v12.109.0

riderx released this 06 Feb 19:58
· 2022 commits to main since this release

🆕 Changelog

Added

  • Role-Based Access Control (RBAC) system for managing app-level access permissions
  • New reusable UI components for role selection and search (RoleSelect, SearchInput, RoleSelectionModal)
  • Server-side API key generation with secure hashed storage
  • Database functions for creating and regenerating hashed API keys
  • 2FA enforcement for super admin operations when RBAC is enabled

Changed

  • Refactored organization member management interface with improved role assignment workflow
  • Updated app creation flow to properly check org-level write permissions
  • Enhanced API key management to support both plain and hashed keys
  • Modified org_member role to grant organization-level access only (removed app/channel/bundle permissions)
  • Improved role display in app tables with proper internationalization

Fixed

  • API key validation now correctly verifies user identity against key ownership
  • App creation permissions now properly check org-level rights instead of non-existent app-level permissions
  • API key triggers now correctly handle server-side key generation for all non-privileged users
  • Privilege escalation protection now correctly validates super admin permissions in RBAC mode
  • CORS and authentication middleware now apply to all routes using wildcard matchers

Security

  • API keys are now generated exclusively on the server side, preventing client manipulation
  • Hashed API keys strip plain text values after creation for enhanced security
  • Added user validation in has_app_right_apikey function to prevent unauthorized access
  • Super admin invitations now enforce 2FA requirements when organization policy is enabled
  • Database constraints ensure API keys always have either a plain key or hash, never both or neither

🔗 Full Changelog: v12.108.19...v12.109.0