Release 0.13.31#86
Merged
verify: pin JWS algorithm allowlist (alg-confusion guard), add clockTolerance,
only enforce azp when a resource/client is configured.
nextjs: fix middleware returning 500 on auth failure (guard optional onFailure),
fix glob route matcher so '*' actually works and a trailing '/*' also matches
the bare base path, add cookieName option, loosen peerDeps to next>=13.5/react>=18.
js: set SameSite=Lax/Secure on the kcToken cookie, sanitize post-login return URL
(open-redirect), fix updateIAMToken/native getToken token handling, require
use_dpop_nonce before retrying a 401, and enable+enforce DPoP by default
(opt out with useDPoP:false or {mode:'auto'}).
react: memoize the context value, fix the 'ready' listener leak, guard
useAuthCallback for SSR and post-unmount, type authMode 'hybrid', clear tokenExp
on logout, fix the cjs exports/require path.
create-nextjs: fix middleware onError signature and tcinit subscription email,
populate the empty ts next.config.js, fix the route matcher, drop the
non-existent TideCloakContext import.
packaging: emit correct CJS/ESM per-package (tsconfig + dist type markers),
fix exports maps, add metadata, make @tidecloak/policy an optional peer.
tests/docs: add unit tests (verify, route matcher) and update READMEs/docs.
- New /encrypt page with full lifecycle: create -> approve (enclave) -> commit -> encrypt/decrypt
- Two access models via one Forseti contract: owner-bound ('private to me', owner:<vuid>) and role-shared
- Server-side in-memory policy store + /api/policies route; tideSerialization + forsetiContract helpers
- Voucher-gate roles (_tide_x.selfencrypt/.selfdecrypt) in realm.json
- next.config webpack workaround + 'next dev/build --webpack'; deps: @tideorg/js, heimdall-tide, asgard-tide
- 3-step stepper UI (commit locked until approved) + Home link
- README: policy-encryption section and updated project tree
- Mirrored across TypeScript and JavaScript templates
Revert the policy-governed (Forseti) encryption demo and replace it with simple self encrypt/decrypt directly on the home page:
- Remove /encrypt page, /api/policies route, lib/ (policyStore, forsetiContract, tideSerialization), extra deps (@tideorg/js, heimdall-tide, asgard-tide), the webpack workaround/--webpack scripts, and the _tide_x voucher-gate roles
- Add an inline Encrypt/Decrypt text field on the home page using doEncrypt/doDecrypt from useTideCloak() with the existing _tide_dob tag (self-encryption: only the user who encrypted can decrypt)
- Keep the one-line protected/route.ts type fix (verifyTideCloakToken result cast)
- Mirrored across TypeScript and JavaScript templates
- realm.json: _tide_dob.selfencrypt/.selfdecrypt -> _tide_message.* (roles + default composite)
- home page: TAG 'dob' -> 'message'
- TS and JS templates
- Home page now has one always-decrypted, editable field; Submit encrypts the
value, persists the ciphertext in localStorage (keyed by vuid), then decrypts
it back so the field keeps showing plaintext ('Message successfully stored')
- On login, the saved ciphertext is decrypted client-side so the note reappears
- Explanatory sentence: encrypted textbox under your own identity, only you can decrypt
- TS and JS templates
sashyo approved these changes May 25, 2026
Release Notes
Harden and fix SDK packages; DPoP enabled by default
Add policy-governed (Forseti) encryption demo to create-nextjs templates
Simplify create-nextjs templates: self encrypt/decrypt on home page
Rename self-encrypt tag from dob to message in create-nextjs templates
create-nextjs templates: single encrypted-note field with persistence
Update tidecloak-js packages for release 0.13.31