CHANGELOG.md
Changelog


0.26.6 (2023-10-05)

Bugfixes

  • GuestTokenGuard included in oidc.module

0.26.5 (2023-10-05)

Bugfixes

  • Update semver from 6.3.0 to 6.3.1
  • Update word-wrap from 1.2.3 to 1.2.4
  • Creating GuestTokenGuard

0.26.4 (2023-10-04)

Bugfixes

  • Bugfix: creating a new strategy object passed into passport.authenticate in oidc.service

0.26.3 (2023-01-10)

Bugfixes

  • Make the logout method in oidc.service asynchronous, following the breaking change in passport 0.6.0 (req.logout now takes a callback)

0.26.2 (2023-01-03)

Bugfixes

  • Update passport-jwt from 4.0.0 to 4.0.1
  • Update passport from 0.5.3 to 0.6.0 (0.6.0 regenerates the session on login to prevent session fixation and makes req.logout asynchronous)

0.26.1 (2023-01-02)

Bugfixes

  • Update nestjs/jwt from 9.0.0 to 10.0.1

0.26.0 (2022-12-15)

Feature

  • Add email to user infos if present in the id_token

0.25.2 (2022-08-01)

Bugfixes

  • Fix passport version in the correct packages

0.25.1 (2022-08-01)

Bugfixes

  • Revert to passport 0.5.x to work around bugs in 0.6.x

0.25.0 (2022-07-20)

Features

  • Compatible with Nest v9

0.24.6 (2022-05-03)

Bugfixes

  • Adds missing axios dependency

0.24.5 (2022-05-02)

Bugfixes

  • Fixes post-logout redirect for single tenant config

0.24.4 (2022-02-28)

Bugfixes

  • Use latest version of @finastra/ssr-pages

0.24.3 (2022-02-04)

Bugfixes

  • Fix favicon requests triggering a tenant switch
  • Rename the login session cookie to LOGIN_SESSION_COOKIE so it no longer overlaps with the logout session cookie, removing a potential unintended auto-login
  • Fix double prefix on logout

0.24.2 (2022-01-12)

Bugfixes

  • Remove log of access token altogether.

0.24.1 (2022-01-11)

Bugfixes

  • Remove the signature from the JWT logged in debug mode

0.24.0 (2021-11-22)

Features

  • Possibility to hardcode the channel type via the channelType property in the module configuration. Useful for applications that are specific to a single channel type.

0.23.1 (2021-11-24)

Bugfixes

  • Fixes an issue where server side rendered applications couldn't load popup template, resulting in the app crashing.

0.23.0 (2021-11-24)

Features

  • Handle the embedded login flow by opening the SSO login page in a popup window

0.22.5 (2021-11-23)

Bugfixes

  • Remove the Secure and SameSite attributes from the session cookie.

0.22.4 (2021-11-05)

Bugfixes

  • Fix "401 unauthorized" error displayed when access token is expired but refresh token is valid.

0.22.3 (2021-10-20)

Bugfixes

  • Fix expired session issue if cookie maxAge is shorter than refresh token lifetime

0.22.2 (2021-10-20)

Bugfixes

  • Disallow caching of all endpoints
  • Add the top-level export of sessionMongo back, but load it with require so that TypeScript does not pull in its dependencies for projects not using it.

0.22.1 (2021-10-19)

Bugfixes

  • Remove top level export of sessionMongo to keep its dependencies optional
  • Switch SameSite cookie attribute from strict to lax

0.22.0 (2021-10-19)

Features

  • Both sessionInMemory and sessionMongo now set the SameSite and Secure attributes on the session cookie when the app runs in production mode
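The three cookie-related entries above (Secure and SameSite in production, the switch from strict to lax, and maxAge versus the refresh token lifetime) boil down to a few rules that are easy to get wrong. The checker below is an added example, not code from this library: it takes express-session cookie options (secure, sameSite and maxAge in milliseconds are express-session's own option names) and reports the misconfigurations a practitioner would want flagged. The names lintSessionCookie and recommendedSessionCookie, the SessionContext shape and the finding texts are assumptions for illustration.

```typescript
// Added example, not the library's code: a checker for the express-session
// cookie options that setupSession / sessionInMemory / sessionMongo pass on.
// secure, sameSite and maxAge (milliseconds) are express-session's own option
// names; lintSessionCookie, recommendedSessionCookie and SessionContext are
// assumptions for illustration.

type SameSiteValue = 'strict' | 'lax' | 'none' | boolean | undefined;

interface SessionCookieOptions {
  secure?: boolean | 'auto';
  sameSite?: SameSiteValue;
  maxAge?: number; // milliseconds
}

interface SessionContext {
  production: boolean;             // NODE_ENV === 'production'
  refreshTokenLifetimeMs?: number; // lifetime the IdP grants refresh tokens, if known
  callbackUsesFormPost: boolean;   // response_mode=form_post turns the callback into a cross-site POST
}

function lintSessionCookie(cookie: SessionCookieOptions, ctx: SessionContext): string[] {
  const findings: string[] = [];
  // express-session accepts sameSite: true as a synonym for 'strict'
  const sameSite = cookie.sameSite === true ? 'strict' : cookie.sameSite;

  if (ctx.production && cookie.secure !== true && cookie.secure !== 'auto') {
    findings.push('secure is not set: in production the session cookie must only be sent over HTTPS');
  }
  if (sameSite === 'strict') {
    // Strict cookies are withheld on every cross-site request, including the
    // top-level redirect back from the IdP, so /login/callback cannot find its session.
    findings.push('sameSite=strict breaks the login callback: the cookie is not sent on the redirect back from the IdP');
  }
  if (sameSite === 'none' && cookie.secure !== true) {
    findings.push('sameSite=none requires secure=true, otherwise browsers drop the cookie');
  }
  if (ctx.callbackUsesFormPost && (sameSite === 'lax' || sameSite === undefined || sameSite === false)) {
    // Lax (and the Lax default Chrome applies to a missing attribute) is not sent on a cross-site POST.
    findings.push('form_post callback: lax is not sent on a cross-site POST; use sameSite=none with secure=true');
  }
  if (ctx.refreshTokenLifetimeMs !== undefined && cookie.maxAge !== undefined && cookie.maxAge < ctx.refreshTokenLifetimeMs) {
    findings.push('maxAge is shorter than the refresh token lifetime: the session expires while the refresh token could still renew the access token');
  }
  return findings;
}

// A configuration that passes the checks above for the given context.
function recommendedSessionCookie(ctx: SessionContext): SessionCookieOptions {
  return {
    // 'none' is only honoured with Secure, so form_post needs HTTPS even locally
    secure: ctx.production || ctx.callbackUsesFormPost,
    sameSite: ctx.callbackUsesFormPost ? 'none' : 'lax',
    maxAge: ctx.refreshTokenLifetimeMs,
  };
}
```

The lax-versus-strict finding is the reason 0.22.1 had to move away from strict: the callback request after the IdP redirect is cross-site from the browser's point of view.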

0.21.0 (2021-09-29)

Features

  • New sessionMongo util. It works the same as the previous setupSession, but the store is MongoDB instead of in-memory. To differentiate the two, a new sessionInMemory is also available; to avoid a breaking change, the previous setupSession still calls sessionInMemory under the hood.
// Old and current way (in-memory store)
setupSession(app, 'test-app');

// Alternative way, same behaviour under an explicit name
sessionInMemory(app, 'test-app');

// Use MongoDB as the session store
sessionMongo(app, 'test-app', {
  mongoUrl: 'mongodb://user:password@localhost:27017',
  dbName: 'sample-db',
});

0.20.0 (2021-09-27)

Features

  • Nest 8 compatible

0.19.8 (2021-09-22)

Bugfixes

  • Fix /refresh-token sending no error when called without TokenGuard and with no authenticated user.

0.19.7 (2021-09-15)

Bugfixes

  • Fix TokenGuard error on GraphQL requests
  • Fix tenant-switch so that it actually redirects to the requested tenant

0.19.6 (2021-08-17)

Bugfixes

  • Fix displayed error in createStrategy function

0.19.5 (2021-08-04)

Bugfixes

  • HttpExceptionFilter: output specific attributes of the request

0.19.4 (2021-08-03)

Bugfixes

  • Stringify request in http exception

0.19.3 (2021-08-03)

Bugfixes

Add missing request details in exception logs.

0.19.2 (2021-07-07)

Bugfixes

Fix token refresh call when the access_token is expired.

0.19.1 (2021-06-17)

Bugfixes

Log exceptions caught by HttpExceptionFilter

0.19.0 (2021-05-31)

Bugfixes

Upgrade openid-client to resolve the normalize-url vulnerability (a ReDoS advisory)

0.18.0 (2021-05-13)

Features

Add redirect to a URL after login: /login?redirect_url=[/your-path]
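A redirect_url parameter that is sent back to the browser unchecked is the classic open-redirect vector: a phishing link to the real /login endpoint lands the user, now authenticated, on an attacker's site. This changelog does not say whether the library validates the parameter, so the following is an added example, not the library's code: a check that only lets through paths on the application's own origin. The helper names safeRedirectTarget, postLoginLocation and the fallback path are assumptions for illustration.

```typescript
// Added example, not code from this library: validating redirect_url before
// the post-login redirect so it cannot be turned into an open redirect.
// safeRedirectTarget, postLoginLocation and FALLBACK_PATH are assumed names.

const FALLBACK_PATH = '/';

// Base used only to resolve relative targets; the .invalid TLD is reserved
// and can never be a real host, so nothing else can share this origin.
const LOCAL_BASE = 'http://app.invalid';

function parseAgainstLocalBase(raw: string): URL | null {
  try {
    return new URL(raw, LOCAL_BASE);
  } catch {
    return null; // unparseable input
  }
}

/**
 * Returns a path on the application's own origin, or the fallback.
 * Rejects absolute URLs, protocol-relative URLs ('//evil.example'),
 * backslash variants ('/\evil.example', which browsers normalise to '//'),
 * non-http schemes ('javascript:'), and anything not starting with '/'.
 */
function safeRedirectTarget(raw: string | undefined, fallback = FALLBACK_PATH): string {
  if (typeof raw !== 'string' || !raw.startsWith('/')) return fallback;
  const parsed = parseAgainstLocalBase(raw);
  if (parsed === null) return fallback;
  // '//evil.example' and '/\evil.example' resolve to another host;
  // 'javascript:' and similar resolve to the opaque origin 'null'.
  if (parsed.origin !== LOCAL_BASE) return fallback;
  // Re-serialise from the parsed parts, which also neutralises CR/LF.
  const target = parsed.pathname + parsed.search + parsed.hash;
  if (!target.startsWith('/') || target.startsWith('//')) return fallback;
  return target;
}

// Where it would be used: the Location value for /login?redirect_url=...
function postLoginLocation(query: { redirect_url?: string }): string {
  return safeRedirectTarget(query.redirect_url);
}
```

Comparing the parsed origin rather than pattern-matching the string is what catches the backslash and protocol-relative forms, which a simple "must start with /" test lets through.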

0.17.0 (2021-04-27)

Features

Log a jwt.io URL containing the token when the app is launched with debug log levels. (The signature is stripped from this log in 0.24.1 and the access token log is removed altogether in 0.24.2.)

0.16.2 (2021-04-06)

Bugfixes

Move ssr-pages to an external repository to fix imports

0.16.1 (2021-04-01)

Bugfixes

Fix the published package structure, which prevented modules from being imported correctly

0.16.0 (2021-03-05)

Features

Re-designed error pages via @finastra/ssr-pages

0.15.1 (2021-02-09)

Bugfixes

If token expires without refresh request, throw unauthorized exception.

0.15.0 (2020-12-10)

Features

On multitenant authentication, /login/callback is no longer prefixed. Tenant and channel information are saved in the express session.

0.14.1 (2020-11-17)

Bugfixes

Fix CurrentUser decorator and add coverage

0.14.0 (2020-11-16)

Bugfixes

  • Strong(er) typing (i.e. all functions that return a value are typed)
  • Prefer name to username for the fallback user name mapping
  • Remove the 404 response from the /logout endpoint

Features

  • New user-info related type interfaces
  • Special treatment of the /user endpoint: it is public and returns the userinfo if authenticated, or { isGuest: true } otherwise
  • Add config option for custom mappings of user id and user name: userInfoMapping
  • Add config option for the post-logout redirect URI: postLogoutRedirectUri

0.13.1 (2020-10-15)

Bugfixes

  • Fix access to routes which are not protected by the @isAvailableRouteForMultitenant decorator.

0.13.0 (2020-10-14)

Features

  • Two new endpoints: tenant-switch and tenant-switch-warn. They are used whenever a logged-in user tries to switch to another tenant. tenant-switch-warn displays a warning page to the user, while tenant-switch logs them out of the previous tenant and redirects them to the login page of the new tenant.

Bugfixes

  • Fix @isAvailableRouteForMultitenant(false) not being detected when applied at class level.

0.12.1 (2020-10-14)

Bugfixes

  • TenancyGuard sends back a 421 Misdirected Request if the requested tenantId or channelType differs from the one in the userinfo.
  • Better handling of errors when fetching the issuer in multitenant apps

0.12.0 (2020-10-12)

Features

The /check-token endpoint is removed. Use /refresh-token instead: the token is refreshed if it is expired, otherwise status code 200 is returned.

0.11.2 (2020-09-18)

Bugfixes

tenancy.guard.ts now handles GraphQL context

0.11.1 (2020-09-16)

Bugfixes

  • The @isAvailableRouteForMultitenant decorator can be applied to classes or methods.
  • Fix redirection when there is no tenant and channel in the URL.
  • Fix incoming REST calls carrying a token in the header, for which no login screen is ever prompted.
  • Fix multiple user connections coming from different IDPs.

0.11.0 (2020-08-28)

Features

Enable multitenancy authentication.

0.10.2 (2020-07-24)

Bugfixes

Fix refresh token with single authToken 🤓

0.10.1 (2020-07-23)

Bugfixes

Remove unnecessary master prefix for authTokens.

0.10.0 (2020-07-21)

Features

New endpoints:

  • /check-token : Returns 200 if the token is valid, else returns 401. To request a token refresh when the token is about to expire, add the refresh query parameter: /check-token?refresh=true
  • /refresh-token : Refresh user's token.

New option:

  • idleTime: If the token expiration date on /check-token?refresh=true call is in less than idleTime seconds, the token is refreshed. Default value: 30 seconds.

Compatible with @ffdc/nestjs-proxy 0.3.0 onwards
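The idleTime rule above, together with the later behaviour recorded in 0.15.1 (401 when the token expires without a refresh), 0.19.2 (refresh when the access token is expired) and 0.22.4 (no 401 while the refresh token is still valid), is a small decision table. The code below is an added example, not the library's code, that writes that table out for what /check-token?refresh=true and the later /refresh-token endpoint should do. The TokenSet shape, decideTokenAction and expFromJwt are assumptions for illustration; times are UNIX seconds like the JWT exp claim, and the sample token is constructed inline.

```typescript
// Added example, not the library's code: the refresh decision behind
// /check-token?refresh=true and /refresh-token. TokenSet, decideTokenAction
// and expFromJwt are assumed names; times are UNIX seconds (JWT exp).

type TokenAction = 'ok' | 'refresh' | 'unauthorized';

interface TokenSet {
  accessTokenExp: number;   // exp claim of the access token
  refreshTokenExp?: number; // exp of the refresh token, when the IdP makes it known
}

const DEFAULT_IDLE_TIME = 30; // seconds, the default named in this entry

/**
 * ok           -> access token valid for more than idleTime seconds (200)
 * refresh      -> access token expired or expiring within idleTime, and an
 *                 unexpired refresh token is available (0.22.4: not a 401)
 * unauthorized -> access token expired and nothing can renew it (0.15.1: 401)
 */
function decideTokenAction(tokens: TokenSet, now: number, idleTime = DEFAULT_IDLE_TIME): TokenAction {
  const remaining = tokens.accessTokenExp - now;
  if (remaining > idleTime) return 'ok';
  const refreshUsable = tokens.refreshTokenExp !== undefined && tokens.refreshTokenExp > now;
  if (refreshUsable) return 'refresh';
  // Still valid for a few seconds but nothing to refresh it with: serve it while it lasts.
  return remaining > 0 ? 'ok' : 'unauthorized';
}

// Reads exp from a JWT payload. This only decodes; it does not verify the
// signature. Use it on tokens TokenGuard has already validated, never to
// decide whether a token can be trusted.
function expFromJwt(jwt: string): number | undefined {
  const parts = jwt.split('.');
  if (parts.length !== 3) return undefined;
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const payload = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  return typeof payload.exp === 'number' ? payload.exp : undefined;
}

// Constructed sample token: header and payload are real base64url JSON, the
// third segment is a placeholder, not a signature.
function b64url(s: string): string {
  return Buffer.from(s, 'utf8').toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE_ACCESS_TOKEN =
  b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' +
  b64url(JSON.stringify({ sub: 'user-1', iat: 1700000000, exp: 1700003600 })) + '.' +
  'signature-placeholder';
```

The refresh branch is evaluated before the "still valid" branch on purpose: a token inside the idleTime window should be renewed while a refresh token exists, and only falls through to "serve it anyway" when there is nothing to renew it with.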

0.9.1 (2020-07-16)

Bugfixes

Fix copy of the logged-out page

0.9.0 (2020-07-16)

Features

  • For IDPs that do not expose an end_session_endpoint:
    • Displays a logged-out page
    • Simulates a logout by prompting for login again after logout (thanks to a SESSION_STATE cookie)

0.8.1 (2020-06-23)

Bugfixes

Fix missing authentication against the external identity provider on incoming requests with an Authorization header.

0.8.0 (2020-06-22)

Features

It is possible to authenticate and get tokens from other IDPs during authentication and forward that information in the second parameter of the userInfoCallback function. Check externalIdps in the documentation for more details.

0.7.4 (2020-06-11)

Bugfixes

Fix ability to set session name from setupSession.

0.7.3 (2020-06-10)

Bugfixes

Fix user info callback data not present in user object.

0.7.2 (2020-06-10)

Bugfixes

Fix for userinfo being applied to incoming requests and not only to the login flow.

If userInfoMethod is set to endpoint and the call fails, the sub claim is used as the user's username.

0.7.1 (2020-06-10)

Bugfixes

Userinfo was never awaited and appeared as a Promise.

0.7.0 (2020-06-05)

Features

Previously, incoming requests were not decorated with user information. An interceptor now puts the user object on the request and calls userInfoCallback once the Bearer token of an HTTP request has been validated.

TokenGuard now requires only the reflector parameter:

How to set a global guard BEFORE

main.ts

const issuer = app.get(ConfigService).get('OIDC_ISSUER');
const tokenStore = await getTokenStore(issuer);
const reflector = app.get(Reflector);
app.useGlobalGuards(new TokenGuard(tokenStore, reflector));

How to set a global guard NOW

main.ts

app.useGlobalGuards(app.get(TokenGuard));

0.6.1 (2020-06-03)

Bugfixes

Previously, a wrongly configured issuer, or one that did not respond within the configured timeout, resulted in an opaque error, leaving the user clueless about the issue at hand.
Error handling was improved with a link to the documentation, and the application is terminated, as it is not usable:

[OidcModule] Error accessing the issuer/tokenStore. Check if the url is valid or increase the timeout in the defaultHttpOptions : https://github.com/fusionfabric/finastra-nodejs-libs/blob/develop/libs/oidc/README.md
[OidcModule] Terminating application

0.6.0 (2020-05-27)

Features

  • It is possible to customize the options for all HTTP requests by adding defaultHttpOptions in OidcModuleOptions.
  • A nonce value is generated if the nonce parameter in authParams equals 'true'.
  • userInfoCallback allows you to customize the userInfo method and add more information to the user object. To use it:
OidcModule.forRootAsync({
  useFactory: async (configService: ConfigService) => ({
    issuer: configService.get('OIDC_ISSUER'),
    clientMetadata: {
      client_id: configService.get('OIDC_CLIENT_ID'),
      client_secret: configService.get('OIDC_CLIENT_SECRET'),
    },
    authParams: {
      // openid-client's AuthorizationParameters key is 'scope' (see the doc fix below)
      scope: configService.get('OIDC_SCOPES'),
    },
    origin: configService.get('ORIGIN'),
    // userId is the identifier resolved from the validated token; the returned
    // object is merged into the user object
    userInfoCallback: async userId => {
      return {
        username: userId,
        customUserInfo: 'custom',
      };
    },
  }),
  inject: [ConfigService],
  imports: [ConfigModule],
});

Doc fixes

  • Replace the scopes parameter with scope in the documentation.

0.5.0 (2020-05-19)

Features

  • Module registration was harmonized with the rest of the modules:
OidcModule.forRootAsync({
  useFactory: async (configService: ConfigService) => ({
    issuer: configService.get('OIDC_ISSUER'),
    clientMetadata: {
      client_id: configService.get('OIDC_CLIENT_ID'),
      client_secret: configService.get('OIDC_CLIENT_SECRET'),
    },
    authParams: {
      // openid-client's AuthorizationParameters key is 'scope' (corrected in the 0.6.0 doc fix)
      scope: configService.get('OIDC_SCOPES'),
    },
    origin: configService.get('ORIGIN'),
  }),
  inject: [ConfigService],
  imports: [ConfigModule],
});

If using a class, createOidcOptions was changed to a more generic createModuleConfig.

Bug fixes

  • Fix returned error for unauthenticated requests, return 401 Unauthorized instead of 403 Forbidden

Documentation

  • Add a global description

0.4.0 (2020-05-06)

Features

  • TokenGuard now handles graphQL requests

0.3.1 (2020-05-06)

Bug fixes

  • Fix the default userInfoMethod to be token

0.3.0 (2020-04-30)

Features

  • New endpoint /user that returns user information

0.2.1 (2020-04-30)

Bug fixes

  • Add user groups in req.user.userinfo

0.2.0 (2020-04-23)

Features

  • Configuration is closer to openid-client, which we are using under the hood

Before

interface OidcModuleOptions {
  issuer: string;
  clientId: string;
  clientSecret: string;
  scopes: string;
  redirectUriLogin: string;
  redirectUriLogout: string;
  userInfoMethod?: UserInfoMethod;
  clockTolerance?: number;
  resource?: string;
}

Now

interface OidcModuleOptions {
  issuer: string;
  clientMetadata: ClientMetadata;
  authParams: AuthorizationParameters;
  origin: string;
  usePKCE?: boolean;
  userInfoMethod?: UserInfoMethod;
}

With clientMetadata and authParams coming from the openid-client library.

The redirect URIs for login and logout are now derived from origin.

0.1.2 (2020-04-23)

Bug fixes

  • Add the resource parameter to the oidc config
  • Provide a default value for setupSession instead of requiring SESSION_SECRET as an env variable. The default is only a convenience for local development: a known session secret lets anyone forge session cookies, so set SESSION_SECRET explicitly in production.