fxa-oauth-server/CHANGELOG.md

1.123.1 (2018-10-26)

Bug Fixes

• profile: remove the profileChangedAt column on tokens table (5e87bce)

1.123.0 (2018-10-16)

Bug Fixes

• db: Drop foreign key constraints. (7ee117c)
• db: Fix case-consistency of SQL query from #612 (9e55714), closes #612

1.122.0 (2018-10-02)

Bug Fixes

• ci: remove nsp (#602) (64ade86), closes #602 #596 #597
• key-data: Correctly handle non-existent scopes when finding key data. (34d9493)

Features

• openid: add profileChangedAt to claims (#607), r=@rfk (f6e93eb), closes #607

1.121.0 (2018-09-18)

Bug Fixes

• ci: remove nsp (#602) (64ade86), closes #602 #596 #597
• key-data: Correctly handle non-existent scopes when finding key data. (34d9493)

1.120.0 (2018-09-06)

Bug Fixes

• authorization: Correctly handle non-existing URL scopes during authorization. (#594) r=@vladiko (21654a3), closes #594 #593
• ci: Run MySQL tests in Circle (#586) r=@vbudhram (4b1c4e4), closes #586 #581
• scopes: Document scope-handling rules, use shared code to enforce them. (#551); r=vbudhr (237886d), closes #551

Features

• openid: add the openid connect at_hash value (#598), r=@rfk (d08310e), closes #598

1.119.0 (2018-08-21)

Bug Fixes

• authorization: Correctly handle non-existing URL scopes during authorization. (#594) r=@vladiko (21654a3), closes #594 #593
• ci: Run MySQL tests in Circle (#586) r=@vbudhram (4b1c4e4), closes #586 #581
• scopes: Document scope-handling rules, use shared code to enforce them. (#551); r=vbudhr (237886d), closes #551

1.117.0 (2018-07-24)

Bug Fixes

• clients: match the notes client with fxa-dev and other envs (#585); r=rfk (e24a582), closes #585
• config: For dev, the openid issuer is http://127.0.0.1:3030 (#583) r=@vladikoff (38e1d73), closes #583 mozilla/fxa-content-server#6362
• doc: Putting a little emphasis on email first (#584) r=@shane-tomlinson (8ad17c1), closes #584
• purge: add purgeExpiredTokensById to select, then delete by primary key (#580); r=rfk (adfff65), closes #580

Features

• codes: Delete authorization codes when revoking client access. (#578); r=philbooth (b905b7c), closes #578

1.116.0 (2018-07-11)

Features

• codes: Delete authorization codes when revoking client access. (#578); r=philbooth (b905b7c), closes #578

1.115.2 (2018-07-04)

Bug Fixes

• mysql: Correctly aggregate tokens by clientid. (#576) r=@vladikoff (2c2cd22), closes #576

1.115.1 (2018-06-27)

Bug Fixes

• tokens: Avoid quadratic behaviour when listing active clients. (#9); r=vladikoff (15c3065), closes #9

1.115.0 (2018-06-25)

1.114.0 (2018-06-13)

Bug Fixes

• docker: base image node:8-alpine and upgrade to npm6 (#567) r=@jbuck,@vladikoff (d4060be), closes #567

1.113.1 (2018-06-09)

Bug Fixes

• pkce: Don't require PKCE in the direct grant flow. (#566) r=@vladikoff (d70fe6d), closes #566 #559

Features

• authorization: Require tokenVerified=true for key-bearing scopes. (#561) r=@vladikoff (f9ad63e), closes #561 /github.com/mozilla-services/tokenserver/blob/master/tokenserver/views.py#L140

1.113.0 (2018-05-30)

1.112.1 (2018-05-17)

Bug Fixes

• changelog: update to latest changelog version (#556) (bc9256e), closes #556

Features

• ci: move to CircleCI 2 (#554) r=@jbuck (97e4f62), closes #554

<a name"1.112.0">

1.112.0 (2018-05-16)

<a name"1.111.0">

1.111.0 (2018-05-02)

Bug Fixes

• changelog: automated changelog is borked (#542) r=@vladikoff (d7437211, closes #524)
• oauth: another notes dev client (#546) (9d5ec8e5)
• validation: Allow redirect uris with existing query params. (#548); r=philbooth (b93e6a16)

