Releases: TykTechnologies/tyk
Tyk Gateway 5.5.0 and Tyk Dashboard 5.5.0
Tyk Gateway v5.3.2, Tyk Dashboard v5.3.2
Fixed
- Fixed Dashboard Analytics for PostgreSQL: resolved an issue in the `api/usage` endpoint where the Dashboard with PostgreSQL integration returned unfiltered results when one valid tag was used, and removed the need to duplicate the same parameter as a workaround for filtering by multiple tags. Results are now properly filtered as expected, improving the accuracy and reliability of analytics data.
- Enhanced Password Reset security: modified the default OPA rules to prevent unauthorized admins from modifying other admins' passwords, mitigating potential 'rogue admin' behavior. Tyk Dashboard clients using custom OPA rules should update their rule set accordingly. Contact your assigned Tyk representative for assistance.
- Fixed Universal Data Graph Schema Editor Import Issue: resolved an issue in the GQL schema editor for Data Graphs where users could not use the 'Import Schema' button. It is now possible to import files containing GQL schemas into the Dashboard.
- Enhanced Dashboard UI language: adjusted wording in Tyk's Dashboard UI to ensure inclusivity and clarity, removing any potentially oppressive language.
- API Template not associated with Tyk Organization: fixed an issue where API Templates were not correctly assigned to Tyk Organizations, which allowed the potential for accidental sharing of secret data between Organizations through use of the incorrect template.
- Added control over access to context variables from middleware when using Tyk OAS APIs: addressed a potential issue when working with Tyk OAS APIs where request context variables are automatically made available to relevant Tyk and custom middleware. We have introduced a control in the Tyk OAS API definition to disable this access if required.
- Resolved PostgreSQL Dashboard Analytics issue: fixed an issue in the `api/usage` endpoint where Dashboard+Postgres returned unfiltered results with one valid tag, requiring duplication of the parameter as a workaround for multiple tags. Analytics now correctly filter results as expected.
Tyk Gateway v5.3.4, Tyk Dashboard v5.3.4
Tyk Dashboard 5.3.4
Fixed
- Resolved an issue where a Dashboard running on a PostgreSQL setup did not display logs for EDP users.
Tyk Gateway 5.3.4
No changes
Tyk Gateway v5.3.3, Tyk Dashboard v5.3.3
Tyk Gateway 5.3.3
Fixed
- Resolved an issue encountered in MDCB environments where changes to custom keys made via the Dashboard were not properly replicated to dataplanes.
- Resolved an issue where, when a key was created or reset, the key creation sequence was erroneously repeated for every API in the access list.
- Resolved an issue where a Server Side Event (SSE) streaming response would be considered for caching. As caching needs to buffer the response, this also prevented SSE from correctly being proxied.
- Resolved an issue where Host and Latency fields (Total and Upstream) were not correctly reported for edge gateways in MDCB setups. The fix ensures accurate Host values and Latency measurements are now captured and displayed in analytics data.
Tyk Dashboard 5.3.3
Fixed
- Fixed a bug where the Dashboard UI would display a blank page while creating a Key with a certificate.
- Addressed an issue where the Dashboard displayed an empty page when accessing Activity by Endpoint information after upgrading to Tyk 5.3.1. Users can now see all necessary information.
- Fixed an issue in SSO where user permissions were not applied, ensuring visibility of the Save API button in the Dashboard UI.
Tyk Gateway 5.4.0 and Tyk Dashboard 5.4.0
Add RSA-PSS Support
v5.5.0-rc1: Add support for RSA-PSS signed JWTs
Tyk Gateway 5.0.13 and Tyk Dashboard 5.0.13
Tyk Gateway 5.0.13
Fixed
- Resolved an issue encountered in MDCB environments where changes to custom keys made via the Dashboard were not properly replicated to dataplanes.
Tyk Dashboard 5.0.13
- No changes, version bump only.
Tyk Gateway 4.0.16 and Tyk Dashboard 4.0.16
Tyk Gateway 4.0.16
Fixed
- Fixed a bug where gateway logs were not honouring the `enable_key_logging` setting.
- Fixed a bug where enforced timeout values wouldn't be correct on a per-request basis. As we enforced timeouts only on the transport level, and created the transport only once within `max_conn_time`, the timeout in effect was not deterministic.
- Fixed a minor issue with Go Plugin virtual endpoints where a runtime log error was produced from a request, even if the response was successful. Thanks to @uddmorningsun for spotting this and proposing a fix.
- Fixed a bug where, when using MongoDB, Tyk could incorrectly grant access to an API using a key after that API had been deleted from a policy.
- Fixed a bug where Tyk could return the wrong error code when a websocket upstream responds with an error.
- Fixed a bug where keys linked to multiple policies became unusable if one of the policies was removed.
- Removed the extra chunked transfer encoding that was added to `rawResponse` analytics.
- Updated the default Hybrid Pump RPC pool size from 20 to 5 connections in order to reduce the default CPU and memory footprint.
- Fixed a bug where the Gateway did not correctly close idle upstream connections (sockets) when configured to generate a new connection after a configurable period of time (using the `max_conn_time` configuration option).
- Fixed a bug where the URL Rewrite middleware did not correctly handle escaped characters in the URL.
- Fixed a potential performance issue related to high rates of Gateway reloads (when the Gateway is updated due to a change in APIs and/or policies).
- Fixed a memory leak that occurred when setting the strict routes option to change the routing to avoid nearest-neighbour requests on overlapping routes (`TYK_GW_HTTPSERVEROPTIONS_ENABLESTRICTROUTES`).
- Fixed one Critical and six High CVEs reported in the Plugin Compiler.
- Fixed automated token trimming in Redis, ensuring efficient management of OAuth tokens by implementing a new hourly job within the Gateway and providing a manual trigger endpoint.
- Fixed a bug that was introduced in the fix applied to the URL Rewrite middleware.
Tyk Dashboard 4.0.16
Fixed
- Fixed a bug where, if you created a Key which provided access to an inactive or draft API, you would be unable to subsequently modify that Key (via the Dashboard or directly via the Tyk Gateway API)
- Fixed a bug where Dashboard would take too long loading Policies to the Gateway
- Fixed a bug where the Dashboard could timeout while loading policies at startup. Added connection_timeout configuration option (defaults to 30 seconds)
- Adjusted the description for the Policy states, so that it reflects the actual behaviour of the policy, when attached to a key.
- Optimised the loading and re-loading of APIs and Policies for complex scenarios
- Fixed a bug where searching for a User in the Tyk Dashboard didn't match partial user names.
- Moved all inline HTML scripts into their own script files to accommodate the Content Security Policy that has been enabled, increasing security.
Tyk Gateway 5.0.12 and Tyk Dashboard 5.0.12
Tyk Gateway 5.0.12
Fixed
- Fixed a bug where Tyk failed to properly reject custom plugin bundles with signature verification failures, allowing APIs to load without necessary plugins, potentially exposing upstream services. With the fix, if the plugin bundle fails to load (for example, due to failed signature verification) the API will not be loaded and an error will be logged in the Gateway.
- Fixed a panic scenario that occurred when a custom JavaScript plugin that requests access to the session metadata (`require_session: true`) is assigned to the same endpoint as the Ignore Authentication middleware. While the custom plugin expects access to a valid session, the configuration flag doesn't guarantee its presence, only that it's passed if available. As such, the custom plugin should be coded to verify that the session metadata is present before attempting to use it.
- Fixed a bug where the Gateway could crash when using custom Python plugins that access the Redis storage. The Tyk Python API methods `store_data` and `get_data` could fail due to connection issues with Redis. With this fix, the Redis connection will be created if required, avoiding the crash.
- Fixed a bug where in some instances users were noticing gateway panics when using the "Persist GQL" middleware without arguments defined. This issue has been fixed and the gateway will not throw panics in these cases anymore.
- Fixed a bug where, in some cases when `detailed_tracing` was set to `false` and the client was sending a malformed request to a GraphQL API, the traces were missing GraphQL attributes (operation name, type and document). This has been corrected and debugging GraphQL with OTel will be easier for users.
- Fixed a bug where GQL OpenTelemetry semantic convention attribute names were missing the `graphql` prefix and therefore were not in line with the community standard. This has been fixed and all attributes have the correct prefix.
- Fixed two bugs in the handling of usage quotas by the URL rewrite middleware when it was configured to rewrite to itself (e.g. to `tyk://self`). Quota limits were not observed and the quota related response headers always contained `0`.
- Fixed a bug in distributed deployments where the MDCB data plane gateway counter was inaccurately incremented when a Gateway was stopped and restarted.
- Addressed a bug where clearing the API cache from the Tyk Dashboard failed to invalidate the cache in distributed data plane (MDCB) gateways.
- Fixed a bug introduced in 5.3.0 which prevented custom Go plugins compiled in RHEL8 environments from loading into Tyk Gateway. An automation issue had caused the build environments for the Gateway and Plugin Compiler to use different base images. This fix restores the plugin functionality on RHEL8 environments, by fixing the plugin compiler base image to match the gateway build environment: Go 1.21 and Debian Bullseye.
- Removed several unused packages from the plugin compiler image. The packages include: docker, buildkit, ruc, sqlite, curl, wget, and other build tooling. The removal was done in order to address invalid CVE reporting, none of the removed dependencies are used to provide plugin compiler functionality.
Tyk Dashboard 5.0.12
Fixed
- Improved the behaviour of the Dashboard when searching for users to avoid transmitting sensitive information (user email addresses) in the request query parameters. Deprecated the `GET` method for the `/api/users/search` endpoint in favour of a `POST` method with the same logic but with parameters supplied in the request body.
- As Tyk Dashboard and Tyk Classic Portal do not accept cross origin requests we have removed the `Access-Control-Allow-Credentials` header from Dashboard API responses to prevent any potential misuse of the header by attackers. This allows simplification of the web application's security configuration.
- Implemented a randomised delay to obscure login response times, mitigating brute force attacks that rely on response time analysis.
- Fixed a bug where a user was still able to log into an Organisation on the Tyk Dashboard after that Organisation had been deleted. Now, when an Organisation is deleted, it will not be offered as an option when logging in.
- Fixed an issue where access keys could accidentally also be printed to the Dashboard’s stdout when a call was made to /api/keys to retrieve the keys. This has now been suppressed.
- The Endpoint Designer did not correctly display a GraphQL policy's allow or block list if a wildcard character (`*`) was used in the list's definition. This has been fixed and now, if the wildcard (`*`) is present in the allow/block list definition, the UI correctly displays the list of allowed/blocked fields.
- Fixed an issue that was preventing the OPA editor from being visible using the keyboard shortcut when using Microsoft Windows.
- Fixed an issue where common keyboard shortcuts (Cmd + X, A, C, V) were not working correctly when configuring the URL field for a UDG data source.
- Fixed an issue in the Tyk OAS API Designer where there was no input validation of the OAuth Introspection URL. The Gateway reported an HTTP 400 error when attempting to save an API with an illegal value, however the API Designer did not guide the user to the source of the error. Now there is automatic validation of the text entered in the Introspection URL field.
- Fixed an issue with the text editor in the Tyk OAS API Designer where the cursor was misaligned with where characters would be entered. We have replaced the text editor module throughout the Tyk Dashboard to use a more modern, supported library.
- The ‘Top 5 Errors by Graph’ bar chart in the Activity by Graph dashboard experienced display issues with long graph names and sometimes showed empty bars. This has been resolved, and the chart now displays accurately.
- Fixed a bug where some Tyk Dashboard analytics screens stopped working when the analytics aggregates collection grew too large.
- In Tyk 5.0.7/5.2.2 we fixed an issue in the policy-API link deletion code. This introduced an unintended side-effect for users of DocumentDB such that they were unable to delete APIs from the persistent storage. We identified that this was due to the use of the `$expr` operator in the solution, and discovered that this is supported by MongoDB but not by DocumentDB. We have now reimplemented the fix and removed the limitation introduced for DocumentDB users.
- Fixed an issue when using MongoDB and Tyk Security Policies where Tyk could incorrectly grant access to an API after that API had been deleted from the associated policy. This introduced an unintended side-effect for users of DocumentDB such that they were unable to delete APIs from the persistent storage. We identified that this was due to the use of the `$expr` operator in the solution, and discovered that this is supported by MongoDB but not by DocumentDB. We have now reimplemented the fix and removed the limitation introduced for DocumentDB users.
- Addressed a bug where clearing the API cache from the Tyk Dashboard failed to invalidate the cache in distributed data plane gateways.
Tyk Gateway 5.3.1 and Tyk Dashboard 5.3.1
Tyk Gateway 5.3.1
Fixed
- Fixed a bug where Tyk failed to properly reject custom plugin bundles with signature verification failures, allowing APIs to load without necessary plugins, potentially exposing upstream services. With the fix, if the plugin bundle fails to load (for example, due to failed signature verification) the API will not be loaded and an error will be logged in the Gateway.
- Fixed a panic scenario that occurred when a custom JavaScript plugin that requests access to the session metadata (`require_session: true`) is assigned to the same endpoint as the Ignore Authentication middleware. While the custom plugin expects access to a valid session, the configuration flag doesn't guarantee its presence, only that it's passed if available. As such, the custom plugin should be coded to verify that the session metadata is present before attempting to use it.
- Fixed a bug where the Gateway could crash when using custom Python plugins that access the Redis storage. The Tyk Python API methods `store_data` and `get_data` could fail due to connection issues with Redis. With this fix, the Redis connection will be created if required, avoiding the crash.
- Fixed a bug where in some instances users were noticing gateway panics when using the "Persist GQL" middleware without arguments defined. This issue has been fixed and the gateway will not throw panics in these cases anymore.
- Fixed a bug where, in some cases when `detailed_tracing` was set to `false` and the client was sending a malformed request to a GraphQL API, the traces were missing GraphQL attributes (operation name, type and document). This has been corrected and debugging GraphQL with OTel will be easier for users.
- Fixed a bug where GQL OpenTelemetry semantic convention attribute names were missing the `graphql` prefix and therefore were not in line with the community standard. This has been fixed and all attributes have the correct prefix.
- Fixed two bugs in the handling of usage quotas by the URL rewrite middleware when it was configured to rewrite to itself (e.g. to `tyk://self`). Quota limits were not observed and the quota related response headers always contained `0`.
- Fixed a bug in distributed deployments where the MDCB data plane gateway counter was inaccurately incremented when a Gateway was stopped and restarted.
- Addressed a bug where clearing the API cache from the Tyk Dashboard failed to invalidate the cache in distributed data plane (MDCB) gateways.
- Fixed a bug introduced in 5.3.0 which prevented custom Go plugins compiled in RHEL8 environments from loading into Tyk Gateway. An automation issue had caused the build environments for the Gateway and Plugin Compiler to use different base images. This fix restores the plugin functionality on RHEL8 environments, by fixing the plugin compiler base image to match the gateway build environment: Go 1.21 and Debian Bullseye.
- Removed several unused packages from the plugin compiler image. The packages include: docker, buildkit, ruc, sqlite, curl, wget, and other build tooling. The removal was done in order to address invalid CVE reporting, none of the removed dependencies are used to provide plugin compiler functionality.
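The session-metadata guidance above (for both the 5.0.12 and 5.3.1 notes), as an added example that is not code from the Tyk project: a JSVM pre-request plugin that asks for the session but checks it before use, because the Ignore Authentication middleware can leave it absent. The core check is a plain function so it can be unit-tested under Node; the `TykJS` registration calls follow Tyk's documented JSVM middleware pattern, and the header names and the `tier` metadata field are assumptions for illustration.

```javascript
// Added example, not Tyk project code. ES5 only, since the gateway's JSVM
// does not support newer syntax.

// Returns what the plugin decided plus the (possibly empty) metadata that is
// safe to use. `request` mirrors the JSVM request object: SetHeaders is the
// map the gateway applies to the upstream call.
function guardSessionMetadata(request, session) {
  var result = { hadSession: false, tier: "anonymous", meta: {} };

  // 1. With require_session:true the session is passed only if it exists.
  //    On an endpoint that ignores authentication it may be undefined, null
  //    or an object without meta_data, so never dereference it blindly.
  if (!session || typeof session !== "object" ||
      !session.meta_data || typeof session.meta_data !== "object") {
    request.SetHeaders["X-Session-Present"] = "false";
    return result;
  }

  // 2. A session is present: read only the fields this plugin consumes and
  //    fall back to a safe default when the key's policy did not set them.
  result.hadSession = true;
  result.meta = session.meta_data;
  result.tier = typeof session.meta_data.tier === "string"
    ? session.meta_data.tier
    : "default";

  request.SetHeaders["X-Session-Present"] = "true";
  request.SetHeaders["X-Customer-Tier"] = result.tier;
  return result;
}

// Registration with the gateway, guarded so the file also loads under Node
// (where the TykJS global does not exist) for testing.
if (typeof TykJS !== "undefined") {
  var sessionGuard = new TykJS.TykMiddleware.NewMiddleware({});
  sessionGuard.NewProcessRequest(function (request, session, config) {
    var outcome = guardSessionMetadata(request, session);
    // Hand back an always-valid metadata object; reaching for
    // session.meta_data directly would throw when no session arrived.
    return sessionGuard.ReturnData(request, outcome.meta);
  });
}

// Minimal stand-in for the JSVM request object, used when run under Node.
function makeRequest() {
  return { Headers: {}, SetHeaders: {}, DeleteHeaders: [] };
}
```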
Tyk Dashboard 5.3.1
Fixed
- Improved the behaviour of the Dashboard when searching for users to avoid transmitting sensitive information (user email addresses) in the request query parameters. Deprecated the `GET` method for the `/api/users/search` endpoint in favour of a `POST` method with the same logic but with parameters supplied in the request body.
- As Tyk Dashboard and Tyk Classic Portal do not accept cross origin requests we have removed the `Access-Control-Allow-Credentials` header from Dashboard API responses to prevent any potential misuse of the header by attackers. This allows simplification of the web application's security configuration.
- Implemented a randomised delay to obscure login response times, mitigating brute force attacks that rely on response time analysis.
- Fixed a bug where a user was still able to log into an Organisation on the Tyk Dashboard after that Organisation had been deleted. Now, when an Organisation is deleted, it will not be offered as an option when logging in.
- Fixed an issue where access keys could accidentally also be printed to the Dashboard’s stdout when a call was made to /api/keys to retrieve the keys. This has now been suppressed.
- The Endpoint Designer did not correctly display a GraphQL policy's allow or block list if a wildcard character (`*`) was used in the list's definition. This has been fixed and now, if the wildcard (`*`) is present in the allow/block list definition, the UI correctly displays the list of allowed/blocked fields.
- Fixed an issue that was preventing the OPA editor from being visible using the keyboard shortcut when using Microsoft Windows.
- Fixed an issue where common keyboard shortcuts (Cmd + X, A, C, V) were not working correctly when configuring the URL field for a UDG data source.
- Fixed an issue in the Tyk OAS API Designer where there was no input validation of the OAuth Introspection URL. The Gateway reported an HTTP 400 error when attempting to save an API with an illegal value, however the API Designer did not guide the user to the source of the error. Now there is automatic validation of the text entered in the Introspection URL field.
- Fixed an issue with the text editor in the Tyk OAS API Designer where the cursor was misaligned with where characters would be entered. We have replaced the text editor module throughout the Tyk Dashboard to use a more modern, supported library.
- The ‘Top 5 Errors by Graph’ bar chart in the Activity by Graph dashboard experienced display issues with long graph names and sometimes showed empty bars. This has been resolved, and the chart now displays accurately.
- Fixed a bug where some Tyk Dashboard analytics screens stopped working when the analytics aggregates collection grew too large.
- In Tyk 5.0.7/5.2.2 we fixed an issue in the policy-API link deletion code. This introduced an unintended side-effect for users of DocumentDB such that they were unable to delete APIs from the persistent storage. We identified that this was due to the use of the `$expr` operator in the solution, and discovered that this is supported by MongoDB but not by DocumentDB. We have now reimplemented the fix and removed the limitation introduced for DocumentDB users.
- In Tyk 5.2.2 we fixed an issue when using MongoDB and Tyk Security Policies where Tyk could incorrectly grant access to an API after that API had been deleted from the associated policy. This introduced an unintended side-effect for users of DocumentDB such that they were unable to delete APIs from the persistent storage. We identified that this was due to the use of the `$expr` operator in the solution, and discovered that this is supported by MongoDB but not by DocumentDB. We have now reimplemented the fix and removed the limitation introduced for DocumentDB users.
- Addressed a bug where clearing the API cache from the Tyk Dashboard failed to invalidate the cache in distributed data plane gateways.