# Change Log

All notable changes to this project will be documented in this file.

This project adheres to [Semantic Versioning](http://semver.org/).

The format is based on [Keep a Changelog](http://keepachangelog.com/)

## 16.1.0 - 2024-02-04

### Added
- IAS/XSUAA hybrid support for business services

### Fixed
- Root ca corruption when using destination with private link proxy type
- Fix for working with HTML5 repo - regenerate token if needed
- Debug logs for backend requests
- Fixed case sensitivity for headers defined in the xs-app.json file

## 16.0.2 - 2024-01-11

### Updated dependencies
- deps: axios@1.6.5
- deps: @sap/xssec@3.6.1
- deps: @sap/audit-logging@5.8.3

## 16.0.1 - 2024-01-05

### Updated dependencies
- deps: axios@1.6.4

## 16.0.0 - 2023-12-31

### Updated dependencies
- connect.js removed

## 15.0.0 - 2023-12-13

### Added
- Support node version 18 and node version 20 instead of node version 16 and node version 18

### Updated dependencies
- deps: cf-nodejs-logging-support@7.2.0
- deps: e2e-trace@4.1.0
- deps: logging@7.1.0

## 14.4.3 - 2023-12-07

### Fixed
- Path traversal validation - normalize for Windows
- Set the tenant_id header with the provider/subscriber subdomain only if the header is not already populated.

### Updated dependencies
- deps: @sap/audit-logging@5.8.2

## 14.4.2 - 2023-11-30

### Updated dependencies
- deps: @sap/xssec@3.6.0

## 14.4.1 - 2023-11-26

### Added
- Path traversal validation

### Updated dependencies
- deps: @sap/audit-logging@5.8.1

## 14.4.0 - 2023-11-19

### Fixed
- Retrieve logs from CLS instead of application log (SAAS approuter)

### Added
- Introduce a new configuration option (ENABLE_FRAME_ANCESTORS_CSP_HEADERS) to include the content security policy (CSP) header using subaccount trusted domains with frame-ancestors policy.
- Forward auth certificates only in case it is configured via HTML5.ForwardAuthCertificates destination property
- FULL_CERTIFICATE_CHAIN and SKIP_DEFAULT_MTLS_AUTH_CA env. variables support removed
- Provider/subscriber subdomain propagation to logs via tenant_id header

### Updated dependencies
- deps: @sap/xssec@3.5.0
- deps: axios@1.6.1

## 14.3.4 - 2023-10-25

### Fixed
- Avoid reading service credentials on approuter startup
- Read Redis tls certificates also from binding credentials ca property

### Updated dependencies
- deps: @sap/xsenv@4.0.0

## 14.3.3 - 2023-10-12

### Fixed
- Crash on cookie name equal to basic object attribute

### Updated dependencies
- deps: @sap/audit-logging@5.7.1

### Added
- Protect from timing attack on state parameter middleware.
- Validate state parameter is valid uuid v4 string.
- Protect against Request Smuggling.

## 14.3.2 - 2023-09-10

### Added
- Clean invalid token from cache when calling service in case of getting 401/403
- Add option (ENABLE_X_FORWARDED_HOST_VALIDATION) to validate x-forwarded-host header as a valid hostname

### Fixed
- Collect logout data also for Direct Routing URI
- Token exchange in html5 repo credentials flow

### Updated dependencies
- deps: @sap/xssec@3.3.4

## 14.3.1 - 2023-08-02

### Added
- Support of using several instances of a Business Service on the same session

## 14.3.0 - 2023-07-30

### Added
- IAS App2App navigation support via IAS dependency destination configuration

## 14.2.1 - 2023-07-23

### Updated dependencies
- deps: tough-cookie@4.1.3

### Added
- Introduce SKIP_DEFAULT_MTLS_AUTH_CA environment variable to prevent adding Auth certificate to backend call.

### Fixed
- Support mTLS certificate with more than three certificates in the chain.

## 14.2.0 - 2023-07-11

### Added
- Credentials caching support
- No html5 app found (503 response) caching support

### Fixed
- Support case insensitivity in dynamicDestination property
- Fix redis with Sentinel mode initialization: use 'sentinelPassword' instead of 'password'.

## 14.1.2 - 2023-06-13

### Fixed
- Return content-type in user-api
- JWT refresh token flow with IAS (add app_tid to request)
- Service to approuter flow supports Basic token authorization only with XSUAA credentials
- Subscribed applications API handling
- Return user name from sub claim in user-api in case of IAS login

## 14.1.1 - 2023-03-21

### Fixed
- Connectivity token exchange in WS flow (env. ENABLE_CONNECTIVITY_TOKEN_EXCHANGE_WS)

## 14.1.0 - 2023-03-20

### Added
- Support CSRF token in service2approuter with external session management

### Fixed
- Set dynamic log level without x-subscriber-tenant
- IAS logout after session timeout
- user-api documentation
- Concatenating encrypted session cookies with non-session cookies when both are received from a backend
- Backend error handling when statusCode is null

