96 KiB
96 KiB
1.124.0 (2018-10-30)
Bug Fixes
- 2fa: Allow an explicit
nullvalue foracr_valuesparam. (47f4c61) - api: accept and ignore client_secret param in /destroy (c797ed2)
- api: allow application/x-form-urlencoded (6cc91e2)
- api: Change InvalidAssertions error code to 401 (2781b3a)
- api: clean up response of client-tokens delete endpoint (#3) (#449); r=rfk (9c63273), closes #3 #449
- api: Correct the error codes changed in
2781b3a(d0dba7c) - api: ensure /destroy endpoint returns an empty object in response body. (6efd47d)
- api: fail on invalid action parameters (0c73ae7)
- api: reject requests with bad content-types (2667228), closes #199
- api: reject requests with invalid parameters (3b4fa24), closes #210
- api: remove stray payload restriction from authorization route (e0d5368)
- api: set update to return an empty object (6f334c6)
- api: tolerate an empty client_secret in /destroy (25a4d30)
- api: use invalidRequestParameter instead of invalidRedirect for invalid redirect acti (55eff2d)
- authorization: allow empty scope with implicit grant (1d6ac8e), closes #315
- authorization: Correctly handle non-existing URL scopes during authorization. (#594) r=@vladiko (21654a3), closes #594 #593
- authorization: handle action parameter in GET/authorization (cfa6d97)
- buffer: #527 Migrate deprecated buffer calls (#528) r=@vladikoff (fd85207), closes #527 #528 #527
- changelog: Fixes #524 automated changelog is borked (#542) r=@vladikoff (d743721), closes #524 #542
- changelog: update to latest changelog version (#556) (bc9256e), closes #556
- ci: remove geodb workaround (521f4fe)
- ci: remove nsp (#602) (64ade86), closes #602 #596 #597
- ci: Run MySQL tests in Circle (#586) r=@vbudhram (4b1c4e4), closes #586 #581
- ci: turn on memcached in travis and circle (eb86a37), closes #2681
- clients: fix server error when omitting optional fields in client registration (80768c5), closes #203
- clients: fixes client endpoint for clients with no redirect_uri (6d47110), closes #228
- clients: fixes client registration to use payload.whitelisted (83e145b)
- clients: match the notes client with fxa-dev and other envs (#585); r=rfk (e24a582), closes #585
- clients: support client/client_id route via the internal server (ce04da7)
- clients: update email validation (92d4bfc)
- codes: Remove authorization codes after use. (e0f8961)
- config: Add environment config options (14a9b4a)
- config: expose clients config as OAUTH_CLIENTS (04ebf6f)
- config: expose more environment variables for config (7a1dd19)
- config: For dev, the openid issuer is http://127.0.0.1:3030 (#583) r=@vladikoff (38e1d73), closes #583 mozilla/fxa-content-server#6362
- config: mark config sentryDsn and mysql password sensitive (#511) r=@vladikoff (d98fbcd), closes #511
- config: option autoUpdateClients, will be disable in prod/stage (802a0b2)
- config: remove 00000... from hashedSecrets (8dcfd56), closes #339
- config: reverting 'mark config sentryDsn and mysql password sensitive (#511) r=@vladikof (41bd7c0), closes #511
- config: set expiration.accessToken default to 2 weeks (7a4742d)
- config: update config to use getProperties (c2ed6eb), closes #349
- config: Update contentUrl (e1622b2)
- config: Update name and redirectUri (2a16cdd)
- config: update redirect_uri values to not be blank (5267c62)
- db: don't change client database at startup; footgun (8877f81)
- db: Drop foreign key constraints. (7ee117c)
- db: ensure strict mode (#448) r=rfk,seanmonstar (8d309c5), closes #448 #446
- db: Fix an old db patch to apply cleanly in local dev. (c7fa633)
- db: Fix case-consistency of SQL query from #612 (9e55714), closes #612
- db: make schema.sql accuratley reflect latest patch state (b17b000)
- db: make the clients key mandatory in the config file (ac7a39e)
- db: remove db name from clients (c724439)
- db: Restore foreign key constraints on core tables. (2bd0845)
- db: we need to enforce only a minimum patch level (not {n,n+1}) (e12f54d)
- dependencies: move fxa-jwtool from dev-dependencies to dependencies (79b0427), closes #345
- dependencies: switch back to main generate-rsa-keypair now that my fix to it was merged (1c1268b)
- deps: add filtered npm audit (71048b3), closes mozilla/fxa#303
- deps: ignore npm advisories 39, 48, 658 (238b0a1), closes /github.com/mozilla/fxa-auth-server/pull/2643/files#r220807985
- deps: switch from URIjs to urijs (ecdf31e), closes #347
- deps: update mocha and other dev deps (b99e82d)
- deps: update newrelic and request r=@shane-tomlinson (b6d6c93)
- deps: update some dependencies (09aa7b0)
- deps: update to hapi 14 and joi 9 (9bc87c0), closes #424
- deps: update to hapi 16, add srinkwrap scripts, update other prod deps (c102046)
- deps: update to mozlog 2.0.2 (29342a9), closes #337
