mia-platform · ThisIsDemetrio · Nov 19, 2025 · Nov 21, 2025 · Nov 24, 2025
@@ -59,6 +59,19 @@ In this configuration, we expect that all the methods are written in uppercase.
 
 In this configuration authorization is separated between backoffice and frontend request. The header to match this condition is set by the env variable `BACKOFFICE_HEADER_KEY`.
 
+:::warning Route Matching Behavior (v3.0.0+)
+
+Starting from version 3.0.0, route matching has been made stricter. Non-defined routes will no longer match existing route configurations with prefix names, but only sub-routes (but only if their configuration end with `/`).
+
+For example:
+
+- A request to `/users-internal` will **NOT** match a `/users` configuration
+- A request to `/users/info` can match the configuration defined in `/users`
+
+If you're upgrading from a previous version, review your route configurations to ensure all expected routes are explicitly defined or properly structured with trailing slashes for parent route fallback.
+
+:::
+
 ### Configuration example
 
 ```json
@@ -104,30 +117,29 @@ In this configuration authorization is separated between backoffice and frontend
     }
   }
 }
-
 ```
 
 ## Environment variables
 
-* **LOG_LEVEL** (*default: `trace`*): level of the log. It can be `trace`, `debug`, `info`, `warn`, `error`, or `fatal`;
-* **HTTP_PORT** (*default: `3000`*): the port exposed by the service;
-* **CONFIGURATION_PATH** (*required, default: `./`*): the path to the configuration file. Do not include the file name;
-* **CONFIGURATION_FILE_NAME** (*required, default: `test-config.test`*): the name of the configuration file. Do not include the full path;
-* **BACKOFFICE_HEADER_KEY** (*required, default: `isbackoffice`*): the header key which identifies the value which determines if the service is considered backoffice;
-* **SERVICE_VERSION** (*default: `1.0.0`*): the service version, included in status routes responses;
-* **SERVICE_PREFIX**: the prefix used for the path of the service endpoints;
-* **USERINFO_URL** (*required*, if `TRUST_MIA_USER_HEADERS` is set to `false`): the url of the service that provides information about the user.
+- **LOG_LEVEL** (*default: `trace`*): level of the log. It can be `trace`, `debug`, `info`, `warn`, `error`, or `fatal`;
+- **HTTP_PORT** (*default: `3000`*): the port exposed by the service;
+- **CONFIGURATION_PATH** (*required, default: `./`*): the path to the configuration file. Do not include the file name;
+- **CONFIGURATION_FILE_NAME** (*required, default: `test-config.test`*): the name of the configuration file. Do not include the full path;
+- **BACKOFFICE_HEADER_KEY** (*required, default: `isbackoffice`*): the header key which identifies the value which determines if the service is considered backoffice;
+- **SERVICE_VERSION** (*default: `1.0.0`*): the service version, included in status routes responses;
+- **SERVICE_PREFIX**: the prefix used for the path of the service endpoints;
+- **USERINFO_URL** (*required*, if `TRUST_MIA_USER_HEADERS` is set to `false`): the url of the service that provides information about the user.
 If you rely on `auth0-client` or on the `authentication-service`, the value of this variable should be respectively `http://auth0-client/userinfo` or `http://authentication-service/userinfo`, where the hostname might be different if your service has been renamed;
-* **CUSTOM_USER_ID_KEY** : a unique identifier of the user, based on the response given by the endpoint set in **USERINFO_URL**.  If you use `auth0-client` it should be `sub`, if you use `authentication-service` it should be `userId`. Refer to the documentation of the external service you are using for more information about the user id.
-* **AUTHORIZATION_STRICT_MODE_ENABLED**: defines whether strict mode is enabled or not;
-* **USER_PROPERTIES_TO_PROXY**: the name of the fields in the response from **USERINFO_URL** that you want to be proxied to other services. They will be JSON encoded and set as value of the header configured in the env variable `USER_PROPERTIES_HEADER_KEY`.
-* **CLIENT_TYPE_HEADER_KEY** (*required, default: `client-type`*): the header key which identifies the value which determines the client type;
-* **BACKOFFICE_USERINFO_URL**: the backoffice url of the service that provides information about the user;
-* **CUSTOM_PERMISSIONS_KEY**: the name of the field in the response from **USERINFO_URL** to be used to retrieve permissions. The field must be at the first level of the response and must be an array of strings. Permissions can then be used in ACL expressions as described [here](/products/console/api-console/api-design/endpoints.md#manage-the-security-of-your-endpoints);
-* **DELAY_SHUTDOWN_SECONDS** (*default: `10`*): the amount of seconds waited before closing the service when performing a graceful shutdown;
