v16.0.1: Streams & Tests

@evantahler evantahler released this Feb 24, 2017

Do not require a fileLength when sending a stream

(web server) Allows Actionhero to pipe streams of unknown length to web clients, skipping the Content-Length header

Error on duplicated initializer name

When booting Actionhero, if you have initializers with duplicated names (including those which would overwrite a core initializer) the server will exit with a relevant error message.

Fixes socket helper functions

(when booting the web server) cleanSocket and chmodSocket both assumed port to be a string. While this should be the case, there are no prior checks for this condition so the error thrown is quite confusing for the end user. The code has been modified to check that the port is a string type before calling indexOf on it.


  • Better testing of redis shutdown behavior
  • use cross-env in test environment so windows users can play along at home
  • Ensure that generator and test examples pass Standard lint
  • Move to the Chai assertion library in tests, dropping should

Upgrade dependent packages to latest versions


v16.0.0 Javascript Standard Style

@evantahler evantahler released this Nov 23, 2016 · 63 commits to master since this release

Javascript Standard Style

Version 16 is a re-write of many parts of ActionHero's internals to follow the Standard JavaScript Style Guide. This new guide replaces ESLint as our linting tool, and comes with good opinions on how to write safe, readable JS code. ActionHero now passes this linter, and as such, should be much easier to work with

All new contributions to ActionHero must follow this style, and will be tested as part of the test suite automatically.

To conform with proper JS style, some breaking changes were introduced:

  • api.Connection() rather than api.connection()
  • api.GenericServer() rather than api.genericServer()
  • api.ActionProcessor() rather than api.actionProcessor()
  • require("actionhero") not require("actionhero").actionheroPrototype should you be using ActionHero programatically.

By @evantahler via #983

Remove "uncaught" from error message (Taks)

Disable file request logging by default on production

Update all dependent packages to latest versions

  • This includes replacing node-uuid with uuid (#984)


v15.3.0: Redirection and SpecHelper Updates

@evantahler evantahler released this Nov 4, 2016 · 83 commits to master since this release

Maintain path when redirecting web client whose host did not match host

  • If a web client's Host header/request does not match those found in api.config.servers.web.allowedRequestHosts, we will noe maintain the path of the request when redirecting
  • via @evantahler via #977

Response type saftey for action errors and spec helper

  • If your action returns a string or array, and there is an error, we should return the error as a string, and not attempt to return response.error = error, as this creates an improper javascript object. This may be a breaking change if you relied on this improper behavior
  • This extends to the specHelper, whose response types should follow this same pattern. Actions with string responses will remain as string or array responses will have errors returned as strings.
  • via @evantahler via #979

Enable/disable spechelper metadata

  • In your tests, if you do not want the specHelper actions to include metadata (data.response.serverInformation, data.response.requesterInformation, and data.response.messageCount) from the server, you can configure api.specHelper.returnMetadata = false in your tests.
  • via @evantahler via #980


v15.2.0: System Logging Updates

@evantahler evantahler released this Oct 31, 2016 · 93 commits to master since this release

This release updates the logger (api.log) in 2 meaningful ways:

  • Fixes the localization of many system messages which were not using interpolation. This causes many system-specific strings to be append to your locale files when they should not have been.
  • Creates a new config option api.config.logger.localizeLogMessages which allows developers to opt-into localizing all system log messages (api.log).
    • If you are migrating for an older version of ActionHero, your log messages will not be localized by default
    • The default changes in this pull request from the previous "enabled implicitly" to "disabled explicitly"
    • by @evantahler via #976


v15.1.5: HTTP Rediection Fix

@evantahler evantahler released this Oct 29, 2016 · 99 commits to master since this release

Fixes a bug introduced with v15.1.4 which was improperly detecting client protocols (http vs https) when using the new api.config.servers.web.allowedRequestHosts host restrictions.


v15.1.4: HTTP Rediection

@evantahler evantahler released this Oct 29, 2016 · 101 commits to master since this release

ActionHero now allows you to define a collection of host headers which this API server will allow access from. You can set these via api.config.servers.web.allowedRequestHosts. If the Host header of a client does not match one of those listed (protocol counts!), they will be redirected to the first one present.

You can also set process.env.ALLOWED_HOSTS which will be parsed as a comma-separated list of Hosts which will set api.config.servers.web.allowedRequestHosts

By @evantahler via #973


v15.1.3: re-tagging

@evantahler evantahler released this Oct 28, 2016 · 106 commits to master since this release

This release contains no fixes over v15.1.2.
We re-published on NPM to ensure that this was the latest version.


v15.1.2: Security Release

@evantahler evantahler released this Oct 27, 2016 · 107 commits to master since this release

This is a security release which solves the following:

404 Web Request with malicious file name

Previously, the default error responder when a client asked for a static-file which was missing (404) returned the name the of that file

api.config.errors.fileNotFound = function(connection){
  return connection.localize(['That file is not found (%s)', connection.params.file]);

This is dangerous because a malicious actor could request a filename with an executable javascript tag and harm the requester. We now will no longer return the file name:

api.config.errors.fileNotFound = function(connection){
  return connection.localize(['That file is not found']);

Malicious callback provided when requesting an action via JSONp

When requesting an action via JSONp, it was possible (though unlikely) that the callback string you were providing contained malicious javascript which would harm the requester. We will now sanitize the provided callback in the following way:

function callbackHtmlEscape(str){
  return str
    .replace(/&/g, '&')
    .replace(/"/g, '"')
    .replace(/'/g, ''')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/\)/g, '')
    .replace(/\(/g, '');

This fix has been backported to:

A huge thank you to @submitteddenied is earned for reporting these issues and working to fix them.