- doc: Putting a little emphasis on email first (#584) r=@shane-tomlinson (8ad17c1), closes #584
- docker: base image node:8-alpine and upgrade to npm6 (#567) r=@jbuck,@vladikoff (d4060be), closes #567
- docs: add git guidelines link (a00167c)
- docs: Change Status Code for Invalid Assertion based (780aaee)
- docs: document keys and verification_redirect options (ef8c47a)
- docs: minor spelling fixes (33ad1ec)
- docs: note that codes are single use (6fe39f7), closes #214
- docs: Update description of the
actionparam to match latest reality. (b475fcb) - email: ensure mock senders take precedence over the email service (29f379d)
- error: AppError uses Error.captureStackTrace (2337f80), closes #164
- events: require events to be configured in production (1bef9e0)
- fatal-error: Exit with non-zero exit code for fatal errors (7c90ff0), closes #244
- headers: add cache-control headers to api endpoints; extend tests (5a81ef9)
- headers: make "cache-control" value configurable (5ba82ea)
- key-data: Correctly handle non-existent scopes when finding key data. (34d9493)
- key-data: Fail cleanly when the client has no allowedScopes. (fafcef5)
- keys: Generate unique 'kid' field when regenerating JWK keys (5b9acae)
- keys: replace scope key TLD (#505) r=@rfk (a5e6d8f), closes #505
- log: add remoteAddressChain to summary (#417) (568cfa6), closes #417 #415
- log: avoid crashing on bad payload (#411) r=rfk,jrgm (19ebed5), closes #411 #410
- logging: log the reason for account deletions (3092ac1)
- logging: use route.path in debug message, not route.url (7d9efc2)
- logging: use space-free tokens for mozlog (11f73f9)
- logs: add scope and client_id logs to verify route (#447) r=seanmonstar (33eb39e), closes #447 #444
- mailer: Fix the bulk-mailer, add lots of tests. (806129d)
- memorydb: token createdAt used instead of client createdAt (#436) r=vladikoff,seanmonstar (02dec66), closes #436 #421
- metrics: use correct format for email service notifications (ec3ff7b)
- monorepo: Update CI config for oauth-server import. (6a5675c)
- mysql: Correctly aggregate tokens by clientid. (#576) r=@vladikoff (2c2cd22), closes #576
- newrelic: update to v2.1.0 (87a3aee)
- node: use node 6.12.0 (#501) r=@vladikoff (167c973), closes #501
- node: use node 6.12.3 (#510) r=@vladikoff (adc1fc0), closes #510
- node: Use Node.js v6.14.0 (#537) (f32a3d7), closes #537
- nodejs: update to 6.11.1 for security fixes (a0520c0)
- oauth: another notes dev client (#546) (9d5ec8e), closes #546
- openid: Generate openid keys on npm postinstall to file (5f15afa)
- patcher: Fix patcher with no pre-loaded clients (dcc47b9)
- pkce: Don't require PKCE in the direct grant flow. (#566) r=@vladikoff (d70fe6d), closes #566 #559
- pkce: match pkce implementation to specifications (#498) r=rfk (cf1c836), closes #498 #495
- profile: remove the
profileChangedAtcolumn on tokens table (5e87bce) - purge: add purgeExpiredTokensById to select, then delete by primary key (#580); r=rfk (adfff65), closes #580
- purge-expired: accept a list of pocket-id's (1c843a9)
- purge-expired: log uncaughtException; minimum log level of info (264271e)
- purge-expired: moar logging (80c360e)
- purge-expired: Promise.delay takes milliseconds; allow subsecond delay (10c6103)
- purge-expired: set db.autoUpdateClients config to false (bc66fc3)
- purge-expired: use db.getClient() to check for unknown clientId (c33f1d9)
- route: make email false by default (#533) r=@rfk (aa68fb9), closes #533
- scopes: Document scope-handling rules, use shared code to enforce them. (#551); r=vbudhr (237886d), closes #551
- scopes: Dont treat
foo:writeas a sub-scope offoo. (b4b30c2) - scripts: Fix varname typo in test runner script. (#535) (02804a8), closes #535
- scripts: Use pure JS module to generate RSA keypairs (#439) r=vladikoff (3380e1c), closes #439
- security: enable x-content-type-options nosniff (5ea5001)
- security: enable X-XSS-Protection 1; mode=block (52ca1e5)
- security: set x-frame-options deny (21ea05d)
- server: exit if db patch level is wrong (78d6382)
- shrinkwrap: restore deleted npm-shrinkwrap.json (6383481)
- spelling: minor spelling fix in tests (#403) r=vladikoff (d4ff105), closes #403
- sql: fix the schema issue with the trailing comma (069caeb), closes #299
- sql: remove references to the
whitelistedcolumn; this is now thetrustedcolumn (6b4d1ec) - sql: undo 155d2ce; for mysql-patcher fix up that database (eb9f40d), closes #301
- test: encrypt refresh_token on db query (#414) r=seanmonstar,vladikoff (7f52d46), closes #414 #413
- test: fix unhandled rejection error with memory db impl (#454) r=vladikoff (c870eba), closes #454
- tests: check insert of utf8mb4 (4e6a77a)
- tests: double before hook timeout for tests on slow machines (2333416)
- tests: mock outstanding error logs in test suite r=@vladikoff (6a5d3ce), closes #334
