atlassian-connect-express

Library for building Atlassian Add-ons on top of Express

# Atlassian Connect for Express.js Release Notes

## 11.5.3

* Minor fix: Keep options.json for GET Request in host-request so that it can be retained to be used as Accept header

## 11.5.2

* Drop body for GET requests to host to avoid 403 errors, complying with: https://developer.atlassian.com/cloud/jira/platform/changelog/#CHANGE-2328 and https://developer.atlassian.com/cloud/confluence/changelog/#CHANGE-2328

## 11.5.1

* Update `express` from `4.18.2` to `4.21.21`

## 11.5.0

* Route to new installation key CDN URL with fallbacks to old URL

## 11.4.1

* Fix types and documentation for `addon.getForgeAppToken`

## 11.4.0

* (Atlassian internal only) Update CONNECT_INSTALL_KEYS_CDN_URL_STAGING to use CDN in region stg-east.

## 11.3.0

* Add documentation and diagnostic logging regarding DynamoDB table requirements

## 11.2.0

* Add Forge token storage and retrieval methods

## 11.1.0

* Add Forge installation specific storage API

## 11.0.0

* Remove oauth2 support for harmonised apps
* Don't load database-handling code that we don't need
* Fix request options and callback type definitions
* Actually return a scoped httpClient if userKey or userAccountId is passed

## 10.1.0

* Improve type definition structure, allowing for user overrides
* Add types for new StoreAdaptor methods added for FRC support
* Fix error handling for authenticateWebhook middleware

## 10.0.3

* Add support for Atlassian FedRAMP services

## 10.0.2

* Make @ngrok/ngrok an optional dependency (omit it using --omit=optional when installing)
* Cleanup duplicate error logging for registration

## 10.0.1

* Set current user in Connect context from Forge token

## 10.0.0

* Changes format of credentials.json to accept all ngrok config

## 9.0.0

* Changes to an alternative ngrok support library.
* An ngrok auth token is now required for automatic registration.

## 8.7.0

* Updated minor and patch dependencies

## 8.6.0

* atlassian-connect-express apps can now act as a [remote backend for Forge](https://developer.atlassian.com/platform/forge/forge-remote-overview/).
* NOTE: if you use an adapter other than redis, be aware that this release will add a new RDBMS table / DynamoDB table / MongoDB collection to your data store, `InstallationClientKeys`, for the purposes of relating Connect and Forge identifiers.

## 8.5.0

* Add FedRAMP sandbox support in oauth2-forge.

## 8.4.0

* Add support to make ACJS CDN url configurable in config.json.
* NOTE: Version 8.3.0 is skipped due to an NPM publishing error. The new version will be 8.4.0 to keep in sync with the public registry

## 8.2.1

* Removed the unsupported `logger` option from being passed to the `MongoClient()` constructor to avoid a `MongoParseError`

## 8.2.0

* Added support for FedRAMP sandbox tenants for OAuth2 and installation callbacks

## 8.1.1

* Update dependency sqlite3 to v5.1.6
* Update dependency @aws-sdk/client-dynamodb to v3.398.0

## 8.1.0

* Update dependency mongodb to v5. Note: only the Node.js driver was updated and the new version is still compatible with MongoDB 3.6 and later.
* Update dependency eslint-plugin-jest to v27
* Update dependency eslint-plugin-prettier to v5
* Remove references to decommissioned apps

## 8.0.2

* Improve error message when dev mode is not enabled
* Fix error when "JWT claim did not contain the correct audience (aud) claim" and using addon.config.expressErrorHandling().

## 8.0.1

* [ACEJS-117](https://ecosystem.atlassian.net/browse/ACEJS-177) Fix issues with cross-protocol redirect blocking.

## 8.0.0

* CVE-2023-28155 Block cross-protocol redirect. [More Details](https://community.developer.atlassian.com/t/atlassian-connect-express-ace-vulnerability-in-deprecated-dependency/67599)

## 8.0.0-beta.0

* A major version bump because the minimum node version is raised for atlassian-connect-express from 14 to 18.
* Updated minor and patch dependencies

## 7.11.0

* Updated minor and patch dependencies

## 7.10.0

* Added the app key to the User-Agent header
* NOTE: Version 7.9.0 is skipped due to an NPM publishing error. The new version will be 7.10.0 to keep in sync with the public registry

## 7.8.0

* Added support to make OAuth 2.0 client credential request to product apis for Connect on Forge app, using `isClientCredentialsGrantAvailable()` and `clientCredentialsGrant()`

## 7.7.0

* Restoring bitbucket app support for symmetric install hooks.
* Security fixed

## 7.6.0

* Added option to use a custom error template, along with `errorTemplateName` and `errorTemplateObject` config parameters.