### Updated dependencies
- deps: cookie-parser@1.4.6

## 14.0.0 - 2023-02-09

### Added
- Support node version 16 and node version 18 instead of node version 14 and node version 16

### Updated dependencies
- deps: @sap/logging@^6.2.0

## 13.1.1 - 2023-01-30

### Fixed
- Destination key calculation in headers sending

### Updated dependencies
- deps: @sap/audit-logging@5.6.3

## 13.1.0 - 2023-01-24

### Fixed
- IAS credentials from HTML5 Repo handling
- Use warning log level in handleBackendError
- Debug logs for backend response

### Added
- IAS token sharing support

### Updated dependencies
- deps: @sap/xssec@^3.2.17
- deps: @sap/xsenv@^3.4.0

## 13.0.2 - 2023-01-15

### Fixed
- Fix logout issue: when html5repo returns a 503 error, approuter will still use the logout path from the central xs-app.json

### Updated dependencies
- deps: @sap/xssec@^3.2.15

## 13.0.1 - 2023-01-03

### Fixed
- Correct locating html5 repository runtime service by its label
- When connectivity service is bound to the approuter, load its credentials token in case it expired
- Query parameter in SAP Managed Approuter runtime url
- IAS in single tenant flow

### Updated dependencies
- deps: cf-nodejs-logging-support@^6.14.0

## 13.0.0 - 2022-12-25

### Added
- IAS custom domains support
- Create SMS subscribed application url with subscriber subdomain instead of zoneId -- IAS TenantId
- Certificates forwarding in service2approuter flow

### Fixed
- html5 repo creds performance fix correction
- Destination cache key changed from destination name to destinationId plus destination name in case of instance level destination
- Remove connection specific headers from http2 response
- Scopes retrieval with IAS login in user-api

## 12.0.3 - 2022-12-11

### Fixed
- html5 repo creds performance issues

## 12.0.2 - 2022-12-06

### Fixed
- feature flag to disable html5 repo credentials consumption fix

### Updated dependencies
- deps: query-string@7.1.2

## 12.0.1 - 2022-11-31

### Fixed
- feature flag to disable html5 repo credentials consumption

### Updated dependencies
- deps: @sap/xsenv@3.4.0

## 12.0.0 - 2022-11-13

### Added
- Consume credentials from html5 repo
- Use server ca certificates with Hyperscaler Redis

### Fixed
- HTML5 Repo service name in client credentials token middleware

## 11.6.1 - 2022-11-3

### Fixed
- Type error in websockets flow when url does not contain application key
- Mask 'x-forwarded-client-cert' header
- Send all certificates chain if exist FULL_CERTIFICATE_CHAIN = 'true'

## 11.6.0 - 2022-10-24

### Added
- http2 support

## 11.5.1 - 2022-10-13

### Fixed
- Correct using sap_idp query parameter also in other sessions
- Avoid deleting sap_idp query parameter from the backend url, since there are use cases in which it is needed

## 11.5.0 - 2022-09-18

### Added
- Support of state parameters during authorization

### Updated dependencies
- deps: @sap/passport@0.6.0

## 11.4.1 - 2022-09-11

### Fixed
- Correct a failure with error code 400 during login callback when using dynamic identity provider
- Correct scopes handling when running user-api
- Error handling in password token creation

## 11.4.0 - 2022-09-05

### Added
- Dynamic log level support
- x-approuter-authorization with Basic authentication token

## 11.3.4 - 2022-08-30

### Fixed
- Crash when missing key in backend cookie

## 11.3.3 - 2022-08-25

### Fixed
- preferLocal destination
- Modify url for userInfo, as part of user-api/attributes

## 11.3.2 - 2022-08-04

### Fixed
- Destination token timeout calculation
- UserId deleted from session
- Query parameters with special characters in login callback

## 11.3.1 - 2022-07-28

### Fixed
- Missing destination instance credentials issue
- Avoid token exchange, when the session user is n/a (grant_type=client_credentials)
- Correct null pointer exception uaa missing in subscription-utils
- Dynamic provisioning of identity provider with welcome file

## 11.3.0 - 2022-07-20

### Added
- Support for dynamic provisioning of identity providers
- Support websocket in service2approuter flow

## 11.2.1 - 2022-06-15

### Fixed
- When user-api/attributes fails to get user attributes, it returns the basic user details

## 11.2.0 - 2022-06-14

### Added
- Expose the Redis retry strategy as an application router configuration.

### Fixed
- Support compressing multipart/mixed content type when compressResponseMixedTypeContent is configured in xs-app.json
- Avoid token exchange in case of expired login token
- Correct a null pointer exception issue in user-api-middleware

## 11.1.0 - 2022-06-06

### Added
- Enhance user-api: both endpoints with user scopes, "attributes" endpoint with user attributes (including custom attributes)
- Support TrustAll for Private-link proxy type

