Improved Password Strength and Security
Our Application Developers have a wide array of Field Types to choose from, and many of these field types validate the data they store. Some store numbers, some dates, email addresses, website URLs, and the list goes on. One thing we haven't been able to provide, before now, is a consistent set of tools for defining what must go into a *password* for it to be valid for your users. That is, until now.
You can now setup a password field to have:
A minimum length.
A minimum number of uppercase letters.
A minimum number of lowercase letters.
A minimum number of digits.
A minimum number of special characters.
When you do this, and the User enters an invalid value, they will get an instantaneous prompt that their password isn't strong enough and the prompt will tell them the password restrictions you have setup!
This validation is triggered as part of a new, super fast, UI-level Validation system. We'll be transitioning all of our built in data validations to this new system soon, and hope to allow you to write your own validations against this system in 2015.
Meanwhile, in the backend, we've always employed a one-way encryption algorithm when storing our passwords. This methodology allowed users to set their password, and for no one.. not even me.. to find out that password. When you set your password to "thispasswordissecure", the best I could do is read something like 32dDS3412SADFT%321 (32d...321). Obviously, not helpful, if I want to break into your account.
This is pretty cool, and the way this works is simple. When you're changing your password, and you enter "thispasswordissecure", we apply some encryption/hashing magic to that string, get 32d...321, and store that in the database. Then, when you login, you type "thispasswordissecure" we apply that same magic, and get 32d...321 again! Assuming the stored value, and this current value match.. we know that you entered the correct password. We don't know what it is, but we know you entered it correctly.
So, that's good.. but it's not great. For instance, if I happened to set my password to "thispasswordissecure" also, then my stored value would also be 32d...321. When I see that your hash and my hash match.. now I know your password!! That's bad.
To combat this, we are generating a unique key for every user that has a password, different for each user, and we're using it as part of the encryption magic. This key is called a "Salt". Since my salt and salt are different, the same password doesn't even look alike in the database. Problem solved.
To take things to the next level, instead of applying only 1 round of magic, we're doing it over 30,000 times. This not only helps with the strength of the encryption, but it also means it takes about 0.8 seconds to do the encryption. Yes, this will mean it will take a little extra time when logging in; but it also means that a brute force attacker who is trying to break your password, has to wait 0.8 seconds to find out his latest password attempt failed. When they are going to have to try millions of possible values to get a hit.. that translates into a lot of seconds.
Intuit and Quickbooks Integration
Quickbooks.. that pesky accounting system that just won't go away! Now you don't have to replace it with hours of building functionality in WorkXpress; instead.. simply integrate with Quickbooks online!
We have just released a pairing of integration tools to let you do just that: the Intuit Login Field Type, and a series of ESB Profile's for Browsing, Adding, Editing and Deleting records in many of the tables in Quickbooks, right from inside WorkXpress.
Your User will need to use the Intuit Field Type to get connected to Quickbooks Online. Here's a Wiki Page that talks all about it.
Quickbooks has a SQL-like syntax for working with it's records, so you can sort, and filter when Browsing, Editing, and Deleting. It's pretty sweet, IMHO. If you plan to build an application with a Quickbooks Integration, you'll want to read the documentation carefully.
Facebook changes their API, so we change our calls!
So, this one isn't so much a new feature, as it is just a shout out to the power of the WorkXpress Platform. Facebook recently changed part of the call we need to make for logging in through Facebook, and we were able to release a new Beta Platform Version to the clients who use Facebook within minutes!
Many of our built in features could easily be added to a lot of basic web apps. Download the Facebook oAuth Docs, implement the login capability to their standards.. and you're done right? Well.. sometimes.. but not usually.
See, connecting to, or logging in through, any web technology can be great, it can be consistent, work all the time, and never change. But, the reality is that these things change from time to time. These changes are generally not made available all that easily, and when you discover that something as important as signing in to your app is suddenly broken because Facebook changed something.. you're going to be running around panicking, trying to find a fix as fast as possible.
Enter WorkXpress. We monitor the developer feeds of over 50 services we provide integrations for, on the look out for upcoming changes in these services, and new versions. Our staff is dedicated to keeping the downtime because of changes in these services to an absolute minimum. That's what happened here: Facebook changed their service, we responded with a changed to the data we were passing them, and the clients using Facebook Login were able update their platform, roll out, and go back to business as usual. Chickens, with their heads still attached, so to speak :-)
And much more...
Here are the full patch notes. At time of posting, this release is but a few days away.
Platform Version: 14.10.1009:
Action Type - Display Field (available in Evaluated Field Triggers)
- Added a setting for which field mode the chosen field will display under (View, Edit, or both). This allows an evaluated field to show one field when viewing a field and a different field when editing the field, for instance.
Action Type - Excel Read
- Fixed an issue with adding new Actions of this type.
