Releases: steveiliop56/tinyauth

nightly

23 Apr 00:43
3906e50

nightly Pre-release
chore: add openssf scorecard to readme

v5.0.7

17 Apr 10:47
479f165

Tinyauth v5.0.7

Hello everyone! This is officially the last release under my username. After this last patch, Tinyauth will move to its new home, tinyauthapp, with no breaking changes for now. As for this release, it addresses some further issues with the Envoy proxy and improves the OpenID Connect experience.

Improvements

  • The OpenID Connect server now supports PKCE
  • The OpenID Connect user information endpoint now supports POST requests @scottmckendry
  • The OpenID Connect user information endpoint now supports the access token in the POST request body @scottmckendry
  • The OAuth flow now supports the OpenID Connect parameters and stores CSRF states server-side for anti-tampering
  • Add X-Tinyauth-Location header for Nginx instances to support redirect to login and unauthorized pages automatically
  • Support unsigned OpenID Connect request objects @scottmckendry
  • Accessibility improvements

Fixes

  • Use 307 redirects for Envoy proxy
  • Fix TOTP field auto-fill not working in some password managers @scottmckendry

Technical

  • Update dependencies
  • Update translations
  • Use own fork of the paerser library for better flexibility in configuration parsing
  • Fail app early when the app URL is missing

Please let us know of any issues so we can address them as soon as possible.

Full Changelog: v5.0.6...v5.0.7

v5.0.7-beta.1

16 Apr 09:17
36c7872

v5.0.7-beta.1 Pre-release
New Crowdin updates (#797)

* New translations en.json (Romanian)

* New translations en.json (Spanish)

* New translations en.json (Afrikaans)

* New translations en.json (Norwegian)

* New translations en.json (Polish)

* New translations en.json (Portuguese)

* New translations en.json (Russian)

* New translations en.json (Serbian (Cyrillic))

* New translations en.json (Swedish)

* New translations en.json (Turkish)

* New translations en.json (Vietnamese)

* New translations en.json (Portuguese, Brazilian)

* New translations en.json (Korean)

* New translations en.json (Arabic)

* New translations en.json (Catalan)

* New translations en.json (Czech)

* New translations en.json (Danish)

* New translations en.json (German)

* New translations en.json (Finnish)

* New translations en.json (Hebrew)

* New translations en.json (Italian)

* New translations en.json (Japanese)

* New translations en.json (Dutch)

* New translations en.json (Chinese Traditional)

v5.0.7-alpha.1

14 Apr 10:50
c1dd37e

v5.0.7-alpha.1 Pre-release
chore(deps): bump the minor-patch group across 1 directory with 15 up…

v5.0.6

02 Apr 15:52

Tinyauth v5.0.6

Before the release notes

I would like to apologize for the recent spamming of patch releases. While everything is tested properly after each release, almost always something slips through and requires another patch. I want to feel confident that everything introduced/changed in v5 is working perfectly and without any issues before proceeding to adding more features.

Fixes

  • Fix browser detection not working correctly for some proxies

Technical

  • Update dependencies

Please let me know of any issues so I can fix them as soon as possible.

v5.0.6-beta.1

02 Apr 12:39
7ad1393

v5.0.6-beta.1 Pre-release
chore(deps): bump docker/build-push-action from 6 to 7 (#749)

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6 to 7.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6...v7)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

v5.0.5

01 Apr 15:41
fc1d4f2

Tinyauth v5.0.5

This patch addresses a vulnerability in the OAuth flow discovered by @kq5y; for more information, see GHSA-9q5m-jfc4-wc92. Additionally, most of the proxy handling code has been rewritten to work better with proxies other than Traefik, such as Nginx, which uses auth_request, and Envoy, which uses ext_authz.

Warning

This release contains a security fix; please update as soon as possible.

Note

For Envoy/Istio users, you may need to include user-agent in your includeRequestHeadersInCheck config to get browser detection working.

Improvements

  • OAuth now supports multiple simultaneous login attempts
  • Improved browser detection based on the User-Agent header
  • Improved proxy support with new proxy-specific modules
  • Automatically rate-limit entire instance on multiple login attempts
  • Allow root-level domains as app URL for testing purposes
  • Attempt to extract context only on routes that need it

Fixes

  • Fix proxy controller not extracting request information from Nginx deployments

Technical

  • Update dependencies
  • Update translations
  • Fix wrong tag being used for metadata in release workflow @jacekkow
  • Rework controller tests for much more thorough, robust and extensible testing

Please let me know of any issues so I can fix them as soon as possible.

Full Changelog: v5.0.4...v5.0.5

v5.0.5-rc.2

01 Apr 14:07
fc1d4f2

v5.0.5-rc.2 Pre-release
refactor: use better ignore paths in context middleware (#743)

v5.0.5-rc.1

01 Apr 12:43
cec0a73

v5.0.5-rc.1 Pre-release
New translations en.json (Ukrainian) (#740)

v5.0.5-beta.3

30 Mar 20:07

v5.0.5-beta.3 Pre-release
fix: handle oauth provider id mismatch correctly