## 7.5.1

* Updated README to move `expressErrorHandling` to correct location in config. Fixed broken link to express error handling URL docs.

## 7.5.0

`signed-install` enforcement: Only asymmetrically signed JWT is expected for install / uninstall hooks.

## 7.4.9

* Pin the working version for colors.js: https://www.theverge.com/2022/1/9/22874949/developer-corrupts-open-source-libraries-projects-affected

## 7.4.8

* BaseUrl modified by the 'descriptorTransformer' function should be allowed for a JWT audience check

## 7.4.7

* Fix for global permissions check when there is neither project nor issue in the context

## 7.4.6

* Add support to the authorization middleware for checking anonymous Jira user permissions

## 7.4.4, 7.4.5

* TS type signature fix: AddOnFactory

## 7.4.3

* Add request context for installation middleware
* Add test support for 1st party apps

## 7.4.1

* `addon.authenticateInstall` middleware supports uninstall hook sent from an old version.

## 7.4.0

* Removed default opt-in to signed-install feature: Manually opt-in from the app descriptor
* Support multiple baseUrls when verifying install callback audience claim.

## 7.3.0

* TS type signature fix: HostClient#getAllClientInfos()
* TS type signature addition: ConfigOptions#watch
* TS type signature addition: HostClient#getUserBearerToken
* TS type signature addition: addon.authenticateInstall()

## 7.2.0

* Add and adjust type signatures for store and client methods

## 7.1.8

* Remove lockfiles
* Fixed typo in auth error message

## 7.1.7

* Patch to remove an unsupported descriptor field for bitbucket apps.
* Fixing minor bug which fails to check bitbucket apps

## 7.1.5

* Add config to control whether to use secure install hook only.
* Add authorization middleware for Jira and Confluence

## 7.1.4

* Update install lifecycle to check audience(app base url).

## 7.1.3

* Fixed typescript definition

## 7.1.2

* Removed `esModuleInterop` requirement from typescript typings

## 7.1.1

* Fixed `@aws-sdk/client-dynamodb` dependency issue

## 7.1.0

* Added dynamoDB storage adapter

## 7.0.1

* Install lifecycle callback uses asymmetric JWT
* Bug fix for missing context qsh check in v7.0.0

## 6.6.0

* Enforce presence of qsh claim on lifecycle endpoints

## 6.5.0

* Type updates

## 6.4.0

* Use registered installation keys over a pre-configured key

## 6.3.0

* Type and style updates

## 6.2.2

* Fix "TypeError: Promise.resolve is not a constructor".

## 6.2.1

* Fix the bug that causes sequelize adapter to always insert a new record instead of updating the existing one; this breaks reinstallation: https://community.developer.atlassian.com/t/i-found-a-bug-in-atlassian-connect-express-sequelize-storage-adapter-how-do-i-report-it/42399

## 6.2.0

* Allow custom table name with sequelize.

## 6.1.0

* Add Redis storage adapter.

## 6.0.0

* Update all package versions to latest.
* [sequelize](https://www.npmjs.com/package/sequelize) is updated to v6 from v5, see [breaking changes](https://github.com/sequelize/sequelize/blob/master/docs/manual/other-topics/upgrade-to-v6.md).
* [rsvp](https://www.npmjs.com/package/rsvp) promise library is removed.
* A major version bump also because it removes `addon._` ([Lodash](https://lodash.com/) utilities).

## 5.0.0

* Update all package versions to latest.
* Fix [ACEJS-57](https://ecosystem.atlassian.net/browse/ACEJS-57) ACE fails to start if descriptor contains double quote.
* A major version bump because it also raises the minimum node version for atlassian-connect-express from 8 to 10.

