@mashroom/mashroom-security-provider-ldap
Advanced tools
@mashroom/mashroom-security-provider-ldap - npm Package Versions
Changelog
1.6.3 (December 20, 2020)
- Error Pages: Deliver error pages only if text/html explicitly is accepted (and not for xhr/fetch requests).
Changelog
1.6.2 (December 14, 2020)
- Added a new plugin mashroom-error-pages that sends configurable error pages for specific HTTP response codes
- Portal: Disabled the page caching if the user is authenticated because the back button could reveal sensitive information to other users (on the same machine!). See https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses
Changelog
1.6.1 (November 26, 2020)
- Portal: Fixed the problem that incomplete pages and sites could be saved in the Portal (which could lead to a corrupt storage)
- Portal: The portal-page-enhancement plugins have now a config property "order" that defines in which order the resources are added to a page (useful for polyfills that needs to be started first)
- Portal: Fixed logout when exposing a site via vhost-path-mapper and frontendBasePath is empty or "/"
Changelog
1.6.0 (November 11, 2020)
- Portal: Decreased start time of static Portal Apps by delivering the appSetup with the Portal Page
- Core: Plugins are now only built when they changed since the last start. This dramatically decreases the start time in dev mode.
- Added a new plugin mashroom-portal-legacy-browser-support that adds polyfills for legacy browsers (such as IE11) to all portal pages (only if IE detected)
- Portal: Added a new plugin type portal-app-enhancement that allows it to update or rewrite the portalAppSetup that is passed to Portal Apps at startup. This can be used to add extra appConfig or user properties from a context. Additionally, this plugin allows it to pass extra clientServices to Portal Apps or replace one of the default ones.
- Portal: Added a new plugin type portal-page-enhancement that allows it to add extra resources (JavaScript and CSS) to a Portal page based on some (optional) rules. The resources can also be generated dynamically. This can be used to add polyfills or some analytics stuff without the need to change the theme.
- HTTP Proxy: The HTTP interceptor plugins now receive the original headers from the incoming request without filtering
- Portal: Plugin updates are now pushed to the Browser via SSE (in development mode). So, Portal Apps are reloaded faster after an update. Also, the portal page reloads on theme or layout changes.
- Portal: Fixed the problem that the CSRF token was invalidated on public pages when an ajax request was rejected by the ACL check. And after the invalidation all subsequent ajax POST's were failing
- Http Proxy: Fixed nasty bug that caused http headers to be dropped randomly because RegExp.lastIndex is not reset when test() returns true
Changelog
1.5.4 (October 29, 2020)
- Portal: The base backend proxy path is now also passed to the apps. This simplifies the handling of mulitple proxis.
E.g. if you have a proxy definition like this:
You could fetch SpaceX's rocket starts like this:{ "restProxies": { "spaceXApi": { "targetUri": "https://api.spacexdata.com/v3" }, "secondApi": { "targetUri": "..." } } }const apiUrl = portalAppSetup.restProxyPaths.__base; fetch(`${apiUrl}/spaceXApi/launches/upcoming`) // Instead of: // fetch(`${portalAppSetup.restProxyPaths.spaceXApi}/launches/upcoming`) - LDAP Security Provider: Added possibility to map arbitrary LDAP attributes to user.secrets
- OpenID Connect security provider: Add the access token to user.secrets.accessToken so it could for example be used in a Http Proxy Interceptor
- Simple Security Provider: Allow to set extraData and secrets for users
- Added a property secrets to the user. In opposite to the extraData property the data will never be exposed to the browser (e.g. to Portal Apps).
- Added a plugin that exports Node.js and plugin metrics to PM2 (via pm2/io)
- Fixed broken support for older browsers (IE11)
Changelog
1.5.3 (October 18, 2020)
- Core: Show cluster details such as the worker PIDs if the Node.js cluster module is active
- Http Proxy: Added a new plugin type http-proxy-interceptor which allows it to rewrite target URIs and headers. This can be used to add security headers to backend calls. BREAKING CHANGE: The getApiSecurityHeaders() method in the security provider interfaces has been removed since the http-proxy-interceptor is the more generic approach to solve the same problem.
- LDAP Security Provider: Added possibility to map arbitrary LDAP attributes to user.extraData
- LDAP Security Provider: Use the LDAP attributes displayName or givenName + sn as displayName instead of cn
- Portal: The mashroom-portal-demo-alternative-theme module uses now express-react-views and TypeScript to demonstrate a type save theme template
Changelog
1.5.2 (October 6, 2020)
- BREAKING CHANGE: All paths (config, sessions, ...) are now relative to the Mashroom config file (if they are not absolute)
- WebSockets: Clients can now reconnect to the previous session and receive missed messages if they use the clientId generated by the server
- LDAP Security Provider: Improved reliability and performance
- Portal: ReasonReact based demo app added
- Upgraded libraries with known vulnerabilities
Changelog
1.5.1 (August 25, 2020)
- Portal: The MashroomPortalStateService prefixes now data in the browser storage to avoid conflicts.
So, its save now to use it to persist the application state like this:
stateService.setLocalStoreStateProperty('state', store.getState()); - Portal: Made it possible to use environment variables in the plugin definition of remote portal apps as well
- Portal: Call the willBeRemoved lifecycle hook of all apps on page unload; this gives the app a chance to do some cleanup or persist its state properly
- Portal: Made defaultTheme and defaultLayout in the site configuration optional and derive it from the server configuration if not set
Changelog
1.5.0 (June 14, 2020)
- Sandbox: Added query parameter sbPreselectAppName to preselect an app without loading it
- Added metrics for: Plugin count, Remote apps, Session count, HTTP proxy pool, WebSocket connections, Redis/MongoDB/MQTT/AMQP connection status
- Added a plugin that exports the collected metrics for the Prometheus monitoring system
- Added a metrics collector plugin that adds request metrics and exposes a service for other plugins to add more metrics
- MongoDB Storage Provider: Added the possibility pass connection properties such as pool size. BREAKING CHANGE: Renamed the connectionUri property to uri.
- Remote Portal App Registries: Added an option socketTimeoutSec to configure the timeout when trying to access remote apps
- Storage Service: Can now leverage the new Memory Cache Service to accelerate the access. Can be configured like this:
"Mashroom Storage Services": { "provider": "Mashroom Storage Filestore Provider", "memoryCache": { "enabled": true, "ttlSec": 120, "invalidateOnUpdate": true, "collections": { "mashroom-portal-pages": { "ttlSec": 300 } } } } - Added a Redis provider plugin for the Memory Cache
- Added a general purpose Memory Cache Service with a built-in provider implementation based on node-cache
- Login web-app: All query parameters in the redirectUrl are now preserved after login
- Core: Added a new property serverInfo.devMode to the plugin context that can be used to determine if some packages are in development mode
- Added a wrapper security provider that adds support for Basic authentication to any other security provider that implements login() properly. Useful for end-2-end or load tests and if you want to access some API from an external system.
- Core: Enable Express "view cache" when no plugin package is in devMode, even if NODE_ENV is not production.
Changelog
1.4.5 (May 5, 2020)
- Security: A valid response object will now be passed to security providers during a silent login (when canAuthenticateWithoutUserInteraction() is true). It was not possible to set cookies.
- OIDC Security Provider: Fixed rejectUnauthorized - didn't work as expected