Release Notes – ms-nodejs-backend (Debug Branch Update)
Overview
This release disables the platform ID-based permission check for users with the GLOBAL_ADMIN role, allowing these users to bypass the validation that restricts access based on associated platform IDs. Additionally, it introduces a debug mode that bypasses token validation and permission enforcement when certain environment variables are set, facilitating internal testing and debugging workflows.
Improvements / Changes
- Commented out the platform ID permission checks that enforce validation of user platformIds against provider platform IDs. This effectively disables the related authorization error throw (ApplicationError(errorCodes.B001)), allowing GLOBAL_ADMIN users to perform actions without platform-specific restrictions.
- Added trailing commas to some role declarations (specifically after "GLOBAL_ADMIN") to correct syntax/formatting.
- Introduced a debug bypass mode in the token validation logic:
  - When jwkConfig.ignoreExpiration() returns true and the environment variable ORG_ID is set:
    - Token validation is skipped.
    - A test user with GLOBAL_ADMIN role and predefined attributes is injected into the IAM object (iamObject).
    - The corresponding organization is loaded and assigned for this test user.
    - A fatal log is recorded warning that a user is logged in without OAuth.
    - This bypass disables all platform ID permission validations for that session.
- These changes facilitate internal debugging by allowing privileged access without standard OAuth token validation and platform ID checks.
Bug Fixes
- Fixed minor syntax issues related to missing trailing commas in role declarations.
Technical / Developer Notes
- The permission check that verifies iamObject.user.platformIds includes the provider’s _id by throwing an ApplicationError has been disabled by commenting out the relevant code.
- The new debug mode relies on the presence of the ORG_ID environment variable and a configuration that ignores token expiration to inject a default "test" user with global admin privileges, bypassing normal security checks.
- Logging was enhanced to record when a user is forcefully logged in without OAuth in this debug mode for audit and troubleshooting.
- These modifications are intended purely for debugging and internal testing environments. They circumvent normal security mechanisms and must not be enabled in production.
Breaking Changes
- Permission validation for users based on platform ID association with providers is currently disabled for global admins, which modifies access control behavior. Ensure this aligns with your environment security requirements before deploying.
- The debug bypass can drastically alter authentication and authorization flows when enabled via environment variables.
These changes are intended to speed up developer debugging and testing by relaxing usual permission constraints and OAuth token validation. Please ensure that these debug features are disabled or removed in production deployments to maintain platform security integrity.
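One way to enforce the "must not be enabled in production" requirement is a startup guard that refuses to boot when the bypass condition holds outside a debug environment. This is an added example, not code from ms-nodejs-backend. It assumes NODE_ENV identifies the deployment, and DEBUG_ENVIRONMENTS and the function names are hypothetical.

```javascript
// Added example, not ms-nodejs-backend code. Per the release notes, the bypass
// is armed when jwkConfig.ignoreExpiration() returns true and ORG_ID is set.
// Assumptions: NODE_ENV names the deployment; DEBUG_ENVIRONMENTS is a
// hypothetical allowlist of environments where the bypass is tolerated.
const DEBUG_ENVIRONMENTS = new Set(['development', 'test']);

// True when the bypass condition described in the release notes holds.
// Truthiness is used on purpose so that any non-empty ORG_ID counts as set.
function debugBypassArmed(env, jwkConfig) {
  return Boolean(env.ORG_ID) && Boolean(jwkConfig.ignoreExpiration());
}

// Fail closed: an unset or unrecognised NODE_ENV is treated like production.
function checkAuthBypass(env, jwkConfig) {
  const environment = String(env.NODE_ENV || '').trim().toLowerCase();
  const armed = debugBypassArmed(env, jwkConfig);
  return {
    armed,
    environment: environment || '(unset)',
    allowed: !armed || DEBUG_ENVIRONMENTS.has(environment),
  };
}

// Call once at startup, before the server accepts requests.
function assertAuthBypassDisabled(env, jwkConfig) {
  const result = checkAuthBypass(env, jwkConfig);
  if (!result.allowed) {
    throw new Error(
      `Refusing to start: OAuth debug bypass is armed in "${result.environment}" ` +
        '(ORG_ID is set and token expiration is ignored)'
    );
  }
  return result;
}

// Constructed sample configurations (not taken from the project).
const ignoring = { ignoreExpiration: () => true };
const enforcing = { ignoreExpiration: () => false };
const samples = [
  [{ NODE_ENV: 'production', ORG_ID: 'org-placeholder' }, ignoring],
  [{ NODE_ENV: 'production', ORG_ID: 'org-placeholder' }, enforcing],
  [{ NODE_ENV: 'development', ORG_ID: 'org-placeholder' }, ignoring],
  [{ ORG_ID: 'org-placeholder' }, ignoring], // NODE_ENV unset
];
for (const [env, jwkConfig] of samples) {
  console.log(JSON.stringify(checkAuthBypass(env, jwkConfig)));
}
```

The same check can run as a deployment pipeline step against the rendered environment, so a misconfigured release is rejected before it starts.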