v1.16.0 - 2020 Sep 19

[com.taoensso/sente "1.16.0"]

Major feature release. Should be non-breaking, but see here for recommended steps when updating any Clojure/Script dependencies.

Same as v1.16.0-RC1, v1.16.0-alpha2.

Changes since v1.15.0

• [NB] http-kit users must now use >= http-kit v2.4.0 (v2.5.0 is latest as of writing)

New since v1.15.0

• [#371 #375] Add Jetty 9 server adapter (@wavejumper)
• [#372] Add ring-undertow server adapter (@nikolap)
• [#275 #374] Add Clj WebSocket client support (@kaosko)
• Add optional auth fn to make-channel-socket-server! (@kaosko @ptaoussanis)
• [#356] Expose send-buffers_ as implementation detail (@kaosko)
• [#359 #360] Add :json-verbose format to Transit packer (@p-himik)
• [#362 #363] Allow additional keys in event-msg maps (@jjttjj)
• [#365] README: incl. example CSRF code (@mattford63)

Fixes since v1.15.0

• [#366 #353 #358] Make make-channel-socket-client! respect host option (@Rkiouak)
• Use new http-kit v2.4.0 server API internally to fix possible race conditions
• [#357 #247] Fix for React Native (@currentoor)

v1.16.0-RC1 - 2020 Sep 10

[com.taoensso/sente "1.16.0-RC1"]

Same as v1.16.0-alpha2.

See here recommended steps when updating any Clojure/Script dependencies.

v1.16.0-alpha2 - 2020 Aug 24

[com.taoensso/sente "1.16.0-alpha2"]

Major feature release. Should be non-breaking, but users of http-kit will need to update to >= http-kit v2.4.0.
See here for a tip re: general recommended steps when updating any Clojure/Script dependencies.

Changes since 1.15.0

• [NB] http-kit users must now use >= http-kit v2.4.0.
• [#362 #363] Allow additional keys in event-msg maps (@jjttjj).
• [#365] README: incl. example CSRF code (@mattford63).

New since 1.15.0

• [#371 #375] Add Jetty 9 server adapter (@wavejumper).
• [#372] Add ring-undertow server adapter (@nikolap).
• [#275 #374] Add Clj WebSocket client support (@kaosko).
• Add optional auth fn to make-channel-socket-server! (@kaosko @ptaoussanis).
• [#356] Expose send-buffers_ as implementation detail (@kaosko).
• [#359 #360] Add :json-verbose format to Transit packer (@p-himik).

Fixes since 1.15.0

• [#366 #353 #358] Make make-channel-socket-client! respect host option (@Rkiouak).
• Use new http-kit v2.4.0 server API internally to fix possible race conditions.
• [#357 #247] Fix for React Native (@currentoor).

v1.15.0 - 2019 Nov 27

v1.15.0 - 2019 Nov 27

[com.taoensso/sente "1.15.0"]

Just updates some dependencies. Should be non-breaking.

• [#355] Fix: Bump encore dependency to fix deprecated goog.structs/Map issue.

v1.14.0 - 2019 Oct 19

[com.taoensso/sente "1.14.0"]

As v1.14.0-RC2, but also includes:

• [#307] New: Add server adapter for Macchiato Framework on Node.js (@theasp)
• [#137 #338] New: Add support for origin/referrer checking (@eerohele)
• [#349 #348] New: Add support for specifying chsk port when connecting from client (@pieterbreed)
• [#337] Fix: Incorrect value (only udt) swapped into conns_ (@osbert)
• [#341] Fix: Make cljsbuild output-to resources/public/main.js directly (@shaolang)

v1.14.0-RC2 - 2019 Jan 12

[com.taoensso/sente "1.14.0-RC2"]

This is a CRITICAL bugfix release, please upgrade ASAP

• [#137] SECURITY FIX, BREAKING: fix badly broken CSRF protection (@danielcompton, @awkay, @eerohele), more info below

My sincere apologies for this mistake. Please write if I can provide more details or any other assistance. Further testing/auditing/input very much welcome! - @ptaoussanis

Security bug details

• All previous versions of Sente (< v1.14.0) contain a critical security design bug identified and reported by @danielcompton, @awkay, @eerohele. (Thank you to them for the report!).
• Bug: Previous versions of Sente were leaking the server-side CSRF token to the client during the (unauthenticated) WebSocket handshake process.
• Impact: An attacker could initiate a WebSocket handshake against the Sente server to discover a logged-in user's CSRF token. With the token, the attacker could then issue cross-site requests against Sente's endpoints. Worse, since Sente often shares a CSRF token with the rest of the web server, it may be possible for an attacker to issue cross-site requests against the rest of the web server (not just Sente's endpoints).

Security fix details

• The fix commit stops the CSRF token leak, introducing a BREAKING API CHANGE (details below).
• Sente will now (by default) refuse to service any requests unless a CSRF token is detected (e.g. via ring-anti-forgery).

Breaking changes

make-channel-socket-client! now takes an extra mandatory argment

It now takes an explicit csrf-token that you must provide. The value for the token can be manually extracted from the page HTML (example).

In most cases the change will involve three steps:

1. You need to include the server's CSRF token somewhere in your page HTML: example.
2. You need to extract the CSRF token from your page HTML: example.
3. You'll then use the extracted CSRF token as an argument when calling make-channel-socket-client!: example.

Client-side :chsk/handshake event has changed

It now always has nil where it once provided the csrf-token provided by the server.

   I.e. before: [:chsk/handshake [<?uid> <csrf-token> <?handshake-data> <first-handshake?>]]
         after: [:chsk/handshake [<?uid> nil          <?handshake-data> <first-handshake?>]]

Most users won't be affected by this change.

v1.13.1 - 2018 Aug 22

[com.taoensso/sente "1.13.1"]

This is a hotfix release, should be non-breaking

• [#327 #326] Fix broken ws->ajax downgrade logic (@michaelcameron)

v1.13.0 - 2018 Aug 4

[com.taoensso/sente "1.13.0"]

This is a maintenance release, should be non-breaking in most cases

• Updated all dependencies

v1.12.1 - 2018 Aug 4

[com.taoensso/sente "1.12.1"]

This is a non-breaking maintenance release

• [#323] Fix: Work correctly with new versions of ring-anti-forgery (@timothypratley)

v1.12.0 - 2017 Dec 10

[com.taoensso/sente "1.12.0"]

This is a non-breaking bugfix release which updates some dependencies

• [#315 #314 #311] Fix: Updated dependencies (@theasp)