Release Notes – ms-nodejs-backend Update
Overview
This release enhances the authentication mechanism by introducing a debug bypass that allows returning a test user with global admin privileges when certain environment variables are set and token expiration checks are ignored. Additionally, the internal IAM object construction has been refactored for consistency and clarity in property assignments.
New Features
- Introduced a conditional debug bypass to token validation that, when enabled via environment configuration (`jwkConfig.ignoreExpiration()` and `ORG_ID`), returns a predefined test user with the `GLOBAL_ADMIN` role. This mode logs a fatal message alerting that the user is logged in without OAuth.
Improvements / Changes
- Refactored the Internal Access Management (IAM) object construction by changing from returning new objects to directly mutating the existing `iamObject`. This improves consistency and simplifies the code path.
- Added inclusion of the environment variable `ORG_ID` as `orgId` within the user object to maintain organization identification across debug sessions.
- Removed the previous inclusion of the full `organisation` object and empty `decodedToken` in the returned structure during debug bypass to streamline the IAM object properties and avoid redundant data.
Bug Fixes
- N/A (No explicit bug fixes identified in this update.)
Technical / Developer Notes
- The debug bypass triggers only if token expiration checks are ignored and `ORG_ID` is available in environment variables, serving as a development aid or emergency fallback.
- When the debug bypass is active, a fatal log entry records the non-standard login event, providing traceability for security reviews.
- Consumers of the IAM object should now expect `orgId` available directly on the user object during debug mode, replacing previous reliance on the full organisation object.
- Ensure environment variables `ORG_ID` and debug flags are carefully managed to avoid accidental use of insecure login bypass in production.
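One way to enforce the last note at startup, as an added example that is not the project's own code: a guard that refuses to boot when the bypass precondition from these notes is met outside an allow-listed environment. `NODE_ENV`, the allow-list, the function names, and the assumption that `jwkConfig.ignoreExpiration()` returns a boolean are all assumptions of this example.

```javascript
// Added example: startup guard for the debug bypass described in these notes.
// Assumptions (not from the release): NODE_ENV names the deployment
// environment, and only the values in NON_PROD_ENVS may run the bypass.
const NON_PROD_ENVS = new Set(["development", "test"]);

// The bypass precondition as the notes state it: expiration checks are
// ignored AND ORG_ID is present in the environment.
function bypassPreconditionMet(env, ignoreExpiration) {
  const orgIdSet = typeof env.ORG_ID === "string" && env.ORG_ID.length > 0;
  return ignoreExpiration === true && orgIdSet;
}

// Classify a configuration. Fails closed: an unset or unrecognised
// NODE_ENV is treated like production.
function assessDebugBypass(env, ignoreExpiration) {
  if (!bypassPreconditionMet(env, ignoreExpiration)) {
    return { bypassActive: false, allowed: true, reason: "bypass precondition not met" };
  }
  const nodeEnv = (env.NODE_ENV || "").toLowerCase();
  if (NON_PROD_ENVS.has(nodeEnv)) {
    return { bypassActive: true, allowed: true, reason: `bypass active in ${nodeEnv}` };
  }
  const shown = nodeEnv || "<unset>";
  return { bypassActive: true, allowed: false, reason: `bypass precondition met with NODE_ENV=${shown}` };
}

// Call once at boot, before the server starts listening, passing
// process.env and the result of jwkConfig.ignoreExpiration().
function assertDebugBypassSafe(env, ignoreExpiration) {
  const result = assessDebugBypass(env, ignoreExpiration);
  if (!result.allowed) {
    throw new Error(`Refusing to start: ${result.reason}`);
  }
  return result;
}

// Constructed sample configurations (not taken from the project).
const samples = [
  [{ NODE_ENV: "development", ORG_ID: "org-demo" }, true],
  [{ NODE_ENV: "production", ORG_ID: "org-demo" }, true],
  [{ ORG_ID: "org-demo" }, true],
  [{ NODE_ENV: "production", ORG_ID: "org-demo" }, false],
];
for (const [env, ignoreExp] of samples) {
  console.log(JSON.stringify(env), ignoreExp, assessDebugBypass(env, ignoreExp));
}
```

The same `assessDebugBypass` result can be exported as a health or metrics field so that a deployment with `bypassActive: true` is visible without waiting for the fatal log entry.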
Acknowledgements / Contributors
- Thanks to the ms-nodejs-backend team for improving debugging flexibility and IAM object consistency!