- tests: More reliable generation of RSA keys for tests (981d0b7)
- tests: Refactor use of process.exit() to be outside of code under test. (47f4f17)
- tests: sleep additional half second to adjust for mysql round of timestamp (a02f516)
- tests: speed up and upgrade the test runner (#467) r=seanmonstar (2e76c9e), closes #467
- token: disable expiration error (c9547a8)
- tokens: Added scripts that purge expired access tokens. (10bbb24)
- tokens: Avoid quadratic behaviour when listing active clients. (#9); r=vladikoff (15c3065), closes #9
- tokens: Begin expiring access tokens beyond a configurable epoch. (b346326)
- tokens: invalidate refresh tokens on client-token DELETE action (#508) (df0ca82), closes #508 #507
- tokens: ttl parameter must be positive (#429) r=vladikoff (1764d73), closes #429
- travis: build on node 0.10, 0.12, 4, no allowed failures (6684e8c)
- travis: install libgmp3-dev so optionaldep bigint will be built for browserid-crypto (a64cb18)
- travis: remove broken validate shrinkwrap (1729764)
- travis: run tests with 6 and 8 (#497) r=vladikoff (a49b272), closes #497
- travis: test on node4/node6 with default npm & g++-4.8 (b4e1dd8)
- validation: Allow redirect uris with existing query params. (#548); r=philbooth (b93e6a1), closes #548
- validation: Restrict characters allowed in 'scope' parameter. (7dd2a39)
- version: use cwd and env var to get version (#452) r=vladikoff (a3b1aa2), closes #452
- version: use explicit path with git-config (e0af8bc)
chore
- api: remove metrics context data from deprecated endpoints (d884148), closes #2496
- awsbox: remove unused awsbox (f053c9f)
- build: Bump eslint-config-fxa to latest version (fe45e0b)
- build: create changelogs each release (16f1f5b), closes #158
- build: switch to grunt-nsp (ac31672)
- ci: drop node 4 as a supported env (#478) (176c828), closes #478
- clients: add credentials for FF/FFOS/Fennec/FxA clients in dev (b501abe)
- clients: remove deprecated 'whitelisted' column from clients table. (cf16f8a)
- clients: rename "whitelisted" property to "trusted". (b8927a8)
- config: add local loop dev credentials (70cc480)
- config: add Notes trailing slash to redirect in dev.json (#536) (e8bf2e5), closes #536
- config: add oauth console into dev config (14d7bab)
- config: remove duplicate 'canGrant' field in config file (259da3d)
- config: Update convict and switch on strict validation. (1f49ad4)
- db: Add db migration to revert change that couldn't go to production. (9382239)
- dep: replaced bidcrypto dep with fxa-jwtool (7d71239)
- dependencies: bump hapi version (13c2d57)
- dependencies: dependency upgrades (4430228)
- dependencies: update 'jwcrypto' dependency to 'browserid-crypto' (b9bf102), closes #151
- dependencies: update convict (8dfa52f)
- dependencies: update most dependencies (ad61ecb)
- dependencies: updating deps (e412925)
- dependencies: upgrade mozlog to 2.0.3 (262bbc9)
- deps: Generate shrinkwrap for latest dependency updates (84e69b5)
- deps: update deps, fix nsp (#517) r=@philbooth (9f12267), closes #517
- deps: Update hapi dependency. (#457), r=@vbudhram (24a570f), closes #457
- deps: Update hapi to latest version (#482) r=vladikoff (6b2810e), closes #482
- deps: Update hapi to v16.6.3 (#526) (78c88ad), closes #526
- deps: Update request package to latest version (#407) r=vladikoff (b8ef1d7), closes #407
- dev: add 321Done untrusted client (a291205)
- dev: add Firefox Notes Web Extension client to development config (3960e5f)
- dev: add Notes supprot scope in dev (#492) (85af2a2), closes #492
- docker: remove old docker self-host files (9f5247f)
- docker: Update to node 6.11.5 (#494) (6eb07cf), closes #494
- docker: Use official node image & update to Node.js v4.8.2 (#462) r=vladikoff (b1924b0), closes #462
- docs: Add a comment about privKey/pubKey confusion in gen_keys (d2edd4b)
- docs: add a note about dev envs (0663c19), closes #148
- docs: add CircleCI badge to readme (acff566)
- docs: move self-host docker file (2180f92)
- docs: remove older Docker files (#426) (370c898), closes #426
- grunt: make 'grunt release' generate changelog also (87d5861)
- license: Update license to be SPDX compliant (ff83ec2)
- lint: add ESLint (1531061), closes #274
- logging: Log additional details for debugging expired tokens (22cf3ab)
- npm: update to npm5 (#522) r=@vbudhram (3783605), closes #522
- package: npm shrinkwrap (1ed76d9)
- package: pin blanket to 1.1.6 (072385b)
- package: remove main from package.json (ebc60a5), closes #206
- release: add tasks "grunt version" and "grunt version:patch" to create release tags (1be1380)
- release: use CHANGELOG.md instead of CHANGELOG during bump (520b39c)
- tests: remove weird mocking magic (47389fa)
- tests: Uniformly use promises rather than done() callback. (2a4731f)
