Tyk Gateway 5.1.1

Fixed

• Fixed a bug where the Go Plugin compiler created output files with the wrong names
• Fixed a bug where Python Rich Plugin truncates HTTP headers with same name and returns just the first one. Multiple headers with same name can be supported now for Go, Python and Ruby plugin
• Fixed a bug where gateway logs were not honouring enable_key_logging setting
• Fixed a bug where Tyk could return HTTP 500 Internal Server Error when load balancing at very high API traffic levels
• Fixed a bug where URL rewrite failed when the request contains absolute URL as HTTP verb argument
• Fixed a bug with the Go plugin compiler not working on ARM64 architecture
• Fixed a bug where an mTLS request with an expired certificate allowed the request to be proxied upstream in static mTLS and dynamic mTLS
• Fixed a typo (log-intrumentation) in CLI flag (log-instrumentation) name and comment; thanks to WolfusFlow for the contribution.
• Fixed a bug where introspection not working for custom root operation types
• Fixed an issue where failure to load Otto (JS) middleware didn’t prevent the API from proxying traffic to the upstream; now Gateway logs an error when the plugin fails to load (during API creation/update) and responds with HTTP 500 if the API is called.
• Fixed a bug where UDG was not handling query parameters for REST data source correctly, when parameter was an array
• Fixed a bug where Tyk could return the wrong error code when a websocket upstream responds with error
• Fixed a bug where the basic auth password hash was included in the response when GETting the details of a key
• Fixed a bug where Tyk might not correctly complete mTLS authentication with the client before contacting the upstream service.
• Fixed a bug where upstream certificates can be ignored when API protocol is TCP/TLS
• Fixed a bug that prevented configuration of cache timeout or cached status codes if upstream cache control was enabled.
• Fixed a bug where Edge/Worker gateway does not load api's and policies on cold start when MDCB is down
• Fixed a bug where RAW keys were exposed in INFO log on gateway on keyspace sync
• Fixed a bug where the Dashboard could timeout while loading policies at startup. Added connection_timeout configuration option (defaults to 30 seconds)
• Adjusted the description for the Policy states, so that it reflects the actual behaviour of the policy, when attached to a key.
• Fixed a bug where Tyk might incorrectly apply rounding to 64-bit integer values provided in context. Thanks to @mortymacs for the contribution.

