diff --git a/CHANGELOG.md b/CHANGELOG.md index 498214146..6465b2c25 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## Unreleased +## [5.3.2] - 2023-02-05 + +### Changed +- Tweak fields sent to zapier triggers for users/members + +### Fixed +- Fix oAuth authorization code flow + ## [5.3.1] - 2023-02-01 ### Fixed diff --git a/api/hooks/oidcRoutes.js b/api/hooks/oidcRoutes.js index 6773fffc0..674a819de 100644 --- a/api/hooks/oidcRoutes.js +++ b/api/hooks/oidcRoutes.js @@ -2,10 +2,12 @@ import { get } from 'lodash/fp' import oidc from '../services/OpenIDConnect' // This is needed for local dev, for some reason it is using :3001 for the port when we want :3000 -// And on staging to make sure we use the right base URL +// And on staging and prod make sure we use the right base URL +// Don't know exactly why the request is getting a baseUrl that looks like http://node1.hylo.com 🤷‍♂️ const adjustRedirectUrl = (url, req) => { const redirectUrl = (process.env.PROTOCOL === 'https') ? url.replace('http://', 'https://') : url - return redirectUrl.replace(req.baseUrl, process.env.PROTOCOL + '://' + process.env.DOMAIN) + const baseUrl = (process.env.PROTOCOL === 'https') ? req.baseUrl.replace('http://', 'https://') : req.baseUrl + return redirectUrl.replace(baseUrl, process.env.PROTOCOL + '://' + process.env.DOMAIN) } module.exports = function (app) { @@ -39,6 +41,7 @@ module.exports = function (app) { 'POST /noo/oidc/:uid/login': async (req, res, next) => { try { + const details = await oidc.interactionDetails(req, res) const { uid, prompt, params } = details diff --git a/api/models/User.js b/api/models/User.js index 09a852c19..931505754 100644 --- a/api/models/User.js +++ b/api/models/User.js 
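Review bot: In adjustRedirectUrl the new `redirectUrl.replace(baseUrl, …)` is a plain-string replacement, so if `req.baseUrl` is ever the empty string (Express reports `''` for handlers not mounted under a sub-path) the call prepends `PROTOCOL://DOMAIN` to the URL instead of substituting the host, and if it is `undefined` the added `req.baseUrl.replace('http://', …)` throws before the function returns. I would guard the degenerate case with `if (!req.baseUrl) return redirectUrl` ahead of the substitution, or — if every caller passes an absolute URL, which I can't confirm from this hunk — rewrite the origin structurally with `const u = new URL(redirectUrl); u.protocol = process.env.PROTOCOL; u.host = process.env.DOMAIN; return u.toString()` so only the scheme/host change and nothing elsewhere in the path or query can be touched. The surviving comment admits the origin of the `http://node1.hylo.com` baseUrl is unknown; a one-line `// replacement is first-occurrence, plain string (no regex, `$` sequences in DOMAIN would be interpreted)` would spare the next reader the same check. adjustRedirectUrl is complete within the hunk; module.exports continues outside it.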
@@ -485,9 +485,9 @@ module.exports = bookshelf.Model.extend(merge({ if (!isEmpty(this.changed)) { // Save the updated fields to send a Zapier trigger for, before we save and lose the changes const changedForTrigger = pick(this.changed, [ - 'avatar_url', 'banner_url', 'bio', 'contact_email', 'contact_phone', + 'avatar_url', 'bio', 'contact_email', 'contact_phone', 'facebook_url', 'linkedin_url', 'location', 'location_id', - 'name', 'settings', 'tagline', 'twitter_name', 'url' + 'name', 'tagline', 'twitter_name', 'url' ]) await this.save(Object.assign({ updated_at: new Date() }, this.changed), { patch: true, transacting }) diff --git a/api/models/post/updatePost.test.js b/api/models/post/updatePost.test.js index de266f789..e2c3c172a 100644 --- a/api/models/post/updatePost.test.js +++ b/api/models/post/updatePost.test.js @@ -46,7 +46,6 @@ describe('afterUpdatingPost', () => { const followers = await post.followers().fetch() - console.log('!!! followers', followers) expect(followers.pluck('id').sort()).to.deep.equal([u1.id, u2.id].sort()) }) diff --git a/api/services/OpenIDConnect.js b/api/services/OpenIDConnect.js index b8eee5359..0b6f12918 100644 --- a/api/services/OpenIDConnect.js +++ b/api/services/OpenIDConnect.js @@ -31,13 +31,19 @@ const configuration = { path: '/', // XXX: a hack since for some reason on heroku the redirects go to the underlying proxied domain like api-staging.hylo.com but then cookie doesnt work when staging.hylo.com domain: process.env.NODE_ENV === 'development' ? 'localhost' : '.hylo.com', - signed: true + signed: true, + httpOnly: true, + overwrite: true, + sameSite: 'none' }, short: { // XXX: needed since we redirect our interactions to evo routes. Is this dangerous? path: '/', domain: process.env.NODE_ENV === 'development' ? 'localhost' : '.hylo.com', - signed: true + signed: true, + httpOnly: true, + overwrite: true, + sameSite: 'lax' } }, extraClientMetadata: { diff --git a/package.json b/package.json index 714512eae..6177fead1 100644 
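Review bot: The pick list feeding the Zapier trigger now drops `banner_url` and `settings`, but nothing in the hunk records why, so whoever next adds a profile column has no guidance on what may be forwarded to an external integration. I would put a comment above the `pick`: `// Allowlist of fields forwarded to Zapier triggers; keep it to public profile fields — 'settings' was deliberately removed (presumably because it can carry private preferences; confirm before re-adding)`. The enclosing method starts and ends outside the hunk.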
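Review bot: The `long` cookie gains `sameSite: 'none'` but the hunk sets no `secure` attribute; browsers reject a `SameSite=None` cookie that is not also `Secure`, so unless `secure` is configured outside this hunk or the provider is trusting the proxy's forwarded protocol, the session cookie will be silently dropped in production. I would set it explicitly beside the new line, `secure: process.env.NODE_ENV !== 'development'`, keeping localhost over plain http working. Because `'none'` also means the signed session cookie is sent on cross-site requests, the existing `XXX: … Is this dangerous?` remark on the `short` cookie deserves an actual answer in the file, e.g. `// long: 'none' so the session survives the cross-site redirect back from the client; short: 'lax' is enough for the interaction round-trip — reasons to be confirmed`, rather than leaving the question open. The configuration object continues outside the hunk.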
--- a/package.json +++ b/package.json @@ -5,7 +5,7 @@ "author": "Tibet Sprague ", "license": "GNU AFFERO GENERAL PUBLIC LICENSE v3", "private": true, - "version": "5.3.1", + "version": "5.3.2", "repository": { "type": "git", "url": "git://github.com/Hylozoic/hylo-node.git"