- tokens: add a comment about why we're inserting an empty string for email (eed414b)
- travis: drop node 0.12 support (b4eba46)
- travis: Only install libgmp3-dev on Travis (cfafb19)
- travis: Tell Travis to use #fxa-bots (17134db)
- travis: use npm@2 for more stable installs (3c3e127)
- version: add /version route with source repo (37a08f2)
- version: generate legacy-format output for ./config/version.json (51b5f3b)
docs
- api: Update
emailbehavior for GET /v1/authorization. (755ec9a) - authorization: Document email param in GET /authorization (fbf1eb7)
- service-clients: Document Service Clients, JKUs, and JWTs (d2f1ef3), closes #329
- service-clients: Document Service Clients, JKUs, and JWTs (799f0e2), closes #329
- verify: fix misnamed 'scopes' response property (b5728cf), closes #261
- workflow: fixes workflow typo (318d9e1)
Features
- 2fa: check acr values during authorization flow (c20682a)
- amr: Report
amrandacrclaims in the id_token. (#530); r=vbudhram (8181f7f), closes #530 - api: Add
action=force_authto GET /v1/authorization. (33603bd), closes #190 - api: add
auth_atto token response schema. (bc8454d), closes #181 - api: add ttl parameter to POST /authorization (36087fe)
- api: allow destroying token without client_secret (7b4d01f)
- auth: Accept client credentials in the Authorization header. (#514); r=philbooth (1c50807), closes #514
- auth: redirect to content-server oauth root by default (34ad867), closes #245
- authorization: add uri validation on the authorization endpoint (#428) r=jrgm,seanmonstar (fcc0b52), closes #428 #387 #388
- authorization: Directly return
codein authorization response. (#541); r=philbooth (7ad1e56), closes #541 - authorization: exit early if assertion invalid returns first (5a27ee6)
- authorization: Require tokenVerified=true for key-bearing scopes. (#561) r=@vladikoff (f9ad63e), closes #561 /github.com/mozilla-services/tokenserver/blob/master/tokenserver/views.py#L140
- ci: move to CircleCI 2 (#554) r=@jbuck (97e4f62), closes #554
- clients: add
terms_uriandprivacy_uriproperties to clients. (51ae904) - clients: add notion of Service Clients in config (8cfdffe), closes #327
- clients: Added initial support for using previous client secret (4f9df20)
- clients: client registration apis (1a80294), closes #60
- clients: move client management api to a separate port (07a61af)
- clients: remove obsolete generate-client.js script (62ab0ad), closes #231
- clients: report
trustedproperty in GET /client/:id (c58d237) - codes: Delete authorization codes when revoking client access. (#578); r=philbooth (b905b7c), closes #578
- config: add browserid pool maxSockets option (0bb40ba)
- config: add mysql pool conectionLimit option (ca220ae)
- db: add basic migration infrastructure to mysql backend (012e605), closes #183
- db: remove clients.secret column (0e39d1e), closes #323
- deps: update server dependencies (80ac3cf)
- deps: update to bluebird 3 (8f4c664), closes #570
- developers: adds support for oauth developers (abe0e52)
- docker: Add CloudOps Dockerfile & CircleCI build instructions (a80b4b4)
- docker: Additional Dockerfile for self-hosting (83a8b6c)
- docker: Dockerfile and README update for basic docker development workflow (342d87b)
- docker: Shrink Docker image size (#438) r=vladikoff (13d13b9), closes #438
- docker: support feature branches (#464) r=jrgm (f94fd61), closes #464
- email-first: Add support for the email-first flow. (#540); r=philbooth,rfk (cb11145), closes #540 #539
- error: add info property with link to docs (681044c)
- hpkp: Add the hpkp headers to all requests (#416) r=vladikoff (6b8a8c8), closes #416
- keys: Add created-at timestamp to our public keys. (#453); r=seanmonstar,vladikoff (511d9a6), closes #453
- keys: add key-data docs, move client_id into payload (#491); r=rfk (a9152c3), closes #491
- keys: add keys_jwe support (#486) r=rfk (6a4efd1), closes #486 #484
- keys: Check lastAuthAt freshness when fetching key data. (#502) r=@vladikoff (855adee), closes #502
- keys: Check lastAuthAt freshness when fetching key data. (#506) r=@vladikoff (e0de2f3), closes #506
- lb: Add
__lbheartbeat__endpoint (#458), r=@jbuck (c387907), closes #458 - logging: add log of time taken in authorization endpoint (02ec0d2)
- logging: add log when mysql pool enqueues (461b5c1)
- logging: add method, payload, and auth to summary (df57e23), closes #174
- logging: log details when generating code (81933f7)
- logging: switch logging to mozlog (ec0f5db), closes #156
- logs: add sentry support (#499), r=@vbudhram (ef34859), closes #499
- metrics: add code and config for email service notification queue (ccd5556), closes #2633
- monorepo: Move everything into a subdirectory. (8453f6e)
- node: update to node 8 (#544) r=@jrgm (e9b08ae), closes #544
