- Photo by Goh Rhy Yan on Unsplash

Our newest release of Evetro has switched its authorization mechanism.

This means that all of you who were registered users on the previous version of Evetro have to register new accounts, and that you have now lost access to your previously created retrospectives, notes and actions. This post will resolve this inconvenient issue. Students at UiO only need to access a different domain than "app", namely "student".

On our release notes

It is no secret that our retrospective web application, Evetro, is always undergoing changes in its implementation. These changes manifest in appearance and functionality alike, to better cope with the most crucial needs of the many teams which use Evetro to conduct retrospectives. For two releases (v1.1.3 and v1.2.1) we have summarized the most important additions and changes to their set of features.

This, we pose, is a welcome benefit for those of you who have either joined our test pilots, been subscribed to our services via your team at work, or are simply following our journey from the sidelines. The release note provides short documentation of what has changed or has been added, and a short testimony to defend each action. This release, v1.3, brings a fundamental change to the most important facet of the security of the app: the issue of authenticating and authorizing its actual users.

The breaking change

Old login screen.

We have completely redefined the login experience and the authentication process. Redefined, to the point that should you attempt to log onto the web app, the following surprise will occur to you. You will be redirected to a login page which looks rather different from the one you were used to seeing. Furthermore, the login dialog now prompts for a password and alternatively lets you use either your Google ID or your GitHub ID to authenticate yourself. The latter two options will henceforth be referred to collectively as the Single Sign-On options, or SSO for short.

You cry out "But I've never typed in a password on the login before! What on earth could the password to my user account be?" And here is the kicker: the answer is that your user account is not available in this new login solution. We wanted to leave our end users the choice of how to authenticate: with a conventional password or with one of the two SSO options. Thus, we refrained from migrating any existing users to the new solution, as that would lock them to a password-based authentication scheme, which would prompt a forced password change for all the migrated users, in spite of them never using a password in the first place.

WHAT!

Should you then opt to log in with SSO, for instance the Google ID provider, perchance because you already used your Gmail address to log onto the application, what awaits you is the default Get Started page. The icons on the top menu are mostly unchanged, so you can still click on the magnifying glass in the top left corner to access the "Find" page. However, if you do so, you won't find any of the retrospectives you created and/or facilitated. What happened here?

As a direct consequence of the introduction of the new login module, the backend supporting it has been revamped completely, resulting in the deprecation of the document collection storing the user objects you usually read. We could have opted to actively migrate all of the existing user data ourselves, such that the user data would be available to you in spite of having to register a new user for the new authentication framework we are deploying. The drawback of this action is that we would be forced to thrust a password upon all of our existing users, taking away the option to use an SSO alternative.

We thereby admit to putting all of you in a stressful situation. Below we describe how we can remediate this issue, first for our student users, then for our regular users.

If you are a student

Evetro is currently running a test pilot with the University of Oslo. If you are a student currently attending UiO, and you are part of this pilot, we have news for you: You will not at all be affected by this upgrade. We have moved the version of the application you are familiar with to another domain. This instance of the application will be operative until August 1st this year.

If you are a subscriber or running the free trial

For those of you who are on one of our paid plans, we have implemented a new section in the Control Panel page (marked with a cog icon on the top menu). The bottom section card of this page shows a green button labelled "Attempt data recovery", with the description "Click the button below to get your retrospective data per v1.3 (including notes and actions) to be accessible to you" displayed in boldface directly above it.

Refresh the Find page once, and your retrospectives will have returned. There is one major, simplifying assumption we have made upon implementing this user model migration. If the full name (first name + last name) of the SSO profile is not strictly equal to the full name in the old user profile, the query will not work and will return a warning popup instead. What does one do then? You can contact me at the email address vegard dot bugge at evetro dot com and yell at me over how poorly this simple hotfix worked for you. You will have to tell me the email address you are logging in with and the email address you used to log in with before this upgrade. This information will be used to manually query our databases for 1) your old participant document, and 2) the document representing your newly re-registered user.
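The following JavaScript is an added example, not Evetro's actual code: it shows the strict full-name match described above and classifies why a near-identical name still fails, which is what a manual lookup has to sort out. The field names, the in-memory collection, and the choice to also warn when several old profiles share the same name (a full name is not a unique identifier) are assumptions.

```javascript
// Added illustration, not Evetro's code. Field names and data are assumptions.
// Constructed sample of the deprecated participant collection.
const oldParticipants = [
  { id: "p1", firstName: "Kari", lastName: "Nordmann", retroIds: ["r1", "r2"] },
  { id: "p2", firstName: "Ola", lastName: "Hansen", retroIds: ["r3"] },
  { id: "p3", firstName: "Ola", lastName: "Hansen", retroIds: ["r4"] },
  { id: "p4", firstName: "\u00C5se", lastName: "Berg", retroIds: ["r5"] }, // precomposed Å
];

const fullName = (u) => `${u.firstName} ${u.lastName}`;

// Strict match as the post describes: the full names must be strictly equal.
// Assumption added here: more than one hit is also a warning, never a link,
// because two people can share a name.
function attemptDataRecovery(ssoProfile, participants) {
  const wanted = fullName(ssoProfile);
  const hits = participants.filter((p) => fullName(p) === wanted);
  if (hits.length === 1) {
    return { status: "recovered", participantId: hits[0].id, retroIds: hits[0].retroIds };
  }
  return {
    status: "warning",
    reason: hits.length === 0 ? "no-match" : "ambiguous",
    candidates: hits.length,
  };
}

// Support-side diagnosis: why did two names that look alike fail strict equality?
function diagnoseMismatch(ssoName, oldName) {
  if (ssoName === oldName) return "identical";
  const nfc = (s) => s.normalize("NFC");
  if (nfc(ssoName) === nfc(oldName)) return "unicode-normalization";
  const ws = (s) => nfc(s).trim().replace(/\s+/g, " ");
  if (ws(ssoName) === ws(oldName)) return "whitespace";
  if (ws(ssoName).toLowerCase() === ws(oldName).toLowerCase()) return "case";
  return "different";
}

// An SSO profile whose "Å" is sent as "A" + combining ring looks identical on
// screen but is a different string, so the strict query returns a warning.
const decomposed = { firstName: "A\u030Ase", lastName: "Berg" };
console.log(attemptDataRecovery(decomposed, oldParticipants));
console.log(diagnoseMismatch(fullName(decomposed), fullName(oldParticipants[3])));
```

A diagnosis other than "different" only tells support which old document to inspect; the two email addresses mentioned above remain what confirms whose data it is.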

Have fun retrospecting!