SAP-BTP-Spielwiese/app1/node_modules/@sap/approuter/CHANGELOG.md
Markus Rettig 775ac7b58c completed step 3 from the tutorial
you must log in with a BTP account in order to see the app
2024-02-08 16:13:36 +01:00

# Change Log
All notable changes to this project will be documented in this file.
This project adheres to [Semantic Versioning](http://semver.org/).
The format is based on [Keep a Changelog](http://keepachangelog.com/)
## 16.1.0 - 2024-02-04
### Added
- IAS/XSUAA hybrid support for business services
### Fixed
- Root ca corruption when using destination with private link proxy type
- Fix for working with HTML5 repo - regenerate token if needed
- Debug logs for backend requests
- Fixed case sensitivity for headers defined in the xs-app.json file
## 16.0.2 - 2024-01-11
### Updated dependencies
- deps: axios@1.6.5
- deps: @sap/xssec@3.6.1
- deps: @sap/audit-logging@5.8.3
## 16.0.1 - 2024-01-05
### Updated dependencies
- deps: axios@1.6.4
## 16.0.0 - 2023-12-31
### Updated dependencies
- connect.js removed
## 15.0.0 - 2023-12-13
### Added
- Support node version 18 and node version 20 instead of node version 16 and node version 18
### Updated dependencies
- deps: cf-nodejs-logging-support@7.2.0
- deps: e2e-trace@4.1.0
- deps: logging@7.1.0
## 14.4.3 - 2023-12-07
### Fixed
- Path traversal validation - normalize for windows
- Set header with provider/subscriber subdomain only if the tenant_id header is not populated.
### Updated dependencies
- deps: @sap/audit-logging@5.8.2
## 14.4.2 - 2023-11-30
### Updated dependencies
- deps: @sap/xssec@3.6.0
## 14.4.1 - 2023-11-26
### Added
- Path traversal validation
### Updated dependencies
- deps: @sap/audit-logging@5.8.1
## 14.4.0 - 2023-11-19
### Fixed
- Retrieve logs from CLS instead of application log (SAAS approuter)
### Added
- Introduce a new configuration option (ENABLE_FRAME_ANCESTORS_CSP_HEADERS) to include the content security policy (CSP) header using subaccount trusted domains with frame-ancestors policy.
- Forward auth certificates only in case it is configured via HTML5.ForwardAuthCertificates destination property
- Support for the FULL_CERTIFICATE_CHAIN and SKIP_DEFAULT_MTLS_AUTH_CA environment variables removed
- Provider/subscriber subdomain propagation to logs via tenant_id header
### Updated dependencies
- deps: @sap/xssec@3.5.0
- deps: axios@1.6.1
## 14.3.4 - 2023-10-25
### Fixed
- Avoid reading service credentials on approuter startup
- Read Redis tls certificates also from binding credentials ca property
### Updated dependencies
- deps: @sap/xsenv@4.0.0
## 14.3.3 - 2023-10-12
### Fixed
- Crash on cookie name equal to basic object attribute
### Updated dependencies
- deps: @sap/audit-logging@5.7.1
### Added
- Protect from timing attack on state parameter middleware.
- Validate state parameter is valid uuid v4 string.
- Protect against Request Smuggling.
## 14.3.2 - 2023-09-10
### Added
- Clean invalid token from cache when calling service in case of getting 401/403
- Add option (ENABLE_X_FORWARDED_HOST_VALIDATION) to validate x-forwarded-host header as a valid hostname
### Fixed
- Collect logout data also for Direct Routing URI
- Token exchange in html5 repo credentials flow
### Updated dependencies
- deps: @sap/xssec@3.3.4
## 14.3.1 - 2023-08-02
### Added
- Support of using several instances of a Business Service on the same session
## 14.3.0 - 2023-07-30
### Added
- IAS App2App navigation support via IAS dependency destination configuration
## 14.2.1 - 2023-07-23
### Updated dependencies
- deps: tough-cookie@4.1.3
### Added
- Introduce SKIP_DEFAULT_MTLS_AUTH_CA environment to prevent adding Auth certificate to backend call.
### Fixed
- Support mTLS certificate with more than three certificates in the chain.
## 14.2.0 - 2023-07-11
### Added
- Credentials caching support
- No html5 app found (503 response) caching support
### Fixed
- support not case sensitive in dynamicDestination property
- fix redis with Sentinel mode initialization: use 'sentinelPassword' instead of 'password'.
