cbSecurity 2.13 Released with Refresh Tokens Support

ColdBox MVC, Modules, News, Releases, Security

Luis Majano September 02, 2021

Spread the word

Luis Majano

September 02, 2021

Spread the word

Share your thoughts

We are incredibly excited to release cbSecurity version 2.13.0 today. This release packs a big punch in terms of features for our JWT support for RESTFul APIs. We are excited to announce full refresh token support and much more.


# Install
install cbsecurity

# Update
update cbsecurity

Refresh Tokens

ColdBox Security supports the concept of refresh tokens alongside the normal JWT access tokens.

What Is a Refresh Token?

A refresh token is a credential artifact that lets a client application get new access tokens without having to ask the user to log in again. Access tokens may be valid for a short amount of time. Once they expire, client applications can use a refresh token to "refresh" the access token.

The client application can get a new access token as long as the refresh token is valid and unexpired. Consequently, a refresh token that has a very long lifespan could theoretically give infinite power to the token bearer to get a new access token to access protected resources anytime. The bearer of the refresh token could be a legitimate user or a malicious user.

You can read all about how we implemented refresh tokens for ColdBox security here: https://coldbox-security.ortusbooks.com/jwt/refresh-tokens

What's New With 2.13.0

Added

Adobe 2021 Support
Migration to GitHub Actions from Travis CI
Refresh tokens support
Refresh token endpoint /cbsecurity/refreshToken for secure refresh token generation
Manual refresh token method on the JwtService : refreshToken( token )
Auto refresh token header interceptions for JWT validators
Detect on authenticate() if the payload is empty and throw the appropriate exceptions
Added ability for the authenticate( payload ) to receive a payload to authenticate
Added ability to recreate the token storage using a force argument getTokenStorage( force = false )
Ability for the parseToken() to choose to store and authenticate or just parse

Fixed

Unique jti could have collisions if tokens created at the same time, add randomness to it
TokenExpirationException not relayed from the base jwt library
If variables.settings.jwt.tokenStorage.enabled is disabled all invalidations failed, make sure if the storage is disabled to not throw storage exceptions.

MatchBox and WebAssembly: Running BoxLang in the Browser and at the Edge

The MatchBox open beta is live at https://boxlang.ortusbooks.com/boxlang-framework/matchbox, and it brings something genuinely new to the BoxLang ecosystem: a path into WebAssembly.

That means BoxLang code can now move into browser applications, static-site deployments, edge runtimes, and WASI-style containers - without requiring a JVM. The feature is still beta, but the core direction is already useful: write BoxLang, compile it with MatchBox, and ship the generated WASM artifact to wherever a small portable runtime makes sense.

BoxLang 1.14.0 : BoxSet is Here: BoxLang's New First-Class Set Type

BoxLang 1.14.0 ships something that JVM developers have wanted for a long time: a true first-class Set type baked directly into the language. Not a wrapper you reach for manually, not a createObject( "java", "java.util.HashSet" ) incantation you paste from a Stack Overflow answer years ago. A real BoxSet with literal syntax, operator overloads, a full functional pipeline, change listeners, JSON serialization, and deep Java interop.

BoxLang 1.14.0 : Sets, Ranges, Inner Classes, and a Runtime That Talks Back

BoxLang has never stood still, but 1.14.0 is something different. This is the release where the language stops filling gaps and starts defining what a modern dynamic JVM language looks like on its own terms. Sixty-five issues closed. Four innovative language features. A formatter that has grown up. And a companion module - bx-mcp - that fundamentally changes how you operate a running BoxLang application with AI.

Blog