Features

• node: update to node 8 (#544) r=@jrgm (e9b08ae0)
• sync:
  • add oldsync scope (#550) r=@rfk (f2e7bb47)
  • add local test client for sync (#549) (61ed2e73)

<a name"1.110.0">

1.110.0 (2018-04-18)

Bug Fixes

• tests: mock outstanding error logs in test suite r=@vladikoff (6a5d3ceb, closes #334)

Features

• authorization: Directly return code in authorization response. (#541); r=philbooth (7ad1e56f)
• email-first: Add support for the email-first flow. (#540); r=philbooth,rfk (cb11145e, closes #539)

<a name"1.109.0">

1.109.0 (2018-04-03)

Bug Fixes

• buffer: #527 Migrate deprecated buffer calls (#528) r=@vladikoff (fd85207), closes #527
• node: Use Node.js v6.14.0 (#537) (f32a3d7)
• route: make email false by default (#533) r=@rfk (aa68fb9)
• scripts: Fix varname typo in test runner script. (#535) (02804a8), closes [(#535](https://github.com/(/issues/535)
• tests: mock outstanding error logs in test suite r=@vladikoff (6a5d3ce)

chore

• config: add Notes trailing slash to redirect in dev.json (#536) (e8bf2e5)

Features

• amr: Report amr and acr claims in the id_token. (#530); r=vbudhram (8181f7f)
• email-first: Add support for the email-first flow. (#540); r=philbooth,rfk (cb11145), closes #539
• oauth: make server compatible with AppAuth (#534) r=@rfk (ff9e422)

<a name"1.108.0">

1.108.0 (2018-03-21)

Bug Fixes

• buffer: #527 Migrate deprecated buffer calls (#528) r=@vladikoff (fd852072, closes #527)

Features

• amr: Report amr and acr claims in the id_token. (#530); r=vbudhram (8181f7f6)

<a name"1.107.0">

1.107.0 (2018-03-08)

<a name"1.106.0">

1.106.0 (2018-02-21)

<a name"1.105.0">

1.105.0 (2018-02-07)

Features

• openid: Allow untrusted reliers to request openid scope. (#516), r=@vbudhram (f764dc82)

<a name"1.104.0">

1.104.0 (2018-01-24)

Bug Fixes

• config:
  • reverting 'mark config sentryDsn and mysql password sensitive (#511) r=@vladikof (41bd7c00)
  • mark config sentryDsn and mysql password sensitive (#511) r=@vladikoff (d98fbcde)

Features

• auth: Accept client credentials in the Authorization header. (#514); r=philbooth (1c508078)
• keys: Check lastAuthAt freshness when fetching key data. (#506) r=@vladikoff (e0de2f3b)

<a name"1.103.0">

1.103.0 (2018-01-08)

Bug Fixes

• node: use node 6.12.3 (#510) r=@vladikoff (adc1fc02)

<a name"1.100.2">

1.100.2 (2017-12-04)

Bug Fixes

• tokens: invalidate refresh tokens on client-token DELETE action (#508) (df0ca82a, closes #507)

<a name"1.100.1">

1.100.1 (2017-11-27)

Bug Fixes

• keys: replace scope key TLD (#505) r=@rfk (a5e6d8f4)

Features

• keys: Check lastAuthAt freshness when fetching key data. (#502) r=@vladikoff (855adee4)

<a name"1.100.0">

1.100.0 (2017-11-15)

Bug Fixes

• node: use node 6.12.0 (#501) r=@vladikoff (167c9734)

Features

• logs: add sentry support (#499), r=@vbudhram (ef34859b)

<a name"1.99.0">

1.99.0 (2017-11-03)

Bug Fixes

• pkce: match pkce implementation to specifications (#498) r=rfk (cf1c836b, closes #495)
• travis: run tests with 6 and 8 (#497) r=vladikoff (a49b2727)

<a name"1.98.1">

1.98.1 (2017-10-26)

<a name"1.98.0">

1.98.0 (2017-10-18)

<a name"1.97.0">

1.97.0 (2017-10-03)