## 4.4.1

* Refactor and test library migration only

## 4.4.0

* Split out getVerifiedClaims as separate function

## 4.3.0

* Bump minor and patch dependencies to pick up security fixes
* Refactor auth class

## 4.2.0

* (Atlassian internal only) Use staging oauth 2 authorization server when performing user impersonation against dev jira or confluence sites

## 4.1.0

* Use {{appKey}} variable in atlassian-connect.json
* Use the correct sqlite dialect string.
* Set urijs to static version because of recent bug in library
* Add retryWrites=false and correct option order
* Bumping Sequelize to fix the vulnerability
* Handle errors thrown by store adapter during installation verification
* Add eslint support / Add some more eslint rules
* bump atlassian-oauth2 for new oauth-2-authorisation-server service URL
* Add back colors import
* Allow the import of dialectOptions via config

## 4.0.1

* Moved ngrok dependency back to dev

## 4.0.0

* Corrected version and incrementing major version due to drop of ngrok 2 in support of 3 from ACE version 3.5.0 (breaking change)
* Support for the qs parameter

## 3.5.2

Security fixes - updated Bitbucket

## 3.5.1

Security fixes

## 3.5.0

* Fixes dependency on ngrok 3, and drops support for ngrok 2

## 3.4.3

* Add descriptor validator - app developer should add a 'validateDescriptor' in config file to enable this in development mode

## 3.4.2

* Allow passing of Sequelize pool options
* Alignment of Jira, Conf, and Bitbucket SDK
* Documented events

## 3.4.0

* Updates dependency libraries to fix `npm audit` warnings

## 3.3.0

* Added MongoDB storage adapter

## 3.2.0

* Expose JWT `context` claim as context variable
* `userAccountId` context variable now set for JWT with `context` claim without `user` field

## 3.1.0

* Deprecates existing (stored) `userKeys` for identifying users when using OAuth 2.0 JWT Bearer Tokens (`asUser()`).
* Introduces support for OAuth 2.0 JWT Bearer Token using Atlassian Account ID, using `asUserByAccountId()`.
* Please see migration guide on developer.atlassian.com for an overview of how to migrate from `userKey` to `userAccountId`. The README.md also covers this
* Removes JWT User Impersonation logic altogether
* Deprecates `userId`, `locale` and `timezone` request context parameters.
* Introduces `userAccountId` request context parameter.
* Please see [ACEJS-115](https://ecosystem.atlassian.net/browse/ACEJS-115) for more details.

## 3.0.2

* Accept JWTs without query string hash claim

## 3.0.0

* Removes JugglingDB as the default adapter, replacing with Sequelize. This is in part due to Juggling no longer being maintained, and (consequently) having several security issues as per npm audit. Removing Juggling removes these issues.

## 2.0.1

* Fixes bug with auto registration for HipChat add-ons that are generated with `atlas-connect`.

## 2.0.0

* Adds support for Bitbucket add-ons.
* Adds support for user impersonation in JIRA and Confluence using OAuth 2.0 ([AC-1080](https://ecosystem.atlassian.net/browse/AC-1080)). To leverage this feature, use the `httpClient` as follows:

  ```javascript
  var httpClient = addon.httpClient(req);
  httpClient.asUser('barney').get('/rest/api/latest/myself', function (err, res, body) {
    // ...
  });
  ```

* Setting the JWT `sub` claim from the userKey is no longer supported. Please use the `asUser()` method instead.
* The attribute `appKey` in the render context is now `addonKey`.

## 1.0.1

* Explicit support for multipart form data and url-encoded form data: A bug caused some multipart form uploads (e.g. for JIRA attachments) to fail. The ambiguous `options.form` parameter for HTTP requests back to the product host is now deprecated. Please use these parameters instead:
  * `multipart/form-data`: Use `options.multipartFormData`
  * `application/x-www-form-urlencoded`: Use `options.urlEncodedFormData`

## 1.0.0-beta5

* The token mechanism for iframe to add-on service communication is using JWT now. The old token mechanism continues to work, but is deprecated. Please see the updated [README.md](README.md) for details.
* __Breaking Change__: We removed support for sessions in ACE, in favor of the standard JWT token approach. If your code relies on `req.session.*`, you will need to change that to `req.context.*` or `res.locals.*`.