Releases
Nuget Packages
3.0.19
- Increased built-in trial runtime validity to 30 mins.
- Moved XSS validation invocation into the pipeline from platform’s Protect attributes, taking advantage of the standard pipeline’s error handling workflow and security settings infrastructure.
- Added OpResult.XssDetected error code and mapped it to the 400 HTTP status code.
- Introduced a new ValidateForXss method in IRequestService, which all platforms implement to invoke XSS validation from the pipeline with the appropriate request input model.
3.0.15
- Added support for searching and registration of trial key file ‘AskTrial.dat’ as part of the TryRegistrerFromExecutionPath method itself.
- Upgraded ASPSecurityKit.Tools to 3.0.9.
- Added a couple of overloads of IRequestService.WriteToResponse for writing text content (with content type) and writing model as json, along with HTTP status code.
- Added a new UnprotectedRequestPaths setting and its evaluation in the pipeline as the first thing.
- Added support to automatically locate the right related references loader method for parameters/properties named generically as Id, by trying alternative names prefixed using EntityCode or parent type name, so as to eliminate the need to define the Authorize attribute on such members.
- Added new GetErrorMessage method in ISecurityUtility to reuse logic that determines whether or not to return the actual error depending on the environment/HTTP status code.
- Added support for authorizing optional EntityIds as part of possesses permission check.
- Added NullSuspensionService so as to not send the same in non-Premium source packages.
- Removed duplicate call to GetReferences in IsAuthorized.
- Updated VerifyAccount to return OpResult instead of boolean so we can check for and report already verified status as well.
3.0.7
- Added host constraint for trial keys and support for subscription keys.
- MFAEnforcement conditions in AuthorizationProvider updated to use Enabled property rather than IsMFAVerified, new condition added.
- Setting additional detailed errors parameter/property in error handlers of AuthorizationProvider, AuthenticationProvider, MultiFactorProvider, SecurityPipeline into AuthFailedException and call to WriteToResponse etc.
- Setting entityId failing authorization and suspension checks in AuthErrors.Meta as well, for internal server processing by the application.
- New specific error codes - IpDenied, InvalidOrigin, InvalidSiteKeyUse, NotAllowedDuringImpersonation and their usage in AuthSessionProvider/AuthorizationProvider instead of generic Unauthenticated/Unauthorized.
- New MFA related properties (MFAEnforced/MFAWhiteListedIpRanges) in IAuthDetails, use of these in UserService/AuthSessionProvider.
- Implemented support for password expiration policy based on a custom security setting method.
- Skipping further checks if identity fails any of the following authorization checks: user verification, password expiration, MFA enforcement, custom other checks.
- Moved allow during impersonation check to be the first in authorization checks (after public key check).
- Added new RequestFeature AuthorizationNotRequired with support in the pipeline to skip authorization step completely.
- Changed IdMemberSelectorRegex to IdMemberSelectorRegexPattern.
- Added urn as part of IdMemberSelectorRegexPattern to capture it as entityId field for ADA.
- New IsURLSimilarTo string extension.
- Marked some members as virtual in components wherever found missing.
3.0.8
- Upgraded to ASPSecurityKit 3.0.19
3.0.7
- Added supporting logic for locating related references loader by alternative identifier names by providing EntityCode as entityName to the Authorize method.
- Added supporting logic for authorizing optional EntityIds as part of possesses permission check. An option in the PossessesPermissionCodeAttribute is added to ignore this default behavior.
- Added DI registration for ISuspensionService defaulting to NullSuspensionService.
- Made permissionCode parameter optional in the AuthPermission attribute’s constructor, to indicate ActionName as the complete permissionCode.
3.0.4
- New MFAPromptUrl, MFASettingUrl and ChangePasswordUrl properties in Security Settings and logic in MvcFailureHandler to leverage these to redirect to a proper page during errors like NotMultiFactored, MustEnableMFA and PasswordExpired, respectively.
- Changed redirection in MvcFailureHandler to work only if the current URL isn’t the same as the URL to redirect to. Otherwise, let the error be thrown.
- Added new FeatureAttribute to specify one or more RequestFeature values directly.
- Marked some members as virtual in components wherever found missing.
3.0.9
- Remove XSS logic from the ProtectAttribute as it’s moved to the pipeline.
- Implemented ValidateForXss method.
- Added an initializer delegate in ProtectAttribute to initialize an instance of IRequestService through it instead of inline initialization. This makes it possible to initialize a customized version of IRequestService.
3.0.5
- Count multiple action methods by the same name as one operation for evaluating number of operations trial restriction. This helps in MVC evaluation where the same operation is split into GET and POST actions.