Bug Fixes

• deps: update newrelic and request r=@shane-tomlinson (b6d6c93c)

Features

• keys:
  • add key-data docs, move client_id into payload (#491); r=rfk (a9152c35)
  • add keys_jwe support (#486) r=rfk (6a4efd1b, closes #484)
• scopes:
  • allow https:// scopes (#490); r=rfk (f892bcba, closes #489)
  • add key-data and scope support (#487) r=rfk (f3fcae5a, closes #483)

<a name"1.96.0">

1.96.0 (2017-09-19)

Features

• tokens: add support for password change and reset event (#485) r=rfk (f5873f9d, closes #481)

<a name"1.95.1">

1.95.1 (2017-09-14)

<a name"1.95.0">

1.95.0 (2017-09-06)

<a name"1.94.0">

1.94.0 (2017-08-23)

Bug Fixes

• newrelic: update to v2.1.0 (87a3aeee)

Features

• pkce: add ability for PKCE clients to use refresh_tokens (#476) r=seanmonstar (7b401ebf, closes #472)

<a name"1.92.0">

1.92.0 (2017-07-26)

<a name"1.91.0">

1.91.0 (2017-07-12)

Bug Fixes

• nodejs: update to 6.11.1 for security fixes (a0520c0c)

Features

• node: upgrade to node 6 (57c61ab1)

<a name"1.90.0">

1.90.0 (2017-06-28)

Features

• pkce: add PKCE support to the oauth server (#466) r=seanmonstar (ed59c0e6)

<a name"1.89.0">

1.89.0 (2017-06-14)

Bug Fixes

• tests:
  • double before hook timeout for tests on slow machines (23334169)
  • speed up and upgrade the test runner (#467) r=seanmonstar (2e76c9e4)

Features

• docker: support feature branches (#464) r=jrgm (f94fd61a)

<a name"1.86.0">

1.86.0 (2017-05-03)

<a name"1.85.0">

1.85.0 (2017-04-19)

Bug Fixes

• config:
  • expose clients config as OAUTH_CLIENTS (04ebf6fd)
  • Add environment config options (14a9b4a6)
• patcher: Fix patcher with no pre-loaded clients (dcc47b98)

Features

• lb: Add __lbheartbeat__ endpoint (#458), r=@jbuck (c387907c)

<a name"1.84.1">

1.84.1 (2017-04-05)

<a name"1.84.0">

1.84.0 (2017-04-04)

Bug Fixes

• config: expose more environment variables for config (7a1dd19e)
• test: fix unhandled rejection error with memory db impl (#454) r=vladikoff (c870eba4)

Features

• scripts: Add script to generate an oauth client (f21f657a)

<a name"1.83.0">

1.83.0 (2017-03-21)

Bug Fixes

• tests: check insert of utf8mb4 (4e6a77a8)
• version: use cwd and env var to get version (#452) r=vladikoff (a3b1aa28)

Features

• keys: Add created-at timestamp to our public keys. (#453); r=seanmonstar,vladikoff (511d9a63)

<a name"1.81.0">

1.81.0 (2017-02-24)

Bug Fixes

• api: clean up response of client-tokens delete endpoint (#3) (#449); r=rfk (9c632731)
• db: ensure strict mode (#448) r=rfk,seanmonstar (8d309c5b, closes #446)
• logs: add scope and client_id logs to verify route (#447) r=seanmonstar (33eb39ec, closes #444)

<a name"0.80.0">

0.80.0 (2017-02-07)

Features

• client: scope is now returned in client-tokens (#445) r=vladikoff (4efc383effc80)

<a name"0.79.0">

0.79.0 (2017-01-25)

Bug Fixes

• headers:
  • make "cache-control" value configurable (5ba82ea6)
  • add cache-control headers to api endpoints; extend tests (5a81ef94)
• keys: Generate unique 'kid' field when regenerating JWK keys (5b9acae3)
• scripts: Use pure JS module to generate RSA keypairs (#439) r=vladikoff (3380e1cc)

Features

• docker: Shrink Docker image size (#438) r=vladikoff (13d13b9e)

<a name"0.78.0">

0.78.0 (2017-01-11)

