Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols

Overview

Tyk API Gateway

Tyk is an open source Enterprise API Gateway, supporting REST, GraphQL, TCP and gRPC protocols.

Tyk Gateway is provided ‘Batteries-included’, with no feature lockout, enabling your organization to control who accesses your APIs, when they access them, and how they access them.

Tyk Technologies uses the same API Gateway for all its applications, protecting, securing, and processing APIs for thousands of organizations and businesses around the world. It is ideal for Open Banking, building software in the clouds, and exposing APIs to teams, partners & consumers.

Tyk is built from the ground up to be the fastest API gateway on the planet. It does not depend on a legacy proxy underneath. It has no 3rd party dependencies aside from Redis for distributed rate-limiting and token storage. Tyk Gateway can also be deployed as part of a larger Full Lifecycle API Management platform, Tyk Self-Managed, which also includes Management Control Plane, Dashboard GUI and Developer Portal.

Open Source API Gateway Features

Use any protocol: REST, SOAP, GraphQL, gRPC, and TCP.

Industry Standard Authentication: OIDC, JWT, bearer Tokens, Basic Auth, Client Certificates and more.

Open API Standards: Import your Swagger and OAS2/3 documents to scaffold APIs in Tyk.

Ultra performant: Low latency, and thousands of rps with just a single CPU, horizontally and vertically scalable.

Content mediation: Transform all the things, from request or response headers to converting between SOAP and GraphQL.

Extensible Plugin Architecture: Customize Tyk’s middleware chain by writing plugins in your language of choice - from Python to Javascript to Go, or any language which supports gRPC.

Rate Limiting & Quotas: Protect your upstreams from becoming overloaded and/or apply limits for each consumer.

API Versioning - API Versions can be easily set and deprecated at a specific time and date.

Granular Access Control - Grant access to one or more APIs on a per version and operation basis.

Blocklist/Allowlist/Ignored endpoint access - Enforce strict security models on a version-by-version basis to your access points.

Analytics logging - Record detailed usage data on who is using your APIs (raw data only)

CORS - Enable CORS for certain APIs so users can make browser-based requests

Webhooks - Trigger webhooks against events such as Quota Violations and Authentication failures

IP AllowListing - Block access to non-trusted IP addresses for more secure interactions

Hitless reloads - Tyk configurations can be altered dynamically and the service restarted without affecting any active request

Kubernetes native declarative API: using Open Source Tyk Operator (more info in OSS section)

Quick Start on your platform

Get Started today with Tyk Gateway (standalone)

Install

  1. Docker (Recommended method)
  2. Kubernetes-Native
  3. Kubernetes-Helm
  4. Ansible
  5. Red Hat
  6. Ubuntu
  7. CentOS
  8. Compile from Source (see instructions below)

Compiling Tyk Gateway

Compile from Source

git clone https://github.com/TykTechnologies/tyk
cd tyk
go build

Go version 1.12 is required to build master, the current development version. Tyk is officially supported on linux/amd64, linux/i386 and linux/arm64.

Tests are run against Go versions 1.12, 1.13, 1.14 and 1.15; however, at present only Go 1.12 is officially supported. To run tests locally, use the following command:

go test ./...

Note that tests require Redis to be running on the same machine (default port).

To write your own tests, please use this guide: https://github.com/TykTechnologies/tyk/blob/master/TESTING.md

Contributing

For more information about contributing PRs and issues, see CONTRIBUTING.md.

Tyk OSS Integrations

Tyk Technologies maintains other Open Source Software which can be used in conjunction with Tyk API Gateway:

Tyk Pump - Pluggable analytics purger to move Analytics generated by your Tyk nodes to any back-end.

Tyk Operator - Brings API Management capabilities to Kubernetes. Configure Ingress, APIs, Security Policies, Authentication, Authorization, Mediation and more - all using Custom Resources and Kubernetes Native primitives

Tyk Identity Broker - Tyk Authentication Proxy for third-party login

Tyk Sync - Command line tool and library to manage and synchronise a Tyk installation with your version control system (VCS).

Tyk Mserv - Asset Server and gRPC host

Documentation

All the documentation for Tyk Gateway and other OSS can be found at https://tyk.io/docs/tyk-oss-gateway/

Community

Open Source License

Tyk is released under the MPL v2.0; please see LICENSE.md for a full version of the license.

Comments
  • Load go plugins that contains the prefix V

    Description

    The plugin path was modified multiple times, ending up in a nonsense path and not loading the plugin.

    Related Issue

    https://tyktech.atlassian.net/browse/TT-6668

    Motivation and Context

    Fix https://tyktech.atlassian.net/browse/TT-6668?focusedCommentId=30359

    How This Has Been Tested

    • Load plugin with prefix
    • Load plugin without prefix
    • Load plugin with plain name

    Screenshots (if appropriate)

    Types of changes

    • [ ] Bug fix (non-breaking change which fixes an issue)
    • [ ] New feature (non-breaking change which adds functionality)
    • [ ] Breaking change (fix or feature that would cause existing functionality to change)
    • [ ] Refactoring or add test (improvements in base code or adds test coverage to functionality)

    Checklist

    • [ ] I ensured that the documentation is up to date
    • [ ] I explained why this PR updates go.mod in detail with reasoning why it's required
    • [ ] I would like a code coverage CI quality gate exception and have explained why
    opened by sredxny 62
  • [TT-6527] Fix middleware order, enabling virtual endpoint caching and cache control from jsvm

    Description

    Caching for JSVM virtual endpoints doesn't work. There are two code paths to VirtualEndpoint code (JSVM).

    • if caching is enabled, mw_redis_cache should be used, and
    • if caching is disabled, the mw_virtual_endpoint should be used;

    Ultimately it was a bug in how the RedisCacheMiddleware was implemented. It was wrapping virtual requests middleware to enable caching on them and breaking the middleware chain flow to capture the response.

    • RedisCacheMiddleware was split into the "reader" and "writer" middleware;
    • RedisCacheMiddleware becomes the Reader middleware, continuing the middleware chain on cache miss
    • ResponseCacheMiddleware was added that saves the *http.Request into the cache at the correct end of all the middlewares (after the response processors middleware).

    Minor changes and improvements have been made for type-efficient use, unit tests have been added on uncovered code, style of some functions has been improved for readability, removal of buggy-parallelism (removal of singleflight - cache reading was essentially single threaded).

    Related Issue

    Jira TT-6527 and GH issue https://github.com/TykTechnologies/tyk/issues/3853

    Motivation and Context

    How This Has Been Tested

    Screenshots (if appropriate)

    Types of changes

    • [x] Bug fix (non-breaking change which fixes an issue)
    • [ ] New feature (non-breaking change which adds functionality)
    • [ ] Breaking change (fix or feature that would cause existing functionality to change)
    • [x] Refactoring or add test (improvements in base code or adds test coverage to functionality)

    Checklist

    • [x] I ensured that the documentation is up to date
    • [x] I explained why this PR updates go.mod in detail with reasoning why it's required
    • [ ] I would like a code coverage CI quality gate exception and have explained why
    opened by titpetric 47
  • Tyk Dashboard to run inside Apache Server not on 3000 port

    Hey,

    Just want a quick thought on this. I want tyk-dashboard to run inside an Apache Web Server as I cannot open a 3000 or other ports. mod_proxy is also not working as your page might load other URLs as well. Can you tell me how I can put Dashboard under Apache web server and get access to dashboard?

    opened by tandonraghav 40
  • [TT-5477] Fix/jsvm memory usage

    This is an alternative implementation of https://github.com/TykTechnologies/tyk/pull/4215/files

    Description

    Reloading APIs which use JSVM causes gateway memory growth, and eventual crash.

    Initialise JSVM only when needed

    First of all I found that JSVM gets initialized when ANY plugin is used. So the first fix is: Initialise JSVM only when VirtualEndpoint is used, or a plugin with JSVM engine is used. It was done by removing initialization code from here https://github.com/TykTechnologies/tyk/compare/fix/jsvm-memory-usage?expand=1#diff-0cf80174bbafb36f6d4f4308ebbd971b2833b76a936bad568220aa1a4ba0ee8bL337-L354 and putting it after we already know the plugin type https://github.com/TykTechnologies/tyk/compare/fix/jsvm-memory-usage?expand=1#diff-cdf0b7f176c9d18e1a314b78ddefc2cb3a94b3de66f1f360174692c915734c68R233-R237

    Releasing pointers to ease GC

    JSVM code by itself is "a bit of" circular pointer hell. Trying to fix it leads to a huge rewrite (and some parts are really non-obvious on how to do without having links to spec/gateway), which I do not want to do as part of this PR. So now it cleans up pointers inside the JSVM object, before the API gets reloaded, to make the GC job easier https://github.com/TykTechnologies/tyk/compare/fix/jsvm-memory-usage?expand=1#diff-78cd278aba997558b7daa7897051a794ef860076d45c93be792791db39381ca0R374-R380

    Reloading only APIs which actually changed

    For each API we now calculate SHA256 checksum, and if during API reload event, API has not changed, re-use already loaded API and its resources instead. https://github.com/TykTechnologies/tyk/compare/fix/jsvm-memory-usage?expand=1#diff-cdf0b7f176c9d18e1a314b78ddefc2cb3a94b3de66f1f360174692c915734c68R886-R898

    How This Has Been Tested

    Screenshots (if appropriate)

    Types of changes

    • [ ] Bug fix (non-breaking change which fixes an issue)
    • [ ] New feature (non-breaking change which adds functionality)
    • [ ] Breaking change (fix or feature that would cause existing functionality to change)
    • [ ] Refactoring or add test (improvements in base code or adds test coverage to functionality)

    Checklist

    • [ ] Make sure you are requesting to pull a topic/feature/bugfix branch (right side). If pulling from your own fork, don't request your master!
    • [ ] Make sure you are making a pull request against the master branch (left side). Also, you should start your branch off our latest master.
    • [ ] My change requires a change to the documentation.
      • [ ] If you've changed APIs, describe what needs to be updated in the documentation.
      • [ ] If new config option added, ensure that it can be set via ENV variable
    • [ ] I have updated the documentation accordingly.
    • [ ] Modules and vendor dependencies have been updated; run go mod tidy && go mod vendor
    • [ ] When updating library version must provide reason/explanation for this update.
    • [ ] I have added tests to cover my changes.
    • [ ] All new and existing tests passed.
    • [ ] Check your code additions will not fail linting checks:
      • [ ] go fmt -s
      • [ ] go vet
    opened by buger 39
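The "reload only APIs which actually changed" step described in the PR above, as an added Go sketch that is not code from the Tyk repository: `APIDef`, `LoadedAPI` and `Registry` are hypothetical types, and hashing the JSON encoding of the definition is an assumption about what the checksum covers.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// APIDef is a constructed, cut-down API definition (hypothetical fields).
type APIDef struct {
	APIID      string `json:"api_id"`
	ListenPath string `json:"listen_path"`
	TargetURL  string `json:"target_url"`
	UseJSVM    bool   `json:"use_jsvm"`
}

// LoadedAPI stands in for an API together with the resources built for it
// (for example a JS VM), which are expensive to rebuild on every reload.
type LoadedAPI struct {
	Def        APIDef
	Checksum   string
	Generation int // number of the reload that built this instance
}

// Checksum returns the hex SHA-256 of the definition's JSON encoding.
// encoding/json emits struct fields in declaration order, so equal
// definitions always produce equal checksums.
func Checksum(def APIDef) (string, error) {
	b, err := json.Marshal(def)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:]), nil
}

// Registry holds the currently loaded APIs, keyed by API ID.
type Registry struct {
	loaded     map[string]*LoadedAPI
	generation int
}

// Reload swaps in a new set of definitions. An API whose checksum is
// unchanged keeps its already loaded instance; changed or new APIs are
// rebuilt; APIs missing from defs are dropped so they can be collected.
func (r *Registry) Reload(defs []APIDef) (reused, rebuilt int, err error) {
	gen := r.generation + 1
	next := make(map[string]*LoadedAPI, len(defs))
	for _, d := range defs {
		sum, cerr := Checksum(d)
		if cerr != nil {
			return 0, 0, cerr
		}
		if old, ok := r.loaded[d.APIID]; ok && old.Checksum == sum {
			next[d.APIID] = old
			reused++
			continue
		}
		next[d.APIID] = &LoadedAPI{Def: d, Checksum: sum, Generation: gen}
		rebuilt++
	}
	r.loaded, r.generation = next, gen
	return reused, rebuilt, nil
}

// Get returns the loaded instance for an API ID, or nil if it is not loaded.
func (r *Registry) Get(id string) *LoadedAPI { return r.loaded[id] }

func main() {
	// Constructed sample definitions.
	a := APIDef{APIID: "a", ListenPath: "/a/", TargetURL: "http://upstream-a.example", UseJSVM: true}
	b := APIDef{APIID: "b", ListenPath: "/b/", TargetURL: "http://upstream-b.example"}

	reg := &Registry{}
	fmt.Println(reg.Reload([]APIDef{a, b})) // first load: everything is built
	fmt.Println(reg.Reload([]APIDef{a, b})) // nothing changed: everything reused
	b.TargetURL = "http://upstream-b2.example"
	fmt.Println(reg.Reload([]APIDef{a, b})) // only b is rebuilt
}
```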
  • TT-4698 Support for protobuf as Analytics serialization method

    Description

    Added support to use protobuf as serialization method for the analytics. Gateway imports the implementation from tyk-pump, now you can select from msgpack and protobuf (defaults to msgpack). It will use the chosen serializer to encode the records and put them into redis, then tyk-pump will decode them and process as required. The new option added lives under analytics_config, its name is serializer_type and valid values are: msgpack and protobuf

    This PR also reverts the analytics pkg created in https://github.com/TykTechnologies/tyk/pull/3981 and starts using Tyk pump analytics struct. We made that change in order to start using only 1 source of truth for our analytics records.

    Related Issue

    TT-4698

    Motivation and Context

    • Be consistent on how we serialize the data
    • Improve the processing time and resources
    • Gain some speed

    How This Has Been Tested

    It should be tested in tandem with https://github.com/TykTechnologies/tyk-pump/pull/436 For instructions on how to test it refer to https://github.com/TykTechnologies/tyk-pump/pull/436 and follow the instructions

    Screenshots (if appropriate)

    Types of changes

    • [ ] Bug fix (non-breaking change which fixes an issue)
    • [x] New feature (non-breaking change which adds functionality)
    • [ ] Breaking change (fix or feature that would cause existing functionality to change)
    • [x] Refactoring or add test (improvements in base code or adds test coverage to functionality)

    Checklist

    • [x] Make sure you are requesting to pull a topic/feature/bugfix branch (right side). If pulling from your own fork, don't request your master!
    • [x] Make sure you are making a pull request against the master branch (left side). Also, you should start your branch off our latest master.
    • [ ] My change requires a change to the documentation.
      • [ ] If you've changed APIs, describe what needs to be updated in the documentation.
      • [ ] If new config option added, ensure that it can be set via ENV variable
    • [ ] I have updated the documentation accordingly.
    • [ ] Modules and vendor dependencies have been updated; run go mod tidy && go mod vendor
    • [ ] When updating library version must provide reason/explanation for this update.
    • [x] I have added tests to cover my changes.
    • [x] All new and existing tests passed.
    • [x] Check your code additions will not fail linting checks:
      • [x] go fmt -s
      • [x] go vet
    opened by tbuchaillot 38
  • Getting panic when trying to retrieve OIDC signature verification key

    Howdy

    I'm trying to get tyk-gateway to validate against an OIDC access key. But I'm getting a panic in openid2go when it's called to try to get the JWK signature verification key. But it's odd because I get the panic only every 2nd call. The other call is still giving me "Key not authorised"

    This is with gateway 2.2.0.3 being run from the docker image

    The Panic

    2016/08/17 19:50:51 http: panic serving 192.168.99.1:52583: interface conversion: interface is nil, not string
    goroutine 85 [running]:
    net/http.(*conn).serve.func1(0xc82046a300)
        /usr/local/go/src/net/http/server.go:1389 +0xc1
    panic(0xd2c9e0, 0xc8204b92c0)
        /usr/local/go/src/runtime/panic.go:426 +0x4e9
    github.com/TykTechnologies/openid2go/openid.(*idTokenValidator).renewAndGetSigningKey(0xc8203737a0, , 0x0, 0x0, 0x0)
        /home/tyk/go/src/github.com/TykTechnologies/openid2go/openid/idtokenvalidator.go:60 +0x23a
    github.com/TykTechnologies/openid2go/openid.(*idTokenValidator).(github.com/TykTechnologies/openid2go/tSigningKey)-fm(0xc8200e2500, 0x0, 0x0, 0x0, 0x0)
        /home/tyk/go/src/github.com/TykTechnologies/openid2go/openid/idtokenvalidator.go:38 +0x46
    github.com/dgrijalva/jwt-go.(*Parser).ParseWithClaims(0xc820140a70, 0xc820387087, 0x567, 0x7ffb6311bda8, 8200dc1a0, 0x0, 0x0, 0x0)
        /home/tyk/go/src/github.com/dgrijalva/jwt-go/parser.go:96 +0x12c3
    github.com/dgrijalva/jwt-go.(*Parser).Parse(0xc820140a70, 0xc820387087, 0x567, 0xc8200dc1a0, 0xc8200e24b0, 
        /home/tyk/go/src/github.com/dgrijalva/jwt-go/parser.go:19 +0xb4
    github.com/dgrijalva/jwt-go.Parse(0xc820387087, 0x567, 0xc8200dc1a0, 0xc8200e24b0, 0x0, 0x0)
        /home/tyk/go/src/github.com/dgrijalva/jwt-go/token.go:89 +0x6a
    github.com/TykTechnologies/openid2go/openid.(*idTokenValidator).validate(0xc8203737a0, 0xc820387087, 0x567, 
        /home/tyk/go/src/github.com/TykTechnologies/openid2go/openid/idtokenvalidator.go:38 +0x141
    github.com/TykTechnologies/openid2go/openid.authenticate(0xc820373760, 0x7ffb6311bd48, 0xc8203b4b60, 82038a030, 0x7)
        /home/tyk/go/src/github.com/TykTechnologies/openid2go/openid/middleware.go:115 +0x117
    github.com/TykTechnologies/openid2go/openid.authenticateUserWithToken(0xc820373760, 0x7ffb6311bd48, 8204ee460, 0x0, 0x0, 0x13f0ea8)
        /home/tyk/go/src/github.com/TykTechnologies/openid2go/openid/middleware.go:157 +0x5e
    github.com/TykTechnologies/openid2go/openid.AuthenticateOIDWithUser(0xc820373760, 0x7ffb6311bd48, 8204ee460, 0xbca660, 0xc8200e7818, 0x0)
        /home/tyk/go/src/github.com/TykTechnologies/openid2go/openid/middleware.go:91 +0x3f
    main.(*OpenIDMW).ProcessRequest(0xc820373740, 0x7ffb6311bd48, 0xc8203b4b60, 0xc8204ee460, 0x0, 0x0, 0x0, 0x0, 
        /home/tyk/go/src/github.com/lonelycode/tyk/middleware_openid.go:91 +0xb3
    main.CreateMiddleware.func1.1(0x7ffb6311bd48, 0xc8203b4b60, 0xc8204ee460)
        /home/tyk/go/src/github.com/lonelycode/tyk/middleware.go:44 +0x178
    net/http.HandlerFunc.ServeHTTP(0xc8203926c0, 0x7ffb6311bd48, 0xc8203b4b60, 0xc8204ee460)
        /usr/local/go/src/net/http/server.go:1618 +0x3a
    main.CreateMiddleware.func1.1(0x7ffb6311bd48, 0xc8203b4b60, 0xc8204ee460)
        /home/tyk/go/src/github.com/lonelycode/tyk/middleware.go:61 +0x38b
    net/http.HandlerFunc.ServeHTTP(0xc820392700, 0x7ffb6311bd48, 0xc8203b4b60, 0xc8204ee460)
        /usr/local/go/src/net/http/server.go:1618 +0x3a
    main.CreateMiddleware.func1.1(0x7ffb6311bd48, 0xc8203b4b60, 0xc8204ee460)
        /home/tyk/go/src/github.com/lonelycode/tyk/middleware.go:61 +0x38b
    net/http.HandlerFunc.ServeHTTP(0xc820392740, 0x7ffb6311bd48, 0xc8203b4b60, 0xc8204ee460)
        /usr/local/go/src/net/http/server.go:1618 +0x3a
    main.CreateMiddleware.func1.1(0x7ffb6311bd48, 0xc8203b4b60, 0xc8204ee460)
        /home/tyk/go/src/github.com/lonelycode/tyk/middleware.go:61 +0x38b
    net/http.HandlerFunc.ServeHTTP(0xc820392780, 0x7ffb6311bd48, 0xc8203b4b60, 0xc8204ee460)
        /usr/local/go/src/net/http/server.go:1618 +0x3a
    main.CreateMiddleware.func1.1(0x7ffb6311bd48, 0xc8203b4b60, 0xc8204ee460)
        /home/tyk/go/src/github.com/lonelycode/tyk/middleware.go:61 +0x38b
    net/http.HandlerFunc.ServeHTTP(0xc8203927c0, 0x7ffb6311bd48, 0xc8203b4b60, 0xc8204ee460)
        /usr/local/go/src/net/http/server.go:1618 +0x3a
    github.com/gorilla/mux.(*Router).ServeHTTP(0xc820274c80, 0x7ffb6311bd48, 0xc8203b4b60, 0xc8204ee460)
        /home/tyk/go/src/github.com/gorilla/mux/mux.go:98 +0x29e
    net/http.(*ServeMux).ServeHTTP(0xc820010e70, 0x7ffb6311bd48, 0xc8203b4b60, 0xc8204ee460)
        /usr/local/go/src/net/http/server.go:1910 +0x17d
    net/http.serverHandler.ServeHTTP(0xc820363380, 0x7ffb6311bd48, 0xc8203b4b60, 0xc8204ee460)
        /usr/local/go/src/net/http/server.go:2081 +0x19e
    net/http.(*conn).serve(0xc82046a300)
        /usr/local/go/src/net/http/server.go:1472 +0xf2e
    created by net/http.(*Server).Serve
        /usr/local/go/src/net/http/server.go:2137 +0x44e
    

    The non-panic response:

    time="Aug 17 19:32:36" level=warning msg="JWT Invalid: Validation error. Jwt token validation failed."
    time="Aug 17 19:32:36" level=warning msg="Attempted access with invalid key." key="[JWT]"
    time="Aug 17 19:32:36" level=error msg="request error: Key not authorised" api_id=1 org_id=1 path="/ip" server_name="http://httpbin.org/" user_id= user_ip=192.168.99.1
    

    The API has the following config

    {
      "name": "Test API",
      "slug": "test-api",
      "api_id": "1",
      "org_id": "1",
      "auth": {
        "auth_header_name": "Authorization"
      },
      "definition": {
        "location": "header",
        "key": "x-api-version"
      },
      "version_data": {
        "not_versioned": true,
        "versions": {
          "Default": {
            "name": "Default",
            "use_extended_paths": true
          }
        }
      },
      "proxy": {
        "listen_path": "/test-api/",
        "target_url": "http://httpbin.org/",
        "strip_listen_path": true
      },
      "active": true,
      "use_openid": true,
      "openid_options": {
        "providers": [
          {
            "issuer": "https://out-keycloak-url/auth/realms/adfs",
            "client_ids": {
              "c2FtcGxlX2xvZ2lu": "default"
            }
          }
        ],
        "segregate_by_client": false
      }
    }
    

    I'm using Keycloak as the OIDC provider and I have it working elsewhere.

    bug 
    opened by wonderslug 36
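The panic message in the report above is what Go raises for a single-value type assertion on a nil interface value. The following added example (not code from openid2go or Tyk) assumes the nil value is a token header field such as `kid` read from a decoded `map[string]interface{}`, which the page does not confirm, and shows the checked form that rejects the token with an error instead of panicking; all tokens are constructed and unsigned.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrMalformedToken marks tokens that must be rejected before key lookup.
var ErrMalformedToken = errors.New("malformed token")

// uncheckedKeyID reproduces the failure mode: a single-value type assertion
// on a missing map entry panics. The recover only captures the message.
func uncheckedKeyID(header map[string]interface{}) (kid, panicMsg string) {
	defer func() {
		if r := recover(); r != nil {
			panicMsg = fmt.Sprint(r)
		}
	}()
	kid = header["kid"].(string)
	return kid, ""
}

// headerString reads a string field from a decoded header using the
// two-value ("comma ok") assertion, so a missing, null or non-string field
// becomes an error the caller can turn into a 401.
func headerString(header map[string]interface{}, name string) (string, error) {
	v, present := header[name]
	if !present || v == nil {
		return "", fmt.Errorf("%w: header %q is missing", ErrMalformedToken, name)
	}
	s, ok := v.(string)
	if !ok || s == "" {
		return "", fmt.Errorf("%w: header %q is not a non-empty string", ErrMalformedToken, name)
	}
	return s, nil
}

// KeyIDFromToken decodes the header segment of a compact JWS and returns the
// kid used to select a verification key. It verifies nothing; it only makes
// sure key selection cannot crash on attacker-controlled input.
func KeyIDFromToken(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("%w: expected 3 segments, got %d", ErrMalformedToken, len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", fmt.Errorf("%w: header is not base64url", ErrMalformedToken)
	}
	var header map[string]interface{}
	if err := json.Unmarshal(raw, &header); err != nil {
		return "", fmt.Errorf("%w: header is not a JSON object", ErrMalformedToken)
	}
	return headerString(header, "kid")
}

// makeToken builds a constructed, unsigned token around the given header JSON.
func makeToken(headerJSON string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(headerJSON)) + "." + enc([]byte(`{"sub":"constructed"}`)) + "." + enc([]byte("sig"))
}

func main() {
	_, msg := uncheckedKeyID(map[string]interface{}{"alg": "RS256"})
	fmt.Println("unchecked:", msg)

	for _, h := range []string{
		`{"alg":"RS256","kid":"key-1"}`, // well formed
		`{"alg":"RS256"}`,               // kid missing
		`{"alg":"RS256","kid":42}`,      // kid has the wrong type
	} {
		kid, err := KeyIDFromToken(makeToken(h))
		fmt.Printf("checked: kid=%q err=%v\n", kid, err)
	}
}
```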
  • Replicate changes of custom keys in slave nodes (deletion/updates)

    Description

    When creating a custom key in a slave node, we must ensure that the hash is the same as in the master node, otherwise we could face issues updating and deleting tokens. Also in this PR an issue was solved where we would end up having 2 keys in redis when we used the key (when we used the key then a new key and quota key were registered)

    Related Issue

    • https://tyktech.atlassian.net/browse/TT-2820
    • https://tyktech.atlassian.net/browse/TT-2639

    Motivation and Context

    Fix CRUD of custom keys in slave nodes. Prevent the creation of 2 keys

    How This Has Been Tested

    Replicating the steps to reproduce the bug

    Screenshots (if appropriate)

    Types of changes

    • [x] Bug fix (non-breaking change which fixes an issue)
    • [ ] New feature (non-breaking change which adds functionality)
    • [ ] Breaking change (fix or feature that would cause existing functionality to change)
    • [ ] Refactoring or add test (improvements in base code or adds test coverage to functionality)

    Checklist

    • [x] Make sure you are requesting to pull a topic/feature/bugfix branch (right side). If pulling from your own fork, don't request your master!
    • [x] Make sure you are making a pull request against the master branch (left side). Also, you should start your branch off our latest master.
    • [ ] My change requires a change to the documentation.
      • [ ] If you've changed APIs, describe what needs to be updated in the documentation.
      • [ ] If new config option added, ensure that it can be set via ENV variable
    • [ ] I have updated the documentation accordingly.
    • [ ] Modules and vendor dependencies have been updated; run go mod tidy && go mod vendor
    • [ ] When updating library version must provide reason/explanation for this update.
    • [ ] I have added tests to cover my changes.
    • [x] All new and existing tests passed.
    • [x] Check your code additions will not fail linting checks:
      • [x] go fmt -s
      • [x] go vet
    opened by sredxny 34
  • Full OAuth 2 Support

    First off, I know that there is a OAuth issue on https://trello.com/b/59d5kAZ5/tyk-api-gateway-roadmap . This is mainly for clarification/documentation purposes.

    What do you believe to be the current state of the OAuth 2 flow? We are in the process of evaluating different API gateways, and need them to fully support OAuth 2 in production with several million API calls a month.

    Needed features

    • Password Grant flow
    • Implicit Grant flow
    • Authorization Code flow
    • Client Credentials flow
    • Ability to revoke refresh and access tokens

    Of the above, it looked to us like client credentials is missing from the current feature set. Is our conclusion correct? Furthermore, we didn't see any support for refresh tokens either, or for revoking tokens based on certain criteria (the authenticated user, for example).

    Your perspective on this would be much appreciated. The OAuth implementations of every other API gateway are incredibly young. A good implementation would set this project above the rest. If you have a general idea of what you planned out for this and were to note your plan here, I might be able to code up a pull request.

    needs documenting 
    opened by ivanmartinvalle 34
  • Potential memory leak in hot reload with JSVM enabled

    Do you want to request a feature or report a bug? bug

    What is the current behavior? If I run many hot-reloads (in this case I had removed the timer functionality that introduces limits on how many reloads you can run one after the other) then I can see memory consumption gradually increase with each reload. This behaviour is worse when the JSVM is enabled.

    When the reloads stopped, the RES and VIRT memory figures did not reduce back down

    What is the expected behavior? The memory should be reclaimed

    If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem

    1. Set "reload_wait_time": 1 in tyk.conf
    2. Comment out time.Sleep(10 * time.Second) in main.go in function doReload()
    3. Compile and run
    4. Run a looped script that will call many hot reloads:
    #!/bin/bash
    while [ 1 ]
    do
            curl -H "x-tyk-authorization: $SECRET" http://$TYK_GATEWEAY:8181/tyk/reload/group
            sleep .5
    done
    
    5. Monitor the memory consumption (in this case, without JSVM, it required about 2,600 iterations to go from a standing amount (279M or so) to 500M)

    This isn't so bad as Gateways will not hot reload that often, and when they do, they do not do so very quickly right after each other, however it is concerning that the memory is not being reclaimed by the OS and in the long term could cause issues for the user.

    This also affects RPC reloads (MDCB).

    Which versions of Tyk affected by this issue? Did this work in previous versions of Tyk? 2.3.2

    bug 
    opened by lonelycode 33
  • Omit gateway tags if empty

    Description

    The gateway provided segmentation tags behavior as an always-enabled option. In order to implement a config flag that wouldn't change existing behavior, "tags_disabled" was implemented. When converting between OAS and the Tyk API Definition, this means that the configuration flag for the tags is copied between the two API definitions. This means what is disabled=false for tags in the tyk apidef becomes enabled=true in the OAS document.

    This adds a cleanup for the OAS document that removes the gatewayTags entry if either the tags are disabled, or if they are enabled and no tags are defined (length=0).

    Related Issue

    https://tyktech.atlassian.net/browse/TT-5718

    Motivation and Context

    How This Has Been Tested

    Screenshots (if appropriate)

    Types of changes

    • [ ] Bug fix (non-breaking change which fixes an issue)
    • [ ] New feature (non-breaking change which adds functionality)
    • [ ] Breaking change (fix or feature that would cause existing functionality to change)
    • [ ] Refactoring or add test (improvements in base code or adds test coverage to functionality)

    Checklist

    • [ ] Make sure you are requesting to pull a topic/feature/bugfix branch (right side). If pulling from your own fork, don't request your master!
    • [ ] Make sure you are making a pull request against the master branch (left side). Also, you should start your branch off our latest master.
    • [ ] My change requires a change to the documentation.
      • [ ] If you've changed APIs, describe what needs to be updated in the documentation.
      • [ ] If new config option added, ensure that it can be set via ENV variable
    • [ ] I have updated the documentation accordingly.
    • [ ] Modules and vendor dependencies have been updated; run go mod tidy && go mod vendor
    • [ ] When updating library version must provide reason/explanation for this update.
    • [ ] I have added tests to cover my changes.
    • [ ] All new and existing tests passed.
    • [ ] Check your code additions will not fail linting checks:
      • [ ] go fmt -s
      • [ ] go vet
    opened by titpetric 31
  • TT-4354 Go plugins to support multiple Tyk versions

    Description

    In order to support plugins with multiple Tyk versions, logic was added to load them using information such as: Tyk version, operating system and architecture on which it's running. The load Go Plugin logic will first check whether there's an exact match with the provided path; if that file doesn't exist then it will build a path+pluginName like this:

    1. Gather information like: os, tyk version and architecture
    2. Obtain the clean name of the plugin
    3. Obtain the directory where the plugins are stored
    4. Build a new plugin name in the format: {plugin-dir}/{plugin-name}_{GW-version}_{OS}_{arch}.so
    5. Load the plugin using the new name

    Related Issue

    https://tyktech.atlassian.net/browse/TT-4354

    Motivation and Context

    Allow users to upload multiple versions of a go plugin, and load it based on where it's running

    How This Has Been Tested

    • created go plugin following the instructions available in https://tyk.io/docs/plugins/supported-languages/golang/#plugin-development-flow
    • Created api and added a plugin like:
     "custom_middleware": {
          "pre": [],
          "post": [
            {
              "name": "AddFooBarHeader",
              "path": "./mygoplugin/mygoplugin.so",
              "require_session": false,
              "raw_body_only": false
            }
          ],
          "post_key_auth": [],
          "auth_check": {
            "name": "",
            "path": "",
            "require_session": false,
            "raw_body_only": false
          },
          "response": [],
          "driver": "goplugin",
          "id_extractor": {
            "extract_from": "",
            "extract_with": "",
            "extractor_config": {}
          }
        },
    
    • Name the plugin: mygoplugin_v4.1.0_darwin_amd64.so
    • Curl the api: curl -i http://tyk-gateway:8081/goplugin/get
    • In the result I can see the header Foo: Bar

    Testing the Plugin compiler

    Now the plugin compiler has the ability to generate the plugins with the name format set as explained above. In order to test it we need to create the plugin and check that the name is set as expected. The plugin compiler has the ability to receive the OS and Arch as 3rd and 4th params. To test, let's do:

    • Create the plugin directory
    • go mod init tyk_plugin
    • go mod edit -replace github.com/jensneuse/graphql-go-tools=github.com/TykTechnologies/graphql-go-tools@f818861b88dc
    • go get github.com/TykTechnologies/tyk@af8883a
    • Write the plugin following the instructions of https://tyk.io/docs/3-lts/plugins/supported-languages/golang/#write-the-plugin
    • Then, to build the plugin let's use the docker image: tykio/tyk-plugin-compiler:v4.1.0-rc3 and at this point we need to test it in 2 ways: sending the arch and os, and not sending those params:

    1- Sending OS/Arch (Skip this section as cross compilation is not working):

    • Type docker run --rm -v `pwd`:/plugin-source tykio/tyk-plugin-compiler:v4.1.0-rc5 plugin.so pluginid testOS testArch and as output it will generate a file named: plugin_v4.1.0_testOS_testArch.so. The bad side of this approach is that it is always required to send a pluginID.

    If we attempt to send an invalid OS or arch, we will receive a message like this: [screenshot]

    2- Without sending the OS/Arch:

    • Type docker run --rm -v `pwd`:/plugin-source tykio/tyk-plugin-compiler:v4.1.0-rc5 plugin.so. As the docker container is running linux, it will detect that OS and architecture and will create a file with a name like: plugin_v4.1.0_linux_amd64.so

    Screenshots (if appropriate)

    Types of changes

    • [ ] Bug fix (non-breaking change which fixes an issue)
    • [x] New feature (non-breaking change which adds functionality)
    • [ ] Breaking change (fix or feature that would cause existing functionality to change)
    • [ ] Refactoring or add test (improvements in base code or adds test coverage to functionality)

    Checklist

    • [x] Make sure you are requesting to pull a topic/feature/bugfix branch (right side). If pulling from your own fork, don't request your master!
    • [x] Make sure you are making a pull request against the master branch (left side). Also, you should start your branch off our latest master.
    • [ ] My change requires a change to the documentation.
      • [ ] If you've changed APIs, describe what needs to be updated in the documentation.
      • [ ] If new config option added, ensure that it can be set via ENV variable
    • [ ] I have updated the documentation accordingly.
    • [ ] Modules and vendor dependencies have been updated; run go mod tidy && go mod vendor
    • [ ] When updating library version must provide reason/explanation for this update.
    • [x] I have added tests to cover my changes.
    • [ ] All new and existing tests passed.
    • [x] Check your code additions will not fail linting checks:
      • [x] go fmt -s
      • [x] go vet
    opened by sredxny 31
  • TT-6968 GroupLogin synchronization force

    [changelog] fixed: force synchronization for the edge group when slave_options.synchroniser_enabled is set to true.

    Description

    This PR adds a new groupLogin callback function for RPC connections when slave_options.synchroniser_enabled=true. This changes the groupLogin function, adding an extra param to force the group synchronization in MDCB. It also adds a sync group key in Redis for the group to avoid multiple synchronizations force.

    This is complementary to the work done in https://github.com/TykTechnologies/tyk-sink/pull/307

    Related Issue

    https://tyktech.atlassian.net/browse/TT-6968

    Motivation and Context

    https://tyktech.atlassian.net/browse/TT-6968

    How This Has Been Tested

    Added unit tests

    Screenshots (if appropriate)

    Types of changes

    • [ ] Bug fix (non-breaking change which fixes an issue)
    • [ ] New feature (non-breaking change which adds functionality)
    • [ ] Breaking change (fix or feature that would cause existing functionality to change)
    • [ ] Refactoring or add test (improvements in base code or adds test coverage to functionality)

    Checklist

    • [ ] I ensured that the documentation is up to date
    • [ ] I explained why this PR updates go.mod in detail with reasoning why it's required
    • [ ] I would like a code coverage CI quality gate exception and have explained why
    opened by tbuchaillot 4
  • Merging to release-4.3: [TT-7455] Delete golangci-lint github action (#4597)

    TT-7455 Delete golangci-lint github action (#4597)

    Description

    This PR removes the duplicate/misconfigured golangci-lint github action.

    Related Issue

    https://tyktech.atlassian.net/browse/TT-7455

    Motivation and Context

    Housekeeping GH actions:

    1. We already have a golangci-lint action in ci-tests, which nicely surfaces issues in sonarcloud,
    2. Failure from GH action being removed doesn't produce file/line info for errors (misconfiguration?)
    3. Github Actions reuse (in future).

    Removing this workflow doesn't hurt us, as we cover raising of errors in CI Tests.

    https://github.com/TykTechnologies/tyk/actions/runs/3795785568/jobs/6455252799#step:3:87

    How This Has Been Tested

    Screenshots (if appropriate)

    Types of changes

    • [ ] Bug fix (non-breaking change which fixes an issue)
    • [ ] New feature (non-breaking change which adds functionality)
    • [ ] Breaking change (fix or feature that would cause existing functionality to change)
    • [x] Refactoring or add test (improvements in base code or adds test coverage to functionality)

    Checklist

    • [ ] I ensured that the documentation is up to date
    • [ ] I explained why this PR updates go.mod in detail with reasoning why it's required
    • [ ] I would like a code coverage CI quality gate exception and have explained why

    Co-authored-by: Tit Petric [email protected]

    opened by buger 2
  • Merging to release-4: [TT-7455] Delete golangci-lint github action (#4597)

    TT-7455 Delete golangci-lint github action (#4597)

    Description

    This PR removes the duplicate/misconfigured golangci-lint github action.

    Related Issue

    https://tyktech.atlassian.net/browse/TT-7455

    Motivation and Context

    Housekeeping GH actions:

    1. We already have a golangci-lint action in ci-tests, which nicely surfaces issues in sonarcloud,
    2. Failure from GH action being removed doesn't produce file/line info for errors (misconfiguration?)
    3. Github Actions reuse (in future).

    Removing this workflow doesn't hurt us, as we cover raising of errors in CI Tests.

    https://github.com/TykTechnologies/tyk/actions/runs/3795785568/jobs/6455252799#step:3:87

    How This Has Been Tested

    Screenshots (if appropriate)

    Types of changes

    • [ ] Bug fix (non-breaking change which fixes an issue)
    • [ ] New feature (non-breaking change which adds functionality)
    • [ ] Breaking change (fix or feature that would cause existing functionality to change)
    • [x] Refactoring or add test (improvements in base code or adds test coverage to functionality)

    Checklist

    • [ ] I ensured that the documentation is up to date
    • [ ] I explained why this PR updates go.mod in detail with reasoning why it's required
    • [ ] I would like a code coverage CI quality gate exception and have explained why

    Co-authored-by: Tit Petric [email protected]

    opened by buger 4
  • only useSignature when bundleVerifier is set

    Description

    Related Issue

    Motivation and Context

    How This Has Been Tested

    Screenshots (if appropriate)

    Types of changes

    • [ ] Bug fix (non-breaking change which fixes an issue)
    • [ ] New feature (non-breaking change which adds functionality)
    • [ ] Breaking change (fix or feature that would cause existing functionality to change)
    • [ ] Refactoring or add test (improvements in base code or adds test coverage to functionality)

    Checklist

    • [ ] I ensured that the documentation is up to date
    • [ ] I explained why this PR updates go.mod in detail with reasoning why it's required
    • [ ] I would like a code coverage CI quality gate exception and have explained why
    opened by mativm02 3
Releases(v4.3.1)
  • v4.3.1(Dec 15, 2022)

    Tyk Gateway 4.3.1

    Fixed

    • Reduced logs verbosity from error to debug, when using JWT middleware, and it has client_id scopes, but no oAuth integration configured.
    • Virtual Endpoints, Go plugins and response plugins are now properly cached if the option is enabled.
    • Fixed a problem with fetching data in UDG - the same datasource will no longer make several calls to upstream to get the same response, instead the response will be reused for multiple fields connected to the datasource
    • Fixed analytics latency tracking when caching is enabled on the API.
    • Fixed an issue where Persisted queries middleware would sometimes not parse the URL variables correctly

    Tyk Dashboard 4.3.1

    Fixed

    • Listen path field is now hidden in the API Designer for versioned OAS APIs, since the listen path is already displayed on the base API
  • v4.0.10(Dec 12, 2022)

    Tyk Gateway 4.0.10

    Fixed

    • Reduced logs verbosity from error to debug, when using JWT middleware, and it has client_id scopes, but no oAuth integration configured.
    • Virtual Endpoints, Go plugins and response plugins are now properly cached if the option is enabled.
    • Fixed a problem with fetching data in UDG - the same datasource will no longer make several calls to upstream to get the same response, instead the response will be reused for multiple fields connected to the datasource
    • Fixed analytics latency tracking when caching is enabled on the API.
  • v4.3.0(Dec 7, 2022)

  • v4.2.4(Nov 14, 2022)

    Tyk Gateway 4.2.4

    Fixed

    • Fixed chaining APIs from external API with Tyk native API definition to internal API with Tyk OAS API definition.
    • Fixed memory allocations overheads causing OOM issues in restricted memory environments
    • Fixed gateway crash when bad user input is passed in query variables for GraphQL

    Tyk Dashboard 4.2.4

    Fixed

    • Fixed portal developer search by partial text not returning developers list.
    • Fixed portal developer search by email not returning portal developer.
    • Fixed a limitation where API definitions were not “backwards portable” from newer to older versions of the Tyk Gateway
  • v4.0.9(Nov 14, 2022)

    Tyk Gateway 4.0.9

    Fixed

    • Fixed chaining APIs from external API with Tyk native API definition to internal API with Tyk OAS API definition.
    • Fix memory allocations overheads causing OOM issues in restricted memory environments

    Tyk Dashboard 4.0.9

    Fixed

    • Fixed portal developer search by partial text not returning developers list.
    • Fixed portal developer search by email not returning portal developer.
    • Fixed a limitation where API definitions were not “backwards portable” from newer to older versions of the Tyk Gateway
  • v4.2.3(Oct 25, 2022)

    Tyk Gateway 4.2.3

    Fixed

    • No code changes, version bump to keep release numbers aligned

    Tyk Dashboard 4.2.3

    Fixed

    • Fixed an issue where login to the dashboard with empty username was possible.
    • Fixed an issue where login to the portal with empty username was possible.
  • v4.0.8(Oct 25, 2022)

    Tyk Gateway 4.0.8

    Fixed

    • Fixed panic while proxying traffic to internal API.

    Tyk Dashboard 4.0.8

    Fixed

    • Fixed an issue where login to the dashboard with empty username is prevented.
    • Fixed an issue where login to the portal with empty username is prevented.
  • v4.2.2(Oct 17, 2022)

    Tyk Gateway 4.2.2

    Fixed

    • Fixed memory leaks during API reloads when using JSVM
    • Fixed an issue where Response Headers deleted by a custom plugin are still received by the downstream
    • Fixed an issue where the key quota stored in the MDCB worker cluster would be reset if an un-hashed key was updated via the Dashboard
    • Fixed an issue where the tyk bundle command would incorrectly return an error when trying to sign custom plugin bundles
    • Improved the performance of MDCB deployments when no Organisation Quota is configured in the controller/management GW

    Tyk Dashboard 4.2.2

    Fixed

    • Fixed an issue where the security.private_certificate_encoding_secret did not default to the expected value
    • Fixed an issue where the Dashboard would throw an error if the TYK_DB_HTTPSERVEROPTIONS_CERTIFICATES environment variable was not set
    • Fixed API Name not found in log browser when using SQL for storage.
  • v4.0.7(Oct 10, 2022)

    Tyk Gateway 4.0.7

    Fixed

    • Fixed memory leaks during API reloads when using JSVM
    • Fixed an issue where Response Headers deleted by a custom plugin are still received by the downstream
    • Fixed an issue where the key quota stored in the MDCB worker cluster would be reset if an un-hashed key was updated via the Dashboard
    • Fixed an issue where the tyk bundle command would incorrectly return an error when trying to sign custom plugin bundles
    • Improved the performance of MDCB deployments when no Organisation Quota is configured in the controller/management GW

    Tyk Dashboard 4.0.7

    Fixed

    • Fixed an issue where the security.private_certificate_encoding_secret did not default to the expected value
    • Fixed an issue where the Dashboard would throw an error if the TYK_DB_HTTPSERVEROPTIONS_CERTIFICATES environment variable was not set
    • Fixed API Name not found in log browser when using SQL for storage.
  • v4.2.1(Sep 28, 2022)

    Tyk Gateway 4.2.1

    Fixed

    • Fixed using environment variable to allow definition of ports_whitelist
    • Fixed caching of responses with Transfer-Encoding set to "chunked"
    • Fixed raw log analytics for responses with Transfer-Encoding set to "chunked"
    • Fixed an issue where the Gateway would panic if you attempt to use JS plugins with disabled JSVM
    • Fixed an issue where MDCB would automatically propagate keys to all workers if updated in the controller gateway; this meant that users were unable to constrain keys to specific data centres/worker clusters
    • Fixed an issue with the calculation of TTL for keys in an MDCB deployment such that TTL could be different between worker and controller gateways
    • Fixed an issue where due to incorrect validation of certificates, a defect in the client_certificates list allowed any certificate to be used against MTLS API.

    Changed

    • The cookie and query param auth sources are now enabled only if flags set to true and no longer rely on param_name and cookie_name being non empty.

    Tyk Dashboard 4.2.1

    Fixed

    • Adding APIs with Swagger doesn't correctly combine basePath and API paths
    • Fixed URL Rewrite advanced triggers in Endpoint Designer
    • Fixed Dashboard UI permissions screen - now correctly the user permissions for "Identity management" and "Real-time notifications".
    • Fixed case-sensitive email duplication checks; Dashboard now checks emails case-insensitively.
    • Fixed SMTP driver not offering text/html multipart as preferred content for MIME enabled email clients
    • Fixed a front-end issue where a dashboard graph of API endpoints didn’t populate on activity, due to issuing a GET request rather than POST.
  • v4.0.6(Sep 16, 2022)

    Tyk Gateway 4.0.6

    Fixed

    • Fixed using environment variable to allow definition of ports_whitelist
    • Fixed caching of responses with Transfer-Encoding set to "chunked"
    • Fixed raw log analytics for responses with Transfer-Encoding set to "chunked"
    • Fixed an issue where the Gateway would panic if you attempt to use JS plugins with disabled JSVM
    • Fixed an issue where MDCB would automatically propagate keys to all workers if updated in the controller gateway; this meant that users were unable to constrain keys to specific data centres/worker clusters
    • Fixed an issue with the calculation of TTL for keys in an MDCB deployment such that TTL could be different between worker and controller gateways
    • Fixed an issue where due to incorrect validation of certificates, a defect in the client_certificates list allowed any certificate to be used against MTLS API.

    Changed

    • The cookie and query param auth sources are now enabled only if flags set to true and no longer rely on param_name and cookie_name being non empty.

    Tyk Dashboard 4.0.6

    Fixed

    • Adding APIs with Swagger doesn't correctly combine basePath and API paths
    • Fixed URL Rewrite advanced triggers in Endpoint Designer
    • Fixed Dashboard UI permissions screen - now correctly the user permissions for "Identity management" and "Real-time notifications".
    • Fixed case-sensitive email duplication checks; Dashboard now checks emails case-insensitively.
    • Fixed SMTP driver not offering text/html multipart as preferred content for MIME enabled email clients
    • Fixed a front-end issue where a dashboard graph of API endpoints didn’t populate on activity, due to issuing a GET request rather than POST.
  • v4.0.5(Aug 22, 2022)

    Fixed

    • Fixed an issue where the Gateway would not create the circuit breaker events (BreakerTripped and BreakerReset) for which the Tyk Dashboard offers webhooks
    • Fixed an issue where GraphQL subscriptions could fail if a keep alive message was received before the acknowledge message.
    • Fixed an issue where Gateway could panic and crash when receiving a malformed subscription with WSS protocol
  • v4.0.4(Jul 26, 2022)

    Tyk Gateway v4.0.4

    Added

    • Requests to listen paths without trailing slash will no longer match with the closest listen path configured when http_server_options.enable_strict_routes or environment variable TYK_GW_HTTPSERVEROPTIONS_ENABLESTRICTROUTES is set to be true.
    • Add new config flag to define the hashing algorithm to be used for HTTP Basic Auth, the default continues to be “bcrypt”, users can now choose a less CPU-intensive hashing algorithm, by setting basic_auth_hash_key_function to bcrypt, sha256 or murmur64, murmur128. This is a backward compatible change with default being bcrypt.

    Fixed

    • Fix panic in gateway with incorrect value being set to context which blocked proxy traffic if enforce_org_data_detail_logging is enabled
  • v4.0.4-rc1(Jun 28, 2022)

  • v4.0.3(Jun 20, 2022)

    Tyk Gateway v4.0.3

    Fixed

    • Strip listen path option works as expected now if configured, even if there are path parameters defined using regex.
    • Fixed a bug where the Tyk Gateway could return 401 errors when using multiple APIs with same domain and different mTLS rules in an MDCB deployment.
    • Fixed a bug where in certain circumstances MDCB worker gateways ignore the allow_explicit_policy_id setting, resulting in "policy not found" errors.
    • Fixed an issue where users were not able to introspect GraphQL APIs managed by Tyk

    Tyk Dashboard v4.0.3

    Fixed

    • Fixed an issue where users were not able to highlight and delete text in Data Source URL field while configuring UDG
    • Fixed a problem with long Data Source URL overflowing the URL field border in UDG config page
  • v3.0.12(Jun 29, 2022)

    Tyk Gateway v3.0.12

    Fixed

    • Fix issue with key object growth when multiple policies with path based rules are used
    • Fixed issue with mutual TLS, when there are multiple APIs with the same domain, and some APIs have mTLS and some do not.
    • Pinpoint version of protobuf package in Docker images, to ensure that it will work with Python 3.7/3.9
  • v4.0.2(May 26, 2022)

    Tyk Gateway v4.0.2

    Added

    • Added support for custom plugins using Python 3.9.

    Changed

    • Updated the version of Debian in our gateway standard and hybrid Docker images, in order to address the identified CVEs.

    Fixed

    • Policy object has been optimised in size, by reducing the number of duplicate data in its data structure. Fixed the methods field in the policy object to not contain duplicate http method values.
    • Fixed Gateway panic, when creating an organisation level API key.
    • Fixed a bug where, in a hashed environment, in an MDCB worker node, the full key ID was exposed in the Redis DB

    Tyk Dashboard v4.0.2

    Added

    • Added new Dashboard configuration option: security.hide_login_failure_limit_error, which hides the login retry attempts failure message "Retry in N seconds", as exposing the number of seconds can be seen as a vulnerability.

    Changed

    • Replaced the REST word with HTTP on the API Creation screen, as the API definition resulted can describe different types of API structures and not only REST (i.e. TCP)

    Fixed

    • Fixed the request of changing the CNAME for the developer portal, from within the Dashboard. Previously this action was returning a 404 http code, which prevented the change of the CNAME.
    • Fixed the leakage of Dashboard admins password history (only bcrypt hashes), when security.enforce_password_history configuration option was enabled.
    • Fixed an issue where the usage of an object placeholder (e.g. {{.object.name}}) won't remove the quotes of a string in UDG resulting in undesired behavior like in URL paths /user/"johndoe"
    • Fixed some displaying issues of the API listing table with some of them related to shrinking the viewport.
  • v4.0.1(Apr 28, 2022)

    Tyk Gateway 4.0.1

    • Tags that are configured on the api spec are now forwarded to an analytics record that can be used with the data pump.
    • Added new use_param and param_name fields to the auth token signature configuration, in order to be able to pass the signature as a query parameter.
    • Improved JWT Error messages response to prevent leaking information in case of wrong signing method. This will return generic error message as API response, but in logs it will be still fully visible error.
    • Fixed support of GraphQL @extends directive alongside “extend” keyword - both provide the same behaviour when used
    • Added a parameter disable_query_batching in API definition that controls if federation uses batching for GQL queries or not - users can choose if they want the queries to be executed with batching or not (this is connected to solving N+1 problem in federation)
    • UDG Proxy config generator now supports union types
    • Fixed behaviour of SSE stopping to work when websockets are enabled.
    • Fixed unexpected behavior for grpc/coprocess middleware, where the request body sent from the client is not received in the grpc/coprocess application.
    • Fixed invalidating cache through gateway API
    • Fixed issue when client certificates enabled auth token mode, when key ID is passed as authorization header client certificate checking should work without needing to append client certificate to the request.
    • Fixed same Go plugins to be referenced in multiple APIs
    • Log body is now properly displayed, when enable_detailed_recording is on and 'Transfer-Encoding: chunked' is set.
    • Fixed the auth data not being stripped from cookie although stripping auth data is enabled when cookie name is custom.
    • Fixed an issue where GraphQL Federation was crashing gateway during performance testing
    • Improved handling of optional query parameters in REST data sources, so that correct configuration is possible via GUI, not only via manual manipulation of API definition
    • A GraphQL field selected by the user on an interface type is no longer ignored and is sent to the upstream
    • GraphQL Engine will now correctly validate nested object variables instead of ignoring them
    • Fixed an issue with templating syntax for UDG REST data sources in UDG which wasn’t working due to regression defect
    • Fixed issues in the LocalTypeFieldExtractor GetAllNodes method in graphql-go-tools which improved performance of the code and library
    • Fixed an issue which was causing supergraph schema to be created incomplete when user was using @extends directive for a type that was not defined in any other subgraph
    • Fixed an issue where sending arrays as variable for input types was not working
    • Fixed an issue where GraphQL query failed to leave Tyk when it contained optional variables that had no value provided - it now works with a missing value or a value null
    • Fixed a GraphQL issue where a panic was occurring while the gateway was accessing union and interface types
    • Changed the way websocket connections are opened for GraphQL subscriptions - for multiple subscriptions from a single downstream just one connection is opened, for subscriptions with different auth headers separate connections are opened
    • Body transformation templates now has access to new functions http://masterminds.github.io/sprig/
    • Fixed concurrency issue where the wrong session object is returned when policies are applied, causing the Gateway to report a 403 error on first call
    • Fixed an issue where sometimes the Gateway on first start would fail to load a certificate from Redis
    • Fixed certificate revoking in the MDCB environment
    • Fixed an issue where the Gateway would throw an error when you attempt to load a Python plugin with multiple modules
    • Fixed an issue building Golang auth plugins

    Tyk Dashboard 4.0.1

    • Fixed the Oauth clients page in the Dashboard UI to render properly.
    • Fixed error when creating APIs while using CosmosDB
    • Fixed policies to be visible in Dashboard UI when using CosmosDB
    • Fixed the dashboard license update via API when the existing license is expired.
    • Fixed an issue with finding existing keys via key lookup - it is now possible to find previously created keys
    • Fixed UI popups which show full Key ID
    • Fixed an issue where UDG UI could cause an infinite loop and eventually app crash
    • Fixed an issue that prevented users from deleting newly created UDG schema objects via GUI
    • Fixed an issue where “Upstream protected” checkbox was visible for REST/TCP/Federation API types
    • Fixed an issue where key search by substring in the UI stopped working after switching to graphQL query
    • Fixed an issue where the Dashboard reported an error when trying to retrieve last login date for an SSO user due to Tyk not storing temporary users in its database
  • v3.0.11(Apr 21, 2022)

    Tyk Gateway v3.0.11

    • Fixed performance issue causing growth of Redis calls when using mutual TLS in MDCB environment #3983 Increase time for in-memory certificate cache to 1 hour. Configurable via slave_options.rpc_cert_cache_expiration
    • Fixed issue causing 403 errors on the first call if Key not found in local worker cluster cache, when using MDCB environment https://github.com/TykTechnologies/tyk/pull/3993
  • v3.2.3(Mar 30, 2022)

    Tyk Gateway 3.2.3

    • Fixed loading of APIs when dealing with large amount (>2000 APIs)

    • For Hybrid Gateways added a way to configure interval for synchronizing analytics data: analytics_config.purge_interval. Default 10 seconds.

    • Fixed getting and setting session inside Go plugins

    • Fixed loading same Go plugin bundle for Multiple APIs

    • Go plugin compiler now accepts a second argument which allows setting the plugin ID: <plugin_name> <plugin_id>.

      Go plugin "unique" names are based on file names. E.g. two plugins called "plugin.so" will look like the same plugin from Tyk's point of view. You need to use unique names for different plugins or, with the new change, use the new optional plugin_id argument to specify a unique plugin ID. Like this: docker run --rm -v `pwd`:/plugin-source tykio/tyk-plugin-compiler:v3.2.3 plugin.so my_unique_plugin

    Tyk Dashboard 3.2.3

    • Improved SAML SSO compatibility with some servers
    • Fixed SAML vulnerability CVE-2020-29509
    • GraphQL: fixed selecting fields on interfaces types
    • Developer Portal: Fixed issue where Developers logged in via SSO can lose the keys section from the UI screen
    • Developer Portal: Fixed Dynamic Client Registration flow when Using Authorization Code with PKCE workflow
    • Developer Portal: Now it is not possible to change developer email via developer portal (Admin UI still allows it).
  • v4.0.0(Feb 10, 2022)

    Our next major release is here!

    End-to-end support for your enterprise GraphQL journey through Tyk’s Federated gateway, bringing Federated Subscriptions for the first time on any APIM platform, and supporting PostgreSQL for your data management needs!

    Read the full announcement and release notes: https://tyk.io/releases/v4-0/ https://tyk.io/docs/release-notes/version-4.0/

  • v3.0.9(Jan 10, 2022)

    Tyk Gateway 3.0.9

    • Improved Mutual TLS auth, now it reads full client certificate directly from HTTP request, instead of relying on its fingerprint
    • Fixed removal of keys from workers gateways in MDCB environment, when key gets updated
    • Add support for using query parameters in request signature validation. Signature configuration options now have new options, example: {“use_param”: true, “param”: “foo”}
    • In MDCB environment ensure that certificate removal gets propagated to worker gateways.
    • Fixed uptime checks when threshold is bigger than time_wait values (30s+)
    • Fixed stripping authentication value from cookies
    • Fixed SSE and websockets working together
    • Fixed cache invalidation in MDCB environment
    • Fixed using of uploaded certificates when specifying them in gateway config via http_server_options.ssl_certificates option
    • Made JWT errors less verbose in order to not expose security configuration
    • Ensure that duplicate analytics tags is removed
    • Fix HTTP version in analytics when using Virtual Endpoints

    Tyk Dashboard 3.0.9

    • Fixed CosmosDB 4.0 issues
    • Added support for new request signature configuration options (see above)
    • Fixed adding multiple advanced URL triggers of the same type
    • Fixed SSO SAML vulnerability CVE-2020-29509 CVE-2020-29510 CVE-2020-29511
    • Fixed errors in the dashboard logs during SSO login for temporary users
  • v3.0.8(Oct 20, 2021)

    Tyk Gateway 3.0.8

    • Fixed Dynamic Client mTLS for legacy hash algorithms (murmur3, murmur32), trying to access API returns 403: Attempted access with non-existent cert.. Access to an API is now authorised again, by just providing the authorisation header together with the key value, when the token is generated based on a provided certificate. https://github.com/TykTechnologies/tyk/pull/3704.
  • v3.2.2(Oct 11, 2021)

    Important

    If you're upgrading from Tyk Gateway/Dashboard 3.2.1, due to a packaging bug introduced in those versions, you need to run systemctl daemon-reload after upgrading (this command is also mentioned in the logs during the upgrade).

    Deprecation notice

    The enable_health_checks option is deprecated, and is going to be disabled by default starting from 4.0.0. This option enables a special API level health check endpoint, which was no longer used and duplicates information provided by Tyk Pump. Note that it is not related to the Gateway health check endpoint. This option can cause significant performance issues, so ensure that you have it turned off in your installation if it is not used.

    Tyk Gateway 3.2.2

    • Fixed a small number of panics occurring under high concurrency when using API level limits https://github.com/TykTechnologies/tyk/pull/3644
    • Fixed signature validation for custom tokens https://github.com/TykTechnologies/tyk/pull/3634
    • Fixed propagation of update/delete events in MDCB environments https://github.com/TykTechnologies/tyk/pull/3638
    • Fix quota reset in MDCB environment if "per api quota" is set https://github.com/TykTechnologies/tyk/pull/3619
    • Fixed Go plugins with dependencies
    • Fixed a deadlock causing performance degradation when using gRPC middleware in an MDCB environment under high concurrency https://github.com/TykTechnologies/tyk/pull/3592
    • Fix gRPC streaming https://github.com/TykTechnologies/tyk/pull/3602 https://github.com/TykTechnologies/tyk/pull/3603
    • Fixed gRPC -> h2c and h2c -> gRPC communication https://github.com/TykTechnologies/tyk/pull/3496
    • Added default template for XML content https://github.com/TykTechnologies/tyk/pull/3510
    • Fixed detection of content type, when content type header contains charset directive https://github.com/TykTechnologies/tyk/pull/3501
    • Request headers added by middlewares now should be visible in detailed logs https://github.com/TykTechnologies/tyk/pull/3585
    • Fixed an issue where the gateway registered multiple times with the dashboard under different IDs https://github.com/TykTechnologies/tyk/pull/3563
    • Fixed Go plugin compiler with Go modules

    Tyk Dashboard 3.2.2

    • Fixed package upgrade issue introduced in 3.2.1
    • In Portal, add a way to re-use certificates when subscribing to another API
    • Fixed Dashboard policy behaviour when environment was created using Tyk Sync
    • Fixed an issue where users who belong to a user group and have user permissions could not edit users
    • Disallow changing email in portal user profile
    • Fixed double organisation IDs when searching certificates
    • Security vulnerability in SAML identity management
    • Fixed a security issue where users with "read" user permissions were able to access another user's API token through the Tyk Dashboard API
    • Portal sessions are now stored in Mongo instead of cookies, which means that cookies can't be re-used after user logout
    • Fixed uptime tests page UI
    • Fixed “Per api” toggle button on Keys page
    • Fixed propagation of toggling GraphQL field permissions
    • Fixed UDG internal REST data source window endpoint field
    • Fixed performance issues with Uptime test reports
    • Fixed wrong Identity management “login” url
    • Fixed password update functionality for non-admin users
    • Fixed Identity Broker UI when using SAML with user group mapping
    • Fixed Identity Broker UI provider name when using ProxyProvider
    • Fixed Dynamic Client Registration flow when using authorisation code with PKCE flow
  • v3.0.7(Sep 23, 2021)

    Important

    If you're upgrading from Tyk Gateway/Dashboard 3.0.5 or 3.0.6, or from Tyk MDCB 1.7.9, then because of a packaging bug introduced in those versions you need to run systemctl daemon-reload after the upgrade (this command is also mentioned in the logs during the upgrade).

    Deprecation notice

    The enable_health_checks option is deprecated and will be disabled by default starting from 4.0.0. This option enables a special API level health check endpoint, which is no longer used and duplicates information provided by Tyk Pump. Note that it is not related to the Gateway health check endpoint. This option can cause significant performance issues, so ensure that it is turned off in your installation if it is not used.

    Tyk Gateway 3.0.7

    • Fixed a small number of panics occurring under high concurrency when using API level limits https://github.com/TykTechnologies/tyk/pull/3644
    • Fixed signature validation for custom tokens https://github.com/TykTechnologies/tyk/pull/3634
    • Fixed propagation of update/delete events in MDCB environments https://github.com/TykTechnologies/tyk/pull/3638
    • Fix quota reset in MDCB environment if "per api quota" is set https://github.com/TykTechnologies/tyk/pull/3619
    • Fixed Go plugins with dependencies
    • Fixed a deadlock causing performance degradation when using gRPC middleware in an MDCB environment under high concurrency https://github.com/TykTechnologies/tyk/pull/3592
    • Fix gRPC streaming https://github.com/TykTechnologies/tyk/pull/3602 https://github.com/TykTechnologies/tyk/pull/3603
    • Fixed gRPC -> h2c and h2c -> gRPC communication https://github.com/TykTechnologies/tyk/pull/3496
    • Added default template for XML content https://github.com/TykTechnologies/tyk/pull/3510
    • Fixed detection of content type, when content type header contains charset directive https://github.com/TykTechnologies/tyk/pull/3501
    • Request headers added by middlewares now should be visible in detailed logs https://github.com/TykTechnologies/tyk/pull/3585
    • Fixed an issue where the gateway registered multiple times with the dashboard under different IDs https://github.com/TykTechnologies/tyk/pull/3563

    Tyk Dashboard 3.0.7

    • Fixed an issue with a large number of APIs (approximately when there are more than 2000, although it actually depends on their total size in bytes)
    • Fixed package upgrade issue introduced in 3.0.6
    • In Portal, add a way to re-use certificates when subscribing to another API
    • Fixed Dashboard policy behaviour when environment was created using Tyk Sync
    • Fixed an issue where users who belong to a user group and have user permissions could not edit users
    • Disallow changing email in portal user profile
    • Fixed double organisation IDs when searching certificates
    • Security vulnerability in SAML identity management
    • Fixed a security issue where users with "read" user permissions were able to access another user's API token through the Tyk Dashboard API
    • Portal sessions are now stored in Mongo instead of cookies, which means that cookies can't be re-used after user logout
    • Fixed uptime tests page UI

    Tyk MDCB 1.7.10

    • Fixed memory leaks which can happen with a large number of APIs and Policies
  • v3.2.1(May 20, 2021)

Owner
Tyk Technologies
Tyk Technologies - Maintainers of Tyk