Releases: taoensso/sente
v1.16.1 - 2021 Jan 31
v1.16.0 - 2020 Sep 19
[com.taoensso/sente "1.16.0"]
Major feature release. Should be non-breaking, but see here for recommended steps when updating any Clojure/Script dependencies.
Same as v1.16.0-RC1, v1.16.0-alpha2.
Changes since v1.15.0
New since v1.15.0
- [#371 #375] Add Jetty 9 server adapter (@wavejumper)
- [#372] Add ring-undertow server adapter (@nikolap)
- [#275 #374] Add Clj WebSocket client support (@kaosko)
- Add optional auth fn to make-channel-socket-server! (@kaosko @ptaoussanis)
- [#356] Expose send-buffers_ as implementation detail (@kaosko)
- [#359 #360] Add :json-verbose format to Transit packer (@p-himik)
- [#362 #363] Allow additional keys in event-msg maps (@jjttjj)
- [#365] README: incl. example CSRF code (@mattford63)
Fixes since v1.15.0
- [#366 #353 #358] Make make-channel-socket-client! respect host option (@Rkiouak)
- Use new http-kit v2.4.0 server API internally to fix possible race conditions
- [#357 #247] Fix for React Native (@currentoor)
v1.16.0-RC1 - 2020 Sep 10
[com.taoensso/sente "1.16.0-RC1"]
Same as v1.16.0-alpha2.
See here for recommended steps when updating any Clojure/Script dependencies.
v1.16.0-alpha2 - 2020 Aug 24
[com.taoensso/sente "1.16.0-alpha2"]
Major feature release. Should be non-breaking, but users of http-kit will need to update to >= http-kit v2.4.0.
See here for a tip re: general recommended steps when updating any Clojure/Script dependencies.
Changes since 1.15.0
- [NB] http-kit users must now use >= http-kit v2.4.0.
- [#362 #363] Allow additional keys in event-msg maps (@jjttjj).
- [#365] README: incl. example CSRF code (@mattford63).
New since 1.15.0
- [#371 #375] Add Jetty 9 server adapter (@wavejumper).
- [#372] Add ring-undertow server adapter (@nikolap).
- [#275 #374] Add Clj WebSocket client support (@kaosko).
- Add optional auth fn to make-channel-socket-server! (@kaosko @ptaoussanis).
- [#356] Expose send-buffers_ as implementation detail (@kaosko).
- [#359 #360] Add :json-verbose format to Transit packer (@p-himik).
Fixes since 1.15.0
- [#366 #353 #358] Make make-channel-socket-client! respect host option (@Rkiouak).
- Use new http-kit v2.4.0 server API internally to fix possible race conditions.
- [#357 #247] Fix for React Native (@currentoor).
v1.15.0 - 2019 Nov 27
[com.taoensso/sente "1.15.0"]
Just updates some dependencies. Should be non-breaking.
- [#355] Fix: Bump encore dependency to fix deprecated goog.structs/Map issue.
v1.14.0 - 2019 Oct 19
[com.taoensso/sente "1.14.0"]
As v1.14.0-RC2, but also includes:
- [#307] New: Add server adapter for Macchiato Framework on Node.js (@theasp)
- [#137 #338] New: Add support for origin/referrer checking (@eerohele)
- [#349 #348] New: Add support for specifying chsk port when connecting from client (@pieterbreed)
- [#337] Fix: Incorrect value (only udt) swapped into conns_ (@osbert)
- [#341] Fix: Make cljsbuild output-to resources/public/main.js directly (@shaolang)
v1.14.0-RC2 - 2019 Jan 12
[com.taoensso/sente "1.14.0-RC2"]
This is a CRITICAL bugfix release, please upgrade ASAP
- [#137] SECURITY FIX, BREAKING: fix badly broken CSRF protection (@danielcompton, @awkay, @eerohele), more info below
My sincere apologies for this mistake. Please write if I can provide more details or any other assistance. Further testing/auditing/input very much welcome! - @ptaoussanis
Security bug details
- All previous versions of Sente (< v1.14.0) contain a critical security design bug identified and reported by @danielcompton, @awkay, @eerohele. (Thank you to them for the report!).
- Bug: Previous versions of Sente were leaking the server-side CSRF token to the client during the (unauthenticated) WebSocket handshake process.
- Impact: An attacker could initiate a WebSocket handshake against the Sente server to discover a logged-in user's CSRF token. With the token, the attacker could then issue cross-site requests against Sente's endpoints. Worse, since Sente often shares a CSRF token with the rest of the web server, it may be possible for an attacker to issue cross-site requests against the rest of the web server (not just Sente's endpoints).
Security fix details
- The fix commit stops the CSRF token leak, introducing a BREAKING API CHANGE (details below).
- Sente will now (by default) refuse to service any requests unless a CSRF token is detected (e.g. via ring-anti-forgery).
Breaking changes
make-channel-socket-client! now takes an extra mandatory argument
It now takes an explicit csrf-token that you must provide. The value for the token can be manually extracted from the page HTML (example).
In most cases the change will involve three steps:
- You need to include the server's CSRF token somewhere in your page HTML: example.
- You need to extract the CSRF token from your page HTML: example.
- You'll then use the extracted CSRF token as an argument when calling make-channel-socket-client!: example.
Client-side :chsk/handshake event has changed
It now always carries nil in the slot where it once carried the csrf-token provided by the server.
I.e. before: [:chsk/handshake [<?uid> <csrf-token> <?handshake-data> <first-handshake?>]]
after: [:chsk/handshake [<?uid> nil <?handshake-data> <first-handshake?>]]
Most users won't be affected by this change.
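The following is an added end-to-end illustration of the three steps above (token into the page HTML, token read back out, token passed to make-channel-socket-client!), together with the origin/referrer check added in v1.14.0 and the optional auth fn added in v1.16.0. It is example code written for these notes, not Sente's own code or the README's; it assumes a "/chsk" route, a page element with id sente-csrf-token, a session key :uid, a hypothetical logged-in? helper, an example origin "https://example.com", and http-kit as the server adapter. The server and client halves would normally live in separate .clj and .cljs files.

```clojure
;; ---- Server side (Clojure) ----
(ns example.server
  (:require [ring.middleware.anti-forgery  :refer [wrap-anti-forgery]]
            [ring.middleware.session       :refer [wrap-session]]
            [ring.middleware.params        :refer [wrap-params]]
            [ring.middleware.keyword-params :refer [wrap-keyword-params]]
            [taoensso.sente :as sente]
            [taoensso.sente.server-adapters.http-kit :refer [get-sch-adapter]]
            [hiccup.core :as hiccup]))

(defn logged-in? [ring-req]
  ;; Hypothetical helper: adapt to your own session/auth scheme.
  (some? (get-in ring-req [:session :uid])))

(let [{:keys [ch-recv send-fn connected-uids
              ajax-post-fn ajax-get-or-ws-handshake-fn]}
      (sente/make-channel-socket-server!
       (get-sch-adapter)
       {;; Post-v1.14.0 the token is checked by default; spelled out here so the
        ;; dependency on ring-anti-forgery's per-session token is visible.
        :csrf-token-fn   (fn [ring-req] (:anti-forgery-token ring-req))
        ;; v1.14.0: only accept handshakes whose Origin/Referer is your own site.
        :allowed-origins #{"https://example.com"}
        ;; v1.16.0: refuse the channel socket unless the user is authenticated.
        :authorized?-fn  logged-in?
        :unauthorized-fn (fn [_ring-req] {:status 401 :body "Unauthorized"})
        :user-id-fn      (fn [ring-req] (get-in ring-req [:session :uid]))})]
  (def ring-ajax-post                ajax-post-fn)
  (def ring-ajax-get-or-ws-handshake ajax-get-or-ws-handshake-fn)
  (def ch-chsk                       ch-recv)
  (def chsk-send!                    send-fn)
  (def connected-uids                connected-uids))

(defn landing-page [ring-req]
  ;; Step 1: embed the server's CSRF token in the page HTML. wrap-anti-forgery
  ;; adds :anti-forgery-token to the request; it is never sent over the socket.
  (let [csrf-token (:anti-forgery-token ring-req)]
    (hiccup/html
     [:div#sente-csrf-token {:data-csrf-token csrf-token}]
     [:script {:src "/js/main.js"}])))

(defn handler [{:keys [uri request-method] :as ring-req}]
  (case [request-method uri]
    [:get  "/"]     {:status 200 :headers {"Content-Type" "text/html"}
                     :body (landing-page ring-req)}
    [:get  "/chsk"] (ring-ajax-get-or-ws-handshake ring-req)
    [:post "/chsk"] (ring-ajax-post ring-req)
    {:status 404 :body "Not found"}))

;; Middleware order matters: anti-forgery needs a session, and Sente needs
;; parsed keyword params to read the client-id and token it sends.
(def app
  (-> handler
      wrap-anti-forgery
      wrap-keyword-params
      wrap-params
      wrap-session))

;; ---- Client side (ClojureScript) ----
(ns example.client
  (:require [taoensso.sente :as sente]))

;; Step 2: read the token back out of the page HTML.
(def ?csrf-token
  (when-let [el (.getElementById js/document "sente-csrf-token")]
    (.getAttribute el "data-csrf-token")))

(when-not ?csrf-token
  (js/console.warn "CSRF token missing from page; the server will refuse the channel socket"))

;; Step 3: pass it as the now-mandatory second argument.
(let [{:keys [chsk ch-recv send-fn state]}
      (sente/make-channel-socket-client! "/chsk" ?csrf-token {:type :auto})]
  (def chsk       chsk)
  (def ch-chsk    ch-recv)
  (def chsk-send! send-fn)
  (def chsk-state state))

;; Post-v1.14.0 the handshake's second slot is always nil, so nothing here
;; should expect to read a token from it.
(defmulti -event-msg-handler :id)
(defmethod -event-msg-handler :chsk/handshake
  [{:keys [?data]}]
  (let [[?uid _nil-slot ?handshake-data first-handshake?] ?data]
    (js/console.log "Handshake for uid" ?uid "first?" first-handshake?)))
(defmethod -event-msg-handler :default [_ev-msg] nil)

(sente/start-client-chsk-router! ch-chsk -event-msg-handler)
```

If the client omits the token (for example because the page served it from a cached template without the element), the server responds as it would to any request lacking a CSRF token, which is the refusal described above; the console warning makes that failure mode visible during development rather than surfacing only as a rejected handshake.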
v1.13.1 - 2018 Aug 22
[com.taoensso/sente "1.13.1"]
This is a hotfix release, should be non-breaking
- [#327 #326] Fix broken ws->ajax downgrade logic (@michaelcameron)
v1.13.0 - 2018 Aug 4
[com.taoensso/sente "1.13.0"]
This is a maintenance release, should be non-breaking in most cases
- Updated all dependencies
v1.12.1 - 2018 Aug 4
[com.taoensso/sente "1.12.1"]
This is a non-breaking maintenance release
- [#323] Fix: Work correctly with new versions of ring-anti-forgery (@timothypratley)