### Fixed
- SAML Assertion via Cloud Connector issue
- ARBE cookie: null while working with multiple backends.

## 11.0.1 - 2022-05-15

### Fixed
- ARBE cookie size issue

## 11.0.0 - 2022-05-09

### Added
- Support node version 14 and node version 16 instead of node version 12 and node version 14

### Updated dependencies
- async removed

## 10.15.4 - 2022-05-08

### Fixed
- Instance level destination handling
- Error handling when calling svc2Approuter middleware

### Updated dependencies
- deps: @sap/xssec@3.2.13
- Caret (^) added to: @sap/audit-logging, @sap/e2e-trace, @sap/logging, @sap/xssec, async, node-forge, urijs

## 10.15.3 - 2022-04-26

### Fixed
- Request contains an invalid x-csrf-token

## 10.15.2 - 2022-04-24

### Fixed
- Improve readme documentation
- Token xsrf undefined, when approuter bound to external session storage

### Updated dependencies
- deps: @sap/logging@6.1.1
- deps: async@3.2.3

## 10.15.1 - 2022-04-07

### Updated dependencies
- should-send-same-site-none removed
- request.js removed
- moment removed
- deps: urijs@1.19.11
- deps: @sap/logging@6.1.0

## 10.15.0 - 2022-04-03

### Added
- External session management support in service2approuter flow
- Return auditLog, if has multi-tenant plan oauth2, as a dependency during subscription creation
- Write auditLog error message into subscription tenant, when approuter runs in multi-tenant mode
- Private-link proxy type support
- Error stack in error-handler

### Updated dependencies
- deps: body-parser@1.2.0

### Fixed
- Type error in case of missing app.services

## 10.14.2 - 2022-03-23

### Updated dependencies
- deps: node-forge@1.3.0

## 10.14.1 - 2022-03-23

### Fixed
- Cookie addition in decrypt cookies and check in merge cookies
- Improve destination service resilience in SaaS Approuter

## 10.14.0 - 2022-03-15

### Added
- Auto-Pipeline for ioredis support

### Fixed
- web sockets fixed status code
- IAS logout page redirect
- convert environment variable EXTERNAL_REVERSE_PROXY to boolean type

### Updated dependencies
- bluebird removed

## 10.13.2 - 2022-03-08

### Fixed
- Change log level to info for missing host destination
- Null object error for user property

### Updated dependencies
- deps: urijs@1.19.10
- deps: @sap/audit-logging@5.5.1
- deps: @sap/xsenv@3.2.1

## 10.13.1 - 2022-03-01

### Fixed
- Add check for correlationId header existence in getCorrelationId

## 10.13.0 - 2022-02-27

### Added
- Support multiple zoneIds in same IAS tenant

### Fixed
- Avoid reading uaa property from a null object
- Improve error handling in exchange token

### Updated dependencies
- deps: urijs@1.19.8
- deps: axios@0.26.0

## 10.12.0 - 2022-01-30

### Added
- Replace 'request' module by 'axios'
- Support query params in user-api

### Updated dependencies
- deps: tough-cookie@4.0.0

## 10.11.3 - 2022-01-25

### Updated dependencies
- deps: @sap/audit-logging@5.4.1
- deps: @sap/xssec@3.2.12

## 10.11.2 - 2022-01-13

### Updated dependencies
- deps: scmp@1.0.0

## 10.11.1 - 2022-01-12

### Updated dependencies
- deps: node-forge@1.2.1

## 10.11.0 - 2022-01-11

### Added
- POST method support for logout flows
- New env. variable to skip loading client_credentials tokens on approuter start
- Adding minimumTokenValidity from env variable

### Fixed
- Get uaadomain from subscription manager in case XSUAA is not bound
- Logs reduction - remove stackTrace on error log level
- Websocket try to get status code from message string when statusCode property undefined
- isDynamicRouting read defaultEnv.json file only in development environment
- accessToken references

### Updated dependencies
- deps: node-forge@1.2.0

## 10.10.4 - 2021-12-16

### Fixed
- SameSite cookie property concatenation

## 10.10.3 - 2021-12-13

### Fixed
- Handle bad cookie decryption error
- Fix missing session when token validity too short
- Set client_credentials token by tenant timeout to 5000 ms
- setXForwardedFor remove headers correction

### Added
- Adding serverKeepAlive from env variable to routerConfig

### Updated dependencies
- deps: @sap/audit-logging@5.3.0
- deps: debug@4.3.2
- deps: uuid@8.3.2
- deps: scmp@2.1.0

## 10.10.2 - 2021-12-02

### Fixed
- Adding expiration date on login-callback-provider check
- Increase client_credentials token request timeout to 5000 ms
- Protect accessToken references

### Updated dependencies
- deps: compressible@2.0.18
- deps: sap/xssec@3.2.11

## 10.10.1 - 2021-11-21

### Fixed
- Avoid sending certificates if authentication type is not client certificate or trusted certificate

## 10.10.0 - 2021-11-18

### Added
- Propagate correlationId to xssec and UAA requests
- Support compression of response content with multipart/mixed content type

