Skip to content

whats-new.md

Latest commit

 

History

History
72 lines (65 loc) · 5.93 KB

whats-new.md

File metadata and controls

72 lines (65 loc) · 5.93 KB

Release 2.0.0

What’s changed?

The overall goals, compliance principles and functionality of this FDA MyStudies release are similar to previous releases. Notable changes from version 2019.10 of FDA MyStudies include:

Functionality

  • Removed dependencies on the LabKey framework
  • Added the Response datastore as a platform-agnostic service to handle study response storage and access
  • Added the Participant manager graphical user interface and Participant datastore backend to manage participant enrollment
  • Added support for OAuth 2.0 and OIDC
  • Added templates for semi-automated deployment
  • Added support for infrastructure-as-code and CICD
  • Upgraded the Android application for compatibility with Android 10
  • Improved exception handling
  • Improved request and data validation
  • Introduced unit tests and test frameworks to the codebase

Architecture

  • Migrated to a modular container-based architecture
  • Refactored and extended mobileAppStudy-ResponseServer to Response datastore
  • Refactored UserReg-WS to Participant datastore
  • Refactored WCP-WS and Resources-WCP to Study datastore
  • Reduced code duplication by extracting Common modules that are used by all new services
  • Migrated restrictive open-source dependencies to alternatives with permissive licenses
  • Removed dependencies that require commercial licenses
  • Simplified mobile application calls and moved some functionality server-side to reduce dependencies between services
  • Adjusted data storage based on usage and security requirements (for example, study and participant status storage and calls were moved to Response datastore; enrollment generation logic was moved to Participant datastore)

Security

  • Replaced hard-coded credentials with scripts that inject initial users into each component
  • Fixed potential cross-site scripting vulnerabilities
  • Added query binding to all existing queries to prevent SQL injection
  • Enhanced auth throughout codebase:
    • Unified distributed auth implementation into a single Auth server (Study builder retains built-in auth)
    • Integrated with Hydra, an OAuth 2.0 and OpenID Connect provider for OAuth 2.0 Access & Refresh token generation and authentication
    • Improved remaining authentication (for example, removed client_secret from being transmitted in all calls)
  • Created deployment templates that support security best practices, such as:
    • Automation of secret generation and handling:
      • Configured secrets to be generated and stored with a Secret Manager instance deployed in an isolated cloud project
      • Configured secret values to be transmitted automatically within the private Kubernetes cluster
    • Implementation of centralized network control:
      • Configured deployment to use a VPC host project to manage networks and subnets in a centralized way (enabling network administration to be separated from project administration)
      • Enabled resources in different projects to communicate securely with internal IPs
    • Separation of projects with the security principle of least privilege:
      • Configured dedicated projects for different purposes (secrets, networks, applications, audit) for management by teams with isolated permissions - for example, a centralized network team can administer the network without having access the secrets project)
    • Implementation of external access limitations:
      • Configured databases and VMs to be isolated from the internet with only internal IP addresses (Private Google Access)
      • Established bastion host for secure on-demand connections to private instances
    • Implementation of DevOps best practices:
    • Delegation of responsibility through groups and service accounts:
      • Configured deployment to assign IAM roles to groups and service accounts so that individuals obtain permissions through groups rather than direct IAM roles

Usability

  • Made interactions more intuitive for participants using the Android and iOS mobile applications
  • Updated text for clarity in user interfaces and messages throughout the platform
  • Moved hard-coded values to centralized configuration files to streamline platform customization
  • Improved code readability to simplify usability and extensibility for developers
  • Added support for unit testing, linter and CICD
  • Added detailed documentation and deployment instructions

Bug fixes

  • Fixed stability and usability bugs throughout the applications and platform

Copyright 2020 Google LLC