo-3-driver dependency to keep supporting [email protected] queries while using [email protected].

Fixes

• Updates the docs beforeInsert handler to avoid ending with different modes being set between _id, aposLocale and aposMode.
• Adds a migration to fix potential corrupted data having different modes set between _id, aposLocale and aposMode.
• Fix a crash in notification when req.body was not present. Thanks to Michelin for contributing this fix.
• Addresses a console error observed when opening and closing the @apostrophecms-pro/palette module across various projects.
• Fixes the color picker field in @apostrophecms-pro/palette module.
• Ensures that the data-apos-test attribute in the admin bar's tray item buttons is set by passing the action prop to AposButton.
• Prevents stripping of query parameters from the URL when the page is either switched to edit mode or reloaded while in edit mode.
• Add the missing metaType property to newly inserted widgets.
• Typing a / in the title field of a page no longer confuses the slug field. Thanks to Gauav Kumar.

Security

• New passwords are now hashed with scrypt, the best password hash available in the Node.js core crypto module, following guidance from OWASP. This reduces login time while improving overall security.
• Old passwords are automatically re-hashed with scrypt on the next successful login attempt, which adds some delay to that next attempt, but speeds them up forever after compared to the old implementation.
• Custom scrypt parameters for password hashing can be passed to the @apostrophecms/user module via the scrypt option. See the Node.js documentation for scrypt. Note that the maxmem parameter is computed automatically based on the other parameters.

Apostrophe 3.64.0

Fixes

• Add the missing metaType property to newly inserted widgets.

Security

• New passwords are now hashed with scrypt, the best password hash available in the Node.js core crypto module, following guidance from OWASP. This reduces login time while improving overall security.
• Old passwords are automatically re-hashed with scrypt on the next successful login attempt, which
  adds some delay to that next attempt, but speeds them up forever after compared to the old implementation.
• Custom scrypt parameters for password hashing can be passed to the @apostrophecms/user module via the scrypt option. See the [Node.js documentation for scrypt]. Note that the maxmem parameter is computed automatically based on the other parameters.

Changes

• APOS_MONGODB_LOG_LEVEL has been removed. According to mongodb documentation "Both the logger and the logLevel options had no effect and have been removed."
• Update connect-mongo to 5.x. Add @apostrophecms/emulate-mongo-3-driver dependency to keep supporting [email protected] queries while using [email protected].

Apostrophe modules

@apostrophecms/form 1.3.1

Allow ApostropheCMS editors to build their own forms. They can then place any form in one or more content areas across the website.

Changes

• Updates the documentation.

Fixes

• Changes the value collection for the form-boolean-field-widget to the checked status instead of the value directly.

@apostrophecms/svg-sprite 1.0.1

This module provides an Apostrophe piece type that manages and renders SVG sprites. Sprites can be imported from files in a website codebase or an external source via a URL.

Fixes

• Fix vulnerable dependencies axios, xml2js and mocha to pass npm audit.

Pro modules

@apostrophecms-pro/automatic-translation 1.0.1

This bundle allows automatic translation of documents (pages and pieces) when localizing content. It comes with two translation providers: Google Cloud Translation and DeepL, but it is also possible to configure your own providers. Explore our documentation to discover how this extension can enhance your project. Then, effortlessly integrate it through our new Apostrophe Workspaces. For further details or inquiries, feel free to contact us or visit our pricing page.

Fixes

• Adds mapping for deepl source and target languages as well as methods to normalize language codes.

@apostrophecms-pro/palette 4.1.0

An in-context interface for changing CSS. @apostrophecms-pro/palette is a module that provides an in-context interface for changing the values of developer-set CSS properties. The values are stored in an Apostrophe piece singleton (like @apostrophecms/global) and applied to the site whenever the stylesheet link is included in a template. Adjusting values via the palette interface renders changes to the site instantly. Explore our documentation to discover how this extension can enhance your project. Then, effortlessly integrate it through our new Apostrophe Workspaces. For further details or inquiries, feel free to contact us or visit our pricing page.

Adds

• It is possible to override the rendering of CSS with your own custom method. See the documentation for more information.
• Add a data-attribute to make e2e tests easier.
• Stop setting modified: true in the draft and published version of @apostrophecms/global when mirroring the stylesheet to it.

@apostrophecms-pro/multisite 3.16.0

This module lets you have many ApostropheCMS websites running on a single codebase in a single Node.js process. Each has its own database, users, media uploads, etc. Sites can be created and managed via a dashboard site. Explore our documentation to discover how this extension can enhance your project. For further details or inquiries, feel free to contact us or visit our pricing page.

Fixes

• The dashboard now delivers its own static assets via the CDN properly when the CDN environment variable is in effect. Previously this worked for both static assets and uploaded media of individual sites and for uploaded media of the dashboard, but not for static assets of the dashboard.

Changes

• Refactored uploadfs configuration code for maximum reuse to minimize bugs.
• server-destroy should not be a devDependency, it is used in production.
• ws should be an official dependency. Previously this worked because of a sub-dependency on it.
• Add @apostrophecms/emulate-mongo-3-driver dependency to keep supporting [email protected] queries while using [email protected].

Legacy modules

emulate-mongo-2-driver 1.3.3

emulate-mongo-2-driver aims to be a highly compatible emulation of the 2.x version of the MongoDB Node.js driver, implemented as a wrapper for the 3.x driver.

Changes

• Replace mongodb@3 with @apostrophecms/emulate-mongo-3-driver with mongodb@6.

emulate-mongo-3-driver 1.0.2

@apostrophecms/emulate-mongo-3-driver aims to be a compatible emulation of the 3.x version of the MongoDB Node.js driver, implemented as a wrapper for the 6.x driver.

Fix

• Discard connection options not permitted or required by newer MongoDB drivers. Important for emulate-mongo-2-driver which depends on this module.
• Allow FindCursor.sort with false as sort key.

Adds

• Initial release.

Utilities

@apostrophecms/apostrophe-astro 1.0.7 (2024-03-28)

This module integrates ApostropheCMS into your Astro application.

Changes

• Visiting the /login page when already logged in no longer results in an undesired direct response from Apostrophe. Redirects within api routes like the login issued on the Apostrophe side are now sending a redirect response as per Astro endpoints documentation.
• Page refreshes no longer alternate between displaying the admin UI and not displaying it with each refresh in certain configurations.
• Thanks to Michelin for collaborating on the solution.

1.0.6 (2024-03-26)

Changes

• Change the way we fetch from Apostrophe by using undici request method, so as all headers are correctly forwarded. As on latest Node.js versions, headers like Host are no more forwarded by the regular fetch global method.

@apostrophecms/rename-mongodb-database 1.0.1 (2024-04-04)

A handy little utility from apostrophecms to rename a mongodb database with one command.

Fixes

• Debugged legacy support for MongoDB 3.4.x command line tools without impacting newer tools.

Adds

• Fully functional first release.