v7.13 — October 2024
Released: October 2024
Security
CAPTCHA on Login
- A 6-digit CAPTCHA is required at login for all user types (LDAP, non-LDAP, SaaS)
- Failed login attempts are limited; CAPTCHA expiration is enforced to defend against brute-force attacks
Progressive Login Protection
- After 6 failed login attempts, the account is blocked
- Blocked users can still reset their password via “Forgot Password”
- For non-LDAP environments: a progressive error message is shown before blocking
- For LDAP environments: only an error message is shown; no account block occurs
- A successful login within the 6-attempt window resets the attempt counter
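The lockout rules above, as an added worked example (not the product's own code): a small per-username attempt tracker that warns progressively and blocks at the sixth failure in non-LDAP mode, only reports the error in LDAP mode, and clears the counter on success. The 6-attempt limit comes from the note; the message wording, the `check_credentials` callback and the assumption that completing "Forgot Password" clears a block are this example's.

```python
from dataclasses import dataclass

MAX_ATTEMPTS = 6   # the 6-attempt window from the release note


@dataclass
class AttemptRecord:
    failures: int = 0
    blocked: bool = False


class LoginGuard:
    """Per-username failed-login tracking following the release-note rules.

    ldap=False: progressive warning on each failure, block at MAX_ATTEMPTS.
    ldap=True : error message only, never blocks (the directory owns lockout policy).
    """

    def __init__(self, check_credentials, ldap=False, max_attempts=MAX_ATTEMPTS):
        self._check = check_credentials   # callable(username, password) -> bool; supplied by caller
        self._ldap = ldap
        self._max = max_attempts
        self._records = {}                # username -> AttemptRecord

    def is_blocked(self, username):
        return self._records.get(username, AttemptRecord()).blocked

    def login(self, username, password):
        rec = self._records.setdefault(username, AttemptRecord())
        if rec.blocked:
            # Checked before the credentials: a correct password does not lift a block
            return {"ok": False, "error": "Account blocked. Use 'Forgot Password' to regain access."}
        if self._check(username, password):
            rec.failures = 0              # success inside the window resets the counter
            return {"ok": True}
        rec.failures += 1
        if self._ldap:
            # LDAP environments: report the failure, never block here
            return {"ok": False, "error": "Invalid username or password."}
        remaining = self._max - rec.failures
        if remaining <= 0:
            rec.blocked = True
            return {"ok": False,
                    "error": f"Account blocked after {self._max} failed attempts. Use 'Forgot Password'."}
        # Progressive message: tell the user how many attempts are left before the block
        return {"ok": False,
                "error": f"Invalid username or password. {remaining} attempt(s) left before the account is blocked."}

    def password_reset_completed(self, username):
        # Assumption (not stated in the note): a completed 'Forgot Password' flow clears the block
        self._records[username] = AttemptRecord()


if __name__ == "__main__":
    creds = {"alice": "correct horse"}     # constructed sample credentials
    guard = LoginGuard(lambda u, p: creds.get(u) == p)
    for _ in range(6):
        print(guard.login("alice", "wrong"))
    print(guard.login("alice", "correct horse"))   # still blocked
```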
Multi-Tenant API Security
- Separate API keys are issued per SaaS client
- Token validity is configurable (default: 30 minutes)
- Authorization is restricted to the specific client’s programs
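One way to realise per-client keys, a 30-minute token lifetime and per-program authorization, as an added example written for this page (not the product's API or token format): each SaaS client has its own HMAC secret, tokens carry the client id and an expiry, and every program access is checked against that client's allow-list. The client registry, program names and the `<payload>.<hmac>` token shape are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

DEFAULT_TTL_SECONDS = 30 * 60   # the release note's 30-minute default

# Constructed registry (not product data): one secret per SaaS client plus the
# programs that client may touch. Secrets would come from a secret store.
CLIENTS = {
    "client-acme":   {"secret": secrets.token_bytes(32), "programs": {"acme-rewards", "acme-travel"}},
    "client-globex": {"secret": secrets.token_bytes(32), "programs": {"globex-points"}},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id, ttl=DEFAULT_TTL_SECONDS, now=None, clients=CLIENTS):
    """Return '<payload>.<hmac>' signed with the issuing client's own secret."""
    now = time.time() if now is None else now
    payload = json.dumps({"client_id": client_id, "exp": now + ttl},
                         separators=(",", ":"), sort_keys=True).encode()
    body = b64url(payload)
    sig = hmac.new(clients[client_id]["secret"], body.encode(), hashlib.sha256).digest()
    return body + "." + b64url(sig)


def verify_token(token, now=None, clients=CLIENTS):
    """Return {'ok': True, 'client_id': ...} or {'ok': False, 'error': ...}."""
    try:
        body, sig = token.split(".", 1)
        sig_bytes = unb64url(sig)
        payload = json.loads(unb64url(body))
        client = clients[payload["client_id"]]
        exp = float(payload["exp"])
    except (ValueError, KeyError, TypeError):
        return {"ok": False, "error": "malformed token"}
    # The client_id in the payload only selects which secret to check against: a
    # forged payload naming another client fails that client's HMAC.
    expected = hmac.new(client["secret"], body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return {"ok": False, "error": "bad signature"}
    now = time.time() if now is None else now
    if now >= exp:
        return {"ok": False, "error": "token expired"}
    return {"ok": True, "client_id": payload["client_id"]}


def authorize_program(token, program_id, now=None, clients=CLIENTS):
    """Signature and expiry first, then the per-client program allow-list."""
    result = verify_token(token, now, clients)
    if not result["ok"]:
        return result
    if program_id not in clients[result["client_id"]]["programs"]:
        return {"ok": False, "error": f"{result['client_id']} is not authorized for {program_id}"}
    return result


if __name__ == "__main__":
    tok = issue_token("client-acme")
    print(authorize_program(tok, "acme-rewards"))   # ok
    print(authorize_program(tok, "globex-points"))  # not authorized
```

Two points the checks enforce in order: a token cannot be re-pointed at another tenant's programs, because the signature is checked under the named client's secret before the allow-list is consulted, and an expired token is rejected even when its signature is valid.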
OTP Encryption
- OTPs are encrypted before storage in the database; the decrypted OTP is delivered to the member
- Expired or inactive OTPs fail API verification
- The OTP view option is disabled in the communication template UI for sensitive templates
- Audit logs are generated for OTP resend email actions
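An added example of OTP handling at rest (written for this page, not the product's implementation): the note describes reversible encryption so the same code can be re-delivered; this example instead stores only a keyed hash (HMAC-SHA256 under a server-side key) bound to the member, because verification never needs the plaintext, and a resend issues a fresh code rather than decrypting the old one. Expired or already-used codes fail verification, a guess cap burns the code, and resends are written to an audit log. The 5-minute lifetime, the 5-guess cap and the audit record shape are this example's assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 5 * 60      # assumption: the note does not state the OTP lifetime
MAX_VERIFY_TRIES = 5          # assumption: cap guesses so a 6-digit code cannot be brute-forced in its window
OTP_KEY = secrets.token_bytes(32)   # server-side key; from a secret store in production


class OtpStore:
    """Keeps only a keyed hash of each member's current OTP plus expiry, an active
    flag and a guess counter; the plaintext exists only on its way to delivery."""

    def __init__(self, key=OTP_KEY, ttl=OTP_TTL_SECONDS, max_tries=MAX_VERIFY_TRIES):
        self._key = key
        self._ttl = ttl
        self._max_tries = max_tries
        self._rows = {}        # member_id -> {"digest", "expires", "active", "tries"}
        self.audit_log = []    # resend actions, as the note requires

    def _digest(self, member_id, otp):
        # Bind the hash to the member so a code issued to one member cannot be replayed for another
        return hmac.new(self._key, f"{member_id}:{otp}".encode(), hashlib.sha256).digest()

    def issue(self, member_id, now=None):
        now = time.time() if now is None else now
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self._rows[member_id] = {"digest": self._digest(member_id, otp),
                                 "expires": now + self._ttl, "active": True, "tries": 0}
        return otp     # hand to the mailer/SMS sender; never log it

    def resend(self, member_id, actor, now=None):
        now = time.time() if now is None else now
        otp = self.issue(member_id, now)      # the old code is superseded, not re-read from storage
        self.audit_log.append({"action": "otp_resend_email", "member": member_id, "by": actor, "at": now})
        return otp

    def verify(self, member_id, otp, now=None):
        now = time.time() if now is None else now
        row = self._rows.get(member_id)
        if row is None or not row["active"]:
            return False                         # never issued, already used, or burned
        if now >= row["expires"]:
            row["active"] = False
            return False                         # expired
        row["tries"] += 1
        if row["tries"] > self._max_tries:
            row["active"] = False                # too many guesses: burn the code
            return False
        if not hmac.compare_digest(row["digest"], self._digest(member_id, str(otp))):
            return False
        row["active"] = False                    # single use
        return True


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("member-42")              # constructed member id
    print(store.verify("member-42", code))       # True
    print(store.verify("member-42", code))       # False: already used
```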
Password Reset Security (VAPT Fix)
- The system now displays a generic confirmation: “If the entered username exists in our system, you will receive an email with instructions to reset your password” — regardless of whether the username exists
- The API always returns true for all usernames, preventing username enumeration
- Invalid CAPTCHA triggers a specific error message
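The CAPTCHA expiry described under "CAPTCHA on Login" and the enumeration-safe reset flow above, as one added example (written for this page, not the product's code): a server-side store of 6-digit challenges that expire and are consumed on first use, and a reset request that returns the same message and does the same work whether or not the username exists, with "Invalid CAPTCHA" as the only specific error. The 120-second CAPTCHA lifetime, the `users`/`outbox` structures and the sample accounts are constructed assumptions.

```python
import hmac
import secrets
import time

CAPTCHA_TTL_SECONDS = 120   # assumption: the note says expiry is enforced but not for how long
RESET_MESSAGE = ("If the entered username exists in our system, you will receive "
                 "an email with instructions to reset your password")


class CaptchaStore:
    """Server-side record of issued 6-digit challenges with expiry and single use."""

    def __init__(self, ttl=CAPTCHA_TTL_SECONDS):
        self._ttl = ttl
        self._rows = {}     # challenge id -> {"answer", "expires"}

    def issue(self, now=None):
        now = time.time() if now is None else now
        cid = secrets.token_urlsafe(16)
        answer = f"{secrets.randbelow(10 ** 6):06d}"
        self._rows[cid] = {"answer": answer, "expires": now + self._ttl}
        # In the real flow only an image of `answer` leaves the server; it is
        # returned here so the example can solve its own challenge.
        return cid, answer

    def verify(self, cid, answer, now=None):
        now = time.time() if now is None else now
        row = self._rows.pop(cid, None)      # one attempt per challenge, right or wrong
        if row is None or now >= row["expires"]:
            return False
        return hmac.compare_digest(row["answer"], str(answer))


def request_password_reset(username, captcha_id, captcha_answer, users, captchas, outbox, now=None):
    """Same response for known and unknown usernames; only the CAPTCHA error is specific."""
    if not captchas.verify(captcha_id, captcha_answer, now):
        return {"ok": False, "error": "Invalid CAPTCHA"}
    token = secrets.token_urlsafe(32)        # generated on every path, so the work done is the same
    email = users.get(username)
    if email is not None:
        # Queue rather than send inline in production, so response time stays flat too.
        outbox.append({"to": email, "token": token})
    return {"ok": True, "message": RESET_MESSAGE}


if __name__ == "__main__":
    users = {"alice": "alice@example.test"}   # constructed sample account
    captchas, outbox = CaptchaStore(), []
    for name in ("alice", "nobody"):
        cid, ans = captchas.issue()
        print(name, request_password_reset(name, cid, ans, users, captchas, outbox))
    print(len(outbox), "email(s) queued")     # 1
```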
Password Encryption in Infrastructure
The following passwords and keys are now encrypted via config maps:
- MSSQL password
- Redis password
- Minio access key
- SMTP password
Sensitive Data Removed from Logs
OTP and PII data have been removed from application logs across the Notifications, Milestones, Segmentation, Member, Transaction, RBAC, OAuth, and Maker-Checker modules
Access Control
Restricted Platform Configuration View
- The “Organisation” view permission now shows basic information only
- All program configuration tabs are hidden for users with this permission level
Manual Points and Member Details Permissions
- A new “View Member Details” permission controls access to sensitive member data
- “Add/Remove Points” works independently — users can award points without needing View Member Details
- Auto-enable: Granting “Add/Remove Points,” “Show PI Details,” or “On Behalf of Redemption” automatically enables “View Member Details”
- Manual points can only be awarded to members with Active status
Report Access & Sharing (RBAC)
- “Create” permission: Full access — view, create, delete, and share reports and logs for accessible programs; share with individual or multiple users
- “View” permission: Read-only access — view, generate, and download shared reports only; cannot create, delete, or modify
Reports
Audit Trail Export
- Audit Trail reports now export as PDF (compressed as ZIP or GZ based on configuration)
- The previous CSV export format has been removed
Export / Import Enhancement
- Roles and auto-generated reports are now exportable
- On import: all existing target program roles are deleted and users are reassigned to the Program Admin role
- Only auto-generated transactional, member, and communication reports are exported with their settings
- No audit logs are generated for import/export operations
Users
Username Field for Business Users
- Existing users’ usernames are set to their email ID (applied via upgrade script)
- New users are added to LDAP with their username and password
- The username field is non-editable in the application
- Adding the same credentials across multiple programs maps the user to all those programs
- “Forgot Password” flows are based on the username
Transactions
Non-ASCII Character Support
- Non-ASCII characters are now supported in Transaction, Member, and BNS file processing and APIs
- Special characters remain prohibited in Product file uploads and the application itself
Infrastructure
Tech Stack Upgrades
| Component | Before | After |
|---|---|---|
| Node.js | 14–16 | 22 (LBMSUI: 20, others: 22) |
| C# | 3.1 | 8 |
| Redis | 5.7 | 7 |