### Fixed
- Subscriber destination consumption in public flows
- Samesite attribute in callback login response header
- Support destination trust certificate propagation (format pem)

### Updated dependencies
- deps: sap/xssec@3.2.10

## 10.9.2 - 2021-11-09

### Fixed
- Backend invalid cookies handling
- Add checking for missing xsappConfig file along with xs-app.json on configuration load

### Updated dependencies
- deps: cf-nodejs-logging-support@6.11.0
- deps: validator@13.7.0

## 10.9.1 - 2021-10-28

### Fixed
- Missing HTML5 repo token in cache failure

## 10.9.0 - 2021-10-24

### Added
- Additional cookie logs
- Support client certificate authentication (format p12)
- Change log level to info for backend logs
- IAS token support in service to approuter flow

### Updated dependencies
- deps: sap/xssec@3.2.8

## 10.8.2 - 2021-10-11

### Fixed
- Remove clientsecret validation for mtls

## 10.8.1 - 2021-10-07

### Added
- New audit log SDK support
- Kyma Redis credentials documentation

### Fixed
- Redis credentials handling in Kyma
- X509 client secret validation in uaa schema

### Updated dependencies
- deps: http-proxy-agent@4.0.1
- deps: https-proxy-agent@5.0.0
- deps: @sap/audit-logging@5.1.0

## 10.8.0 - 2021-09-13

### Added
- Propagate destination headers in approuter

### Fixed
- Sessions expiration in Redis
- Connections to Redis on Azure with premium plan
- Same site support for Lax value
- Request url with code parameter will be directed to authentication, in case it is required
- Session handling documentation
- When application name does not adhere to regex, the request will be directed to main routing configuration file

## 10.7.1 - 2021-08-30

### Added
- Skip xs-app.json cache support
- Login with XSUAA certificates
- Mutual Transport Layer Security (mTLS) handling
- Single use token support

## 10.6.1 - 2021-08-03

### Fixed
- Subscription callback requests will be directed to main routing configuration file
- App. config response headers modify additional headers value

## 10.6.0 - 2021-07-28

### Added
- HTML5 Application Repository Tenant Awareness support

### Fixed
- Nullifying the Redis client when there's a connection issue with Redis
- Clear interval when calling approuter.close()

## 10.5.1 - 2021-07-25

### Fixed
- Return error immediately when reaches login callback middleware via query parameters

### Updated dependencies
- deps: urijs@1.19.7

## 10.5.0 - 2021-07-14

### Added
- Support of the configuration of the minimal logging level for the cf-nodejs-logging-support library

### Fixed
- Return an error code when calling login callback directly
- Fix for request traces that crash the application router

## 10.4.3 - 2021-07-05

### Fixed
- Display log with tenant ID, also when using direct routing URIs
- Support of session management with redis with multiple nodes plans

## 10.4.2 - 2021-06-13

### Fixed
- Correcting additional bug when Websocket Proxy is crashing if excluding a route by DIRECT_ROUTING_URI_PATTERN

## 10.4.1 - 2021-06-09

### Fixed
- Changing "favico.ico" to "favicon.ico" as a predefined direct routing URI
- Parsing client certificate for non-CF SMS subscription
- Improving logs in path-rewriter, request-handler, service-to-approuter-middleware, oauth2-strategy
- Adding cache-Control header ('no-cache, no-store') to the User API response
- Correcting a bug when Websocket Proxy is crashing if excluding a route by DIRECT_ROUTING_URI_PATTERN

### Updated dependencies
- deps: ws@7.4.6

## 10.4.0 - 2021-05-24

### Added
- External session management support

### Fixed
- Client certificate handling for non-CF SMS subscription
- Expose License

## 10.3.0 - 2021-05-11

### Added
- CLIENT_CERTIFICATE_HEADER_NAME configuration for non CF flows
- Support of SAP statistics for reporting the request performance
- AfterRequestHandler and backendTimeout extension support

### Fixed
- Lazy html5-repo client-credentials token creation in case it could not be created during startup
- Added "login" as a pre-configured direct URI route to prevent unnecessary calls to the HTML5 Application Repository

### Updated dependencies
- deps: cf-nodejs-logging-support@6.7.0

## 10.2.0 - 2021-04-11

### Added
- Support of routing directly to the routing configuration file (xs-app.json) of the application router using the DIRECT_ROUTING_URI_PATTERNS environment variable
- Caching support for destinations from destination service

### Fixed
- Verify cookie when IAS and XSUAA bound
- Websockets pong callback handling
- Empty getDependencies configuration handling in SaaS Registry subscription
- Handle SMS apiURLs in K8S
- Encode redirect logout url parameters in case of xsuaa authentication

## 10.1.0 - 2021-03-21

### Added
- If you are using Identity Authentication (IAS), you can now use subdomains in multitenant URLs
- Identity Authentication (IAS) is fully supported (no longer a Beta feature)

