Merged
19 changes: 19 additions & 0 deletions docs/source/upgrade_notes.rst
Expand Up @@ -8,6 +8,21 @@ Upgrade Notes
|st2| v3.7
----------

* API will now set ``Secure`` and ``Samesite=lax`` cookie attribute for the auth cookie which
is set when authenticating via auth token / API key in query parameter (this approach is
primarily used by st2web).

If you need to change those default values, you can do that using
``api.auth_cookie_secure`` and ``api.auth_cookie_same_site`` config options.

To revert to the old behavior, you can set ``api.auth_cookie_secure = False`` and
``api.auth_cookie_same_site = None``, but this is not recommended unless you have a valid
reason to not host StackStorm behind an HTTPs proxy such as nginx.

You can read more about those attribute on the following links:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite,
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies.

* As part of introducing the override pack metadata functionality, the name ``_global`` is
reserved, and cannot be used for pack names or pack references, to avoid conflict between
the global override file and individual pack override files.
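Review bot: The revert instructions in the third paragraph of the new v3.7 entry do not say what ``api.auth_cookie_same_site = None`` produces: a cookie with the ``SameSite`` attribute omitted, or one sent with the literal ``SameSite=None``. The difference matters because browsers reject ``SameSite=None`` cookies that are not also marked ``Secure``, so combining it with ``api.auth_cookie_secure = False`` would leave the auth cookie unset if the literal value is sent. Suggest stating which of the two the option yields, and adding one sentence on the upgrade symptom for installations served over plain HTTP, where browsers will not send a ``Secure`` cookie and cookie-based authentication from st2web will fail until the options are changed. Smaller points in the same entry: ``Samesite=lax`` should be spelled ``SameSite=Lax`` to match the attribute name, "HTTPs" should be "HTTPS", and "those attribute" should be "those attributes".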
Expand Down Expand Up @@ -50,15 +65,19 @@ Upgrade Notes

* Node was upgraded from v10 to v14. Node 14 repository will be required to be
setup, prior to upgrade of st2chatops.

* Support for Ubuntu 16.04 (Xenial) was removed.

* Redis server is installed and configured as backend for the coordination service
by default to support workflows with multiple branches and tasks with items.
Upgrade requires coordination service to be setup manually.
For workflows to be executed properly, setup the coordination service
accordingly.

* Validation of action definitions are stricter. If an action definition has duplicate keys, |st2|
will complain when ``st2ctl reload`` is performed at upgrade. Action/workflow definitions should be checked
for duplicate keys before upgrade.

* ``%`` interpolation in st2 configuration parameters is no longer supported. Update your configuration
parameters to fix strings if you use ``%`` interpolation to lookup keys as part of your parameter.
