3.6.0

Security

• CRITICAL: Fixed open redirect vulnerability in _securedURL handling. The saveSecuredUrl() method now validates redirect URLs to ensure they belong to the same host as the current request, preventing attackers from crafting malicious URLs that redirect users to external sites after login. Added isSafeRedirectUrl() validation using java.net.URI to compare hosts.

Fixed

• BOX-164 Allow Visualizer to show settings when firewall.logging not enabled
• JWT Handler improperly returns a value causing it to skip ColdBox's RestHandler's response formatting logic. This results in the entire response object being returned rather than just invoking getDataPacket()

3.5.0

Added

• Upgraded test harness
• BoxLang certification
• Github Actions updates
• ColdBox 8 Support and certification
• Added .github/copilot-instructions.md — concise AI-agent guidance covering module architecture, validators, interceptor flows, and developer workflows (install, test, server start).
• Documented test-harness and TestBox runner details for local integration testing (see test-harness/tests/runner.cfm and box.json scripts).

3.4.1

Fixed

• Parenthesis on top statements for MSSQL Server on the DBLogger thanks to @irvirv

3.4.0

Added

• Official Adobe 2023 Support
• Gitflows for testing all engines and all versions of ColdBox
• Added transientCache=false to auth User to avoid any issues when doing security operations
• Added population control for auth User for extra security

Fixed

• User auth was not serializing the id of the user in the mementifier config

v3.3.0

Added

• Added guest() method to CBSecurity model and Authorizable delegate

v3.2.0

Added

• Migrations table for security logs
• New bootsrap icons + css + js
• New github support files

Fixed

• getActionsReport() was not defaulting the type's structure, so exceptions would arise when there was no data in the visualizer

v3.1.0

Added

• Added a new helper: createPassword() on the CBSecurity model to generate secure, random passwords with letters, symbols and numbers.
• cbcsrf upgraded to version 3, we missed in the previous release.

v3.0.0

Changed / COMPATIBILITY

• Dropped ACF2016
• Separated routes to it's own module Router
• COMPAT New JwtAuthValidator instead of mixing concerns with the JwtService. You will have to update your configuration to use this validator instead of the JwtService
• useSSL is now defaulted to true for all security relocations as the default
• Encapsulation of jwt settings from the ModuleConfig to the JwtService
• CBAuthValidator has been renamed to just AuthValidator this way it can be used with ANY authentication service instead of binding it to just cbauth. This validator just relies on the IAuthUser interface now.

Added

• New AuthValidator now can validate permissions and roles according to our IAuthUser interface but can be used on ANY authentication service that implements IAuthService
• New authorization and authentication delegates for usage in cb7
• New ability for the firewall to log all action events to a database table.
• New visualizer that can visualize all settings and all firewall events via the log table if enabled.
• New Basic Auth validator and basic auth user credentials storage system. This will allow you to secure your apps where no database interaction is needed or required.
• New global and rule action: block and the fireall will block the request with a 401 Unathorized page.
• New event cbSecurity_onFirewallBlock announced whenever the firewall blocks a request into the system with a 403.
• DBTokenStorage now rotates using async scheduler and not direct usage anymore.
• Ability to set the cbcsrf module settings into the cbsecurity settings as csrf.
• We now default the user service class and the auth token rotation events according to used authentication service (cbauth, etc), no need to duplicate work.
• New rule based IP security. You can add a allowedIPs key into any rule and add which IP Addresses are allowed into the match. By default, it matches all IPs.
• New rule based HTTP method security. You can add a httpMethods key into any rule and add which HTTP methods are allowed into the match. By default, it matches all HTTP Verbs.
• New securityHeaders configuration to allow a developer to protect their apps from common exploits: xss, HSTS, Content Type Options, host header validation, ip validation, click jacking, non-SSL redirection and much more.
• Authenticated user is now stored by the security firewall according to the prcUserVariable on authenticated calls via preProcess() no matter the validator used
• Dynamic Custom Claims: You can pass a function/closure as the value for a custom claim and it will be evaluated at runtime passing in the current claims before being encoded
• Allow passing in custom refresh token claims to attempt() and fromUser() and refreshToken() : refreshCustomClaims
• Added TokenInvalidException and TokenExpiredException to the refreshToken endpoint

Fixed

• Disable lastAccessTimeouts for JWT CacheTokenStorage BOX-128
• Fix spelling of property datasource on queryExecute that was causing a read issue.

v2.12.0

[2.12.0] => 2021-MAR-29

Added

• More and more apps will need real ip's from request, so expose it via the CBSecurity model service as : getRealIp()

Fixed

• When using getHTTPREquestData() send false so we DON'T retrieve the http body when we just need the headers
• More updates to getRealIp() when dealing with lists

v2.11.1

[2.11.1] => 2021-MAR-10

Fixed

• Fix getRealIP() to only return originating user's source IP, if the forwarded ip is a list