Update dependency @redwoodjs/api to v2 [SECURITY] #86
This PR contains the following updates:
@redwoodjs/api: 0.47.1 -> 2.2.5
GitHub Vulnerability Alerts
GHSA-3qmc-2r76-4rqp
Impact
What kind of vulnerability is it? Who is impacted?
This is an API vulnerability in Redwood's [dbAuth], specifically the dbAuth forgot password feature:
User Accounts are Vulnerable to Takeover (Hijacking)
A reset token for any user can be obtained given knowledge of their username or email via the forgot-password API. With the leaked reset token, a malicious user could request to reset a user's password, changing their credentials and gaining access to their account.
How to Determine if Projects have been Attacked
To determine if a project has been attacked, we recommend checking logs for suspicious activity; namely, the volume of requests to the forgot-password API using emails that don't exist. Another indication is if users inform you that they can't access their accounts.
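The log check described above, as an added example that is not part of the advisory or of Redwood itself: a small triage helper that parses JSON log lines and flags client addresses sending many forgot-password requests for emails that matched no account inside a short window. The log shape (fields `ts`, `ip`, `method`, `userFound`) and the `forgotPassword` method name are assumptions; real Redwood API logs will differ, so map your own fields into this shape first.

```javascript
// Added example, not from the advisory or the Redwood project: a triage helper for the log
// review the advisory recommends. It counts forgot-password requests whose email matched no
// account, per client address, inside a sliding time window, and flags addresses over a
// threshold. Assumption: log lines are JSON with the fields ts, ip, method and userFound.

// Constructed sample log lines (not real traffic). 203.0.113.5 sends six requests for
// unknown emails in under a minute; 198.51.100.7 makes one normal request and one typo.
const SAMPLE_LOG_LINES = [
  '{"ts":"2022-10-01T10:00:00Z","ip":"203.0.113.5","method":"forgotPassword","userFound":false}',
  '{"ts":"2022-10-01T10:00:04Z","ip":"203.0.113.5","method":"forgotPassword","userFound":false}',
  '{"ts":"2022-10-01T10:00:09Z","ip":"203.0.113.5","method":"forgotPassword","userFound":false}',
  '{"ts":"2022-10-01T10:00:15Z","ip":"203.0.113.5","method":"forgotPassword","userFound":true}',
  '{"ts":"2022-10-01T10:00:20Z","ip":"203.0.113.5","method":"forgotPassword","userFound":false}',
  '{"ts":"2022-10-01T10:00:31Z","ip":"203.0.113.5","method":"forgotPassword","userFound":false}',
  '{"ts":"2022-10-01T10:00:45Z","ip":"203.0.113.5","method":"forgotPassword","userFound":false}',
  '{"ts":"2022-10-01T10:01:00Z","ip":"198.51.100.7","method":"forgotPassword","userFound":true}',
  '{"ts":"2022-10-01T10:02:00Z","ip":"198.51.100.7","method":"forgotPassword","userFound":false}',
  '{"ts":"2022-10-01T10:02:30Z","ip":"198.51.100.7","method":"login","userFound":true}',
];

// Parse JSON log lines into objects with a numeric timestamp; malformed lines are skipped.
function parseLogLines(lines) {
  const entries = [];
  for (const line of lines) {
    try {
      const e = JSON.parse(line);
      entries.push({ ...e, t: Date.parse(e.ts) });
    } catch {
      // not JSON: ignore this line
    }
  }
  return entries;
}

// Flag client addresses with at least `threshold` unknown-email forgot-password requests
// inside any window of `windowMs`. Returns [{ ip, count }] sorted by count, highest first.
function flagForgotPasswordBursts(entries, { windowMs = 60_000, threshold = 5 } = {}) {
  const byIp = new Map();
  for (const e of entries) {
    // Only forgot-password calls for emails that matched no account are of interest.
    if (e.method !== 'forgotPassword' || e.userFound !== false || Number.isNaN(e.t)) continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e.t);
  }
  const flagged = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    // Two-pointer sliding window: widest run of timestamps that fits in windowMs.
    let best = 0;
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      best = Math.max(best, end - start + 1);
    }
    if (best >= threshold) flagged.push({ ip, count: best });
  }
  return flagged.sort((a, b) => b.count - a.count);
}

// Prints [ { ip: '203.0.113.5', count: 6 } ] for the constructed sample.
console.log(flagForgotPasswordBursts(parseLogLines(SAMPLE_LOG_LINES)));
```

Both the window and the threshold are tunable. A burst of unknown-email requests from one address is the pattern the advisory points at; a genuine user mistyping their email once, as 198.51.100.7 does in the sample, stays under the threshold.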
If you have questions or concerns, reach out via the "For More Information" section below.
Patch Releases Available
The problem has been patched on the v3 and v2 release lines. Users should upgrade to v3.3.1+ or v2.2.5+ respectively.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
We recommend upgrading to the Patch Releases above. If upgrading is not possible, there are several workarounds:
- Manually strip out `resetToken` and `resetTokenExpiresAt` in the `forgotPassword.handler()`: users on all release lines can have their `forgotPassword.handler()` function strip out the sensitive fields manually before returning.
- Use `yarn patch` to manually apply the fix: users on v3 and v2 can use `yarn patch` to apply the fix if they're using yarn v3. See the dbAuth "forgot-password" Account Takeover Vulnerability high gist for instructions.
- Disable the forgot password flow entirely (v3 only): users on v3 can disable the forgot password flow entirely.
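The first workaround written out, as an added example rather than Redwood's own code: dbAuth hands `forgotPassword.handler()` the user record after a reset token has been stored on it, and whatever the handler returns is serialized into the API response. The handler below returns a copy with the token fields removed, and a check helper confirms nothing sensitive is left. `resetToken` and `resetTokenExpiresAt` are the field names from the advisory; `hashedPassword` and `salt` are dbAuth's other credential columns and are stripped as well. The sample record is constructed.

```javascript
// Added example, not Redwood's own code: a forgotPassword.handler that strips the reset-token
// fields before the record is returned to the client, next to the shape the advisory describes
// as vulnerable, plus a check helper usable in a test. Field names resetToken and
// resetTokenExpiresAt come from the advisory; hashedPassword and salt are dbAuth's other
// credential columns, stripped here as well.

// Fields that must never appear in the forgot-password response.
const SENSITIVE_FIELDS = ['resetToken', 'resetTokenExpiresAt', 'hashedPassword', 'salt'];

// Constructed sample record in the shape the handler receives (values are placeholders).
const SAMPLE_USER = {
  id: 42,
  email: 'alice@example.com',
  hashedPassword: 'constructed-hash',
  salt: 'constructed-salt',
  resetToken: 'constructed-reset-token',
  resetTokenExpiresAt: '2022-10-01T11:00:00Z',
};

// The shape the advisory describes: the record goes back unchanged, so the reset token is
// returned to whoever submitted the username or email.
function unsafeForgotPasswordHandler(user) {
  return user;
}

// Hardened handler: return a copy without the sensitive fields; the original is not mutated.
function forgotPasswordHandler(user) {
  const safeUser = { ...user };
  for (const field of SENSITIVE_FIELDS) delete safeUser[field];
  return safeUser;
}

// Check helper: which sensitive fields does a handler response still carry?
function leakedFields(response) {
  return SENSITIVE_FIELDS.filter((f) => Object.prototype.hasOwnProperty.call(response, f));
}

// Demonstration on the constructed record.
console.log('unsafe handler leaks:', leakedFields(unsafeForgotPasswordHandler(SAMPLE_USER)));
console.log('hardened handler leaks:', leakedFields(forgotPasswordHandler(SAMPLE_USER)));
```

Plug it in as `forgotPassword: { handler: forgotPasswordHandler, ... }` in the options passed to `new DbAuthHandler()` in `api/src/functions/auth.js` (that is the option shape on these release lines; check your generated file). If your handler also sends the reset email from this record, do that first and return the stripped copy last.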
Release Notes
redwoodjs/redwood (@redwoodjs/api)
Releases v2.2.5 through v1.0.0 (newest first): v2.2.5, v2.2.4, v2.2.3, v2.2.2, v2.2.1, v2.2.0, v2.1.1, v2.1.0, v2.0.0, v1.5.2, v1.5.1, v1.5.0, v1.4.3, v1.4.2, v1.4.1, v1.4.0, v1.3.3, v1.3.2, v1.3.1, v1.3.0, v1.2.1, v1.2.0, v1.1.1, v1.1.0, v1.0.2, v1.0.1, v1.0.0
v0.50.0
Changelog
Unique contributors: 19
PRs merged: 76
Features
Fixed
Chore
Package Dependencies
View all Dependency Version Upgrades
Removed Deprecations and Breaking Changes
This release removes prior deprecations and has breaking changes.
- Removed binary `rw-api-server`; replaced with `rw-server [side]`. This bin is used for running the Fastify server, which is called when you run `yarn rw serve`. Projects should use `yarn rw-server api`. It also takes a `web` positional (or both).
- dbAuth: removed COOKIE_META cookies. PR #4722: dbAuth cookie config has moved to `api/src/function/auth.js` for better customization. Refer to Code Modification below to update.
- DevFatalErrorPage now pretty prints query. PR #4696 updates `src/components/FatalErrorPage.tsx`. Refer to Code Modification below to update.
- Private routes and Set now use roles (instead of role). PR #4681 changes the Router `role` prop to `roles` (plural). Projects using `role` for RBAC will need to make a Code Modification.
Code Modifications
Update DevFatalErrorPage
We've made a small change to FatalErrorPage to make sure your bundle sizes are as small as possible!
If you only have the default FatalErrorPage, you can run our automatic codemod to pull in the latest changes.
If you've customised your error page, just a small tweak is needed:
Update `roles` for `role` in Private routes and Sets
Projects using roles and RBAC will need to change any prop in `Routes.ts|js` named `role` to `roles`. The value can be a string or array of strings, which is consistent with previous behavior. Example:
Netlify Deploy: Update .toml
PR #4782 improves prerender performance on Jamstack deploy providers. For most cases, the changes are automatic.
Projects deploying to Netlify should update `netlify.toml`:
Nhost Auth: Upgrade to v2
PR #4770 updates the Nhost Auth provider to use Nhost v2.
Existing projects using Nhost need to use the new Nhost SDK. Make the following changes to `Auth.ts|js`:
dbAuth: Set Secure Cookie Attribute in Config Template
If you're using dbAuth with the new `cookie` config that we added to `api/src/functions/auth.js` in the last release, you'll need to make a change if you use Safari as your dev browser, or if you access your dev server at a host other than `localhost` (you may have noticed that you can't stay logged in). Change the `Secure` config to this:
This will set the cookie to not secure in a development environment, but otherwise `true` everywhere else (like in production). Chrome has an exception that lets you set a secure cookie over HTTP, but only if the domain is `localhost`. Safari does not have this exception!
Deploy Redwood Record on Netlify (experimental)
See #4618
Redwood Record datamodel file
In order to fix the Netlify deploy when using Redwood Record, the `datamodel.json` generated by running `yarn rw record init` was moved and will now be tracked under git.
How to Update
If you are using the RedwoodRecord lib, the only thing you have to do is run `yarn rw record init` again and you'll be good to go.
v0.49.1
Patch Release
This release includes the following fixes:
v0.49.0
Changelog
Unique contributors: 4
PRs merged: 7
Features
Fixed
Chore
Package Dependencies
View all Dependency Version Upgrades
Recommended Code Modification
dbAuth Cookie Configuration
If you are using dbAuth, we've moved the configuration for the dbAuth cookie alongside the rest of the configuration in `api/src/functions/auth.js`. The original configuration, which was internal to Redwood itself, is now deprecated. If you do not add this cookie config to auth.js your app will continue to work for now, but will show a deprecation notice in your api logs. The old behavior will be removed in a future version of Redwood.
To preserve the existing cookie settings, add the `cookie` property to the options sent into `new DbAuthHandler()`:
The cookie `Domain` is now set here instead of in an ENV var. When do you need to set `Domain`? If your web side and api side are served from different domains (such as `www.example.com` and `api.example.com`). To read more about `Domain` config: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
v0.48.0
Highlight: 🧶 Yarn 3 (Preview)
This release adds preview support for using Yarn v3 with Redwood projects. Why would you want to bump from Yarn v1 to v3? Because it's amazingly superior. And it's SuperEasy™ to upgrade and try it out. Just run the codemod:
Let us know how it goes!
Code Modification: Webhook timestamp verifiers
This is a required modification for projects using the `timestamp` webhook verifier option.
PR #4608 introduces a new option called `eventTimestamp`. Together with the existing tolerance option it's possible to add timestamp diff checks to all verifiers. But do note that not all webhook events will carry the timestamp info needed to implement this; it's up to the vendor you're integrating with to include it or not. Currently we know Svix, Clerk and Stripe have the required info.
🚨 This PR renames the `timestamp` webhook verifier option to `currentTimestampOverride`.
To automatically update your code, simply run this code modification in your Redwood project:
Manual Upgrade Step
Only necessary if you do not use the automated code mod above.
If you pass a `timestamp` value, you'll need to rename the `timestamp` object key to `currentTimestampOverride`. A simple find and replace should do the trick!
Changelog
Unique contributors: 9
PRs merged: 22
Features
Fixed
- `rw prisma migrate diff` #4590 by @thedavidprice
Chore
- #4623
- #4626 by @thedavidprice
- `setTimeout` outside test block #4638 by @jtoar
Package Dependencies
View all Dependency Version Upgrades
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.