## 14.1.2 - 2023-06-13
### Fixed
- Return content-type in user-api
- JWT refresh token flow with IAS (add app_tid to request)
- In service to approuter flow supports Basic token authorization only with XSUAA credentials
- Subscribed applications API handling
- Return user name from sub claim in user-api in case of IAS login
## 14.1.1 - 2023-03-21
### Fixed
- Connectivity token exchange in WS flow (env. ENABLE_CONNECTIVITY_TOKEN_EXCHANGE_WS)
## 14.1.0 - 2023-03-20
### Added
- Support CSRF token in service2approuter with external session management
### Fixed
- Set dynamic log level without x-subscriber-tenant
- IAS logout after session timeout
- user-api documentation
- Concatenating encrypted session cookies with non-sessions, in the case when both received from a backend
- Backend error handling when statusCode is null
### Updated dependencies
- deps: cookie-parser@1.4.6
## 14.0.0 - 2023-02-09
### Added
- Support node version 16 and node version 18 instead of node version 14 and node version 16
### Updated dependencies
- deps: @sap/logging@^6.2.0
## 13.1.1 - 2023-01-30
### Fixed
- Destination key calculation in headers sending
### Updated dependencies
- deps: @sap/audit-logging@5.6.3
## 13.1.0 - 2023-01-24
### Fixed
- IAS credentials from HTML5 Repo handling
- Use warning log level in handleBackendError
- Debug logs for backend response
### Added
- IAS token sharing support
### Updated dependencies
- deps: @sap/xssec@^3.2.17
- deps: @sap/xsenv@^3.4.0
## 13.0.2 - 2023-01-15
### Fixed
- Fix logout issue, when html5repo returns 503 error approuter still will use logout path from the central xs-app.json
### Updated dependencies
- deps: @sap/xssec@^3.2.15
## 13.0.1 - 2023-01-03
### Fixed
- Correct locating html5 repository runtime service by its label
- When connectivity service is bound to the approuter, load its credentials token in case it expired
- Query parameter in SAP Managed Approuter runtime url
- IAS in single tenant flow
### Updated dependencies
- deps: cf-nodejs-logging-support@^6.14.0
## 13.0.0 - 2022-12-25
### Added
- IAS custom domains support
- Create SMS subscribed application url with subscriber subdomain instead of zoneId -- IAS TenantId
- Certificates forwarding in service2approuter flow
### Fixed
- html5 repo creds performance fix correction
- Destination cache key changed from destination name to destinationId plus destination name in case of instance level destination
- Remove connection specific headers from http2 response
- Scopes retrieval with IAS login in user-api
## 12.0.3 - 2022-12-11
### Fixed
- html5 repo creds performance issues
## 12.0.2 - 2022-12-06
### Fixed
- feature flag to disable html5 repo credentials consumption fix
### Updated dependencies
- deps: query-string@7.1.2
## 12.0.1 - 2022-11-31
### Fixed
- feature flag to disable html5 repo credentials consumption
### Updated dependencies
- deps: @sap/xsenv@3.4.0
## 12.0.0 - 2022-11-13
### Added
- Consume credentials from html5 repo
- Use server ca certificates with Hyperscaler Redis
### Fixed
- HTML5 Repo service name in client credentials token middleware
## 11.6.1 - 2022-11-3
### Fixed
- Type error in websockets flow when url does not contain application key
- Mask 'x-forwarded-client-cert' header
- Send all certificates chain if exist FULL_CERTIFICATE_CHAIN = 'true'
## 11.6.0 - 2022-10-24
### Added
- http2 support
## 11.5.1 - 2022-10-13
### Fixed
- Correct using sap_idp query parameter also in other sessions
- Avoid deleting sap_idp query parameter from the backend url, since there are use cases in which it is needed
## 11.5.0 - 2022-09-18
### Added
- Support of state parameters during authorization
### Updated dependencies
- deps: @sap/passport@0.6.0
## 11.4.1 - 2022-09-11
### Fixed
- Correct a failure with error code 400 during login callback when using dynamic identity provider
- Correct scopes handling when running user-api
- Error handling in password token creation
## 11.4.0 - 2022-09-05
### Added
- Dynamic log level support
- x-approuter-authorization with Basic authentication token
## 11.3.4 - 2022-08-30
### Fixed
- Crash when missing key in backend cookie
## 11.3.3 - 2022-08-25
### Fixed
- preferLocal destination
- Modify url for userInfo, as part of user-api/attributes
## 11.3.2 - 2022-08-04
### Fixed
- Destination token timeout calculation
- UserId deleted from session
- Query parameters with special characters in login callback
## 11.3.1 - 2022-07-28
### Fixed
- Missing destination instance credentials issue
- Avoid token exchange, when the session user is n/a (grant_type=client_credentials)
- Correct null pointer exception uaa missing in subscription-utils
- Dynamic provisioning of identity provider with welcome file
## 11.3.0 - 2022-07-20
### Added
- Support for dynamic provisioning of identity providers
- Support websocket in service2approuter flow
## 11.2.1 - 2022-06-15
### Fixed
- When user-api/attributes fails to get user attributes, it returns the basic user details
## 11.2.0 - 2022-06-14
### Added
- Expose the Redis retry strategy as an application router configuration.