- node: upgrade to node 6 (57c61ab)
- oauth: add methods to support oauth client management (#405) r=seanmonstar (2748510), closes #405
- oauth: make server compatible with AppAuth (#534) r=@rfk (ff9e422), closes #534
- oauth: Track last time refreshToken was used (#412) r=vladikoff,seanmonstar (25c455a), closes #412 #275
- openid: add initial OpenID Connect support (93f8758), closes #362
- openid: add profileChangedAt to claims (#607), r=@rfk (f6e93eb), closes #607
- openid: Add support for OIDC
login_hintquery param. (200ce43) - openid: add the openid connect
at_hashvalue (#598), r=@rfk (d08310e), closes #598 - openid: Allow untrusted reliers to request
openidscope. (#516), r=@vbudhram (f764dc8), closes #516 - pkce: add ability for PKCE clients to use refresh_tokens (#476) r=seanmonstar (7b401eb), closes #476 #472
- pkce: add PKCE support to the oauth server (#466) r=seanmonstar (ed59c0e), closes #466
- refresh_tokens: add refresh_tokens to /token endpoint (16e787f), closes #209
- scopes: add key-data and scope support (#487) r=rfk (f3fcae5), closes #487 #483
- scopes: allow https:// scopes (#490); r=rfk (f892bcb), closes #490 #489
- scripts: Add script to generate an oauth client (f21f657)
- server: set HSTS header for 180 days (d43accb)
- server: update to Hapi 17 (0ebfebe)
- shared: add new locales (d6e88df)
- sync: add local test client for sync (#549) (61ed2e7), closes #549
- sync: add oldsync scope (#550) r=@rfk (f2e7bb4), closes #550
- token: reject expired tokens (4f519ca), closes #365
- tokens: add support for password change and reset event (#485) r=rfk (f5873f9), closes #485 #481
- tokens: allow using JWT grants from Service Clients (55f88a9), closes #328
- tokens: allow using JWT grants from Service Clients (0a0e303), closes #328
- untrusted-clients: restrict scopes that untrusted clients can request (8fd228a), closes #243
- verify: add opt out parameter to verify endpoint (e4c54ff), closes #358
- verify: added 'client' to /verify response (4c57551), closes #149
JsonFormatter
- outputs JSON in same format as fxa-auth-server (c89ca92)
Refactor
- client: scope added in memory and sql (#445) r=vladikoff (4efc383), closes #445 #431
- clients: remove terms and privacy uris (5c1e0be), closes #406
- config: Use human-readable duration values in config (20aa8fa)
- db: add hashedSecret column to clients (9ceaf1f), closes #155
- db: clients.secret to clients.hashedSecret, remove clients.whitelisted (155d2ce), closes #155 #267
- email: Fixes #352 Remove ability to fetch email address (#543) r=@shane-tomlinson (068bd4b), closes #352 #543
- keys: rename keyMaterial, timestamp to keyRotationSecret, k… (#500) r=@rfk (48ec2a3), closes #500
- lint: remove jscs, update eslint rules (#477), r=@vbudhram (8bc148a), closes #477
Reverts
- keys: Check lastAuthAt freshness when fetching key data (5d772f6)
- service-tokens): Revert "docs(service-clients: Document Service Clients, JKUs, and JWTs" (6be9ac2)
- service-tokens): Revert "feat(tokens: allow using JWT grants from Service Clients" (d3cc78a)
- tokens: dont reject expired tokens, again (e8b563e)
test
- api: rename assertRequestParam to assertInvalidRequestParam (3f00eb3), closes #280
- db: fixing db.removeUser tests for mysql (94f96bf)
BREAKING CHANGES
- [object Object]
- [object Object]
- [object Object]
1.123.2 (2018-10-30)
Bug Fixes
- db: Restore foreign key constraints on core tables. (2bd0845)
1.123.1 (2018-10-26)
Bug Fixes
- profile: remove the
profileChangedAtcolumn on tokens table (5e87bce)
1.123.0 (2018-10-16)
Bug Fixes
- db: Drop foreign key constraints. (7ee117c)
- db: Fix case-consistency of SQL query from #612 (9e55714), closes #612
1.122.0 (2018-10-02)
Bug Fixes
- ci: remove nsp (#602) (64ade86), closes #602 #596 #597
- key-data: Correctly handle non-existent scopes when finding key data. (34d9493)
Features
1.121.0 (2018-09-18)
Bug Fixes
- ci: remove nsp (#602) (64ade86), closes #602 #596 #597
- key-data: Correctly handle non-existent scopes when finding key data. (34d9493)
1.120.0 (2018-09-06)
Bug Fixes
- authorization: Correctly handle non-existing URL scopes during authorization. (#594) r=@vladiko (21654a3), closes #594 #593
- ci: Run MySQL tests in Circle (#586) r=@vbudhram (4b1c4e4), closes #586 #581
- scopes: Document scope-handling rules, use shared code to enforce them. (#551); r=vbudhr (237886d), closes #551
Features
1.119.0 (2018-08-21)
Bug Fixes
- authorization: Correctly handle non-existing URL scopes during authorization. (#594) r=@vladiko (21654a3), closes #594 #593
- ci: Run MySQL tests in Circle (#586) r=@vbudhram (4b1c4e4), closes #586 #581
- scopes: Document scope-handling rules, use shared code to enforce them. (#551); r=vbudhr (237886d), closes #551
1.117.0 (2018-07-24)
Bug Fixes
- clients: match the notes client with fxa-dev and other envs (#585); r=rfk (e24a582), closes #585