- Implemented the new overloads of IRequestService.WriteToResponse to write text content and write model as json to response.
- Implemented evaluation of new setting UnprotectedRequestPaths in the ProtectAttribute as the first thing (even before the XSS check).
- Fixed IsApiRequest to also consider action as non-API action when the return type is IActionResult.
- Implemented GetEntityCode to aid in new feature of locating related references loader by alternative identifier names.
- Modified GetPermissionCode to consider ActionName as the PermissionCode when AuthPermissionAttribute.PermissionCode isn’t specified.
3.0.2
- Added support for FeatureAttribute in the RequestService.
3.0.9
- Remove XSS logic from the ProtectAttribute as it’s moved to the pipeline.
- Implemented ValidateForXss method.
- Added an initializer delegate in ProtectAttribute to initialize an instance of IRequestService through it instead of inline initialization. This makes it possible to initialize a customized version of IRequestService.
3.0.5
- Count multiple action methods by the same name as one operation for evaluating number of operations trial restriction. This helps in MVC evaluation where the same operation is split into GET and POST actions.
- Implemented the new overloads of IRequestService.WriteToResponse to write text content and write model as json to response.
- Implemented evaluation of new setting UnprotectedRequestPaths in the ProtectAttribute as the first thing (even before the XSS check).
- Implemented GetEntityCode to aid in new feature of locating related references loader by alternative identifier names.
- Modified GetPermissionCode to consider ActionName as the PermissionCode when AuthPermissionAttribute.PermissionCode isn’t specified.
3.0.2
- Added support for FeatureAttribute in the RequestService.
3.0.9
- Remove XSS logic from the ProtectAttribute as it’s moved to the pipeline.
- Implemented ValidateForXss method.
- Added an initializer delegate in ProtectAttribute to initialize an instance of IRequestService through it instead of inline initialization. This makes it possible to initialize a customized version of IRequestService.
3.0.5
- Implemented the new overloads of IRequestService.WriteToResponse to write text content and write model as json to response.
- Implemented evaluation of new setting UnprotectedRequestPaths in the ProtectAttribute as the first thing (even before the XSS check).
- Implemented GetEntityCode to aid in new feature of locating related references loader by alternative identifier names.
- Modified GetPermissionCode to consider ActionName as the PermissionCode when AuthPermissionAttribute.PermissionCode isn’t specified.
3.0.2
- Added support for FeatureAttribute in the RequestService.
3.0.11
- Removed XSS logic from the ProtectAttribute as it’s moved to the pipeline.
- Implemented ValidateForXss method.
- Added an initializer delegate in ASPSecurityKitFeature to initialize an instance of IRequestService through it instead of inline initialization. This makes it possible to initialize a customized version of IRequestService.
3.0.7
- Added supporting logic for locating related references loader by alternative identifier names by providing EntityCode as entityName to the Authorize method. Also includes a new EntityNameFromDTONameGetter delegate setting with a default implementation that cleanses the DTO name for GetEntityCode.
- Added supporting logic for authorizing optional EntityIds as part of possesses permission check. An option in the PossessesPermissionCodeAttribute is added to ignore this default behavior.
- Added DI registration for ISuspensionService defaulting to NullSuspensionService.
- Implemented the new overloads of IRequestService.WriteToResponse to write text content and write model as json to response.
- Implemented evaluation of new setting UnprotectedRequestPaths in both Async Filter and the ProtectAttribute as the first thing (even before the XSS check).
3.0.4
- Added new FeatureAttribute (along with support in the RequestService) to specify one or more RequestFeature values directly on request DTOs.
- Marked some members as virtual in components wherever found missing.
3.0.9
- Logic to generate a trial key automatically upon installation of a trial source package which requires it.
- Implemented new feature Get Trial Key to aid in trying out ASPSecurityKit with getting started and similar tutorials that need more operations than what’s permitted with the default restrictions.
- Some fixes in tools version supported check and other processes.
3.0.5
- Replaced the help link with a button that opens a context menu with the options: 1. User Guide 2. Known Issues and Workarounds 3. Logs 4. Report Issue 5. About 6. Contact 7. Terms.
- Support optional files in a package, so that they do not get copied to the target if they already exist.
- Support deletion of unwanted files in project via file.dep.
- Logic in add assembly/install nuget package to take action based on package installationErrors rules in case of exception.
- Changed restartRequired to afterInstall and also added a short version of it to capture message to show during error.
- Showing postInstallationMessage upon completion if available for the package.
- Opening readme upon completion (from url/text file as per the availability).
- Logging related optimizations.
- Made a failure to remove an item reportable as ‘required action from user’.