### Fixed
- Support compressing multipart/mixed content type when compressResponseMixedTypeContent is configured in xs-app.json
- Avoid token exchange in case of expired login token
- Correct a null pointer exception issue in user-api-middleware
## 11.1.0 - 2022-06-06
### Added
- Enhance user-api: both endpoints with user scopes, "attributes" endpoint with user attributes (including custom attributes)
- Support TrustAll for Private-link proxy type
### Fixed
- SAML Assertion via Cloud Connector issue
- ARBE cookie: null while working with multiple backends.
## 11.0.1 - 2022-05-15
### Fixed
- ARBE cookie size issue
## 11.0.0 - 2022-05-09
### Added
- Support node version 14 and node version 16 instead of node version 12 and node version 14
### Updated dependencies
- async removed
## 10.15.4 - 2022-05-08
### Fixed
- Instance level destination handling
- Error handling when calling svc2Approuter middleware
### Updated dependencies
- deps: @sap/xssec@3.2.13
- Caret (^) added to: @sap/audit-logging,@sap/e2e-trace,@sap/logging,@sap/xssec,async,node-forge,urijs
## 10.15.3 - 2022-04-26
### Fixed
- Request contains an invalid x-csrf-token
## 10.15.2 - 2022-04-24
### Fixed
- Improve readme documentation
- Token xsrf undefined, when approuter bound to external session storage
### Updated dependencies
- deps: @sap/logging@6.1.1
- deps: async@3.2.3
## 10.15.1 - 2022-04-07
### Updated dependencies
- should-send-same-site-none removed
- request.js removed
- moment removed
- deps: urijs@1.19.11
- deps: @sap/logging@6.1.0
## 10.15.0 - 2022-04-03
### Added
- External session management support in service2approuter flow
- Return auditLog, if has multi-tenant plan oauth2, as a dependency during subscription creation
- Write auditLog error message into subscription tenant, when approuter runs in multi-tenant mode
- Private-link proxy type support
- Error stack in error-handler
### Updated dependencies
- deps: body-parser@1.2.0
### Fixed
- Type error in case of missing app.services
## 10.14.2 - 2022-03-23
### Updated dependencies
- deps: node-forge@1.3.0
## 10.14.1 - 2022-03-23
### Fixed
- Cookie addition in decrypt cookies and check in merge cookies
- Improve destination service resilience in SaaS Approuter
## 10.14.0 - 2022-03-15
### Added
- Auto-Pipeline for ioredis support
### Fixed
- web sockets fixed status code
- IAS logout page redirect
- convert environment variable EXTERNAL_REVERSE_PROXY to boolean type
### Updated dependencies
- bluebird removed
## 10.13.2 - 2022-03-08
### Fixed
- Change log level to info for missing host destination
- Null object error for user property
### Updated dependencies
- deps: urijs@1.19.10
- deps: @sap/audit-logging@5.5.1
- deps: @sap/xsenv@3.2.1
## 10.13.1 - 2022-03-01
### Fixed
- Add check for correlationId header existence in getCorrelationId
## 10.13.0 - 2022-02-27
### Added
- Support multiple zoneIds in same IAS tenant
### Fixed
- Avoid reading uaa property from a null object
- Improve error handling in exchange token
### Updated dependencies
- deps: urijs@1.19.8
- deps: axios@0.26.0
## 10.12.0 - 2022-01-30
### Added
- Replace 'request' module by 'axios'
- Support query params in user-api
### Updated dependencies
- deps: tough-cookie@4.0.0
## 10.11.3 - 2022-01-25
### Updated dependencies
- deps: @sap/audit-logging@5.4.1
- deps: @sap/xssec@3.2.12
## 10.11.2 - 2022-01-13
### Updated dependencies
- deps: scmp@1.0.0
## 10.11.1 - 2022-01-12
### Updated dependencies
- deps: node-forge@1.2.1
## 10.11.0 - 2022-01-11
### Added
- POST method support for logout flows
- New env. variable to skip loading client_credentials tokens on approuter start
- Adding minimumTokenValidity from env variable
### Fixed
- Get uaadomain from subscription manager in case XSUAA is not bound
- Logs reduction - remove stackTrace on error log level
- Websocket try to get status code from message string when statusCode property undefined
- isDynamicRouting read defaultEnv.json file only in development environment
- accessToken references
### Updated dependencies
- deps: node-forge@1.2.0
## 10.10.4 - 2021-12-16
### Fixed
- SameSite cookie property concatenation
## 10.10.3 - 2021-12-13
### Fixed
- Handle bad cookie decryption error
- Fix missing session when token validity too short
- Set client_credentials token by tenant timeout to 5000 ms
- setXForwardedFor remove headers correction
### Added
- Adding serverKeepAlive from env variable to routerConfig
### Updated dependencies
- deps: @sap/audit-logging@5.3.0
- deps: debug@4.3.2
- deps: uuid@8.3.2
- deps: scmp@2.1.0
## 10.10.2 - 2021-12-02
### Fixed
- Adding expiration date on login-callback-provider check
- Increase client_credentials token request timeout to 5000 ms
- Protect accessToken references
### Updated dependencies
- deps: compressible@2.0.18
