Changelog

20220413

Added

• provide request info as a HAR file if flat/collect-request-info is enabled

Fixed

• More helpful error message for misspelled type names in Swagger schemas

• don't leak Authorization in FLAT::getRequestInfo()

• fixed a mixup of JSON DOM representation styles

20210623

Added

• The validate-request-security request option

Fixed

• set-env now does not produce unnecessary quotes for numeric values

• Problem in the split() function, if called with a string containing an ampersand

• Send Vary: Origin response headers for non-preflight requests if CORS is enabled but Origin was not sent

20210107

Added

• The uuid3() and uuid4() functions
• The ldap-query() function
• LDAP TLS configuration and LDAP timeout
• The scope-claim and post-check-flow properties
• Specifying the required token scope
• Merging directives into php.ini via environment variables

Fixed

• Path parameters were not usable in error flows

20200828

Added

• FLAT_DEBUG_ALLOW_HEADER to enable debugging using the Debug request header, defaults to false
• The request option force-cache-refresh
• The ldap-lookup() function
• The cacheHit property in the upstream response information ($upstream)

Fixed

• Empty objects are no longer logged as empty arrays.
• The json-to-csv() function allows null values in array entry objects.

Changed

The log action can no longer override system log fields.

20200519

Added

• Beta image now publicly available. More about Docker images…
• Warnings in debug log about invalid Swagger definitions
• Validation for the assert and set-env test action configurations.
• The error action
• additional configuration options for the PHP-FPM process management
• out-header property for easy JWT forwarding

Fixed

• Calls to the content() function affecting the result of the body() function

20200424

Added

• Swagger security requirements can now also be specified at the path level.
• x-flat-proxy to configure proxies without a flow
• Enhanced proxy-request action with origin, query, stripEndpoint and addPrefix properties

Fixed

• If a client URL path is below the API base path, does not match any defined route, and a path is defined which equals the API base path, so that a matching client URL path is the concatenation of the API base path with itself (e.g. /api/api if the basePath is /api), the fallback flow is now properly executed.
• Some PEM formatted keys could not be recognized during JWT processing.
• Multi-line values for environment variables are now supported.

Changed

• If the definition request option is given with either a proxy-request action or x-flat-proxy, the defaults for the exit-on-error, validate-request and validate-response request options are changed to true.

20200409

Added

• The json-to-csv() function
• The FLAT revision is shown when FLAT is started and is available in $env/FLAT_REVISION

Changed

• Enhanced flat_access log with new fields

Fixed

• When testing multiple test files with flat test, each test now tests its own response.
• Fatal errors when using certain combinations of jwt-decode() and <eval/>

20200323

Fixed

• Environment variables are shown in the debug log if the debug topic is env
• With activated upstream validation, a missing definition option or a definition value referencing a non-existant resource now results in a 500 response with a proper error message.
• Swagger security scheme objects without x-flat-jwt are ignored for security checks.

20200318

Added

• body() function
• pass-body action
• Security checks with JWT.

Changed

• set-response-headers action now accepts the empty object {}
• Reading swagger.yaml is faster because of caching

20200213

Added

• Validation for application/x-www-form-urlencoded encoded formData parameters
• The proxy-request action
• The functions verify-xmldsig() and decrypt-xml().

Fixed

• Parameter handling of the functions decrypt() and calc-signature().

Changed

• Padding scheme for encrypt() and decrypt() to RSAES-OAEP.
• Relative paths in the json-doc() function are resolved relative to the flow file's path.

20200110

Added

• The Swagger extension x-flat-validate is now also recognized below paths/<path> and paths/<path>/<operation>.
• The force-cache-ttl request option

Changed

• Only allow operations defined in OpenAPI version 2.0 to be used in the swagger.yaml

Fixed

• The default value for the use-http-cache request option is now false, even if no request options are configured.
• Segmentation fault (or double free) when eval is used to assign nodes from a node-set variable to another variable

20191210

Added

• The functions apply-codecs(), encrypt(), decrypt(), calc-signature() and verify-signature()
• The function file-exists()
• The $error variable is set and exit-on-error/error flow handling is triggered if a request error occurs
• The id and encoding properties in the JSON request configuration
• More environment variables for system configuration and tuning
• If a path in swagger.yaml ends with /**, this entry matches the given path as well as arbitrary paths below it.

Changed

• Swagger validation now gracefully accepts empty objects in the definition.
• Logging of template results for more flow actions

Fixed

• Some alert messages were logged twice
• Evaluating an undefined or null variable, as a string, now returns the empty string instead of the string null
• Incorrect default content-type text/xml for request bodies

• The set-response-headers action now replaces Cache-Control headers instead of merging them
• The serve action now correctly handles whitespace and other URL-Encoded characters in the name of the fallback-doc

20191018

Added

• Swagger definition supports discriminator, JSON schema $id references and JSON schema propertyNames
• The array-reverse() and sort(), xml-parse() and html-parse() functions
• Validation of the request, requests and set-response-headers action JSON bodies
• The expected result in an assert action's assertion can now be null
• The log action, the get-log() function

Changed

• The test search for flat-test is recursive
• Logs are sent to stderr in JSON format

Fixed

• The report-only validation modes
• The exit-on-error, mock and validate request options also for XML-configured requests
• Relative paths for e.g. in with copy in backend-flows

20190919

Added

• The $error variable containing error information for client request/response validation errors
• The error flow, called if an error occurs, and referenced by flow in x-flat-error in the swagger.yaml
• The exit-on-error request option (for JSON-configured requests) to trigger the error flow
• An additional parameter algorithm for the jwt-decode() function to limit the acceptable signing algorithms. Mandatory for RSASSA based signatures
• The contains and pattern compare flags for the assert action
• The flat test Framework with assert, test-request, backend-flow and set-env actions
• The json-stringify() and json-parse() functions

Changed

• The default User-Agent for upstream requests is FLAT
• Unless terminate="false" is set, the serve action will terminate the flow
• For the request action: values in headers may now also be numeric or boolean
• If the signature cannot be created, the jwt-encode() function returns an empty string and an error message is logged
• The key for the jwt-encode() and jwt-decode() functions must not be empty
• HTML error page only if HTML is accepted; plain text otherwise

Fixed

• Fatal error when creating requests with null query parameter
• Fatal error when creating requests with invalid body source
• Requests are now rejected if upstream validation is enabled, but no definition option is configured or the given definition is not found
• The results of the split() function can now be used as input for join() or fit-serialize()