@/web-server
- It is now possible to access `WebEvent.current` within custom log formatters and request reporters.
- It is now possible to subclass `HttpError` and have Alterior handle it as expected. This was not possible prior due to issues long since solved with how extended Error works (when Alterior targeted ES5, this was not possible in TypeScript 2.1 or later). Since this is no longer an issue, this restriction has been lifted.
@/web-server
- [(!!) Potential security issue / denial of service] Fixed a crash when the server receives invalid JSON during body parsing or other errors raised by Connect middleware. Please update to this patch or higher. Issue existed between v3.8.0 and v3.11.1. Fix has been backported to affected series with the following patch releases:
  - Backported as v3.10.3
  - Backported as v3.9.5
  - Backported as v3.8.1
- Add `middleware` request reporting event (currently unused by the default request reporter)
@/web-server
- Adds `globalMiddleware` option to `@Controller()`. This has the same semantics as `middleware` in previous releases, but with clarified naming.
- The `middleware` option of `@Controller()` is now deprecated in favor of `globalMiddleware`.
- Fixes a problem where JSON strings cannot be used with the new `@Body({ type: 'json' })` feature because of `body-parser`'s "strict mode". Disabled "strict mode" when using the JSON mode of the `body-parser` middleware internally.
@/annotations
- Improves the return type of `Annotation.decorator()` so that it is dependent on the provided `valueTargets` (when possible). Issue
@/web-server
- Adds ability to override the body parser in use via the `@Body()` decorator. This is useful for cases like trying to accept JSON strings (since `string` normally causes a `text` body parser to be used).
@/web-server
- Fixes an issue where a request's body will be unparsed if the `Content-Type` passed does not match the typical content type associated with the expected body format. For instance, when expecting JSON (the default), the body would only be parsed when the `Content-Type` header was `application/json`. When expecting text (ie when `@Body()` has type `string`), the body would only be parsed when the `Content-Type` header was `text/plain`. This is unexpected, since Alterior provides no manner to validate the `Content-Type` field without using custom middleware. Now the body is parsed as the expected type regardless of `Content-Type`.
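Because the body is parsed regardless of `Content-Type`, a service that wants to enforce the media type needs the custom middleware this note mentions. The following is an added example, not Alterior's own code: a Connect-style `(req, res, next)` middleware with a hypothetical name `requireContentType`, plus a constructed `simulate` harness; how it is registered in a given service is left out.

```typescript
// Added example (not Alterior code): Connect-style middleware that enforces
// an allow-list of request media types and answers 415 otherwise.
// Header names are assumed lowercased, as Node's http module delivers them.

// Minimal structural types so the block compiles without Node's type packages.
interface Req { headers: Record<string, string | string[] | undefined>; }
interface Res { statusCode: number; setHeader(name: string, value: string): void; end(body?: string): void; }
type Next = (err?: unknown) => void;

// "Application/JSON; charset=utf-8" -> "application/json"; missing/empty -> null.
function mediaType(header: string | string[] | undefined): string | null {
  const raw = Array.isArray(header) ? header[0] : header;
  if (!raw) return null;
  const type = (raw.split(';')[0] ?? '').trim().toLowerCase();
  return type === '' ? null : type;
}

// A request carries a body when it is chunked or has a positive Content-Length.
function hasBody(req: Req): boolean {
  if (req.headers['transfer-encoding'] !== undefined) return true;
  const length = req.headers['content-length'];
  return typeof length === 'string' && Number(length) > 0;
}

// Hypothetical helper name; returns the middleware for the given allow-list.
function requireContentType(allowed: string[]) {
  const allowList = new Set(allowed.map(t => t.toLowerCase()));
  return (req: Req, res: Res, next: Next): void => {
    // Bodyless requests (typical GET/DELETE) have nothing to parse; let them through.
    if (!hasBody(req)) return next();
    const type = mediaType(req.headers['content-type']);
    if (type !== null && allowList.has(type)) return next();
    // Reject without calling next(), so no later handler sees the request.
    res.statusCode = 415;
    res.setHeader('Content-Type', 'text/plain; charset=utf-8');
    res.end('Unsupported Media Type');
  };
}

// Constructed harness: runs the middleware against fake request headers and
// reports the resulting status code and whether next() was reached.
function simulate(headers: Req['headers']): { status: number; passed: boolean } {
  let passed = false;
  const res: Res = { statusCode: 200, setHeader: () => {}, end: () => {} };
  requireContentType(['application/json'])({ headers }, res, () => { passed = true; });
  return { status: res.statusCode, passed };
}
```

A request with a body and no `Content-Type` header is rejected as well, so the parser never has to guess the format.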
@/web-server
- Fixes an issue where `route` is not present on `WebEvent`
@/di
- You can now use `Injector.run()` to run a callback within an injection context for the given injector.
@/web-server
- Fixes a bug where failing to provide a body when using the `Response` class would cause an exception within Express. Failing to provide a body now ends the response without outputting a body.
- Corrects the type of `ConnectMiddleware` to require the `next()` function to be passed. This fixes type errors when using many Connect middlewares.
@/express
- `ExpressEvent` now properly exposes `current` as an Express-specific `WebEvent`, `request` as `express.Request` and `response` as `express.Response` as intended. Previously this class returned the same values as `WebEvent` which was not useful.
@/web-server
- Fixed an issue where `Session.current().foo = 123` would not set the session variable as expected.
@/web-server
- The `Session` class is now exported properly.
@/web-server
- Adds support for "interceptors". Interceptors let you wrap the execution of all controller methods in the web service. They can be defined in the options for `@WebService()`, `@Controller` or the `@Route()` family of decorators. They are similar to applying a mutator, but without needing to use decorators, and without needing to declare the interception on every controller method. Use `WebEvent.current` to access details about the request.
- Adds `@Intercept()` decorator as a convenient way to apply a function conforming to the `Interceptor` type directly to a method definition.
- `WebEvent.inject()` is a convenience function for `WebEvent.current.get()`
- `webEvent.inject()` is a convenience function for `webEvent.server.injector.get()`
@/web-server
- Route-specific middleware can now use `WebEvent.current` to acquire the web event being processed. While middleware has always had access to the request/response pair, the current WebEvent also provides access to the controller and method which is about to be executed, amongst other things. This enables middleware to introspect the method call that is about to occur, enabling a broad set of use cases that were previously impossible. NOTE: Global and controller-level middleware cannot access `WebEvent.current` as they occur before any Alterior-specific processing occurs.
- Alterior-style middleware classes are now resolved per request, allowing dependency injection providers to differ per call. This has been used to allow `WebEvent` to be dependency injected as an alternative way of acquiring it.
- The new `preRouteMiddleware` and `postRouteMiddleware` options allow you to specify route-specific middleware at the global and controller levels, enabling you to use the new introspection capabilities without specifying middleware on every route. The order of application is: (1) global pre-middleware, (2) controller pre-middleware, (3) route-specific middleware, (4) controller post-middleware, (5) global post-middleware.
- It is no longer necessary to mark middleware classes with `@Middleware()`. All classes are now treated as Alterior-style middleware (dependency injected, implements a `handle()` method). This is not a breaking change since passing a class not marked with `@Middleware()` would have caused a runtime error prior. As a result of this `@Middleware()` has been deprecated, and will be removed in 4.0.0.
- Correctness change: The type safety of the middleware-related properties of `WebServerOptions`, `@Controller()` and the `@Route()` family of decorators has been strengthened.
@/common: Adds `leftPad()`, `rightPad()`, `zeroPad()` and `isConstructor()`
@/web-server: [(!!) Potential security issue] Fixes an issue which causes the optional secondary HTTP listener to be enabled even when not configured. This would cause Alterior web services to listen on a random high TCP port in addition to the primary port you configure. This may be security impacting for some deployment / firewall configurations.
@/web-server:
- Added the ability to override the default web server engine on specific `@WebService` classes
- Fixes an issue where installing Express' TypeScript types alongside `@/web-server` may have been needed even though `@/web-server` does not have a direct dependency on Express
@/common: `getParameterNames()` will now look for a `__parameterNames` property and use that before trying to introspect the function, which allows code that transforms/replaces functions to carry parameter name metadata across more easily.
@/annotations:
- When running a mutator against a function, preserve parameter names by setting a `__parameterNames` property on the resulting function, containing the parameter names of the original function.
- Type safety has been improved around `Mutator.create()` and `Mutator.define()`
@/runtime: Add `parentInjector` bootstrap option to allow for more complex application bootstrapping.
@/platform-angular: Increase the Angular versions allowed by peer dependency
@/di: Remove unused `zone.js` peer dependency
@/web-server: Remove direct type references to `express`
@/di: Fix type of `Injector#parent` when using `strictNullChecks`
@/runtime: Add missing object type constraint on `Reflector#getTypeFromClass`
@/runtime
- A new lifecycle event `altAfterStart` can be used to run code after all modules' `altOnStart` callbacks have completed and all effective roles have been started (see `RolesService`).
@/runtime
- `RoleRegistration#instance` is now optional. When not specified, the only way to target a role is by its identifier.
@/common
- Alterior's standard error classes now extend from `Error`
- The inaccessible `innerError` property has been removed. Use the ES standard `cause` instead.
@/runtime
- Fixed an issue where using role identifiers within environment/command-line configuration could cause the wrong role to be enabled if multiple roles are defined within a single module.
- An error is now thrown if a role specified in the effective roles configuration does not exist.
- `RolesService#configure()` now accepts string identifiers of roles in addition to class references.
- `RolesService#getForModule()` now throws if there are multiple roles defined for the given module.
@/platform-nodejs
- Upgrades Zone.js to 0.14.3
- Loads the Node.js specific Zone.js bundle
- Loads the RxJS zone patch
- Loads reflect-metadata and source-map-support before initializing `dotenv`.
@/web-server
- To help avoid accidentally using ES2017 or later (which is not supported by Alterior or any other libraries which use Zone.js), an error will now be thrown if a native async function is used as a route method.
@/runtime: Fixes an issue where the short form of the new `--roles-skip` command line option (`-x`) was ignored.
@/runtime: Add `enabledByDefault` to `RoleRegistration` and default to all services which are enabled by default. Allows for some roles to be disabled unless specifically asked for. Roles which are disabled by default are still included in `all-except` configuration. Use the new `default-except` (or via `ALT_ROLES_DEFAULT_EXCEPT` environment variable) to enable all default services except those listed. Additionally there is now a `--roles-skip` option which enables the `default-except` mode.
@/runtime: Allow specifying additional providers when bootstrapping an application
@/platform-nodejs
- `dotenv` version 16.3.1
  - Please note these changes
    - Comments are now supported
    - Multiline strings are now supported
    - Backtick quotes are now supported
- `ws` version 8.16.0
- `source-map-support` version 0.5.21
@/logging:
- Added missing `fatal()` convenience function
- Added static shortcuts to `Logger` (ie `Logger.info()` means `Logger.current.info()`)
@/web-server:
- Fixes a bug where TLS options are not properly initialized in some cases, causing a crash.
- Fixes a bug where automatically generated self-signed certificates (when requesting HTTP/2 or SPDY without specifying a certificate) are not used, causing the server to boot into HTTP only mode instead of HTTPS.
@/web-server:
- Fixes more semantic issues with certificate generator on Forge
- Re-release of packages to resolve package resolution issues
@/web-server: Fix a semantic issue with the Forge library in certificate generation
- Sources are now included with packages to enable easier sourcemap debugging of the Alterior packages.
@/di: Better type safety for TypeProvider (must be concrete type) while still allowing for injection tokens to be abstract. Fixes an issue where `inject()` could not accept an abstract class, even though that is a common pattern for swappable injectables.
@/runtime: `ExecutionContext.current.application` is now available before `altOnInit` runs
@/logging: `Logger.current` does not use the `Logger` instance configured in application injector
@/di: `inject()` now supports `skipSelf`, `self`, and `optional` options.
@/web-server
- Add support for SNI
- Add support for serving both HTTP and HTTPS via a secondary port
@/fastify
- Fix missing support for Alterior seamless websockets
- Fix missing support for Alterior TLS certificate generation
- Fix missing support for serving TLS/SPDY
@/platform-nodejs: Add support for `dotenv-flow` style usage of the `NODE_ENV` environment variable. When `NODE_ENV` is set, the filename searched is `.env.{NODE_ENV}` to allow you to configure multiple environments in separate `.env` files.
@/di: Support for imperative injection via the `inject()` function.
@/web-server: Request logging has been improved, and is now highly customizable. Support has been added for filtering sensitive parameters during request logging.
- All packages now depend on RxJS 7.8.0 or later.
@/common: `clone()` now properly handles undefined/null and primitive values
@/web-server: Support path-limited middleware
@/web-server: Fix a memory leak when many requests are processed in a single HTTP session
@/logging: It is now possible to change the configured log listeners on the fly
@/terminal: Introducing the `TerminalUI` class which can be used to create real-time terminal UI applications
@/terminal: Accept numbers (in addition to strings) in `style` functions
@/terminal: Fixes some issues in the implementation of `read`
@/terminal: Introduced
@/annotations: Fixes a bug where method decorators would be misapplied if the name of the method was the same as the name of a method of the Array class
@/platform-angular: Supports more Angular versions
@/common: Fixes an issue in `Base64` which caused incorrect padding to be applied
- Minimum Node.js version is now 14
- Updated dependencies
- Cleans up a number of unused dependencies
- Now uses NPM workspaces for managing the Alterior codebase
@/common: Fixes several bugs in the `Base64` class
@/web-server: Fixes a crash in `WebEvent.request` et al when called outside of an `@alterior/web-server` request context
@/platform-nodejs: Support loading `.env` files from parent directories of the current working directory
@/web-server: Remove `@types/supertest` dependency
- Properly expose `@alterior/cli` types
- Released all packages under 3.0.2 for consistency
- Fixed an issue where `console` patch did not work properly on the web
Final release of Alterior v3
@/web-server: The message attached to `HttpError` will now hint that you shouldn't be catching this error, since it's used for aborting the active request and sending an HTTP status code
@/web-server: When `WebServer.for()` fails to resolve the current `WebServer` instance, an error is now thrown instead of returning `undefined`. This helps to identify "split brain" packaging issues, most commonly when using `npm link` or other developer tooling.
@/platform-angular: List peer dependency support for Angular 10, 11, 12, 13, and 14
- Bugfix: Wait until web service engine start is complete before proceeding
@/web-server: `WebServer#httpServer` is now public (read only)
@/web-server: Service classes can now receive an `altOnListen(server : WebServer)` event, useful for configuring aspects of the underlying Node.js http.Server instance directly.
- Alterior is now built using Typescript 4.5.4, previous versions used Typescript 4.1.5.
- `@alterior/platform-nodejs` now provides a global implementation of `WebSocket` using `ws` if one is not already available
- Fixes `deepClone()` to handle cyclical object graphs correctly
- The `@SessionValue()` parameter decorator has been removed in preparation for the 3.0.0 release. This decorator was deprecated in `v3.0.0-beta.76` released on 2/27/2021. Use the `Session` class instead.
- Added `@QueryParams()` parameter decorator as a way to get a `Record<string,string>` containing all query parameters passed via URL. You can use a specific interface type for such parameters, but please note that Alterior does not perform automatic coercion of the fields of the `@QueryParams()` object: all values will be strings.
- The `accessControl()` built-in middleware has been removed in preparation for the 3.0.0 release. This feature was deprecated in `v3.0.0-beta.2` released on 9/6/2018. Please use a Connect-compatible middleware package or create your own instead. Feel free to start from Alterior's implementation, you can find it at https://github.com/alterior-mvc/alterior/blob/c4e6730c98d7f2a6d20764612af0b7b2cd51c1e6/packages/web-server/src/accesscontrol.ts.
- The `@Request()` parameter decorator has been removed in preparation for the 3.0.0 release. This decorator was deprecated in `v3.0.0-beta.76` released on 2/27/2021. Use `WebEvent.request` instead to access parameters of the underlying HTTP request.
- The `RolesService#getRoleForModule()` method has been renamed to `RolesService#getForModule()`
- `RolesService#getById()` has been added.
- The `RolesService#start()` and `RolesService#stop()` methods have been removed. Use `RolesService#getById()` or `RolesService#getForModule()` and call `start`/`stop` on the resulting `Role` object instead.
- Documentation improvements
- Factors out Express and Fastify specific code to `@alterior/express` and `@alterior/fastify`. As part of this, you must now import `@alterior/express` or `@alterior/fastify` and specify it as the web server engine from this version on. For example:

  ```typescript
  // main.ts
  import { WebServerEngine } from '@alterior/web-server';
  import { ExpressEngine } from '@alterior/express';
  WebServerEngine.default = ExpressEngine;
  ```

  Alternatively you can specify an engine via dependency injection:

  ```typescript
  @WebService({
      providers: [
          { provide: WebServerEngine, useClass: ExpressEngine }
      ]
  })
  export class MyService {
      // ...
  }
  ```

  This change reduces the complexity of Alterior's dependency tree by ensuring that excess web server dependencies will not be present (ie fastify on an express app or express on a fastify app). It also fixes an issue where Alterior users were required to install a lot of Express-related `@types/*` packages to avoid TypeScript errors during development.
@/annotations
- The `@NgMetadataName()` and related Angular compatibility features have been entirely removed. They do not work with newer versions of Angular. The recommended way to use Alterior with Angular is via `@alterior/platform-angular`
@/runtime
- The `--self-test` option no longer starts the application (so the `OnStart` lifecycle method does not execute)
@/web-server
- Adds support for `boolean` values on input parameters (ie `@QueryParam()`) when a parameter annotated with `boolean` type is used. The values `''`, `'no'`, `'0'`, `'false'`, and `'off'` produce `false`, all other values produce `true`.
- Adds support for `Date` values on input parameters (ie `@QueryParam` et al) when a parameter annotated with `Date` type is used. Any string value that produces a valid `Date` object via `new Date(str)` will be accepted, otherwise a `400 Bad Request` will be returned without executing the route method. Caution: Because this accepts values in milliseconds (not seconds), it is not suitable for receiving UNIX timestamps.
- Adds support for receiving the ID for the request from a request header (ie `X-Trace` or so). Not enabled by default. Use `requestIdHeader` option when configuring the web server to enable this functionality.
- Fixes an issue where request ID was wastefully generated twice
- Removed the `engine` option from `WebServerOptions`. Either set `WebServerEngine.default` or provide `WebServerEngine` as a dependency to specify the web engine. See above for details.
- `@QueryParam()` no longer requires the `name` parameter. Similar to the other input decorators, `@QueryParam()` already supported auto-detecting `name`, this just adjusts the function signature to match the behavior.
- `CertificateGenerator` is now properly exported for external use
- Routes which do not return any result content now generate `204 No Content`, provided the headers have not already been sent, and the status code selected by the end of the request is `200 OK`. If you need to return an empty body with status `200 OK` instead of `204 No Content`, call `WebEvent.response.end()` before completing the request.
@/common
- Adds ability to get an entry from `Cache<T>` without doing a fetch operation
- Fixes an issue with `Cache<T>` where `null` and `undefined` are cached incorrectly. `null` now caches correctly and `undefined` is never cached.
3.0.0-rc.3 hotfixes CommonJS support via downgrade to node-fetch@2
@/platform-nodejs
- `fetch()` is now made available globally using `node-fetch`
- First release candidate for v3.0.0