- config: For dev, the openid issuer is http://127.0.0.1:3030 (#583) r=@vladikoff (38e1d73), closes #583 mozilla/fxa-content-server#6362
- doc: Putting a little emphasis on email first (#584) r=@shane-tomlinson (8ad17c1), closes #584
- purge: add purgeExpiredTokensById to select, then delete by primary key (#580); r=rfk (adfff65), closes #580
Features
- codes: Delete authorization codes when revoking client access. (#578); r=philbooth (b905b7c), closes #578
1.116.0 (2018-07-11)
Features
- codes: Delete authorization codes when revoking client access. (#578); r=philbooth (b905b7c), closes #578
1.115.2 (2018-07-04)
Bug Fixes
1.115.1 (2018-06-27)
Bug Fixes
- tokens: Avoid quadratic behaviour when listing active clients. (#9); r=vladikoff (15c3065), closes #9
1.115.0 (2018-06-25)
1.114.0 (2018-06-13)
Bug Fixes
- docker: base image node:8-alpine and upgrade to npm6 (#567) r=@jbuck,@vladikoff (d4060be), closes #567
1.113.1 (2018-06-09)
Bug Fixes
Features
- authorization: Require tokenVerified=true for key-bearing scopes. (#561) r=@vladikoff (f9ad63e), closes #561 /github.com/mozilla-services/tokenserver/blob/master/tokenserver/views.py#L140
1.113.0 (2018-05-30)
1.112.1 (2018-05-17)
Bug Fixes
Features
<a name"1.112.0">
1.112.0 (2018-05-16)
<a name"1.111.0">
1.111.0 (2018-05-02)
Bug Fixes
- changelog: automated changelog is borked (#542) r=@vladikoff (d7437211, closes #524)
- oauth: another notes dev client (#546) (9d5ec8e5)
- validation: Allow redirect uris with existing query params. (#548); r=philbooth (b93e6a16)
Features
- node: update to node 8 (#544) r=@jrgm (e9b08ae0)
- sync:
<a name"1.110.0">
1.110.0 (2018-04-18)
Bug Fixes
Features
- authorization: Directly return
codein authorization response. (#541); r=philbooth (7ad1e56f) - email-first: Add support for the email-first flow. (#540); r=philbooth,rfk (cb11145e, closes #539)
<a name"1.109.0">
1.109.0 (2018-04-03)
Bug Fixes
- buffer: #527 Migrate deprecated buffer calls (#528) r=@vladikoff (fd85207), closes #527
- node: Use Node.js v6.14.0 (#537) (f32a3d7)
- route: make email false by default (#533) r=@rfk (aa68fb9)
- scripts: Fix varname typo in test runner script. (#535) (02804a8), closes [(#535](https://github.com/(/issues/535)
- tests: mock outstanding error logs in test suite r=@vladikoff (6a5d3ce)
chore
- config: add Notes trailing slash to redirect in dev.json (#536) (e8bf2e5)
Features
- amr: Report
amrandacrclaims in the id_token. (#530); r=vbudhram (8181f7f) - email-first: Add support for the email-first flow. (#540); r=philbooth,rfk (cb11145), closes #539
- oauth: make server compatible with AppAuth (#534) r=@rfk (ff9e422)
<a name"1.108.0">
1.108.0 (2018-03-21)
Bug Fixes
Features
- amr: Report
amrandacrclaims in the id_token. (#530); r=vbudhram (8181f7f6)
<a name"1.107.0">
1.107.0 (2018-03-08)
<a name"1.106.0">
1.106.0 (2018-02-21)
<a name"1.105.0">
1.105.0 (2018-02-07)
Features
- openid: Allow untrusted reliers to request
openidscope. (#516), r=@vbudhram (f764dc82)
<a name"1.104.0">
1.104.0 (2018-01-24)
Bug Fixes
- config:
Features
- auth: Accept client credentials in the Authorization header. (#514); r=philbooth (1c508078)
- keys: Check lastAuthAt freshness when fetching key data. (#506) r=@vladikoff (e0de2f3b)
<a name"1.103.0">
1.103.0 (2018-01-08)
Bug Fixes
- node: use node 6.12.3 (#510) r=@vladikoff (adc1fc02)
<a name"1.100.2">
1.100.2 (2017-12-04)
Bug Fixes
<a name"1.100.1">
1.100.1 (2017-11-27)
Bug Fixes
- keys: replace scope key TLD (#505) r=@rfk (a5e6d8f4)
Features
- keys: Check lastAuthAt freshness when fetching key data. (#502) r=@vladikoff (855adee4)
<a name"1.100.0">
1.100.0 (2017-11-15)
Bug Fixes
- node: use node 6.12.0 (#501) r=@vladikoff (167c9734)
Features
- logs: add sentry support (#499), r=@vbudhram (ef34859b)
<a name"1.99.0">
1.99.0 (2017-11-03)
Bug Fixes
- pkce: match pkce implementation to specifications (#498) r=rfk (cf1c836b, closes #495)
- travis: run tests with 6 and 8 (#497) r=vladikoff (a49b2727)
<a name"1.98.1">
1.98.1 (2017-10-26)
<a name"1.98.0">
1.98.0 (2017-10-18)
<a name"1.97.0">
1.97.0 (2017-10-03)
Bug Fixes
- deps: update newrelic and request r=@shane-tomlinson (b6d6c93c)
Features
- keys:
- scopes:
<a name"1.96.0">
1.96.0 (2017-09-19)
Features
<a name"1.95.1">
1.95.1 (2017-09-14)
<a name"1.95.0">
1.95.0 (2017-09-06)
<a name"1.94.0">
1.94.0 (2017-08-23)
Bug Fixes
- newrelic: update to v2.1.0 (87a3aeee)
Features
- pkce: add ability for PKCE clients to use refresh_tokens (#476) r=seanmonstar (7b401ebf, closes #472)
<a name"1.92.0">
1.92.0 (2017-07-26)
<a name"1.91.0">
1.91.0 (2017-07-12)
Bug Fixes
- nodejs: update to 6.11.1 for security fixes (a0520c0c)
Features
- node: upgrade to node 6 (57c61ab1)
<a name"1.90.0">
1.90.0 (2017-06-28)
Features