Tyk Dashboard 5.1.1

Fixed

• Fixed a bug where the Tyk Dashboard could show a blank screen when clicking on policies on the Policy Management screen
• Fixed a bug where an API could be incorrectly labelled as using multi-auth in the Tyk Developer Portal catalogue view.
• Fixed a bug where UI bug in the API Designer when adding all API versions to a policy
• Fixed a ui bug when running mutiple operations containing subscriptions from graphiql
• Fixed a bug where the Tyk Dashboard did not display Key Alias on the analytics screens when using SQL for the analytics data store.
• Fixed a bug where when a JWT contains a claim as array and the values containing spaces, those not being parsed correctly
• When importing/creating and API by providing an API Definition that has Event handlers attached, we now store all the events properly in the definition
• When updating, using the Dashboard, an API that has custom event handlers, we now do not clear them anymore.
• Changed service discover cache settings contract, in the OAS API definition, so that it matches all the other cache contracts, defined in the definition. Both the Dasbhoard UI and API, offer support for backwards compatibility.
• The "Gateway Dashboard" page showing API analytics is now hidden if the logged in user doesn't have analytics rights.
• Fixed a bug where it was not possible to configure the rate limiter to count over a shorter period than 60 seconds when set by a partitioned policy.
• Fixed a bug where the Tyk Dashboard could show a blank screen when policies with custom policy IDs were added to an API key
• Fixed a bug where Tyk Dashboard did not properly display the list of organisations
• Fixed a bug where the HEAD option was not available in the Allowed Methods dropdown in the CORS section of the API Designer
• Fixed a bug when SSOOnlyForRegisteredUsers=true, also checks if user belongs to the organization
• Fixed a bug where keys linked to multiple policies become unusable if one of the policies is removed.
• Fixed a security bug where the key_id was unnecessarily returned when a hashed key is created for an API using basic auth.
• Fixed a bug that prevented manual allocation of api_id during API creation.
• Fixed a bug where security headers were not present when classic portal is configured with a custom domain.
• Fixed a bug where the Dashboard granted visibility of unfiltered analytics when API Ownership is enabled. New user permission (owned_analytics) restricts visibility only to analytics for the owned APIs: API Usage, API Errors and Request Logs.
• Fixed a bug where the Dashboard API granted unfiltered access to analytics endpoints with API Ownership enabled.
• Added processor to fill the MainStorage with the mongo configs in the root
• Fixed a bug where Dashboard would take too long loading Policies to the Gateway
• Fixed a bug where the Tyk Dashboard did not display the correct analytics when filtering by ‘tag’ and using SQL for the analytics data store.
• Fixed a bug in the Dashboard Analytics where the zoom would immediately reset to default
• Fixed a potential security issue which allowed search for keys by username; new flag disable_key_actions_by_username added to restrict this
• [Security] Set dashboard session cookies to be HttpOnly with SameSite: Strict
• [Security] Set classic portal session cookies to be HttpOnly with SameSite: Strict
• Fixed a security bug where node secret could be output in the Removed debug-level logging when authorizing requests.
• Fixed a bug where display API Activities by hour was not responding
• Fixed a bug where in Tyk 5.0.2, Dashboard goes into panic when portal manifest file is applied via Tyk Operator

Tyk Gateway 5.0.4 and Tyk Dashboard 5.0.4

Fixed

• Fixed a bug where python Rich Plugin truncates HTTP headers with same name and returns just the first one. Multiple headers with same name can be supported now.
• Fixed a bug where gateway logs were not honouring enable_key_logging setting
• Fixed a bug where Tyk could return HTTP 500 Internal Server Error when load balancing at very high API traffic levels
• Fixed a bug where URL rewrite failed when the request contains absolute URL as HTTP verb argument
• Fixed a typo (log-intrumentation) in CLI flag (log-instrumentation) name and comment; thanks to WolfusFlow for the contribution.
• Fixed a bug where introspection not working for custom root operation types
• Fixed a bug where UDG was not handling query parameters for REST data source correctly, when parameter was an array
• Adjusted the description for the Policy states, so that it reflects the actual behaviour of the policy, when attached to a key.
• Fixed a bug where Tyk might incorrectly apply rounding to 64-bit integer values provided in context. Thanks to @mortymacs for the contribution.

Tyk Dashboard 5.0.4

Fixed

• Fixed a bug when JWT contains a claim as array and the values containing spaces, those not being parsed correctly
• When importing/creating and API by providing an API Definition that has Event handlers attached, we now store all the events properly in the definition
• Fixed a bug when updating, using the Dashboard, an API that has custom event handlers, we now do not clear them anymore.
• Fixed a bug where it was not possible to configure the rate limiter to count over a shorter period than 60 seconds when set by a partitioned policy.
• Fixed a bug where keys linked to multiple policies become unusable if one of the policies is removed.
• Fixed a security bug where the key_id was unnecessarily returned when a hashed key is created for an API using basic auth.
• Fixed a bug where Dashboard would take too long loading Policies to the Gateway
• Fixed a potential security issue which allowed search for keys by username; new flag disable_key_actions_by_username added to restrict this
• Fixed a security bug where node secret could be output in the Removed debug-level logging when authorizing requests.

