train-2011.02.08 (in progress):
train-2011.02.02:
* i18n support, now BrowserID speaks your language: #926, #936, #977, #1013, #1031
* improved error screens on slow server responses: #913, #915
* better cache headers on all html resources (which Vary by Accept-Languages): #226, #620, #920, #938
* cosmetic fixes: #918, #947, #966, #981, #1020, #987
* preliminary work to improve messaging when cookies are disabled: #835
* remove dead code: #925
* fix include.orig.js: #921, #911
* load testing compatibility and minified resources are no longer mutually exclusive: #939
* improve usability via default button focus (just hit enter in more places): #946, #960
* scripts to deploy to an amazon EC2 instance.
* improve configuration mechanism: #582, #1006
* limit post bodies to verifier: #878
* cancel from forgot password doesn't cause your email to be, uh, forgotten: #1001
* remember the users email as they move from screen to screen in the dialog: #984, #1001, #1002, #1003, #1004
* secondary "cancel" style buttons have a smaller font: #1020
* build fixes: #1021, #1024
train-2011.01.18:
* support for 3rd party primary identity providers: #761, #904, #865
* loadgen improvements
* Re-license under MPL2: #859 (& #827)
* clean up unused developer tools (vagrant): #861
* (primary support) declaration of support now hosted in .well-known/browserid (was 'vep'): #865
* unit test fixes: #889 & #851
* help link opens in new window: #728
* fix 'not supported' display in IE7: #831
* language/rendering refinements: #850, #439, #622, #818, #901, #630, #888, #345, #815
* front end performance improvements: #899, #910
* better UX for network timeouts: #905
* (hotfix 2012.01.23) Remove unwanted scrollbar in dialog: issue #947
* (hotfix 2012.01.23) Fix black backgrounds on IE8: issue #929
* (hotfix 2012.01.23) fix broken transition to "check your email": #933, #934, #935
* (hotfix 2012.01.24) Fix "slow script" error on IE8 during keygen on behalf of primary: #956
* (hotfix 2012.01.24) Publish javascript API to provide a native-support compatible for primaries' auth pages: #909
* (hotfix 2012.01.24) Allow load testing hooks to be enabled with minified resources: #939
* (hotfix 2012.01.24) IE8 fixes for primary flow: #962, #961, #958, #955
* (hotfix 2012.01.24) print correct url for where the user will be directed: #964
* (hotfix 2012.01.31) fix silent assertions: #972
* (hotfix 2012.02.01) fix verification of email on a browser other than the initiator: #973, #1026 (and maybe others)
train-2011.01.05:
* client entropy pool mixes in randomness from server for better browser RNG: #298, #800
* new assertion format that avoids double (base64) encoding - 33% smaller: #507
* Turn license URL in ToS into a clickable link: #382
* limit post requests to 10kb: #822
* improved password length checks, check in client and server code more often
* after authenticating we store your userid rather than email in the session (many issues/possible attacks relate to this): #388
* session cookies are now encrypted, sent only when required, and generally more awesome: #416, #832
* IE8 display tweaks
* primary support 90% implemented but disabled in this train (*major* changes including schema, but not user visible)
* (hotfix on 2012.01.09) explicitly call .removeAllListeners() during http forwarding to eliminate memory leak: #839
train-2011.12.28:
* improve animation during cert/assertion procedures in dialog: #709
* user visible error message in dialog when under back breaking load: #738
* cleanup and removal of stale deps from package.json
* improve mobile formatting: #747
* fixes in dialog communication channel: #748
* add a waiting screen while crypto is running on slow browsers: #706
* don't allow a user to re-add address they already have verified: #732
* CSP (content security policy) fixes: #676
* doc fixes regarding running browserid under vagrant
* doc fixes regarding new dependencies (libgmp for (much) faster crypto)
* bcrypt now runs out of process, uses all available cores, allows for app level 503 under extreme load: #694
* Fix "cancel" in the forgot password screen when accessed via required email: #754
* first time a user visits browserid.org, show a "learn more" message: #384
* partial code versioning/cache busting implementation: #226 #687
* improved build process - resource minification no longer leaves artifacts all over: #700
* clean up whitespace. meh. #758
* emails now come from "BrowserID@" instead of "noreply@": #756
* completely new implementation for cross domain window communication (https://github.com/lloyd/winchan) #764 #766
* allow canceling of "use a different email: #765
* improve language and UX of required email flow: #608
* better, earlier dev errors for required email: #632
* new assertion format (smaller by 66%) handled by verifier, to be generated by browserid next train: #507
* now you can change your password: #771 #114
* load generator improvements: #782
* improved PRNG: #789 #735
* fix regressions in the above: #719 & #776
* CSRF token uses better RNG: #800
train-2011.12.08:
* improve performance of unit tests. #686
* IE8 fixes. #688
* logging improvements. #681
* loadgen fixes. #682
* android fixes. #704
* performance improvements. #680
* moar instrumentation. #691
train-2011.12.01:
* BrowserID now requires NodeJS >= 0.6.2
* extensive work on load generation tool: #504
* modularize front-end, remove deps on stealjs and JSMVC: #609, #625, #634
* front-end refactoring: #578, #611, #608, #650, #654, #655
* regression fix: account consolidation possible without explicit canceling: #607 #612
* make it possible to gracefully update domain key at any time: #599
* domain key now uses RSA-2048: #600
