Skip to content

v0.6.1

Latest

Choose a tag to compare

@github-actions github-actions released this 04 Jun 03:53

afauth v0.6.1 — security patch

Two High-severity hardening fixes to how the agent runtime handles redirects and attestation audiences. Upgrading is recommended for anyone running afauth against untrusted or third-party services.

Fixes

  • Cross-origin redirect credential leak. The signed-request, discovery, and trust-attestor HTTP clients followed cross-host redirects, and Go's default redirect policy does not strip custom headers on a host change — so a service (or on-path attacker) that returned a 30x to another origin would receive the live AFAuth-Attestation JWT and Signature header. All three clients now refuse cross-origin redirects.
  • Attestation audience confused-deputy. Auto-attest minted an attestation audience-bound to service_did taken verbatim from an unauthenticated discovery document — a host advertising service_did=did:web:bank.com could harvest a token replayable against the real bank.com. Auto-attest now requires a did:web service DID to be anchored at the host that served its discovery document before minting; non-did:web audiences (which carry no DNS anchor) emit a warning instead.

No CLI flags or commands changed — existing identities, links, and config carry over unchanged.

Install

brew install AFAuthHQ/tap/afauth   # or: brew upgrade afauth

Prebuilt binaries for macOS / Linux / Windows × amd64 / arm64 are attached below.