Tinyauth v5.0.5
This patch addresses a vulnerability in the OAuth flow discovered by @kq5y; for more information see GHSA-9q5m-jfc4-wc92. Additionally, most of the proxy handling code has been rewritten to work better with proxies other than Traefik, such as Nginx, which uses auth_request, and Envoy, which uses ext_authz.
Warning
This release contains a security fix, please update as soon as possible.
Note
For Envoy/Istio users, you may need to add user-agent to the includeRequestHeadersInCheck list of your ext_authz provider config; Envoy only forwards the headers in that list to the check request, so without it the User-Agent header never reaches Tinyauth and browser detection cannot work.
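As an added example (not configuration shipped with Tinyauth), here is an Istio extension provider that wires Tinyauth in as an HTTP ext_authz service with user-agent included in the check request, followed by the AuthorizationPolicy that applies it to one workload. The service address, port, pathPrefix, the identity header names forwarded on allow, and the workload labels are assumptions for illustration; check them against your own deployment.

```yaml
# Added example, not from the Tinyauth project. Istio MeshConfig extension
# provider for Tinyauth as an Envoy HTTP ext_authz service.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |-
    extensionProviders:
    - name: tinyauth
      envoyExtAuthzHttp:
        service: tinyauth.tinyauth.svc.cluster.local   # assumed service name
        port: "3000"                                    # assumed port
        pathPrefix: /api/auth/envoy                     # assumed check path
        # Envoy sends only Host, Method, Path, Content-Length, Authorization
        # plus the headers listed here. "cookie" carries the Tinyauth session;
        # "user-agent" is the header the release note asks you to add so that
        # browser detection works (a bare ["authorization", "cookie"] list
        # would leave Tinyauth without a User-Agent).
        includeRequestHeadersInCheck: ["authorization", "cookie", "user-agent"]
        # Identity headers passed to the application on allow (assumed names).
        headersToUpstreamOnAllow: ["remote-user", "remote-name", "remote-email", "remote-groups"]
        # Headers needed for the login redirect and session cookie on deny.
        headersToDownstreamOnDeny: ["content-type", "set-cookie", "location"]
        # Fail closed: if Tinyauth is unreachable, deny rather than allow.
        failOpen: false
        statusOnError: "503"
---
# Apply the provider to a workload. Selector labels and host are assumed.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: tinyauth-gate
  namespace: apps
spec:
  selector:
    matchLabels:
      app: whoami
  action: CUSTOM
  provider:
    name: tinyauth
  rules:
  - to:
    - operation:
        hosts: ["whoami.example.com"]
```

After applying, confirm the header reaches the check request with `istioctl proxy-config listener` on the sidecar (look for the ext_authz filter's allowed_headers) or by temporarily raising Tinyauth's log level and requesting the protected host from a browser; the check request should now carry your browser's User-Agent.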
Improvements
- OAuth now supports multiple simultaneous login attempts
- Improved browser detection based on the User-Agent header
- Improved proxy support with new proxy-specific modules
- Automatically rate-limit entire instance on multiple login attempts
- Allow root-level domains as app URL for testing purposes
- Attempt to extract context only on routes that need it
Fixes
- Fix proxy controller not extracting request information from Nginx deployments
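As an added example (not configuration from the Tinyauth project), here is the nginx auth_request layout that this fix concerns: an internal subrequest to Tinyauth that forwards the original request's scheme, host, URI, client address and User-Agent, and a redirect to the login page on 401. The /api/auth/nginx path, the tinyauth:3000 upstream, the X-Forwarded-* header names Tinyauth reads, the Remote-User identity header, and the 401-with-Location login behaviour are assumptions here.

```nginx
# Added example, not from the Tinyauth project.
server {
    listen 443 ssl;
    server_name whoami.example.com;   # assumed host

    # Internal auth subrequest to Tinyauth (path and upstream are assumed).
    location = /tinyauth {
        internal;
        proxy_pass http://tinyauth:3000/api/auth/nginx;
        # auth_request subrequests must not carry a body.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        # The original request's details, which Tinyauth needs to decide the
        # app being accessed and to build the post-login redirect. Defining
        # proxy_set_header here replaces inherited ones, so list them all.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $http_host;
        proxy_set_header X-Forwarded-Uri   $request_uri;
        proxy_set_header X-Forwarded-For   $remote_addr;
        # Browser detection in this release keys on User-Agent; the session
        # lives in the cookie. Both are passed by default, set explicitly so
        # a later proxy_hide_header or variable change cannot drop them.
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Cookie     $http_cookie;
    }

    location / {
        auth_request /tinyauth;
        # Assumed: Tinyauth answers 401 with a Location header for its login
        # page; capture it and turn the 401 into a browser redirect.
        auth_request_set $tinyauth_redirect $upstream_http_location;
        error_page 401 = @tinyauth_login;
        # Assumed identity header from the subrequest, passed to the app.
        auth_request_set $remote_user $upstream_http_remote_user;
        proxy_set_header Remote-User $remote_user;
        proxy_set_header Host $http_host;
        proxy_pass http://whoami:80;   # assumed application upstream
    }

    location @tinyauth_login {
        return 302 $tinyauth_redirect;
    }
}
```

To check that the request information is being extracted, hit the protected host with `curl -I https://whoami.example.com/some/path -A "Mozilla/5.0"` and confirm the 302 you get back points at Tinyauth's login page with the original host and path preserved in its redirect parameter; a redirect that loses the path or host means one of the X-Forwarded-* headers is not reaching the subrequest.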
Technical
- Update dependencies
- Update translations
- Fix wrong tag being used for metadata in release workflow @jacekkow
- Rework controller tests for much more thorough, robust and extensible testing
Please let me know of any issues so I can fix them as soon as possible.
New Contributors
Full Changelog: v5.0.4...v5.0.5