* optimize (and combine) frontend resources (vepbundle): #606
* many rpm/packaging updates: #617, #656
* timestamps on all log entries: #541
* IE8 fixes: #615
* unit test fixes: #557 (revisited), #629, #657
* update_password WSAPI added: #560, #114
* verifier improvements and unit tests: #467, #598, #605, #643, #642, #645, #646,
* node-mysql driver update - improved for prod env #648
* include a link to support.mozilla.com off of browserid.org - #533
* added command line tool to create and account: #603
* added command line tool to bcrypt a password: #651
* fix button heights in firefox on browserid.org: #658
* make sure logout is called only once in dialog: #666, #630
* make 'use another email address' more discoverable: #623
* use statsd for statistics reporting: #662
* heartbeat checks are now shallow, only indicating presence of a server and basic health: #566
* keysigner and verifier now saturate multiple cores via 'compute-cluster' module: #213
* fix spurious console error messages on sites that use postMessage and include.js: #534
* refine language in verification email: #672
* (hotfix on 2011.12.02) Fix regression where email rate limiting tooltips in dialog were not shown: #685
* (hotfix on 2011.12.02) Fix regression where emails sent out had no newlines: #684
* (hotfix on 2011.12.08) Fix bug where domain key update detection was not working properly, preventing users from logging in: #734
* (hotfix on 2011.12.08) Fix bugs in "internal api" used by native code (like openwebapps stuff): #601
train-2011.11.17:
* frontend code restructuring and refactoring
* process breakup complete (dbwriter, keysigner, browserid, and verifier): #460
* several updates to production deployment scripts (rpm generation): #571, #575
* all processes should log and exit hard if misconfigured: #576, #581
* complete 'keep me signed in' feature: #559, #490
* simplify and consolidate user facing help links in dialog: #553
* clean up user facing error messages (email throttling and sent email): #579, #577, #591
* moved 'this is not me' and 'use a different email' links based on UX suggestions: #459
* incrementally work to repair load_gen (not yet complete) : #504
* unit test fixes: #504
* remove extraneous console logging: #574
* improve email validation in main site (whitespace handling): #583, #429
* fix serious regressions related to iOS5 fixes that prevented dialog from working the second time on RPs: #580, #588 #589
* fix "go back and try another" link in dialog: #587
* added "required email" feature: #491
* (added 2011.11.18) fix regression - sporadic assertion verification failures: #616
train-2011.11.10:
* keysigner process now handles certificate generation: #460
* verifier no longer supports CORS requests: #245
* experimental support for nodejs 0.6.0: #535
* reduce access to private key (only the keysigner has access to it): #539
* improve language of buttons during sign-in: #198
* better error messaging during sign-in/up interactions on main site: #542
* user only has to type their browserid password every two weeks (not one): #543
* upgrade mysql driver - no crash upon idle reconnection: #540
* address regression in #540 - reconnect to proper database (also fixes 'create_schema' flag): #548
* implement 'keep me signed in' - includes API changes and UX/UI changes: #490
* front end unit test improvements: #542, #408
* fix regression in tooltips (weren't showing contents): #547
* calls to __heartbeat__ aren't logged: #537
* strip whitespace on email input: #429
* fix sporadic errors in unit tests: #550, #556
* crypto changes to support IE8: #244
* fix tab ordering in UI: #544
* chrome specific UI fixes: #552
* better UI feedback when hovering over buttons: #553
* reorganization of browserid process, breakout of dbwriter (not yet enabled): #460
* improve log message error levels (be sparing with 'error'): #509
train-2011.11.03:
* Remember the last used email for a site, and optimize the default selection based on this: #1
* Fix regression where verification of assertions would fail for https sites: #500 (also hot-fixed in production https://github.com/mozilla/browserid/commit/1528364)
* improved end user visible error messages: #448, #465, #512, #515
* style/transition improvements for desktop and mobile devices: #494, #502, #522, #527
* refuse to send out more than one email per minute to the same address: #430
* be *really* smart about how long to display tool-tips in the dialog: #508
* behave reasonably (at least display content) when javascript is disabled: #510
* remember the users email as they transition between screens, when appropriate: #476
* Suppress iOS autocapitalizion and auto-correction for email addresses: #464
* Improve front end email address validation: #513
* Improve repository organization: #503 & #488
* As part of above and in prep for #460 - all processes (browserid, verifier, etc) are now always run separately (never combined into the same express instance
* Test improvements: #520, #530, #531
* Fix undefined reference (crash) in verifier after verification failure: #523 (hot-fixed in production: https://github.com/mozilla/browserid/commit/ba3c53)
* Remove UI that corresponds to unimplemented features: #519
* Handle upper case letters in domain part of email addresses properly: #501
* Use a more conventional log format that includes time-stamps when logging to file. closes #234
* Shutdown gracefully whenever possible, and always log why we go down: #529
* 'LOG_TO_CONSOLE' env var for verbose console output during tests: #530
* more checks around '/code_update' URL invocation - for bug #699171
* Many minor bug-fixes: #497, #532
