realm-object-server/CHANGELOG.md

Realm Object Server

# Release 3.28.5 (2020-05-11)

Changes since 3.28.4:

### Enhancements
* None

### Fixed
* When trace logging was enabled, the request and response body was logged, which may have included sensitive information for login calls. The request and response bodies for `/auth` requests are no longer logged.

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/server/installation#version-compatibility-table).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/server/manage/upgrading) for installation, upgrade and rollback instructions.

### Internals
* Using Sync 4.9.4, and thereby Core 5.23.8

# Release 3.28.4 (2020-01-28)

Changes since 3.28.3:

### Enhancements
* None

### Fixed
* Fixed an issue that would cause the old schema of a Realm to be recreated by the GraphQL service after the Realm has been deleted. (HELP-12274)

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/server/installation#version-compatibility-table).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/server/manage/upgrading) for installation, upgrade and rollback instructions.

### Internals
* Using Sync 4.9.4, and thereby Core 5.23.8
* Added support for `historyCompactionIgnoreClients` option in SyncService.

# Release 3.28.3 (2020-01-21)

Changes since 3.28.2:

### Enhancements
* None

### Fixed
* None

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/server/installation#version-compatibility-table).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/server/manage/upgrading) for installation, upgrade and rollback instructions.

### Internals
* Using Sync 4.9.4, and thereby Core 5.23.8
* Sync Server: New configuration option for enabling the 'ignore clients' mode of in-place history compaction.
* Improve the message returned by std::error_code::message() for the SecureTransport error code category.
* Uses new JS binding, realm-3.6.3.
# Release 3.28.2 (2020-01-07)

Changes since <???>:

### Enhancements
* None

### Fixed
* Fixed an issue which could lead to messages like `Error: Invalid credentials - failed to parse token data at SyncProxyService` in the logs while ROS is shutting down.

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/server/installation#version-compatibility-table).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/server/manage/upgrading) for installation, upgrade and rollback instructions.

### Internals
* Using Sync ???, and thereby Core ???
OR
* Updated Sync from ??? to ???, and thereby Core from ??? to ???
*

# Release 3.28.1 (2019-12-13)

Changes since 3.28.0: 

### Enhancements
* In-place history compaction can now be invoked in a mode where it ignores
  recorded last access times for clients, and instead looks at the apparent age
  of history entries. This is not something that should be done except in
  situations of emergency, as it should be expected to force some (especially
  new) clients to go through a reset operation regardless of how recently they
  have been active. In-place history compaction can be invoked only by use of
  the command line tool `realm-vacuum`, and only by specifying the
  `--ignore-clients` option. When using `realm-vacuum` for the purpose of
  invoking in-place history compaction, be sure to specify an appropriate "time
  to live" value (`--server-history-ttl`).

### Fixed
* Under special circumstances, the server or client could become unresponsive during automatic conflict resolution. In most cases, the server would be more severely affected than the client.

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/server/installation#version-compatibility-table).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/server/manage/upgrading) for installation, upgrade and rollback instructions.

### Internals
* Updated Sync from 4.9.0 to 4.9.2, and thereby Core from 5.23.6 to 5.23.7
# Release 3.28.0 (2019-11-27)

**WARNING** This version performs irreversible migration to the server Realm files, so you can not revert back to an earlier version of ROS (3.27.x or lower). It is backwards compatible with existing clients, but previous versions of ROS will not be able to manipulate the migrated files. It is recommended that you backup your data in case you need to perform a rollback.

Changes since 3.27.3:

### Enhancements
* [Sync Server] Improvements to in-place history compaction. Compaction in a reference file is no longer artificially held back by clients of partial views. The improvement will take immediate effect for new reference files. For preexisting reference files, time will need to pass before the change becomes fully effective. The amount of time that needs to pass, corresponds to the "time to live" configuration parameter setting for the in-place history compaction feature.

### Fixed
* None

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/server/installation#version-compatibility-table).
* The synchronization protocol version has been bumped. The server side remains compatible with all SDK versions that ROS 3.27.x was compatible with.
* Server: Server-side history schema has changed. Transparent forward migration is provided, but, as usual, there is no provision for migration in the reverse direction, so it is effectively irreversible.
* Server: Backup protocol version bumped from 3 to 4. All nodes in a backup cluster must run the same backup protocol version.

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/server/manage/upgrading) for installation, upgrade and rollback instructions.

