Releases: iress/cloudfront-auth
v4.1.1
v4.1.0
This is a minor feature release.
Changes
- Set SameSite cookie attribute to Lax for CV and NONCE in #47
  This change re-enables the ability to have authentication that isn't embedded into the same site, e.g. changing host to Okta to log in, then back to the site once authenticated.
Full Changelog: v4.0.1...v4.1.0
v4.0.1
Merge pull request #46 from iress/fix-aws-sdk default runtime to nodejs16.x
v4.0.0
This is a major security release.
Breaking
Due to cookie attributes added, this module now only supports HTTPS and requires cookies from the same site. This change is unlikely to cause problems because authentication should already be over a secure connection.
Changes
- HTML encoding template replacements to avoid potential cross-site scripting issue. #38
  It was found that the _callback page utilized in the authorization flow reflects potentially dangerous user input, though there are a number of caveats that prevented the successful execution of meaningful attacks such as XSS and HTML injection.
- Setting SameSite cookie attribute to Strict. #40 & #42
  SameSite prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks.
- Setting Secure cookie attribute. #39 & #42
  If the Secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the Secure flag is not set, then the cookie will be transmitted in clear text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site.
- Include appropriate Content-Type in error responses. #44
- Update npm dependencies to remove vulnerabilities.
  All npm audit vulnerability severities removed by updating referenced versions.
- Update returned footer information to reference this repository instead of upstream. #43
- Include testing against nodejs v18 (current latest nodejs version for Lambda@Edge). #41
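As an added illustration (not code from iress/cloudfront-auth), the snippet below builds Set-Cookie values with the Secure and SameSite attributes from these notes, models whether a browser would attach such a cookie on the redirect back from an external identity provider such as Okta (the v4.1.0 case where Strict broke the flow and Lax restored it), and HTML-encodes values substituted into the _callback template. Function and option names are assumptions made for this example.

```javascript
// Added example, not cloudfront-auth's own code. Cookie names CV and NONCE
// come from the release notes; option and function names are assumed here.

// Build a Set-Cookie header value for a Lambda@Edge response with the
// attributes v4.0.0 introduced (Secure, SameSite) plus HttpOnly.
function buildSetCookie(name, value, { sameSite = 'Lax', maxAge } = {}) {
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new Error(`unsupported SameSite value: ${sameSite}`);
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'Secure', 'HttpOnly', `SameSite=${sameSite}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  return parts.join('; ');
}

// Model of the browser's decision to attach the cookie, following the
// Secure and SameSite rules the notes describe. `req` is a constructed
// description of the request, not a real CloudFront event.
function browserSendsCookie(setCookie, req) {
  const attrs = setCookie.split(';').slice(1).map(s => s.trim().toLowerCase());
  const sameSite = (attrs.find(a => a.startsWith('samesite=')) || 'samesite=lax').split('=')[1];
  if (attrs.includes('secure') && !req.https) return false; // Secure: never over plain HTTP
  if (!req.crossSite) return true;                           // same-site requests always carry it
  if (sameSite === 'none') return true;
  if (sameSite === 'lax') return req.topLevelNavigation && req.method === 'GET';
  return false;                                              // Strict: no cross-site requests at all
}

// HTML-encode a value before substituting it into the _callback page
// template so reflected query input cannot break out of the markup (#38).
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// The v4.1.0 scenario: the IdP redirects the browser back to the site with a
// top-level GET. With Strict the NONCE cookie is dropped and the callback
// cannot match the nonce; with Lax it is sent and the flow completes.
const idpRedirectBack = { https: true, crossSite: true, topLevelNavigation: true, method: 'GET' };

function nonceSurvivesRedirect(sameSite) {
  return browserSendsCookie(buildSetCookie('NONCE', 'n0nce-value', { sameSite }), idpRedirectBack);
}
```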
Full Changelog: v3.3.2...v4.0.0
v3.3.2
AWS provider 3.28.0
v3.3.1
Correct default logout route
v3.3.0
Add logout route
v3.2.2
Remove max version constraint on provider
v3.2.1
Ensure permissions are deployed before the secret rotation is applied