Skip to content

v110.0.0

Pre-release
Pre-release

Choose a tag to compare

View all tags
@github-actions github-actions released this 28 Jun 00:56
· 0 commits to develop since this release
v110.0.0
7d8d69f
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

110.0.0 (2026-06-28)

⚠ BREAKING CHANGES

  • JWT tokens now include organizationId field. Clients should handle the new token structure.

  • fix(ui): restore CHANGE_SELECTED_ORGANIZATION permission check for organization selector

Re-add permission verification that was removed - users without
CHANGE_SELECTED_ORGANIZATION permission should not see the organization
selector in the header.

  • fix(migration): remove UNIQUE constraint on userId in SQLite UP migration

Remove CONSTRAINT REL_f4b0d329c4a3cf79ffe9d56504 UNIQUE (userId) from all
CREATE TABLE temporary_employee statements in sqliteUpQueryRunner to allow
many-to-one relationship (multiple employees can reference the same user).

The DOWN migration retains the UNIQUE constraint to restore the original
one-to-one relationship when reverting.

  • fix(context): merge duplicate currentOrganizationId methods with proper fallback

Consolidate two currentOrganizationId() methods into one with priority:

  1. JWT token organizationId (most secure)
  2. User's employee organizationId (fallback for old tokens)
  3. Request header organization-id (legacy backward compatibility)

This ensures existing functionality continues to work while preferring
the secure JWT-based organization context when available.

  • fix(auth): inject organizationId from JWT into user with fallback

Make organizationId follow the same pattern as employeeId:

  • jwt.strategy.ts: inject organizationId from JWT into user.lastOrganizationId
  • request-context.ts: currentOrganizationId() reads from user.lastOrganizationId
    with fallback to user.employee.organizationId and header for backward compatibility

This ensures consistency across all context methods while maintaining
backward compatibility with old tokens.

  • fix(auth): validate organization access in JWT strategy
  • Add UserOrganizationService to validate user has access to organization
  • Remove unvalidated header fallback from currentOrganizationId()
  • organizationId is now only accepted from validated JWT tokens
  • fix(employee): catch specific NotFoundException and validate input
  • Catch only NotFoundException instead of all errors
  • Add validation for input.user.email before accessing it
  • fix(ui): add await for async selectOrganization calls
  • Make updateOrganization, deleteOrganization, selectOrganizationById async
  • Properly await selectOrganization to prevent race conditions
  • Mark initialize() as deprecated with JSDoc
  • Clean up comments in applyOrganizationData()
  • docs(auth): clarify refresh token organization behavior
  • Add note explaining refresh token is organization-specific
  • Document that /auth/switch-organization should be used to change org
  • refactor(ui): use inject() function instead of constructor injection
  • Replace constructor parameter injection with inject() function
  • Follow Angular modern DI pattern
  • fix(auth): include organizationId in refresh token
  • Pass organizationId to getJwtRefreshToken in login, signinWorkspaceByToken, and switchWorkspace
  • Ensures refresh token contains same organization context as access token
  • fix(auth): add cross-validation between employeeId and organizationId in JWT
  • Validate that employee.organizationId matches the claimed organizationId
  • Prevents JWT token manipulation attacks
  • fix(employee): use BadRequestException and check for existing employee
  • Use BadRequestException instead of generic Error for proper HTTP 400
  • Check if employee already exists for user+organization to prevent duplicates
  • fix(ui): validate response fields before applying to store
  • Check token and user exist before updating store
  • Return false and show error if validation fails
  • fix(auth): update user.lastOrganizationId in memory after DB update
  • Ensures returned user object has fresh lastOrganizationId value
  • fix(employee): load role relation when finding existing user
  • Use findOneByOptions with relations: { role: true }
  • Fixes 'Cannot read properties of undefined (reading name)' error
  • addUserToOrganization requires user.role.name for SUPER_ADMIN check

What's Changed

  • fix(security): inject JWT_VERIFICATION_TOKEN_SECRET in all prod/stage deploys (GHSA-chm8-2ggf-pgjq) by @evereq in #9756
  • fix(security): require a server-minted state nonce for GitHub App installs (GHSA-4rwq-65wh-45h4) by @evereq in #9757
  • fix(ci): resolve @electron/node-gyp to npm package (fixes Docker/MCP image builds) by @evereq in #9761
  • fix(core): relax prod CORP to same-site so app.gauzy.co can embed API assets + enable Secure session cookie by @evereq in #9762
  • release: cascade develop -> stage (CORP same-site image fix #9762 + security batch #9756/#9757 + CI #9761) by @evereq in #9763

Full Changelog: v109.0.1...v110.0.0

Contributors

evereq and deprecated
Assets 11
Loading