What's New?

• TTL-aware magic links: Replaced permanent community login links (from Agency Dashboard) with short-lived links to prevent unauthorized access.

• Session Expiry: Users can now choose to invalidate all active sessions across devices during any password change or reset.

Fixes:

• User enumeration prevention: Standardised error responses across Login, Forgot Password, and OTP flows to prevent attackers from verifying if an email exists in our system.

• Users V1 update API: Added XSS payload sanitisation and limiting updates to an approved list of fields to prevent unintended modifications.

Next Steps:

• Enforcing Strong Password Policy: Backend enforcement is next. It is already rolled out partially, with the UI enforcing the new policy on all apps.