Tyk Gateway 5.0.4 and Tyk Dashboard 5.0.4
Fixed
- Fixed a bug where the Python Rich Plugin truncated HTTP headers with the same name and returned only the first one. Multiple headers with the same name are now supported.
- Fixed a bug where gateway logs were not honouring the enable_key_logging setting
- Fixed a bug where Tyk could return HTTP 500 Internal Server Error when load balancing at very high API traffic levels
- Fixed a bug where URL rewrite failed when the request contained an absolute URL as the HTTP verb argument
- Fixed a typo (log-intrumentation) in the CLI flag (log-instrumentation) name and comment; thanks to WolfusFlow for the contribution.
- Fixed a bug where introspection was not working for custom root operation types
- Fixed a bug where UDG was not handling query parameters for a REST data source correctly when the parameter was an array
- Adjusted the description for the Policy states so that it reflects the actual behaviour of the policy when attached to a key.
- Fixed a bug where Tyk might incorrectly apply rounding to 64-bit integer values provided in context. Thanks to @mortymacs for the contribution.
Tyk Dashboard 5.0.4
Fixed
- Fixed a bug where a JWT claim given as an array whose values contain spaces was not parsed correctly
- When importing/creating an API by providing an API Definition that has Event handlers attached, we now store all the events properly in the definition
- Fixed a bug where updating an API that has custom event handlers, using the Dashboard, cleared them; they are no longer cleared.
- Fixed a bug where it was not possible to configure the rate limiter to count over a shorter period than 60 seconds when set by a partitioned policy.
- Fixed a bug where keys linked to multiple policies become unusable if one of the policies is removed.
- Fixed a security bug where the key_id was unnecessarily returned when a hashed key is created for an API using basic auth.
- Fixed a bug where Dashboard would take too long loading Policies to the Gateway
- Fixed a potential security issue which allowed search for keys by username; new flag disable_key_actions_by_username added to restrict this
- Fixed a security bug where node secret could be output in the Removed debug-level logging when authorizing requests.
Changes
- Added processor to fill the MainStorage with the mongo configs in the root
- Set dashboard session cookies to be HttpOnly with SameSite: Strict
- Set classic portal session cookies to be HttpOnly with SameSite: Strict