v2.2.1

@jridderbusch jridderbusch released this 11 Apr 14:56
1f5e014

[v2.2.1] - 2024-04-11

Overview

This release addresses several security issues and adds minor improvements to the Authority Portal.

Detailed Changes

Patch

  • Fixed "Provided Connectors" view for Service Partners (#172)
  • Fixed red fields in organization create page (#122)
  • Fixed wrong path after onboarding (#103)
  • Fixed yellow inactive sidebar item (#123)
  • Fixed the vulnerability reported as CVE-2024-2700
  • Adjusted headers for improved security (#176)
  • Adjusted Keycloak SSL settings for improved security (#183)
  • Adjusted documentation (#181)

Known issues

Deployment Migration Notes

  • Keycloak
    • Change SSL settings
      • Realm settings > General > Require SSL: All requests
  • Caddy
    • Security headers are now set on UI, API and asset responses
    • Modified Caddyfile:

```caddyfile
# UI Requests: Internet -> Caddy 8080 -> Frontend
# Backend Requests: Internet -> Caddy 8080 -> Auth Proxy -> Caddy 8081 -> Backend

:8080 {
  map {path} {target_host} {target_port} {
    ~^/api/.*      {$AUTH_PROXY_UPSTREAM_HOST}   8080
    ~^/oauth2/.*   {$AUTH_PROXY_UPSTREAM_HOST}   8080
    default        {$FRONTEND_UPSTREAM_HOST}     8080
  }

  reverse_proxy {target_host}:{target_port} {
    header_down -Gap-Auth
  }

  # Set security headers for UI responses
  header {
    X-Frame-Options "DENY"
    +Content-Security-Policy "frame-ancestors 'none'"
  }

  # Set security headers for API responses
  header /api/* {
    X-Content-Type-Options nosniff
    +Content-Security-Policy "script-src 'none'"
    +Cache-Control "no-store"
  }

  # Set Cache-Control for UI assets
  header /assets/* {
    +Cache-Control "public, max-age=2592000, immutable"
  }
}

# Caddy 8081 -> Backend
# We need this second block because the auth proxy
# does not pass the token on the right header due to
# kubernetes conventions.
:8081 {
  reverse_proxy {$BACKEND_UPSTREAM_HOST}:8080 {
    header_up Authorization "Bearer {header.X-Forwarded-Access-Token}"
  }
}
```
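After migrating, it is worth confirming that responses actually carry the headers the Caddyfile above is meant to add. The following checker is an added example, not code from the release or from the sovity project: it models the three `header` blocks (the unprefixed block applies to every response, the `/api/*` and `/assets/*` blocks append to it) and reports missing values and any `Gap-Auth` header that `header_down -Gap-Auth` should have stripped. The response headers it inspects are constructed samples; in practice you would feed it the headers returned by a real request.

```python
"""Check captured response headers against the v2.2.1 Caddyfile header policy.
Added example, not part of the release; sample responses are constructed."""
import fnmatch
from collections import Counter

# One entry per `header` block in the Caddyfile: (Caddy path matcher, headers).
# "*" stands for the unprefixed block, which applies to every response.
HEADER_POLICY = [
    ("*",         {"X-Frame-Options": ["DENY"],
                   "Content-Security-Policy": ["frame-ancestors 'none'"]}),
    ("/api/*",    {"X-Content-Type-Options": ["nosniff"],
                   "Content-Security-Policy": ["script-src 'none'"],
                   "Cache-Control": ["no-store"]}),
    ("/assets/*", {"Cache-Control": ["public, max-age=2592000, immutable"]}),
]

def expected_headers(path):
    """Union of the header values every matching block contributes (lowercase names)."""
    want = {}
    for pattern, headers in HEADER_POLICY:
        if pattern == "*" or fnmatch.fnmatchcase(path, pattern):
            for name, values in headers.items():
                want.setdefault(name.lower(), []).extend(values)
    return want

def check_response(path, response_headers):
    """Return a list of problems; an empty list means the response matches policy.
    response_headers is a list of (name, value) pairs because a header such as
    Content-Security-Policy legitimately appears twice on /api/* responses."""
    got = {}
    for name, value in response_headers:
        got.setdefault(name.lower(), []).append(value)
    problems = []
    for name, values in expected_headers(path).items():
        # Counter subtraction leaves exactly the values that are still missing
        for value in (Counter(values) - Counter(got.get(name, []))).elements():
            problems.append(f"{path}: missing {name}: {value}")
    if "gap-auth" in got:  # the auth proxy's header must not reach the client
        problems.append(f"{path}: Gap-Auth leaked to the client")
    return problems

if __name__ == "__main__":
    # Constructed sample: an API response that lacks X-Content-Type-Options
    sample = [("X-Frame-Options", "DENY"), ("Cache-Control", "no-store"),
              ("Content-Security-Policy", "frame-ancestors 'none'"),
              ("Content-Security-Policy", "script-src 'none'")]
    for problem in check_response("/api/organizations", sample):
        print(problem)
```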
    

Compatible Versions

  • Authority Portal Backend Docker Image: ghcr.io/sovity/authority-portal-backend:2.2.1
  • Authority Portal Frontend Docker Image: ghcr.io/sovity/authority-portal-frontend:2.2.1
  • Broker Server: 4.1.1