Skip to content

v107.0.0

Pre-release
Pre-release

Choose a tag to compare

View all tags
@github-actions github-actions released this 18 Jun 19:00
· 46 commits to develop since this release
v107.0.0
1dd60db
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

107.0.0 (2026-06-18)

⚠ BREAKING CHANGES

  • JWT tokens now include organizationId field. Clients should handle the new token structure.

  • fix(ui): restore CHANGE_SELECTED_ORGANIZATION permission check for organization selector

Re-add permission verification that was removed - users without
CHANGE_SELECTED_ORGANIZATION permission should not see the organization
selector in the header.

  • fix(migration): remove UNIQUE constraint on userId in SQLite UP migration

Remove CONSTRAINT REL_f4b0d329c4a3cf79ffe9d56504 UNIQUE (userId) from all
CREATE TABLE temporary_employee statements in sqliteUpQueryRunner to allow
many-to-one relationship (multiple employees can reference the same user).

The DOWN migration retains the UNIQUE constraint to restore the original
one-to-one relationship when reverting.

  • fix(context): merge duplicate currentOrganizationId methods with proper fallback

Consolidate two currentOrganizationId() methods into one with priority:

  1. JWT token organizationId (most secure)
  2. User's employee organizationId (fallback for old tokens)
  3. Request header organization-id (legacy backward compatibility)

This ensures existing functionality continues to work while preferring
the secure JWT-based organization context when available.

  • fix(auth): inject organizationId from JWT into user with fallback

Make organizationId follow the same pattern as employeeId:

  • jwt.strategy.ts: inject organizationId from JWT into user.lastOrganizationId
  • request-context.ts: currentOrganizationId() reads from user.lastOrganizationId
    with fallback to user.employee.organizationId and header for backward compatibility

This ensures consistency across all context methods while maintaining
backward compatibility with old tokens.

  • fix(auth): validate organization access in JWT strategy
  • Add UserOrganizationService to validate user has access to organization
  • Remove unvalidated header fallback from currentOrganizationId()
  • organizationId is now only accepted from validated JWT tokens
  • fix(employee): catch specific NotFoundException and validate input
  • Catch only NotFoundException instead of all errors
  • Add validation for input.user.email before accessing it
  • fix(ui): add await for async selectOrganization calls
  • Make updateOrganization, deleteOrganization, selectOrganizationById async
  • Properly await selectOrganization to prevent race conditions
  • Mark initialize() as deprecated with JSDoc
  • Clean up comments in applyOrganizationData()
  • docs(auth): clarify refresh token organization behavior
  • Add note explaining refresh token is organization-specific
  • Document that /auth/switch-organization should be used to change org
  • refactor(ui): use inject() function instead of constructor injection
  • Replace constructor parameter injection with inject() function
  • Follow Angular modern DI pattern
  • fix(auth): include organizationId in refresh token
  • Pass organizationId to getJwtRefreshToken in login, signinWorkspaceByToken, and switchWorkspace
  • Ensures refresh token contains same organization context as access token
  • fix(auth): add cross-validation between employeeId and organizationId in JWT
  • Validate that employee.organizationId matches the claimed organizationId
  • Prevents JWT token manipulation attacks
  • fix(employee): use BadRequestException and check for existing employee
  • Use BadRequestException instead of generic Error for proper HTTP 400
  • Check if employee already exists for user+organization to prevent duplicates
  • fix(ui): validate response fields before applying to store
  • Check token and user exist before updating store
  • Return false and show error if validation fails
  • fix(auth): update user.lastOrganizationId in memory after DB update
  • Ensures returned user object has fresh lastOrganizationId value
  • fix(employee): load role relation when finding existing user
  • Use findOneByOptions with relations: { role: true }
  • Fixes 'Cannot read properties of undefined (reading name)' error
  • addUserToOrganization requires user.role.name for SUPER_ADMIN check

What's Changed

  • chore(k8s): scale gauzy-prod-api down to 2 replicas (was 4) by @evereq in #9710
  • chore(deps): bump @grpc/grpc-js from 1.14.3 to 1.14.4 by @dependabot[bot] in #9711
  • chore(deps): consolidate dependency bumps across the monorepo by @evereq in #9714
  • chore(deps): migrate TypeORM 0.3 -> 1.0 by @evereq in #9716
  • ci: restore build caching via CircleCI Nx cache (fix timeout regression) by @evereq in #9731
  • fix(typeorm-v1): convert legacy string[] relations/select at runtime (P0 — app unusable after login) by @evereq in #9734
  • fix(docker): move patch-package to dependencies so --production image builds succeed by @evereq in #9735
  • Stage by @evereq in #9738

Full Changelog: v106.0.0...v107.0.0

Contributors

evereq, deprecated, and dependabot
Assets 2
Loading