Action Type - Read Email
- Updated IMAP implementation so it handles MIME Encoded Subjects properly, and does some encoding checking of the body of the emails that are coming in and corrects for this automatically.
Action Type - Reload Form
- Added options to "Reload the Current Tree Row", "Reload and Expand the Current Tree Row", "Reload the Tree Row from the Opening Page", and "Reload and Expand the Tree Row from the Opening Page".
Action Type - Save Field
- Fixed an issue with setting dynamic selection fields in the interface that use records from the page below.
Action Type - Send Fax
- Updated to include an option to record the page count of the sent fax in the application.
- Updated to read multiple files and fax them all in one, combined fax.
Action Type - Set Tenant
- Fixed typos in the configuration screens.
API
- Updated WX API Key generation to utilize improved password security.
Authentication
- Facebook Login Integration
* Updated the Log In button to request appropriate permissions for their newer oAuth API.
* Updated the Log In button to request the permissions to post to the wall only when there are Actions that will post to the wall in the application.
* Updated instructions for their Application approval process are on the wiki at http://wiki.workxpress.com/doku.php?id=Logging%20In.
Browser Detection
- Improved our compatible browser detection method so it will be automatically updated nightly as new browsers are released.
Enterprise Services Bus (ESB)
- Google Calendar Event ESB Profiles
- Fixed an issue when the user did not select a default calendar to post events to.
- *New* Intuit Quickbooks ESB Profiles
- Added ESB Profiles for Browsing Records from, Adding Records to, Updating Records in, and Deleting Records from Quickbooks.
Expressions and the Expression Builder
- Added RSASHA1, RSASHA1_Base64, HMACSHA1 and HMACSHA1_Bas64 to the CONVERT function.
- Fixed an issue with the CONCAT wizard interface.
- Fixed an issue with the parameters of the DISTANCE_BETWEEN function in the advanced expression builder.
- Fixed an issue with the return type for sub expressions not loading their stored value (HTML or Text).
Forms
- Added the For Each Logic Control to all Form Validation Triggers.
- Added a quick search to the Wizard Step where existing fields are selected for attachment to a Form.
Form Type - List
- Added fixed table header support to list forms with a maximum height set so that the list headers are visible when the form is scrolled.
- Added drag and drop column resizing for Testing and Production Applications. These settings are stored per User.
Form Type - Map
- Fixed an issue with some elements going behind the map controls.
- Fixed the name of a step in the configuration of these forms.
Form Type - Page
- Add and Save Behaviors
* Added options to "Reload the Tree Row Below" and "Reload and Expand the Tree Row Below".
* Renamed "Close" to "Close Popup".
* Added "Close Page", which works whenever the page has been opened indirectly.
* Updated how the 'Close' button is rendered on pages so it's compatible with quirks in IE11.
Form Type - Tabs
- Added the ability to define Ribbon style Tab Forms with options that are defined dynamically, by records in the database. The content for each Tab in this style is defined by an expression.
Form Type - Tree
- Added "Expand All" and "Collapse All" controls.
Field Type - Address
- Fixed an issue with saving the longitude or latitude parts when geocoding is enabled.
Field Type - Brain Tree Credit Card
- Updated when the non-editable flag is set to only work when the transaction amount setting is enabled.
Field Type - Counter
- Fixed an issue with Counter fields and their actions causing the counting to pause/stop.
Field Type - Google Calendar Subscription
- Updated the interface to automatically select the default calendar to the first calendar the user chooses to subscribe to.
*New* Field Type - Intuit oAuth
- This Field Type allows authenticated Users to connect to their Intuit Account. This connection generates a key that is used during the new Intuit Quickbooks Enterprise Service Bus Profiles.
Field Type - Location
- Fixed issues with saving and searching the individual longitude and latitude parts.
*New* Field Type - Password
- Fields of this type are now available for software developers to create. Note that the Password used during login is still the "Password" field on the User Record; so these values will need to be copied there for them to be read during login.
- Added settings for password validation, to enforce password strength.
- Password storage security has been revamped and improved.
Field Type - Recurrence
- Fixed an issue with filtering a Recurrence Field inside a query.
Field Type - Selection
- Updated how parent selection field data is handled by database driven selection fields to better support a multi value selection field being a parent.
- Updated context detection inside selection field config fields to include the parent picker context inside evaluated filters.
- Fixed an issue with interface actions acting on dynamic selection fields that used their parent field in their query configuration.
Internationalization - Language Import
- Fixed an issue with trying to import a file that references blocks that have been deleted.
Relational Tables
- Updated the 'Edit a Relationship Table' Wizard so it appears in the handbook, and is searchable through the help search in the bottom right.
Action Type - Display Field (available in Evaluated Field Triggers)
- Added a setting for which field mode the chosen field will display under (View, Edit, or both). This allows an evaluated field to show one field when viewing a field and a different field when editing the field, for instance.