### Fixed
- Destination token exchange when using destinations on instance level

## 10.0.0 - 2021-03-10

### Added
- Support node version 12 and node version 14 instead of node version 10 and node version 12

## 9.4.0 - 2021-03-09

### Added
- Support the consumption of destinations from the provider subaccount via the preferLocal property
- Support of cross-origin resource sharing via the application router configuration file (xs-app.json)

### Fixed
- logout flow while using system plan XSUAA instance
- missing scope in XSUAA token after refresh

### Updated dependencies
- deps: lodash@4.17.21
- deps: @sap/audit-logging@4.2.0
- deps: @sap/logging@6.0.3

## 9.3.0 - 2021-02-24

### Fixed
- user-api consumption from local approuter
- avoid endless loop when calling approuter with /login/callback

### Added
- Service to approuter is not beta anymore, README file changed

### Updated dependencies
- deps: urijs@1.19.6

## 9.2.0 - 2021-02-14

### Added
- Support of custom response headers via the application router configuration file (xs-app.json)

### Fixed
- Verify application key without query parameters

### Updated dependencies
- deps: e2e-trace@3.0.0
- deps: xsenv@3.1.0

## 9.1.0 - 2021-01-21

### Added
- User API

### Fixed
- Connectivity authentication issue in IAS flow
- Initialize server keepAliveTimeout to zero

### Updated dependencies
- deps: @sap/audit-logging@3.2.0

## 9.0.2 - 2021-01-14

### Fixed
- Options handling for extensibility case when html5 repo is bound
- Logout request handling when approuter session times out
- Use "http_header" section of authTokens from the Destination Service response

### Updated dependencies
- deps: urijs@1.19.5

## 9.0.1 - 2020-12-20

### Fixed
- Subprotocol handling in websockets flows

### Updated dependencies
- deps: validator@13.5.2
- deps: @sap/logging@6.0.2

## 9.0.0 - 2020-12-06

### Added
- IAS authentication support
- Forward IAS token to destination
- IAS authentication with XSUAA authorization
- Subscription manager (SMS) support

### Updated dependencies
- deps: base64-url@2.3.3

## 8.6.1 - 2020-11-25

### Fixed
- Wrong application URL protocol returned by onSubscription callback additional fix

## 8.6.0 - 2020-11-19

### Fixed
- Wrong application URL protocol returned by onSubscription callback

## 8.5.5 - 2020-10-21

### Fixed
- Destination middleware improvement

## 8.5.4 - 2020-10-14

### Fixed
- Fix invalid backend response handling

## 8.5.3 - 2020-10-06

### Fixed
- Do not forward SAP-Connectivity-Authentication header in onPremise flows if destination authentication type is NoAuthentication

## 8.5.2 - 2020-09-21

### Fixed
- Handle SameSite:None value in client side cookies (signature, locationAfterLogin and fragmentAfterLogin)

## 8.5.1 - 2020-08-25

### Updated dependencies
- deps: lodash@4.17.20
- deps: sap/logging@5.3.1
- deps: cf-nodejs-logging-support@6.4.3

### Fixed
- Avoid crash if user provided service without credentials
- Don't forward auth token to connectivity in service2approuter flow if destination.forwardToken = false

## 8.5.0 - 2020-08-10

### Updated dependencies
- deps: @sap/audit-logging@3.1.1
- deps: request@2.88.2
- deps: @sap/xssec@3.0.9
- deps: lodash@4.17.19
- deps: ws@7.3.1

### Fixed
- Pass tenant id in service to approuter audit log message

## 8.4.1 - 2020-08-02

### Fixed
- Fix token exchange for Business Service access

## 8.4.0 - 2020-08-02

### Added
- Support merge of approuter and backend content-security-policy headers
- Support cookie merge in service2Approuter flow

### Fixed
- Handle undefined user in refresh token flow

## 8.3.1 - 2020-07-26

### Fixed
- Upgrade xssec version to 3.0.7 - fix big tokens exchange error

## 8.3.0 - 2020-07-23

### Fixed
- Fix missing subdomain in exchange token

## 8.2.2 - 2020-07-15

### Fixed
- Adapt to changes in @sap/xssec-3.0.6 - replace secContext private subdomain property by getSubdomain method
- Fix websocket pong behavior when status is not open

## 8.2.1 - 2020-07-09

### Fixed
- SAP Passport header handling fixed in service 2 approuter flow

## 8.2.0 - 2020-07-02

### Fixed
- Passport handling fix in service 2 approuter flow – increment counter

### Updated dependencies
- deps: sap/xssec@3.0.6

## 8.1.1 - 2020-06-24

### Announcement
- The Preserve URL fragment (PRESERVE_FRAGMENT) will not be deprecated as previously announced.

### Fixed
- Bug correction in forwardAuthToken in business service flow

## 8.1.0 - 2020-06-14

### Added
- Added fallback mechanism for html5 repo client_credentials token refresh
- Security improvement for signature verifying during login