Bug Fixes

• security:
  • set x-frame-options deny (21ea05dd)
  • enable X-XSS-Protection 1; mode=block (52ca1e56)
  • enable x-content-type-options nosniff (5ea5001c)

<a name"0.77.0">

0.77.0 (2017-01-04)

Bug Fixes

• codes: Remove authorization codes after use. (e0f8961d)
• memorydb: token createdAt used instead of client createdAt (#436) r=vladikoff,seanmonstar (02dec664, closes #421)
• tokens: Begin expiring access tokens beyond a configurable epoch. (b3463264)

<a name"0.76.0">

0.76.0 (2016-12-13)

Bug Fixes

• deps: update to hapi 16, add srinkwrap scripts, update other prod deps (c102046e)

Features

• authorization: add uri validation on the authorization endpoint (#428) r=jrgm,seanmonstar (fcc0b52a, closes #387, #388)

<a name"0.74.0">

0.75.0 (2016-11-30)

Bug Fixes

• tokens: ttl parameter must be positive (#429) r=vladikoff (1764d73a)

Features

• hpkp: Add the hpkp headers to all requests (#416) r=vladikoff (6b8a8c86)

<a name"0.73.0">

0.73.0 (2016-11-02)

Bug Fixes

• deps: update to hapi 14 and joi 9 (9bc87c01, closes #424)
• travis: test on node4/node6 with default npm & g++-4.8 (b4e1dd8e)

<a name"0.71.0">

0.71.0 (2016-10-05)

Features

• docker: Add CloudOps Dockerfile & CircleCI build instructions (a80b4b47)
• shared: add new locales (d6e88df0)

<a name"0.70.0">

0.70.0 (2016-09-21)

Bug Fixes

• purge-expired:
  • accept a list of pocket-id's (1c843a93)
  • Promise.delay takes milliseconds; allow subsecond delay (10c61034)
  • moar logging (80c360e7)
  • set db.autoUpdateClients config to false (bc66fc37)
  • use db.getClient() to check for unknown clientId (c33f1d9c)
  • log uncaughtException; minimum log level of info (264271ef)

<a name"0.69.0">

0.69.0 (2016-09-08)

Bug Fixes

• log: add remoteAddressChain to summary (#417) (568cfa64, closes #415)

Features

• oauth:
  • add methods to support oauth client management (#405) r=seanmonstar (27485107)
  • Track last time refreshToken was used (#412) r=vladikoff,seanmonstar (25c455a6, closes #275)

<a name"0.68.0">

0.68.0 (2016-08-24)

Bug Fixes

• log: avoid crashing on bad payload (#411) r=rfk,jrgm (19ebed51, closes #410)
• test: encrypt refresh_token on db query (#414) r=seanmonstar,vladikoff (7f52d46d)

<a name"0.66.0">

0.66.0 (2016-07-27)

Bug Fixes

• deps: update some dependencies (09aa7b0e)
• spelling: minor spelling fix in tests (#403) r=vladikoff (d4ff105b)

<a name"0.65.0">

0.65.0 (2016-07-13)

Bug Fixes

• scopes: Dont treat foo:write as a sub-scope of foo. (b4b30c29)
• tokens: Added scripts that purge expired access tokens. (10bbb240)

<a name"0.64.0">

0.64.0 (2016-07-02)

Bug Fixes

• scopes: Dont treat foo:write as a sub-scope of foo. (fe2f1fef)

<a name"0.61.0">

0.61.0 (2016-05-04)

• travis: drop node 0.12 support (b4eba468)

<a name"0.59.0">

0.59.0 (2016-03-30)

<a name"0.57.0">

0.57.0 (2016-03-05)

Bug Fixes

• db: Fix an old db patch to apply cleanly in local dev. (c7fa6336)
• dependencies: switch back to main generate-rsa-keypair now that my fix to it was merged (1c1268b0)
• shrinkwrap: restore deleted npm-shrinkwrap.json (63834811)
• tests:
  • More reliable generation of RSA keys for tests (981d0b7c)
  • Refactor use of process.exit() to be outside of code under test. (47f4f176)
• validation: Restrict characters allowed in 'scope' parameter. (7dd2a391)

<a name"0.56.0">

0.56.0 (2016-02-10)

