-
-
Notifications
You must be signed in to change notification settings - Fork 240
Releases: tinyauthapp/tinyauth
nightly
a0e74cd refactor: move oidc handling to backend and add support for oidc post...
Assets 4
v5.0.7
479f165 Tinyauth v5.0.7
Hello everyone! This is officially the last release under my username. After this last patch, Tinyauth will move to its new home tinyauthapp, no breaking changes for now. As for this release, it addresses some further issues with the Envoy proxy and improves the OpenID Connect experience.
Improvements
- The OpenID Connect server now supports PKCE
- The OpenID Connect user information endpoint now supports POST requests @scottmckendry
- The OpenID Connect user information endpoint now supports the access token in the POST request body @scottmckendry
- The OAuth flow now supports the OpenID Connect parameters and stores CSRF states server-side for anti-tampering
- Add
X-Tinyauth-Locationheader for Nginx instances to support redirect to login and unauthorized pages automatically - Support unsigned OpenID Connect request objects @scottmckendry
- Accessibility improvements
Fixes
- Use 307 redirects for Envoy proxy
- Fix TOTP field auto-fill not working in some password managers @scottmckendr
Technical
- Update dependencies
- Update translations
- Use own fork of the paerser library for better flexibility in configuration parsing
- Fail app early when the app URL is missing
Please let us know of any issues so we can address them as soon as possible.
Full Changelog: v5.0.6...v5.0.7
Assets 4
v5.0.7-beta.1
36c7872 New Crowdin updates (#797) * New translations en.json (Romanian) * New translations en.json (Spanish) * New translations en.json (Afrikaans) * New translations en.json (Norwegian) * New translations en.json (Polish) * New translations en.json (Portuguese) * New translations en.json (Russian) * New translations en.json (Serbian (Cyrillic)) * New translations en.json (Swedish) * New translations en.json (Turkish) * New translations en.json (Vietnamese) * New translations en.json (Portuguese, Brazilian) * New translations en.json (Korean) * New translations en.json (Arabic) * New translations en.json (Catalan) * New translations en.json (Czech) * New translations en.json (Danish) * New translations en.json (German) * New translations en.json (Finnish) * New translations en.json (Hebrew) * New translations en.json (Italian) * New translations en.json (Japanese) * New translations en.json (Dutch) * New translations en.json (Chinese Traditional)
Assets 4
v5.0.7-alpha.1
c1dd37e chore(deps): bump the minor-patch group across 1 directory with 15 up...
Assets 4
v5.0.6
Tinyauth v5.0.6
Before the release notes
I would like to apologize for the recent spamming of patch releases. While everything is tested properly after each release, almost always something slips through and requires another patch. I want to feel confident that everything introduced/changed in v5 is working perfectly and without any issues before proceeding to adding more features.
Fixes
- Fix browser detection not working correctly for some proxies
Technical
- Update dependencies
Please let me know of any issues so I can fix them as soon as possible.
Assets 4
v5.0.6-beta.1
7ad1393 chore(deps): bump docker/build-push-action from 6 to 7 (#749) Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6 to 7. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/v6...v7) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Assets 4
v5.0.5
fc1d4f2 Tinyauth v5.0.5
This patch addresses a vulnerability in the OAuth flow discovered by @kq5y, for more information see GHSA-9q5m-jfc4-wc92. Additionally, most of the proxy handling code has been rewritten to work better with proxies other than Traefik like Nginx which uses auth_request and Envoy which uses ext_authz.
Warning
This release contains a security fix, please update as soon as possible.
Note
For Envoy/Istio users, you may need to include user-agent in your includeRequestHeadersInCheck config to get browser detection working.
Improvements
- OAuth now supports multiple simultaneous login attempts
- Improved browser detection based on the
User-Agentheader - Improved proxy support with new proxy-specific modules
- Automatically rate-limit entire instance on multiple login attempts
- Allow root-level domains as app URL for testing purposes
- Attempt to extract context only on routes that need it
Fixes
- Fix proxy controller not extracting request information from Nginx deployments
Technical
- Update dependencies
- Update translations
- Fix wrong tag being used for metadata in release workflow @jacekkow
- Rework controller tests for much more thorough, robust and extensible testing
Please let me know of any issues so I can fix them as soon as possible.
New Contributors
Full Changelog: v5.0.4...v5.0.5
Assets 4
v5.0.5-rc.2
fc1d4f2 refactor: use better ignore paths in context middleware (#743)
Assets 4
v5.0.5-rc.1
cec0a73 New translations en.json (Ukrainian) (#740)
Assets 4
v5.0.5-beta.3
fix: handle oauth provider id mismatch correctly