6. Changelog
This changelog documents all notable changes to the ICS app. The format follows Keep a Changelog, and this project adheres to Semantic Versioning.
6.1. 1.4
Released: 13. December 2022
6.1.1. Changed
Refresh Nextcloud token when expired before proxying the request.
Improved logging messages with JSON formatting.
6.1.2. Added
UCR variable to set the log level.
Logging to files and standard output.
6.1.3. Security
Intercom service requests Nextcloud tokens with the Nextcloud audience, instead of the audience of OX App Suite.
6.2. 1.3
Released: 28. October 2022
6.2.1. Changed
Treat expired refresh tokens as no token, triggering a silent login attempt.
Matrix login type is set to m.login.application_service and is no longer configurable.
Switch to v3 Matrix client API.
6.3. 1.2
Released: 29. September 2022
6.3.1. Added
Various debug logs
6.3.2. Changed
Apply firewall rules during installation to make ICS accessible from outside of UCS.
Set Docker DNS based on the UCR variables nameserver1, nameserver2 and nameserver3.
6.3.3. Security
The Filepicker functionality of ICS now fetches a separate token for authenticating with the file hosting application Nextcloud. The OX OIDC client in the IdP must be allowed to fetch a token for the Nextcloud OIDC client. This was always intended, but not correctly enforced in earlier versions.
6.3.4. Fixed
Update deprecated usage of express.urlencoded.
ICS health check failed because of Nordeck URL returning 404.
Video conferences created as the wrong user.
Central navigation returning navigation.json for the wrong user under certain circumstances.
6.4. 1.1
Released: 16. September 2022
6.4.1. Added
- Stability
ICS split the cookie headers by a logic that didn’t consider certain cases. Now, ICS uses a standard cookie library for handling cookie headers.
During app installation, ICS tests whether it can reach the URLs of the required services Keycloak, Nextcloud, Nordeck, and UCS Portal. The installation shows a warning if the test can’t reach the services. Additionally, ICS runs a health check within the Docker container every 60 seconds to test whether it can reach the services.
- Refreshing Access Tokens
A middleware that automatically refreshes access tokens when they expire.
6.4.2. Changed
Improve the readability of user documentation.
6.4.3. Security
The Redis database provides persistence for app sessions. The update applies the following security fixes to Redis:
Password protection provided in /etc/intercom-redis.secret.
The Redis container is only accessible from the docker-compose internal network (external: false).
Verify the JWT (JSON Web Token) access or ID token with the public key of the Keycloak issuer.
Enable backchannel-logout and remove the appropriate app session from ICS.
6.4.4. Fixed
Convert the uppercase value for the environment variable PROXY to lowercase. Using the variable in JavaScript requires the value as a lowercase string.
6.5. 1.0
Released: 22. August 2022
6.5.1. Added
Endpoint for OIDC silent login against Keycloak on /silent.
Endpoint to securely proxy requests from Open-Xchange to Nordeck on /nob, allowing the creation of Element videoconferences from Open-Xchange.
Endpoint to securely proxy requests from Open-Xchange to Nextcloud on /fs, allowing use of the email Filepicker with Nextcloud.
Endpoint to securely proxy requests from Open-Xchange to UCS Portal /navigation.json, allowing for use of UCS Portal central navigation from Open-Xchange.
Session storage with Redis.