github PegaProx/project-pegaprox v0.9.9.2
v0.9.9.2 — hotfix: OIDC admin lockout regression


Hotfix on top of v0.9.9.1. If you upgraded to v0.9.9.1 and you have OIDC / Entra admin users, please move to v0.9.9.2 — the TOTP step-up gate that 0.9.9.1 added was incorrectly strict.

What was wrong

v0.9.9.1 introduced TOTP step-up for sensitive admin operations (delete cluster, rotate creds, etc.) for OIDC / Entra users. The intent was to close a stolen-cookie-replay risk: previously a session cookie alone could pass the re-auth gate.

The bug: PegaProx already blocks OIDC users from enrolling TOTP at /api/auth/2fa/setup (with the message "2FA is managed by your OIDC provider" — the IdP is supposed to handle MFA for OIDC accounts). Combined with the new strict-TOTP-only re-auth, the result was that OIDC admins could not perform any re-auth-gated operation in v0.9.9.1.

Caught by the project owner during release review, before it had been running long enough to affect users. Hotfix shipped.

What changed in v0.9.9.2

The OIDC re-auth path is now a three-tier ladder:

  1. WebAuthn proof (preferred). WebAuthn enrolment is independent of auth_source — OIDC admins can register a security key in Settings → Account → Security keys. If a WebAuthn credential is registered, re-auth requires a fresh WebAuthn proof.
  2. TOTP code if the user happens to have a totp_secret (covers users that were originally local accounts and later converted to OIDC).
  3. Session-validity fallback when neither is enrolled, with an audit-log warning that recommends WebAuthn enrolment. The stolen-cookie-replay risk that v0.9.9.1 was meant to address remains open in this fallback path; proper closure needs an OIDC prompt=login redirect flow, which is a bigger piece of work and is tracked separately.

Non-admin OIDC users are still blocked at "Admin access required" before any of the three paths runs — the gate isn't loosened for unprivileged accounts.
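As an added illustration (not PegaProx's own code), here is the v0.9.9.1 gate and the v0.9.9.2 ladder side by side in Python, showing why the strict gate locked OIDC admins out and how the ladder resolves it. The User fields, function names and audit-log shape are assumptions; the "2FA is managed by your OIDC provider" and "Admin access required" messages are the ones quoted above.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class ReauthMethod(Enum):
    WEBAUTHN = "webauthn"   # tier 1: fresh security-key assertion
    TOTP = "totp"           # tier 2: only if a totp_secret already exists
    SESSION = "session"     # tier 3: session validity only (replay risk remains)


class ReauthDenied(Exception):
    pass


@dataclass
class User:                               # assumed shape, not PegaProx's model
    username: str
    is_admin: bool
    auth_source: str                      # "local" or "oidc"
    totp_secret: Optional[str] = None
    webauthn_credentials: List[str] = field(default_factory=list)


def enrol_totp(user: User, secret: str) -> None:
    """Mirrors the /api/auth/2fa/setup rule: OIDC accounts cannot enrol TOTP."""
    if user.auth_source == "oidc":
        raise ReauthDenied("2FA is managed by your OIDC provider")
    user.totp_secret = secret


def oidc_reauth_method_v0991(user: User) -> ReauthMethod:
    """v0.9.9.1 gate: TOTP is the only accepted proof for OIDC admins."""
    if not user.is_admin:
        raise ReauthDenied("Admin access required")
    if user.totp_secret is None:
        # With enrol_totp() refusing OIDC users, no OIDC admin can ever pass here.
        raise ReauthDenied("TOTP code required")
    return ReauthMethod.TOTP


def oidc_reauth_method_v0992(user: User, audit_log: List[str]) -> ReauthMethod:
    """v0.9.9.2 ladder: WebAuthn, then TOTP if present, then session fallback."""
    if not user.is_admin:
        raise ReauthDenied("Admin access required")   # unchanged for non-admins
    if user.webauthn_credentials:
        return ReauthMethod.WEBAUTHN
    if user.totp_secret is not None:
        return ReauthMethod.TOTP
    audit_log.append(f"WARNING {user.username}: re-auth satisfied by session validity "
                     "only; enrol a WebAuthn security key to close the cookie-replay gap")
    return ReauthMethod.SESSION
```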

If you're an OIDC admin running PegaProx in an environment where stolen-cookie replay is a meaningful threat: enrol a security key. PegaProx supports any FIDO2 authenticator (YubiKey, Nitrokey, Touch ID, Windows Hello).

Other than this fix

No other changes — everything else from v0.9.9.1 (CSRF rewrite, plugin frontend system, defusedxml, paramiko / urllib3 CVE bumps, plugin HTML hardening, disconnect-banner names, theme-aware logos, the seven Marcus / Semgrep patches) is in this release as well.

Acknowledgements

PegaProx is donation-funded — every line of code in this release is paid for by the community.

Platinum sponsors:

Want to back the next release? https://opencollective.com/pegaprox

Upgrading

Built-in updater picks up v0.9.9.2 from the next poll. Or:

./update.sh

— PegaProx team
