v1.14.0

@malud released this 25 Feb 07:52
702eb72

1.14.0

  • Added

    • argon2i and argon2id password hash support for basic_auth htpasswd_file (#866)
    • beta_rate_limiter access control for fixed/sliding window rate limiting (#881)
    • beta_introspection block in jwt block to facilitate token introspection in order to detect revoked tokens (#649)
    • startup_delay attribute for job block to delay the first job execution after startup (#836)
    • OpenTelemetry tracing documentation with configuration reference for beta_traces, trace propagation settings, and CLI flags (#672)
    • Access control metrics: couper_access_control_total, couper_access_control_duration_seconds, couper_access_control_rate_limited_total, and couper_access_control_rate_limiter_active_keys; Grafana dashboard updated with Access Control row (#924)
    • Documentation website dark theme support and improved styling for readability (#931)
    • Devcontainer feature to install Couper in development containers (ghcr.io/coupergateway/features/couper) (#931)
    • Couper documentation available as Context7 MCP library for LLM-assisted development (#931)
    • SAML IdP metadata auto-update: idp_metadata_url attribute to fetch IdP metadata from a URL with automatic refresh via metadata_ttl and metadata_max_stale attributes (#912)
  • Changed

    • beta_rate_limit block in backend block has left beta and is renamed to throttle; the old name is deprecated and will be removed in version 1.15 (#914)
    • beta_backend_rate_limit_exceeded error type is renamed to backend_throttle_exceeded; the old name is deprecated and will be removed in version 1.15 (#914)
    • beta_job block has left beta and is renamed to job; the old name is deprecated and will be removed in version 1.15 (#898)
  • Fixed

    • Fix traceparent header not being propagated to backends when using beta_traces due to trace context injection into the wrong (request) headers; now correctly injected into response headers by TraceHandler and into outgoing request headers by InstrumentedRoundTripper (#923)
    • Fix redundant span creation in producers and innerRoundTrip when using beta_traces; consolidate all backend tracing into a single InstrumentedRoundTripper with correct SpanKindClient (#923)
    • Fix TraceContext propagator missing Baggage support when using beta_traces; use composite propagator with both TraceContext and Baggage (#923)
    • Fix backend_response not being available in custom_log_fields for OIDC/OAuth2 token and userinfo backend requests; also fixes request name showing as <nil> in upstream logs for these requests (#797)
  • Security

    • Return explicit error when backend origin evaluates to empty string instead of falling back to the client request URL (#920)
    • Sanitize \r, \n, and \0 characters from header values set via HCL expressions to prevent header injection (#920)
    • Reject path traversal sequences (.., %2e%2e) in path and path_prefix attributes (#920)
    • Remove rate limiter key value from error messages to prevent information leakage (#920)
    • Use constant-time comparison for username in basic_auth (#920)
  • Dependencies

    • Build with Go 1.26 (#926)
    • hcl 2.23.0 and go-cty 1.16.2 (#816)
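
The Security entries above (header value sanitization, path traversal rejection, constant-time username comparison) can be illustrated with the following added example. It is not Couper's own code; the function names and the segment-based traversal check are assumptions made for illustration, and the inputs in `main` are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// sanitizeHeaderValue (hypothetical name) drops CR, LF and NUL so an evaluated
// expression cannot end the header line and start a new header.
func sanitizeHeaderValue(v string) string {
	return strings.Map(func(r rune) rune {
		if r == '\r' || r == '\n' || r == 0 {
			return -1 // a negative rune removes the character
		}
		return r
	}, v)
}

// checkPath (hypothetical name) rejects ".." path segments, literal or
// percent-encoded (%2e%2e, %2E%2E), by decoding once before inspecting segments.
func checkPath(p string) error {
	decoded, err := url.PathUnescape(p)
	if err != nil {
		return fmt.Errorf("invalid escape in path: %w", err)
	}
	for _, seg := range strings.Split(decoded, "/") {
		if seg == ".." {
			return errors.New("path traversal sequence rejected")
		}
	}
	return nil
}

// sameUsername (hypothetical name) compares fixed-size digests, so timing does
// not reveal the position of the first mismatch or the length of the expected name.
func sameUsername(got, want string) bool {
	a, b := sha256.Sum256([]byte(got)), sha256.Sum256([]byte(want))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

func main() {
	fmt.Printf("%q\n", sanitizeHeaderValue("abc\r\nX-Injected: 1")) // constructed input
	fmt.Println(checkPath("/api/%2e%2e/admin"))                     // constructed input
	fmt.Println(sameUsername("alice", "alice"))
}
```

Hashing before `subtle.ConstantTimeCompare` matters because that function returns immediately when the two slices differ in length.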