- deps: sap/xssec@3.2.11
## 10.10.1 - 2021-11-21
### Fixed
- Avoid sending certificates unless the authentication type is client certificate or trusted certificate
## 10.10.0 - 2021-11-18
### Added
- Propagate correlationId to xssec and UAA requests
- Support compression of response content with multipart/mixed content type
### Fixed
- Subscriber destination consumption in public flows
- Samesite attribute in callback login response header
- Support destination trust certificate propagation (format pem)
### Updated dependencies
- deps: sap/xssec@3.2.10
## 10.9.2 - 2021-11-09
### Fixed
- Backend invalid cookies handling
- Add checking for missing xsappConfig file along with xs-app.json on configuration load
### Updated dependencies
- deps: cf-nodejs-logging-support@6.11.0
- deps: validator@13.7.0
## 10.9.1 - 2021-10-28
### Fixed
- Missing HTML5 repo token in cache failure
## 10.9.0 - 2021-10-24
### Added
- Additional cookie logs
- Support client certificate authentication (format p12)
- Change log level to info for backend logs
- IAS token support in service to approuter flow
### Updated dependencies
- deps: sap/xssec@3.2.8
## 10.8.2 - 2021-10-11
### Fixed
- Remove clientsecret validation for mtls
## 10.8.1 - 2021-10-07
### Added
- New audit log SDK support
- Kyma Redis credentials documentation
### Fixed
- Redis credentials handling in Kyma
- X509 client secret validation in uaa schema
### Updated dependencies
- deps: http-proxy-agent@4.0.1
- deps: https-proxy-agent@5.0.0
- deps: @sap/audit-logging@5.1.0
## 10.8.0 - 2021-09-13
### Added
- Propagate destination headers in approuter
### Fixed
- Sessions expiration in Redis
- Connections to Redis on Azure with premium plan
- Same site support for Lax value
- Request url with code parameter will be directed to authentication, in case it is required
- Session handling documentation
- When application name does not adhere to regex, the request will be directed to main routing configuration file
## 10.7.1 - 2021-08-30
### Added
- Skip xs-app.json cache support
- Login with XSUAA certificates
- Mutual Transport Layer Security (mTLS) handling
- Single use token support
## 10.6.1 - 2021-08-03
### Fixed
- Subscription callback requests will be directed to main routing configuration file
- App. config response headers modify additional headers value
## 10.6.0 - 2021-07-28
### Added
- HTML5 Application Repository Tenant Awareness support
### Fixed
- nullifying the Redis client when there's a connection issue with Redis
- Clear interval when calling approuter.close()
## 10.5.1 - 2021-07-25
### Fixed
- Return error immediately when reaches login callback middleware via query parameters
### Updated dependencies
- deps: urijs@1.19.7
## 10.5.0 - 2021-07-14
### Added
- Support of the configuration of the minimal logging level for the cf-nodejs-logging-support library
### Fixed
- Return an error code when calling login callback directly
- Fix for request traces that crash the application router
## 10.4.3 - 2021-07-05
### Fixed
- Display log with tenant ID, also when using direct routing URIs
- Support of session management with redis with multiple nodes plans
## 10.4.2 - 2021-06-13
### Fixed
- Correcting additional bug when Websocket Proxy is crashing if excluding a route by DIRECT_ROUTING_URI_PATTERN
## 10.4.1 - 2021-06-09
### Fixed
- Changing "favico.ico" to "favicon.ico" as a predefined direct routing URI
- Parsing client certificate for non-CF SMS subscription
- Improving logs in path-rewriter, request-handler, service-to-approuter-middleware, oauth2-strategy
- Adding cache-Control header ('no-cache, no-store') to the User API response
- Correcting a bug when Websocket Proxy is crashing if excluding a route by DIRECT_ROUTING_URI_PATTERN
### Updated dependencies
- deps: ws@7.4.6
## 10.4.0 - 2021-05-24
### Added
- External session management support
### Fixed
- Client certificate handling for non-CF SMS subscription
- Expose License
## 10.3.0 - 2021-05-11
### Added
- CLIENT_CERTIFICATE_HEADER_NAME configuration for non CF flows
- Support of SAP statistics for reporting the request performance
- AfterRequestHandler and backendTimeout extension support
### Fixed
- Lazy html5-repo client-credentials token creation in case it could not be created during startup
- Added "login" as a pre-configured direct URI route to prevent unnecessary calls to the HTML5 Application Repository
### Updated dependencies
- deps: cf-nodejs-logging-support@6.7.0
## 10.2.0 - 2021-04-11
### Added
- Support of routing directly to the routing configuration file (xs-app.json) of the application router using the DIRECT_ROUTING_URI_PATTERNS environment variable
- Caching support for destinations from destination service