### Fixed
- Bug fix when calling connectivity in a non-authenticated flow (no login in approuter)

## 8.0.0 - 2020-05-26

### Updated dependencies
- deps: @sap/xssec@3.0.3

### Removed
- Removal of SAP_JWT_TRUST_ACL environment variable support (functionality now comes with audience validation)

## 7.1.3 - 2020-05-17

### Added
- Enhancement of the x-approuter-authorization token security check in the service2Approuter flow.

## 7.1.2 - 2020-05-08

### Fixed
- Fix appurl usage of x-subscriber-tenant

## 7.1.1 - 2020-05-05

### Added
- Cache improvements
- Usage of x-subscriber-tenant header when provided.
- Handle html5 repo and xsuaa destinations separately

### Fixed
- Fix connectivity token handling for Kubernetes

## 7.1.0 - 2020-04-16

### Added
- Enable service logout configuration in central xs-app.json.

### Fixed
- Destination token cached in session is never refreshed.

## 7.0.0 - 2020-04-06

### Added
- Support node version 10 and node version 12 instead of node version 8 and node version 10

## 6.8.2 - 2020-03-04
|
||
|
||
### Fixed
|
||
- Fix extension of resolveUaaConfig
|
||
|
||
## 6.8.1 - 2020-02-20
|
||
|
||
### Fixed
|
||
- Fix default route
|
||
|
||
## 6.8.0 - 2020-02-10
|
||
|
||
### Added
|
||
- Enable external session manager extensibility when using HTML5 Repository
|
||
|
||
## 6.7.2 - 2020-01-30
|
||
|
||
### Added
|
||
- Support SameSite cookie attribute
|
||
|
||
### Updated dependencies
|
||
- deps: express-session@1.17.0
|
||
- deps: @sap/logging@5.2.0
|
||
|
||
## 6.7.1 - 2019-12-24
|
||
|
||
### Added
|
||
- Backend cookies secret variable (BACKEND_COOKIES_SECRET) Secret that is used to encrypt backend session cookies in service to Application Router flow. Should be set in case multiple instances of Application Router are used. By default a random sequence of characters is used.
|
||
|
||
|
||
## 6.7.0 - 2019-11-24
|
||
|
||
### Added
|
||
- Enhance the use of the xsenv@2.1.0 library to access bound destination service credentials, which support reading destination service credentials in Kubernetes.
|
||
|
||
### Fixed
|
||
- Anonymous login on destination flow
|
||
|
||
## 6.6.0 - 2019-11-12
|
||
|
||
### Announcement
|
||
- The Preserve URL fragment (PRESERVE_FRAGMENT) is being deprecated and will be removed in the near future
|
||
|
||
### Updated dependencies
|
||
- deps: sap/xsenv@2.1.0 Application Router uses xsenv library to access bound services credentials. We have upgraded the library to xsenv version 2.1.0 which supports reading credentials in Kubernetes.
|
||
- deps: https-proxy-agent@2.2.4
|
||
## 6.5.1 - 2019-10-10
|
||
|
||
### Fixed
|
||
- Adding sec-websocket-protocol header as the protocol of websockets
|
||
|
||
## 6.5.0 - 2019-10-03
|
||
|
||
### Added
|
||
- Timeout for Business Service
|
||
|
||
### Fixed
|
||
- Adding destination token middleware for websockets
|
||
|
||
## 6.4.1 - 2019-09-23
|
||
|
||
### Fixed
|
||
- CSP header fix return frame-ancestors in login
|
||
|
||
## 6.4.0 - 2019-09-16
|
||
|
||
### Added
|
||
- Allowed dynamic destinations
|
||
- Return CSP header with no cache
|
||
- Added setXForwardedHeaders option
|
||
|
||
## 6.3.0 - 2019-09-10
|
||
|
||
### Added
|
||
- Support Cache-Control for static content from html5-repo
|
||
|
||
## 6.2.0 - 2019-09-03
|
||
|
||
### Added
|
||
- Support Subscription url from vcap.
|
||
- Adding validation - Session created for one tenant must not be used by other tenants
|
||
|
||
### Updated dependencies
|
||
- deps: @sap/xssec@2.2.2
|
||
|
||
## 6.1.2 - 2019-08-28
|
||
- Support Xsuaa credentials in request body
|
||
|
||
## 6.1.1 - 2019-08-27

- Fix in destination middleware - session.update

## 6.1.0 - 2019-07-31

### Added
- Support for redirection to logout page with query parameters after central logout
- Connectivity is now returned in subscription getDependencies callback

### Fixed
- Error when processing unknown authentication types

## 6.0.2 - 2019-07-14

### Fixed
- Validation of destination with OnPremise proxyType
- CSRF protection in Service to Approuter flow

### Updated dependencies
- deps: lodash@4.17.13

## 6.0.1 - 2019-05-30

### Fixed
- Fixed TypeError bug when Approuter saves a cookie from backend and should log out when session timeout is exceeded.
- Fixed calculation of location after login.