-* **HEADERS_TO_PROXY**: specifies which headers need to be proxied (to the url set by **USERINFO_URL** variable). If you are using `auth0-client` or `authentication-service`, its value should be `x-request-id,request-id,cookie,authorization,client-type,host,x-forwarded-host`;
-* **AUTHORIZATION_HEADERS_TO_PROXY**: specifies which headers could contain the authorization headers used by the user services in a comma separated list of headers. For example, in an oidc flow where the session is saved as bearer token, here should be set `authorization`.
-* **TRUST_MIA_USER_HEADERS** (*default: `false`*): specifies if the service should trust the request headers which contain the user data (**be careful**: do not set this to `true` if this authorization service is used by an API Gateway exposed to internet. This is intended for the API Gateways of the projects protected by an Edge Gateway).
-* **USERID_HEADER_KEY** (*default: `miauserid`*): the request header containing the user id.
-* **GROUPS_HEADER_KEY** (*default: `miausergroups`*): the request header containing the user groups.
-* **USER_PROPERTIES_HEADER_KEY** (*default: `miauserproperties`*): the request header containing the user properties.
+- **CUSTOM_USER_ID_KEY** : a unique identifier of the user, based on the response given by the endpoint set in **USERINFO_URL**.  If you use `auth0-client` it should be `sub`, if you use `authentication-service` it should be `userId`. Refer to the documentation of the external service you are using for more information about the user id.
+- **AUTHORIZATION_STRICT_MODE_ENABLED**: defines whether strict mode is enabled or not;
+- **USER_PROPERTIES_TO_PROXY**: the name of the fields in the response from **USERINFO_URL** that you want to be proxied to other services. They will be JSON encoded and set as value of the header configured in the env variable `USER_PROPERTIES_HEADER_KEY`.
+- **CLIENT_TYPE_HEADER_KEY** (*required, default: `client-type`*): the header key which identifies the value which determines the client type;
+- **BACKOFFICE_USERINFO_URL**: the backoffice url of the service that provides information about the user;
+- **CUSTOM_PERMISSIONS_KEY**: the name of the field in the response from **USERINFO_URL** to be used to retrieve permissions. The field must be at the first level of the response and must be an array of strings. Permissions can then be used in ACL expressions as described [here](/products/console/api-console/api-design/endpoints.md#manage-the-security-of-your-endpoints);
+- **DELAY_SHUTDOWN_SECONDS** (*default: `10`*): the amount of seconds waited before closing the service when performing a graceful shutdown;
+- **HEADERS_TO_PROXY**: specifies which headers need to be proxied (to the url set by **USERINFO_URL** variable). If you are using `auth0-client` or `authentication-service`, its value should be `x-request-id,request-id,cookie,authorization,client-type,host,x-forwarded-host`;
+- **AUTHORIZATION_HEADERS_TO_PROXY**: specifies which headers could contain the authorization headers used by the user services in a comma separated list of headers. For example, in an oidc flow where the session is saved as bearer token, here should be set `authorization`.
+- **TRUST_MIA_USER_HEADERS** (*default: `false`*): specifies if the service should trust the request headers which contain the user data (**be careful**: do not set this to `true` if this authorization service is used by an API Gateway exposed to internet. This is intended for the API Gateways of the projects protected by an Edge Gateway).
+- **USERID_HEADER_KEY** (*default: `miauserid`*): the request header containing the user id.
+- **GROUPS_HEADER_KEY** (*default: `miausergroups`*): the request header containing the user groups.
+- **USER_PROPERTIES_HEADER_KEY** (*default: `miauserproperties`*): the request header containing the user properties.
@@ -11,6 +11,16 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 3.0.0 - 18-11-2025
+
+### Breaking Change
+
+- fixed a bug where non-defined routes used to match existing route configurations with prefix names instead of subroute configurations (e.g. `/foo-bar` used to match `/foo` authorization config, if any, or fallbacks to `/`). This causes routes to be more strictier and can fallback to parent routes only if ends with `/`.
+
+### Updates
+
+- Updated several dependencies, including `go` to _v1.24_
+
 ## 2.4.3 - 04-12-2024
 
 ### Added
@@ -86,6 +96,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## 2.0.0 - 05-10-2020
 
 **BREAKING CHANGE**
+
 - updated glogger v2.0.3 which brings new logging format, potentially breaking for log processing stack
 
 ## 1.2.0
@@ -96,6 +107,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - add conditional user info url between frontend and backoffice endpoint.
 
 ### Fixed
+
 - extended regular expression that checks that `!` is followed only by `=` and `(` to also match `i` (as in `isBackoffice`)
 - fix log in main before log initialization
 - upgrade deps