Releases: iris-connect/iris-client

v1.6.0

30 Jun 14:50

1.6.0 (2022-06-30)

Attention:

The newly added two-factor authentication feature defaults to ALWAYS. This means that after installation, every user must set up the second factor (a time-based one-time password, TOTP) at their next login. If this is not desired, set the environment variable SECURITY_AUTH_DB_MFA_OPTION in the .env to one of the following values:

  • OPTIONAL_DEFAULT_TRUE
  • OPTIONAL_DEFAULT_FALSE
  • DISABLED

Bug Fixes

  • Adds support for multi-column sort query parameters. (Fixes broken table sort of iris-message list.) (9daf6a1), closes #801
  • Changes NGINX Content-Security-Policy configuration to allow data URLs as image src and adds data: to the forbidden keywords. (cedf240), closes #862
  • Deps: Fixes dependabot security alert and update multiple npm dependencies (7b71e64), closes #729
  • Deps: Updates Spring Boot to 2.6.6 to fix the vulnerability avd.aquasec.com/nvd/cve-2022-22965 (46a50b5)
  • Deps: Updates version of jackson-databind to fix the vulnerability: avd.aquasec.com/nvd/cve-2020-36518 (84a4b04)
  • Fixes a validation error when changing user data of admins. This could lead to an admin not being able to change their data under certain circumstances (when there is only one admin and the role is not transferred along with the data). (61f6bc3), closes #703
  • Fixes an occasional ConstraintViolationException that can only be caused by parallel processing of multiple requests from the same IP. (71c1c98), closes #828
  • HTTP status code is now set correctly for validation errors with JSON-RPC (400). Related to this, there is now a central place to handle exceptions with JSON-RPC and to configure the correct HTTP status code. (e0b98f7), closes #827
  • Removed wrong line breaks at the end of certificates. (64104a0)
  • When checking incoming and entered data for possible attacks, case is now ignored for keywords. (a378e58), closes #864

Features

  • For JSON-RPC calls (calls from EPS), the client name submitted by EPS is now used as user (if available). Thus, the metadata of records created via JSON-RPC now also contain a user as creator and it is easier to see by whom the data was created. (71ff56f), closes #826
  • Mail dispatch can now be configured in the .env (see .env.sample). This makes it possible to send notifications when new data has been transferred to the IRIS client (at the moment implemented for the data of an event). (4310bd0), closes #557 #858
  • Messages: Messages can now be used to exchange guests of events between health departments. This makes it possible to transmit the guests received through a data request to the responsible department. The data can be transferred directly from the event overview to a message or can also be added to a message as an attachment. This is the beginning, more data types will follow. (9c3c8cd), closes #640
  • Messages: Messages can now be used to exchange vaccination reports between health departments. This makes it possible to transmit received records to the appropriate department through a data transfer. The data can be transferred directly from the vaccination report overview to a message or can also be added as an attachment to a message. (64636ba), closes #762
  • Old messages are deleted after a configurable time (default is after 180 days) with all associated data. (d768632), closes #773
  • The authentication tokens (JWT) now retain their validity beyond the restart of the IRIS client. This means that, ideally, users barely notice a restart of the application. (2442685), closes #804
  • The client backend now also supports the use of a refresh token, which can be used to extend the short validity of the authentication. This makes it more convenient to use, especially in conjunction with a two-factor authentication. (b20ed86), closes #803
  • The client is now a bit more secure against attacks and theft of the authentication token (JWT). For this, the JWT is now transferred and processed in HTTP-only cookies. In this context, XSRF protection with XSRF-TOKEN cookies has also been enabled. (ae25da8), closes #802
  • Users are no longer deleted immediately, but marked as deleted. The marked users can no longer be used and are no longer displayed. However, the data is still available, for example, for working with the audit logs. After all references to the users are deleted according to the respective deadline or after a specified time, the users are finally anonymized. Procedure and time periods are configurable. (a913eaf), closes iris-connect/iris-backlog#235 #761
  • Users can be marked as locked. This makes it possible to temporarily lock users when they are absent. The locked users are not deleted, they are still available in the overview, but cannot be used for a login. (68d55ec), closes #775
  • Users can now use two-factor authentication with a time-based one-time password (TOTP). If it is enabled, a TOTP generated by a corresponding app is expected and verified after the conventional login. To set up the app, IRIS displays a QR code to the user. The admin can also make this mandatory via an environment variable. If 2FA is expected but the user has not yet completed its setup with a successful verification, the QR code is displayed after the successful conventional login and the verification is performed. (03b915c), closes iris-connect/iris-backlog#251 #840

Upgrade Guides

Docker Compose guide

Stand-alone guide

Note about the runtime environment for stand-alone installations.