Changes

• Added processor to fill the MainStorage with the mongo configs in the root
• Set dashboard session cookies to be HttpOnly with SameSite: Strict
• Set classic portal session cookies to be HttpOnly with SameSite: Strict

Tyk Gateway 4.0.8-p3

Fixed

• Fixed a bug where gateway didn't handled sockets properly
• Fixed a bug where client certificate check without announcing ClientCAs during TLS handshake

Tyk Gateway 4.3.5

Fixed

• Fixed a bug where url was not decoded when we enable url-rewrite middleware

Tyk Gateway 4.3.5

Fixed

• Fixed a bug where RAW keys were exposed in INFO log on gateway on keyspace sync
• Optimized the loading and re-loading of APIs and Policies for complex scenarios

Tyk Dashboard 4.3.5

Fixed

• Fixed a bug where the Dashboard could timeout while loading policies at startup. Added connection_timeout configuration option (defaults to 30 seconds)
• Fixed a bug where Dashboard would take too long loading Policies to the Gateway

Tyk Gateway 4.0.14

Fixed

• Fixed a bug where Tyk could return HTTP 500 Internal Server Error when load balancing at very high API traffic levels
• Fixed a bug where invalid IP addresses could be added to the IP allow list
• Fixed a bug where an mTLS request with an expired certificate allowed the request to be proxied upstream in static mTLS and dynamic mTLS
• Fixed a bug where OAuth access keys were physically removed from Redis on expiry; behaviour for OAuth is now the same as for other authorisation methods.
• Added support for the :authority header when making grpc requests. Thanks to vanhtuan0409 from the Tyk Community for this contribution.
• Fixed a bug where the global_size_limit setting didn't enable Request Size Limit middleware. Thanks to @PatrickTaibel for the contribution!
• Fixed a bug where null on required scalar variables are now being catched as expected
• Fixed a bug where upstream JSON error message was not passed to the consumer. It is now included in "extensions" section of GQL error response
• Fixed an issue where failure to load Otto (JS) middleware didn’t prevent the API from proxying traffic to the upstream; now Gateway logs an error when the plugin fails to load (during API creation/update) and responds with HTTP 500 if the API is called.
• Fixed a bug where the basic auth password hash was included in the response when GETting the details of a key
• Fixed a bug where Tyk might not correctly complete mTLS authentication with the client before contacting the upstream service.
• Fixed a bug where upstream certificates can be ignored when API protocol is TCP/TLS
• Fixed a bug where gateway panics when redis cache_storage is down
• Fixed a bug that prevented configuration of cache timeout or cached status codes if upstream cache control was enabled.
• Fixed a bug where Edge/Worker gateway does not load api's and policies on cold start when MDCB is down
• Fixed a bug where RAW keys were exposed in INFO log on gateway on keyspace sync

