From 2e5e6f82815ed0f23d63dd0f61a72bd1d1599d37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Bajto=C5=A1?= Date: Wed, 21 Sep 2016 16:27:33 +0200 Subject: [PATCH 1/2] Fix formatting in Migrating-to-3.0 --- pages/en/lb3/Migrating-to-3.0.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pages/en/lb3/Migrating-to-3.0.md b/pages/en/lb3/Migrating-to-3.0.md index 02e383f93..2751d62d6 100644 --- a/pages/en/lb3/Migrating-to-3.0.md +++ b/pages/en/lb3/Migrating-to-3.0.md @@ -158,7 +158,7 @@ details. at Layer.handle [as handle_request] (.../node_modules/express/lib/router/layer.js:95:5) ``` -#### Setting up "current context" in 3.x +### Setting up "current context" in 3.x To setup "current context" feature in your LoopBack 3.x application, you should use [loopback-context](https://www.npmjs.com/package/loopback-context) @@ -336,7 +336,7 @@ Use `PersistedModel` to report change-tracking errors via the existing method `PersistedModel.handleChangeError`. This method can be customized on a per-model basis to provide different error handling. -## `app.model(modelName, settings)` was removed +### `app.model(modelName, settings)` was removed `app.model(modelName, settings)`, a sugar for creating non-existing model, was now removed in favor of the following two methods: From 2333c01ad795736597ea6a6ee370d66c5a2bb906 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Bajto=C5=A1?= Date: Wed, 21 Sep 2016 16:50:07 +0200 Subject: [PATCH 2/2] Describe recent CORS-related changes - In 3.0, we are dropping built-in CORS middleware - In 2.x, the built-in CORS middleware was deprecated --- pages/en/lb2/Security-considerations.md | 49 +++++++++++++++++++++++++ pages/en/lb3/Migrating-to-3.0.md | 34 +++++++++++++++++ 2 files changed, 83 insertions(+) diff --git a/pages/en/lb2/Security-considerations.md b/pages/en/lb2/Security-considerations.md index fe94a0d23..dd7349cc4 100644 --- a/pages/en/lb2/Security-considerations.md +++ b/pages/en/lb2/Security-considerations.md @@ -74,6 +74,55 @@ myApp.config(['$httpProvider', function($httpProvider) { ]); ``` +### Deprecation of built-in CORS middleware + +In preparation for the LoopBack 3.0 release, which removes the built-in CORS +middleware entirely, we have deprecated the built-in CORS middleware in +versions 2.x. Applications scaffolded by an older version of `slc loopback` +will print the following warning when the first request is served: + +``` +strong-remoting deprecated The built-in CORS middleware provided by REST adapter was deprecated. See https://docs.strongloop.com/display/public/LB/Security+considerations for more details. +``` + +To suppress the warning, you should disable the built-in CORS middleware in +your `server/config.json` by setting the property `remoting.cors` to `false`: + +```js +{ + // ... + "remoting": { + // ... + "cors": false + } +} +``` + +If you would like to keep cross-site requests allowed, then you need to follow +these additional steps: + + 1. `npm install --save cors` + + 2. Edit the `initial` section in your `server/middleware.json` and add + a configuration block for `cors` middleware: + + ```js + { + // ... + "initial": { + // ... + "cors": { + "params": { + "origin": true, + "credentials": true, + "maxAge": 86400 + } + } + }, + // ... + } + ``` + ## Mitigating XSS exploits LoopBack stores the user's access token in a JavaScript object, which may make it susceptible to a cross-site scripting (XSS) security exploit. diff --git a/pages/en/lb3/Migrating-to-3.0.md b/pages/en/lb3/Migrating-to-3.0.md index 2751d62d6..e60827852 100644 --- a/pages/en/lb3/Migrating-to-3.0.md +++ b/pages/en/lb3/Migrating-to-3.0.md @@ -211,6 +211,40 @@ returning your Promise instances, then you have two options: 2. Rework your code to use Bluebird API instead of the API provided by your Promise implementation. +## Check your CORS configuration + +We have removed built-in CORS middleware from `loopback.rest()` handler. It's +up to the applications to setup and configure application-wide CORS policies. + +If you have scaffolded your application with a recent version of our generators +(`apic loopback` or `slc loopback`), then your application already comes with +a global CORS handler configured in `server/middleware.json`. + +If that's not the case, and you would like to allow cross-site requests to +your LoopBack server, then you need to follow these few steps: + + 1. `npm install --save cors` + + 2. Edit the `initial` section in your `server/middleware.json` and add + a configuration block for `cors` middleware: + + ```js + { + // ... + "initial": { + // ... + "cors": { + "params": { + "origin": true, + "credentials": true, + "maxAge": 86400 + } + } + }, + // ... + } + ``` + ## No need to check for `ctx.instance` in "loaded" hooks When implementing "loaded" hook for `DAO.find` method in 2.x, we have mistakenly