Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols
Published by ilijabojanovic 5 months ago
enable_key_logging setting
max_conn_time, the timeout in effect was not deterministic.
rawResponse analytics
max_conn_time configuration option).
TYK_GW_HTTPSERVEROPTIONS_ENABLESTRICTROUTES)
Published by ilijabojanovic 6 months ago
require_session:true) is assigned to the same endpoint as the Ignore Authentication middleware. While the custom plugin expects access to a valid session, the configuration flag doesn't guarantee its presence, only that it's passed if available. As such, the custom plugin should be coded to verify that the session metadata is present before attempting to use it.
store_data and get_data could fail due to connection issues with Redis. With this fix, the Redis connection will be created if required, avoiding the crash.
detailed_tracing was set to false and the client was sending a malformed request to a GraphQL API, the traces were missing GraphQL attributes (operation name, type and document). This has been corrected and debugging GraphQL with OTel will be easier for users.
graphql prefix and therefore were not in line with the community standard. This has been fixed and all attributes have the correct prefix.
tyk://self). Quota limits were not observed and the quota-related response headers always contained 0.
GET method for the /api/users/search endpoint in favour of a POST method with the same logic but with parameters supplied in the request body.
Access-Control-Allow-Credentials header from Dashboard API responses to prevent any potential misuse of the header by attackers. This allows simplification of the web application's security configuration.
$expr operator in the solution, and discovered that this is supported by MongoDB but not by DocumentDB. We have now reimplemented the fix and removed the limitation introduced for DocumentDB users.
Published by ilijabojanovic 6 months ago
Published by ilijabojanovic 7 months ago
https://tyk.io/docs/product-stack/tyk-gateway/release-notes/version-5.3/
https://tyk.io/docs/product-stack/tyk-dashboard/release-notes/version-5.3/
Published by ilijabojanovic 8 months ago
No changes
Published by sedkis 8 months ago
Published by sedkis 8 months ago
Published by ilijabojanovic 10 months ago
No changes
Published by ilijabojanovic 10 months ago
No changes
Published by ilijabojanovic 10 months ago
sub claim but different scopes in each policy. Now the session will be correctly configured for the claims provided in the policy used for each API request.
tyk version command that provides more details about the Tyk Dashboard build. This prints the release version, git commit, Go version used, architecture and other build details.
allow_unsafe_oas is not enabled.
Published by ilijabojanovic 11 months ago
build_id argument with the Tyk Plugin Compiler that prevents users from hot-reloading different versions of the same plugin compiled with different build_id. The bug was introduced with the plugin module build change implemented in the upgrade to Go version 1.19 in Tyk 5.1.0.
sub claim but different scopes in each policy. Now the session will be correctly configured for the claims provided in the policy used for each API request.
tyk version command that provides more details about the Tyk Dashboard build. This prints the release version, git commit, Go version used, architecture and other build details.
allow_unsafe_oas is not enabled.
Published by ilijabojanovic 11 months ago
enable_http2 to false.
tyk version command that provides more details about the Tyk Gateway build. This prints the release version, git commit, Go version used, architecture and other build details.
fallbackToDefault, for Tyk Classic APIs it is fallback_to_default.
p to the /api/logs endpoint could lead to an out-of-memory scenario as the Dashboard would attempt to retrieve all logs in the system. Tyk will now return an HTTP 400 Bad Request response if a non-integer value is provided. This fix mitigates the risk of accidentally or deliberately causing Tyk Dashboard to stop responding.
use_standard_auth to true, which actually enables Auth Token authentication.
Published by ilijabojanovic 11 months ago
tyk version command that provides more details about the Tyk Gateway build. This prints the release version, git commit, Go version used, architecture and other build details. It's used to provide more detailed information when raising support tickets, as well as facilitating some CI automation with the use of the --json flag.
p to the /api/logs endpoint could lead to an out-of-memory scenario as the Dashboard would attempt to retrieve all logs in the system. Tyk will now return an HTTP 400 Bad Request response if a non-integer value is provided. This fix mitigates the risk of accidentally or deliberately causing Tyk Dashboard to stop responding.
use_standard_auth to true, which actually enables Auth Token authentication.
Published by ilijabojanovic 12 months ago
{ulid} placeholder for analytics. This matches the existing UUID normalization. Thanks to @atkrad for the contribution.
max_conn_time, the timeout in effect was not deterministic. Timeouts larger than 0 seconds are now enforced for each request.
allow_unsafe_oas. This permits the modification of Tyk OAS APIs via the Tyk Classic API endpoints. This is not a recommended action due to the risk of inconsistent behaviour and the potential for breaking changes while Tyk OAS is in Early Access. This is provided for early adopters and will be deprecated later, once Tyk OAS reaches full maturity.
api_version and api_id query parameters were potential targets for SQL injection attacks.
uptime_tests.check_list were not correctly handled. Uptime tests can now be configured for Tyk Classic APIs using the Raw API Definition editor.
Published by ilijabojanovic 12 months ago
allow_unsafe_oas. This permits the modification of Tyk OAS APIs via the Tyk Classic API endpoints. This is not a recommended action due to the risk of inconsistent behaviour and the potential for breaking changes while Tyk OAS is in Early Access. This is provided for early adopters and will be deprecated later, once Tyk OAS reaches full maturity.
api_version and api_id query parameters were potential targets for SQL injection attacks.
uptime_tests.check_list were not correctly handled. Uptime tests can now be configured for Tyk Classic APIs using the Raw API Definition editor.
Published by ilijabojanovic 12 months ago