IRIS uses and requires Java 17! For stand-alone installations, make sure that a current version of Java 17 is installed! With this we use the latest version of Java with long term support.

v1.6.0-rc.2

30 Jun 13:50
Pre-release

1.6.0-rc.2 (2022-06-30)

Bug Fixes

  • Changes NGINX Content-Security-Policy configuration to allow data URLs as image src and adds data: to the forbidden keywords. (cedf240), closes #862
  • Fixes an occasional ConstraintViolationException that can only be caused by parallel processing of multiple requests from the same IP. (71c1c98), closes #828
  • HTTP status code is now set correctly for validation errors with JSON-RPC (400). Related to this, there is now a central place to handle exceptions with JSON-RPC and to configure the correct HTTP status code. (e0b98f7), closes #827
  • When checking incoming and entered data for possible attacks, case is now ignored for keywords. (a378e58), closes #864

Features

  • Mail dispatch can now be configured in the .env (see .env.sample). This makes it possible to send notifications when new data has been transferred to the IRIS client (at the moment implemented for the data of an event). (4310bd0), closes #557 #858
  • Users can now use two-factor authentication with a time-based one-time password (TOTP). If it is enabled, a TOTP generated by a corresponding app is expected and verified after the conventional login. To set up the app, IRIS displays a QR code to the user. The admin can also make this mandatory via an environment variable. If 2FA is expected but the user has not yet completed its setup with a successful verification, the QR code is displayed after the successful conventional login and the verification is performed. (03b915c), closes iris-connect/iris-backlog#251 #840

v1.6.0-rc.1

22 Jun 12:27
Pre-release

1.6.0-rc.1 (2022-06-22)

Bug Fixes

  • add support for multi-column sort query parameters (fixes broken table sort of iris-message list) (9daf6a1), closes #801
  • Dependencies: Updates version of jackson-databind to fix the vulnerability: avd.aquasec.com/nvd/cve-2020-36518 (84a4b04)
  • Deps: updates Spring Boot to 2.6.6 to fix the vulnerability avd.aquasec.com/nvd/cve-2022-22965 (46a50b5)
  • fix dependabot security alert and update multiple npm dependencies (7b71e64), closes #729
  • fix e2e tests by correcting the spec order (53fd088), closes #764
  • Fixes a validation error when changing user data of admins. This could lead to an admin not being able to change their data under certain circumstances (when there is only one admin and the role is not transferred along with the data). (61f6bc3), closes #703
  • ga-gotham config tls communication between internal eps (4b6cf41)
  • removed line breaks at the end of certificates. (64104a0)

Features

  • For JSON-RPC calls (calls from EPS), the client name submitted by EPS is now used as user (if available). Thus, the metadata of records created via JSON-RPC now also contain a user as creator and it is easier to see by whom the data was created. (71ff56f), closes #826
  • Messages: Messages can now be used to exchange guests of events between health departments. This makes it possible to transmit the guests received through a data request to the responsible department. The data can be transferred directly from the event overview to a message or can also be added to a message as an attachment. This is the beginning, more data types will follow. (9c3c8cd), closes #640
  • Messages: Messages can now be used to exchange vaccination reports between health departments. This makes it possible to transmit received records to the appropriate department through a data transfer. The data can be transferred directly from the vaccination report overview to a message or can also be added as an attachment to a message. (64636ba), closes #762
  • Old messages are deleted after a configurable time (default is after 180 days) with all associated data. (d768632), closes #773
  • The authentication tokens (JWT) now retain their validity beyond the restart of the IRIS client. This means that, ideally, users barely notice a restart of the application. (2442685), closes #804
  • The client backend now also supports the use of a refresh token, which can be used to extend the short validity of the authentication. This makes it more convenient to use, especially in conjunction with a two-factor authentication. (b20ed86), closes #803
  • The client is now a bit more secure against attacks and theft of the authentication token (JWT). For this, the JWT is now transferred and processed in HTTP-only cookies. In this context, XSRF protection with XSRF-TOKEN cookies has also been enabled. (ae25da8), closes #802
  • Users are no longer deleted immediately, but marked as deleted. The marked users can no longer be used and are no longer displayed. However, the data is still available, for example, for working with the audit logs. After all references to the users are deleted according to the respective deadline or after a specified time, the users are finally anonymized. Procedure and time periods are configurable. (a913eaf), closes iris-connect/iris-backlog#235 #761
  • Users can be marked as locked. This makes it possible to temporarily lock users when they are absent. The locked users are not deleted, they are still available in the overview, but cannot be used for a login. (68d55ec), closes #775

v1.5.1

29 Mar 08:42

1.5.1 (2022-03-29)

Bug Fixes

  • Messages: Displays the county or city name from RKI data as recipient and in the recipient selection instead of a technical name.
  • Messages: Improves the recipient selection. The list of possible recipients for messages is now created cyclically in a background job and is immediately available for the frontend. (73cda44), closes #678 #680
  • Removes long deprecated environment variables from .env.sample. These variables have had no effect for some time. (9bf0a55), closes #679
  • RPC methods can now be extended with additional parameters while still remaining compatible with legacy RPC clients if default values are used. (4320b23), closes iris-connect/iris-backlog#278
  • Updates EPS to version v0.2.6 (2cd3a4a)

Upgrade Guides

Docker Compose guide

Stand-alone guide

Note about the runtime environment for stand-alone installations.