## 6.0.0 - 2019-05-06

### Added
- Support node version 8 and node version 10 instead of node version 4.5 and node version 6

## 5.15.0 - 2019-04-29

### Added
- Support for Service to Application Router functionality (Beta version).
- Added destination in host support.

## 5.14.1 - 2019-04-17

### Added
- Enhanced Approuter application logs when serving of static content (from HTML5 App Repo) fails.

### Fixed
- Fixed subscription callbacks URL.

## 5.14.0 - 2019-04-04

### Added
- Websockets support for HTML5 Application Repository.

### Fixed
- onSubscription callback.

## 5.13.1 - 2019-03-27

### Added
- Added automatic recovery of Approuter after recovery of UAA.

### Fixed
- Fixed subscription callbacks URL.
- Fixed to avoid central appConfig routes overrides.

### Updated dependencies
- deps: @sap/xssec@2.1.16

## 5.13.0 - 2019-02-14

### Added
- Ability to define identity provider for authentication in the route.

## 5.12.0 - 2019-02-05

### Added
- Dynamic destination support.

## 5.11.0 - 2019-01-22

### Added
- Client credentials token support.

## 5.10.2 - 2019-01-08

### Fixed
- Fix proxy issue in Connectivity flow.

## 5.10.1 - 2019-01-03

### Fixed
- Fixed flow of access destination via destination service.

## 5.10.0 - 2018-12-30

### Added
- Propagation of approuter host during logout.

## 5.9.0 - 2018-12-18

### Added
- Ability to change destination without restarting application on CF
- Access destination that is exposed on destination service instance level.
- Enabled all authentication types defined in the destination service.

## 5.8.0 - 2018-10-27

### Fixed
- Fix login flow for URLs with empty query (URL that ends with '?').

### Added
- Documentation of integration with HTML5 Apps Repo.

### Updated dependencies
- deps: ws@1.1.5
- deps: lodash@4.17.11
- deps: @sap/logging@4.0.2

## 5.7.0 - 2018-10-08

### Added
- Propagate client id to UAA during Logout

## 5.6.4 - 2018-08-27

### Updated dependencies
- deps: @sap/audit-logging@2.2.4
- deps: sync-request@5.0.0

### Fixed
- Duplicate destination names in xs-app.json bug

## 5.6.3 - 2018-08-15

### Updated dependencies
- deps: e2e-trace@1.3.0
- deps: xssec@2.1.15
- deps: request@2.88.0

### Fixed
- Fix bug of POST/PUT requests with Content-Type application/json

## 5.6.2 - 2018-08-09

### Updated dependencies
- deps: serve-static@1.13.2
- deps: send@0.16.1
- deps: mime@1.4.1
- deps: debug@2.6.9

### Fixed
- Fix error in case of local destination and UAA with tenant mode shared

## 5.6.1 - 2018-08-07

### Updated dependencies
- deps: body-parser@1.18.3
- deps: uid-safe@2.1.5
- deps: @sap/xssec@2.1.9
- deps: send@0.16.2
- deps: compression@1.7.3
- deps: express-session@1.15.6
- deps: connect@3.6.5

## 5.6.0 - 2018-08-05

### Added
- Added SaaS application registration support (subscription)
- Enhanced usage of PreserveHostHeader additional property

### Fixed
- Fix error handling in case of bad signature

## 5.5.0 - 2018-07-19

### Added
- Added optional additional property 'PreserveHostHeader' to Destination service
- Added optional additional property 'sap-client' to Destination service

## 5.4.2 - 2018-07-04

### Fixed
- Fix refresh page location after timeout bug
- Fix fragment cookie name bug
- Fix vulnerability issues

## 5.4.1 - 2018-06-25

### Fixed
- Fix logout bug

## 5.4.0 - 2018-06-10

### Added
- Support extensibility of logout end-point

### Fixed
- Fix vulnerability issues

## 5.3.0 - 2018-05-13

### Added
- Enable extended session management
- Enable Correlation ID propagation

## 5.2.1 - 2018-05-02

### Added
- Support audit log service

## 5.2.0 - 2018-04-16

### Added
- Support routing to destination with authentication type OAuth2SAMLBearerAssertion

### Fixed
- Fix bug in forwarding undefined token

## 5.1.0 - 2018-03-14

### Added
- Support destination configuration from destination service

### Fixed
- Fix bug in trace functionality
- Fix bug in fragment functionality

## 5.0.0 - 2018-01-29

### Fixed
- Minor fix in destinations handling in Extension flow.
- Fix fragment handling in URL during Login flow.

## 4.0.1 - 2018-01-01

### Fixed
- Minor fixes in CORS.

## 4.0.0 - 2017-12-18

### Added
- Application router can consume content from the HTML5 application repository.

### Fixed
- Fix in headers handling when using CF destination and onPremise destination in same xs-app.json.
- Minor fix in CORS.

