
8.1.0

@YasharF YasharF released this 01 Feb 17:57

Security Enhancements:

  • Added URL validation for redirects through session.returnTo (CWE-601).
  • Fixed OAuth state parameter generation and handling to address CSRF attack vectors in the OAuth workflow.
  • Added additional sanitization for user input in database queries using $eq in MongoDB.
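
An added example of the kind of `session.returnTo` validation described above, to mitigate open redirects (CWE-601). This is illustrative code, not hackathon-starter's own implementation; it assumes Express with express-session, and `APP_ORIGIN` is a constructed value.

```javascript
// Constructed deployment origin; in a real app derive it from configuration.
const APP_ORIGIN = 'https://example.test';

// Return a redirect target that is guaranteed to stay on APP_ORIGIN.
// Anything that is not a plain app-relative path falls back to `fallback`.
function safeReturnTo(candidate, fallback = '/') {
  // Session values can be missing or, via operator injection, non-strings.
  if (typeof candidate !== 'string' || candidate.length === 0 || candidate.length > 2048) {
    return fallback;
  }
  // Reject control characters and whitespace; some parsers strip them (e.g. "\t/evil").
  if (/[\u0000-\u0020\u007f]/.test(candidate)) return fallback;
  // Accept only "/path"; "//host" and "/\host" are protocol-relative and leave the origin.
  if (!candidate.startsWith('/') || /^\/[\/\\]/.test(candidate)) return fallback;

  let parsed;
  try {
    parsed = new URL(candidate, APP_ORIGIN); // resolve the way a browser would
  } catch {
    return fallback;
  }
  if (parsed.origin !== APP_ORIGIN) return fallback;

  // Re-serialize from the parsed parts so the client never receives the raw input.
  const normalized = parsed.pathname + parsed.search + parsed.hash;
  // Dot-segment resolution (e.g. "/..//host") can yield a "//host" path; reject it.
  if (!/^\/(?![\/\\])/.test(normalized)) return fallback;
  return normalized;
}

// Example Express handler: consume session.returnTo once, then redirect safely.
function redirectAfterLogin(req, res) {
  const target = safeReturnTo(req.session && req.session.returnTo);
  if (req.session) delete req.session.returnTo;
  res.redirect(target);
}

module.exports = { safeReturnTo, redirectAfterLogin };
```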

API and Integration:

  • Unified formatting for authentication parameters in route definitions and passport.js configuration.
  • Refactored common code for OAuth 2 token processing in passport strategies to improve maintainability.
  • Reworked the GitHub and Twitch API integration examples with additional data from the APIs.
  • Reworked the Twilio API integration example to use Twilio’s sandbox servers and test phone numbers.
  • Upgraded the Pinterest API example to use v5 calls instead of the broken v1.
  • Reworked the Tumblr API integration example with additional data from the API.
  • Added a properly working OAuth 1.0a integration for Tumblr.
  • Removed sign-in by Snapchat due to increased difficulty for developers and a focus on hackathon participants.
  • Removed Foursquare OAuth authorization and updated the API demo with new examples.
  • Renamed Twitter to X (some of the backend code still references Twitter due to upstream dependencies, and the login button uses Twitter colors pending the addition of X to bootstrap-social).

Update/Upgrades:

  • Dropped support for Node.js < 22 due to ESM module import issues in earlier versions.
  • Migrated from the unmaintained passport-linkedin-oauth2 to a passport-openidconnect strategy.
    ◦ Added support and examples for openid-client.
  • Migrated from the deprecated paypal-rest-sdk to an example without the SDK, providing OAuth calls depending on the page state.
  • Migrated from the unmaintained bootstrap-social to a fork that can be easily patched and updated.
  • Migrated eslint to v9, and its new config format (breaking change).
  • Migrated Husky to v9, and its new config format (breaking change). Fixed Windows commit issue.
  • Updated dependencies.
  • Added temporary patch files for connect-flash and passport-openidconnect based on pending pull requests or issues on GitHub.

Other:

  • Fixed a bug that prevented profile pictures from being displayed.
  • Added authentication link/unlink options to the user profile page for all OAuth/Identity providers.
  • Fixed typos, broken links, and minor formatting alignment issues on various pages.
  • Fixed spelling errors in startup information displayed in the console.
  • Refactored URL validation in the unit tests for Gravatar generation to conform with CodeQL rules. Even though CodeQL performs vulnerability checks, this is not a security issue since the affected code is unit tests only.
  • Updated the placeholder main.js to use the current format (not deprecated JS).
  • Updated the GitHub repo worker/runner configs to use proper permissions.
  • Return exit code 1 if there is a database connection issue at startup.
  • Added the --trace-deprecation flag to startup to provide better information on runtime deprecation warnings.
  • Configured .gitignore to exclude the uploads path.
  • Updated the copyright year.
  • Updated documentation.