6. Changelog

This changelog documents all notable changes to the ICS app. The format follows Keep a Changelog, and this project adheres to Semantic Versioning.

6.1. 1.4

Released: 13. December 2022

6.1.1. Changed

  • Refresh an expired Nextcloud token before proxying the request.

  • Improved logging messages with JSON formatting.

6.1.2. Added

  • UCR variable to set the log level.

  • Logging to files and standard output.

6.1.3. Security

  • Intercom service requests Nextcloud tokens with the Nextcloud audience, instead of the audience of OX App Suite.

6.2. 1.3

Released: 28. October 2022

6.2.1. Changed

  • Treat expired refresh tokens as no token, triggering a silent login attempt.

  • Matrix login type is set to m.login.application_service and is no longer configurable.

  • Switch to v3 Matrix client API.

6.3. 1.2

Released: 29. September 2022

6.3.1. Added

  • Various debug logs.

6.3.2. Changed

  • Apply firewall rules during installation to make ICS accessible from outside of UCS.

  • Set Docker DNS based on the UCR variables nameserver1, nameserver2 and nameserver3.

6.3.3. Security

  • The Filepicker functionality of ICS now fetches a separate token for authenticating with the file hosting application Nextcloud. The OX OIDC client in the IdP must be allowed to fetch a token for the Nextcloud OIDC client. This was always intended, but not correctly enforced in earlier versions.

6.3.4. Fixed

  • Update deprecated usage of express.urlencoded.

  • ICS health check failed because of Nordeck URL returning 404.

  • Video conferences created as the wrong user.

  • Central navigation returning navigation.json for the wrong user under certain circumstances.

6.4. 1.1

Released: 16. September 2022

6.4.1. Added

Stability
  • ICS split the cookie headers with logic that didn’t consider certain cases. Now, ICS uses a standard cookie library for handling cookie headers.

  • During app installation, ICS tests whether it can reach the URLs of the required services Keycloak, Nextcloud, Nordeck, and UCS Portal. The installation shows a warning if the test can’t reach the services. Additionally, ICS runs a health check within the Docker container every 60 seconds to test whether it can reach the services.

Refreshing Access Tokens

A middleware that automatically refreshes access tokens when they expire.

6.4.2. Changed

  • Improve the readability of user documentation.

6.4.3. Security

  • The Redis database provides persistence for app sessions. The update applies the following security fixes to Redis:

    • Password protection provided in /etc/intercom-redis.secret.

    • The Redis container is only accessible from the docker-compose internal network (external: false).

  • Verify the JWT (JSON Web Token) access or ID token with the public key of the Keycloak issuer.

  • Enable backchannel logout and remove the appropriate app session from ICS.

6.4.4. Fixed

  • Convert the uppercase value for the environment variable PROXY to lowercase. Using the variable in JavaScript requires the value as a lowercase string.

6.5. 1.0

Released: 22. August 2022

6.5.1. Added

  • Endpoint for OIDC silent login against Keycloak on /silent.

  • Endpoint to securely proxy requests from Open-Xchange to Nordeck on /nob, allowing the creation of Element videoconferences from Open-Xchange.

  • Endpoint to securely proxy requests from Open-Xchange to Nextcloud on /fs, allowing the use of the email Filepicker with Nextcloud.

  • Endpoint to securely proxy requests from Open-Xchange to UCS Portal /navigation.json, allowing the use of UCS Portal central navigation from Open-Xchange.

  • Session storage with Redis.