Release Notes – Debug Mode Enhancement for ms-nodejs-backend
Overview
This release introduces a debug mode in the backend authentication flow that allows bypassing token validation and permission checks, enabling developers to simulate a user with global admin privileges conveniently. It facilitates debugging and local development when token expiration is ignored and an organizational context is set via environment variables.
New Features
- Added a conditional bypass that disables token validation when jwkConfig.ignoreExpiration() returns true and the environment variable ORG_ID is set, allowing direct login without OAuth.
- The bypass sets up a test user object with a GLOBAL_ADMIN role and fetches the associated organisation by ORG_ID. This simulates authenticated context for debugging.
Improvements / Changes
- Disabled the platform ID permission check that verifies whether the authenticated user has access to the specified provider by commenting out the related error throwing logic. This prevents permission errors during debugging sessions.
- Enhanced logging with a fatal-level log entry—"USER logged in without oauth"—to indicate when debug bypass is active.
Bug Fixes
- N/A for this release.
Technical / Developer Notes
- When debugging and jwkConfig.ignoreExpiration() is enabled along with ORG_ID in the environment, the server sets iamObject.user to a test user with:
  - _id: "test"
  - name: "test"
  - orgId from environment variable
  - role: "GLOBAL_ADMIN"
- Permission checks related to user-platform ID matching have been commented out to ease testing without access restrictions.
- The decoded token is replaced with an empty object in debug mode to bypass actual token parsing.
Breaking Changes
- None; however, note that debug bypass only activates when explicitly configured by environment variables and does not affect normal production flows.
Acknowledgements / Contributors
- N/A
This update is intended for development and debugging phases and should be carefully controlled in deployment environments to prevent unintentional security bypass.
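
One way to keep the bypass controlled at deployment is a fail-closed startup guard. The following is an added example, not code from ms-nodejs-backend: it evaluates the bypass condition from these notes (jwkConfig.ignoreExpiration() true and ORG_ID set) and refuses to start unless the process is explicitly in development. NODE_ENV, the ALLOW_AUTH_BYPASS opt-in, the function names and the sample org id are assumptions made for illustration.

```javascript
// Added example: startup guard for the debug bypass described in these notes.
// NODE_ENV, ALLOW_AUTH_BYPASS and both function names are assumptions, not project code.

// The bypass condition as the release notes state it:
// jwkConfig.ignoreExpiration() returns true AND ORG_ID is set in the environment.
function bypassConditionMet(jwkConfig, env) {
  return jwkConfig.ignoreExpiration() === true &&
    typeof env.ORG_ID === "string" && env.ORG_ID.trim() !== "";
}

// Decide once, at startup, whether the bypass may be active in this process.
// Returns { bypass, reason } when the configuration is safe; throws when it is not.
function evaluateDebugBypass(jwkConfig, env) {
  if (!bypassConditionMet(jwkConfig, env)) {
    return { bypass: false, reason: "bypass condition not met" };
  }
  // Fail closed: anything other than an explicit "development" is treated as production.
  if (env.NODE_ENV !== "development") {
    throw new Error("auth bypass condition met outside development: " +
      "unset ORG_ID or disable ignoreExpiration before starting");
  }
  // Require a second, explicit opt-in so a leftover ORG_ID alone is never enough.
  if (env.ALLOW_AUTH_BYPASS !== "1") {
    throw new Error("auth bypass condition met without ALLOW_AUTH_BYPASS=1");
  }
  return { bypass: true, reason: "explicit development opt-in" };
}

// Constructed sample configurations (not taken from a real deployment).
const samples = [
  { name: "prod, clean", cfg: { ignoreExpiration: () => false },
    env: { NODE_ENV: "production" } },
  { name: "prod, leftover ORG_ID", cfg: { ignoreExpiration: () => true },
    env: { NODE_ENV: "production", ORG_ID: "org-123" } },
  { name: "dev, opted in", cfg: { ignoreExpiration: () => true },
    env: { NODE_ENV: "development", ORG_ID: "org-123", ALLOW_AUTH_BYPASS: "1" } },
];
for (const s of samples) {
  try {
    console.log(s.name, "->", evaluateDebugBypass(s.cfg, s.env));
  } catch (e) {
    console.log(s.name, "-> refused to start:", e.message);
  }
}
```

The guard covers only the token-validation bypass. A check that has been commented out, like the platform ID check above, is disabled regardless of environment variables and has to be restored in the code.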