Changelog

20220413

Added

• provide request info as a HAR file if flat/collect-request-info is enabled

Fixed

• More helpful error message for misspelled type names in Swagger schemas

• don't leak Authorization in FLAT::getRequestInfo()

• fixed a mixup of JSON DOM representation styles

20210623

Added

• The validate-request-security request option

Fixed

• set-env now does not produce unnecessary quotes for numeric values

• Problem in the split() function, if called with a string containing an ampersand

• Send Vary: Origin response headers for non-preflight requests if CORS is enabled but Origin was not sent

20210107

Added

• The uuid3() and uuid4() functions

• The ldap-query() function

• LDAP TLS configuration and LDAP timeout

• The scope-claim and post-check-flow properties

• Specifying the required token scope

• Merging directives into php.ini via environment variables

Fixed

• Path parameters were not usable in error flows

20200828

Added

• FLAT_DEBUG_ALLOW_HEADER to enable debugging using the Debug request header, defaults to false

• The request option force-cache-refresh

• The ldap-lookup() function

• The cacheHit property in the upstream response information ($upstream)

Fixed

• Empty objects are no longer logged as empty arrays.

• The json-to-csv() function allows null values in array entry objects.

Changed

The log action can no longer override system log fields.

20200519

Added

• Beta image now publicly available. More about Docker images…

• Warnings in debug log about invalid Swagger definitions

• Validation for the assert and set-env test action configurations.

• The error action

• additional configuration options for the PHP-FPM process management

• out-header property for easy JWT forwarding

Fixed

• Calls to the content() function affecting the result of the body() function

20200424

Added

• Swagger security requirements can now also be specified at the path level.

• x-flat-proxy to configure proxies without a flow

• Enhanced proxy-request action with origin, query, stripEndpoint and addPrefix properties

Fixed

• If a client URL path is below the API base path, does not match any defined route, and a path is defined which equals the API base path, so that a matching client URL path is the concatenation of the API base path with itself (e.g. /api/api if the basePath is /api), the fallback flow is now properly executed.

• Some PEM formatted keys could not be recognized during JWT processing.

• Multi-line values for environment variables are now supported.

Changed

• If the definition request option is given with either a proxy-request action or x-flat-proxy, the defaults for the exit-on-error, validate-request and validate-response request options are changed to true.

20200409

Added

• The json-to-csv() function

• The FLAT revision is shown when FLAT is started and is available in $env/FLAT_REVISION

Changed

• Enhanced flat_access log with new fields

Fixed

• When testing multiple test files with flat test, each test now tests its own response.

• Fatal errors when using certain combinations of jwt-decode() and <eval/>

20200323

Fixed

• Environment variables are shown in the debug log if the debug topic is env

• With activated upstream validation, a missing definition option or a definition value referencing a non-existant resource now results in a 500 response with a proper error message.

• Swagger security scheme objects without x-flat-jwt are ignored for security checks.

20200318

Added

• body() function

• pass-body action

• Security checks with JWT.

Changed

• set-response-headers action now accepts the empty object {}

• Reading swagger.yaml is faster because of caching

20200213

Added

• Validation for application/x-www-form-urlencoded encoded formData parameters

• The proxy-request action

• The functions verify-xmldsig() and decrypt-xml().

Fixed

• Parameter handling of the functions decrypt() and calc-signature().

Changed

• Padding scheme for encrypt() and decrypt() to RSAES-OAEP.

• Relative paths in the json-doc() function are resolved relative to the flow file's path.

20200110

Added

• The Swagger extension x-flat-validate is now also recognized below paths/<path> and paths/<path>/<operation>.

• The force-cache-ttl request option

Changed

• Only allow operations defined in OpenAPI version 2.0 to be used in the swagger.yaml

Fixed

• The default value for the use-http-cache request option is now false, even if no request options are configured.

• Segmentation fault (or double free) when eval is used to assign nodes from a node-set variable to another variable

20191210

Added

• The functions apply-codecs(), encrypt(), decrypt(), calc-signature() and verify-signature()

• The function file-exists()

• The $error variable is set and exit-on-error/error flow handling is triggered if a request error occurs

• The id and encoding properties in the JSON request configuration

• More environment variables for system configuration and tuning

• If a path in swagger.yaml ends with /**, this entry matches the given path as well as arbitrary paths below it.

Changed

• Swagger validation now gracefully accepts empty objects in the definition.

• Logging of template results for more flow actions

Fixed

• Some alert messages were logged twice

• Evaluating an undefined or null variable, as a string, now returns the empty string instead of the string null

• Incorrect default content-type text/xml for request bodies

• The set-response-headers action now replaces Cache-Control headers instead of merging them

• The serve action now correctly handles whitespace and other URL-Encoded characters in the name of the fallback-doc

20191018

Added

• Swagger definition supports discriminator, JSON schema $id references and JSON schema propertyNames

• The array-reverse() and sort(), xml-parse() and html-parse() functions

• Validation of the request, requests and set-response-headers action JSON bodies

• The expected result in an assert action's assertion can now be null

• The log action, the get-log() function

Changed

• The test search for flat-test is recursive

• Logs are sent to stderr in JSON format

Fixed

• The report-only validation modes

• The exit-on-error, mock and validate request options also for XML-configured requests

• Relative paths for e.g. in with copy in backend-flows

20190919

Added

• The $error variable containing error information for client request/response validation errors

• The error flow, called if an error occurs, and referenced by flow in x-flat-error in the swagger.yaml

• The exit-on-error request option (for JSON-configured requests) to trigger the error flow

• An additional parameter algorithm for the jwt-decode() function to limit the acceptable signing algorithms. Mandatory for RSASSA based signatures

• The contains and pattern compare flags for the assert action

• The flat test Framework with assert, test-request, backend-flow and set-env actions

• The json-stringify() and json-parse() functions

Changed

• The default User-Agent for upstream requests is FLAT

• Unless terminate="false" is set, the serve action will terminate the flow

• For the request action: values in headers may now also be numeric or boolean

• If the signature cannot be created, the jwt-encode() function returns an empty string and an error message is logged

• The key for the jwt-encode() and jwt-decode() functions must not be empty

• HTML error page only if HTML is accepted; plain text otherwise

Fixed

• Fatal error when creating requests with null query parameter

• Fatal error when creating requests with invalid body source

• Requests are now rejected if upstream validation is enabled, but no definition option is configured or the given definition is not found

• The results of the split() function can now be used as input for join() or fit-serialize()