Tyk Dashboard 4.0.14

Fixed

• Fixed a bug where the Tyk Dashboard could show a blank screen when clicking on policies on the Policy Management screen
• Fixed a bug where Custom Authentication could not be selected to provide the base identity when multi-auth selected
• Fixed a bug where an API could be incorrectly labelled as using multi-auth in the Tyk Developer Portal catalogue view.
• Fixed a bug where in the API Designer when adding all API versions to a policy
• Fixed a bug where the Tyk Dashboard did not display Key Alias on the analytics screens when using SQL for the analytics data store.
• Fixed a bug where it was not possible to download Activity by API or Activity by Key from the Dashboard when using PostgreSQL for the analytics store.
• Improved Dashboard Analytics experience to respect API Ownership (including versions) for log browser and some charts
• Fixed a bug where a new user could be stuck in a password reset loop in the dashboard if TYK_DB_SECURITY_FORCEFIRSTLOGINPWRESET was enabled.
• The "Gateway Dashboard" page showing API analytics is now hidden if the logged in user doesn't have analytics rights.
• Fixed: Redirect unregistered user to new page when SSOOnlyForRegisteredUsers is set to true
• Fixed a bug where the Tyk Dashboard could show a blank screen when policies with custom policy IDs were added to an API key
• Fixed a bug where Tyk Dashboard did not properly display the list of organisations
• Fixed a bug when migrating a portal catalogue with deleted policy from MongoDB to SQL.
• Fixed a bug where the HEAD option was not available in the Allowed Methods dropdown in the CORS section of the API Designer
• Fixed a bug where SSOOnlyForRegisteredUsers=true, also checks if user belongs to the organization
• Fixed a bug where storing the ssl_force_common_name_check field in the API Definition, if this was set via raw API editor or by updating the API Definition via the GW/DB API.
• Fixed a bug where API Ownership was not respected in the API Activity Dashboard Requests and Average Errors Over Time charts in the Tyk Dashboard; note that it is not currently possible to respect API Ownership in other aggregated charts
• Fixed a bug where a user could update their email address to match that of another user within the same Organisation..
• Fixed a bug where users without user:write permission were able to update their permissions through manipulation of Dashboard API calls.
• Fixed a bug that prevented manual allocation of api_id during API creation.
• Fixed a bug where the versions endpoint returned APIs not owned by the logged-in user.
• Fixed a bug where the log browser showed analytics for APIs not owned by the logged-in user.
• Fixed a bug where security headers were not present when classic portal is configured with a custom domain.
• Fixed a bug that prevented non-admin users from seeing Endpoint Popularity data in the Tyk Dashboard
• Fixed a bug where additional data was returned when requesting analytics with p=-1 query when using SQL for the analytics store.
• Fixed a bug where the Dashboard granted visibility of unfiltered analytics when API Ownership is enabled. New user permission (owned_analytics) restricts visibility only to analytics for the owned APIs: API Usage, API Errors and Request Logs.
• Fixed a bug where the Dashboard API granted unfiltered access to analytics endpoints with API Ownership enabled.
• Fixed a bug where the Tyk Dashboard did not display the correct analytics when filtering by ‘tag’ and using SQL for the analytics data store.
• Fixed a bug in the Dashboard Analytics where the zoom would immediately reset to default

Tyk Gateway 5.0.3 and Tyk Dashboard 5.0.3

Fixed

• Fixed a bug where invalid IP addresses could be added to the IP allow list
• Fixed a bug where the Go Plugin compiler created output files with the wrong names
  -Fixed a bug when the control API is not protected with mTLS then we should not ask for a cert even if all the apis registered have mtls as authorization mechanism.
• Fixed a bug where an mTLS request with an expired certificate allowed the request to be proxied upstream in static mTLS and dynamic mTLS
• Fixed a bug where OAuth access keys were physically removed from Redis on expiry; behaviour for OAuth is now the same as for other authorisation methods.
• Added support for the :authority header when making grpc requests. Thanks to vanhtuan0409 from the Tyk Community for this contribution.
• Fixed a bug where the global_size_limit setting didn't enable Request Size Limit middleware. Thanks to @PatrickTaibel for the contribution!
• Fixed a bug where null on required scalar variables are now being catched as expected
• Fixed a bug where upstream JSON error message was not passed to the consumer. It is now included in "extensions" section of GQL error response
• Fixed an issue where failure to load Otto (JS) middleware didn’t prevent the API from proxying traffic to the upstream; now Gateway logs an error when the plugin fails to load (during API creation/update) and responds with HTTP 500 if the API is called.
• Fixed a bug where Tyk could return the wrong error code when a websocket upstream responds with error
• Fixed a bug where the basic auth password hash was included in the response when GETting the details of a key
• Fixed a bug where Tyk might not correctly complete mTLS authentication with the client before contacting the upstream service.
• Fixed a bug where upstream certificates can be ignored when API protocol is TCP/TLS
• Fixed a bug where gateway panics when redis cache_storage is down
• Updated the default Hybrid Pump RPC pool size from 20 to 5 connections in order to reduce default CPU and memory footprint. See [Pump configurations]({{< ref "tyk-pump/tyk-pump-configuration/tyk-pump-environment-variables.md" >}})
• Fixed a bug that prevented configuration of cache timeout or cached status codes if upstream cache control was enabled.
• Fixed a bug where Edge/Worker gateway does not load api's and policies on cold start when MDCB is down
• Fixed a bug where RAW keys were exposed in INFO log on gateway on keyspace sync
• Fixed a bug where the Dashboard could timeout while loading policies at startup. Added connection_timeout configuration option (defaults to 30 seconds)