IRIS uses and requires Java 17! For stand-alone installations, make sure that a current version of Java 17 is installed! With this we use the latest version of Java with long term support.

v1.5.1-rc.2

25 Mar 15:28
Pre-release

1.5.1-rc.2 (2022-03-25)

Bug Fixes

  • Updates EPS to version v0.2.6 (2cd3a4a)

v1.5.1-rc.1

25 Mar 10:55
Pre-release

1.5.1-rc.1 (2022-03-25)

Bug Fixes

  • Messages: Improves the performance of the . The list of possible recipients for messages is now created cyclically in a background job and is immediately available for the frontend. (73cda44), closes #678 #680
  • Removes long deprecated environment variables from .env.sample. These variables have had no effect for some time. (9bf0a55), closes #679
  • RPC methods can now be extended with additional parameters while still remaining compatible with legacy RPC clients if default values are used. (4320b23), closes iris-connect/iris-backlog#278

v1.5.0

16 Mar 09:32

1.5.0 (2022-03-16)

Features

  • Displays meta-data (who and when created/last modified an entity) on event-tracking, index-tracking and user detail pages. (da1b7a6), closes iris-connect/iris-backlog#234 #638
  • Docker Compose: Adds scope labels to the services in the Docker Compose file to avoid conflicts with possibly existing other instances of Watchtower on the same Docker host. (499267f), closes #666
  • Messages: Adds a hint to search for hd-contacts by postal code or city into the message input frontend. (032a648), closes #632 #636
  • Messages: Uses _ping and the EPS version check when building the recipient list to determine if a health department is able to receive messages. This avoids additional configuration and enables faster propagation of the feature. (446da17), closes #668
  • vaccination report: Apps connected to EPS can announce the submission of a vaccination report via the JSON-RPC method announceVaccinationInfoList. A transmission channel is then opened briefly for the respective user of the app. (c38078a), closes iris-connect/iris-backlog#273 #635
  • vaccination report: Apps connected to EPS can submit a vaccination report via the JSON-RPC method submitVaccinationInfoList. The information is saved and made available to health department staff via the front end. (72b1f74), closes iris-connect/iris-backlog#274 #651
  • vaccination report: There is a new view in the front end with an overview of submitted vaccination reports. In the details view of a vaccination report, the submitted persons are displayed with their vaccination status. (00e93e8), closes iris-connect/iris-backlog#275 #629

Upgrade Guides

Docker Compose guide

Stand-alone guide

Note about the runtime environment for stand-alone installations.

IRIS now uses and requires Java 17! For stand-alone installations, make sure that a current version of Java 17 is installed! With this we use the latest version of Java with long term support.

v1.5.0-rc.3

15 Mar 13:00
Pre-release

1.5.0-rc.3 (2022-03-15)

Features

  • Messages: Uses _ping and the EPS version check when building the recipient list to determine if a health department is able to receive messages. This avoids additional configuration and enables faster propagation of the feature. (446da17), closes #668

v1.5.0-rc.2

14 Mar 12:55
Pre-release

1.5.0-rc.2 (2022-03-14)

Features

  • Docker Compose: Adds scope labels to the services in the Docker Compose file to avoid conflicts with possibly existing other instances of Watchtower on the same Docker host. (499267f), closes #666

v1.5.0-rc.1

09 Mar 10:23
Pre-release

1.5.0-rc.1 (2022-03-09)

Features

  • Adds a hint to search for hd-contacts by postal code or city into the message input frontend. (032a648), closes #632 #636
  • Displays meta-data (who and when created/last modified an entity) on event-tracking, index-tracking and user detail pages. (da1b7a6), closes iris-connect/iris-backlog#234 #638
  • vaccination report: Apps connected to EPS can announce the submission of a vaccination report via the JSON-RPC method announceVaccinationInfoList. A transmission channel is then opened briefly for the respective user of the app. (c38078a), closes iris-connect/iris-backlog#273 #635
  • vaccination report: Apps connected to EPS can submit a vaccination report via the JSON-RPC method submitVaccinationInfoList. The information is saved and made available to health department staff via the front end. (72b1f74), closes iris-connect/iris-backlog#274 #651
  • vaccination report: There is a new view in the front end with an overview of submitted vaccination reports. In the details view of a vaccination report, the submitted persons are displayed with their vaccination status. (00e93e8), closes iris-connect/iris-backlog#275 #629