SAP-BTP-Spielwiese/app1/node_modules/@sap/xssec/CHANGELOG.md
Markus Rettig 775ac7b58c completed step 3 from the tutorial
you must log in with a BTP account in order to see the app
2024-02-08 16:13:36 +01:00

Change Log

All notable changes to this project will be documented in this file.

3.6.1 - 2023-12-21

  • better support for older node versions

3.6.0 - 2023-11-24

  • adapt optimized IAS server API

3.5.0 - 2023-11-14

  • update dependencies (e.g. axios 0 -> 1)

3.4.0 - 2023-10-23

  • add optional x5t validation (RFC 8705) for IAS tokens
  • Restore support for disableCache flag for JWKS retrieval
  • Bugfix for requests to XSUAA with array values inside form

3.3.5 - 2023-09-28

  • Support for app2service and app2app for IAS

3.3.4 - 2023-09-06

  • Fix IAS token exchange with X509 binding

3.3.3 - 2023-08-08

  • Send either both x-app_tid & x-client_id headers or none of them to IAS /certs endpoint to prevent bad request

3.3.2 - 2023-07-28

  • restore backward-compatibility feature: use the cleanUpPemKey function on verification keys to support PEM keys with missing line breaks
  • restore backward-compatible behaviour: use verificationKey as fallback if the KID is not found in the JWKS, but throw an error about the missing KID if that fails too
  • fix error handling for the cert endpoint

3.3.0 - 2023-07-24

  • add app_tid to the form for token exchanges
  • support for "x-app_tid" and "x-client-id" header for IAS cert endpoint
  • bugfix for unknown variable in new cache implementation

3.2.18 - 2023-07-13

  • Replaced the keycache implementation with a new JwksReplica implementation: when a JWKS is used for validation, the library checks whether the cached replica will expire soon (default refresh period: 15 min before expiration). If so, it is refreshed in the background while the cached replica is still used for validation until it has fully expired (default expiration time: 30 min since the last refresh). Validation of incoming requests is only blocked by an expired JWKS if it could not be refreshed during the refresh period. Only one refresh call at a time is performed.
  • Add support for the resource attribute in token flow/token exchange calls

3.2.17 - 2023-01-09

  • obfuscate credentials in debug output, when xssec:request debug variable is set

3.2.15 - 2023-01-09

  • hotfix: upgrade to the newest jsonwebtoken version (^9.0.0) because of security issues reported against older versions; the library itself was never affected by them

3.2.14 - 2022-10-11

  • allow IAS issuer without https protocol prefix
  • fix for additionalAttributes
  • allow setting timeout without having credentials object provided

3.2.13 - 2022-02-15

  • hotfix in the keycache implementation for the case where the cache is turned off
  • upgrade to newer axios library

3.2.12 - 2022-01-19

  • add support for UAA system plan
  • upgrade to newer axios library

3.2.11 - 2021-11-30

  • add support for a timeout setting for all requests calls
  • support for password token flow in requests module
  • support for setting scopes for all requests to XSUAA

3.2.10 - 2021-11-02

  • fix correlationID header names to "x-vcap-request-id" or "x-correlationid"

3.2.9 - 2021-10-22

  • custom domain support for IAS
  • support for the "x-correlation-id" header to be set for createSecurityContext and token exchange calls
  • support to turn off the internal cache for a createSecurityContext call

3.2.8 - 2021-10-18

  • add additional getter for user properties on XSUAA context
  • remove dead and unneeded code for IAS context
  • fix token flows in requests if subdomain is provided using certificate

3.2.7 - 2021-09-15

  • replace got with axios library because of a bug in got lib during https get

3.2.5 - 2021-09-07

  • fix to be backward-compatible for tokenFlow-APIs

3.2.4 - 2021-09-03

  • fix an issue with IAS multitenancy support
  • replace the deprecated request library with the got library

3.2.3 - 2021-08-23

  • add checkFollowingInstanceScope to SecurityContext to retrieve an instance-specific scope without needing to build the scope string yourself
  • fix a reference error in key verification
  • support for multitenant IAS applications using the 'x-zone_uuid' header in the JWKS call

3.2.2 - 2021-06-16

  • Support for tokenexchanges with X.509 certificates managed by XSUAA
  • Support for tokenexchanges with manually managed X.509 certificates
  • support for configuration objects that do not provide a client secret (but a certificate)

3.2.1 - 2021-06-01

  • Add some more error and tracing information

3.2.0 - 2021-04-20

3.1.2 - 2021-03-01

  • Feature: Support for IAS to XSUAA token exchange (more details)
  • Feature: Support for ZoneID enabled token flows (more details)

3.1.1 - 2021-02-11

  • Bugfix: token exchange with additional attributes could result in a wrongly formatted URL
  • Feature: the passport middleware allows providing scopes to be validated at authentication time. Details here

3.1.0 - 2021-02-10

  • Support for multiple configurations for one security context (more details here)
  • Bugfix: support for additional attributes in token exchange
  • Bugfix: authorization now in payload for better XSUAA support
  • correct support for azp (clientid) in token payload
  • method to identify an XSUAA token

3.0.10 - 2021-10-01

  • The requests to the XSUAA are now available using the requests module also if you do not have a securityContext

3.0.9 - 2020-08-06

  • Set request library to version 2.88.2 because of security vulnerability

3.0.8 - 2020-08-06

  • Increase the timeout for the jwt-bearer token flow to reduce timeouts with very large tokens.