* (2011.11.08) don't crash on mysql connection timeout: #540
train-2011.10.27:
* link fixing ('need help?' to point to SUMO): #378
* unit tests repaired: #469 (broken in fix to #82)
* improve handling of network errors: #448
* improve styling and language of email confirmation page: #349
* logging improvements: #455
* RPM generation script created (for installation of browserid on redhat [moz prod] boxes): #478
* SCHEMA CHANGES to improve database performance and scalability: #480
* change the health check call from '/ping.txt' to '/__heartbeat__': #481
* remove application level network timeouts (let the network stack do its job, the user can cancel if they get sick of it): #485
* improve messaging for unsupported browsers: #273, #484
* developer documentation improvements: #496
train-2011.10.20:
* android < 3.0 now supported: #461
* properly set assertion expiration time to when they expire, not when they're issued: #433, #457, #458
* update privacy policy language to jive with new UI: #381
* add redirects for old URLs that no longer exist with the new UI: #376
* inside the minified include.js, link to uncompressed version for developer convenience and discovery: #432
* language tweaks: #437, #444
* improve button UI appearance on opera and IE: #435
* improve visual feedback for links: #440
* UI fixes for > 2 email addresses on iOS: #417
* smooth out screen transitions in dialog: #369
* improved "check your email" screen on mobile: #462
* no auto-caps nor auto-correct for iOS in add email field: #464
* improve event listening on input fields: #406
* remember email when moving user from signup to sign-in for known email address: #108
* don't call sync_emails more than necessary: #434
* assertions now include full origin (scheme+host+port). verifier accepts only host+port OR full origin, and returns whatever RP sends for back compat: #82
train-2011.10.13:
* fix verification of email in different browser than where verification is initiated: #336
* Android < 3.0 (browsers that can't handle JSON.parse("null")) now blocked explicitly (until we complete support)
* textual fixes to about page: #350
* 'cancel account' link added to manage page: #405
* warn user that removing last email address effectively cancels account: #394, #404, #137
* fixed signing dialog hang when you delete an email on manage page while dialog is open (now that's not obscure :P): #401
* Optimize UI in case where user has only 1 email address: #412
* smooth out transition from pick email to add new email pages: #410
* reposition remove buttons on manage page: #409
* identity and labs links open in new tabs: #380
* fix innocuous (but ugly) error in firefox error console: #390
* implement dynamic bcrypt work factor update: #204
* default work factor is now at 12 (NOTE: [re]authentication now takes 6x longer - ~600ms on our current hardware): #212
* many test fixes, and code refactoring, cleanup, and reorganization
* accept SMTP parameters from the environment: #214 (not yet closed)
* WSAPI CHANGES (https://github.com/mozilla/browserid/commit/511b56): all server responses are now objects: #217, #325
train-2011.10.06:
* full site & dialog redesign: (many, many closed issues are related to this, including #269, #343, #342, #347, #354, #356, #357, #350, #349, #364, #346, #336)
* improved debugging, all network callbacks are invoked asynchronously: #276
* MYSQL SCHEMA CHANGE: passwd field no longer in staged table (password is now set after verify link clickthrough)
* MYSQL SCHEMA CHANGE: add index to emails table: #209
* WSAPI CHANGES (to support new UI): https://github.com/mozilla/browserid/commit/b6ee51
* WSAPI CHANGES: a mis-set client clock no longer causes invalid assertions to be issued (wsapi changed to minimize network requests): #329
* disallow re-registration of existing account: #333
* (non-visible) namespacing in dialog code: #275
* API BREAKING CHANGE: verifier no longer supports GET requests: #98
* significant performance / UX improvement - keys are generated and certified when needed, not all upfront at sign-in: #278
* remove 'download printable format' language from privacy policy: #280
* faster keygen via crypto optimizations: https://github.com/mozilla/browserid/commit/778433
* improvements to mobile layout & usability (specific to the new UI)
* more user visible error messages to improve community sourced problem reports: #335
* IE8 improvements (still not fully supported): #246, #361, #346
* cookie fixes revisited, now on upstream version of connect-cookie-session: #310
* (merged 2011.10.07) fix unstyled flash at first dialog display: #365
train-2011.09.29:
* shortly after dialog is spawned, we remove the four random chars in the fragment (aesthetic)
* fix bug where session duration had an upper bound of 7 days - the time the server was running: #310
* fix bug where a user could go longer than 1 week without re-authenticating: #309
* fix link on /developers page to verfier source: #326
* (merged 2011.10.04) fix issue where a wrong-set client clock could prevent login: #329
* (external fix in myfavoritebeer) IE9 support: #240
train-2011.09.22:
* migrate to browserid signed certificates rather than keypairs where browserid hosts the public key: https://github.com/mozilla/browserid/issues?milestone=6
* IE9 support
* partial IE8 support (not yet usable, several small remaining bugs, and abysmal performance)
* development harness (./run.js) now respects an IP_ADDRESS env var to bind to a specific address (other than 127.0.0.1)
* improved first-time development experience: `git clone && cd browserid && npm install && npm run`
* initial support for running locally under virtualbox via vagrant: issue #261 (thanks ozten!)