Bug Fixes

• openid: Generate openid keys on npm postinstall to file (5f15afaa)

Features

• clients: Added initial support for using previous client secret (4f9df20c)
• docker: Additional Dockerfile for self-hosting (83a8b6c1)

<a name"0.53.1">

0.53.1 (2016-01-11)

<a name"0.53.0">

0.53.0 (2016-01-04)

Bug Fixes

• deps: switch from URIjs to urijs (ecdf31ed, closes #347)
• travis: build on node 0.10, 0.12, 4, no allowed failures (6684e8c8)

Features

• openid:
  • Add support for OIDC login_hint query param. (200ce433)
  • add initial OpenID Connect support (93f87582, closes #362)

<a name"0.51.0">

0.51.0 (2015-12-02)

Bug Fixes

• config: option autoUpdateClients, will be disable in prod/stage (802a0b22)

Features

• token: reject expired tokens (4f519ca0, closes #365)

<a name"0.50.0">

0.50.0 (2015-11-18)

Bug Fixes

• config: update config to use getProperties (c2ed6ebd, closes #349)
• db: make schema.sql accuratley reflect latest patch state (b17b0008)
• docs: add git guidelines link (a00167ce)
• travis: remove broken validate shrinkwrap (1729764f)

Features

• tokens: allow using JWT grants from Service Clients (55f88a9c, closes #328)
• verify: add opt out parameter to verify endpoint (e4c54ff6, closes #358)

<a name"0.48.1">

0.48.1 (2015-10-28)

Bug Fixes

• docs: note that codes are single use (6fe39f7b, closes #214)

<a name"0.48.0">

0.48.0 (2015-10-20)

Bug Fixes

• config: remove 00000... from hashedSecrets (8dcfd560, closes #339)
• dependencies: move fxa-jwtool from dev-dependencies to dependencies (79b0427a, closes #345)

Features

• tokens: allow using JWT grants from Service Clients (0a0e3034, closes #328)

0.47.0 (2015-10-07)

Bug Fixes

• deps: update to mozlog 2.0.2 (29342a92, closes #337)

0.46.0 (2015-09-23)

Features

• clients: add notion of Service Clients in config (8cfdffe8, closes #327)

0.45.0 (2015-09-11)

Bug Fixes

• token: disable expiration error (c9547a8b)
• version: use explicit path with git-config (e0af8bcc)

Features

• db: remove clients.secret column (0e39d1ee, closes #323)

0.44.0 (2015-08-26)

Bug Fixes

• authorization: allow empty scope with implicit grant (1d6ac8e5, closes #315)
• db: don't change client database at startup; footgun (8877f818)

0.43.0 (2015-08-04)

Bug Fixes

• db: we need to enforce only a minimum patch level (not {n,n+1}) (e12f54d5)
• events: require events to be configured in production (1bef9e0a)
• server: exit if db patch level is wrong (78d63829)

Breaking Changes

• Server will fail to start up if config.events is not set with values when in production. (1bef9e0a)

0.42.0 (2015-07-22)

Bug Fixes

• config: set expiration.accessToken default to 2 weeks (7a4742de)
• sql:
  • remove references to the whitelisted column; this is now the trusted column (6b4d1ec3)
  • undo 155d2ce; for mysql-patcher fix up that database (eb9f40d1)
  • fix the schema issue with the trailing comma (069caeb4, closes #299)
• tests: sleep additional half second to adjust for mysql round of timestamp (a02f5161)

Features

• api: add ttl parameter to POST /authorization (36087fe6)

<a name"0.41.0">

0.41.0 (2015-07-07)

Bug Fixes

• api:
  • tolerate an empty client_secret in /destroy (25a4d308)
  • accept and ignore client_secret param in /destroy (c797ed23)
  • use invalidRequestParameter instead of invalidRedirect for invalid redirect acti (55eff2dd)
  • fail on invalid action parameters (0c73ae79)
• config: update redirect_uri values to not be blank (5267c62a)

Features

• refresh_tokens: add refresh_tokens to /token endpoint (16e787f0, closes #209)

<a name"0.39.0">

0.39.0 (2015-06-10)

