Starter Versions Save

Sessions are now deleted after password reset/change.

A year has gone by... a lot has changed :sweat_smile: Probably best you scan through the git history, there's too much to list really.

• Added .editorconfig
• Added *.sql to .gitattributes to ensure LF line endings (rather than CRLF, which was breaking migration execution on Windows)
• Adds support for ?sslrootcert=... in Postgres connection strings, e.g. to support self-signed or default untrusted (e.g. AWS RDS) SSL keys
  • Achieves this by using yarn resolutions; will not work with npm!
• Fixes an issue with a test not running on non-standard PORT

The main feature in this release is Organizations support. An organization is a group of users (a company, charity, team, workspace, etc), where one user is in charge (the "owner") and one person is the billing contact. You may add further permissions. We've added all the behaviours you'd expect around organizations: creating, deleting, inviting users, inviting non-users, sending invite emails, accepting invites, re-assigning ownership/billing contact, managing members, managing other settings, controlling access to settings based on user role.

There's many other changes in this release; for full details have a look at the git history, but here are some of the highlights:

• Security:
  • Added "auditing" emails - so a user gets notified when they add/remove email, change password, etc
  • Switched to UUIDs for primary keys so adversaries cannot trivially determine a cap on the number of users/organizations/etc you have
• Design
  • Upgrade to AntD v4
  • Made pages more consistent
  • Use more AntD components
  • Tweak colours slightly
• Schema
  • Removes query: Query from type Query
  • Enables pgStrictFunctions for stronger typing
• Development
  • Extend use of React hooks (especially for forms)
  • Extracted some helpers to @app/lib to ease sharing between components/client/server/worker
• Testing
  • Added helpers for checking/executing jobs within other tests
  • Test snapshots now track which masked values are identical
• General & maintenance
  • Upgraded Graphile stack to latest versions
  • Optimize and update linting
  • GitHub Actions CI
  • Node v14 support

Remember:

It is intended that you use a "point in time" version of this software ─ it is not intended that you can merge updates to this software into your own derivative in an automated fashion.

i.e. you can't simply update to this version - no attempt at backwards compatibility has been made

• Fixes an issue with Next.js hot-loading of new GraphQL queries, see next.config.js
• Works around breaking change to Docker postgres:11 image so that yarn docker setup works again
• Tweaks to tests to make easier to work with
• Upgrade to graphql-codege 1.12.1
• "login" -> "Sign in"
• Example migration added to current.sql
• Various minor changes

The community have really enjoyed playing with the starter; and they've given back. This release contains a number of features and fixes contributed by the community; in particular I'd like to thank (in no particular order) @JoeSchr, @singingwolfboy, @makoncline, @MobliMic, @charlex, @alexk111 and @hos.

Here are some highlights:

• SECURITY: does not fall back to generating a (weak) random SECRET if no envvar set; instead throws an error
• SECURITY: enhances the database schema with greater SECURITY DEFINER function security
• DOCKER: fixes a bug in the production Dockerfile where the email templates were not included, improves Docker build times
• SIGNIFICANT FIX: the user__forgot_password task has been fixed, it was using the user id as if it were a user_email id (which works whilst those ids line up on an empty database, but stops working when they diverge - e.g. when anyone adds a second email).
• Fixes deploying to Heroku if you're not us :wink: (we have a demo mode which resets everything, if demo mode was not set previously it would bail out to get you to change your config, now it just warns but continues in non-demo mode)
• Fixes an issue where the last_active value for a session was never updated
• TypeScript is no longer used to enforce lintable issues (like not using variables/parameters) so you can code free-er with less interruption
• Fixes a large number of issues with TypeScript/types, including improving build times thanks to project references
• Upgrades almost all the dependencies
• Fixes missing dependencies (thanks to depcheck, now added to CI)
• Informs users that they should commit the initial version of the starter if they clone from the zip option
• Upgrades VSCode configuration/integration based on latest VSCode changes (much faster linting/formatting)
• Disables poweredBy header
• Refactors components into their own package to show how it can be done
• Tests Docker build on CI to ensure it's always valid
• Password strength indicator has been added
• ARIA autoComplete fields have been added to various inputs

Fix issue with production.Dockerfile

Thanks to all the people who’ve tested the starter and given feedback and pull requests!

• Fixes issue with settings pages trying to render when you're not logged in.
• If you don't have a password (e.g. you used OAuth) you are now guided to change your password using the reset password flow.
• More AntD-native stuff
• More consistent styling (headings, etc)
• Ability to delete your account (requires email confirmation)
• Add and configure Apollo VSCode plugin
• Allow overriding some defaults with envvars so we can run this: https://graphile-starter.herokuapp.com