Releases: ever-co/ever-gauzy
v106.0.4
106.0.4 (2026-06-16)
Continuous Integration
- re-trigger (build-web timed out on contended runner; code green: build-api/desktop/monorepo + local libs) (db68916)
- re-trigger build (build-api/web timed out on contended runners; code validated locally + build-desktop green) (f161dfc)
What's Changed
Full Changelog: v106.0.3...v106.0.4
Contributors
Assets 2
v106.0.3
106.0.3 (2026-06-15)
Bug Fixes
- ci: run Nx without Nx Cloud in CircleCI (org disabled) (7f30c4e)
What's Changed
Full Changelog: v106.0.2...v106.0.3
Contributors
Assets 2
v106.0.2
106.0.2 (2026-06-12)
What's Changed
- chore(deps): bump @grpc/grpc-js from 1.14.3 to 1.14.4 by @dependabot[bot] in #9711
Full Changelog: v106.0.1...v106.0.2
Contributors
Assets 2
v106.0.1
Contributors
Assets 2
v106.0.0
106.0.0 (2026-06-06)
⚠ BREAKING CHANGES
-
JWT tokens now include organizationId field. Clients should handle the new token structure.
-
fix(ui): restore CHANGE_SELECTED_ORGANIZATION permission check for organization selector
Re-add permission verification that was removed - users without
CHANGE_SELECTED_ORGANIZATION permission should not see the organization
selector in the header.
- fix(migration): remove UNIQUE constraint on userId in SQLite UP migration
Remove CONSTRAINT REL_f4b0d329c4a3cf79ffe9d56504 UNIQUE (userId) from all
CREATE TABLE temporary_employee statements in sqliteUpQueryRunner to allow
many-to-one relationship (multiple employees can reference the same user).
The DOWN migration retains the UNIQUE constraint to restore the original
one-to-one relationship when reverting.
- fix(context): merge duplicate currentOrganizationId methods with proper fallback
Consolidate two currentOrganizationId() methods into one with priority:
- JWT token organizationId (most secure)
- User's employee organizationId (fallback for old tokens)
- Request header organization-id (legacy backward compatibility)
This ensures existing functionality continues to work while preferring
the secure JWT-based organization context when available.
- fix(auth): inject organizationId from JWT into user with fallback
Make organizationId follow the same pattern as employeeId:
- jwt.strategy.ts: inject organizationId from JWT into user.lastOrganizationId
- request-context.ts: currentOrganizationId() reads from user.lastOrganizationId
with fallback to user.employee.organizationId and header for backward compatibility
This ensures consistency across all context methods while maintaining
backward compatibility with old tokens.
- fix(auth): validate organization access in JWT strategy
- Add UserOrganizationService to validate user has access to organization
- Remove unvalidated header fallback from currentOrganizationId()
- organizationId is now only accepted from validated JWT tokens
- fix(employee): catch specific NotFoundException and validate input
- Catch only NotFoundException instead of all errors
- Add validation for input.user.email before accessing it
- fix(ui): add await for async selectOrganization calls
- Make updateOrganization, deleteOrganization, selectOrganizationById async
- Properly await selectOrganization to prevent race conditions
- fix(ui): add @deprecated to initialize() method
- Mark initialize() as deprecated with JSDoc
- Clean up comments in applyOrganizationData()
- docs(auth): clarify refresh token organization behavior
- Add note explaining refresh token is organization-specific
- Document that /auth/switch-organization should be used to change org
- refactor(ui): use inject() function instead of constructor injection
- Replace constructor parameter injection with inject() function
- Follow Angular modern DI pattern
- fix(auth): include organizationId in refresh token
- Pass organizationId to getJwtRefreshToken in login, signinWorkspaceByToken, and switchWorkspace
- Ensures refresh token contains same organization context as access token
- fix(auth): add cross-validation between employeeId and organizationId in JWT
- Validate that employee.organizationId matches the claimed organizationId
- Prevents JWT token manipulation attacks
- fix(employee): use BadRequestException and check for existing employee
- Use BadRequestException instead of generic Error for proper HTTP 400
- Check if employee already exists for user+organization to prevent duplicates
- fix(ui): validate response fields before applying to store
- Check token and user exist before updating store
- Return false and show error if validation fails
- fix(auth): update user.lastOrganizationId in memory after DB update
- Ensures returned user object has fresh lastOrganizationId value
- fix(employee): load role relation when finding existing user
- Use findOneByOptions with relations: { role: true }
- Fixes 'Cannot read properties of undefined (reading name)' error
- addUserToOrganization requires user.role.name for SUPER_ADMIN check
What's Changed
- fix: desktop gauzy server failed build: add build gauzy:server-ui pro… by @syns2191 in #9687
- chore(deps): bump fast-uri from 3.1.0 to 3.1.2 by @dependabot[bot] in #9689
- chore(deps): bump hono from 4.12.14 to 4.12.18 by @dependabot[bot] in #9686
- Fix/about window detail os by @syns2191 in #9691
- feat: desktop timer visible session timer list by @syns2191 in #9697
- fix: logs window add new export log button by @syns2191 in #9699
- chore(k8s): right-size resource requests for all gauzy deployments by @evereq in #9706
- Bump deps by @evereq in #9700
- Stage by @evereq in #9707
Full Changelog: v105.0.0...v106.0.0
