github gristlabs/grist-core v1.7.15
on GitHub

6 hours ago

What's Changed

An infrastructure release. First, an upgrade for OAuth access token authentication in Grist's REST API: a new credential framework in grist-core, with the token validator and OIDC server (including CIMD registration and MCP server tools) shipping in the Full Grist edition, where OAuth apps also move from experiment to available by default. Second, a wave of security hardening: a metadata leakage in GET /forms is closed, server-rendered pages get stricter value escaping, websocket reconnection now requires a matching authenticated session, custom-widget URLs can no longer be same-origin, and triggers are disabled when a document is downloaded or copied. TypeScript was upgraded to 5.9.3, and several dependencies were bumped to clear known vulnerabilities.

Improvements

API

  • OAuth support extended to home API endpoints. GET /orgs, GET /orgs/:oid/workspaces, POST /workspaces/:wid/docs, and a new GET /profile/user now accept OAuth tokens, with resource-level filtering so a scoped token sees only the orgs and documents it was granted, and is rejected when creating documents in un-granted workspaces or orgs. (commit)

Internal / infrastructure

  • TypeScript upgraded to 5.9.3, with tsc and esbuild targets bumped to es2020. (commit)
  • External storage configuration tidied. Each storage backend now owns its option spec, and a configured S3 bucket is probed at startup so a misconfiguration (such as a missing AWS_REGION) fails fast at startup rather than mid-request. (commit)
  • Translation keys cleaned up to unblock auto-pruning. Five call sites passed a variable rather than a literal to t(), hiding the keys from the i18next scanner; each is now wrapped in a helper with an explicit switch so every key is visible. Orphaned onboarding-choice and theme-label keys were migrated to the scopes the runtime actually looks them up under, fixing labels that previously always showed in English. (#2368)
  • Dependency bumps. ws 8.18.0 to 8.20.1 (fixes an uninitialized memory disclosure in websocket.close()) (#2370), axios 1.15.2 to 1.16.0 (the fetch adapter now enforces maxBodyLength and maxContentLength) (#2375), tmp 0.2.5 to 0.2.6 (#2369), shell-quote 1.8.1 to 1.8.4 (#2386), and an upgrade of picomatch, minimatch, glob, and serialize-javascript that cuts the high-severity advisories reported by yarn audit (#2381).

Documentation

  • README updated for the Quick setup first-run flow. Quickstart, Admin Panel, Logins, and building-from-source sections now describe the boot-key login and Quick setup wizard, with a new GRIST_IN_SERVICE entry in the env var table. (#2366)

Fixes

Security

  • Harden value interpolation in server-rendered pages. Values embedded into inline <script> blocks in sendAppPage and OAuth2Clients are now escaped with jsesc and inserted without interpreting String.replace patterns (such as $' and $&), and openerOrigin is canonicalized to its bare origin. (commit)
  • Require a matching authenticated session to reconnect a websocket. A clientId alone is no longer enough to attach to an existing session; the new connection must belong to the same authenticated user, so a clientId cannot be used on its own to impersonate a user. (commit)
  • Disallow same-origin custom-widget URLs. A new disallowCustomWidgetUrl() helper refuses widgets whose URL is same-origin or on Grist's configured base domain, as defense in depth against an XSS payload being weaponized through a widget URL. (commit)
  • Disable triggers when a document is downloaded or copied. Webhooks and email triggers are turned off in a downloaded or copied document and must be re-enabled by hand, preventing accidental sends from forks and clones. Webhook secrets are also regenerated correctly when a document with webhooks is uploaded. (commit)
  • Sanitize link URLs in two more places. URLs from the next parameter on /welcome/select-account are now sanitized and required to be same-origin, and URLs in document tours are sanitized too. (commit)
  • Close a metadata leakage in GET /forms. The endpoint read table metadata directly instead of through fetchMetaTables, and did not check that the section was actually a form. Anyone could pass the section ID of a non-form widget and read metadata that access rules would otherwise censor. (commit)

Other

  • Crash instead of silently failing when login middleware cannot initialize. When GRIST_IN_SERVICE=true and the configured identity provider is unreachable at startup, the server now exits rather than falling back to the boot-key login page, so an auto-restart can retry instead of leaving users unable to sign in. (#2384)
  • Fix card widget bugs. New card widgets no longer borrow the record card's layout while record cards are disabled, and a card whose saved layout references only stale fields now falls back to a default layout instead of throwing and leaving the widget broken. (#2379)

Full Grist edition extensions

The Full Grist edition ships OAuth apps, an OIDC server, and an MCP server on top of grist-core.

OAuth apps

  • OAuth apps are now available by default. The experiment flag was removed now that the feature is ready, so all full Grist users can register and manage OAuth apps without opting in. (commit)

OIDC server

  • CIMD registration support. New GRIST_OIDC_CIMD_ENABLED and GRIST_OIDC_CIMD_ALLOWED_HOSTS environment variables enable Client ID Metadata Document registration, and the oidc-provider library was updated. (commit)
  • Optional client_id for OAuth grants, plus a portless loopback fix. Loopback redirect_uris from a terminal app or CIMD flow that omit application_type are now treated as native clients, so localhost callbacks are accepted instead of rejected. The CIMD flow no longer requires registering clients in the home database. (commit)
  • JWKS handling cleaned up. JWKS loading moved from ext/ to app/, removing a misleading warning when no JWKS is configured and surfacing a clear error only if a signing operation is ever actually needed. (commit)

MCP server

  • MCP server improvements. New list_attachments and get_attachment_url tools, stricter doc_id input validation, a grist_ prefix on all tool names to avoid collisions with other tools, and smoke tests for the remaining endpoints. (commit)
  • MCP endpoints put behind the API throttle. Throttle middleware moved to the usage tracker and is now wired through to the MCP doc endpoint. (commit)
  • Per-tool permission checks on the MCP endpoint. Each MCP tool now enforces the OAuth scopes it requires, a user-profile tool was added to the MCP home endpoint, OIDC token requests support resource indicators, and tool descriptors gained titles and annotations. (commit)

Other

  • Restore the missing site-settings page in the full Grist edition. The /site-settings route and its client rendering had been dropped, even though the "Site settings" menu item is shown in all non-SaaS deployments. The core billing pages are composed back into the enterprise and hosted factories, and the page now renders based on its pageType rather than the edition. (commit)

Contributions

Translations

  • Alberto Azzalini
  • Arif Budiman
  • Barna Kovács
  • Grégoire Cutzach
  • Kevin Kandlbinder
  • Martin Harari Thuresson
  • SadCivilian

Full Changelog: v1.7.14...v1.7.15

Join our Discord Community if you'd like to get into development of Grist.

Check out latest releases or
releases around gristlabs/grist-core v1.7.15

Don't miss a new grist-core release

NewReleases is sending notifications on new releases.

Get notifications