1.10.0 Breaking Changes
Please see the following issues for breaking changes to plugins and themes.
https://github.com/NodeBB/NodeBB/issues?utf8=✓&q=is%3Aissue+milestone%3A1.10.0+label%3A"breaking+change+(themes)"+
https://github.com/NodeBB/NodeBB/issues?q=is%3Aissue+milestone%3A1.10.0+label%3A"breaking+change+(plugins)"
If you have plugins that are affected, please update your plugin and add the below to your package.json:
"nbbpm": { "compatibility": "^1.10.0" }
-
Hi,
I think I have discovered another breaking change that you didn't mention, though it is probably super-niche.
This commit: https://github.com/NodeBB/NodeBB/commit/ec91ef1c644044bba44198b031913655e784b4bb broke our custom SSO plugin. The result was that after successfully logging in to our external identity provider and being redirected to our Forum's callback endpoint, I was ending up not logged in (the button in the header still said "Log in") and stuck on the /register/complete roadblock. It looked like our Passport strategy verify callback, which parses output from the identity provider and fetches user data via OAuth2, was not invoked at all.
It turns out that the changes in this commit don't play well together with passport-oauth2's (https://github.com/jaredhanson/passport-oauth2) internal ability to protect against CSRF (which we were using). This strategy was already using the state parameter to pass its own CSRF token. I don't have more time to investigate but I suspect things shipwrecked when NodeBB overwrote the state parameter with its own CSRF token.
Turning off passport-oauth2 internal CSRF protection (by removing state: true from its options) fixed the issue.
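
A simplified model of the conflict suspected in the post above, added here as an example; it is not code from NodeBB, passport-oauth2 or the poster. It assumes two layers that each keep their own CSRF token in the session and each expect it back in the single state parameter; all function names are hypothetical and the session and callback values are constructed.

```javascript
// Simplified model with constructed values, not NodeBB or passport-oauth2 source.
const { randomBytes } = require('crypto');
const newToken = () => randomBytes(16).toString('hex');

// Strategy-level CSRF protection: stores its own nonce in the session and
// refuses the callback unless the same value comes back in `state`.
function strategyAuthorize(session, useState) {
  const params = { response_type: 'code' };
  if (useState) {
    session.strategyState = newToken();
    params.state = session.strategyState;
  }
  return params;
}

function strategyCallback(session, query, useState, verify) {
  if (useState && query.state !== session.strategyState) {
    return { loggedIn: false, reason: 'strategy state mismatch' };
  }
  return { loggedIn: true, user: verify(query.code) };
}

// Outer application layer (hypothetical): writes its own CSRF token into the
// same `state` parameter, replacing whatever the strategy put there.
function appAuthorize(session, useState) {
  const params = strategyAuthorize(session, useState);
  session.appCsrf = newToken();
  return { ...params, state: session.appCsrf };
}

function appCallback(session, query, useState, verify) {
  if (query.state !== session.appCsrf) {
    return { loggedIn: false, reason: 'app state mismatch' };
  }
  return strategyCallback(session, query, useState, verify);
}

// One full round trip; the identity provider echoes `state` back unchanged.
function roundTrip(useState) {
  const session = {};
  let verifyCalls = 0;
  const verify = (code) => { verifyCalls += 1; return { id: 1, code }; };
  const sent = appAuthorize(session, useState);
  const query = { code: 'constructed-code', state: sent.state };
  return { ...appCallback(session, query, useState, verify), verifyCalls };
}

console.log(roundTrip(true));  // strategy check fails, verify never runs
console.log(roundTrip(false)); // only the outer check runs, verify is called
```

In this model only the layer that wrote state last can pass its own check, so exactly one component should own the parameter and that component's check must stay enabled.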