Fixes:
- Added a warning message to prevent a reviewer from losing work if they try to move to the previous/next review without saving their changes.
- Fixed an issue with scoring where sorting by average score would not accurately reflect the order.
- Fixed an issue with the Apply Connect Integrations page displaying an incorrect value for Client Secret. See API Updates below for more details.
API Updates
On January 25th, 2024 we released a security update that included a change to how API credentials are generated and stored in Apply. Because of this update, the client secret visible on the Apply Connect integrations page was displaying a value meant to be used internally rather than the plain-text version that was visible before.
For any user who had API credentials generated before January 25th and who used the API on or after that date, a programmatic refresh of their access token would fail. Some users may have worked around this by copying the internal client secret from the page to get their API connections running again.
As a result of this issue, we have made the following changes:
- We have updated the Apply Connect integrations page to display the plain-text secret when the credentials are first generated. This is the only time it will be visible; afterward it will display as hidden and it cannot be recovered. Make sure you copy it and keep it somewhere safe before navigating away from the page; otherwise you'll need to revoke and regenerate.
- If you lose your credentials or they're compromised, you will need to use the Revoke Credentials button on the page to delete the existing credentials, and regenerate new ones to continue using the API.
We will temporarily allow the updated client secret that was shown between January 25th and this release to continue to work until February 23rd, 2024, after which any user who has not revoked and regenerated new credentials will need to do so in order to continue using the API.
What do you need to do?
- If you have been using the API since before January 25th and have your original client ID & secret, you don't need to do anything except start using your plain-text client secret again.
- If you do not have the original secret anymore, or first generated API credentials on or after January 25th, you will need to go to Settings > Integrations > Apply Connect and use the Revoke Credentials button to revoke the existing credentials, then generate new ones if you want to keep using the API. Do this before February 23rd so that your API usage is not impacted when we stop accepting the other secret.
Frequently asked questions
Can you provide me with my original secret?
Unfortunately, due to the secure nature of how these are stored in our database, we are not able to provide you with your original secret. If you do not know your original secret, you will need to revoke and regenerate the credentials.
Was any data compromised as a result of this issue?
No. The client secret displayed in error is still unique for every user and only users who had API access would have had access to the view where the credentials are displayed.
Why isn't the secret always visible anymore?
As security standards evolve, we constantly re-evaluate our own practices and incorporate these improvements into Apply. In this case, this means updating how we handle and store client secrets in our database so that they would be useless to anyone who didn't already know the original value. We can only validate that a value passed to us matches the stored value; we don't have access to the original value once it’s saved.
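The storage model described in that answer, one-way hashing with verify-only comparison, can be illustrated with a small standalone example. This is added illustration, not Apply's code, and the store, salt size, hash choice and function names are assumptions; it also reproduces the display mistake described above (showing the stored value instead of the plain-text secret) to show why a copied internal value cannot authenticate.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory credential store: client_id -> (salt, sha256 digest).
# Assumption for the example; a real service would use a database.
_store: dict[str, tuple[bytes, bytes]] = {}


def _digest(salt: bytes, secret: str) -> bytes:
    # A random 256-bit secret has enough entropy that a single salted SHA-256
    # is sufficient; slow KDFs (PBKDF2, Argon2) matter for low-entropy passwords.
    return hashlib.sha256(salt + secret.encode("utf-8")).digest()


def generate_credentials() -> tuple[str, str]:
    """Create a client id and secret; the plain-text secret is returned once."""
    client_id = secrets.token_hex(16)
    client_secret = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    _store[client_id] = (salt, _digest(salt, client_secret))
    return client_id, client_secret


def internal_stored_value(client_id: str) -> str:
    """The value the database actually holds (hex digest).

    This is what the integrations page showed by mistake: it identifies the
    record but is not the secret and cannot be used to authenticate."""
    _salt, digest = _store[client_id]
    return digest.hex()


def verify_secret(client_id: str, candidate: str) -> bool:
    """Verify-only check: recompute the digest and compare in constant time."""
    record = _store.get(client_id)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(_digest(salt, candidate), digest)


def revoke_credentials(client_id: str) -> bool:
    """Delete the record; the only recovery path once the secret is lost."""
    return _store.pop(client_id, None) is not None


if __name__ == "__main__":
    cid, plain = generate_credentials()
    print("plain-text secret works:", verify_secret(cid, plain))
    print("internal value works:", verify_secret(cid, internal_stored_value(cid)))
    revoke_credentials(cid)
    print("after revoke:", verify_secret(cid, plain))
```

Running it shows that the plain-text secret verifies, the internal stored value does not, and after revocation nothing verifies, which is exactly why a lost secret can only be replaced, never retrieved.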
Are there any other changes to the functionality of the API?
- With the update on January 25th we increased the access token expiry time to 30 days (from 2 hours).
- In today’s release we added support for revoking both access tokens and refresh tokens through the /api/o/revoke_token/ endpoint. Check out our API documentation for more information.