Release Notes – ms-nodejs-backend Debug Update
Overview
This update introduces a debug-mode enhancement that conditionally bypasses OAuth token validation under specific environment configurations. The change is designed to facilitate testing or local development by allowing a default global admin user login without full OAuth authentication. Additionally, the internal IAM object construction has been refactored to improve clarity and consistency in handling user organization associations.
New Features
- Added a debug bypass mechanism that, when enabled via the jwkConfig.ignoreExpiration() flag and presence of an ORG_ID environment variable, logs a fatal warning and returns a test user with global admin privileges without performing standard OAuth token validation.
Improvements / Changes
- Refactored IAM (Identity and Access Management) object construction: instead of returning a newly constructed object, the system now assigns properties directly onto an existing IAM object.
- User object within IAM now explicitly includes an orgId field populated from the environment variable ORG_ID. This replaces embedding the full organisation data object in the IAM structure.
- Removed redundant embedding of organization details (organisation) and empty decodedToken objects from the IAM return payload when using the debug bypass.
- Enhanced logging by recording a fatal-level log entry whenever a user login occurs without OAuth due to the debug bypass being active.
- Maintained standard token validation flow when debug bypass conditions are not met, ensuring normal security behavior.
Bug Fixes
- Not applicable in this update.
Technical / Developer Notes
- The debug bypass logic is triggered only if both jwkConfig.ignoreExpiration() returns true and the environment variable ORG_ID is set.
- This update introduces a logging side-effect intended to flag and monitor scenarios where users log in without OAuth authentication, potentially serving as a security or audit checkpoint during development.
- Consumers of the IAM object should now expect orgId to be part of the user object, and no longer rely on a nested organisation property.
- Refactoring aimed at standardizing IAM object handling improves maintainability and aligns with permission setup expectations based on orgId.
Breaking Changes
- The IAM object structure returned under debug bypass no longer includes the full organisation object or decodedToken field. Code depending on these fields must be updated to accommodate this change.
- Direct assignment to an existing IAM object replaces previous return of a new object for the test user scenario; calling code should verify compatibility.
This release enhances developer experience during debug sessions by enabling simulated global admin authentication, while preserving expected production security behavior and improving internal object consistency.
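A startup guard for the bypass condition described in the Technical / Developer Notes, as an added example that is not part of ms-nodejs-backend. Only jwkConfig.ignoreExpiration() and ORG_ID come from these notes; the function names, the use of NODE_ENV to identify the deployment tier, and the sample configurations are assumptions.

```javascript
'use strict';
// Added example. Only jwkConfig.ignoreExpiration() and ORG_ID come from the
// release notes; every other name here is hypothetical.

// Assumption: NODE_ENV names the deployment tier. The bypass is tolerated only
// in these tiers, so an unset or misspelled NODE_ENV fails closed.
const BYPASS_ALLOWED_ENVS = new Set(['development', 'test']);

// Trigger condition as described in the notes. ORG_ID counts as "set" whenever
// it is defined, even if empty, so the guard over-approximates rather than misses.
function debugBypassActive(jwkConfig, env) {
  return jwkConfig.ignoreExpiration() === true && env.ORG_ID !== undefined;
}

// Run once at startup, before any authentication handler is registered.
// Returns 'enforced' or 'bypass-dev'; throws when the bypass would be reachable
// outside an allowed tier, so the process never starts serving in that state.
function checkAuthBypassAtStartup(jwkConfig, env, log = console) {
  if (!debugBypassActive(jwkConfig, env)) return 'enforced';
  const tier = String(env.NODE_ENV ?? '').trim().toLowerCase();
  if (!BYPASS_ALLOWED_ENVS.has(tier)) {
    throw new Error(
      `Refusing to start: OAuth debug bypass is active with NODE_ENV="${tier}"`);
  }
  log.warn('OAuth debug bypass active: logins return the global admin test user');
  return 'bypass-dev';
}

// Constructed sample configurations (not taken from the project).
const SAMPLES = [
  { ignore: false, env: { NODE_ENV: 'production', ORG_ID: 'org-1' } },
  { ignore: true, env: { NODE_ENV: 'production' } },
  { ignore: true, env: { NODE_ENV: 'development', ORG_ID: 'org-1' } },
  { ignore: true, env: { NODE_ENV: 'production', ORG_ID: 'org-1' } },
  { ignore: true, env: { ORG_ID: '' } },
];

function runSamples() {
  const quiet = { warn() {} };
  return SAMPLES.map(({ ignore, env }) => {
    try {
      return checkAuthBypassAtStartup({ ignoreExpiration: () => ignore }, env, quiet);
    } catch (err) {
      return 'refused';
    }
  });
}

console.log(runSamples());
// → [ 'enforced', 'enforced', 'bypass-dev', 'refused', 'refused' ]
```

The last sample shows the fail-closed case: an empty ORG_ID with NODE_ENV unset is refused rather than treated as a development machine.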