Implement compliance storage configuration using AWS CloudFront signed URLs for completed documents. This reuses the existing ATS infrastructure to provide secure, time-limited access to document storage while maintaining backward compatibility with legacy storage.
- Add aws-sdk-cloudfront dependency for URL signing
- Create DocumentSecurityService for CloudFront signed URL generation
- Add secured storage service configuration in storage.yml
- Update completed_documents model with storage_location tracking
- Modify download controllers to use signed URLs for secured storage
- Add compliance_storage.yml configuration for different environments
- Update submitter completion job to track storage location
BREAKING CHANGE: Requires SECURED_STORAGE_BUCKET and SECURED_STORAGE_REGION environment variables for staging/production environments
- Add account_groups table and model
- Add account_group references to accounts, users, templates, template_folders
- Make account_id nullable on users, templates, template_folders
- Add controllers and specs
* Consolidate account groups migrations
- Replace 8 separate migrations with 2 consolidated ones
- Create account groups and relationships in one migration
- Make account_id columns nullable in second migration
* this logic is being handled in external_auth_controller
* remove unnecessary controllers
* remove unnecessary routes
* refactor account_group.default_template_folder
* align method with Account version of this method
* refactor controllers to move complex logic to service
* move account/account group validation to concern
* this method is not yet needed
* we may implement this differently in next ticket to handle account and account group syncing for templates.
* rubocop violation fixes
* a few more refactors and add tests
* Change external_account_group_id to integer type
* Refactored external_account_group_id from string to integer in models, migrations, factories, and specs for consistency.
* Merged account_id nullability changes into a single migration and removed the obsolete migrations.
* Updated authentication logic to require either account or account_group presence for user activation.
- Extract complex ATS prefill logic from PrefillFieldsHelper into dedicated AtsPrefill service
- Create modular service objects: FieldExtractor, FieldMapper, ValueMerger, and CacheManager
- Implement proper caching strategy with Rails.cache for performance optimization
- Add comprehensive test coverage for all new service components
- Maintain backward compatibility through facade methods in PrefillFieldsHelper
- Improve security by validating field name patterns and sanitizing inputs
- Enhance performance with optimized field lookup caching
BREAKING CHANGE: PrefillFieldsHelper now delegates to AtsPrefill service layer. Direct usage of helper methods remains unchanged, but internal implementation has been refactored.
* Add external_id fields to accounts and users tables
Adds external_account_id and external_user_id fields to support
integration with external ATS systems. These fields will map
DocuSeal accounts/users to their corresponding ATS entities.
* Add external ID support to Account and User models
Implements find_or_create_by_external_id methods for both Account
and User models to support automatic provisioning from external
ATS systems. Users now have access tokens for authentication.
* Add external authentication API endpoint
Creates /api/external_auth/get_user_token endpoint for external API systems
to authenticate users and receive access tokens.
* Refactor authentication to support token-based login
Replaces demo user authentication and setup redirect logic with token-based authentication via params, session, or X-Auth-Token header.
Users do not login, they are just authenticated via token.
* Replace authenticate_user! with authenticate_via_token!
Refactored controllers to use authenticate_via_token! instead of authenticate_user! for authentication. Added authenticate_via_token! method to ApiBaseController.
* Update controller authentication and authorization logic
Removed and replaced several before_action and authorization checks in ExportController, SetupController, and TemplateDocumentsController.
* Add external authentication API endpoint
* Add IframeAuthentication concern for AJAX requests in iframe context
* Create shared concern to handle authentication from HTTP referer
* Extracts auth token from referer URL when AJAX requests don't include token
* Supports Vue component requests within iframes
* Remove old user authentication from dashboard controller
* Quick fix for request changes
Now that we have scoped users, we're changing this to compare to the template authot
* rubocop fixes
* Add and update authentication and model specs
Introduces new specs for iframe authentication, account, user, application controller, and external auth API.
* add safe navigation and remove dead method
- Replace present? check with blank? for better nil handling
- Add input size validation to prevent DoS attacks (64KB limit)
- Fix string formatting and indentation in audit logging
- Optimize caching with proper error handling for Redis failures
- Simplify conditional logic in field value merging
- Add frozen string literal comments for Ruby 3.4 compatibility
- Improve test coverage with better mocking and assertions
Security improvements include input validation and audit logging for ATS prefill usage tracking.
- Add input size limits (64KB for encoded, 32KB for decoded JSON) to prevent DoS attacks
- Implement audit logging for ATS prefill usage tracking
- Add caching layer for field UUID lookups with 30-minute TTL
- Optimize field resolution with O(1) lookup cache instead of O(n) search
- Add comprehensive error handling and logging throughout prefill pipeline
- Validate ATS field names against allowed patterns with security checks
- Add Base64-encoded JSON parameter support for ATS prefill values
- Implement field mapping between ATS field names and template field UUIDs
- Enhance merge logic to preserve existing submitter values while adding ATS prefill data
- Add comprehensive error handling for invalid Base64 and JSON parsing
- Update form rendering to use merged ATS values for prefill functionality
- Add integration tests for complete ATS prefill workflow
Add support for fetching prefill values from ATS system when task_assignment_id parameter is provided. This includes:
- New ATS API integration in PrefillFieldsHelper to fetch prefill values
- Cache layer for ATS prefill values with 30-minute TTL
- Merge logic to respect existing submitter values over ATS prefill values
- Error handling and logging for ATS API failures
- Integration with SubmitFormController to fetch values before form rendering
The feature allows forms to be pre-populated with candidate data from the ATS system while preserving any values already entered by submitters.
- Add available_ats_fields to template edit response payload
- Implement ATS field dropdown in field settings component
- Add prefill attribute to template fields for ATS integration
- Format ATS field names for user-friendly display in dropdown
* new controller to handle change requests
* add button and modal on completed submission view to request changes
* webhook job will send out to external API when submission is updated for changes_requested_at
* email will be sent to user that need to make changes
* submission status steps back from "completed"
- Implement Rails.cache-based caching for expensive Base64 decoding and JSON parsing
- Add configurable TTL (1 hour) for successful results and shorter TTL (5 minutes) for errors
- Include cache key generation using SHA256 hash for security and uniqueness
- Add comprehensive test coverage for caching behavior and edge cases
- Handle cache read/write failures gracefully with fallback to normal processing
- Add PrefillFieldsHelper module to extract ATS field data from base64 encoded parameters
- Integrate ATS field extraction into TemplatesController and SubmissionsController
- Support employee, manager, account, and location field name patterns
- Add comprehensive test coverage for field validation and error handling
- Remove unused backgroundColor style from template builder
We'll need to properly strip out the user authentication stuff in the future. Since they'll already be logged into CareerPlug we don't another login here.
* automatically log in as a Demo Account user for now
Bernardo Anderson
Ryan Arakawa
Bernardo Anderson
Mikhael Rakauskas
Pete Matsyburka
Alex Turchyn