### Fixed
- Verify cookie when IAS and XSUAA bound
- Websockets pong callback handling
- Empty getDependencies configuration handling in SaaS Registry subscription
- Handle SMS apiURLs in K8S
- Encode redirect logout url parameters in case of xsuaa authentication
## 10.1.0 - 2021-03-21
### Added
- If you are using Identity Authentication (IAS), you can now use subdomains in multitenant URLs
- Identity Authentication (IAS) is fully supported (no longer a Beta feature)
### Fixed
- Destination token exchange when using destinations on instance level
## 10.0.0 - 2021-03-10
### Added
- Support node version 12 and node version 14 instead of node version 10 and node version 12
## 9.4.0 - 2021-03-09
### Added
- Support the consumption of destinations from the provider subaccount via the preferLocal property
- Support of cross-origin resource sharing via the application router configuration file (xs-app.json)
### Fixed
- logout flow while using system plan XSUAA instance
- missing scope in XSUAA token after refresh
### Updated dependencies
- deps: lodash@4.17.21
- deps: @sap/audit-logging@4.2.0
- deps: @sap/logging@6.0.3
## 9.3.0 - 2021-02-24
### Fixed
- user-api consumption from local approuter
- avoid endless loop when calling approuter with /login/callback
### Added
- Service to approuter is not beta anymore, README file changed
### Updated dependencies
- deps: urijs@1.19.6
## 9.2.0 - 2021-02-14
### Added
- Support of custom response headers via the application router configuration file (xs-app.json)
### Fixed
- Verify application key without query parameters
### Updated dependencies
- deps: e2e-trace@3.0.0
- deps: xsenv@3.1.0
## 9.1.0 - 2021-01-21
### Added
- User API
### Fixed
- Connectivity authentication issue in IAS flow
- Initialize server keepAliveTimeout to zero
### Updated dependencies
- deps: @sap/audit-logging@3.2.0
## 9.0.2 - 2021-01-14
### Fixed
- Options handling for extensibility case when html5 repo is bound
- Logout request handling when approuter session times out
- Use "http_header" section of authTokens from the Destination Service response
### Updated dependencies
- deps: urijs@1.19.5
## 9.0.1 - 2020-12-20
### Fixed
- Subprotocol handling in websockets flows
### Updated dependencies
- deps: validator@13.5.2
- deps: @sap/logging@6.0.2
## 9.0.0 - 2020-12-06
### Added
- IAS authentication support
- Forward IAS token to destination
- IAS authentication with XSUAA authorization
- Subscription manager (SMS) support
### Updated dependencies
- deps: base64-url@2.3.3
## 8.6.1 - 2020-11-25
### Fixed
- Wrong application URL protocol returned by onSubscription callback additional fix
## 8.6.0 - 2020-11-19
### Fixed
- Wrong application URL protocol returned by onSubscription callback
## 8.5.5 - 2020-10-21
### Fixed
- Destination middleware improvement
## 8.5.4 - 2020-10-14
### Fixed
- Fix invalid backend response handling
## 8.5.3 - 2020-10-06
### Fixed
- Do not forward SAP-Connectivity-Authentication header in onPremise flows if destination authentication type is NoAuthentication
## 8.5.2 - 2020-09-21
### Fixed
- Handle SameSite:None value in client side cookies (signature, locationAfterLogin and fragmentAfterLogin)
## 8.5.1 - 2020-08-25
### Updated dependencies
- deps: lodash@4.17.20
- deps: sap/logging@5.3.1
- deps: cf-nodejs-logging-support@6.4.3
### Fixed
- Avoid crash if user provided service without credentials
- Don't forward auth token to connectivity in service2approuter flow if destination.forwardToken = false
## 8.5.0 - 2020-08-10
### Updated dependencies
- deps: @sap/audit-logging@3.1.1
- deps: request@2.88.2
- deps: @sap/xssec@3.0.9
- deps: lodash@4.17.19
- deps: ws@7.3.1
### Fixed
- Pass tenant id in service to approuter audit log message
## 8.4.1 - 2020-08-02
### Fixed
- Fix token exchange for Business Service access
## 8.4.0 - 2020-08-02
### Added
- Support merge of approuter and backend content-security-policy headers
- Support cookie merge in service2Approuter flow
### Fixed
- Handle undefined user in refresh token flow
## 8.3.1 - 2020-07-26
### Fixed
- Upgrade xssec version to 3.0.7 - fix big tokens exchange error
## 8.3.0 - 2020-07-23
### Fixed
- Fix missing subdomain in exchange token
## 8.2.2 - 2020-07-15
### Fixed
- Adapt to changes in @sap/xssec-3.0.6 - replace secContext private subdomain property by getSubdomain method
- Fix websocket pong behavior when status is not open
## 8.2.1 - 2020-07-09
### Fixed
- SAP Passport header handling fixed in service 2 approuter flow
## 8.2.0 - 2020-07-02
### Fixed
- Passport handling fix in service 2 approuter flow increment counter
### Updated dependencies
- deps: sap/xssec@3.0.6
## 8.1.1 - 2020-06-24
### Announcement
- The Preserve URL fragment (PRESERVE_FRAGMENT) will not be deprecated as previously announced.
