Tags · sahat/hackathon-starter · GitHub

Tags: sahat/hackathon-starter

Tags

9.0.0

v9.0.0

New Features

- Introduced "Logout Everywhere" functionality for enhanced security (Thanks to @vimark1).
- Added support for Google Analytics 4, Facebook Pixel, and Open Graph metadata.

Enhancements

- Removed unnecessary session saves for uninitialized sessions.
- Cleaned up GitHub Actions by removing unnecessary CodeQL references.
- Updated documentation for improved clarity and relevance.
- Optimized Dockerfile and updated Docker image for better performance (Thanks to @akarys2304).
- Replaced favicon.png with favicon.ico to match browser default requests.
- Added Apple touch icons.
- Refactored Nodemailer calls into config/nodemailer.js for unified security and configuration settings.
- Removed redundant installation of body-parser, now included with ExpressJS.
- Renamed getValidateReCAPTCHA to validateReCAPTCHA for better clarity.
- Adopted Prettier for consistent code formatting.
- Suppressed unactionable Sass import deprecation warnings.
- Renamed handleOAuth2Callback to saveOAuth2UserTokens for clarity.

Security Updates

- Addressed Host-header Injection vulnerability in Password Reset & Email Verification (CVE-2025-29036).
- Added upload size limit for Multer and moved its configuration to api.js.
- Replaced MD5 with SHA256 for Gravatar generation.

Bug Fixes

- Updated to the latest HERE Maps API as the prior API version calls were no longer working.
- Corrected the path for popper.js.
- Fixed pre-commit test and lint execution.
- Updated the default privacy policy to comply with Facebook terms and other regulations.
- Improved OAuth2 token handling logic:
  - Properly save tokens without expiration dates.
  - Consolidated token-saving logic across all providers to fix multiple issues.
  - Prevented infinite redirect loops in isAuthorized during failed token refresh attempts.

Chore & Maintenance

- [Breaking] Upgraded to Express 5.x.
- [Breaking] Migrated from axios to Node.js's built-in fetch, reducing dependencies and improving performance.
- Switched from the deprecated nyc to c8 for code coverage reporting.
- Updated all dependencies.

Tests

- Added unit tests for isAuthorized and saveOAuth2UserTokens in config/passport.js.
- Fixed unit tests for app.js.

8.1.0

v8.1.0

Security Enhancements
- Added URL validation for redirects through session.returnTo (CWE-601).
- Fixed OAuth state parameter generation and handling to address CSRF attack vectors in the OAuth workflow.
- Added additional sanitization for user input in database queries using $eq in MongoDB.

API and Integration:
- Unified formatting for authentication parameters in route definitions and passport.js configuration.
- Refactored common code for OAuth 2 token processing in passport strategies to improve maintainability.
- Reworked the GitHub and Twitch API integration examples with additional data from the APIs.
- Reworked the Twilio API integration example to use Twilio’s sandbox servers and test phone numbers.
- Upgraded the Pinterest API example to use v5 calls instead of the broken v1.
- Reworked the Tumblr API integration example with additional data from the API.
- Added a properly working OAuth 1.0a integration for Tumblr.
- Removed sign-in by Snapchat due to increased difficulty for developers and a focus on hackathon participants.
- Removed Foursquare OAuth authorization and updated the API demo with new examples.
- Renamed Twitter to X (Some of the backend and code still reference Twitter due to upstream dependencies, and the login button is using Twitter colors pending X addition to bootstrap-social).

Update/Upgrades:
- Dropped support for Nodejs < 22 due to ESM module import issues prior to that version.
- Migrated from the unmaintained passport-linkedin-oauth2 to a passport-openidconnect strategy.
  - Added support and examples for openid-client.
- Migrated from the deprecated paypal-rest-sdk to an example without the SDK, providing OAuth calls depending on the page state.
- Migrated from the unmaintained bootstrap-social to a fork that can be easily patched and updated.
- Migrated eslint to v9, and its new config format (breaking change).
- Migrated Husky to v9, and its new config format (breaking change). Fixed Windows commit issue.
- Updated dependencies.
- Added temporary patch files for connect-flash and passport-openidconnect based on pending pull requests or issues on GitHub.

Other:
- Fixed a bug that prevented profile pictures from being displayed.
- Added authentication link/unlink options to the user profile page for all OAuth/Identity providers.
- Fixed typos, broken links, and minor formatting alignment issues on various pages.
- Fixed spelling errors in startup information displayed in the console.
- Refactored URL validation in unit tests for Gravatar generation to conform with CodeQL rules. Even though CodeQL does vulnerability checks, this is not a security issue since it is unit tests.
- Updated the placeholder main.js to use the current format (not deprecated JS).
- Updated the GitHub repo worker/runner configs to use proper permissions
- Return exit code 1 if there is a database connection issue at startup.
- Added the --trace-deprecation flag to startup to provide better information on runtime deprecation warnings.
- .gitignore file to exclude the uploads path.
- Updated the copyright year.
- Updated documentation.

