Friday, July 19, 2019

Change Log: 3.85.1633

Old survivor (work in progress).
Version three (3.85.1633) of the Manager is live!

Before I get into the release notes/change log, however, I have a few announcements.

First, as I have mentioned on Twitter and elsewhere, version three of the Manager uses the version 1.0.000 release of the KDM API, which has been deployed at a new URL ( and is a more or less total re-implementation of the API in Python 3.

(Also, in case you're wondering, is going away soon: more on that in future posts.)

The 1.0.000 release is designed around performance and the delivery of some major new features, including support for multiple rules sets/versions, gear grids/saved load-outs, etc.

Second, 3.85.1633 is the last "feature" release that I will be doing on what is now the legacy version of Manager: the new features that leave beta and go out for General Availability in this release are the last new features that will be added to the current version of the Manager and the API.

I will continue to support the legacy version of the Manager, but from now on, my efforts are officially going to be focused on a new project that...I can't actually officially announce yet.

All of that having been said, here's a summary of the major changes in release 3.85.1633:
  • I closed about a dozen issues and addressed a bunch of bugs, including long-standing issues with password hashing, cookies and adding expansion content to settlements.
  • API documentation app has been reorganized/cleaned up, uses material design and now has a nifty left-side nav bar. 
  • Support for the Santa Satan expansion has been added.
  • Gear card lookup exits beta (!) and becomes generally available.
  • The Manager now uses the 1.0.0 release of the API
  • I created a "downtime" app that will be used whenever I have to do an extended downtime for re-deployments of critical application components (of which I am planning three in 2019).

As usual, hit the jump for complete release notes!

Corrections and Fixes

  1. References to the Run Away story event in the flavor text for the Pictograph innovation now show the book icon correctly (instead of with weird spacing or not at all).
  2. Addressed an issue where attempting to start a session with an invalid session ID threw a traceback (before 86ing the session, which could lead to permanent lock-out).
  3. The Dragon Slayer gear card no longer incorrectly lists "Early Iron" as a keyword. I also added "Early Iron" to the rules for the card, which should have been fixed in the 1.5 errata (but was not).
  4. Corrected typos on the Shielded Quiver gear card.
  5. Bad POSTs (e.g. invalid username, invalid recovery code) to API endpoint /reset_password/reset now receive a response status code of 400 (instead of 200).
  6. Addressed issue #519 re: adding expansion content to settlements whose LY is greater than the year you would normally add the expansion.
  7. Resolved a non-user-facing JS issue on the Settlement Sheet that threw a false-positive error in the logs when adding a nemesis monster.
  8. Fixed an issue where (really old) settlements failed to load because of legacy data references in survivor asset lists (Fighting Arts, in this case). -SD
  9. Fixed an issue where settlement buffs for Ultimate Weapon and Final Fighting Art failed to show up on the settlement Campaign Summary. -WayForger
  10. Fixed a comparison error affecting PotStars Survivor Sheets that caused the "Weapon Mastery" box on The Constellations not to highlight when the survivor has a weapon mastery. -Shamanarza
  11. Addressed an issue where certain Unicode characters (such as ñ or ü, basically anything with a tilde, umlaut or accent) caused silent/mysterious authentication failures.
  12. The Blog's API key is no longer stored in source code (oops!); it has been moved to settings_private.cfg
  13. Fixed the grid alignment on the gear cards with affinity bonuses so that they square up instead of breaking into columns (when the bonus description is lengthy).

Application Enhancements

  1. Cleaned up some of the help document formatting and clarified some of the administrative items (e.g. the steps for arming the "Delete" button, how to open a ticket, etc.).
  2. The Dev Blog (this blog, in fact) can now be accessed purely by SSL: I never updated it when the Manager went full-time SSL (my bad).
  3. HTML for the login screen now tries to expire any existing cookies. 
  4. Gear Lookup exits beta and becomes generally available:
    1. Gear recipes can now show location level requirements (see Sun Vestments, etc.)
  5. Unsalted MD5 sums are deprecated and user passwords are now hashed using PBKDF2. Shouts to Armune (finally). This resolves issue #409.
  6. Legacy webapp authentication now backs off to Werkzeug style auth if MD5 check fails. See below for related API changes.
  7. The login HTML expires the 'session' and 'jwt_token' keys on the root path of the cookie now, just to make sure we don't get any accidental bad values.
  8. kdmManager.js now includes the API-KEY headers (referencing the settings_private.cfg value) on GET and POST operations to the API
  9. Added support for the Santa Satan expansion.
  10. Strain Milestone conditions now disappear from the Settlement Sheet when their box is checked. If the Milestone has a Permanent Effect, that will take its place.
  11. Created the downtime app and deployed it in production (you can even see it whenever you like at
  12. I also had to update the SSL configs so that the special downtime URL was supported.
  13. Added support for the "Generic" expansion content, and keyed in the Corsair Coat rare gear.
  14. Added the Labor in Vain logo to the about section

API Development

  1. Massively restructured the API, in terms of modules and organization:
    1. Moved to the more Pythonic within the api module
    2. Moved utils out of the api module and into its own module
    3. gridfs_files is now a module within utils (which makes more sense, if you think about its context, i.e. an object that is only used in API routes).
    4. The API's routes are now in, which is way more flask-ish (if slightly less pythonic)
    5. The mysteriously named file is now called, lives in the project root and is used to start the API server in test or dev mode
    6. Revised the systemctl scripts to have the correct paths and file names required by the reorganization
    7. is now a resident of the new utils module; I also moved settings.cfg and settings_private.cfg out into the project root (and adjusted/simplified all imports).
    8. All of the non-route-having methods of api.application have been moved into (i.e. they have been moved out of
    9. The HTTP basic auth stuff has been upgraded to part of the application, i.e. it is application.basicAuth and it's available everywhere the application is available now.
    10. is no longer part of the project: it has been rolled up into utils/ as the GridfsImage class/object.
    11. Pylinted the new up to a final score of 10.00 (for that ass).
    12. utils is a proper module now: I moved (which is way overgrown) utils/ and will continue the clean-up here or in the upcoming fork...
    13. Moved the crossdomain decorator into
    14. settings.cfg now has a new entry under API called 'default_headers', which is a string that crossdomain() uses as its default
    15. Updated to reference the crossdomain method there.
    16. Updated a bunch of routes in to just use the default headers, which should be good for most of our user-ish routes
  2. Added the /stat route to the API. It returns utils.api_meta for now.
    1. The API knows how old it is now (two years and 60 days, as I write this).
  3. Merged superpowered master into master:
    1. added IDE files to .gitignore
    2. added copies attribute to a number of assets in 
    3. updated to start to distinguish between flavor_text and rules_text (a la what we do in for better standardization and (eventual) deprecation of the desc attribute
    4. PR 537, which touches up a lot of expansion resources, etc.
  4. Created models/rules.pymodels/, and assets/ to track gear/resource rules
    1. Added get_rules() and get_keywords() methods to the Models.AssetCollection class methods. It returns a set of rules for all assets in the collection.
    2. Created a new endpoint /game_assets/rules and /game_assets/keywords to support rules lookups by handle ( not a thing yet). Added it to the docs for the /game_assets/... route.
  5. Keyed in a bunch of game assets:
    1. Keyed in some more gear info, including recipes: Lion God, Sunstalker (which seriously took over an hour), 
    2. Keyed in a few more random names. I'm trying to add a few with every release lately, which I think is really helping.
    3. Keyed in some resource card descriptions.
    4. Keyed some core rules and keywords.
  6. Refactored password hashing to stop using MD5 sums and to start using werkzeug methods (i.e. I decided to outsource the problem of security):
    1. added new methods for hashing and checking hashes to models/
    2. refactored the helper methods (i.e. outside of the main object code) in models/ to have better doc strings and to back-off (e.g. in authenticate() method, etc.) to the werkzeug check.
    3. The authenticate() method uses kwargs now instead of positional ones.
    4. Passwords can now use unicode characters with accents, umlauts, etc.
  7. User objects are now created with a 'notifications' dict (for tracking webapp/UI notifications that they've dismissed, etc.)
  8. User objects are now baselined to include the 'notifications' dict
  9. Corrected the documentation for the /login route, which erroneously described using the 'Authorization' key in the header, etc.
  10. The user object is now serialized with a key called 'gravatar_hash' that includes the MD5 hash of the login email.
  11. The "API-Key" header of each incoming API request is now captured and logged:
    1. Updated to set the api_key attrib on the request before processing (this is where we'll start checking for valid keys in the future)
    2. Updated utils.record_response_time() to insert the api_key value into the MDB when metering
  12. Created models/ and started moving some methods there:
    1. Moved log_event_exception_manager() from utils and changed its reference in
    2. Started pylinting the file and I'm going to try to keep it above...let's say 9.0 for now
  13. now dumps the latest_authentication value for the user; it also dumps a None type for any time value that doesn't exist on the user's record in the MDB
  14. can now dump API response records (with pprint; nothing fancy)
  15. Refactored the users.initiate_password_reset() method for generic webapp usage:
    1. now it checks the incoming request for the app_url attribute. If present, it is used to generate the change password email that the user gets.
    2. Updated the documentation for the /reset_password/request_code URL.
    3. Added support for app_url values that include a path beyond the basic netloc. The incoming value is parsed (by urlparse) into pieces and reconstructed when writing the email
  16. Created the docs application within the API to manage documentation more intelligently (than a flat file of manually tweaked HTML):
    1. Added the /docs/<render_type>/<action> endpoint to
    2. Ported the actual HTML documentation strings to the public, private and sections modules in the docs module
    3. Created a new front end (AngularJS) webapp for it
  17. Updated the nginx config to let nginx serve the static files (because we're going to be serving more of them and we need some actual performance there going forward).
  18. Adding and removing expansions to/from existing campaigns has been enhanced and refactored for usability and rules compliance:
    1. expansion asset definitions now contain mandatory attribs called maximum_intro_ly and late_intro_event, which, respectively define the latest LY that content can be added using the normal method and the event that introduces the content to settlements who are at or beyond maximum_intro_ly
    2. refactored settlements.Settlement.add_expansions():
      1. updated comments and clarified some things
      2. the save at the end is now controllable via save kwarg
      3. inflicted PEP8 on the method (haha) and reorganized the doc strings and comments
      4. Removing nemesis monsters now shows up in the settlement event log
    3. Updated the docs application re: how the new attribs look
    4. Updated all KS1 expansion content to include maximum_intro_ly and late_intro_event if their books define it.
  19. Alphabetized the asset definitions in assets/ for KS1 expansions
  20. The rules attribute is baselined onto all settlements now (and hardcoded to 'core_1_5' for now): for compatibility with API release 1.0.
  21. Removed some old print debugging in a few settlement methods (that never should have been committed in the first place oops)
  22. Added assets/ to start tracking rules sets. 
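
The move from unsalted MD5 sums to PBKDF2 (Application Enhancements items 5 and 6, API Development item 6), shown as an added example that is not the Manager's or the API's own code. It uses Python's standard hashlib in place of the werkzeug helpers the release uses; the user record layout, hash string format, iteration count, function names and the rehash-on-login step are all assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 200_000  # assumed work factor for this example


def _encode(password: str) -> bytes:
    # Normalize, then encode as UTF-8, so "ñ" or "ü" hash the same however typed.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str) -> str:
    """Return 'pbkdf2:sha256:<iterations>$<salt hex>$<digest hex>' (assumed format)."""
    salt = os.urandom(16)  # per-user random salt: equal passwords get different hashes
    digest = hashlib.pbkdf2_hmac("sha256", _encode(password), salt, ITERATIONS)
    return f"pbkdf2:sha256:{ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(stored: str, password: str) -> bool:
    method, salt_hex, digest_hex = stored.split("$")
    _, algo, iterations = method.split(":")
    digest = hashlib.pbkdf2_hmac(
        algo, _encode(password), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare


def legacy_md5(password: str) -> str:
    # Deprecated scheme: unsalted MD5 hex digest, kept only to verify old records.
    # Plain UTF-8 is the assumed encoding of those legacy records.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def authenticate(user: dict, password: str) -> bool:
    """Try the legacy MD5 check first, then back off to the PBKDF2 check."""
    stored = user["password"]
    if hmac.compare_digest(legacy_md5(password), stored):
        # Legacy record matched: rehash while the plaintext is in hand, so the
        # unsalted MD5 sum is replaced on the user's next successful login.
        user["password"] = hash_password(password)
        return True
    if stored.startswith("pbkdf2:"):
        return check_password(stored, password)
    return False
```

Records that never log in again keep their MD5 sum under this approach, so a migration like this is usually paired with a forced reset for accounts still on the legacy format after some cut-off.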
