Skip to content

Latest commit

 

History

History
283 lines (155 loc) · 13.3 KB

CHANGELOG.md

File metadata and controls

283 lines (155 loc) · 13.3 KB

Change log

November 29th 2024 - Moving to the new monitoring library

There's a new set of shared libraries which should allow us to share code more efficiently than current approaches.

The first of these is a new library which wraps the 3 common endpoints used for monitoring and strives to ensure that services have health monitoring of it's dependencies.

The library will attempt to self-install itself by running it via npx: npx @ministryofjustice/hmpps-monitoring

It will then prompt you to perform some manual tasks - if you have stub tests for your health endpoints you might need add some additional stubbing.

See PR #479

November 18th 2024 - Moving away from csurf and to csrf-sync

csurf has been deprecated for some time and this removes that dependency and implements the synchronizer token pattern using csrf-sync.

Note: Previously csurf used to generate new tokens on every request. The new library generates tokens once per session which is preferrable due to the extra calls to redis that per-request would generate. It is possible to force a refresh/revocation of a token by explicitly calling: req.csrfToken(true)

See PR #481

November 5th 2024 - Disable 301 redirects on missing static content folders

Previously a non-existent static resource returned a 301 without the appropriate CSP response header. Now it will return a 404 with the correct header. This was an issue flagged by ZAP

See PR #383

October 29th 2024 - Move to node 22

Node 22 is now LTS. Notes here

See PR #474

September 25th 2024 - Removing dependency on dotenv

Removing dependency on dotenv. Use Node's -env-file mechanism instead of requiring the dotenv module.

See PR #441

September 25th 2024 - Removing dependency on uuid

Removing dependency on uuid. Use Node's crypto.randomUUID() instead of requiring the uuid module - there's no need if just using v4 UUIDs.

See PR #439

September 19th 2024 - Renaming config domain

The config.domain property has been renamed to config.ingressUrl to reflect the fact that it should be set to a URL rather than just a domain name.

See PR #435

September 6th 2024 - Authentication and credentials tidy-up

We have recently tidied up some of the authentication process. To begin with, we added default credentials in HMPPS Auth (PR: hmpps-auth#1777) to support the template project out of the box. The necessary updates for using these credentials were made in PR: #412 and PR: #414. We also updated the documentation to clarify the OIDC/OAuth2 process.

Additionally, we cleaned up both the authentication middleware and the user details population middleware. These changes can be found in PR: #413 and PR: #415.

As part of this change we also renamed the env var names used for configuring our client's credentials. It was felt that the previous names were confusing/misleading.

We've now renamed the client that is used to authenticate new users using the auth code oauth2 grant:

API_CLIENT_ID -> AUTH_CODE_CLIENT_ID
API_CLIENT_SECRET -> AUTH_CODE_CLIENT_SECRET

and we've renamed the client used to request tokens using the client credentials grant as follows:

SYSTEM_CLIENT_ID -> CLIENT_CREDS_CLIENT_ID
SYSTEM_CLIENT_SECRET -> CLIENT_CREDS_CLIENT_SECRET

July 13th 2024 - ESBuild and asset caching improvements

We have recently introduced several enhancements to the ESBuild process to improve stability, logging, and basic type annotations. These are part of

PR: #388 and PR: #378

Additionally, we have integrated a new and improved process for handling asset cache-busting. Previously, we appended a query string representing the build number or Git commit hash to our assets for cache-busting. With the recent introduction of ESBuild, we have implemented a more common asset-revving solution, using the hash of the asset in the asset's output filename, like /assets/js/app.UG7VY7MS.js.

In brief, this implementation creates a manifest.json file during the asset build process, which maps the original asset name to it's new rev'd name. We then use the assetMap filter, introduced as part of this PR, to match the original asset names to their hashed versions, like so

<script type="module" src="{{ '/assets/js/app.js' | assetMap }}"></script>

To see the full conversation see the #typescript slack channel

PR: #377


July 11th 2024 – Remove Typescript outdated checks

We originally added these checks to the template project to try to nudge people into performing major version updates rather than solely focusing on security patches. This has led to a lot of confusion and queries from teams asking why we're enforcing these draconian checks. Previously we added some guidance suggesting developers remove it but this was not generally read.

Rather than add to the complexity of the rewrite script we've decided to remove these checks entirely.