- pkce: add PKCE support to the oauth server (#466) r=seanmonstar (ed59c0e6)
<a name"1.89.0">
1.89.0 (2017-06-14)
Bug Fixes
- tests:
Features
- docker: support feature branches (#464) r=jrgm (f94fd61a)
<a name"1.86.0">
1.86.0 (2017-05-03)
<a name"1.85.0">
1.85.0 (2017-04-19)
Bug Fixes
- config:
- patcher: Fix patcher with no pre-loaded clients (dcc47b98)
Features
- lb: Add
__lbheartbeat__endpoint (#458), r=@jbuck (c387907c)
<a name"1.84.1">
1.84.1 (2017-04-05)
<a name"1.84.0">
1.84.0 (2017-04-04)
Bug Fixes
- config: expose more environment variables for config (7a1dd19e)
- test: fix unhandled rejection error with memory db impl (#454) r=vladikoff (c870eba4)
Features
- scripts: Add script to generate an oauth client (f21f657a)
<a name"1.83.0">
1.83.0 (2017-03-21)
Bug Fixes
- tests: check insert of utf8mb4 (4e6a77a8)
- version: use cwd and env var to get version (#452) r=vladikoff (a3b1aa28)
Features
- keys: Add created-at timestamp to our public keys. (#453); r=seanmonstar,vladikoff (511d9a63)
<a name"1.81.0">
1.81.0 (2017-02-24)
Bug Fixes
- api: clean up response of client-tokens delete endpoint (#3) (#449); r=rfk (9c632731)
- db: ensure strict mode (#448) r=rfk,seanmonstar (8d309c5b, closes #446)
- logs: add scope and client_id logs to verify route (#447) r=seanmonstar (33eb39ec, closes #444)
<a name"0.80.0">
0.80.0 (2017-02-07)
Features
- client: scope is now returned in client-tokens (#445) r=vladikoff (4efc383effc80)
<a name"0.79.0">
0.79.0 (2017-01-25)
Bug Fixes
- headers:
- keys: Generate unique 'kid' field when regenerating JWK keys (5b9acae3)
- scripts: Use pure JS module to generate RSA keypairs (#439) r=vladikoff (3380e1cc)
Features
- docker: Shrink Docker image size (#438) r=vladikoff (13d13b9e)
<a name"0.78.0">
0.78.0 (2017-01-11)
Bug Fixes
- security:
<a name"0.77.0">
0.77.0 (2017-01-04)
Bug Fixes
- codes: Remove authorization codes after use. (e0f8961d)
- memorydb: token createdAt used instead of client createdAt (#436) r=vladikoff,seanmonstar (02dec664, closes #421)
- tokens: Begin expiring access tokens beyond a configurable epoch. (b3463264)
<a name"0.76.0">
0.76.0 (2016-12-13)
Bug Fixes
- deps: update to hapi 16, add srinkwrap scripts, update other prod deps (c102046e)
Features
- authorization: add uri validation on the authorization endpoint (#428) r=jrgm,seanmonstar (fcc0b52a, closes #387, #388)
<a name"0.74.0">
0.75.0 (2016-11-30)
Bug Fixes
- tokens: ttl parameter must be positive (#429) r=vladikoff (1764d73a)
Features
- hpkp: Add the hpkp headers to all requests (#416) r=vladikoff (6b8a8c86)
<a name"0.73.0">
0.73.0 (2016-11-02)
Bug Fixes
- deps: update to hapi 14 and joi 9 (9bc87c01, closes #424)
- travis: test on node4/node6 with default npm & g++-4.8 (b4e1dd8e)
<a name"0.71.0">
0.71.0 (2016-10-05)
Features
- docker: Add CloudOps Dockerfile & CircleCI build instructions (a80b4b47)
- shared: add new locales (d6e88df0)
<a name"0.70.0">
0.70.0 (2016-09-21)
Bug Fixes
- purge-expired:
- accept a list of pocket-id's (1c843a93)
- Promise.delay takes milliseconds; allow subsecond delay (10c61034)
- moar logging (80c360e7)
- set db.autoUpdateClients config to false (bc66fc37)
- use db.getClient() to check for unknown clientId (c33f1d9c)
- log uncaughtException; minimum log level of info (264271ef)
<a name"0.69.0">
0.69.0 (2016-09-08)
Bug Fixes
Features
- oauth:
<a name"0.68.0">
0.68.0 (2016-08-24)
Bug Fixes
- log: avoid crashing on bad payload (#411) r=rfk,jrgm (19ebed51, closes #410)
- test: encrypt refresh_token on db query (#414) r=seanmonstar,vladikoff (7f52d46d)
<a name"0.66.0">
0.66.0 (2016-07-27)
Bug Fixes
- deps: update some dependencies (09aa7b0e)
- spelling: minor spelling fix in tests (#403) r=vladikoff (d4ff105b)
<a name"0.65.0">
0.65.0 (2016-07-13)
Bug Fixes
- scopes: Dont treat
foo:writeas a sub-scope offoo. (b4b30c29) - tokens: Added scripts that purge expired access tokens. (10bbb240)
<a name"0.64.0">
0.64.0 (2016-07-02)
Bug Fixes
- scopes: Dont treat
foo:writeas a sub-scope offoo. (fe2f1fef)
<a name"0.61.0">
0.61.0 (2016-05-04)
- travis: drop node 0.12 support (b4eba468)
<a name"0.59.0">
0.59.0 (2016-03-30)
<a name"0.57.0">
0.57.0 (2016-03-05)
Bug Fixes
- db: Fix an old db patch to apply cleanly in local dev. (c7fa6336)
- dependencies: switch back to main generate-rsa-keypair now that my fix to it was merged (1c1268b0)
- shrinkwrap: restore deleted npm-shrinkwrap.json (63834811)
- tests:
- validation: Restrict characters allowed in 'scope' parameter. (7dd2a391)
<a name"0.56.0">
0.56.0 (2016-02-10)
Bug Fixes
- openid: Generate openid keys on npm postinstall to file (5f15afaa)
Features
- clients: Added initial support for using previous client secret (4f9df20c)
- docker: Additional Dockerfile for self-hosting (83a8b6c1)
<a name"0.53.1">
0.53.1 (2016-01-11)
<a name"0.53.0">
0.53.0 (2016-01-04)