3.0.7 - 2020-07-24

  • Move the token to the request body for the jwt-bearer token flow, because of problems with very large tokens

3.0.6 - 2020-07-01

  • Audience validation succeeds when the derived client_id of a broker-clone token matches the trusted client. This is relevant to support tokens of grant type user_token that contain no scopes.

3.0.5 - 2020-06-26

  • Audience validation accepts tokens of grant type user_token that do not provide an aud claim. In that case the audiences are derived from the scopes.
  • Audience validation is skipped when the cid of the token matches the trusted client.
  • Use the getSubaccountId() method only to fetch the subaccount id, e.g. for calling the metering API for user-based pricing.
  • If you are interested in the customer's tenant GUID, use the getZoneId() method instead!
  • A new TokenInfo class is introduced for better logging capabilities.

3.0.3 - 2020-05-25

  • Fix jwt-bearer flow to take the right token as uri parameter.

3.0.2 - 2020-05-20

  • Fix get verification key from keycache.

3.0.1 - 2020-05-19

  • HotFix missing debugTrace in verification key
  • Fix RetryStrategy

3.0.0 - 2020-05-15

  • Replace grant type user_token in method requestToken (TYPE_USER_TOKEN) in favor of urn:ietf:params:oauth:grant-type:jwt-bearer
  • Remove obsolete method getToken (use getHdbToken or getAppToken)
  • Remove obsolete method requestTokenForClient (use requestToken)
  • Remove obsolete method getIdentityZone (use getZoneId() instead, or getSubaccountId() for metering purposes)
  • Support for audience validation in token
  • remove support for the SAP_JWT_TRUST_ACL environment variable (the functionality now comes with audience validation); see also here.
  • remove dependency on node-jwt (Alpine support)
  • restructure internal code for better maintainability

2.2.5 - 2020-02-28

  • Update to node-jwt version 1.6.6

2.2.4 - 2019-08-14

  • Support for API methods getUserName and getUniquePrincipalName

2.2.3 - 2019-08-07

  • Add retry for receiving keys

2.2.2 - 2019-06-24

  • Use verification key from binding as backup if online key retrieval fails

2.2.1 - 2019-06-17

  • Fix uaaDomain comparison in key cache

2.2.0 - 2019-06-17

  • Align key cache implementation with other container security libraries

2.1.17 - 2019-05-17

  • Introduce http timeout of two seconds
  • Update version of module debug, lru-cache and @sap/xsenv
  • Fix token verification for broker master instance subscriptions

2.1.16 - 2019-01-28

  • Fix token parser: switch ASCII to Utf8 decode

2.1.15 - 2018-08-13

  • Update version of module request

2.1.14 - 2018-07-24

  • Evaluate SAP_JWT_TRUST_ACL if trustedclientidsuffix is present but not matching

2.1.13 - 2018-07-18

  • Update version of module request

2.1.12 - 2018-06-01

  • Support for API methods getSubaccountId and getOrigin
  • Mark API method getIdentityZone as deprecated

2.1.11 - 2018-05-18

  • Update version of module request

2.1.10 - 2018-04-20

  • Fixes for keycache

2.1.9 - 2018-04-18

  • Update version of module @sap/node-jwt (1.4.8)
  • Fixes for keycache
  • Update version of module request

2.1.8 - 2018-03-14

  • Support for API method getAppToken

2.1.7 - 2018-03-05

  • Support for API method requestToken

2.1.6 - 2018-02-19

  • Update version of module @sap/node-jwt

2.1.5 - 2018-02-07

  • Update version of module request

2.1.4 - 2017-12-04

  • Support new JWT structure (attribute location ext_cxt)
  • First implementation for keycache

2.1.3 - 2017-11-29

  • Support for API method getClientId

2.1.2 - 2017-10-23

  • Support for API method getSubdomain

2.1.1 - 2017-10-09

  • Update version of modules @sap/node-jwt, @sap/xsenv and debug

2.1.0 - 2017-07-06

  • Support for API method requestTokenForClient
  • Update version of module @sap/node-jwt

2.0.0 - 2017-06-26

  • Removal of deprecated constructor method createSecurityContextCc
  • Removal of API method getUserInfo

1.3.0 - 2017-06-23

  • Revert removal of API method getUserInfo

1.2.0 - 2017-06-22

  • Support for API methods getLogonName, getGivenName, getFamilyName, getEmail
  • Removal of API method getUserInfo
  • Fix identity zone validation (only relevant for tenants created with SAP Cloud Cockpit)

1.1.1 - 2017-05-30

  • Update version of dependent modules

1.1.0 - 2017-05-22

  • Mark API method createSecurityContextCC as deprecated

1.0.4 - 2017-05-17

  • Support for validation of XSUAA broker plan tokens
  • Support for API methods getCloneServiceInstanceId and getAdditionalAuthAttribute
  • Support for validation of XSUAA application plan tokens in arbitrary identity zones

1.0.3 - 2017-03-29

  • Update version of dependent modules

1.0.2 - 2017-02-22

  • Support for validation of SAML Bearer tokens

1.0.1 - 2017-02-02

  • Support for client credentials tokens in JWT strategy

1.0.0 - 2017-01-25

  • Introduction of scoping; module name changed to @sap/xssec