Tyk Dashboard 5.0.3

Fixed

• Fixed a bug where the Tyk Dashboard could show a blank screen when clicking on policies on the Policy Management screen
• Fixed a bug where an API could be incorrectly labelled as using multi-auth in the Tyk Developer Portal catalogue view.
• Fix a UI bug in the API Designer when adding all API versions to a policy
• Fixed a bug where the Tyk Dashboard did not display Key Alias on the analytics screens when using SQL for the analytics data store.
• Fixed a bug where it was not possible to download Activity by API or Activity by Key from the Dashboard when using PostgreSQL for the analytics store.
• Improved Dashboard Analytics experience to respect API Ownership (including versions) for log browser and some charts
• Fixed a bug where a new user could be stuck in a password reset loop in the dashboard if TYK_DB_SECURITY_FORCEFIRSTLOGINPWRESET was enabled.
• Changed service discover cache settings contract, in the OAS API definition, so that it matches all the other cache contracts, defined in the definition. Both the Dasbhoard UI and API, offer support for backwards compatibility.
• The "Gateway Dashboard" page showing API analytics is now hidden if the logged in user doesn't have analytics rights.
• Feature: Improve portal performance by pre-fetching required data by a few calls instead of thousands.
• Fixed a bug where the Tyk Dashboard could show a blank screen when policies with custom policy IDs were added to an API key
• Fixed a bug where Tyk Dashboard did not properly display the list of organisations
• Fixed a bug where the HEAD option was not available in the Allowed Methods dropdown in the CORS section of the API Designer
• Fixed a bug where SSOOnlyForRegisteredUsers=true, also checks if user belongs to the organization
• Fixed storing the ssl_force_common_name_check field in the API Definition, if this was set via raw API editor or by updating the API Definition via the GW/DB API.
• Fixed a bug where ui data graph is created with multiple words
• Fixed a bug where API Ownership was not respected in the API Activity Dashboard Requests and Average Errors Over Time charts in the Tyk Dashboard; note that it is not currently possible to respect API Ownership in other aggregated charts
• Fixed a bug where a user could update their email address to match that of another user within the same Organisation..
• Fixed a bug where users without user:write permission were able to update their permissions through manipulation of Dashboard API calls.
• Fixed a bug that prevented manual allocation of api_id during API creation.
• Fixed a bug where the versions endpoint returned APIs not owned by the logged-in user.
• Fixed a bug where the log browser showed analytics for APIs not owned by the logged-in user.
• Fixed a bug where security headers were not present when classic portal is configured with a custom domain.
• Fixed a bug that prevented non-admin users from seeing Endpoint Popularity data in the Tyk Dashboard
• Fixed a bug where additional data was returned when requesting analytics with p=-1 query when using SQL for the analytics store.
• Fixed a bug where the Dashboard granted visibility of unfiltered analytics when API Ownership is enabled. New user permission (owned_analytics) restricts visibility only to analytics for the owned APIs: API Usage, API Errors and Request Logs.
• Fixed a bug where the Dashboard API granted unfiltered access to analytics endpoints with API Ownership enabled.
• Fixed a bug where the Tyk Dashboard did not display the correct analytics when filtering by ‘tag’ and using SQL for the analytics data store.
• Fixed a bug in the Dashboard Analytics where the zoom would immediately reset to default
• Fixed a bug where in Tyk 5.0.2, Dashboard goes into panic when portal manifest file is applied via Tyk Operator

Tyk Gateway 5.1.0

https://tyk.io/docs/release-notes/version-5.1/

Tyk Dashboard 5.1.0

https://tyk.io/docs/release-notes/version-5.1/

Tyk Gateway 5.0.2, Tyk Dashboard 5.0.2,

Support for MongoDB 5 and 6

From Tyk 5.0.2, we added support for MongoDB 5.0.x and 6.0.x. To enable this, you have to set new Dashboard config option driver to mongo-go.
The driver setting defines the driver type to use for MongoDB. It can be one of the following values:

• mgo (default): Uses the mgo driver. This driver supports Mongo versions lower or equal to v4. You can get more information about this driver here
• mongo-go: Uses the official MongoDB driver. This driver supports Mongo versions greater or equal to v4. You can get more information about this driver here.