### Internals
* Updated Sync from 3.8.4 to 3.9.0

# Release 3.27.3 (2019-11-25)

Changes since 3.27.2:

### Enhancements
* Added the ability to set the disk usage stats polling interval. Set `DISK_STATS_INTERVAL` to the number of seconds between polls.

### Fixed
* Client: Resume sync with correct server version after failure to integrate. Since Sync 2.3.1 (star topology). RSYNC-48.
* [Sync] Server no longer returns error code 214 when clients perform state requests on partial realms. It now returns an empty state, which allows the client to resync.

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/server/installation#version-compatibility-table).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/server/manage/upgrading) for installation, upgrade and rollback instructions.

### Internals
* Updated Sync from 4.8.2 to 4.8.4, and thereby Core 5.23.6

# Release 3.27.2 (2019-11-12)

Changes since 3.27.1:

### Enhancements
* None

### Fixed
* Fixed an issue where the server did not return the correct error code when the request contains an expired refresh token.
* Fixed an issue with custom refresh tokens where the `userIdFieldName` option was not respected.

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/server/installation#version-compatibility-table).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/server/manage/upgrading) for installation, upgrade and rollback instructions.

### Internals
* Updated Sync from 4.8.1 to 4.8.2
* Updated realm-js from 3.3.0 to 3.4.1

# Release 3.27.1 (2019-11-07)

Changes since 3.27.0:

### Enhancements
* None

### Fixed
* Fixed bug in newly introduced migration of history schema from version 8 to 9 (incorrect initialization of column accessors). Since 3.27.0

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/server/installation#version-compatibility-table).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/server/manage/upgrading) for installation, upgrade and rollback instructions.

### Internals
* Updated Sync from 4.8.0 to 4.8.1, and thereby Core to 5.23.6

# Release 3.27.0 (2019-11-05)

Changes since 3.26.12:

### Enhancements
* None

### Fixed
* Fixed a bug when deleting the Realm file when state Realms are disabled. (Since 3.21.0)

### Compatibility
* This release upgrades the file format of the files on the server. A transparent forward migration is provided, but reverse migration **is not**, which means that reverting back to 3.26.x or lower requires restoring files from backup.
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/server/installation#version-compatibility-table).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/server/manage/upgrading) for installation, upgrade and rollback instructions.

### Internals
* Updated Sync from 4.7.10 to 4.8.0 and thereby Core to 5.23.6

# Release 3.26.12 (2019-10-25)

Changes since 3.26.11:

### Enhancements
* None

### Fixed
* Fixed structured error logging when an error occurs when starting the permission service.

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/server/installation#version-compatibility-table).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/server/manage/upgrading) for installation, upgrade and rollback instructions.

### Internals
* Using Sync 4.7.10, and thereby Core 5.23.3

# Release 3.26.11 (2019-10-24)

Changes since 3.26.10:

### Enhancements
* None

### Fixed
* Fixed an issue that would prevent the server from starting with messages similar to `warn: Failed to setup listeners. Retry #2`.

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/server/installation#version-compatibility-table).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/server/manage/upgrading) for installation, upgrade and rollback instructions.

### Internals
* Using Sync 4.7.10, and thereby Core 5.23.3

# Release 3.26.10 (2019-10-24)

Changes since 3.26.9

### Enhancements
* Added `requiredClaims` field to `JwtAuthProviderConfig` and `CustomTokenValidatorConfig` - it allows defining a set of JSONPath expressions that a JWT payload will be validated against.
  This new field deprecates and replaces `requiredAttributes` on `JwtAuthProviderConfig`, which will be removed in a future version.
* Added `isAdminQuery` field to `JwtAuthProviderConfig` and `CustomTokenValidatorConfig` - it allows defining a JSONPath expression that will be evaluated against a JWT payload to determine whether the user has admin privileges.
  This new field deprecates and replaces `isAdminFieldName` and `isAdminValue` on `JwtAuthProviderConfig`, which will be removed in a future version.
* Added `userIdFieldName` field to `CustomTokenValidatorConfig` - it allows specifying which field in the JWT payload denotes the logical user id. The default value is `sub`.
* `KubernetesCoreServices` now understands the `TokenValidators` service configuration key which enables configuring custom refresh token validators.

### Fixed
* Fixed an issue that would cause the server to crash with `Detected an unhandled promise rejection at: [object Promise] reason: undefined` when the sync worker is unreachable.

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/server/installation#version-compatibility-table).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/server/manage/upgrading) for installation, upgrade and rollback instructions.