Bug Fixes

• api:
  • Correct the error codes changed in 2781b3a (d0dba7c9)
  • Change InvalidAssertions error code to 401 (2781b3a2)
  • ensure /destroy endpoint returns an empty object in response body. (6efd47d1)
• clients: fixes client registration to use payload.whitelisted (83e145b0)
• docs:
  • Change Status Code for Invalid Assertion based (780aaee3)
  • document keys and verification_redirect options (ef8c47a5)
  • Update description of the action param to match latest reality. (b475fcbc)
• fatal-error: Exit with non-zero exit code for fatal errors (7c90ff08, closes #244)

Features

• clients: remove obsolete generate-client.js script (62ab0adb, closes #231)

<a name"0.36.1">

0.36.1 (2015-04-30)

Bug Fixes

• db: remove db name from clients (c7244393)

Features

• auth: redirect to content-server oauth root by default (34ad867c, closes #245)
• clients:
  • add terms_uri and privacy_uri properties to clients. (51ae9043)
  • report trusted property in GET /client/:id (c58d237b)
• untrusted-clients: restrict scopes that untrusted clients can request (8fd228ad, closes #243)

<a name"0.36.0">

0.36.0 (2015-04-27)

Features

• authorization: exit early if assertion invalid returns first (5a27ee61)
• config:
  • add browserid pool maxSockets option (0bb40ba1)
  • add mysql pool conectionLimit option (ca220ae7)
• developers: adds support for oauth developers (abe0e52a)
• logging:
  • add log of time taken in authorization endpoint (02ec0d20)
  • add log when mysql pool enqueues (461b5c19)

<a name"0.35.0">

0.35.0 (2015-04-13)

Bug Fixes

• clients: support client/client_id route via the internal server (ce04da76)

0.33.0 (2015-03-16)

Bug Fixes

• clients: fixes client endpoint for clients with no redirect_uri (6d47110f, closes #228)
• travis: install libgmp3-dev so optionaldep bigint will be built for browserid-crypto (a64cb183)

Features

• clients: move client management api to a separate port (07a61af2)

0.30.3 (2015-02-20)

Bug Fixes

• clients: update email validation (92d4bfc3)
• db: make the clients key mandatory in the config file (ac7a39e8)

Features

• docker: Dockerfile and README update for basic docker development workflow (342d87bb)

0.30.2 (2015-02-09)

Bug Fixes

• api: remove stray payload restriction from authorization route (e0d53682)
• logging: use route.path in debug message, not route.url (7d9efc25)

0.30.1 (2015-02-03)

Bug Fixes

• api:
  • allow application/x-form-urlencoded (6cc91e28)
  • reject requests with invalid parameters (3b4fa244, closes #210)

Breaking Changes

• If you're passing invalid parameters, stop it. (3b4fa244)

0.30.0 (2015-02-02)

Bug Fixes

• api: reject requests with bad content-types (26672287, closes #199)
• clients: fix server error when omitting optional fields in client registration (80768c51)

Features

• api:
  • add auth_at to token response schema. (bc8454df)
  • allow destroying token without client_secret (7b4d01ff)
• db: add basic migration infrastructure to mysql backend (012e605c)

0.29.0 (2015-01-20)

Bug Fixes

• docs: minor spelling fixes (33ad1ec0)

Features

• api: Add action=force_auth to GET /v1/authorization. (33603bd2)

0.26.2 (2014-11-20)

Bug Fixes

• logging: use space-free tokens for mozlog (11f73f9e)

0.26.1 (2014-11-13)

Features

• logging: log details when generating code (81933f70)

0.26.0 (2014-11-12)

Bug Fixes

• api: set update to return an empty object (6f334c66)
• error: AppError uses Error.captureStackTrace (2337f809, closes #164)

Features

• clients: client registration apis (1a80294d)
• error: add info property with link to docs (681044c6)
• logging:
  • add method, payload, and auth to summary (df57e23c)
  • switch logging to mozlog (ec0f5db1, closes #156)
• verify: added 'client' to /verify response (4c575516, closes #149)

Breaking Changes

• both the config and the logging output has changed.

Closes #156 (ec0f5db1)

0.24.0 (2014-10-20)

Features

• server: set HSTS header for 180 days (d43accb9)