tyk

Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols

OTHER License

Stars
9.2K
Committers
115


tyk - v5.4.0-alpha5 Latest Release

Published by buger 5 months ago

tyk - Tyk Gateway 4.0.16 and Tyk Dashboard 4.0.16

Published by ilijabojanovic 5 months ago

Tyk Gateway 4.0.16

Fixed

  • Fixed a bug where gateway logs were not honouring enable_key_logging setting
  • Fixed a bug where the enforced timeout values were not correct on a per-request basis. Because timeouts were enforced only at the transport level, and the transport was created only once per max_conn_time, the timeout actually in effect was not deterministic.
  • Fixed a minor issue with Go Plugin virtual endpoints where a runtime log error was produced from a request, even if the response was successful. Thanks to @uddmorningsun for spotting this and proposing a fix.
  • Fixed a bug where, when using MongoDB, Tyk could incorrectly grant access to an API using a key after that API had been deleted from a policy.
  • Fixed a bug where Tyk could return the wrong error code when a websocket upstream responds with error
  • Fixed a bug where keys linked to multiple policies become unusable if one of the policies is removed.
  • Remove the extra chunked transfer encoding that was added to rawResponse analytics
  • Updated the default Hybrid Pump RPC pool size from 20 to 5 connections in order to reduce default CPU and memory footprint
  • Fixed a bug where the Gateway did not correctly close idle upstream connections (sockets) when configured to generate a new connection after a configurable period of time (using the max_conn_time configuration option).
  • Fixed a bug where the URL Rewrite middleware did not correctly handle escaped characters in the URL.
  • Fixed a potential performance issue related to high rates of Gateway reloads (when the Gateway is updated due to a change in APIs and/or policies)
  • Fixed a memory leak that occurred when setting the strict routes option to change the routing to avoid nearest-neighbour requests on overlapping routes (TYK_GW_HTTPSERVEROPTIONS_ENABLESTRICTROUTES)
  • Fixed one Critical and six High CVEs reported in the Plugin Compiler.
  • Fixed automated token trimming in Redis, ensuring efficient management of OAuth tokens by implementing a new hourly job within the Gateway and providing a manual trigger endpoint.
  • Fixed a bug that was introduced in the fix applied to the URL Rewrite middleware.

Tyk Dashboard 4.0.16

Fixed

  • Fixed a bug where, if you created a Key which provided access to an inactive or draft API, you would be unable to subsequently modify that Key (via the Dashboard or directly via the Tyk Gateway API)
  • Fixed a bug where Dashboard would take too long loading Policies to the Gateway
  • Fixed a bug where the Dashboard could timeout while loading policies at startup. Added connection_timeout configuration option (defaults to 30 seconds)
  • Adjusted the description for the Policy states, so that it reflects the actual behaviour of the policy, when attached to a key.
  • Optimised the loading and re-loading of APIs and Policies for complex scenarios
  • Fixed a bug where searching for a User in the Tyk Dashboard didn't match partial user names.
  • Moved all HTML inline scripts to their own script files, to accommodate the Content Security Policy (CSP) that has been enabled to increase security.

tyk - Tyk Gateway 5.0.12 and Tyk Dashboard 5.0.12

Published by ilijabojanovic 6 months ago

Tyk Gateway 5.0.12

Fixed

  • Fixed a bug where Tyk failed to properly reject custom plugin bundles with signature verification failures, allowing APIs to load without necessary plugins, potentially exposing upstream services. With the fix, if the plugin bundle fails to load (for example, due to failed signature verification) the API will not be loaded and an error will be logged in the Gateway.
  • Fixed a panic scenario that occurred when a custom JavaScript plugin that requests access to the session metadata (require_session:true) is assigned to the same endpoint as the Ignore Authentication middleware. While the custom plugin expects access to a valid session, the configuration flag doesn't guarantee its presence, only that it's passed if available. As such, the custom plugin should be coded to verify that the session metadata is present before attempting to use it.
  • Fixed a bug where the Gateway could crash when using custom Python plugins that access the Redis storage. The Tyk Python API methods store_data and get_data could fail due to connection issues with the Redis. With this fix, the Redis connection will be created if required, avoiding the crash.
  • Fixed a bug where the Gateway could panic when the Persist GQL middleware was used without arguments defined. The Gateway no longer panics in this case.
  • Fixed a bug where, with detailed_tracing set to false, traces for a malformed request to a GraphQL API were missing the GraphQL attributes (operation name, type and document). This has been corrected, making GraphQL easier to debug with OTel.
  • Fixed a bug where the GraphQL OpenTelemetry semantic convention attribute names were missing the graphql prefix and so did not match the community standard. All attributes now carry the correct prefix.
  • Fixed two bugs in the handling of usage quotas by the URL rewrite middleware when it was configured to rewrite to itself (e.g. to tyk://self). Quota limits were not observed and the quota related response headers always contained 0.
  • Fixed a bug in distributed deployments where the MDCB data plane gateway counter was inaccurately incremented when a Gateway was stopped and restarted.
  • Addressed a bug where clearing the API cache from the Tyk Dashboard failed to invalidate the cache in distributed data plane (MDCB) gateways.
  • Fixed a bug introduced in 5.3.0 which prevented custom Go plugins compiled in RHEL8 environments from loading into Tyk Gateway. An automation issue had caused the build environments for the Gateway and Plugin Compiler to use different base images. This fix restores the plugin functionality on RHEL8 environments, by fixing the plugin compiler base image to match the gateway build environment: Go 1.21 and Debian Bullseye.
  • Removed several unused packages from the plugin compiler image, including docker, buildkit, ruc, sqlite, curl, wget and other build tooling. The removal addresses CVE reports raised against packages the plugin compiler does not use; none of the removed dependencies provide plugin compiler functionality.

Tyk Dashboard 5.0.12

Fixed

  • Improved the behaviour of the Dashboard when searching for users to avoid transmitting sensitive information (user email addresses) in the request query parameters. Deprecated the GET method for the /api/users/search endpoint in favour of a POST method with the same logic but with parameters supplied in the request body.
  • As Tyk Dashboard and Tyk Classic Portal do not accept cross origin requests we have removed the Access-Control-Allow-Credentials header from Dashboard API responses to prevent any potential misuse of the header by attackers. This allows simplification of the web application’s security configuration.
  • Implemented a randomised delay to obscure login response times, mitigating brute force attacks that rely on response time analysis.
  • Fixed a bug where a user was still able to log into an Organisation on the Tyk Dashboard after that Organisation had been deleted. Now, when an Organisation is deleted, it will not be offered as an option when logging in.
  • Fixed an issue where access keys could accidentally also be printed to the Dashboard’s stdout when a call was made to /api/keys to retrieve the keys. This has now been suppressed.
  • The Endpoint Designer did not correctly display a GraphQL policy’s allow or block list if a wildcard character (*) was used in the list’s definition. This has been fixed and now, if the wildcard (*) is present in the allow/block list definition, the UI correctly displays the list of allowed/blocked fields.
  • Fixed an issue that was preventing the OPA editor from being visible using the keyboard shortcut when using Microsoft Windows.
  • Fixed an issue where common keyboard shortcuts (Cmd + X, A, C, V) were not working correctly when configuring the URL field for a UDG data source.
  • Fixed an issue in the Tyk OAS API Designer where there was no input validation of the OAuth Introspection URL. The Gateway reported an HTTP 400 error when attempting to save an API with an illegal value, however the API Designer did not guide the user to the source of the error. Now there is automatic validation of the text entered in the Introspection URL field.
  • Fixed an issue with the text editor in the Tyk OAS API Designer where the cursor was misaligned with where characters would be entered. We have replaced the text editor module throughout the Tyk Dashboard to use a more modern, supported library.
  • The ‘Top 5 Errors by Graph’ bar chart in the Activity by Graph dashboard experienced display issues with long graph names and sometimes showed empty bars. This has been resolved, and the chart now displays accurately.
  • Fixed a bug where some Tyk Dashboard analytics screens stopped working when the analytics aggregates collection grew too large.
  • In Tyk 5.0.7/5.2.2 we fixed an issue in the policy-API link deletion code. This introduced an unintended side-effect for users of DocumentDB such that they were unable to delete APIs from the persistent storage. We identified that this was due to the use of the $expr operator in the solution - and discovered that this is supported by MongoDB but not by DocumentDB. We have now reimplemented the fix and removed the limitation introduced for DocumentDB users.
  • Fixed an issue when using MongoDB and Tyk Security Policies where Tyk could incorrectly grant access to an API after that API had been deleted from the associated policy. This introduced an unintended side-effect for users of DocumentDB such that they were unable to delete APIs from the persistent storage. We identified that this was due to the use of the $expr operator in the solution - and discovered that this is supported by MongoDB but not by DocumentDB. We have now reimplemented the fix and removed the limitation introduced for DocumentDB users.
  • Addressed a bug where clearing the API cache from the Tyk Dashboard failed to invalidate the cache in distributed data plane gateways.

tyk - Tyk Gateway 5.3.1 and Tyk Dashboard 5.3.1

Published by ilijabojanovic 6 months ago

Tyk Gateway 5.3.1

Fixed

  • Fixed a bug where Tyk failed to properly reject custom plugin bundles with signature verification failures, allowing APIs to load without necessary plugins, potentially exposing upstream services. With the fix, if the plugin bundle fails to load (for example, due to failed signature verification) the API will not be loaded and an error will be logged in the Gateway.
  • Fixed a panic scenario that occurred when a custom JavaScript plugin that requests access to the session metadata (require_session:true) is assigned to the same endpoint as the Ignore Authentication middleware. While the custom plugin expects access to a valid session, the configuration flag doesn't guarantee its presence, only that it's passed if available. As such, the custom plugin should be coded to verify that the session metadata is present before attempting to use it.
  • Fixed a bug where the Gateway could crash when using custom Python plugins that access the Redis storage. The Tyk Python API methods store_data and get_data could fail due to connection issues with the Redis. With this fix, the Redis connection will be created if required, avoiding the crash.
  • Fixed a bug where the Gateway could panic when the Persist GQL middleware was used without arguments defined. The Gateway no longer panics in this case.
  • Fixed a bug where, with detailed_tracing set to false, traces for a malformed request to a GraphQL API were missing the GraphQL attributes (operation name, type and document). This has been corrected, making GraphQL easier to debug with OTel.
  • Fixed a bug where the GraphQL OpenTelemetry semantic convention attribute names were missing the graphql prefix and so did not match the community standard. All attributes now carry the correct prefix.
  • Fixed two bugs in the handling of usage quotas by the URL rewrite middleware when it was configured to rewrite to itself (e.g. to tyk://self). Quota limits were not observed and the quota related response headers always contained 0.
  • Fixed a bug in distributed deployments where the MDCB data plane gateway counter was inaccurately incremented when a Gateway was stopped and restarted.
  • Addressed a bug where clearing the API cache from the Tyk Dashboard failed to invalidate the cache in distributed data plane (MDCB) gateways.
  • Fixed a bug introduced in 5.3.0 which prevented custom Go plugins compiled in RHEL8 environments from loading into Tyk Gateway. An automation issue had caused the build environments for the Gateway and Plugin Compiler to use different base images. This fix restores the plugin functionality on RHEL8 environments, by fixing the plugin compiler base image to match the gateway build environment: Go 1.21 and Debian Bullseye.
  • Removed several unused packages from the plugin compiler image, including docker, buildkit, ruc, sqlite, curl, wget and other build tooling. The removal addresses CVE reports raised against packages the plugin compiler does not use; none of the removed dependencies provide plugin compiler functionality.
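
The first item in both the Gateway 5.0.12 and Gateway 5.3.1 lists above describes a fail-open bug: a bundle whose signature did not verify still let the API load, just without its plugins. The Go example below is added here to show the fail-closed shape of that check and is not Tyk's code. The Bundle layout, the sorted SHA-256 file digest, the RSA-PSS detached signature and the LoadAPI registry are all assumptions made for the example; Tyk's real bundle manifest format and signing tooling differ.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Bundle is a simplified stand-in for a plugin bundle: a set of named files plus
// a detached signature over a canonical digest of those files. The layout is an
// assumption for this example and is not Tyk's bundle/manifest format.
type Bundle struct {
	Files     map[string][]byte
	Signature []byte
}

// API is a minimal stand-in for a registered API definition.
type API struct {
	ID      string
	Plugins []string
}

// bundleDigest hashes file names and contents in sorted order, NUL-separated,
// so the signature binds both the set of files and each file's bytes.
func bundleDigest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		h.Write([]byte(n))
		h.Write([]byte{0})
		h.Write(files[n])
		h.Write([]byte{0})
	}
	return h.Sum(nil)
}

// SignBundle attaches an RSA-PSS signature over the bundle digest.
func SignBundle(b *Bundle, key *rsa.PrivateKey) error {
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, bundleDigest(b.Files), nil)
	if err != nil {
		return err
	}
	b.Signature = sig
	return nil
}

// VerifyBundle checks the signature against the pinned public key. An unsigned
// bundle is treated exactly like a bundle with a bad signature.
func VerifyBundle(b *Bundle, pub *rsa.PublicKey) error {
	if len(b.Signature) == 0 {
		return errors.New("bundle is unsigned")
	}
	if err := rsa.VerifyPSS(pub, crypto.SHA256, bundleDigest(b.Files), b.Signature, nil); err != nil {
		return fmt.Errorf("bundle signature verification failed: %w", err)
	}
	return nil
}

// LoadAPI fails closed: if the bundle does not verify, the API is not registered
// at all. The pre-fix behaviour described above registered the API anyway, just
// without its plugins, which is the outcome this guards against.
func LoadAPI(registry map[string]*API, id string, b *Bundle, pub *rsa.PublicKey) error {
	if err := VerifyBundle(b, pub); err != nil {
		return fmt.Errorf("api %q not loaded: %w", id, err)
	}
	plugins := make([]string, 0, len(b.Files))
	for name := range b.Files {
		plugins = append(plugins, name)
	}
	sort.Strings(plugins)
	registry[id] = &API{ID: id, Plugins: plugins}
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	registry := map[string]*API{}
	// Constructed sample bundle with two files.
	b := &Bundle{Files: map[string][]byte{"auth.js": []byte("// plugin"), "manifest.json": []byte("{}")}}
	if err := SignBundle(b, key); err != nil {
		panic(err)
	}
	fmt.Println("signed bundle:", LoadAPI(registry, "orders", b, &key.PublicKey))
	b.Files["auth.js"] = []byte("// tampered") // modify a file after signing
	fmt.Println("tampered bundle:", LoadAPI(registry, "payments", b, &key.PublicKey))
	_, loaded := registry["payments"]
	fmt.Println("payments registered:", loaded)
}
```

The practitioner's check after upgrading is the same as the example's last two lines: tamper with a signed bundle, reload, and confirm the API is absent from the loaded set and that the Gateway logged an error, rather than serving the upstream with no plugin in front of it.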

Tyk Dashboard 5.3.1

Fixed

  • Improved the behaviour of the Dashboard when searching for users to avoid transmitting sensitive information (user email addresses) in the request query parameters. Deprecated the GET method for the /api/users/search endpoint in favour of a POST method with the same logic but with parameters supplied in the request body.
  • As Tyk Dashboard and Tyk Classic Portal do not accept cross origin requests we have removed the Access-Control-Allow-Credentials header from Dashboard API responses to prevent any potential misuse of the header by attackers. This allows simplification of the web application’s security configuration.
  • Implemented a randomised delay to obscure login response times, mitigating brute force attacks that rely on response time analysis.
  • Fixed a bug where a user was still able to log into an Organisation on the Tyk Dashboard after that Organisation had been deleted. Now, when an Organisation is deleted, it will not be offered as an option when logging in.
  • Fixed an issue where access keys could accidentally also be printed to the Dashboard’s stdout when a call was made to /api/keys to retrieve the keys. This has now been suppressed.
  • The Endpoint Designer did not correctly display a GraphQL policy’s allow or block list if a wildcard character (*) was used in the list’s definition. This has been fixed and now, if the wildcard (*) is present in the allow/block list definition, the UI correctly displays the list of allowed/blocked fields.
  • Fixed an issue that was preventing the OPA editor from being visible using the keyboard shortcut when using Microsoft Windows.
  • Fixed an issue where common keyboard shortcuts (Cmd + X, A, C, V) were not working correctly when configuring the URL field for a UDG data source.
  • Fixed an issue in the Tyk OAS API Designer where there was no input validation of the OAuth Introspection URL. The Gateway reported an HTTP 400 error when attempting to save an API with an illegal value, however the API Designer did not guide the user to the source of the error. Now there is automatic validation of the text entered in the Introspection URL field.
  • Fixed an issue with the text editor in the Tyk OAS API Designer where the cursor was misaligned with where characters would be entered. We have replaced the text editor module throughout the Tyk Dashboard to use a more modern, supported library.
  • The ‘Top 5 Errors by Graph’ bar chart in the Activity by Graph dashboard experienced display issues with long graph names and sometimes showed empty bars. This has been resolved, and the chart now displays accurately.
  • Fixed a bug where some Tyk Dashboard analytics screens stopped working when the analytics aggregates collection grew too large.
  • In Tyk 5.0.7/5.2.2 we fixed an issue in the policy-API link deletion code. This introduced an unintended side-effect for users of DocumentDB such that they were unable to delete APIs from the persistent storage. We identified that this was due to the use of the $expr operator in the solution - and discovered that this is supported by MongoDB but not by DocumentDB. We have now reimplemented the fix and removed the limitation introduced for DocumentDB users.
  • In Tyk 5.2.2 we fixed an issue when using MongoDB and Tyk Security Policies where Tyk could incorrectly grant access to an API after that API had been deleted from the associated policy. This introduced an unintended side-effect for users of DocumentDB such that they were unable to delete APIs from the persistent storage. We identified that this was due to the use of the $expr operator in the solution - and discovered that this is supported by MongoDB but not by DocumentDB. We have now reimplemented the fix and removed the limitation introduced for DocumentDB users.
  • Addressed a bug where clearing the API cache from the Tyk Dashboard failed to invalidate the cache in distributed data plane gateways.
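
The randomised login delay listed for Dashboard 5.0.12 and 5.3.1 above is only half of a timing defence: jitter widens the noise an attacker has to average out, but the structural fix is to make an unknown username cost exactly the same work as a wrong password. The Go example below is added here to show both together; it is not Tyk Dashboard code. The HMAC-based password hash, the pepper, the dummy user record and the jitter bound are assumptions for the example (a real system would use bcrypt or argon2id).

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// pepper is a constructed secret for this example. A real deployment keeps it
// out of source control and hashes passwords with a slow KDF; HMAC-SHA256 is
// used here only so the example runs on the standard library alone.
var pepper = []byte("example-pepper-not-for-production")

type user struct {
	salt []byte
	hash []byte
}

func hashPassword(salt []byte, password string) []byte {
	m := hmac.New(sha256.New, pepper)
	m.Write(salt)
	m.Write([]byte(password))
	return m.Sum(nil)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Authenticator keeps a dummy record so that a login attempt for an unknown
// username performs the same hashing work as one for a real user.
type Authenticator struct {
	users     map[string]user
	dummy     user
	maxJitter time.Duration
}

func NewAuthenticator(creds map[string]string, maxJitter time.Duration) *Authenticator {
	a := &Authenticator{users: map[string]user{}, maxJitter: maxJitter}
	for name, pw := range creds {
		salt := randomBytes(16)
		a.users[name] = user{salt: salt, hash: hashPassword(salt, pw)}
	}
	dummySalt := randomBytes(16)
	a.dummy = user{salt: dummySalt, hash: hashPassword(dummySalt, string(randomBytes(16)))}
	return a
}

// randomDelay draws a delay in [0, maxJitter) from crypto/rand so the padding
// itself cannot be predicted by an attacker measuring response times.
func (a *Authenticator) randomDelay() time.Duration {
	if a.maxJitter <= 0 {
		return 0
	}
	var buf [8]byte
	if _, err := rand.Read(buf[:]); err != nil {
		return a.maxJitter
	}
	return time.Duration(binary.BigEndian.Uint64(buf[:]) % uint64(a.maxJitter))
}

// Login returns true only for a known user with the right password. The
// unknown-user and wrong-password paths do the same hash and the same
// constant-time comparison, then add random jitter before returning.
func (a *Authenticator) Login(username, password string) bool {
	u, known := a.users[username]
	if !known {
		u = a.dummy
	}
	candidate := hashPassword(u.salt, password)
	match := subtle.ConstantTimeCompare(candidate, u.hash) == 1
	time.Sleep(a.randomDelay())
	return known && match
}

func main() {
	auth := NewAuthenticator(map[string]string{"alice": "correct horse"}, 250*time.Millisecond)
	for _, attempt := range [][2]string{{"alice", "correct horse"}, {"alice", "wrong"}, {"mallory", "anything"}} {
		start := time.Now()
		ok := auth.Login(attempt[0], attempt[1])
		fmt.Printf("%-8s ok=%-5v took=%v\n", attempt[0], ok, time.Since(start).Round(time.Millisecond))
	}
}
```

Jitter on its own is a weak control: with enough samples the attacker averages it away, so it belongs alongside identical work on every path, rate limiting and lockout, not instead of them.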

tyk - Tyk Gateway 5.0.11 and Tyk Dashboard 5.0.11

Published by ilijabojanovic 6 months ago

Tyk Gateway 5.0.11

Fixed

  • Updated Tyk OAS API definition json schema to validate the domain name in upstream certificates and public key pinning
  • Prefetch session expiry information from MDCB to reduce API call duration in case gateway is temporarily disconnected from MDCB
  • Fixed automated token trimming in Redis, ensuring efficient management of OAuth tokens by implementing a new hourly job within the Gateway and providing a manual trigger endpoint
  • Fixed a bug in the Tyk OAS Validate Request middleware where we were not correctly validating date-time format schema, which could lead to invalid date-time values reaching the upstream services.
  • Fixed a performance issue when certain claims are present in the JWT.
  • Fixed a bug where the encoding from the GQL upstream cache was causing readability problems in the response body.
  • Fixed an issue where reloading a bundle containing JS plugins could cause the Gateway to panic.
  • Addressed a memory leak issue in Tyk Gateway linked to a logger mutex change introduced in v5.2.4. Reverting these changes has improved connection management and enhanced system performance.
  • Optimised the allocation behaviour of our sliding window log rate limiter implementation (Redis Rate Limiter). Previously the complete request log would be retrieved from Redis. With this enhancement only the count of the requests in the window is retrieved, optimising the interaction with Redis and decreasing the Gateway memory usage.
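
The last Gateway 5.0.11 item above concerns the sliding-window-log rate limiter: the decision only ever needs the number of requests inside the window, not the requests themselves. The Go example below is an added, in-memory illustration of that algorithm and is not Tyk's Redis Rate Limiter; the per-key timestamp slice and the explicit clock argument are choices made for the example.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// SlidingWindowLog keeps, per key, the timestamps of requests seen inside the
// window. It is an in-memory illustration of the sliding-window-log algorithm,
// written for this example rather than taken from Tyk.
type SlidingWindowLog struct {
	mu     sync.Mutex
	window time.Duration
	limit  int
	log    map[string][]time.Time
}

func NewSlidingWindowLog(limit int, window time.Duration) *SlidingWindowLog {
	return &SlidingWindowLog{window: window, limit: limit, log: map[string][]time.Time{}}
}

// prune drops entries that have aged out of the window and returns what remains.
// Entries are appended in time order, so a single forward scan suffices.
func (l *SlidingWindowLog) prune(key string, now time.Time) []time.Time {
	cutoff := now.Add(-l.window)
	entries := l.log[key]
	i := 0
	for i < len(entries) && !entries[i].After(cutoff) {
		i++
	}
	entries = entries[i:]
	l.log[key] = entries
	return entries
}

// Allow records the request if the key is under its limit. Only the count of
// in-window entries matters for the decision; the timestamps never need to leave
// the store. With a Redis sorted set the same step is ZREMRANGEBYSCORE followed
// by ZCARD, rather than fetching every member of the set.
func (l *SlidingWindowLog) Allow(key string, now time.Time) (allowed bool, inWindow int) {
	l.mu.Lock()
	defer l.mu.Unlock()
	entries := l.prune(key, now)
	if len(entries) >= l.limit {
		return false, len(entries)
	}
	l.log[key] = append(entries, now)
	return true, len(entries) + 1
}

func main() {
	lim := NewSlidingWindowLog(3, time.Second)
	t0 := time.Unix(1_700_000_000, 0) // constructed clock so the demo is deterministic
	steps := []time.Duration{0, 100 * time.Millisecond, 200 * time.Millisecond, 300 * time.Millisecond, 1100 * time.Millisecond}
	for _, d := range steps {
		ok, n := lim.Allow("key-1", t0.Add(d))
		fmt.Printf("t+%-6v allowed=%-5v in_window=%d\n", d, ok, n)
	}
}
```

The fourth request at t+300ms is refused because three entries are already inside the one-second window; by t+1100ms the first two have aged out and the key is admitted again.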

Tyk Dashboard 5.0.11

Fixed

  • Improved the documentation to explain the usage of PUT /admin/organisations/{ORG_ID}
  • Fixed an issue where applying security policies to large numbers of APIs took a long time. We’ve implemented bulk processing in the validation step at the api/portal/policies/POLICY_ID endpoint, resulting in an 80% reduction in the time taken to apply a policy to 2000 APIs.
  • Fixed SSO flow for classic developer portal
  • Moved all HTML inline scripts to their own script files, to accommodate the Content Security Policy (CSP) that has been enabled to increase security.
  • Removed strict validation over description field in mock response when using Tyk OAS, for the response status codes and headers.

tyk - Tyk Gateway v5.2.6 and Tyk Dashboard v5.2.6

Published by ilijabojanovic 8 months ago

Tyk Gateway v5.2.6

Fixed

  • Fixed a memory leak happening on high concurrency; improved connection management and enhanced system performance.

Tyk Dashboard v5.2.6

No changes

tyk -

Published by nerdydread 8 months ago

tyk - v5.3.0-rc3

Published by sedkis 8 months ago

tyk - v5.3.0-rc2

Published by sedkis 8 months ago

tyk - Tyk Gateway v5.0.10 and Tyk Dashboard v5.0.10

Published by ilijabojanovic 10 months ago

Tyk Gateway v5.0.10

Fixed

  • Fixed an issue where custom keys over 24 characters in length were deleted from the Data Plane Redis on key update.

Tyk Dashboard v5.0.10

No changes

tyk - Tyk Gateway v5.2.5 and Tyk Dashboard v5.2.5

Published by ilijabojanovic 10 months ago

Tyk Gateway v5.2.5

Fixed

  • Fixed an issue where custom keys over 24 characters in length were deleted from the Data Plane Redis on key update.

Tyk Dashboard v5.2.5

No changes

tyk - Tyk Gateway v5.0.9 and Tyk Dashboard v5.0.9

Published by ilijabojanovic 10 months ago

Tyk Gateway v5.0.9

Fixed

  • Fixed a bug that was introduced in the fix applied to the URL Rewrite middleware in Tyk 5.0.5/5.1.2. The previous fix did not correctly handle escaped characters in the query parameters. Now you can safely include escaped characters in your query parameters and Tyk will not modify them in the URL Rewrite middleware.
  • Enhanced management of custom keys in edge gateway mode. When a key is modified using its custom identifier, the update is now accurately propagated to the edge gateway.
  • Fixed a bug where the gateway didn't correctly apply Path-Based Permissions from different policies when using the same sub claim but different scopes in each policy. Now the session will be correctly configured for the claims provided in the policy used for each API request.
  • Fixed an issue where the Validate Request middleware provided too much information when reporting a schema validation failure in a request to a Tyk OAS API.

Tyk Dashboard v5.0.9

Fixed

  • Fixed an issue where TLS 1.3 was not offered as an option in the "Minimum TLS version" dropdown in the API Designer. Also we now give better (human readable) names to the options, such as TLS 1.0, TLS 1.1 etc. instead of their corresponding numbers 769, 770 etc.
  • Implemented a tyk version command that provides more details about the Tyk Dashboard build. This prints the release version, git commit, Go version used, architecture and other build details.
  • Fixed minor issues in the Dashboard UI when configuring the user access controls for the Identity Management (TIB) and Real Time Notifications permissions.
  • Fixed a situation where Tyk Dashboard could panic when using the mongo-go driver
  • Fixed two UI issues with the Open Policy Agent editor in the Tyk Dashboard to improve the experience when using this feature. Scrolling beyond the end of the OPA window no longer scrolls the API Designer window, and minimising then re-expanding the OPA editor no longer limits the text to one line.
  • Improved the error message that is returned when a user tries to update a Tyk OAS API using a Tyk Classic API endpoint when allow_unsafe_oas is not enabled.

tyk - Tyk Gateway v5.2.4 and Tyk Dashboard v5.2.4

Published by ilijabojanovic 11 months ago

Tyk Gateway v5.2.4

Fixed

  • Fixed a bug that was introduced in the fix applied to the URL Rewrite middleware in Tyk 5.0.5/5.1.2. The previous fix did not correctly handle escaped characters in the query parameters. Now you can safely include escaped characters in your query parameters and Tyk will not modify them in the URL Rewrite middleware.
  • Enhanced management of custom keys in edge gateway mode. When a key is modified using its custom identifier, the update is now accurately propagated to the edge gateway.
  • Fixed a bug when using the build_id argument with the Tyk Plugin Compiler that prevents users from hot-reloading different versions of the same plugin compiled with different build_id. The bug was introduced with the plugin module build change implemented in the upgrade to Go version 1.19 in Tyk 5.1.0.
  • Fixed a bug where the gateway didn't correctly apply Path-Based Permissions from different policies when using the same sub claim but different scopes in each policy. Now the session will be correctly configured for the claims provided in the policy used for each API request.
  • Fixed an issue where the Validate Request middleware provided too much information when reporting a schema validation failure in a request to a Tyk OAS API.

Tyk Dashboard v5.2.4

Fixed

  • Fixed an issue where TLS 1.3 was not offered as an option in the "Minimum TLS version" dropdown in the API Designer. Also we gave better (human readable) names to the options, like TLS 1.0, TLS 1.1 etc. instead of their corresponding numbers 769, 770 etc.
  • Implemented a tyk version command that provides more details about the Tyk Dashboard build. This prints the release version, git commit, Go version used, architecture and other build details.
  • Fixed "Cannot access 'writePanelHeightToLocalStorage' before initialization" error by reordering function declarations.
  • Fixed minor issues in the Dashboard UI when configuring the user access controls for the Identity Management (TIB) and Real Time Notifications permissions.
  • Fixed a situation where Tyk Dashboard could panic when using the mongo-go driver
  • Fixed two UI issues with the Open Policy Agent editor in the Tyk Dashboard to improve the experience when using this feature. Scrolling beyond the end of the OPA window no longer scrolls the API Designer window, and minimising then re-expanding the OPA editor no longer limits the text to one line.
  • Improved the error message that is returned when user tries to update a Tyk OAS API using a Tyk Classic API endpoint when allow_unsafe_oas is not enabled.

tyk - Tyk Gateway v5.2.3 and Tyk Dashboard v5.2.3

Published by ilijabojanovic 11 months ago

Tyk Gateway v5.2.3

Fixed

  • Improved the behaviour when using JWTs if the MDCB (Multi Data Centre Bridge) link is down: the Gateway will no longer be blocked attempting to fetch OAuth client info. We’ve also enhanced the error messages to specify which type of resource (API key, certificate, OAuth client) the data plane Gateway failed to retrieve due to a lost connection with the control plane.
  • Fixed an issue where the session object generated when creating a Custom Key in a Go Plugin did not inherit parameters correctly from the Security Policy.
  • Fixed a minor issue with Go Plugin virtual endpoints where a runtime log error was produced from a request, even if the response was successful. Thanks to @uddmorningsun for spotting this and proposing a fix.
  • Fixed a bug where a customer could accidentally upload a Public Key instead of a Certificate for use in mTLS. This would bring down all the Gateways on which it was published, making them unresponsive to any HTTPS traffic. Now Tyk will not present the Public Key during the mTLS handshake.
  • Fixed a bug where Tyk would not automatically detect the installed Python version if that had multiple digits in the minor version (e.g. Python 3.11).
  • Bumped golang.org/x/net to 0.17.0, updating the direct dependency to partially resolve CVE-2023-44487 (HTTP/2 Rapid Reset). Because Go also embeds the HTTP/2 implementation in its standard library, the CVE is only partially resolved while an older Go version is in use. To mitigate the vulnerability, users are advised to disable HTTP/2 for now by setting enable_http2 to false.

Added

  • Implemented a tyk version command that provides more details about the Tyk Gateway build. This prints the release version, git commit, Go version used, architecture and other build details.
  • Implemented a backoff limit for GQL subscription connection retry. Previously the Gateway was attempting to reconnect endlessly, with this limit the reconnection attempts will happen in the following intervals: 2s, 4s, 8s, 16s and 32s and after that the Websocket connection will be closed.
  • Added a new option for Tyk to use the default version of an API if the requested version does not exist. This is referred to as falling back to default and is enabled using a configuration flag in the API definition; for Tyk OAS APIs the flag is fallbackToDefault, for Tyk Classic APIs it is fallback_to_default.

Tyk Dashboard v5.2.3

Fixed

  • Fixed a bug in the Tyk Dashboard API where passing a non-integer value as the pagination query parameter p to the /api/logs endpoint could lead to an out-of-memory scenario as the Dashboard would attempt to retrieve all logs in the system. Tyk will now return an HTTP 400 Bad Request response if a non-integer value is provided. This fix mitigates the risk of accidentally or deliberately causing Tyk Dashboard to stop responding.
  • Fixed a bug in the API Designer that prevented dragging to re-size the OPA editor.
  • Fixed a bug where searching for a User in the Tyk Dashboard didn't match partial user names.
  • Fixed a bug where Tyk Dashboard was unable to retrieve certificates from a Tyk Gateway if the Gateway version was <4.1 and Dashboard version was >=4.1. This was due to a change made in the 4.1 versions to the way certificate details are retrieved in dashboard; in the newer versions, we can view more detail of the certificates. Now you can use Tyk Dashboard with any version of the Tyk Gateway and still retrieve and view certificate details.
  • Fixed a bug in the Tyk Classic API Designer where if you changed the protocol for an API (for example from HTTP to HTTPS) then the authentication mechanism would be automatically set to Authentication Token.
  • Fixed a bug in the Tyk Classic API Designer where it was not possible to configure External OAuth authentication for an API using the Raw API Definition screen. The Dashboard would always set use_standard_auth to true, which actually enables Auth Token authentication.
  • Fixed a bug with failed GQL subscriptions between the upstream and the Dashboard UI. When an upstream subscription was disconnected and later reconnected, the UI did not update to reflect the reconnection, preventing the seamless consumption of messages. Now the Dashboard UI can continue consuming messages after upstream reconnects.

tyk - Tyk Gateway v5.0.8 and Tyk Dashboard v5.0.8

Published by ilijabojanovic 11 months ago

Tyk Gateway v5.0.8

Fixed

  • Improved Error Messaging: Enhanced the error messages to specify which type of resource (API keys, certs, OAuth clients) failed to sync from MDCB due to lost connection.
  • Fixed a bug so that the Response Body Transform middleware now applies correctly when used together with Persist GraphQL. Previously, using the two in conjunction did not modify the response correctly.
  • Implemented a backoff limit for GQL subscription connection retry. Previously the Gateway attempted to reconnect endlessly; with this limit the reconnection attempts happen at intervals of 2s, 4s, 8s, 16s and 32s, after which the Websocket connection is closed.
  • Implemented a tyk version command that provides more details about the Tyk Gateway build. This prints the release version, git commit, Go version used, architecture and other build details. It provides more detailed information when raising support tickets, and facilitates CI automation via the --json flag.
  • Fixed an issue where the session object generated when creating a Custom Key in a Go Plugin did not inherit parameters correctly from the Security Policy.
  • Fixed a minor issue with Go Plugin virtual endpoints where a runtime log error was produced from a request, even if the response was successful. Thanks to @uddmorningsun for spotting this and proposing a fix.
  • Fixed a bug where a customer could accidentally provide a Public Key instead of a Certificate for use in mTLS. This would bring down all the Gateways the key was published to, making them unresponsive to any attempt to communicate over HTTPS. Now Tyk will not announce the Public Key during the mTLS handshake.
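
The bounded reconnect schedule described above (2s, 4s, 8s, 16s, 32s, then close) is easy to get subtly wrong: an unbounded loop, or a wait that ignores shutdown, keeps a dead subscription alive forever. The following Go program is an added example and is not Tyk's code; BackoffSchedule, Reconnect, RealWait and the injected waitFunc are names chosen here, and the dial function is a constructed stand-in for the upstream WebSocket connect.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// ErrRetriesExhausted is returned once every interval in the schedule has
// been used and the subscription still cannot be re-established; the caller
// should then close the WebSocket rather than keep retrying.
var ErrRetriesExhausted = errors.New("gql subscription: reconnect attempts exhausted, closing websocket")

// BackoffSchedule returns the wait before each reconnect attempt, doubling
// from base: with base = 2s and attempts = 5 that is 2s, 4s, 8s, 16s, 32s.
func BackoffSchedule(base time.Duration, attempts int) []time.Duration {
	schedule := make([]time.Duration, 0, attempts)
	for i := 0; i < attempts; i++ {
		schedule = append(schedule, base<<uint(i))
	}
	return schedule
}

// waitFunc blocks for d, or returns early with ctx.Err() if ctx is cancelled.
// It is a parameter so tests can substitute a recorder instead of sleeping.
type waitFunc func(ctx context.Context, d time.Duration) error

// RealWait is the production waitFunc: a timer raced against ctx.Done(), so a
// gateway shutdown is never delayed by a pending backoff interval.
func RealWait(ctx context.Context, d time.Duration) error {
	t := time.NewTimer(d)
	defer t.Stop()
	select {
	case <-ctx.Done():
		return ctx.Err()
	case <-t.C:
		return nil
	}
}

// Reconnect walks the schedule, waiting then dialling, and stops at the first
// success. It returns the number of dial attempts made and nil on success,
// ErrRetriesExhausted when the schedule runs out, or the context error if
// the caller gave up first.
func Reconnect(ctx context.Context, schedule []time.Duration, dial func() error, wait waitFunc) (int, error) {
	for i, d := range schedule {
		if err := wait(ctx, d); err != nil {
			return i, err
		}
		if err := dial(); err == nil {
			return i + 1, nil
		}
	}
	return len(schedule), ErrRetriesExhausted
}

func main() {
	// Constructed upstream: down for the first two dials, then back.
	calls := 0
	dial := func() error {
		calls++
		if calls < 3 {
			return errors.New("upstream unavailable")
		}
		return nil
	}
	// Record the waits instead of sleeping so the demo finishes instantly.
	var waited []time.Duration
	record := func(_ context.Context, d time.Duration) error {
		waited = append(waited, d)
		return nil
	}
	n, err := Reconnect(context.Background(), BackoffSchedule(2*time.Second, 5), dial, record)
	fmt.Printf("reconnected after %d attempts (err=%v), waits=%v\n", n, err, waited)
}
```

The schedule is a plain slice rather than a counter so its length is the retry limit by construction; there is no separate "max attempts" variable to drift out of step with the intervals.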

Tyk Dashboard v5.0.8

Fixed

  • Fixed a bug where passing a non-integer value as the pagination query parameter p to the /api/logs endpoint could lead to an out-of-memory scenario as the Dashboard would attempt to retrieve all logs in the system. Tyk will now return an HTTP 400 Bad Request response if a non-integer value is provided. This fix mitigates the risk of accidentally or deliberately causing Tyk Dashboard to stop responding.
  • Fixed a bug in the OPA editor that prevented dragging.
  • Fixed a bug where searching for a User in the Tyk Dashboard didn't match partial user names.
  • Fixed a bug where Tyk Dashboard was unable to retrieve certificates from a Tyk Gateway if the Gateway version was <4.1 and Dashboard version was >=4.1. This was due to a change made in the 4.1 versions to the way certificate details are retrieved in dashboard; in the newer versions, we can view more detail of the certificates. Now you can use Tyk Dashboard with any version of the Tyk Gateway and still retrieve and view certificate details.
  • Fixed a bug in the Tyk Classic API Designer where if you changed the protocol for an API (for example from HTTP to HTTPS) then the authentication mechanism would be automatically set to Authentication Token.
  • Fixed a bug in the Tyk Classic API Designer where it was not possible to configure External OAuth authentication for an API using the Raw API Definition screen. The Dashboard would always set use_standard_auth to true, which actually enables Auth Token authentication.
  • Fixed a bug with failed GQL subscriptions between the upstream and the Dashboard UI. When an upstream subscription was disconnected and later reconnected, the UI did not update to reflect the reconnection, preventing the seamless consumption of messages. Now the Dashboard UI can continue consuming messages after upstream reconnects.
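
The /api/logs fix above is a small input-validation change with a large blast radius: a pagination value that silently falls back to "unpaginated" turns one malformed request into a full table scan. The Go handler below is an added example, not Tyk Dashboard code; parsePageLenient models the pre-fix behaviour as the release note describes it, ParsePage is the hardened form, and pageSize, sampleLogs and the handler layout are constructed for the demonstration. Rejecting zero and negative pages as well as non-integers is this example's choice; the note only states that non-integers now return 400.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strconv"
)

// ErrBadPage is the validation failure reported to the client as HTTP 400.
var ErrBadPage = errors.New("query parameter p must be a positive integer")

// pageSize is a constructed value for this example.
const pageSize = 50

// parsePageLenient models the pre-fix behaviour described in the release
// note: the parse error is discarded, so ?p=abc yields 0, which the lookup
// layer then read as "no paging, return every record".
func parsePageLenient(raw string) int {
	n, _ := strconv.Atoi(raw)
	return n
}

// ParsePage is the hardened version: an absent p means page 1, and anything
// that is not a positive integer is rejected before any query is built.
func ParsePage(raw string) (int, error) {
	if raw == "" {
		return 1, nil
	}
	n, err := strconv.Atoi(raw)
	if err != nil || n < 1 {
		return 0, ErrBadPage
	}
	return n, nil
}

// sampleLogs builds n constructed log lines standing in for the log store.
func sampleLogs(n int) []string {
	logs := make([]string, n)
	for i := range logs {
		logs[i] = fmt.Sprintf("2024-01-01T00:00:%02dZ level=info event=%d", i%60, i)
	}
	return logs
}

// pageBounds maps a validated page number to a [start,end) window over total
// items; pages past the end yield an empty window instead of an index panic
// or an integer overflow from multiplying a huge page number by pageSize.
func pageBounds(page, total int) (int, int) {
	lastPage := total/pageSize + 1
	if page > lastPage {
		return total, total
	}
	start := (page - 1) * pageSize
	end := start + pageSize
	if end > total {
		end = total
	}
	return start, end
}

// logsHandler serves one page of logs. Because page is validated first, the
// slice window below can never be asked for "everything" by accident.
func logsHandler(logs []string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		page, err := ParsePage(r.URL.Query().Get("p"))
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		start, end := pageBounds(page, len(logs))
		for _, line := range logs[start:end] {
			fmt.Fprintln(w, line)
		}
	}
}

func main() {
	mux := http.NewServeMux()
	mux.Handle("/api/logs", logsHandler(sampleLogs(120)))
	fmt.Println("listening on 127.0.0.1:8080; try /api/logs?p=3 and /api/logs?p=abc")
	_ = http.ListenAndServe("127.0.0.1:8080", mux)
}
```

The defensive point is where the check sits: ParsePage runs before any storage call, so the invalid value is rejected at the edge and the expensive path is never reached.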
tyk - Tyk Gateway v5.2.2 and Tyk Dashboard v5.2.2

Published by ilijabojanovic 12 months ago

Tyk Gateway v5.2.2

Fixed

  • Fixed an issue where the Tyk Gateway logs would include sensitive information when the incorrect signature is provided in a request to an API protected by HMAC authentication.
  • Fixed a performance issue where JWT middleware introduced latency which significantly reduced the overall request/response throughput.
  • Fixed a performance issue encountered when Tyk Gateway retrieves a key via MDCB for a JWT API. The token is now validated against JWKS or the public key in the API Definition.
  • Fixed a potential race condition where the DRL manager was not properly protected against concurrent read/write operations in some high load scenarios.
  • Fixed High Priority CVEs identified in Tyk Gateway.
  • Fixed a bug where a duplicate error message was returned when a custom Go Plugin returned an error. Thanks to @PatrickTaibel for highlighting the issue and suggesting a fix.
  • Implemented ULID Normalization, replacing valid ULID identifiers in the URL with a {ulid} placeholder for analytics. This matches the existing UUID normalization. Thanks to @atkrad for the contribution.
  • Fixed an issue where enforced timeout values were incorrect on a per-request basis. Since we enforced timeouts only at the transport level and created the transport only once within the value set by max_conn_time, the timeout in effect was not deterministic. Timeouts larger than 0 seconds are now enforced for each request.
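
The ULID normalization item above exists so that analytics group requests by route rather than by record id; without it, a path like /orders/<ulid> produces one analytics series per order and any aggregation becomes useless. The Go program below is an added example and is not Tyk's implementation: it treats each path segment as a unit and replaces whole ULIDs and UUIDs with placeholders. The {ulid} placeholder is the one named in the release note; {uuid} is assumed here for the existing UUID normalization, and NormalizePath and the sample paths are constructed for this demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Both patterns are anchored so they only match a whole path segment; a
// partial hit such as a ULID prefix inside a longer token is left alone.
var (
	// ULID: 26 Crockford base32 characters (digits and A-Z without I, L, O, U).
	// The leading character is limited to 0-7 so the value fits in 128 bits.
	ulidRe = regexp.MustCompile(`^[0-7][0-9A-HJKMNP-TV-Z]{25}$`)
	// UUID: 8-4-4-4-12 hex groups, matched case-insensitively below.
	uuidRe = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)
)

// Placeholder names. {ulid} is the one named in the release note; {uuid} is
// assumed here for the existing UUID normalization.
const (
	ulidPlaceholder = "{ulid}"
	uuidPlaceholder = "{uuid}"
)

// NormalizePath replaces every path segment that is a complete UUID or ULID
// with its placeholder, so analytics aggregate on the route shape rather than
// producing one series per record identifier. It expects the path component
// only; a query string should be stripped by the caller beforehand.
func NormalizePath(path string) string {
	segs := strings.Split(path, "/")
	for i, s := range segs {
		switch {
		case uuidRe.MatchString(strings.ToLower(s)):
			segs[i] = uuidPlaceholder
		case ulidRe.MatchString(strings.ToUpper(s)):
			segs[i] = ulidPlaceholder
		}
	}
	return strings.Join(segs, "/")
}

func main() {
	// Constructed request paths as they might appear in analytics records.
	for _, p := range []string{
		"/orders/01ARZ3NDEKTSV4RRFFQ69G5FAV/items/550e8400-e29b-41d4-a716-446655440000",
		"/users/01arz3ndektsv4rrffq69g5fav", // lower-case ULID is still normalised
		"/users/01ARZ3NDEKTSV4RRFFQ69G5FA",  // 25 chars: not a ULID
		"/users/81ARZ3NDEKTSV4RRFFQ69G5FAV", // first char > 7: exceeds 128 bits
	} {
		fmt.Printf("%-80s -> %s\n", p, NormalizePath(p))
	}
}
```

Matching per segment rather than running one regex over the whole URL is a deliberate choice: it avoids replacing an identifier-shaped substring that happens to sit inside an unrelated token, which would silently merge distinct routes in the analytics.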

Tyk Dashboard v5.2.2

Fixed

  • Embedded TIB v1.4.2, which fixes SSO integration: resolved issues affecting SAML and Azure-based Single Sign-On authentication.
  • Added a new Dashboard configuration option allow_unsafe_oas. This permits the modification of Tyk OAS APIs via the Tyk Classic API endpoints. This is not a recommended action due to the risk of inconsistent behaviour and potential for breaking changes while Tyk OAS is in Early Access. This is provided for early adopters and will be deprecated later, once Tyk OAS reaches full maturity.
  • Fixed a security vulnerability with the Tyk Dashboard API where the api_version and api_id query parameters were potential targets for SQL injection attacks.
  • Fixed an issue encountered with the API Designer where fields defined in uptime_tests.check_list were not correctly handled. Uptime tests can now be configured for Tyk Classic APIs using the Raw API Definition editor.
  • Fixed a problem with the Azure SAML 2.0 Identity Provider that prevented users from authenticating.
  • Fixed High Priority CVEs identified in Tyk Dashboard.
  • Fixed an issue in the Dashboard Service Uptime page where the number of success hits was being incorrectly reported as the total number of hits, inclusive of failures. After this fix, the Success Column displays only the number of success hits.
  • Fixed an issue where Tyk would not store the Policy Id in the API Definition for a policy that did not exist. When using JWT Authentication, the JWT Default Policy Id is stored in the API Definition. If this policy had not been created in Tyk at the time the API Definition was created, Tyk Dashboard would invalidate the field in the API Definition. When the policy was later created, there would be no reference to it from the API Definition. This was a particular issue when using Tyk Operator to manage the creation of assets on Tyk.
  • Fixed an issue in the Tyk Dashboard where a user might not correctly inherit all permissions from their user group, and could incorrectly be granted visibility of Identity Management.
  • Fixed an issue when using MongoDB and Tyk Security Policies where Tyk could incorrectly grant access to an API after that API had been deleted from the associated policy. This was due to the policy cleaning operation that is triggered when an API is deleted from a policy in a MongoDB installation. With this fix, the policy cleaning operation will not remove the final (deleted) API from the policy; Tyk recognises that the API record is invalid and denies granting access rights to the key.
  • On the Licensing Statistics screen we have renamed the Licence Limit to Licence Entitlement. We’ve also improved the experience when there is no limit in the licence by hiding the Licence Entitlement line if no limit is set.
tyk - Tyk Gateway v5.0.7 and Tyk Dashboard v5.0.7

Published by ilijabojanovic 12 months ago

Tyk Gateway v5.0.7

Fixed

  • Fixed an issue where the Tyk Gateway logs would include sensitive information when the incorrect signature is provided in a request to an API protected by HMAC authentication.
  • Fixed a performance issue where JWT middleware introduced latency which significantly reduced the overall request/response throughput.
  • Fixed a performance issue when Tyk Gateway retrieves a key via MDCB for a JWT API. The token is now validated against JWKS or the public key in the API Definition.
  • Fixed a potential race condition where the DRL manager was not properly protected against concurrent read/write operations in some high load scenarios.
  • Fixed High Priority CVEs identified in Tyk Gateway.
  • Fixed a bug where a duplicate error message was returned when a custom Go Plugin returned an error. Thanks to @PatrickTaibel for highlighting the issue and suggesting a fix.
  • Fixed an issue where enforced timeout values were incorrect on a per-request basis. Since we enforced timeouts only at the transport level and created the transport only once within the value set by max_conn_time, the timeout in effect was not deterministic. Timeouts larger than 0 seconds are now enforced for each request.

Tyk Dashboard v5.0.7

Fixed

  • Embedded TIB v1.4.2, which fixes SSO integration: resolved issues affecting SAML and Azure-based Single Sign-On authentication.
  • Added a new Dashboard configuration option allow_unsafe_oas. This permits the modification of Tyk OAS APIs via the Tyk Classic API endpoints. This is not a recommended action due to the risk of inconsistent behaviour and potential for breaking changes while Tyk OAS is in Early Access. This is provided for early adopters and will be deprecated later, once Tyk OAS reaches full maturity.
  • Fixed a security vulnerability with the Tyk Dashboard API where the api_version and api_id query parameters were potential targets for SQL injection attacks.
  • Fixed an issue encountered with the API Designer where fields defined in uptime_tests.check_list were not correctly handled. Uptime tests can now be configured for Tyk Classic APIs using the Raw API Definition editor.
  • Fixed a problem with the Azure SAML 2.0 Identity Provider that prevented users from authenticating.
  • Fixed High Priority CVEs identified in Tyk Dashboard.
  • Fixed an issue in the Dashboard Service Uptime page where the number of success hits was being incorrectly reported as the total number of hits, inclusive of failures. After this fix, the Success Column displays only the number of success hits.
  • Fixed an issue where Tyk would not store the Policy Id in the API Definition for a policy that did not exist. When using JWT Authentication, the JWT Default Policy Id is stored in the API Definition. If this policy had not been created in Tyk at the time the API Definition was created, Tyk Dashboard would invalidate the field in the API Definition. When the policy was later created, there would be no reference to it from the API Definition. This was a particular issue when using Tyk Operator to manage the creation of assets on Tyk.
  • Fixed an issue in the Tyk Dashboard where a user might not correctly inherit all permissions from their user group, and could incorrectly be granted visibility of Identity Management.
  • Fixed an issue when using MongoDB and Tyk Security Policies where Tyk could incorrectly grant access to an API after that API had been deleted from the associated policy. This was due to the policy cleaning operation that is triggered when an API is deleted from a policy in a MongoDB installation. With this fix, the policy cleaning operation will not remove the final (deleted) API from the policy; Tyk recognises that the API record is invalid and denies granting access rights to the key.
tyk - Tyk Gateway v4.0.15

Published by ilijabojanovic 12 months ago

Tyk Gateway v4.0.15

Fixed

  • Fixed a bug where HMAC authentication exposed sensitive information in logs.