### Internals
* Using Sync 4.7.10, and thereby Core 5.23.3
* Upgraded realm-js to 3.3.0.
* Added support for the TokenValidator to accept JWT access tokens containing the path, sync label, and access levels in an embedded object called stitch_data instead of at the top level, in anticipation of future support for Stitch-backed authentication flow.

# Release 3.26.9 (2019-10-17)

Changes since 3.26.8:

### Enhancements
* Added an optional `appId` config parameter to the Azure Auth provider.

### Fixed
* None

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/server/installation#version-compatibility-table).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/server/manage/upgrading) for installation, upgrade and rollback instructions.

### Internals
* Using Sync 4.7.10, and thereby Core 5.23.3

# Release 3.26.8 (2019-10-16)

Changes since 3.26.7:

### Enhancements
* Exposes a few extra config options to the AzureAD provider.
  * `audience`: optional - validates the audience of the token (that will be applicationID).
  * `allowConsumerLogins`: optional, default `false` - enables logins from regular microsoft accounts.
  * `userIdField`: optional, default `sub` - controls which field in the JWT will be used as unique identifier for the user. Main difference between `sub` and `oid` is that the former is app-unique, while the latter is tenant-unique.

### Fixed
* Log a warning as opposed to throwing an exception when a user tries to authenticate an admin user via nickname auth. The logged in user will **NOT** be an admin - they'll get logged in as a regular user.

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/server/installation#version-compatibility-table).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/server/manage/upgrading) for installation, upgrade and rollback instructions.

### Internals
* Using Sync 4.7.10, and thereby Core 5.23.3

# Release 3.26.7 (2019-10-14)

Changes since <???>:

### Enhancements
* Updated realm-js to 3.3.0-rc.1
* Updated sync to 4.7.10
* [SyncService] Adds an option to disable state realm generation, `disableStateRealms`. Defaults to `false`.

### Fixed
* None

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/server/installation#version-compatibility-table).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/server/manage/upgrading) for installation, upgrade and rollback instructions.

### Internals
* Using Sync 4.7.10, and thereby Core 5.23.3

# Release 3.26.6 (2019-10-10)

Changes since 3.26.5:

### Enhancements
* None

### Fixed
* None

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/server/installation#version-compatibility-table).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/server/manage/upgrading) for installation, upgrade and rollback instructions.

### Internals
* Changed the upload location for the hotfix publish job to avoid conflicting with release jobs.
# Release 3.26.5 (2019-10-10)


Changes since 3.26.4:

### Enhancements
* Exposed a config option to disable state realm generation for `KubernetesSyncWorker`.

### Fixed
* None

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/platform/using-synced-realms/troubleshoot/version-compatibilities).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/platform/self-hosted/installation) for installation, upgrade and rollback instructions.

### Notable known issues
* Encrypting existing realm files is not possible. Only fresh deployments with zero state can use realms encryption. We're working on a migration path for existing deployments.
* Server side Realm files do not compact automatically. The standalone commandline tool "realm-vacuum" can be manually executed to compress free space and old history (See https://docs.realm.io/platform/self-hosted/manage/server-side-file-growth#vacuum-utility).

### Internals
* Using Sync 4.7.5

# Release 3.26.4 (2019-09-20)

Changes since 3.26.3:

### Enhancements
* None

### Fixed
* Fixed an issue where using the GraphQL service to open a partial Realm could cause it to crash under certain conditions. ([SYNC-32](https://jira.mongodb.org/browse/SYNC-32))

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/server/installation#version-compatibility-table).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/server/manage/upgrading) for installation, upgrade and rollback instructions.

### Notable known issues
* Encrypting existing realm files is not possible. Only fresh deployments with zero state can use realms encryption. We're working on a migration path for existing deployments.

### Internals
* Using Sync 4.7.5, realm-js 3.1.0, and core 5.23.3
* Updated realm-js from 3.0.0 to 3.1.0

# Release 3.26.3 (2019-09-16)

Changes since <???>:

### Enhancements
* Added more logs in code paths where "Invalid Credentials" or "Token is Revoked" errors are returned.

### Fixed
* Fixed an issue where the GraphQL service could crash when creating a subscription for a partial Realm that has more than 10 subscriptions. ([SYNC-32](https://jira.mongodb.org/browse/SYNC-32))

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/platform/using-synced-realms/troubleshoot/version-compatibilities).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/platform/self-hosted/installation) for installation, upgrade and rollback instructions.

### Notable known issues
* Encrypting existing realm files is not possible. Only fresh deployments with zero state can use realms encryption. We're working on a migration path for existing deployments.

