Release v2.12.0

🌟 Features

• Add endpoint POST /auth/logout to terminate current Session
  • Deletes currently used SessionToken
  • redirects to defaultLogoutRedirectUrl set via AppProperties (app.default-logout-redirect-url, see MIGRATION.md)
  • Redirection can be overwritten by QueryParam redirectUrl (POST /auth/logout?redirectUrl=https...)
  • redirect Urls have to be whitelisted in allowedLogoutRedirectUrls (app.allowed-logout-redirect-urls). This list of Strings is defaulting to an empty list. Ensure defaultLogoutRedirectUrl is listed here. Regex-Matching using * is supported.
  • Any redirection is overridden for OAuth users by the value of OAuth2ClientRegistrationProperties.ClientProvider#logoutUri.

🐞 Bug Fixes

🔨 Dependency Upgrades

• upgraded org.springframework.boot:spring-boot-starter-parent from 3.5.4 to 3.5.5
• upgraded io.sentry:sentry-spring-boot-starter-jakarta from 8.18.0 to 8.19.1
• upgraded io.jsonwebtoken:jjwt.version from 0.12.6 to 0.13.0
• upgraded org.wiremock.integrations:wiremock-spring-boot from 3.10.0 to 3.10.6
• upgraded org.springdoc:springdoc-openapi-starter-webmvc-ui from 2.8.8 t0 2.8.10

🧰 Migration

• The environment variable app.default-logout-redirect-url or APP_DEFAULT_LOGOUT_REDIRECT_URL must be set. Otherwise, the application will not start.
• The environment variable app.allowed-logout-redirect-urls or APP_ALLOWED_LOGOUT_REDIRECT_URLS must be defined as a list of stings. Otherwise, the application will not start. default-logout-redirect-url must exist in this list (either as a RegEx match or as an exact match)

Example:

app:
  default-logout-redirect-url: "http://localhost:3000/login"
  allowed-logout-redirect-urls:
    - "http://localhost:3000/*" # RegEx-match to default url
    - "https://example.com/logout/success" # for exact match
    - "https://*.example.com/*" # matching via RegEx, e.g. `https://prod.example.com/logout`, `https://staging.example.com/logout` or `https://testing.example.com/`, but not `https://testing.example.com`