Some of our dependencies are no longer supporting pre-4.0 versions of
Node.js. As a result, our CI builds are failing on these platforms.
This pull request removes 0.10 and 0.12 from our Travis CI build matrix
and also adds "engines" field to package.json to tell our internal
Jenkins CI to stop testing 0.10 and 0.12 versions too.
Rework the test verifying properties of `loopback` to ignore
new express properties added after the test was written.
Ignore "json" and "urlencoded" middleware that was added back
to Express, keep using our wrappers printing a deprecation message.
Currently any `currentUserLiteral` routes when accessed with a bad
token throw a 500 due to a SQL error that is raised because
`Model.findById` is invoked with `id={currentUserLiteral}`
(`id=me` in our case) when the url rewrite fails.
This commit changes the token middleware to return 401 Not Authorized
when the client is requesting a currentUserLiteral route without
a valid access token.
* Fix User.verify to convert uid to string (phairow)
* Configure Travis CI to cache phantomjs binaries (Miroslav Bajtoš)
* Improve "filter" arg description (Raymond Camden)
* Fix creation of verification links (Miroslav Bajtoš)
* Include link to docs in logoutSessions warning (Miroslav Bajtoš)
* Fix detection of logoutSessionsOnSensitiveChanges (Miroslav Bajtoš)
* Preserve sessions on User.save() making no changes (Miroslav Bajtoš)
* Remove unused dependencies (Miroslav Bajtoš)
* Fix logout to handle no or missing accessToken (Ritchie Martori)
* Use English when running Mocha tests (Miroslav Bajtoš)
* Role model: resolves related models by name (Benjamin Kroeger)
* Fix User methods to use correct Primary Key (Aris Kemper)
Applications using MongoDB connectors typically have `user.id`
property of type ObjectID.
This commit fixes the code building the verification URL to
correctly convert the user id value into string.
Fix User.prototype.verify to call `querystring.stringify` instead
of concatenating query-string components directly.
In particular, this fixes the bug where `options.redirect` containing
a hash fragment like `#/home?arg1=value1&arg2=value2` produced incorrect
URL, because the `redirect` value was not correctly encoded.
Modify the code detecting whether logoutSessionsOnSensitiveChanges
is enabled to correctly handle the case when the model is not attached
to any application, as is the case with loopback-component-passport
tests.
Return 401 when the request does not provide any accessToken argument
or the token was not found.
Also simplify the implementation of the `logout` method to make only
a single database call (`deleteById`) instead of `findById` + `delete`.
Disable invalidation of access tokens by default to restore backwards
compatibility with older 2.x versions.
Add a new application-wide flag logoutSessionsOnSensitiveChanges
that can be used to explicitly turn on/off the token invalidation.
When the flag is not set, a verbose warning is printed to nudge the user
to make a decision how they want to handle token invalidation.
Miroslav Bajtoš
Loay
Candy
Allen Boone
Diana Lau
Aaron Buchanan
Miroslav Bajtoš
Raymond Feng
phairow
Raymond Camden
Ritchie Martori
Benjamin Kroeger
Aris Kemper