Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols
A custom plugin with require_session:true assigned to the same endpoint as the Ignore Authentication middleware: while the custom plugin expects access to a valid session, the configuration flag doesn't guarantee its presence, only that it's passed if available. As such, the custom plugin should be coded to verify that the session metadata is present before attempting to use it.

store_data and get_data could fail due to connection issues with Redis. With this fix, the Redis connection is created if required, avoiding the crash.
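The session-presence check called for in the custom-plugin note above, as an added illustration written for this page (it is not Tyk's own plugin code or API): a stdlib-only Go model in which an authentication middleware attaches a session to the request context, an endpoint whose authentication is ignored does not, and an unguarded plugin handler is run beside a guarded one against both cases. The SessionState type, the context key, the "tenant" metadata field and the request path are assumptions of the example; in a real Tyk Go plugin the session comes from the gateway's ctx.GetSession helper, and the nil check is the same.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// SessionState is a stand-in for the gateway's session object; only the
// fields this example needs are modelled. It is an assumption, not Tyk's type.
type SessionState struct {
	KeyID    string
	MetaData map[string]string
}

type ctxKey struct{}

// withSession models the authentication middleware attaching a session to
// the request before the custom plugin runs.
func withSession(r *http.Request, s *SessionState) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), ctxKey{}, s))
}

// sessionFromRequest returns the attached session, or nil when no
// authentication ran (for example, Ignore Authentication on the endpoint).
func sessionFromRequest(r *http.Request) *SessionState {
	s, _ := r.Context().Value(ctxKey{}).(*SessionState)
	return s
}

// unsafePlugin assumes a session is always present. On an endpoint where
// authentication is ignored, s is nil and the field access panics.
func unsafePlugin(w http.ResponseWriter, r *http.Request) {
	s := sessionFromRequest(r)
	w.Header().Set("X-Tenant", s.MetaData["tenant"])
	w.WriteHeader(http.StatusOK)
}

// safePlugin checks that the session and the metadata it relies on exist
// before touching them, and decides explicitly what an unauthenticated
// request gets instead of crashing the gateway.
func safePlugin(w http.ResponseWriter, r *http.Request) {
	s := sessionFromRequest(r)
	if s == nil {
		http.Error(w, "no session attached to request", http.StatusUnauthorized)
		return
	}
	tenant, ok := s.MetaData["tenant"] // reading a nil map is safe in Go
	if !ok || tenant == "" {
		http.Error(w, "session has no tenant metadata", http.StatusForbidden)
		return
	}
	w.Header().Set("X-Tenant", tenant)
	w.WriteHeader(http.StatusOK)
}

// run sends one request through h, with or without a session, and reports
// the response status and whether the handler panicked.
func run(h http.HandlerFunc, s *SessionState) (status int, panicked bool) {
	defer func() {
		if rec := recover(); rec != nil {
			panicked = true
		}
	}()
	req := httptest.NewRequest(http.MethodGet, "/users/search", nil) // constructed request
	if s != nil {
		req = withSession(req, s)
	}
	rr := httptest.NewRecorder()
	h(rr, req)
	return rr.Code, false
}

func main() {
	sess := &SessionState{KeyID: "constructed-key", MetaData: map[string]string{"tenant": "acme"}}
	for _, c := range []struct {
		name string
		h    http.HandlerFunc
		s    *SessionState
	}{
		{"unsafe, with session", unsafePlugin, sess},
		{"unsafe, auth ignored", unsafePlugin, nil},
		{"safe, with session", safePlugin, sess},
		{"safe, auth ignored", safePlugin, nil},
	} {
		status, panicked := run(c.h, c.s)
		fmt.Printf("%-22s status=%d panicked=%v\n", c.name, status, panicked)
	}
}
```

The guarded handler returns a deliberate 401 or 403 where the unguarded one panics; which response is right for a given endpoint is a policy decision, but it must be made in the plugin, because the flag only promises that a session is passed when one exists.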
When detailed_tracing was set to false and the client sent a malformed request to a GraphQL API, the traces were missing the GraphQL attributes (operation name, type and document). This has been corrected, and debugging GraphQL with OTel will be easier for users.

Attributes that should carry the graphql prefix did not, and therefore were not in line with the community standard. This has been fixed and all attributes now have the correct prefix.

Internal looping to tyk://self: quota limits were not observed and the quota related response headers always contained 0.

The GET method for the /api/users/search endpoint is superseded by a POST method with the same logic but with parameters supplied in the request body. Search parameters sent in a GET URL end up in access logs, proxies and browser history; a request body does not.

The Access-Control-Allow-Credentials header has been removed from Dashboard API responses to prevent any potential misuse of the header by attackers. That header is what permits a cross-origin page to send cookies or other credentials with a request and read the response, so it should only ever be emitted for an explicitly trusted origin. Removing it allows simplification of the web application's security configuration.

An earlier fix relied on the $expr operator, which is supported by MongoDB but not by DocumentDB. We have now reimplemented the fix and removed the limitation introduced for DocumentDB users.
Tyk checks for certain claims (clientId, cid and client_id) to identify certain external IDPs and, if the provided claim matches one of these "reserved" values, Tyk will attempt to contact that IDP. We have introduced a new flag that can be configured in the API Definition to skip this mapping: idp_client_id_mapping_disabled (Tyk Classic API Definition) / idpClientIdMappingDisabled (Tyk OAS API Definition).

https://tyk.io/docs/product-stack/tyk-gateway/release-notes/version-5.3/
https://tyk.io/docs/product-stack/tyk-dashboard/release-notes/version-5.3/
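As an added example of where the new flag goes (assembled for this page, not taken from the release notes or Tyk's reference docs), a Tyk Classic API Definition fragment for a JWT-protected API with the IDP client-ID mapping switched off. The API name, policy names and the jwt_source placeholder are constructed; the placement of idp_client_id_mapping_disabled as a top-level field of the Classic definition is an assumption to confirm against the API Definition reference, as is the corresponding OAS placement of idpClientIdMappingDisabled alongside the JWT security scheme under x-tyk-api-gateway.

```json
{
  "name": "orders-api",
  "api_id": "orders-api",
  "use_jwt": true,
  "jwt_signing_method": "rsa",
  "jwt_source": "<base64-encoded public key or JWKS URL, per the Tyk JWT docs>",
  "jwt_identity_base_field": "sub",
  "jwt_policy_field_name": "pol",
  "jwt_default_policies": ["orders-default-policy"],
  "idp_client_id_mapping_disabled": true
}
```

With the flag set, a token whose claims happen to carry clientId, cid or client_id is treated as an ordinary JWT for this API rather than triggering a lookup against an external IDP, which is the behaviour to choose when the IDP is not one Tyk should contact on the request path.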