### Internals
* Using Sync 4.7.5, realm-js 3.0.0, and core 5.23.3
* Updated realm-js from 2.29.2 to 3.0.0

# Release 3.26.0 (2019-09-03)

Changes since 3.25.1:

### Enhancements
* [AuthService] Exposed the `clockTolerance` configuration option on the JWT auth provider. This can be used to work around small clock differences between ROS and the server issuing the JWT token that cause an otherwise valid token to be rejected. The default value for this new configuration option is 15 seconds.(Issue ROS-89)
* [Query-based Sync] Performance improved for queries comparing a constant value to a property over unary link path (eg: "someLink.Id == 42").

### Fixed
* [Sync] Fixed a bug where clients using protocol versions 25 through 28 would receive Bad server version errors, with log messages on the server such as "Upload progress (x, y) is mutually inconsistent with threshold (a, b)". (Issue SYNC-14, since 3.25.0).
* [AuthService] Fixed a bug where a malformed auth provider configuration prevented startup of ROS.
* [AuthService, GraphQLService, PermissionsService] Changed the behavior of the runtime config of these services to merge with the build time config as opposed to completely override it.
* [PermissionsService] Added ability to configure the permissions service at runtime via the __configuration Realm.
* [GraphQLService] Fixed a bug where failing to open a Realm would cache the result and keep failing to open the Realm on subsequent requests.

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/platform/using-synced-realms/troubleshoot/version-compatibilities).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/platform/self-hosted/installation) for installation, upgrade and rollback instructions.

### Notable known issues
* Encrypting existing realm files is not possible. Only fresh deployments with zero state can use realms encryption. We're working on a migration path for existing deployments.

### Internals
* Using Sync 4.7.5, realm-js 2.29.2, and core 5.23.3

# Release 3.25.1 (2019-08-07)

Changes since 3.25.0:

### Enhancements
* None

### Fixed
* Throw an error when trying to login as an admin via nickname auth.

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/platform/using-synced-realms/troubleshoot/version-compatibilities).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/platform/self-hosted/installation) for installation, upgrade and rollback instructions.

### Notable known issues
* Encrypting existing realm files is not possible. Only fresh deployments with zero state can use realms encryption. We're working on a migration path for existing deployments.

### Internals
* Using Sync 4.7.0, and thereby Core 5.23.1

# Release 3.25.0 (2019-08-06)

Changes since 3.24.1:

### Enhancements
* Added an option to specify custom `refreshTokenValidators`. It can be used if your app generates/receives signed refresh tokens from external provider and would like to use them instead of the Realm-provided ones. You need to specify at least an `issuer` and `publicKey` and when an access token is requested, ROS will parse the JWT and validate it against the token validator config with the matching issuer. Since the `Realm` token validator is always enabled, you cannot add a token validator with the `realm` issuer. (Issue [ROS-65](https://jira.mongodb.org/browse/ROS-65))

### Fixed
* Fixed a bug that would demote an admin nickname user next time they login, even if they had admin permissions.

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/platform/using-synced-realms/troubleshoot/version-compatibilities).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/platform/self-hosted/installation) for installation, upgrade and rollback instructions.

### Notable known issues
* Encrypting existing realm files is not possible. Only fresh deployments with zero state can use realms encryption. We're working on a migration path for existing deployments.

### Internals
* Using Sync 4.7.0, and thereby Core 5.23.1

# Release 3.24.1 (2019-08-02)

Changes since 3.23.6:

**WARNING** This version performs irreversible migration to Realm files, so you can not revert back to an earlier version of ROS (3.23.x or lower). It is backwards compatible with existing clients, but previous versions of ROS will not be able to manipulate the migrated files. It is recommended that you backup your data in case you need to perform a rollback.

### Enhancements
* [sync] New options --server-history-ttl and --log-level added to commandline tool realm-vacuum.

### Fixed
* [sync] Pinned snapshot exposed history corruption after client reset. History is now trimmed during client reset to avoid the problem.
* [sync] Eliminated a race condition that could cause a request for "state size recomputation" to be ignored.

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/platform/using-synced-realms/troubleshoot/version-compatibilities).
* [sync] A change was needed in the history schema on the client side. This bumps the client-side history schema version from 1 to 2. Transparent forward migration is provided, but, as usual, there is no provision for the reverse migration, so it is effectively irreversible.
* [sync] A change was needed in the history schema on the server side. This bumps the server-side history schema version from 7 to 8. Transparent forward migration is provided, but, as usual, there is no provision for the reverse migration, so it is effectively irreversible.