### Fixed
- Bug correction in forwardAuthToken in business service flow
## 8.1.0 - 2020-06-14
### Added
- Added fallback mechanism for html5 repo client_credentials token refresh
- Security improvement for signature verifying during login
### Fixed
- Bug fix when calling connectivity in a non-authenticated flow (no login in approuter)
## 8.0.0 - 2020-05-26
### Updated dependencies
- deps: @sap/xssec@3.0.3
### Removed
- Removal of SAP_JWT_TRUST_ACL environment variable support (functionality now comes with audience validation)
## 7.1.3 - 2020-05-17
### Added
- Enhancement of the x-approuter-authorization token security check in the service2Approuter flow.
## 7.1.2 - 2020-05-08
### Fixed
- Fix appurl usage of x-subscriber-tenant
## 7.1.1 - 2020-05-05
### Added
- Cache improvements
- Usage of x-subscriber-tenant header when provided.
- handle html5 repo and xsuaa destinations separately
### Fixed
- Fix connectivity token handling for Kubernetes
## 7.1.0 - 2020-04-16
### Added
- Enable service logout configuration in central xs-app.json.
### Fixed
- Destination token cached in session is never refreshed.
## 7.0.0 - 2020-04-06
### Added
- Support node version 10 and node version 12 instead of node version 8 and node version 10
## 6.8.2 - 2020-03-04
### Fixed
- Fix extension of resolveUaaConfig
## 6.8.1 - 2020-02-20
### Fixed
- Fix default route
## 6.8.0 - 2020-02-10
### Added
- Enable external session manager extensibility when using HTML5 Repository
## 6.7.2 - 2020-01-30
### Added
- Support SameSite cookie attribute
### Updated dependencies
- deps: express-session@1.17.0
- deps: @sap/logging@5.2.0
## 6.7.1 - 2019-12-24
### Added
- Backend cookies secret variable (BACKEND_COOKIES_SECRET) Secret that is used to encrypt backend session cookies in service to Application Router flow. Should be set in case multiple instances of Application Router are used. By default a random sequence of characters is used.
## 6.7.0 - 2019-11-24
### Added
- Enhance the use of the xsenv@2.1.0 library to access bound destination service credentials, which support reading destination service credentials in Kubernetes.
### Fixed
- Anonymous login on destination flow
## 6.6.0 - 2019-11-12
### Announcement
- The Preserve URL fragment (PRESERVE_FRAGMENT) is being deprecated and will be removed in the near future
### Updated dependencies
- deps: sap/xsenv@2.1.0 Application Router uses xsenv library to access bound services credentials. We have upgraded the library to xsenv version 2.1.0 which supports reading credentials in Kubernetes.
- deps: https-proxy-agent@2.2.4
## 6.5.1 - 2019-10-10
### Fixed
- Adding sec-websocket-protocol header as the protocol of websockets
## 6.5.0 - 2019-10-03
### Added
- Timeout for Business Service
### Fixed
- Adding destination token middleware for websockets
## 6.4.1 - 2019-09-23
### Fixed
- CSP header fix return frame-ancestors in login
## 6.4.0 - 2019-09-16
### Added
- Allowed dynamic destinations
- Return CSP header with no cache
- Added setXForwardedHeaders option
## 6.3.0 - 2019-09-10
### Added
- Support Cache-Control for static content from html5-repo
## 6.2.0 - 2019-09-03
### Added
- Support Subscription url from vcap.
- Adding validation - Session created for one tenant must not be used by other tenants
### Updated dependencies
- deps: @sap/xssec@2.2.2
## 6.1.2 - 2019-08-28
- Support Xsuaa credentials in request body
## 6.1.1 - 2019-08-27
- Fix in destination middleware - session.update
## 6.1.0 - 2019-07-31
### Added
- Support for redirection to logout page with query parameters after central logout
- Connectivity is now returned in subscription getDependencies callback
### Fixed
- Error when processing unknown authentication types
## 6.0.2 - 2019-07-14
### Fixed
- Validation of destination with OnPremise proxyType
- CSRF protection in Service to Approuter flow
### Updated dependencies
- deps: lodash@4.17.13
## 6.0.1 - 2019-05-30
### Fixed
- Fixed TypeError bug when Approuter saves a cookie from backend and should logout when session timeout exceeded.
- Fixed calculation of location after login.
## 6.0.0 - 2019-05-06
### Added
- Support node version 8 and node version 10 instead of node version 4.5 and node version 6
## 5.15.0 - 2019-04-29
### Added
- Support for Service to Application Router functionality (Beta version).
