
Release Notes v2.50

NeySlim edited this page Feb 23, 2026 · 1 revision

Release Notes - v2.50

Release Date: 2026-02-22
Previous Version: v2.49
Download: GitHub Releases


Highlights

  • 🔐 Login Architecture Redesign — Complete rewrite of the authentication flow
  • 🔑 mTLS Auto-Login — Zero-interaction certificate-based authentication
  • 🛡️ 6 mTLS Bug Fixes — Comprehensive fixes for mutual TLS authentication

Added

  • Login state machine — Complete rewrite with proper states: init → username → auth → 2fa/ldap. Each auth method is standalone with clean transitions
  • mTLS auto-login — Client certificate authentication now happens entirely during the TLS handshake via middleware. No explicit POST needed — browser presents cert → session created → auto-redirect to dashboard (zero user interaction)
  • AuthContext session check on all routes — Removed the /login skip guard. checkSession() now always calls /auth/verify on mount, enabling mTLS auto-login discovery
  • sessionChecked state — New boolean in AuthContext prevents flash of login form during session verification
  • Enhanced /auth/methods endpoint — Now returns mtls_status (auto_logged_in, present_not_enrolled, not_present), mtls_user, and sso_providers in a single call

Changed

  • mTLS middleware — Clean rewrite with _extract_certificate() helper (DRY), g.mtls_cert_info for cross-endpoint reuse, proper stale session handling
  • LoginPage — Removed cascade login logic. Each auth method is standalone with proper state transitions. WebAuthn auto-prompts after username entry if keys detected
  • App.jsx /login route — Shows PageLoader while session is being checked, then redirects if already authenticated

Fixed

  • mTLS peercert injection — Custom Gunicorn worker (MTLSWebSocketHandler) now correctly extracts peercert DER bytes into WSGI environ
  • OpenSSL 3.x CA names — Added ctypes integration in gunicorn_config.py to send client CA names in CertificateRequest (required for browser cert dialog)
  • Timezone-aware datetime comparison — Fixed crash in mtls_auth_service.py when comparing naive vs aware datetimes
  • Serial number format mismatch — Normalized hex/decimal serial matching in mtls_auth_service.py with fingerprint fallback
  • Scheduler SSL errors at startup — Added 30-second grace period before first scheduled task execution
  • Stale sessions blocking mTLS — Middleware now validates existing sessions before skipping certificate processing
  • checkSession() false positive — Now properly checks userData.authenticated before setting isAuthenticated=true
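The middleware behaviour described under Added, Changed and Fixed (certificate extracted from the WSGI environ, existing session validated before certificate processing is skipped, hex/decimal serial normalisation with a fingerprint fallback, and aware-vs-naive datetime handling) can be modelled in a few dozen lines. The following is an added example written for these notes, not the project's `mtls_auth_service.py` or its middleware: the environ keys `mtls.peercert_der` and `mtls.peercert`, the SHA-256 fingerprint, the enrollment record shape, the fixed clock `NOW` and all sample data are constructed assumptions, and a live session is simplified to mean "no login step needed".

```python
"""Constructed model of the v2.50 mTLS auto-login decision (added example)."""
import hashlib
import ssl
from datetime import datetime, timedelta, timezone

SESSION_TTL = timedelta(hours=8)
# Fixed clock so the scenarios below are reproducible (constructed value).
NOW = datetime(2026, 2, 22, tzinfo=timezone.utc)


def as_aware(dt):
    """Treat naive datetimes (e.g. from a DB driver) as UTC so a naive-vs-aware
    comparison cannot raise TypeError."""
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=timezone.utc)


def normalize_serial(serial):
    """Canonicalise a stored serial to int: '0x..', colon-separated or strings
    containing hex letters are hex; all-digit strings are decimal; ints pass through."""
    if isinstance(serial, int):
        return serial
    s = str(serial).strip().lower()
    is_hex = s.startswith("0x") or ":" in s or not s.isdigit()
    s = s[2:] if s.startswith("0x") else s
    return int(s.replace(":", ""), 16) if is_hex else int(s, 10)


def fingerprint(der):
    """SHA-256 fingerprint of the DER certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def _extract_certificate(environ):
    """Read the peer certificate the worker injected into the WSGI environ.
    Assumed keys: 'mtls.peercert_der' (DER bytes) and 'mtls.peercert'
    (the dict shape returned by ssl.SSLSocket.getpeercert())."""
    der, info = environ.get("mtls.peercert_der"), environ.get("mtls.peercert")
    if not der or not info:
        return None
    return {
        "serial": int(info["serialNumber"], 16),  # the ssl module reports serials as hex strings
        "fingerprint": fingerprint(der),
        "not_after": datetime.fromtimestamp(ssl.cert_time_to_seconds(info["notAfter"]), tz=timezone.utc),
    }


def find_enrollment(cert, enrolled):
    """Match by normalised serial first, then fall back to the fingerprint."""
    for e in enrolled:
        if normalize_serial(e["serial"]) == cert["serial"]:
            return e
    for e in enrolled:
        if e["fingerprint"] == cert["fingerprint"]:
            return e
    return None


def mtls_middleware(environ, session, enrolled, now=None):
    """Return (mtls_status, username) and update `session` in place."""
    now = as_aware(now or datetime.now(timezone.utc))
    # Validate any existing session *before* skipping certificate processing;
    # a stale one is dropped so the certificate gets re-evaluated.
    if session.get("username"):
        exp = session.get("expires_at")
        if exp is not None and as_aware(exp) > now:
            return "auto_logged_in", session["username"]  # simplification: live session, no login step
        session.clear()
    cert = _extract_certificate(environ)
    if cert is None:
        return "not_present", None
    enrollment = find_enrollment(cert, enrolled)
    if (enrollment is None or cert["not_after"] <= now
            or as_aware(enrollment["expires_at"]) <= now):
        return "present_not_enrolled", None  # unknown, expired or lapsed enrollment: no auto-login
    session.update(username=enrollment["username"], expires_at=now + SESSION_TTL, via="mtls")
    return "auto_logged_in", enrollment["username"]


# --- constructed sample data -------------------------------------------------
ADMIN_DER = b"constructed DER bytes standing in for admin's certificate"
ENROLLED = [  # serial 0x1234 stored as decimal; expiry stored naive, as a DB might return it
    {"username": "admin", "serial": "4660", "fingerprint": fingerprint(ADMIN_DER),
     "expires_at": datetime(2027, 1, 1)},
]
# Same enrollment with the hex serial mis-stored as a decimal-looking string,
# so only the fingerprint fallback can match it.
ENROLLED_MISFORMATTED = [dict(ENROLLED[0], serial="1234")]


def example_environ(der, serial_hex, not_after="Jan  1 00:00:00 2027 GMT"):
    return {"mtls.peercert_der": der,
            "mtls.peercert": {"serialNumber": serial_hex, "notAfter": not_after}}


def run_scenarios():
    """Exercise each mtls_status path; returns a name -> result mapping."""
    out, session = {}, {}
    out["enrolled"] = mtls_middleware(example_environ(ADMIN_DER, "1234"), session, ENROLLED, NOW)
    out["enrolled_session_user"] = session.get("username")
    out["unknown_cert"] = mtls_middleware(example_environ(b"stranger DER", "ABCD"), {}, ENROLLED, NOW)
    out["no_cert"] = mtls_middleware({}, {}, ENROLLED, NOW)
    stale = {"username": "bob", "expires_at": datetime(2026, 1, 1)}  # naive and already past
    out["stale_then_cert"] = mtls_middleware(example_environ(ADMIN_DER, "1234"), stale, ENROLLED, NOW)
    out["stale_replaced_by"] = stale.get("username")
    out["stale_no_cert"] = mtls_middleware({}, {"username": "bob", "expires_at": datetime(2026, 1, 1)}, ENROLLED, NOW)
    out["fingerprint_fallback"] = mtls_middleware(example_environ(ADMIN_DER, "1234"), {}, ENROLLED_MISFORMATTED, NOW)
    out["expired_cert"] = mtls_middleware(example_environ(ADMIN_DER, "1234", "Jan  1 00:00:00 2026 GMT"), {}, ENROLLED, NOW)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22} {result}")
```

The fingerprint fallback is what makes the serial-format fix safe: a string such as "1234" is ambiguous between hex and decimal, and rather than guessing, the match falls through to the DER hash, which has one canonical form. Keeping the clock aware everywhere (and coercing DB values with `as_aware`) is the whole of the timezone fix.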

Technical Details

Login Flow Architecture

Browser connects → TLS handshake
  ├─ Client cert presented? → mTLS middleware auto-login → session created
  └─ No cert → continue to LoginPage

LoginPage state machine:
  init → (detect methods) → username → (enter username) → auth
    ├─ WebAuthn available? → auto-prompt hardware key
    ├─ Password → enter password → (2FA required?) → 2fa
    └─ LDAP provider selected → ldap credentials

Auth Detection Response

GET /api/v2/auth/methods
{
  "data": {
    "password": true,
    "webauthn": true,
    "mtls": true,
    "mtls_status": "auto_logged_in",
    "mtls_user": "admin",
    "sso_providers": [],
    "api_keys": true
  }
}
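The login state machine sketched above, the `sessionChecked` gate on the `/login` route and the `checkSession()` false-positive fix can be expressed as one small model. What follows is an added example written for these notes in Python (the project's own code is React/JSX); the class, method names, the `has_registered_keys` flag and the sample `/auth/methods` payloads are assumptions, and LDAP provider names are taken as given rather than validated against the methods response.

```python
"""Model of the v2.50 LoginPage state machine and AuthContext session gate
(added example; the project's own implementation is React/JSX)."""


class LoginFlow:
    """States follow the release notes: init -> username -> auth -> 2fa/ldap -> done."""

    def __init__(self):
        self.state = "init"
        self.session_checked = False   # AuthContext.sessionChecked
        self.is_authenticated = False
        self.methods = {}
        self.username = None
        self.webauthn_prompt = False
        self.ldap_provider = None

    # -- AuthContext ---------------------------------------------------------
    def on_verify(self, verify_response):
        """checkSession(): only an explicit authenticated=true counts. A 200 body
        such as {"authenticated": false} or {"user": ...} must not flip the flag."""
        self.session_checked = True
        if verify_response.get("authenticated") is True:
            self._finish()

    def render(self):
        """What /login shows: a loader until the session check finishes, then a
        redirect if already authenticated, otherwise the form for the current state."""
        if not self.session_checked:
            return "PageLoader"
        if self.is_authenticated:
            return "redirect:/dashboard"
        return f"LoginPage[{self.state}]"

    # -- LoginPage -----------------------------------------------------------
    def on_methods(self, data):
        """Result of GET /auth/methods; an mTLS auto-login ends the flow here."""
        self._expect("init")
        self.methods = data
        if data.get("mtls_status") == "auto_logged_in":
            self._finish()
        else:
            self.state = "username"

    def on_username(self, username, has_registered_keys=False):
        self._expect("username")
        self.username = username
        # Auto-prompt the hardware key only if WebAuthn is enabled and keys were detected
        self.webauthn_prompt = bool(self.methods.get("webauthn")) and has_registered_keys
        self.state = "auth"

    def on_webauthn(self, accepted):
        self._expect("auth")
        if accepted:
            self._finish()
        # a rejected assertion leaves the user in "auth"; nothing cascades to another method

    def on_password(self, accepted, requires_2fa=False):
        self._expect("auth")
        if not self.methods.get("password"):
            raise ValueError("password login is disabled")
        if accepted:
            if requires_2fa:
                self.state = "2fa"
            else:
                self._finish()

    def on_select_ldap(self, provider):
        self._expect("auth")
        self.ldap_provider = provider   # assumption: not validated here
        self.state = "ldap"

    def on_ldap(self, accepted):
        self._expect("ldap")
        if accepted:
            self._finish()

    def on_2fa(self, accepted):
        self._expect("2fa")
        if accepted:
            self._finish()

    def _finish(self):
        self.state = "done"
        self.is_authenticated = True

    def _expect(self, *states):
        if self.state not in states:
            raise ValueError(f"event not allowed in state {self.state!r}")


# Constructed sample responses in the shape shown under "Auth Detection Response"
METHODS_INTERACTIVE = {"password": True, "webauthn": True, "mtls": True,
                       "mtls_status": "not_present", "mtls_user": None,
                       "sso_providers": [], "api_keys": True}
METHODS_MTLS = dict(METHODS_INTERACTIVE, mtls_status="auto_logged_in", mtls_user="admin")


def password_with_2fa():
    """Walk the password branch end to end and return the finished flow."""
    flow = LoginFlow()
    flow.on_verify({"authenticated": False})   # not logged in: the form may render
    flow.on_methods(METHODS_INTERACTIVE)
    flow.on_username("alice")
    flow.on_password(accepted=True, requires_2fa=True)
    flow.on_2fa(accepted=True)
    return flow
```

Every handler first asserts the state it is valid in, so a method cannot be entered out of order and a failed method cannot silently fall through to another; that is the property the "no cascade" rewrite buys.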

Upgrade Notes

  • No breaking API changes
  • No database migration required
  • Frontend assets are rebuilt — clear browser cache if login page looks stale
  • If using mTLS: users will now be auto-logged in when presenting a valid enrolled certificate

Test Results

Suite              Result
Frontend (Vitest)  450 passed
Backend (pytest)   1364 passed
i18n sync          ✅ All 9 locales in sync
