Security Release v2.2.0 v0.41.2

A series of security updates has been released today.

Recipients Verification

When adding recipients, the recipient has to be verified with an OTP code before it is added. This prevents adding invalid or unapproved alerting recipients.

Rate Limiting

We defined four categories of endpoints according to how easily they can be abused, from category one (GET requests, the lightest) to category four (POST requests that generate costs in our or external systems). We added rate limiting for each category, so any abuse will be logged and rejected with HTTP 429 Too Many Requests. I'm still debating whether we should also block the IP or not. We will assess this later.
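As an added illustration of the scheme described above (not the project's own code), the following classifies each request into one of the four categories, counts requests per client and category in fixed windows, and answers over-limit requests with 429 while emitting a structured log line. The per-category limits, the path patterns used to recognise category 3 and 4 endpoints, and the `clientId` used as the counting key are assumptions for the example.

```javascript
// Added example (not the project's own code): rate limiting by endpoint category.
// Requests are sorted into four abuse-risk categories and counted per client and
// category in fixed windows; over-limit requests are logged and answered with 429.

// Per-window limits per category (constructed values, not the product's real ones).
const CATEGORY_LIMITS = { 1: 120, 2: 60, 3: 20, 4: 5 };
const WINDOW_MS = 60_000;

// Map a request to its category. The path patterns are assumptions for illustration:
// category 4 = POSTs that cost money (e.g. a recipient test that sends a real alert).
function categorize(method, path) {
  if (method === 'GET') return 1;
  if (method === 'POST' && /\/recipients\/[^/]+\/test$/.test(path)) return 4;
  if (method === 'POST' && /\/recipients$/.test(path)) return 3; // triggers OTP delivery
  return 2; // other state-changing requests
}

class RateLimiter {
  constructor(limits = CATEGORY_LIMITS, windowMs = WINDOW_MS, log = console.log) {
    this.limits = limits;
    this.windowMs = windowMs;
    this.log = log;
    this.counters = new Map(); // key "client:category" -> { windowStart, count }
  }

  // Returns an object describing whether the request is allowed; callers map
  // { allowed: false } to an HTTP 429 response carrying the Retry-After value.
  check(clientId, method, path, now = Date.now()) {
    const category = categorize(method, path);
    const windowStart = now - (now % this.windowMs);
    const key = `${clientId}:${category}`;
    let entry = this.counters.get(key);
    if (!entry || entry.windowStart !== windowStart) {
      entry = { windowStart, count: 0 }; // new window: reset the counter
      this.counters.set(key, entry);
    }
    entry.count += 1;
    const limit = this.limits[category];
    if (entry.count > limit) {
      // Structured log line so the abuse is visible to monitoring, not only rejected.
      this.log(JSON.stringify({ event: 'rate_limited', clientId, category, method, path, count: entry.count, limit }));
      const retryAfter = Math.ceil((windowStart + this.windowMs - now) / 1000);
      return { allowed: false, status: 429, category, retryAfter };
    }
    return { allowed: true, status: 200, category, remaining: limit - entry.count };
  }
}
```

Blocking the client IP, which the note above leaves open, would be a separate decision layered on top of the logged `rate_limited` events.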

Recipient Test Limitation

We've limited the test feature of the recipients to 10 tests for free/trialing accounts. Paid accounts have no such limitation, but the overall throttling protection will kick in if abuse is detected.

Removing PWA - Adding Cloudflare Caching Headers

The Progressive Web Application code was not behaving as required, so we decided to remove it until a better version is thoroughly tested. This version had a few side effects, one of which was that it would cache the admin interface indefinitely, requiring a hard refresh to get the latest version, which is unacceptable.

If you scroll to the footer of the Admin area and you don't see Admin v0.41.2 (minimum), it means you're stuck with an older version of the frontend interface.

On Firefox, Command/Ctrl + Shift + R forces a hard refresh and you should get to the latest version.

On Safari, go to Safari menu → Develop → Empty Caches, then reload with Command + R.

Also, we added proper caching headers, so that HTML is never cached and static resources (which are versioned) are cached indefinitely.

React Upgrade

This version contains a React version update, now using React v18 for Wrangler and other Node-based tools. We also switched from yarn to npm to better address dependencies.