- Added destination in host support.
## 5.14.1 - 2019-04-17
### Added
- Enhanced Approuter application logs when serving static content (from HTML5 App Repo) fails.
### Fixed
- Fixed subscription callbacks url.
## 5.14.0 - 2019-04-04
### Added
- Websockets support for HTML5 Application Repository.
### Fixed
- onSubscription callback.
## 5.13.1 - 2019-03-27
### Added
- Added automatic recovery of Approuter after recovery of UAA.
### Fixed
- Fixed subscription callbacks url.
- Fixed avoid central appConfig routes overrides.
### Updated dependencies
- deps: @sap/xssec@2.1.16
## 5.13.0 - 2019-02-14
### Added
- Ability to define identity provider for authentication in the route.
## 5.12.0 - 2019-02-05
### Added
- Dynamic destination support.
## 5.11.0 - 2019-01-22
### Added
- Client credentials token support.
## 5.10.2 - 2019-01-08
### Fixed
- Fix proxy issue in Connectivity flow.
## 5.10.1 - 2019-01-03
### Fixed
- Fixed flow of access destination via destination service.
## 5.10.0 - 2018-12-30
### Added
- Propagation of approuter host during logout.
## 5.9.0 - 2018-12-18
### Added
- Ability to change destination without restarting application on CF
- Access destination that is exposed on destination service instance level.
- Enabled all authentication types defined in the destination service.
## 5.8.0 - 2018-10-27
### Fixed
- Fix login flow for URLs with empty query (URL that ends with '?').
### Added
- Documentation of integration with HTML5 Apps Repo.
### Updated dependencies
- deps: ws@1.1.5
- deps: lodash@4.17.11
- deps: @sap/logging@4.0.2
## 5.7.0 - 2018-10-08
### Added
- Propagate client id to UAA during Logout
## 5.6.4 - 2018-08-27
### Updated dependencies
- deps: @sap/audit-logging@2.2.4
- deps: sync-request@5.0.0
### Fixed
- Duplicate destination names in xs-app.json bug
## 5.6.3 - 2018-08-15
### Updated dependencies
- deps: e2e-trace@1.3.0
- deps: xssec@2.1.15
- deps: request@2.88.0
### Fixed
- Fix bug of post/put requests with content/type=application/json
## 5.6.2 - 2018-08-09
### Updated dependencies
- deps: serve-static@1.13.2
- deps: send@0.16.1
- deps: mime@1.4.1
- deps: debug@2.6.9
### Fixed
- Fix error in case of local destination and UAA with tenant mode shared
## 5.6.1 - 2018-08-07
### Updated dependencies
- deps: body-parser@1.18.3
- deps: uid-safe@2.1.5
- deps: @sap/xssec@2.1.9
- deps: send@0.16.2
- deps: compression@1.7.3
- deps: express-session@1.15.6
- deps: connect@3.6.5
## 5.6.0 - 2018-08-05
### Added
- Added SaaS application registration support (subscription)
- Enhanced usage of PreserveHostHeader additional property
### Fixed
- Fix error handling in case of bad signature
## 5.5.0 - 2018-07-19
### Added
- Added optional additional properties 'PreserveHostHeader' to Destination service
- Added optional additional properties 'sap-client' to Destination service
## 5.4.2 - 2018-07-04
### Fixed
- Fix refresh page location after timeout bug
- Fix fragment cookie name bug
- Fix vulnerabilities issues
## 5.4.1 - 2018-06-25
### Fixed
- Fix logout bug
## 5.4.0 - 2018-06-10
### Added
- Support extensibility of logout end-point
### Fixed
- Fix vulnerabilities issues
## 5.3.0 - 2018-05-13
### Added
- Enable extended session management
- Enable Correlation ID propagation
## 5.2.1 - 2018-05-02
### Added
- Support audit log service
## 5.2.0 - 2018-04-16
### Added
- Support routing to destination with authentication type OAuth2SAMLBearerAssertion
### Fixed
- Fix bug in forwarding an undefined token
## 5.1.0 - 2018-03-14
### Added
- Support destination configuration from destination service
### Fixed
- Fix bug in trace functionality
- Fix bug in fragment functionality
## 5.0.0 - 2018-01-29
### Fixed
- Minor fix in destinations handling in Extension flow.
- Fix fragment handling in URL during Login flow.
## 4.0.1 - 2018-01-01
### Fixed
- Minor fixes in CORS.
## 4.0.0 - 2017-12-18
### Added
- Application router can consume content from the HTML5 application repository.
### Fixed
- Fix in headers handling when using CF destination and onPremise destination in same xs-app.json.
- Minor fix in CORS.
## 3.0.1 - 2017-10-08
### Removed
- Node 0.12 support.
## 2.10.0 - 2017-07-30
### Added
- Enabled connectivity to on premise backend.
- Added external reverse proxy support.
