v1.3.2

v1.3.1...v1.3.2

#34 - Hides local log-in form unless "local" provider is enabled.

Note: This change is also available in v1.2.1 for amphora-auth users not ready to adopt the "secure" session cookie.

v1.2.1

v1.2.0...v1.2.1

#34 - Backport: Hides local log-in form unless "local" provider is enabled.
#29 - Backport: Enables HEAD as an allowed unauthenticated method.

v1.3.1

v1.3.0...v1.3.1

#31 - Adds Secure: true for clay-session cookies.

⚠️ ⚠️ ⚠️

Setting Secure requires app.use('trust proxy', <val>); when performing early SSL termination.

Even if using trust proxy the value of X-Forwarded-Proto must be https for the cookie to be set.

Projects that use multiple proxy layers may need to get creative to convince express-session to set the cookie.

Example:

// Only do this if you trust your proxy configuration!                                                                         
function xProtocolMiddleware(req, res, next) {                                   
  req.headers['x-forwarded-proto'] = 'https';                                    
  next();                                                                        
}

app.use(xProtocolMiddleware);                                                  
app.set('trust proxy', true);

v1.3.0

#29 - Enables HEAD as an allowed unauthenticated method.

The logic for determining whether a route is protected only allowed GET as a read-only method.
This meant that whenever a HEAD request is issued a user would be redirected to the authentication page.

Feature: Subsite Support

Checks for a site's subsiteSlug so that subsites can now authenticate.

Subsites will be available in Amphora v7.6.0

Feature: AWS Cognito authentication support

Thanks to @brienhodges !