Release Oct 2024 - v7.13

Overview

The LBMS V7.13.0 release introduces performance upgrades, security enhancements, and a range of new functionalities requested by clients, improving the usability, configurability, and security of the loyalty platform. This release is ready for UAT, with client-focused testing and validation completed by the QA team in a production-equivalent environment.


Key Enhancements

  1. Enhanced Management of Transaction Amounts in Indonesian Rupiah (IDR):
    What's new: The system now supports transaction amounts up to 99999999999.9999 (11 digits) for IDR.
    Validation: An error message is displayed if the transaction amount exceeds this limit. This validation applies only to IF, AND, OR conditions; the "Then" condition remains unaffected.
  2. Restricted Platform Configuration View
    The "Organization" details view permission only allows users to see basic organization information. The program configuration tabs are hidden for all users with this permission, ensuring that sensitive program settings remain protected.
  3. Audit Trail Report Now Available in PDF Format
    What's New: The Audit Trail report can now be downloaded in PDF format.
    Changes: The previous CSV format has been removed. The PDF files will be compressed into ZIP or GZ format based on your configuration settings.
  4. CAPTCHA Added to Enhance Security
    What's New: A 6-digit CAPTCHA challenge is now required for all users (including LDAP, non-LDAP, and SaaS environments) at login. This measure improves protection against brute-force attacks.
    Expiration: CAPTCHA expiration has been introduced to limit multiple failed login attempts.
  5. Updated Wording for Report Downloads
    What's New: "Download Successful" has been updated to "Reports Generated" for better clarity during export actions. This change applies to the following reports:
    • Users Data Exports
    • Roles Data Exports
    • Audit Data Exports
    • Member Exports
      Note: This update ensures users receive more accurate and descriptive feedback when exporting data from the platform.
  6. "Basic Details" Replaced with "Admin Details" in Org Configuration
    What's new: The "Basic Details" section is now labelled "Admin Details" for Giift LBMS SaaS clients in the program creation process.
    What's changed: The sender name and email are set by default as "Giift LBMS" and [email protected]
  7. Enhanced Report Download Experience
    What's new: The manual report download process has been improved. The date selector is no longer part of the download interface, simplifying the process.
  8. Secure API Authorization for Multi-Tenant LBMS Cloud
    What’s new: Separate and secure API key handling is required for each SaaS client to ensure security across multiple programs.
    Changes: Tokens will have configurable validity (default 30 minutes), and authorization is now restricted per client.
  9. Enhanced Security with Progressive Login Attempts and Account Blocking
    What's New:
    This feature improves the security of user accounts by implementing a progressive error message and account-blocking mechanism after multiple failed login attempts.
    • 6 Wrong Attempts: After six consecutive incorrect login attempts, the user account will be blocked, but the user will still be able to reset the password using the "Forgot Password" option.
    • LDAP Behavior:
      • When LDAP is disabled: The progressive error message will be displayed to the user.
      • When LDAP is enabled: Only the error message will be shown, and the user will not be blocked.
    • Resetting Attempt Count: If the user enters the correct password within the six wrong attempts, the incorrect password attempt count will be reset.
    This feature enhances security by preventing brute-force login attacks while allowing users to recover access.
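    The attempt-counting policy described in this item, as an added Node.js illustration (not LBMS source code): a per-user counter of consecutive failures, a progressive message, a block after six failures, a reset on a correct password, and no blocking when LDAP is enabled. The in-memory map, the verifyPassword callback and the unblock helper are assumptions made for the example.

```javascript
// Added illustration (not LBMS source code) of the progressive login-attempt
// policy: a per-user counter of consecutive failures, a progressive message,
// a block after MAX_ATTEMPTS, a reset on success, and no blocking when LDAP
// handles authentication.
const MAX_ATTEMPTS = 6;

// Constructed in-memory state; a real service persists this per user.
const attempts = new Map(); // username -> { failures, blocked }

// verifyPassword is a hypothetical stand-in for the real credential check.
function login(username, candidate, verifyPassword, { ldapEnabled = false } = {}) {
  const state = attempts.get(username) ?? { failures: 0, blocked: false };

  if (state.blocked) {
    return { ok: false, blocked: true,
      message: 'Account blocked. Use "Forgot Password" to regain access.' };
  }

  if (verifyPassword(username, candidate)) {
    // A correct password within the allowed attempts resets the counter.
    attempts.set(username, { failures: 0, blocked: false });
    return { ok: true, blocked: false, message: 'Login successful.' };
  }

  state.failures += 1;
  attempts.set(username, state);

  if (ldapEnabled) {
    // LDAP enabled: only the plain error is shown; the directory owns lockout.
    return { ok: false, blocked: false, message: 'Invalid username or password.' };
  }

  const remaining = MAX_ATTEMPTS - state.failures;
  if (remaining <= 0) {
    state.blocked = true;
    return { ok: false, blocked: true,
      message: `Account blocked after ${MAX_ATTEMPTS} failed attempts. Use "Forgot Password" to reset.` };
  }

  return { ok: false, blocked: false,
    message: `Invalid username or password. ${remaining} attempt(s) remaining before the account is blocked.` };
}

// Called when the "Forgot Password" flow completes: clears block and counter.
function unblockAfterPasswordReset(username) {
  attempts.delete(username);
}
```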
  10. Improved Handling of Rule Group Date Range
    This update makes it easier to manage date ranges for rule groups.
    • If no date range is selected or the chosen range exceeds 25 years when creating or editing a rule group, the system will automatically display "Lifetime" as the default option.
    • If Maker-Checker is enabled and a user changes the rule group's date range from "Lifetime" to a specific period, the "old value" section will show a default range of 60 years, from 1994 to 1954.

Note: This feature has been tested with all rule types, including Flat Points, Tier Multiplier, For Every Rule, Multiplier Rule, and Limitations, ensuring it works seamlessly.

  1. Manual Points Addition with Restricted Member Details Access
    This update introduces new permissions for managing member details and manual points:
    • View Member Details Permission: A new permission, "View Member Details," has been added during role creation. Only users with this permission can view member details in the system.
    • Add/Remove Points Permission: Users with "Add/Remove Points" permission can add or remove points, even without the "View Member Details" permission.
    • Anomaly Detection Access: Only users with "View Member Details" permission can access member details in the Anomaly Detection module. Without this permission, the "View Member" button will be disabled.
    • Auto-Enable View Permission: If a user enables permissions like "Add/Remove Points," "Show PI Details," or "On Behalf of Redemption," the "View Member Details" permission will automatically be enabled.
    • Active Status Check: Manual points can only be issued for members with an active status.

Note: This update enhances control over who can view sensitive member data while managing points flexibly.

  1. Enhanced Report Access and Sharing with RBAC Permissions
    This update introduces Role-Based Access Control (RBAC) for report access and sharing:
    • "Create" Report Permission: Users with the "Create" report permission can view, create, delete, and share all reports/logs for the programs they can access. They can also share or un-share reports/logs with individual or multiple users.
    • "View" Report Permission: Users with the "View" permission can view, generate, and download reports/logs that have been shared with them. They cannot create, delete, or modify reports/logs.
    This update ensures business users have precise control over report visibility and sharing based on their permissions.
  1. Introduction of Username Field for Business Users
    • For existing users, the username will be set to their email ID, which will be updated via the upgrade script.
    • Users must be added to the LDAP directory with a username and password, which will be used to log in to the LBMS.
    • The "Username" field in the application is now un-editable.
    • If a user is already added to a program, attempting to add them again will result in a "Duplicate Record" error. However, if the user exists in another program and uses the same credentials, the user will be mapped to multiple programs.
    • The "Forgot Password" flow will now function based on the username.
    • If a user belongs to multiple programs and changes are made in one program, those changes will be reflected across all associated programs.
  2. Password Encryption within OCP
    Sensitive information, such as passwords, is now encrypted using config maps.
    The following passwords are encrypted:
    • MSSQL password
    • Redis password
    • Minio access key
    • SMTP password
  3. BDI VAPT
    • Security vulnerabilities identified by the BDI team are fixed as part of the above story. All issues, along with the good-to-have/best-practice recommendations, are incorporated.
    • The details of the test can be found here: BDI VAPT Fixes
  4. BDI | Export and Import Feature (V7 to V7) - Roles, Communication templates, Program
    • Roles and Reports are now exported as part of the export/import feature.
    • All existing roles in the target program will be deleted, and existing users will be reassigned to the Program Admin role.
    • Only auto-generated transactional, member, and communication reports will be exported, along with their respective report settings.
    • No audit logs are generated for import or export actions.
  5. OTP Table Fields to be Encrypted and Decrypted
    • OTPs are encrypted before being stored in the database, and the decrypted OTP is sent to the member.
    • A new database column, OTPEncrypt, stores the encrypted OTP.
    • Expired or inactive OTPs fail verification with the VerifyOTP API.
    • The "View" option for the LBMS Member OTP template is disabled in the UI.
    • OTP functionality is currently validated only for email, as the SMS channel is not configured.
    • Audit logs are generated for every OTP resend email action.
    • OTPs are not displayed anywhere within the application for sensitive data templates.
  1. GIM VAPT Issue - I_003
    • The system always displays the message: "If the entered username exists in our system, you will receive an email with instructions to reset your password," regardless of whether the user exists or not.
    • The API response for all usernames (existing/non-existing) is always "true".
    • If the entered captcha is incorrect, an error message for an invalid captcha is displayed.
    • Verified that emails are received and password reset functionality works correctly using the link provided.
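    The uniform forgot-password response described under I_003, as an added Node.js illustration (not LBMS source code), shown next to the enumerable behaviour it replaces: the hardened handler returns the same message and the same `true` result whether or not the username exists, and the only distinguishable error is the invalid-captcha one. The sample user directory, the CAPTCHA check and the mail queue are constructed stand-ins.

```javascript
// Added illustration (not LBMS source code) of the I_003 fix: identical
// forgot-password responses for existing and non-existing usernames, so the
// endpoint reveals nothing about which accounts exist.
const RESET_MESSAGE = 'If the entered username exists in our system, you will ' +
  'receive an email with instructions to reset your password.';

// Constructed sample directory, keyed by username.
const users = new Map([['alice', { email: 'alice@example.invalid' }]]);

// Hypothetical stand-ins for the CAPTCHA check and the outbound mail queue.
function captchaIsValid(token) { return token === 'valid-captcha'; }
const mailQueue = [];

// Enumerable behaviour (the kind of finding I_003 addresses): the response
// differs for unknown usernames, so an attacker can probe for valid accounts.
function forgotPasswordBefore({ username }) {
  const user = users.get(username);
  if (!user) return { status: 404, body: { success: false, message: 'User not found.' } };
  mailQueue.push({ to: user.email, resetToken: 'constructed-opaque-token' });
  return { status: 200, body: { success: true, message: 'Reset email sent.' } };
}

// Hardened behaviour: same status, same body, same success flag for everyone.
function forgotPassword({ username, captcha }) {
  if (!captchaIsValid(captcha)) {
    // Only the CAPTCHA failure is distinguishable, and it says nothing about the user.
    return { status: 400, body: { success: false, message: 'Invalid captcha.' } };
  }
  const user = users.get(username);
  if (user) {
    // The side effect happens only for real accounts; the response never depends on it.
    mailQueue.push({ to: user.email, resetToken: 'constructed-opaque-token' });
  }
  return { status: 200, body: { success: true, message: RESET_MESSAGE } };
}
```

    The queued send should also be asynchronous in a real service, so response timing does not leak what the body hides.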
  2. Support for Non-ASCII Characters in TXN File Processing
    • Non-ASCII characters are supported in Transaction, Member, BNS, and CRD file processing.
    • These characters are also supported in Transaction, Member, BNS, and CRD APIs.
    • Non-ASCII characters are not supported in product file uploads and on the application, where special characters are prohibited.
  3. Remove Critical Information (OTP, PII Data) from Application Logs
    • Sensitive member information such as OTP and PII data has been removed from the following application service logs:
      • Notifications
      • Milestones
      • Segmentation
      • Member
      • Transaction
      • RBAC
      • OAuth
      • Maker-checker
    • Only OTP and Notification Payload are encrypted in the database. The rest of the PII information is not encrypted in DB or Redis.
    • LBMS RBAC user information will still be available in the logs.
  4. LBMS Tech Stack Upgrade
    As part of the tech stack version upgrade, the following upgrades have been made:
    • NodeJS: from version 14-16 → 22 (LBMSUI is upgraded to 20; other services are on 22)
    • C#: from version 3.1 → 8
    • Redis: from version 5.7 → 7