Bug Fixes
- deps: switch from URIjs to urijs (ecdf31ed, closes #347)
- travis: build on node 0.10, 0.12, 4, no allowed failures (6684e8c8)
Features
- openid:
<a name"0.51.0">
0.51.0 (2015-12-02)
Bug Fixes
- config: option autoUpdateClients, will be disable in prod/stage (802a0b22)
Features
<a name"0.50.0">
0.50.0 (2015-11-18)
Bug Fixes
- config: update config to use getProperties (c2ed6ebd, closes #349)
- db: make schema.sql accuratley reflect latest patch state (b17b0008)
- docs: add git guidelines link (a00167ce)
- travis: remove broken validate shrinkwrap (1729764f)
Features
- tokens: allow using JWT grants from Service Clients (55f88a9c, closes #328)
- verify: add opt out parameter to verify endpoint (e4c54ff6, closes #358)
<a name"0.48.1">
0.48.1 (2015-10-28)
Bug Fixes
<a name"0.48.0">
0.48.0 (2015-10-20)
Bug Fixes
- config: remove 00000... from hashedSecrets (8dcfd560, closes #339)
- dependencies: move fxa-jwtool from dev-dependencies to dependencies (79b0427a, closes #345)
Features
0.47.0 (2015-10-07)
Bug Fixes
0.46.0 (2015-09-23)
Features
0.45.0 (2015-09-11)
Bug Fixes
Features
0.44.0 (2015-08-26)
Bug Fixes
- authorization: allow empty scope with implicit grant (1d6ac8e5, closes #315)
- db: don't change client database at startup; footgun (8877f818)
0.43.0 (2015-08-04)
Bug Fixes
- db: we need to enforce only a minimum patch level (not {n,n+1}) (e12f54d5)
- events: require events to be configured in production (1bef9e0a)
- server: exit if db patch level is wrong (78d63829)
Breaking Changes
- Server will fail to start up if
config.eventsis not set with values when in production. (1bef9e0a)
0.42.0 (2015-07-22)
Bug Fixes
- config: set expiration.accessToken default to 2 weeks (7a4742de)
- sql:
- tests: sleep additional half second to adjust for mysql round of timestamp (a02f5161)
Features
- api: add ttl parameter to POST /authorization (36087fe6)
<a name"0.41.0">
0.41.0 (2015-07-07)
Bug Fixes
- api:
- config: update redirect_uri values to not be blank (5267c62a)
Features
<a name"0.39.0">
0.39.0 (2015-06-10)
Bug Fixes
- api:
- clients: fixes client registration to use payload.whitelisted (83e145b0)
- docs:
- fatal-error: Exit with non-zero exit code for fatal errors (7c90ff08, closes #244)
Features
<a name"0.36.1">
0.36.1 (2015-04-30)
Bug Fixes
- db: remove db name from clients (c7244393)
Features
- auth: redirect to content-server oauth root by default (34ad867c, closes #245)
- clients:
- untrusted-clients: restrict scopes that untrusted clients can request (8fd228ad, closes #243)
<a name"0.36.0">
0.36.0 (2015-04-27)
Features
- authorization: exit early if assertion invalid returns first (5a27ee61)
- config:
- developers: adds support for oauth developers (abe0e52a)
- logging:
<a name"0.35.0">
0.35.0 (2015-04-13)
Bug Fixes
- clients: support client/client_id route via the internal server (ce04da76)
0.33.0 (2015-03-16)
Bug Fixes
- clients: fixes client endpoint for clients with no redirect_uri (6d47110f, closes #228)
- travis: install libgmp3-dev so optionaldep bigint will be built for browserid-crypto (a64cb183)
Features
- clients: move client management api to a separate port (07a61af2)
0.30.3 (2015-02-20)
Bug Fixes
- clients: update email validation (92d4bfc3)
- db: make the clients key mandatory in the config file (ac7a39e8)
Features
- docker: Dockerfile and README update for basic docker development workflow (342d87bb)
0.30.2 (2015-02-09)
Bug Fixes
- api: remove stray payload restriction from authorization route (e0d53682)
- logging: use route.path in debug message, not route.url (7d9efc25)
0.30.1 (2015-02-03)
Bug Fixes
- api:
Breaking Changes
- If you're passing invalid parameters, stop it. (3b4fa244)
0.30.0 (2015-02-02)
Bug Fixes
- api: reject requests with bad content-types (26672287, closes #199)
- clients: fix server error when omitting optional fields in client registration (80768c51)
Features
- api:
- db: add basic migration infrastructure to mysql backend (012e605c)
0.29.0 (2015-01-20)
Bug Fixes
- docs: minor spelling fixes (33ad1ec0)
Features
- api: Add
action=force_authto GET /v1/authorization. (33603bd2)
0.26.2 (2014-11-20)
Bug Fixes
- logging: use space-free tokens for mozlog (11f73f9e)
0.26.1 (2014-11-13)
Features
- logging: log details when generating code (81933f70)
0.26.0 (2014-11-12)
Bug Fixes
- api: set update to return an empty object (6f334c66)
- error: AppError uses Error.captureStackTrace (2337f809, closes #164)
Features
- clients: client registration apis (1a80294d)
- error: add info property with link to docs (681044c6)
- logging:
- verify: added 'client' to /verify response (4c575516, closes #149)
Breaking Changes
- both the config and the logging output has changed.
Closes #156 (ec0f5db1)
0.24.0 (2014-10-20)
Features
- server: set HSTS header for 180 days (d43accb9)