Skip to content
This repository has been archived by the owner on Mar 8, 2021. It is now read-only.

Latest commit

 

History

History
201 lines (150 loc) · 8.03 KB

CHANGES.md

File metadata and controls

201 lines (150 loc) · 8.03 KB
Raw

Friend changelog

0.3.0

  • The "classic" OpenId (i.e. OpenId 1.1/2.0) workflow provided by cemerick.friend.openid has been removed, along with the dependencies it alone required. See #45 (comment) for something like a justification for the change. (gh-45)
  • The "channel security" features (requires-scheme* set of middlewares) deprecated in 0.2.3 have been removed.
  • Friend can now be used in IPv6 environments. (gh-154)

0.2.3

0.2.2

  • Bumped some dependencies to prevent fatal errors when used in conjunction with other libraries, certain versions of Clojure (gh-116, gh-127)
  • OpenId workflow can now be initialized via an HTTP GET request (contra the spec?) to interop with existing SSO systems (gh-114, gh-44)
  • wrap-authorize now requires its role parameter to be non-empty (gh-99)
  • robert-hooke is now properly classified as a test dependency (gh-106)

There are other changes, please see the full list of issues resolved leading up to this release, and the commit history if you're super-interested.

0.2.1

  • Added :cemerick.friend/ensure-session as an optional slot workflows can add to the metadata on authentication maps they return. By default, Friend will update (or set anew) the Ring session when a user is authenticated, redirecting them to where they were originally headed before hitting an authentication requirement. By setting :cemerick.friend/ensure-session and :cemerick.friend/redirect-on-auth? to false, the user will not be redirected, and the session will not be set. This addresses the use cases of both the HTTP Basic workflow, as well as use cases where a request is made simply to establish authentication without a redirect, but while retaining the session-setting behaviour. (gh-83)
  • Fix the HTTP Basic workflow so that non-Basic authentication mechanisms that use the Authorization HTTP header can be used (gh-85)
  • Workflows are now only ever run as needed (gh-90)
  • Port numbers are no longer set if X-Forwarded-Proto is present in the original request (gh-84)

0.2.0

Friend now depends upon Ring 1.2.0 final. This means (due to the transitive dependency on tools.reader) that Friend now requires Clojure 1.3.0+.

This release contains a significant refactoring of the library to follow the interceptor pattern adopted by Ring 1.2.0 (see the note under "Misc" below). Note that this refactoring is not a breaking change, either from an end-user or workflow author/maintainer standpoint.

Core API

  • The default-unauthenticated-handler now properly retains the query string of the initial requested unauthenticated URL (gh-68)

Workflows

  • The OpenID workflow can now be used much more reliably behind reverse proxies and load balancers:
    • The return_to URL now automatically takes into account any x-forwarded-proto header provided by your reverse proxy
    • If your proxy/load balancer doesn't send x-forwarded-proto headers, then you can use middleware to add an appropriate return_to URL to the request going into the OpenID middleware, keyed under :cemerick.friend.openid/return-url (gh-74)
  • The interactive-form workflow now properly picks up username parameter value after a failed login attempt (gh-69)

Misc

  • Friend's middlewares have been refactored internally to implement an interceptor pattern, to match Ring's middlewares >= 1.2.0. This makes Friend suitable for use with e.g. Pedestal and similar frameworks. (gh-54)

0.1.5

Friend is now tracking Ring v1.2.0 betas, minimally requiring [ring/ring-core "1.2.0-beta1"].

Core API

  • :roles in authentication maps may now optionally be a function returning a collection of roles (gh-21, gh-55)

Workflows

  • All included workflows now properly account for the in-force Ring context, if any. (gh-52, gh-53, gh-56)

0.1.4

Core API

  • Fixed handling of the optional authorization-error map that may be provided to authorize (gh-46)

Misc

  • Various minor documentation improvements.

0.1.3

Core API

  • cemerick.friend/current-authentication can now accept either a ring request map or a Friend identity map
  • cemerick.friend/authenticated can now accept more than one body form (gh-32)
  • A new cemerick.friend/authenticate option, :unauthenticated-handler, allows one to provide a separate Ring handler to control how to respond to unauthenticated requests when authentication is required (either via setting :allow-anon to false, or via use of cemerick.friend/authenticated). The prior behaviour (redirecting to the URI specified by :login-uri) is currently retained by the default :unauthenticated-handler, cemerick.friend/default-unauthenticated-handler. (gh-38)

Workflows

  • The http-basic workflow no longer produces a 401 Unauthorized response when no HTTP Basic credentials are supplied. (gh-38)
  • The OpenID workflow now offers a :consumer-manager option for providing a fully-configured org.openid4java.consumer.ConsumerManager (to be used instead of the in-memory default) (gh-35)
  • Usernames provided as part of an interactive-form workflow authentication are now URL-encoded in the resulting redirect when authentication fails (gh-41)

Misc

  • New function cemerick.friend.credentials/bcrypt-verify now available to verify bcrypt-hashed strings outside of cemerick.friend.credentials/bcrypt-credential-fn and the workflow/authentication process
  • All HTTP redirect responses sent by Friend now use an absolute URL in the Location header per the HTTP spec (gh-42)
  • The transitive dependency on Google Guice (needed by the openid4java dependency) has been updated to use the coordinates available via Maven Central

0.1.2

Core API

  • Credential functions may now return maps with a :cemerick.friend.credentials/password-key slot in their metadata to indicate the key within the credential map itself which holds the password.
  • The value of the :cemerick.friend/redirect-on-auth? key in workflow may now be a string URI to which the user will be redirected (instead of the :default-landing-uri provided to the authenticate middleware).
  • Friend now plays much nicer with Ring sessions; in particular, it no longer quashes session data set by lower-level handlers and middleware. (gh-24, gh-26)

Workflows

  • The http-basic workflow now properly supports empty usernames and passwords (gh-28)

0.1.1

Bricked, don't use.

0.1.0

Core API

  • :login-uri now actually defaults to "/login" as indicated in documentation (Yoshito Komatsu, gh-13)
  • Authorization failures are now handled more sanely (gh-19):
    • :unauthorized-redirect-uri is no longer used (was nonsensical)
    • additional data may now be added to the stone thrown upon unauthorized access (see cemerick.friend/authorize, cemerick.friend/authenticated, and throw-authorized)
    • data added to stone thrown by cemerick.friend/throw-authorized is now added to the request passed to :unauthorized-handler in the :cemerick.friend/authorization-failure slot
  • HTTP 401 is now used instead of 403 to properly indicate unauthorized authenticated request (gh-20)
  • cemerick.friend/logout* is now public (John Szakmeister)

Workflows

  • http-basic workflow now properly responds with www-authenticate challenge when no credentials are provided and :allow-anon? is false (gh-16)
  • the OpenID workflow's :max-nonce-age must now be specified in milliseconds instead of seconds
  • the OpenID workflow no longer adds unprintable objects to the ring session

Misc

  • Documentation for cemerick.friend/identity fixed