* (fix 2011.09.23) fix race condition between relay iframe and window introduced with IE9 support. issue #287
* (fix 2011.09.23) fix blank popup on second signin invocation in same session in FFX: issue #286
* (fix 2011.09.23) explicitly disable caching for /wsapi calls, prevents unwanted caching of CSRF and friends. issue #294
train-2011.09.01:
* /ws_api/set_key always returns returns value instead of HTTP 204 response: #219
* update javascript mvc to 3.1.0.
* major interframe/window communication change using a hidden relay iframe to facilitate IE: #97(still open)
* link colors on browserid.org are consistent: #227
train-2011.08.25:
* created command line load generation tool and performance analysis work: #125
* beginning unit/functional tests for front end: #183
* front end refactor to facilitate unit/functional tests and UX iteration: #183
* error messages are shown on front end: #184
* users must now verify account ownership before attempting a key sync.
* manage page date format: #191
* manage page button only displayed if user is currently authenticated: #195
* manage page emails are synced on page open: #181
* wsapi_client created for clients needing programatic access to wsapi.
* harden set_key against duplicate keys.
* fix new email addresses added not being synced on client: #199
* upgrade to bcrypt 0.2.4.
* minify include.js by default: #206
* more than one email address can be added per dialog lifespan: #215
* verifyier no longer verifies assertions issued by another server.
* (2011.08.31) no error message displayed if you try to authenticate with an invalid u/p: #222
train-2011.08.18:
* upon clickthrough of the email link, don't have the browser window close itself: #162
* passwords must be between 8 and 80 chars: #155
* improved handling of emailing & verification urls during local development & testing: #88
* language changes in dialog: #150
* many improvements to unit tests: #171
* forgotten password flow was broken with port to mysql, fixed: #170
* improved metrics reporting abstraction: #168
* moved all server logging into a single file: #169
* all files created at execution time are now in one location: #172
* developer ergonomics - improved colorized logging with terse webserver output to console
* always require a user to authenticate if they don't have an active session: #74
* improved CSRF protection to fix race conditions in previous train: #173
train-2011.08.12:
* massive zero-user-visibile refactoring of dialog javascript.
* fix cancel button in "waiting for verification state" (issue #147)
* all browserid source is now tri-licensed (MPL1.1/GPL/LGPL). (issue #141)
* fixes for mobile firefox (fennec). (issue #140)
* mysql support implemented for browserid (default persistence production) (issue #71)
* json persistence support added - a standalone dead simple persistence layer which is the default for local development and requires no external software.
* email secrets are now persisted in the database, so upon server restart outstanding verification links are no longer invalidated (issue #91)
* (website) styling changes - like fix issues where links on dev page were being displayed white on white.
train-2011.08.04:
* when user closes dialog without clicking "cancel", properly return 'null' to the webpage (via getVerifiedEmail callback) - issue #107
* improve checks to warn developer that prerequisite software is missing. issue #110
* parameterize software to support multiple deployment environments (dev/beta/prod) issues #102 & #52
* documentation updates.
* improved logging (using the winston logging framework for node.js)
* [website] fixed inclusion of youtube video (now over https to keep browsers from getting scared about mixed mode resource inclusion)
train-1:
* beginning of time, everything is new.
* (2011.08.03) include youtube video embedding over https (issue #112)
* (2011.08.04) fix mozillalabs.com link in dialog (issue #116)