## 3.0.1 - 2017-10-08

### Removed
- Node 0.12 support.

## 2.10.0 - 2017-07-30

### Added
- Enabled connectivity to on premise backend.
- Added external reverse proxy support.

### Fixed
- Fix CSRF token generation to use a Secure Random number generator.

## 2.9.1 - 2017-06-29

### Fixed
- Minor fixes in CORS.
- Introduce CORS feature in README.md.

## 2.9.0 - 2017-06-27

### Added
- Support for CORS functionality.

## 2.8.2 - 2017-06-13

### Fixed
- Fix cancel request.
- Fix logout in dynamic routing.

## 2.8.1 - 2017-06-01

### Fixed
- Fixes in documentation of dynamic routing and troubleshooting section.
- Fix logout when using websocket.

## 2.8.0 - 2017-04-26

### Added
- Introduce table of contents in README.md.
- Added JWT refresh in websocket connections.
- Significant performance improvements via adopting @sap/logging version 3

## 2.7.1 - 2017-03-20

### Fixed
- Add username to logs.
- Minor fixes in websockets and session handling.

## 2.7.0 - 2017-02-13

### Added
- Replacements from services.
- Start approuter on https
- Show warning when a route is explicitly both public and csrf protected.

### Fixed
- Should not escape client cookies.
- Redirect to welcome page if not CSRF token fetch request.
- Wrong basic authentication status codes.

## 2.6.1 - 2017-01-25

### Changed
- Rename package to use @sap scope

## 2.6.0 - 2017-01-25

### Added
- `REQUEST_TRACE` environment variable for enhanced request tracing.
- Support for PATCH in router configuration.
- New extensions - see extending.md.

### Removed
- Customizable UAA config resolution.

### Fixed
- Fixes in documentation.
- Handling of request protocol.
- Removed npm 2 restriction.

## 2.5.0 - 2016-12-13

### Added
- Enable customizable UAA config resolution
- Support for custom error pages (errorPage in xs-app.json)
- Extend sizing guide

### Fixed
- Crash in error handler due to missing logger.
- Does not cache login responses.
- Does not log UAA missing when not needed.
- In case of parallel logins Approuter may use wrong user.
- Does not send basic credentials to backend, unless route is public.

## 2.4.0 - 2016-11-16

### Added
- Introduce SECURE_SESSION_COOKIE environment variable - enforces the secure flag of application router's session cookie.
- Additional checks for regular expressions during startup.

### Changed
- Previous component name in sap passport has been changed to 'XSA Approuter'.

### Fixed
- Missing logging context in error handler when using extensions.

## 2.3.4 - 2016-11-04

### Fixed
- The _x-csrf-token_ header is no longer forwarded to backend in case a path requires authentication and CSRF token protection.
- Set the _Secure_ flag of the session cookie depending on the environment application router runs in.
- Some of the links in README.md were broken.

## 2.3.3 - 2016-11-02

### Added
- Add COMPRESSION env var to be able to configure compression.

### Fixed
- Do not cache wsAllowedOrigins across requests.
- Favor UAA config from default-env.json over default-services.json.
- Extend error message for proxy settings problem.
- Enable compression by default when custom setting is provided.
- Propagate errors to handler.
- Avoid session resave at the end of request. Fix session overwrite.

## 2.3.2 - 2016-09-30

### Fixed
- Cookie locationAfterLogin clash in port based routing.

## 2.3.1 - 2016-09-28

### Fixed
- Unverified redirect via locationAfterLogin cookie.
- Fallback to default UAA if no tenant captured.
- Fix X-Frame-Options header overwriting.
- Session cookie name - use application_id instead of instance_id.
- Fix port validation for approuter.start().

## 2.3.0 - 2016-09-02

### Added
- Multitenancy support.
- Matching route by both URL path and HTTP method.

### Fixed
- Fixed race condition during CSRF token generation.

## 2.2.0 - 2016-08-17

### Added
- Start approuter with xs-app.json passed as an object.
- Follow symlinks in localDir config.
- Document the Content-Security-Policy header as a best practice.

## 2.1.3 - 2016-08-13

### Added
- Generate CSRF token once per session.

## 2.1.2 - 2016-08-06

### Fixed
- Remove instance cookies from client request.
- Fix locationAfterLogin cookie path.

## 2.1.1 - 2016-07-24

### Fixed
- Support to host welcome page externally.
- Fix logout path matching.
- Fix 500 sent in case locationAfterLogin cookie is missing.

## 2.1.0 - 2016-07-17

### Added
- Allow source of route to be matched in case-insensitive way.
- New configuration for maximum client connection timeout.
- Add support for approuter extensions (custom middleware).
- Allow fetching CSRF token with HEAD request.

## 2.0.0 - 2016-05-12

### Added
- Configuration for the Cache-Control header in xs-app.json. The header is used when serving static resources.

### Removed
- local-* files (e.g. local-destinations, local-plugins) can no longer be used in the approuter during local development. Instead of these, the approuter reads a single file located in the working directory (default-env.json), which contains the corresponding environment variables (e.g. destinations, plugins) and their values.