BOMnipotent v0.5.0 introduces email verification

Users now need to prove that they have access to the provided email address.


User accounts in BOMnipotent are associated with email addresses. Up until now, they were merely a stand-in for a username. With the new release v0.5.0, BOMnipotent sends newly registered users a verification link. This link contains a hash-based message authentication code (HMAC) computed with a key that is randomly generated at server startup. Only after users have followed this link will they be marked as “verified”, and only then can they be approved by a user manager.
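To illustrate the mechanism, here is an added sketch of signing and checking such a link; it is not BOMnipotent's own code. HMAC-SHA256, the URL layout, the parameter names `email` and `tag`, and the `LinkSigner` class are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

BASE_URL = "https://bomnipotent.example/verify"  # hypothetical endpoint


class LinkSigner:
    """Signs and checks verification links with a key held only in memory."""

    def __init__(self):
        # Fresh random key per process start: links issued before a
        # restart no longer verify afterwards.
        self._key = secrets.token_bytes(32)

    def _tag(self, email: str) -> str:
        # Normalise before signing so one address always maps to one tag.
        msg = email.strip().lower().encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def make_link(self, email: str) -> str:
        query = urlencode({"email": email, "tag": self._tag(email)})
        return BASE_URL + "?" + query

    def verify_link(self, link: str):
        """Return the verified address, or None if the link is not authentic."""
        params = parse_qs(urlsplit(link).query)
        emails, tags = params.get("email", []), params.get("tag", [])
        if len(emails) != 1 or len(tags) != 1:
            return None  # missing or duplicated parameters
        expected = self._tag(emails[0]).encode("utf-8")
        # Constant-time comparison: do not leak how many characters matched.
        if hmac.compare_digest(expected, tags[0].encode("utf-8")):
            return emails[0].strip().lower()
        return None


if __name__ == "__main__":
    server = LinkSigner()
    link = server.make_link("alice@example.com")  # constructed sample address
    print("valid link:     ", server.verify_link(link))
    print("swapped address:", server.verify_link(link.replace("alice", "mallory")))
    print("after restart:  ", LinkSigner().verify_link(link))
```

Because the server stores no per-link state, the HMAC alone proves that the server issued the link for that exact address.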

But what about automation? CI/CD pipelines are typically not associated with an email address. For them, BOMnipotent Client offers the new option “--robot”, which can be used to request an account that does not receive a verification email. The same option then needs to be used to approve such an account.

Email capability requires a connection to an SMTP server. For this to work, an smtp section needs to be added to the configuration file. The documentation describes this in familiar detail.

Why is this new feature a breaking change? Because BOMnipotent is secure-by-default, meaning that this feature is enabled and requires the smtp config, unless you explicitly disable it. Please don’t, a lot of love and labour went into developing it.

P.S.: Did you notice the new look of the website, with higher contrast for improved accessibility?