Authorizer Files

What's Changed

• fix(crypto): switch AES-CFB to AES-GCM with HKDF key derivation [C1+H3] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/543
• fix(parsers): validate host headers to prevent injection [C2] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/544
• fix(token): add reserved claim blocklist for custom scripts [C3] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/545
• fix(cookie): make HttpOnly unconditional on all cookies [C4] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/546
• fix(oauth): verify Apple ID token signature via OIDC [C5] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/547
• fix(graphql): add SSRF protection to _test_endpoint [C6] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/548
• fix(token): verify JWT algorithm in parse keyfunc [H1] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/550
• fix(token): use safe type assertions for JWT claims [H2] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/551
• fix(token): fix bearer extraction case-sensitivity bug [H4] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/552
• fix(token): reduce session and refresh token lifetimes [H5] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/553
• fix(arangodb): parameterize AQL query in UpdateUsers [H6] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/554
• fix(graphql): constant-time admin secret comparison [H7] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/555
• fix(cassandra): enable TLS verification [H8+L6] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/556
• fix(crypto): RSA 4096, DecryptRSA error handling, b64 naming [L1+L2+L5] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/566
• fix(graphql): add query complexity limit [H10] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/558
• feat(middleware): add CSRF protection [H11] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/559
• fix(crypto): use crypto/rand for HMAC key generation [M3] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/560
• fix(sql): disable GORM AllowGlobalUpdate [M6] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/561
• fix(email): explicit TLS ServerName for SMTP [M10] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/563
• fix: template.JS XSS, GitHub name bug, POST logout [M11+L7+L9] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/564
• fix(schemas): exclude password hash from JSON serialization [M9] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/562
• fix(graphql): prevent user enumeration via error messages [M12] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/565
• fix(storage): implement DeleteSession for SQL and ArangoDB [M5] by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/567
• feat(security): add per-IP rate limiting with Redis + in-memory support by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/568
• fix(security): use constant-time comparison for client secret and OTP by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/569
• fix(security): prevent HMAC key leak in JWKS and fix redirect URI wildcard by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/570
• fix(security): add security headers, fix CORS credentials, set SameSite on admin cookie by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/573
• fix(security): add SSRF protection, HMAC signatures, and response limit for webhooks by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/572
• fix(security): use html/template for email rendering to prevent SSTI by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/574
• fix(security): reduce cookie max-age, sanitize errors, replace panic with error by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/575
• fix(security): harden Dockerfiles - secure defaults, signal handling, healthcheck by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/576
• fix(security): enhance client ID audit logging and CSRF origin validation by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/577
• fix(security): add 5-second execution timeout for custom access token scripts by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/571
• fix(security): update MongoDB driver and fix compilation issues by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/578
• fix(security): validate redirect_uri to prevent open redirect attacks by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/579
• fix(tests+security): custom script timeout tests, client-id metric, test fixes, ArangoDB hardening by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/580
• Fix/CVE 2026 34986 go jose go OIDC by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/581
• security: normalize login error messages to prevent user enumeration (#6) by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/583
• security: reject query response_mode for token flows; harden GET /logout against CSRF (#9, [#10]) by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/589
• security: add HTTP server timeouts, graceful shutdown, and security headers (#11, [#12], [#13]) by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/588
• security: GraphQL depth/complexity/alias limits and disable GET transport (#14) by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/584
• security: prevent SSRF DNS rebinding by dialing validated IP directly (#3) by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/582
• security: harden CSRF Origin check and CORS credentials handling (#5, [#16]) by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/585
• security: require admin secret at startup and add configurable refresh token lifetime (#1, [#15]) by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/586
• security: fix rate limiter bypass, error swallowing, race, window math (#2, [#4], [#17], [#18]) by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/587
• security: hash OTPs and encrypt TOTP secrets at rest with idempotent migration (#7, [#8]) by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/590
• feat(oidc)!: phase 1 spec conformance fixes (with /userinfo breaking change) by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/591
• feat(oidc): phase 2 — standard params, ID token claims, logout polish by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/592
• feat(oidc): phase 3 — introspection, hybrid flows, JWKS multi-key, back-channel logout by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/593
• chore: slim CLAUDE.md to reference skills + 3 agents by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/601
• fix: 12 logical issues across HTTP handlers and GraphQL modules by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/602
• fix(oauth): RFC-compliant PKCE, redirect_uri validation, and security hardening by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/603
• fix(oidc): Enterprise IdP compatibility — RFC-compliant errors, auth_time, TTL, discovery by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/604
• feat: migrate admin dashboard from Chakra UI to shadcn/ui + Tailwind CSS by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/605
• fix(security): introspect auth bypass, backchannel SSRF, session rollover by @lakhansamani in https://github.com/authorizerdev/authorizer/pull/606

Full Changelog: https://github.com/authorizerdev/authorizer/compare/2.2.0...2.2.1