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/platform/self-hosted/installation) for installation, upgrade and rollback instructions.

### Notable known issues
* Encrypting existing realm files is not possible. Only fresh deployments with zero state can use realms encryption. We're working on a migration path for existing deployments.

### Internals
* Using Sync 4.7.0, and thereby Core 5.23.1
* Changed the format of the returned refresh tokens to use JWT ([PR #1557](https://github.com/realm/realm-object-server-private/pull/1557))

# Release 3.23.6 (2019-08-01)

Changes since 3.23.5:

### Enhancements
* Added more detailed error message when a user creation is rejected due to the userId requiring url encoding (only when logging in via JWT). The new message will return both the encoded and non-encoded userId to make it easier to spot the invalid characters.

### Fixed
* Fixed an issue that would cause the JWT provider to not replace all invalid characters in a userId. For example, a user with the Id `foo|bar|email` would result in an error being thrown even if the `|` character is marked for escaping.

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/platform/using-synced-realms/troubleshoot/version-compatibilities).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/platform/self-hosted/installation) for installation, upgrade and rollback instructions.

### Notable known issues
* Encrypting existing realm files is not possible. Only fresh deployments with zero state can use realms encryption. We're working on a migration path for existing deployments.

### Internals
* Using Sync 4.6.3, and thereby Core 5.23.1
* Changed the format of the returned refresh tokens to use JWT ([PR #1557](https://github.com/realm/realm-object-server-private/pull/1557))


# Release 3.23.5 (2019-07-23)

Changes since 3.23.4:

### Enhancements
* None

### Fixed
* Fixed an issue that could cause GraphQL mutations not to update `int?` values when `updatePolicy` was set to `MODIFIED`. ([Issue HELP-10578](https://jira.mongodb.org/browse/HELP-10578))
* Updated vulnerable dependencies to patched versions.

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/platform/using-synced-realms/troubleshoot/version-compatibilities).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/platform/self-hosted/installation) for installation, upgrade and rollback instructions.

### Notable known issues
* Encrypting existing realm files is not possible. Only fresh deployments with zero state can use realms encryption. We're working on a migration path for existing deployments.

### Internals
* Updated realm-js from 2.27.0 to 2.29.1.

# Release 3.23.4 (2019-07-17)

Changes since 3.23.1:

### Enhancements
* Added `@` to the list of characters escaped by default by the JWT provider. (Issue [#1140](https://github.com/realm/realm-object-server-private/issues/1140))

### Fixed
* None

### Breaking changes
* Removed the ability to specify `is_admin` for logins with the nickname provider (Issue [#1554])

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/platform/using-synced-realms/troubleshoot/version-compatibilities).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/platform/self-hosted/installation) for installation, upgrade and rollback instructions.

### Notable known issues
* Encrypting existing realm files is not possible. Only fresh deployments with zero state can use realms encryption. We're working on a migration path for existing deployments.

### Internals
* Using Sync 4.6.3, and thereby Core 5.23.1
* New metrics for query and transaction performance have been exposed.

# Release 3.23.1 (2019-06-07)

Changes since 3.23.0:

### Enhancements
* None

### Fixed
* [GraphQL Service]: Fixed an issue when using Query-based Sync that would result in `JS value must be of type 'object', got (undefined)` when creating a subscription without a name. ([Issue #1544](https://github.com/realm/realm-object-server-private/issues/1544))

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/platform/using-synced-realms/troubleshoot/version-compatibilities).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/platform/self-hosted/installation) for installation, upgrade and rollback instructions.

### Notable known issues
* Encrypting existing realm files is not possible. Only fresh deployments with zero state can use realms encryption. We're working on a migration path for existing deployments.

### Internals
* Using Sync ???, and thereby Core ???
OR
* Updated Sync from ??? to ???, and thereby Core from ??? to ???


# Release 3.23.0 (2019-06-04)

Changes since 3.21.1:

### Enhancements
* [GraphQL Service]: Added new properties to the `NamedSubscription` object to align it with realm-js version 2.26.0. Particularly, these relate to the expiration of subscriptions.
* [GraphQL Service]: Added an ability to specify `timeToLive` (in ms) for a query-based subscription. This only works for named subscriptions.
* [GraphQL Service]: Added the ability to update an existing query-based subscription. To do so, pass in `update: true` and the name of the subscription to the `createXXXSubscription` mutation.
* [Permissions Service]: Added two config options (`enablePermissionRealmReflection` and `enableManagementRealmReflection`) to the permissions service constructor to allow disabling permission reflection and observing the management Realms. If you're upgrading an existing server, running in production, it is advised to leave these enabled to avoid breaking permission functionality of your existing deployments. If you don't use the path-level permission system in your app (i.e. you're not granting or reading path-level permissions), you can set them to `false` to improve the performance of the server.
* [Sync Server]: Improved the performance of query-based sync with many readers. ([PR #1541](https://github.com/realm/realm-object-server-private/pull/1541))
* Decreased the size of the npm module. ([PR #1541](https://github.com/realm/realm-object-server-private/pull/1541))
* [Permissions Service]: Exposed an HTTP interface for manipulating path-level permissions. This is more scalable and performant than the existing Realm-based interface and all client SDKs will be gradually updated to use that. It's enabled by default, but requires an update to the client SDKs to take advantage of it. Pay attention to the SDK's changelog for more details on upgrading your app. ([PR #1539](https://github.com/realm/realm-object-server-private/pull/1539))

### Fixed
* Fixed a bug that could cause ROS to attempt to write to a socket that has been closed, resulting in `Error [ERR_STREAM_DESTROYED]: Cannot call write after a stream was destroyed` being output in the log and the process terminating. (Issue [#1524](https://github.com/realm/realm-object-server-private/issues/1524))
* Fixed a race condition that could result in ROS consuming 100% CPU after a user has been deleted. ([PR #1541](https://github.com/realm/realm-object-server-private/pull/1541))

### Breaking Changes
* Removed the following API because they no longer have any effect on the server ([PR #1541](https://github.com/realm/realm-object-server-private/pull/1541)):
  * The `shouldCompactRealmsAtStart` and `shouldPerformPartialSyncAtStart` properties from `BasicServer`'s config.
  * The `sync.realm.io/enable-debug-mode`, `sync.realm.io/should-perform-partial-sync-at-start`, `sync.realm.io/disable-precheck-in-child-proc`, and `sync.realm.io/skip-verify-realms-at-start` annotations from KubernetesSyncWorker.
  * The `shouldCompactRealmsAtStart`, `shouldPerformPartialSyncAtStart`, `skipVerifyRealmsAtStart`, `disablePrecheckInChildProc`, `verifyRealmsAtStart`, and `runPrecheckInChildProcess` properties from the SyncService config object.

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/platform/using-synced-realms/troubleshoot/version-compatibilities).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/platform/self-hosted/installation) for installation, upgrade and rollback instructions.

### Notable known issues
* Encrypting existing realm files is not possible. Only fresh deployments with zero state can use realms encryption. We're working on a migration path for existing deployments.

### Internals
* Updated realm-js from 2.25.0 to 2.27.0.
* Updated realm-sync-server from 4.4.4 to 4.5.1

# Release 3.21.1 (2019-04-26)

Changes since 3.21.0:

### Enhancements
* None

### Fixed
*  A regression was introduced in version 3.21.0 that could cause the server to decide to perform full history compaction on every upload, causing severe performance degradation. (Issue [#2962](https://github.com/realm/realm-sync/issues/2962), since 3.21.0)

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/platform/using-synced-realms/troubleshoot/version-compatibilities).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/platform/self-hosted/installation) for installation, upgrade and rollback instructions.

### Notable known issues
* Encrypting existing realm files is not possible. Only fresh deployments with zero state can use realms encryption. We're working on a migration path for existing deployments.

### Internals
* Updated Sync from 4.4.2 to 4.4.4. Core remains 5.19.1.

# Release 3.21.0 (2019-04-10)

Changes since 3.20.1:

### Enhancements
* Added support for a new way to quickly download a Full Realm file and to automatically resolve client-reset type errors. Client SDKs need to be updated to take advantage of this feature. Keep an eye on the SDK's changelog for more information.
* Added support for including user specified backlinks in a query based subscription. Client SDKs need to be updated to take advantage of this feature. Keep an eye on the SDK's changelog for more information.

### Fixed
* None

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/platform/using-synced-realms/troubleshoot/version-compatibilities).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/platform/self-hosted/installation) for installation, upgrade and rollback instructions.

### Notable known issues
* Encrypting existing realm files is not possible. Only fresh deployments with zero state can use realms encryption. We're working on a migration path for existing deployments.

