Friend changelog
- The "classic" OpenId (i.e. OpenId 1.1/2.0) workflow provided by
cemerick.friend.openid
has been removed, along with the dependencies it alone required. See #45 (comment) for something like a justification for the change. (gh-45) - The "channel security" features (
requires-scheme*
set of middlewares) deprecated in0.2.3
have been removed. - Friend can now be used in IPv6 environments. (gh-154)
- Deprecated and un-documented friend's "channel security" features. You should use https://github.com/ring-clojure/ring-ssl instead, probably via https://github.com/ring-clojure/ring-defaults.
- Bumped some dependencies to prevent fatal errors when used in conjunction with other libraries, certain versions of Clojure (gh-116, gh-127)
- OpenId workflow can now be initialized via an HTTP GET request (contra the spec?) to interop with existing SSO systems (gh-114, gh-44)
wrap-authorize
now requires its role parameter to be non-empty (gh-99)robert-hooke
is now properly classified as a test dependency (gh-106)
There are other changes, please see the full list of issues resolved leading up to this release, and the commit history if you're super-interested.
- Added
:cemerick.friend/ensure-session
as an optional slot workflows can add to the metadata on authentication maps they return. By default, Friend will update (or set anew) the Ring session when a user is authenticated, redirecting them to where they were originally headed before hitting an authentication requirement. By setting:cemerick.friend/ensure-session
and:cemerick.friend/redirect-on-auth?
tofalse
, the user will not be redirected, and the session will not be set. This addresses the use cases of both the HTTP Basic workflow, as well as use cases where a request is made simply to establish authentication without a redirect, but while retaining the session-setting behaviour. (gh-83) - Fix the HTTP Basic workflow so that non-Basic authentication mechanisms that
use the
Authorization
HTTP header can be used (gh-85) - Workflows are now only ever run as needed (gh-90)
- Port numbers are no longer set if
X-Forwarded-Proto
is present in the original request (gh-84)
Friend now depends upon Ring 1.2.0 final. This means (due to the transitive dependency on tools.reader) that Friend now requires Clojure 1.3.0+.
This release contains a significant refactoring of the library to follow the interceptor pattern adopted by Ring 1.2.0 (see the note under "Misc" below). Note that this refactoring is not a breaking change, either from an end-user or workflow author/maintainer standpoint.
Core API
- The
default-unauthenticated-handler
now properly retains the query string of the initial requested unauthenticated URL (gh-68)
Workflows
- The OpenID workflow can now be used much more reliably behind reverse proxies
and load balancers:
- The
return_to
URL now automatically takes into account anyx-forwarded-proto
header provided by your reverse proxy - If your proxy/load balancer doesn't send
x-forwarded-proto
headers, then you can use middleware to add an appropriatereturn_to
URL to the request going into the OpenID middleware, keyed under:cemerick.friend.openid/return-url
(gh-74)
- The
- The interactive-form workflow now properly picks up
username
parameter value after a failed login attempt (gh-69)
Misc
- Friend's middlewares have been refactored internally to implement an interceptor pattern, to match Ring's middlewares >= 1.2.0. This makes Friend suitable for use with e.g. Pedestal and similar frameworks. (gh-54)
Friend is now tracking Ring v1.2.0 betas, minimally requiring
[ring/ring-core "1.2.0-beta1"]
.
Core API
:roles
in authentication maps may now optionally be a function returning a collection of roles (gh-21, gh-55)
Workflows
- All included workflows now properly account for the in-force Ring context, if any. (gh-52, gh-53, gh-56)
Core API
- Fixed handling of the optional authorization-error map that may be provided
to
authorize
(gh-46)
Misc
- Various minor documentation improvements.
Core API
cemerick.friend/current-authentication
can now accept either a ring request map or a Friend identity mapcemerick.friend/authenticated
can now accept more than one body form (gh-32)- A new
cemerick.friend/authenticate
option,:unauthenticated-handler
, allows one to provide a separate Ring handler to control how to respond to unauthenticated requests when authentication is required (either via setting:allow-anon
tofalse
, or via use ofcemerick.friend/authenticated
). The prior behaviour (redirecting to the URI specified by:login-uri
) is currently retained by the default:unauthenticated-handler
,cemerick.friend/default-unauthenticated-handler
. (gh-38)
Workflows
- The
http-basic
workflow no longer produces a 401 Unauthorized response when no HTTP Basic credentials are supplied. (gh-38) - The OpenID workflow now offers a
:consumer-manager
option for providing a fully-configuredorg.openid4java.consumer.ConsumerManager
(to be used instead of the in-memory default) (gh-35) - Usernames provided as part of an interactive-form workflow authentication are now URL-encoded in the resulting redirect when authentication fails (gh-41)
Misc
- New function
cemerick.friend.credentials/bcrypt-verify
now available to verify bcrypt-hashed strings outside ofcemerick.friend.credentials/bcrypt-credential-fn
and the workflow/authentication process - All HTTP redirect responses sent by Friend now use an absolute URL in the
Location
header per the HTTP spec (gh-42) - The transitive dependency on Google Guice (needed by the openid4java dependency) has been updated to use the coordinates available via Maven Central
Core API
- Credential functions may now return maps with a
:cemerick.friend.credentials/password-key
slot in their metadata to indicate the key within the credential map itself which holds the password. - The value of the
:cemerick.friend/redirect-on-auth?
key in workflow may now be a string URI to which the user will be redirected (instead of the:default-landing-uri
provided to theauthenticate
middleware). - Friend now plays much nicer with Ring sessions; in particular, it no longer quashes session data set by lower-level handlers and middleware. (gh-24, gh-26)
Workflows
- The
http-basic
workflow now properly supports empty usernames and passwords (gh-28)
Bricked, don't use.
Core API
:login-uri
now actually defaults to"/login"
as indicated in documentation (Yoshito Komatsu, gh-13)- Authorization failures are now handled more sanely (gh-19):
:unauthorized-redirect-uri
is no longer used (was nonsensical)- additional data may now be added to the stone thrown upon unauthorized
access (see
cemerick.friend/authorize
,cemerick.friend/authenticated
, andthrow-authorized
) - data added to stone thrown by
cemerick.friend/throw-authorized
is now added to the request passed to:unauthorized-handler
in the:cemerick.friend/authorization-failure
slot
- HTTP 401 is now used instead of 403 to properly indicate unauthorized authenticated request (gh-20)
cemerick.friend/logout*
is now public (John Szakmeister)
Workflows
- http-basic workflow now properly responds with www-authenticate challenge when
no credentials are provided and
:allow-anon?
is false (gh-16) - the OpenID workflow's
:max-nonce-age
must now be specified in milliseconds instead of seconds - the OpenID workflow no longer adds unprintable objects to the ring session
Misc
- Documentation for
cemerick.friend/identity
fixed