v0.2.2

@rfaulhaber rfaulhaber released this 05 Jun 21:39
· 7 commits to main since this release
v0.2.2
dacef9a

cirrus-auth 0.2.3

Security and reliability fixes for the OAuth flow layer. No public API changes;
upgrade is recommended for all users.

Security

  • Stop leaking OAuth error_description through AuthError. The
    OAuthErrorResponse type already redacted error_description in its Debug
    impl (the field has historically echoed partial token material in some
    Salesforce error paths), but the value was reconstituted in cleartext the
    moment it became an AuthError::OAuth — both the derived Debug and the
    Display impl printed it verbatim, and AuthError is the type that actually
    escapes the crate and reaches logs. AuthError now has a hand-written Debug
    that redacts error_description, and its Display surfaces only the
    machine-readable error code. The description remains available
    programmatically by matching on the AuthError::OAuth { error_description, .. }
    field.

  • Stop echoing raw token-endpoint error bodies. When a non-2xx response from
    /services/oauth2/token did not parse as the standard OAuth error shape, the
    entire response body was folded into AuthError::Other and printed by
    Display/Debug. Non-standard bodies (proxy HTML, reflected request
    parameters) can carry token material. The error now reports only the HTTP
    status; the body is logged solely at TRACE (off by default, an explicit
    per-target opt-in for debugging).
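
The redaction pattern from the first Security item, as an added sketch that is not cirrus-auth's own code: a derived Debug that leaks the description, next to a hand-written Debug and a Display that formats only the error code. `LeakyOAuth`, `description`, the `Other(String)` payload, the `<redacted>` marker and the token-like sample string are assumptions made for illustration.

```rust
use std::fmt;

// "Before" shape (hypothetical): derived Debug prints error_description verbatim.
#[derive(Debug)]
pub struct LeakyOAuth { pub error: String, pub error_description: Option<String> }

// Stand-in shaped like the AuthError the notes describe; not the crate's code.
pub enum AuthError {
    OAuth { error: String, error_description: Option<String> },
    Other(String), // payload type is an assumption
}

impl fmt::Debug for AuthError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            AuthError::OAuth { error, error_description } => f
                .debug_struct("OAuth")
                .field("error", error)
                // Keep Some/None visible for triage, never the value itself.
                .field("error_description", &error_description.as_ref().map(|_| "<redacted>"))
                .finish(),
            AuthError::Other(msg) => f.debug_tuple("Other").field(msg).finish(),
        }
    }
}

impl fmt::Display for AuthError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            AuthError::OAuth { error, .. } => write!(f, "OAuth error: {}", error),
            AuthError::Other(msg) => write!(f, "{}", msg),
        }
    }
}

impl std::error::Error for AuthError {}

// Callers that need the description read the field instead of scraping Display.
pub fn description(e: &AuthError) -> Option<&str> {
    match e {
        AuthError::OAuth { error_description, .. } => error_description.as_deref(),
        AuthError::Other(_) => None,
    }
}

fn main() {
    let desc = Some("expired: 00D-CONSTRUCTED-TOKEN".to_string()); // constructed, fake
    println!("{:?}", LeakyOAuth { error: "invalid_grant".into(), error_description: desc.clone() });
    let e = AuthError::OAuth { error: "invalid_grant".into(), error_description: desc };
    println!("{} | {:?} | {:?}", e, e, description(&e));
}
```

A regression test that formats the error with `{}`, `{:?}` and `{:#?}` and asserts that a planted marker string is absent keeps a later `#[derive(Debug)]` from reintroducing the leak.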

Reliability

  • Proactive token refresh margin. Cached access tokens are now treated as
    expired once they fall within a 60-second margin of their real expiry, across
    the JWT bearer, refresh-token, and client-credentials flows. Previously a token
    expiring milliseconds after the validity check would be handed to an in-flight
    request and rejected with a 401 by Salesforce, relying on the client's 401
    auto-refresh to recover. This removes a class of avoidable round-trips at
    every TTL boundary.

  • Honor server-advertised token lifetime. Token responses that include
    expires_in (RFC 6749 §5.1) now drive the cache lifetime, taking precedence
    over the configured static TTL. The field is modeled as optional with a
    default, so its absence (Salesforce omits it on most flows) leaves existing
    behavior unchanged.

Behavior change to note

  • AuthError's Display output for the OAuth variant changed from
    OAuth error: {error} — {error_description} to OAuth error: {error}. Code
    that pattern-matches on the AuthError::OAuth variant is unaffected; only code
    that scraped the formatted string for the description needs to read the field
    directly instead.

cirrus 0.2.2

Bug fixes and an internal refactor. No public API changes.

Fixes

  • Percent-encode path segments in the Tooling sObject and Event Monitoring
    handlers.
    ToolingSObjectHandler (describe, retrieve,
    retrieve_with_fields, create, update, delete) and
    EventMonitoringHandler::download built their request paths by string
    interpolation and routed through the unencoded path resolver, diverging from
    the regular SObjectHandler, which percent-encodes each segment via
    versioned_segments. They now use the same encoded-segment path, so a reserved
    character in a record ID or object name can no longer alter the request path.
    Low real-world exposure given Salesforce's ID/name character set, but it makes
    the path-safety contract uniform across all sObject-style handlers.

cirrus-metadata

No changes in this release.