### Internals
* Updated Sync from 4.2.3 to 4.4.2. Core is remains 5.19.1.

# Release 3.20.1 (2019-04-04)

Changes since ROS 3.19.0:

**IMPORTANT: This version will perform an automatic file-format upgrade of certain files used for Query Based Sync. The server cannot be downgraded without restoring those files from backup. So it's recommended to do a full backup before the server is upgraded.**

### Enhancements
* Reduced the performance impact of authenticating users with invalid credentials when using the username/password provider.
* A new argument for the Sync Service has been added.  `numAuxPsyncThreads` enables multithreading during query-based sync fan-out operations. Specify the number of additional worker threads desired in addition to the main worker thread. Defaults to `0` (disabled).
* The GraphQL service has two new mutations added: `create**type**(input: **type**, updatePolicy)` and `create**type**s(input: [**type**], updatePolicy)` where `updatePolicy` is optional and may be `NEVER`, `ALL`, and `MODIFIED`. These correspond to the now deprecated mutations `add**type**`, `update**type**` and `diffUpdate**type**`. If `updatePolicy` is not specified, `NEVER` will be used. (Issue [#1496](https://github.com/realm/realm-object-server-private/issues/1496))
* The server no longer rejects subscriptions based on queries with distinct and/or limit clauses.
* Realm files used for query based sync have had all non-essential state removed, to reduce the file size on disk and improve query based sync performance. In some scenarios, this improves the latency of query-based sync by up to 25%, depending on the user's schema.
* Various performance improvements for queries results in faster query based sync performance.
* Memory usage has been decreased when using encryption.
* Performance when using encryption has been significantly improved.
* Commit performance is improved for realms with a long lifetime and many changes due to better handling of the free space in the file.
* Added a warning when the nickname auth provider is started to more prominently alert developers of the fact it's not a secure provider.

### Fixed
* Fixed an issue that could cause the GraphQL service to end up always throwing an Internal Server Error for a particular Realm. This could happen when a reference Realm is deleted, then an access token, issued before the deletion, is used to connect to it via query-based sync. (PR [#1504](https://github.com/realm/realm-object-server-private/pull/1504) Since v3.16.6)
* A Realm file deletion (including deletion of partial files as a result of history compaction) could cause various kinds of crashes, and even corruption within the server. (since v3.0.0).
* A bug was fixed where if a user had `canCreate` but not `canUpdate` privileges on a class, the user would be able to create the object, but not actually set any meaningful values on that object, despite the rule that objects created within the same transaction can always be modified. (Issue #2574, since v3.0.0).
* A segfault could occur under certain circumtances when queries compared two integer fields.
* Fixed an issue that could prevent the server from starting with a message like `Cannot read property 'findIndex' of undefined`. This was caused when explicitly specifying the auth providers as opposed to using the runtime configuration API. (Issue [#1506](https://github.com/realm/realm-object-server-private/issues/1506), Since 3.19.0)

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/platform/using-synced-realms/troubleshoot/version-compatibilities).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/platform/self-hosted/installation) for installation, upgrade and rollback instructions.

NOTE: This version will perform an automatic file-format upgrade of certain files used for Query Based Sync. The server cannot be downgraded without restoring those files from backup. So it's highly recommended to do a full backup before the server is upgraded.

### Notable known issues
* Encrypting existing realm files is not possible. Only fresh deployments with zero state can use realms encryption.

### Internals
* Updated Sync from 3.15.2 to 4.2.3 (all relevant changes included above)
* Via above sync update, indirectly updated Core from 5.14.0 to 5.19.1
* Removed logic to reflect permissions in `__perm` Realms as those were unused. A migration to remove the existing `__perm` Realm is **not** provided and they will linger around until we decide it's okay to delete them.
# Release 3.19.0 (2019-03-14)

### Enhancements
* Updated some services to inherit from event emitter to emit events when processing some requests. The updated services are:
  * AuthService
    * `userCreated` emitted with argument `{ user: User, totalUsers: number }` when a user is created.
  * SyncProxyService
    * `socketConnected` emitted with argument `{ path: string, socketId: number, userAgent: string }` when a socket connection is established with the sync service.
    * `socketDisconnected` emitted with argument `{ path: string, socketId: number, userAgent: string }` when a socket connection is terminated.
  * RealmDirectoryService
    * `realmCreated` emitted with argument `{ type: RealmType, path: string, syncLabel: string }` when a new Realm is created.
* Added 2 more buckets for changeset_integrated histogram.
* Added an option to `AuthService` called `allowAnyUserToRetrieveUserInfo` that enables any registered user to call the
  `GET /auth/users/:user_id` and `GET /auth/users/:provider/:provider_id` HTTP APIs, either directly or with SDK methods
  such as the JavaScript SDK's `Realm.Sync.User.retrieveAccount` method.
* Reduced the performance impact of authenticating users with invalid credentials when using the username/password provider.

