Highlights
WebAuthn: per-browser session for request challenge
WebAuthn request options (webAuthnRequestOptions) used a single global
cache key (webauthn_request) for the challenge, so concurrent logins
from different browsers/devices would overwrite each other's challenge
and one side would get "Invalid challenge". The challenge is now scoped to
a server-issued HttpOnly webauthn_sid cookie that the browser sends
back automatically, so each browser session has its own pending
challenge.
Also renamed the GraphQL field getter to getWebAuthnRequestOptions
so GraphQLite exposes it as the webAuthnRequestOptions field that
the frontend already queries.
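Added illustration of the challenge-scoping fix described above (not the project's code): the cache class, key names and cookie handling are simplified stand-ins for the real App cache and response layer, and the sid is only ever used as a cache-key suffix.

```php
<?php
declare(strict_types=1);

// Minimal in-memory stand-in for the application cache (assumption, not the real one).
final class MemoryCache {
    private array $items = [];
    public function set(string $key, string $value): void { $this->items[$key] = $value; }
    public function get(string $key): ?string { return $this->items[$key] ?? null; }
    public function delete(string $key): void { unset($this->items[$key]); }
}

// Before the fix: one global key, so the most recent caller silently replaces the
// pending challenge of every other browser that is mid-login.
function requestOptionsGlobal(MemoryCache $cache): string {
    $challenge = bin2hex(random_bytes(32));
    $cache->set('webauthn_request', $challenge);
    return $challenge;
}

// After the fix: the challenge is stored under a key derived from a random session id
// that the server issues as an HttpOnly cookie (setcookie(..., ['httponly' => true])).
// A browser without the cookie gets a fresh sid; an existing sid is reused.
function requestOptionsScoped(MemoryCache $cache, ?string $sidCookie): array {
    $sid = $sidCookie ?? bin2hex(random_bytes(16));
    $challenge = bin2hex(random_bytes(32));
    $cache->set('webauthn_request:' . $sid, $challenge);
    return ['sid' => $sid, 'challenge' => $challenge];
}

// Verification reads only this session's pending challenge, compares it in constant
// time, and deletes it first so a captured challenge cannot be presented twice.
function verifyScoped(MemoryCache $cache, string $sid, string $received): bool {
    $key = 'webauthn_request:' . $sid;
    $expected = $cache->get($key);
    if ($expected === null) { return false; }
    $cache->delete($key);
    return hash_equals($expected, $received);
}

$cache = new MemoryCache();
// Two browsers start login concurrently under the old global key: B overwrites A's
// challenge, so A's response no longer matches what the server has stored.
$a = requestOptionsGlobal($cache);
$b = requestOptionsGlobal($cache);
echo 'global key, browser A still valid: ', var_export(hash_equals($cache->get('webauthn_request'), $a), true), PHP_EOL;

// Same scenario with per-session scoping: each sid keeps its own pending challenge,
// both verify, and a second use of the same challenge is rejected.
$ra = requestOptionsScoped($cache, null);
$rb = requestOptionsScoped($cache, null);
echo 'scoped, browser A: ', var_export(verifyScoped($cache, $ra['sid'], $ra['challenge']), true), PHP_EOL;
echo 'scoped, browser B: ', var_export(verifyScoped($cache, $rb['sid'], $rb['challenge']), true), PHP_EOL;
echo 'scoped, browser A replay: ', var_export(verifyScoped($cache, $ra['sid'], $ra['challenge']), true), PHP_EOL;
```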
Refresh token: /api/refresh_token route
The Nuxt client's axios instance posts to apiBase + '/refresh_token',
which resolves to /api/refresh_token when apiBase='/api/'. The Nitro
dev proxy forwards to /api/refresh_token but the route was only
registered at /refresh_token, so auto-refresh 500'd. The refresh
handler is now registered at both paths.
API: GET /api/ returns a plain "Light API" text response
Useful for quick health checks from curl.
All changes since v1.37.2
- 9be1f3d feat(api): add GET handler returning "Light API"
- b3f6701 fix(webauthn): scope request challenge to per-browser session cookie
- 276c1b5 fix(auth): expose refresh_token route at /api/refresh_token
- 2742fa8 fix(graphql): add pages/api/index.php GraphQL endpoint
- ab7ed7f refactor(test): centralize pages/ directory setup in TestCase
- 5602411 test(config): add ConfigTest covering Value/Invalidate/cache behavior
- f3c23a0 perf(config): cache Config::Value via App cache (60s TTL)
- c58cab9 refactor(user): rename misleading lockout variable + safe IP fallback
- 31bf946 security(auth): status check + timing-safe + 2FA guard on password endpoints
- 2107cc5 security(auth): timing-safe login + status check + CSPRNG 2FA secret
- 5d191fb security(auth): forgetPassword rate limit + cryptographically secure code
- 8e02825 security(auth): TOTP code replay protection via cache
- 7c38639 security(auth): refresh token rotation + reuse detection
- 073cd67 chore(db): add APIKey table schema to db.json
- 398dbf7 chore(MakeInputCommand): adjust ClassGenerator namespace
- c3c9e18 chore(PropertyGenerator, MakeInputCommand, CustomField): adjust property types and defaults
Full diff: v1.37.2...v1.37.3