Releases: TykTechnologies/tyk
Tyk Gateway 2.3.13 and Tyk Dashboard 1.3.10
Tyk Gateway 2.3.13
- Added new `strip_auth_data` API definition boolean option, which removes authentication data from the request when the "Auth token" middleware is used. Useful if you do not want to pass the token to the upstream API.
- Fix bug with wrong API load order
- Fixed Python loader issue introduced in 2.3.11, which required middleware code to be placed in a fixed `middleware.py` file. Restored default behavior: you can now use files with any name.
- Additional improvements of DRL for small rate limits
Tyk Dashboard 1.3.10
- Added support for the `strip_auth_data` feature
- Fixed bug where audit does not work if custom domains are enabled
Tyk Gateway 2.3.12
Tyk Gateway
- Improved distributed rate limiter behavior with small rate limits on large number of servers
- Now you can update Session `metadata` inside gRPC and Python plugins #1249
Tyk Gateway 2.3.11
Tyk Gateway v2.3.11 continues addressing bugs in Python middleware and the rate limiter.
- Fix Python bundle load on hot reloads
- Fixed potential rate-limiting issue that allowed rate limits to be bypassed
This release is fully compatible with Dashboard v1.3.9
Tyk Gateway v2.3.10
We have released Tyk Gateway v2.3.10, which addresses serious bugs in how Python middleware is executed and in the distributed rate limiter:
- Distributed rate limiter would randomly crash after long periods of uptime; this has now been fixed.
- Python plugins in some OS versions would delete bundles on reload due to a `PYTHONPATH` misconfiguration
- Removed bug where the bundles directory is not created automatically
This release is fully compatible with Dashboard v1.3.9
v2.3.9
Tyk Gateway v2.3.8 and Tyk Dashboard v1.3.8
Tyk Gateway v2.3.8
- Support for custom error messages in middleware #986
- Fix API reloads when `http_server_options.override_defaults` is turned on #940
- Add `proxy_default_timeout` option to configure default proxy timeout #983
- Allow URLs to be rewritten in coprocess middleware #928
- Fixed crash when loading multiple Python plugins #969
- Fixed memory leak when `optimisations_use_async_session_write` is turned on #966
- Fix JSVM `rawlog` function to properly support log hooks like syslog or graylog #998
- Fix panic when loading duplicate APIs #938
- Key metadata now supports numeric values #944
- API definition `config_data` now supports complex JSON objects #951
Tyk Dashboard 1.3.8
- Fix swagger docs validation badge
- Fix API spec validation for URLs containing the dot (`.`) symbol
- New Dashboard API to verify developer credentials: `/portal/developers/verify_credentials` https://tyk.io/docs/tyk-dashboard-api/portal-developers/
With the new Portal API, it is now possible to create completely custom developer portals and even embed them into your own software. We prepared a guide on creating your own developer portal: https://tyk.io/docs/publish/customise/custom-developer-portal/
In addition, our deb and rpm packages now properly handle config file upgrades and do not override user changes.
Tyk Gateway v2.3.7 and Tyk Dashboard v1.3.7
Tyk Gateway v2.3.7
- Added HTTPS support for Plugin Bundle downloader #925
- Fix path duplication when using URL rewrite #855
- JSVM middleware now has a `rawlog` function, which prints unformatted data bypassing logger formatting #844
- JSVM middleware and VirtualEndpoint now support passing custom data from the API definition using the `config_data` object #829
- Added support for TLS connection with MDCB (Hybrid) using `slave_options.use_ssl` and `slave_options.ssl_insecure_skip_verify` #842
- Fix uptime tests bug where traffic was sent to a dead host #825
- Fix JSVM leak introduced in 2.3.5 #804
- Fix hot reload issues when used in MDCB or Hybrid environments
Tyk Dashboard v1.3.7
- Added `config_data` field to the API designer user interface
- Updated Swagger documentation to support latest specification changes
- Added `security.allow_admin_reset_password` option to allow admin users to reset passwords without additional permissions
MDCB v1.3.0
- Added support for secure TLS connections with Gateway
- Improved Gateway authentication mechanism to fix hot reload issues
UPGRADE NOTICE
The new gateway version v2.3.7 requires MDCB v1.3.0, so MDCB should be upgraded first.
Tyk Gateway v2.3.6 and Tyk Dashboard v1.3.6
Tyk Gateway v2.3.6
- Improved handling of duplicate listen paths: instead of ignoring the API, it will now bind it to a random slug.
- Now you can inject a request correlation ID (for example `X-Request-ID`) into your requests using Context Data variables (https://tyk.io/tyk-documentation/transform-traffic/request-headers/#request-headers-context-variables), for example: `"X-Request-ID": "$tyk_context.request_id"`.
- Fixed multiple issues while using Python plugins.
- Coprocess middleware (Python, Lua, gRPC) is now able to override response code, headers and body using `ReturnOverrides`. See #763.
Tyk Dashboard v1.3.6
Password reset
Added ability to reset user passwords.
By default, users can reset only their own password.
Added a new permission, `ResetPassword`, which can be granted only via the admin API using the new endpoints:
`/admin/users/:userId/actions/allow_reset_passwords`
`/admin/users/:userId/actions/disallow_reset_passwords`
You need to make the request using the PUT HTTP method, for example:
```
curl -X PUT -H "admin-auth: <your secret>" http://<dashboard>/admin/users/:userId/actions/allow_reset_passwords
```
Password recovery
It's now possible for users to recover their dashboard password using email. To enable this feature, ensure that you have configured email: https://tyk.io/tyk-documentation/configure/outbound-email-configuration/. Do not forget about the new `email_backend.dashboard_domain` option, which should be your public dashboard hostname.
Other
- Updated user interface branding.
- Added support for the Mongo SSL protocol, using the new `mongo_use_ssl` and `mongo_ssl_insecure_skip_verify` boolean variables.
- Current user now can't revoke themselves.
- Dashboard session timeout is now configurable using the `dashboard_session_lifetime` option and reduced to 1 hour by default.
- Fixed missing API name on analytics pages for newly created APIs.
- Fixed Dashboard API key reset if there were issues with the old key.
Binaries built with Go 1.7.6
Tyk Gateway v2.3.5 and Tyk Dashboard v1.3.5
Tyk Gateway v2.3.5
- New: Added `http_server_options.ssl_insecure_skip_verify` boolean option to allow self-signed certificates for the Gateway. #693
- New: Added `proxy_ssl_insecure_skip_verify` boolean option to skip the SSL check for upstream APIs with self-signed certificates. #693
- Fix: Control API was not working when both `hostname` and `control_api_hostname` were set. #670
- Fix: Uptime tests when `failure_trigger_sample_size` is set to `1`. #632
- Fix: Uptime tests when `uptime_tests.time_wait` is not explicitly set in config. #669
- Fix: Log flooding when `management_node` is turned on. #660
- Fix: `/keys/*` endpoint when the `api_id` param is provided but the API is not loaded on this node (due to tags). Now tagged gateways have access to all keys. #663
- Fix: Reduced default values for uptime tests in the default tyk.config. The old ones had a 20 minute wait time. #668
- Fix: Duplicated hostnames in uptime logs. #678
- Fix: IP whitelisting using the `X-Fowarder-IP` header. #704
- Fix: Potential memory leak in hot reload with JSVM enabled. #496
Tyk Dashboard v1.3.5
New: Dashboard and Portal login rate limiting
Login rate limiting applies to both the dashboard and the developer portal.
Once a user reaches the limit, they will see an error and will not be able to log in to the dashboard/portal.
Added new configuration section:
```json
"security": {
  "login_failure_username_limit": 3,
  "login_failure_ip_limit": 10,
  "login_failure_expiration": 900
}
```
By default, limit values are zero and `login_failure_expiration` is 15 minutes (900 seconds).
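To make the semantics of the three `security` keys concrete, here is an added example (not Tyk's own code) of a sliding-window login limiter with a per-username and a per-IP counter, using the values from the section above as defaults; treating a limit of 0 as "disabled" and not re-counting blocked attempts are assumptions made for the demo.

```python
import time
from collections import defaultdict

# Defaults mirror the "security" section above; treating a limit of 0 as
# "disabled" is an assumption made for this demo, not documented behaviour.
USERNAME_LIMIT = 3     # login_failure_username_limit
IP_LIMIT = 10          # login_failure_ip_limit
EXPIRATION = 900       # login_failure_expiration, in seconds


class LoginLimiter:
    """Track failed logins per username and per source IP inside a sliding window."""

    def __init__(self, username_limit=USERNAME_LIMIT, ip_limit=IP_LIMIT,
                 expiration=EXPIRATION, clock=time.time):
        self.username_limit = username_limit
        self.ip_limit = ip_limit
        self.expiration = expiration
        self.clock = clock                    # injectable for deterministic tests
        self._failures = defaultdict(list)    # ("user"|"ip", key) -> timestamps

    def _recent(self, key):
        """Drop failures older than the expiration window and count the rest."""
        cutoff = self.clock() - self.expiration
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return len(self._failures[key])

    def is_blocked(self, username, ip):
        by_user = self.username_limit and self._recent(("user", username)) >= self.username_limit
        by_ip = self.ip_limit and self._recent(("ip", ip)) >= self.ip_limit
        return bool(by_user or by_ip)

    def record_failure(self, username, ip):
        now = self.clock()
        self._failures[("user", username)].append(now)
        self._failures[("ip", ip)].append(now)


def attempt_login(limiter, username, ip, password_ok):
    """Return 'blocked', 'failed' or 'ok'; a blocked attempt is not re-counted."""
    if limiter.is_blocked(username, ip):
        return "blocked"
    if not password_ok:
        limiter.record_failure(username, ip)
        return "failed"
    return "ok"
```

Note that the IP counter catches password spraying across many usernames from one address, which the per-username counter alone would miss.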
New: Audit log
Now you can enable the audit log by setting the `security.audit_log_path` configuration option. It will log all user actions and response statuses. Security information like passwords is removed from this log.
Other
- New: Added new `host_config.secure_cookie` boolean option which enables "secure" cookies, working only under `https`.
- Fix: Dashboard authorization now internally uses HTTP Only cookies instead of headers to improve defense against Cross-Site Scripting attacks.
- Fix: Ensure that API responses are not cached by explicitly adding the `Cache-Control: no-cache` header.
- Fix: Potential Content-Type sniffing issues by setting the `X-Content-Type-Options: nosniff` header.
- Set proper MIME types for font assets.
- Fix: Deny API Catalogue documentation access if the catalogue was set to inactive or the portal is only for logged-in users.
- Fix: Policy selector in the developer view only showed 10 policies; it should show all of them.
- Fix: Saving a developer should not flush their password.
- Fix: Broken URLs to get a free or commercial license on the first start screen.
- Fix: Use canonical casing for the `X-Frame-Options` header.
- Fix: Improved protection against Cross-Frame Scripting.
- Fix: Fixed checks for duplicate listen paths and slugs (including Swagger import). To make it work, ensure that the `enable_duplicate_slugs` option is set to `false`.
- Fix: Swagger API import now properly sets Slug and ListenPath based on `basePath`.
- Fix: A key attached to a policy did not inherit the expiration date.
- UX: Hide access token generator for disabled users.
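After upgrading, an operator will want to confirm that the hardening headers from the v1.3.4 and v1.3.5 Dashboard notes (HTTP Only and secure cookies, `Cache-Control: no-cache`, `X-Content-Type-Options: nosniff`, canonical `X-Frame-Options`, HSTS) are actually present on dashboard responses. The following is an added checker, not Tyk's own code; it takes the header list of a captured response, the sample responses are constructed, and accepting only `DENY` or `SAMEORIGIN` for `X-Frame-Options` is an assumption.

```python
# Defender-side check of the hardening headers the 1.3.4/1.3.5 notes list.
# Added example, not Tyk code; accepted X-Frame-Options values are an assumption.
FRAME_VALUES = {"DENY", "SAMEORIGIN"}

def audit_security_headers(headers, https=True):
    """Return findings for a list of (name, value) response headers; [] means all passed.
    Names match case-insensitively, but X-Frame-Options is also expected in
    canonical casing, as the 1.3.5 fix describes.
    """
    idx = {}                      # lower-cased name -> [(name as sent, value), ...]
    for name, value in headers:
        idx.setdefault(name.lower(), []).append((name, value))
    def first(name):
        return idx.get(name.lower(), [(None, None)])[0]
    findings = []
    _, val = first("X-Content-Type-Options")
    if val is None or val.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    raw, val = first("X-Frame-Options")
    if val is None or val.strip().upper() not in FRAME_VALUES:
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    elif raw != "X-Frame-Options":
        findings.append(f"X-Frame-Options sent with non-canonical casing '{raw}'")
    _, val = first("Cache-Control")
    if val is None or "no-cache" not in val.lower():
        findings.append("Cache-Control does not include no-cache")
    if https and first("Strict-Transport-Security")[1] is None:
        findings.append("Strict-Transport-Security (HSTS) missing on HTTPS response")
    for _, cookie in idx.get("set-cookie", []):      # session cookie flags
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
        if https and "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
    return findings

# Constructed samples: a pre-1.3.5 style response beside a hardened one.
LEGACY_RESPONSE = [
    ("x-frame-options", "sameorigin"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Cache-Control", "no-cache"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
]
```

Feed it the headers of a real dashboard response (for example from `curl -si`) to get a list of findings; an empty list means every check passed.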
Tyk Gateway v2.3.4 and Tyk Dashboard v1.3.4
Tyk Gateway v2.3.4
- Added new `management_node` boolean configuration option. When turned on, it will exclude the node from the distributed rate limiter.
- The `/tyk/api` endpoint, used for managing APIs, can now be accessed without a trailing slash to avoid confusion.
Tyk Dashboard v1.3.4: security focused release
- Fix: Deactivating a user now disables their API access and logs them out from existing dashboard sessions.
- Fix: Updating user permissions now does not empty user password.
- Fix: Updating user permissions now updates both the current API session and all open dashboard sessions, and does not require the user to re-login.
- User access to OAuth tokens is now controlled using a separate permission group.
- Disabled auto-completion for all forms with passwords.
- Enable HSTS for all requests to improve HTTPS security.
- Added new `disable_parallel_sessions` boolean configuration option. When turned on, it allows only one active dashboard session: when a user logs in, all of their other active sessions are automatically logged out.
- Using the Admin API you can now set the password. If the password field is empty, it gets ignored.