### Fixed
* Fixed a bug that would prevent the GraphQL Service's `diffUpdate` method from working with lists of primitive values.

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/platform/using-synced-realms/troubleshoot/version-compatibilities).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/platform/self-hosted/installation) for installation, upgrade and rollback instructions.

### Notable known issues
* Encrypting existing realm files is not possible. Only fresh deployments with zero state can use realms encryption. We're working on a migration path for existing deployments.
* Server side Realm files do not compact automatically. The standalone commandline tool "realm-vacuum" can be manually executed to compress free space and old history (See https://docs.realm.io/platform/self-hosted/manage/server-side-file-growth#vacuum-utility).

### Internals
* Add metrics in the GraphQL service.
* Added support for more arguments to the `copyfile` Kubernetes operation:
  * `pause` will stop the server before copying the files. It can be useful when trying to obtain a reference and a partial Realm without the possibility for intermediate changes.
  * `files` replaces `file` and allows you to specify multiple files that will be copied to the archive.
* Fixed a case where the `copyfile` operation would retry infinitely in the case of a non-existent file.
* Performance of invalid credentials auth: [PR#1475](https://github.com/realm/realm-object-server-private/pull/1475)
* Removed `yarn` in favor of `npm`. [PR#1481](https://github.com/realm/realm-object-server-private/pull/1481)
* Updated buckets, name and help for change propagation metric in sync. [PR#1491](https://github.com/realm/realm-object-server-private/pull/1491)
* Verify that the user identified by a refresh token is still currently an admin when the token is tagged as admin. [PR#1387](https://github.com/realm/realm-object-server-private/pull/1387)

# Release 3.18.5 (2019-02-20)

### Enhancements
* None

### Fixed
* Fixed a TypeScript build error in `ros init`-created applications. (Issue [#413](https://github.com/realm/realm-object-server/issues/413))

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/platform/using-synced-realms/troubleshoot/version-compatibilities).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/platform/self-hosted/installation) for installation, upgrade and rollback instructions.

### Notable known issues
* Encrypting existing realm files is not possible. Only fresh deployments with zero state can use realms encryption. We're working on a migration path for existing deployments.
* Server side Realm files do not compact automatically. The standalone commandline tool "realm-vacuum" can be manually executed to compress free space and old history (See https://docs.realm.io/platform/self-hosted/manage/server-side-file-growth#vacuum-utility).

### Internals
* Adjusted the bucket sizes for all histograms converted from statsd timings coming from the sync server. The defaults for these buckets are suited for measuring request times based on a 1-second unit. Since sync reports changeset integration times, et al, in milliseconds, the defaults are not suitable.

# Release 3.18.4 (2019-02-14)

### Breaking
* Node 6 support has been deprecated and we'll drop it completely in a future version. We recommend upgrading to node 10 LTS.

### Enhancements
* None

### Fixed
* None

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/platform/using-synced-realms/troubleshoot/version-compatibilities).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/platform/self-hosted/installation) for installation, upgrade and rollback instructions.

### Notable known issues
* Encrypting existing realm files is not possible. Only fresh deployments with zero state can use realms encryption. We're working on a migration path for existing deployments.
* Server side Realm files do not compact automatically. The standalone commandline tool "realm-vacuum" can be manually executed to compress free space and old history (See https://docs.realm.io/platform/self-hosted/manage/server-side-file-growth#vacuum-utility).

### Internals
* Stopped testing against Node 6 as support will be dropped.
* Fixed a bug that would remove the Github release notes when publishing a public release.
* Refactored some event handlers in SyncProxyService in order to provide better log messages.
* Updated kubernetes-client dependency to 6.8.3

# Release 3.18.3 (2019-02-11)

### Enhancements
* None

### Fixed
* Fixed an issue where metric names would be incorrectly decoded and the following message would be printed in the logs: Failed processing a metric: URI is not defined.

### Compatibility
* Server API's are backwards compatible with all previous ROS releases in the 3.x series.
* The server is compatible with all previous [SDKs supporting the ROS 3.x series](https://docs.realm.io/platform/using-synced-realms/troubleshoot/version-compatibilities).

### Installation & rollback instructions
Please see the [Realm Docs](https://docs.realm.io/platform/self-hosted/installation) for installation, upgrade and rollback instructions.

### Notable known issues
* Encrypting existing realm files is not possible. Only fresh deployments with zero state can use realms encryption. We're working on a migration path for existing deployments.
* Server side Realm files do no