### Fixed
- Fix CSRF token generation to use a Secure Random number generator.
## 2.9.1 - 2017-06-29
### Fixed
- Minor fixes in CORS.
- Introduce CORS feature in README.md.
## 2.9.0 - 2017-06-27
### Added
- Support for CORS functionality.
## 2.8.2 - 2017-06-13
### Fixed
- Fix cancel request.
- Fix logout in dynamic routing.
## 2.8.1 - 2017-06-01
### Fixed
- Fixes in documentation of dynamic routing and troubleshooting section.
- Fix logout when using websocket.
## 2.8.0 - 2017-04-26
### Added
- Introduce table of contents in README.md.
- Added JWT refresh in websocket connections.
- Significant performance improvements via adopting @sap/logging version 3
## 2.7.1 - 2017-03-20
### Fixed
- Add username to logs.
- Minor fixes in websockets and session handling.
## 2.7.0 - 2017-02-13
### Added
- Replacements from services.
- Start approuter on https
- Show warning when a route is explicitly both public and csrf protected.
### Fixed
- Should not escape client cookies.
- Redirect to welcome page if the request is not a CSRF token fetch request.
- Wrong basic authentication status codes.
## 2.6.1 - 2017-01-25
### Changed
- Rename package to use @sap scope
## 2.6.0 - 2017-01-25
### Added
- `REQUEST_TRACE` environment variable for enhanced request tracing.
- Support for PATCH in router configuration.
- New extensions - see extending.md.
### Removed
- Customizable UAA config resolution.
### Fixed
- Fixes in documentation.
- Handling of request protocol.
- Removed npm 2 restriction.
## 2.5.0 - 2016-12-13
### Added
- Enable customizable UAA config resolution
- Support for custom error pages (errorPage in xs-app.json)
- Extend sizing guide
### Fixed
- Crash in error handler due to missing logger.
- Does not cache login responses.
- Does not log UAA missing when not needed.
- In case of parallel logins Approuter may use wrong user.
- Does not send basic credentials to backend, unless route is public.
## 2.4.0 - 2016-11-16
### Added
- Introduce SECURE_SESSION_COOKIE environment variable - enforces the secure flag of application router's session cookie.
- Additional checks for regular expressions during startup.
### Changed
- Previous component name in sap passport has been changed to 'XSA Approuter'.
### Fixed
- Missing logging context in error handler when using extensions.
## 2.3.4 - 2016-11-04
### Fixed
- The _x-csrf-token_ header is no longer forwarded to backend in case a path requires authentication and CSRF token protection.
- Set the _Secure_ flag of the session cookie depending on the environment application router runs in.
- Some of the links in README.md were broken.
## 2.3.3 - 2016-11-02
### Added
- Add COMPRESSION env var to be able to configure compression.
### Fixed
- Do not cache wsAllowedOrigins across requests.
- Favor UAA config from default-env.json over default-services.json.
- Extend error message for proxy settings problem.
- Enable compression by default when custom setting is provided.
- Propagate errors to handler.
- Avoid session resave at the end of request. Fix session overwrite.
## 2.3.2 - 2016-09-30
### Fixed
- Cookie locationAfterLogin clash in port based routing.
## 2.3.1 - 2016-09-28
### Fixed
- Unverified redirect via locationAfterLogin cookie.
- Fallback to default UAA if no tenant captured.
- Fix X-Frame-Options header overwriting.
- Session cookie name - use application_id instead of instance_id.
- Fix port validation for approuter.start().
## 2.3.0 - 2016-09-02
### Added
- Multitenancy support.
- Matching route by both URL path and HTTP method.
### Fixed
- Fixed race condition while CSRF token generation.
## 2.2.0 - 2016-08-17
### Added
- Start approuter with xs-app.json passed as an object.
- Follow symlinks in localDir config.
- Document the Content-Security-Policy header as a best practice.
## 2.1.3 - 2016-08-13
### Added
- Generate CSRF token once per session.
## 2.1.2 - 2016-08-06
### Fixed
- Remove instance cookies from client request.
- Fix locationAfterLogin cookie path.
## 2.1.1 - 2016-07-24
### Fixed
- Support to host welcome page externally.
- Fix logout path matching.
- Fix 500 sent in case locationAfterLogin cookie is missing.
## 2.1.0 - 2016-07-17
### Added
- Allow source of route to be matched in case-insensitive way.
- New configuration for maximum client connection timeout.
- Add support for approuter extensions (custom middleware).
- Allow fetching CSRF token with HEAD request.
## 2.0.0 - 2016-05-12
### Added
- Configuration for the Cache-Control header in xs-app.json. The header is used when serving static resources.
### Removed
- local-* files (e.g. local-destinations, local-plugins) can no longer be used in the approuter during local development. Instead of these the approuter reads a single file located in the working directory (default-env.json), which contains the corresponding environment variables (e.g. destinations, plugins) and their values.