Recently released Tyk Pump 1.8.0 and MDCB 2.2 also support new driver option

Tyk Dashboard 5.0.2

Fixed

• Fixed a bug on migration of a portal catalogue with deleted policy to SQL.
• Fixed: Redirect unregistered user to new page when SSOOnlyForRegisteredUsers is set to true

Tyk Gateway 5.0.2

• Internal refactoring and making storage related parts more stable, and less affected to potential race issues

Tyk Gateway

Added

• Added a new enable_distributed_tracing to the NewRelic config to enable support for Distributed Tracer

Fixed

• Fixed panic when JWK method was used for JWT authentication and the token didn't include kid.
• Fixed an issue where failure to load GoPlugin middleware didn’t prevent the API from proxying traffic to the upstream; now Gateway logs an error when the plugin fails to load (during API creation/update) and responds with HTTP 500 if the API is called. At the moment fixed only for file based plugins.
• Fixed MutualTLS issue causing leak of allowed CAs during TLS handshake when there are multiple mTLS APIs
• Fixed a bug during hot reload of Tyk Gateway where APIs with JSVM plugins stored in filesystem were not reloaded.
• Fixed a bug where the gateway would remove the trailing /at the end of a URL
• Fixed a bug where nested field-mappings in UDG weren't working as intended
• Fixed a bug when using Tyk OAuth 2.0 flow on Tyk Cloud where a request for an Authorization Code would fail with a 404 error.
• Fixed a bug where mTLS negotiation could fail when there are a large number of certificates and CAs; added an option (http_server_options.skip_client_ca_announcement) to use the alternative method for certificate transfer.
• Fixed CVE issue with go.uuid package
• Fixed a bug where rate limits were not correctly applied when policies are partitioned to separate access rights and rate limits into different scopes.

Tyk Dashboard

Added

• Improved security for people using the Dashboard by adding the Referrer-Policy header with the value no-referrer.
• Added ability to select the plugin driver within the Tyk OAS API Designer.

Changed

• When creating a new API in the Tyk OAS API Designer, caching is now disabled by default.

Fixed

• Fixed a bug where a call to the /hello endpoint would unnecessarily log http: superfluous response.WriteHeader call.
• Fixed a bug where the Dashboard was showing Average usage over time for all Developers, rather than just those relevant to the logged in developer.
• Fixed a bug where logged in users could see Identity Management pages, even if they didn't had the rights to use these features.
• Fixed a bug that prevented Tyk Dashboard users from resetting their own passwords.
• Fixed issue with GraphQL proxy headers added via UI
• Fixed a bug where the Dashboard would not allow access to any screens if a logged in user didn’t have access to the APIs resource regardless of other access rights.
• Fixed a bug on the key management page where searching by key_id did not work - you can now initiate the search by pressing enter after typing in the key_id.
• Fixed a bug where Dashboard API could incorrectly return HTTP 400 when deleting an API.
• Fixed UDG UI bug that caused duplicate data source creation on renaming
• Fixed schema validation for custom domain in Tyk OAS API definition
• Fixed a bug where the left menu did not change when Dashboard language was changed.
• Fixed a bug that caused the Dashboard to report errors when decoding multiple APIs associated with a policy.
• Fixed a bug where it was not possible to disable the Use Scope Claim option when using JWT authentication
• Fixed a bug in the default OPA rule that prevented users from resetting their own password
• Fixed a bug where authToken data was incorrectly stored in the JWT section of the authentication config when a new API was created