PR: #388


June 19th 2024 – Add ESBuild!

This is a bit of a WiP but rapidly speeds up the time to redeploy on changes. It does that by running typescript compiler in a side channel. It's worth adopting now but there are subsequent commits and changes that will continue to be integrated to improve this.

To see the full conversation see the #typescript slack channel

PR: #375


May 22nd 2024 – Remove prometheus metrics middleware and metrics app. We had discussed that very few teams actually go on to set up a dashboard to surface the information and tend to use application insights instead for the information. In addition it had also caused a memory leak and production issues (manifesting in increased 502 error rates) in at least two applications that had inherited from the template so it seems wise to remove this tooling by default.

PR: #365


May 10th 2024 – Derive user details from the authorization_code "user" token instead of making an API call to hmpps-manage-users-api, thereby removing an unnecessary dependency.

PR: #352


February 29th 2024 – Use same node version for outdated check and security scan. This currently defaults to node 16

PR: #321


February 15th 2024 – Move over to use Debian 12 based image (bookworm)

PR: #316


January 9th 2024 – Move over to Gov UK Frontend 5.0 and MoJ Frontend 2.0

Note, this removed support for IE8,9,10 etc.

PR: #297


November 29th 2023 – Remove getUserRoles as an api call and add as decoded from the token #274

This is to encourage services not to make additional calls to retrieve a user's role information. Usually roles are cached with the session meaning that the user has to log out and in again to bring in changes to roles - as user details are also cached this will not change this behaviour.

PR: #274


November 29th 2023 – Use in-memory token store when developing locally

PR: #273


November 6th 2023 – Add HMPPS Manage Users API to health checks

PR: #255


October 27th 2023 – Update to 4.0.0 of jwt-decode module

This had breaking changes and required an update to the import statement

PR: #252


October 27th 2023 – Update application to use node.js version 20 and npm version 10

Application updated to node 20.8 along with one minor node module tweaks

PR: #249


October 25th 2023 – Replace deprecated HMPPS Auth API endpoints with calls to HMPPS Manage Users API

/api/user/me -> /users/me
/api/user/me/roles -> /users/me/roles

PR: #247


October 4th 2023 – Improve REST client and propagate user types into res.locals

The base REST client now supports GET, DELETE, PATCH, POST, PUT methods all allowing query parameters and generic response types.

The user object built by setUpCurrentUser middleware is exposed in res.locals of request handlers preventing the need for type assertions.

PR: #238


September 28th 2023 - Add in environment name to the header

For dev and pre-prod we now display the environment name in the header to let people know that the service isn't production. This brings the template into line with the new micro frontend components header.


September 22nd 2023 - Ensure health/info endpoints are the same information as the Kotlin templates

As part of the work on the service catalogue we are trying to ensure all services and applications present standard /health and /info endpoints. As the Kotlin template is provided with a standard set of information as part of Spring Boot, it made sense to make sure the Typrscript template was made to match. This ensures these endpoints can be processed programmatically without needing to know what format the information is being presented.

For more details ask on the #hmpps-service-catalogue channel.

PR: here


August 3rd 2023 - Add /info endpoint and expose product ids

As part of the work on the service catalogue we are giving all applications their own product id. This change adds a new info endpoint to expose this id in a consistent place.

For more details ask on the #hmpps-service-catalogue channel.

PR: here


June 9th 2023 - Do not retry POST requests by default

It's not safe to retry idempotent calls as this introduces the risk of creating multiple resources. This fix changes the default to not carry out any retries but allows switching on retrying if desired.

PR: here


April 13th 2023 - Caching fix

Asset caching was only set to 20 seconds. This fix changes the default to 1 hour which has a profound effect on the number of requests the application serves.

PR: here


April 4th 2023 - Remove unnecessary build step

There was an additional unnecessary build step as part of start:dev npm task. This more than doubled the start time on the initial run.

PR: here


March 20th 2023 - CSP fix for redirects during POST on session timeout

Updates the Content Security Policy to fix issues when users would be stuck on pages after submitting a form after their session times out. (Lots more detail in the PR)

PR: here


February 3rd 2023 - Revert multi build docker image

Multibuild docker images ended up taking a very long time after the upgrade to node 18 (1hr+). Some work needs to be done to move to support multi host builds in our circle orb, in the meantime we’ve removed this and are just building images solely for deployment.

PR: here