8.0.0

v8.0.0

- Security: Renamed the cookie and set secure attribute for cookie transmission when https is present
- Security: Migrated off known deprecated, vulnerable or unmaintained dependencies
- Security: Added express rate limiter
- Added additional sanitization and validation for external inputs. Lusca provides input protection. The additional sanitization and validation are to add another layer of protection.
- Added patch-package for temporary patching dependencies
- Temporary patch for passportjs to handle logout failures
- Temporary patch for passport-oauth2: better auth failure reporting
- Removed broken Instagram oauth support as Meta no longer supports it
- Added handler for 404 (page not found) to avoid 500 errors when a route is not found
- Fixed unhandled error during logout
- Fixed pug tags with multiple attributes (thanks to @soundz77)
- Added Lint-stage and Husky to lint all commits
- Fix req.logout for passport 0.6
- Fix broken unit test
- Update default gravatar
- Visual UI improvements
- Added Github Actions: NodeJS CI check unit test and lint
- Upgrade nodejs for docker
- Removed express-handlebars npm package as it was not used and is not that popular compared to pug (breaking change)
- Removed chalk npm package as it was not used (breaking change)
- Updated documentation

- Upgraded to mongoose 7 (breaking change)
- Upgraded to popper2
- Migrated from googleapis npm package to @googleapis/drive and @googleapis/sheets to reduce size and improve performance (breaking change)
- Migrated from passport-twitch-new to twitch-passport (breaking change)
- Migrated from lob to @lob/lob-typescript-sdk (breaking change)
- Migrated from deprecated node-sass to Dart Sass
- Migrated off passport-openid (breaking change)
- Migrated off nodemailer-sendgrid (breaking change)
- Migrated off passport-twitter and twitter-lite (breaking change)
- Migrated off node-quickbooks (breaking change)
- Updated dependencies
- Removed travis.yml

API example changes:
- Removed the twitter API example as the APIs are actively changing and mostly not free (breaking change)
- Removed the Instagram API example as it was broken and Meta has significantly reduced the API scope and availability for devs
- Improved the Chartjs+AlphaVantage to handle API failures
- Fix minor formatting issues and missing images
- Tumblr - Fixed the Tumblr example and moved off tumblrjs (breaking change)
- Added missing parameters for the Lob's new API requirements
- Improved the Last.fm API example as the artist image is no longer vended by last.fm

7.0.0

Merge remote-tracking branch 'origin/master'

6.0.0

6.0.0

- Dropped support for NodeJS 8.x, due to its EOL
- Use HTML5 native client form validation (thanks to @peterblazejewicz)
- Fix navbar rendering issues when using themes (thanks to @peterblazejewicz)
- Fix button formatting issues when applying themes (thanks to @peterblazejewicz)
- Fixed drop down menu to show correct formatting from the theme (thanks to @jonasroslund)
- Config mongoose to use the new Server Discovery and Monitoring
- Fix validation bug in Twitter, Pinterest, and Twilio API examples
- Fix HERE icon in the API examples
- Fix minor issues in Stripe and Lob API examples
- Update dependencies
- Update documentation (thanks in part to @noftaly, @yanivm)

5.2.0

Release 5.2.0

5.1.4

5.1.4 (May 14, 2019)

- Migrate from requestjs to axios (thanks to @FX-Wood)
- Enable page templates to add items to the HTML head element
- Fix bold font issue on macs (thanks to @neighlyd)
- Use BASE_URL for github
- Update min node engine to require Feb 2019 NodeJS security release
- Add Node.js 12 to the travis build
- Update dependencies
- Update documentation (thanks in part to @anubhavsrivastava, @Fullchee, @luckymurari)

5.1.4b

Add Nodejs 12 to the travis builds: missed from the original 5.1.4 release

5.1.3

5.1.3 (April 7, 2019)

- Update Steam API Integration
- Upgrade flatly theme files to 4.3.1
- Migrate from bcrypt-nodejs to bcrypt
- Use BASE_URL for twitter and facebook callbacks
- Add a ChartJS example in combination with Alpha Vantage API usage (thanks to @T-travis)
- Improve Github integration – use the user’s private email address if there is no public email listed (thanks to @danielhunt)
- Improve the error handling for the NYT API Example
- Add lodash 4.7
- Fixed gender radio buttons spacing
- Fixed alignment issue for login / sign in buttons at certain screen widths. (thanks to @eric-sciberras)
- Remove Mozilla Persona information from README since it has been deprecated
- Remove utils
- Remove GSDK since it does not support Bootstrap 4 (thanks to @laurenquinn5924)
- Adding additional tests to cover some of the API examples
- Add prod-checklist.md
- Update dependencies
- Update documentation (thanks in part to @GregBrimble)

5.1.2

5.1.2

Added Login by Snapchat (thanks to @nicholasgonzalezsc)
Migrate the Foursquare API example to use Axios calls instead of the npm library
Fixed minor visual issue in the web scraping example.
Fixed issue with Popper.js integration (thanks to @binarymax and @Furchin)
Fixed wrapping issues in the navbar and logo indentation (thanks to @estevanmaito)
Fixed MongoDB deprecation warnings
Add production error handler middleware that returns 500 to handle errors. Also handle server errors in the lastfm API example (thanks to @jagatfx)
Added autocomplete properties to the views to address Chrome warnings (thanks to @peterblazejewicz)
Fixed issues in the unit tests.
Fixed issues in the modern theme variables and imports to be consistent (thanks to @monkeywithacupcake)
Upgraded Fontawesome to the latest version (thanks in part to @gesa)
Upgraded eslint to v5.
Updated dependencies
Updated copyright year to include 2019
Minor code formatting improvements
Replaced mLab instructions with MongoDB Atlas instructions (thanks to @mgautam98)
Fixed issues in the readme (thanks to @nero-adaware, @empurium, @aschwtzr)