v0.6.0 — Production hardening

Production hardening release focused on authentication security, supplier data isolation, and a range of critical bug fixes surfaced during pre-launch testing.

Added

  • OTP enforcement for all users — one-time password verification is now mandatory on every login, with no bypass paths available in production. Previously, OTP could be skipped under certain session conditions.

  • Forgot password flow — operators, suppliers, and verifiers can now reset their password via a secure email link without requiring support intervention.

  • Supplier data isolation — supplier data queries are now scoped strictly to the supplier's own company. A supplier cannot access or infer the existence of materials, certificates, or responses belonging to a different supplier company.

  • URL protocol validation — all URL fields in DPP forms now validate that the protocol is https:// or http://. Protocols such as javascript:, data:, and file:// are rejected, preventing stored XSS via URL fields.

  • Industry classification — the signup flow now includes a dynamic industry dropdown populated from the platform's category database, enabling accurate company classification at registration.
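The supplier data isolation entry above describes scoping every supplier query to the caller's own company so that other companies' records can neither be read nor detected. The following is an added illustration, not code from this project: a hypothetical repository factory that binds the authenticated session's company id once, so every list, lookup and update it exposes carries the tenant filter and a record outside that scope is reported exactly like a record that does not exist. The `MATERIALS` rows and the `co-*`/`mat-*` ids are constructed sample data.

```javascript
// Added example (not the project's code): tenant-scoped data access for supplier records.
// Constructed sample data with hypothetical ids.
const MATERIALS = [
  { id: 'mat-1', companyId: 'co-acme', name: 'Recycled PET' },
  { id: 'mat-2', companyId: 'co-acme', name: 'Organic cotton' },
  { id: 'mat-3', companyId: 'co-globex', name: 'Aluminium 6061' },
];

// Builds a repository whose every operation is pre-bound to the session's company.
// Handlers receive only this object, so they cannot "forget" the tenant filter.
function scopedRepository(session, rows = MATERIALS) {
  const companyId = session && session.companyId;
  if (!companyId) {
    throw new Error('session has no company scope; refuse rather than query unscoped');
  }
  // The tenant predicate is applied before any id comparison: rows of other
  // companies are never part of the set that the id is matched against.
  const own = () => rows.filter((r) => r.companyId === companyId);

  return {
    list: () => own(),
    // Same null for "belongs to another company" and "no such id": no existence oracle.
    get: (id) => own().find((r) => r.id === id) || null,
    // Writes go through the same scope; an out-of-tenant id is "not found", not "forbidden".
    rename: (id, name) => {
      const row = own().find((r) => r.id === id);
      if (!row) return null;
      row.name = name;
      return row;
    },
  };
}
```

The design point is that the scope is fixed when the repository is constructed from the session, not passed as an optional argument on each call; a handler that omits a filter then fails closed (it simply has no way to query outside its company) rather than open.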
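The URL protocol validation entry above rejects everything but http and https in DPP form URL fields. As an added example that is not the project's own validator, the block below shows the allowlist approach this implies, using the WHATWG `URL` parser available in browsers and Node so that scheme case, surrounding whitespace and embedded tab or newline characters are normalised before the scheme is compared; a denylist of known-bad schemes would miss such variants. `validateUrlField` and its field-error shape are hypothetical names chosen for the example.

```javascript
// Added example (not the project's code): allowlist check on the URL scheme.
// Compare against what the parser reports, never against a raw string prefix.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

function isAllowedUrl(value) {
  if (typeof value !== 'string') return false;
  let parsed;
  try {
    // The parser lowercases the scheme and strips leading/trailing control
    // characters and space, and removes ASCII tab/newline anywhere in the input.
    parsed = new URL(value.trim());
  } catch (e) {
    return false; // relative or malformed input is rejected, not guessed at
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Hypothetical form-level wrapper: empty optional fields pass, everything else
// must be an absolute http(s) URL, and the stored value is the normalised href.
function validateUrlField(fieldName, value) {
  if (value == null || value === '') return { ok: true, value: '' };
  if (!isAllowedUrl(value)) {
    return { ok: false, error: `${fieldName} must start with https:// or http://` };
  }
  return { ok: true, value: new URL(value.trim()).href };
}
```

Checking `parsed.protocol` rather than `value.startsWith('http')` matters because a prefix test both accepts schemes that merely begin with those letters and misses inputs the browser would still interpret as a scripting or data URL after normalisation.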

Fixed

  • Login error handling — authentication errors now return structured error objects to the UI. Previously, some error paths were throwing exceptions that propagated as unhandled server errors rather than user-facing messages.
  • File upload URL fields — file upload fields in the DPP wizard now accept the storage path format returned by the upload API, resolving a type mismatch that prevented documents from being linked correctly.
  • Date field parsing — ISO 8601 date strings returned by the API are now correctly parsed into the calendar component's native date format, resolving a mismatch that caused previously saved dates to render as empty.
  • DPP page 500 error — metadata generation for the DPP public viewer now handles database connectivity issues gracefully instead of returning a server error page.
  • OTP length — one-time passwords are now six digits (down from eight), matching the standard length expected by authenticator apps and familiar to users.
  • Sidebar mobile flash — the mobile navigation state now initialises correctly on page load, preventing a flash of the desktop sidebar layout on mobile devices.