Action Type - Excel Read
- Fixed an issue with adding new Actions of this type.
Action Type - Read Email
- Updated IMAP implementation so it handles MIME Encoded Subjects properly, and does some encoding checking of the body of the emails that are coming in and corrects for this automatically.
Action Type - Reload Form
- Added options to "Reload the Current Tree Row", "Reload and Expand the Current Tree Row", "Reload the Tree Row from the Opening Page", and "Reload and Expand the Tree Row from the Opening Page".
Action Type - Save Field
- Fixed an issue with setting dynamic selection fields in the interface that use records from the page below.
Action Type - Send Fax
- Updated to include an option to record the page count of the sent fax in the application.
- Updated to read multiple files and fax them all in one, combined fax.
Action Type - Set Tenant
- Fixed typos in the configuration screens.
API
- Updated WX API Key generation to utilize improved password security.
Authentication
- Facebook Login Integration
* Updated the Log In button to request appropriate permissions for their newer oAuth API.
* Updated the Log In button to request the permissions to post to the wall only when there are Actions that will post to the wall in the application.
* Updated instructions for their Application approval process are on the wiki at http://wiki.workxpress.com/doku.php?id=Logging%20In.
Browser Detection
- Improved our compatible browser detection method so it will be automatically updated nightly as new browsers are released.
Enterprise Services Bus (ESB)
- Google Calendar Event ESB Profiles
- Fixed an issue when the user did not select a default calendar to post events to.
- *New* Intuit Quickbooks ESB Profiles
- Added ESB Profiles for Browsing Records from, Adding Records to, Updating Records in, and Deleting Records from Quickbooks.
Expressions and the Expression Builder
- Added RSASHA1, RSASHA1_Base64, HMACSHA1 and HMACSHA1_Bas64 to the CONVERT function.
- Fixed an issue with the CONCAT wizard interface.
- Fixed an issue with the parameters of the DISTANCE_BETWEEN function in the advanced expression builder.
- Fixed an issue with the return type for sub expressions not loading their stored value (HTML or Text).
Forms
- Added the For Each Logic Control to all Form Validation Triggers.
- Added a quick search to the Wizard Step where existing fields are selected for attachment to a Form.
Form Type - List
- Added fixed table header support to list forms with a maximum height set so that the list headers are visible when the form is scrolled.
- Added drag and drop column resizing for Testing and Production Applications. These settings are stored per User.
Form Type - Map
- Fixed an issue with some elements going behind the map controls.
- Fixed the name of a step in the configuration of these forms.
Form Type - Page
- Add and Save Behaviors
* Added options to "Reload the Tree Row Below" and "Reload and Expand the Tree Row Below".
* Renamed "Close" to "Close Popup".
* Added "Close Page", which works whenever the page has been opened indirectly.
* Updated how the 'Close' button is rendered on pages so it's compatible with quirks in IE11.
Form Type - Tabs
- Added the ability to define Ribbon style Tab Forms with options that are defined dynamically, by records in the database. The content for each Tab in this style is defined by an expression.
Form Type - Tree
- Added "Expand All" and "Collapse All" controls.
Field Type - Address
- Fixed an issue with saving the longitude or latitude parts when geocoding is enabled.
Field Type - Brain Tree Credit Card
- Updated when the non-editable flag is set to only work when the transaction amount setting is enabled.
Field Type - Counter
- Fixed an issue with Counter fields and their actions causing the counting to pause/stop.
Field Type - Google Calendar Subscription
- Updated the interface to automatically select the default calendar to the first calendar the user chooses to subscribe to.
*New* Field Type - Intuit oAuth
- This Field Type allows authenticated Users to connect to their Intuit Account. This connection generates a key that is used during the new Intuit Quickbooks Enterprise Service Bus Profiles.
Field Type - Location
- Fixed issues with saving and searching the individual longitude and latitude parts.
*New* Field Type - Password
- Fields of this type are now available for software developers to create. Note that the Password used during login is still the "Password" field on the User Record; so these values will need to be copied there for them to be read during login.
- Added settings for password validation, to enforce password strength.
- Password storage security has been revamped and improved.
Field Type - Recurrence
- Fixed an issue with filtering a Recurrence Field inside a query.
Field Type - Selection
- Updated how parent selection field data is handled by database driven selection fields to better support a multi value selection field being a parent.
- Updated context detection inside selection field config fields to include the parent picker context inside evaluated filters.
- Fixed an issue with interface actions acting on dynamic selection fields that used their parent field in their query configuration.
Internationalization - Language Import
- Fixed an issue with trying to import a file that references blocks that have been deleted.
Relational Tables
- Updated the 'Edit a Relationship Table' Wizard so it appears in the handbook, and is searchable through the help search in the bottom right.