Prepare v0.27.2 (#656)

* bump version

* bump dependencies

* update openapi doc

* update changelog

* rebuild docs

CHANGELOG.md

@@ -1,6 +1,6 @@
 # Changelog
 
-## UNRELEASED
+## v0.27.2
 
 ### Changes
 
@@ -30,6 +30,13 @@ DISABLE_REFRESH_TOKEN_NBF=false
 
 [#651](https://github.com/sebadob/rauthy/pull/653)
 
+### Bugfix
+
+The Rauthy deployment could get stuck in Kubernetes when you were running a HA-Cluster with Postgres as your database
+of choice. The cache raft re-join had an issue sometimes because of a race condition, which needed a full restart of the
+cluster. This has been fixed in [hiqlite-0.3.2](https://github.com/sebadob/hiqlite/releases/tag/v0.3.2) and the
+dependency has been bumped.
+
 ## v0.27.1
 
 ### Bugfix

Cargo.toml

@@ -4,7 +4,7 @@ members = ["src/*"]
 exclude = ["rauthy-client"]
 
 [workspace.package]
-version = "0.27.2-20241211"
+version = "0.27.2"
 edition = "2021"
 authors = ["Sebastian Dobe <[email protected]>"]
 license = "Apache-2.0"
@@ -19,7 +19,7 @@ strip = true
 panic = "abort"
 
 [patch.crates-io]
-#hiqlite = { git = "https://github.com/sebadob/hiqlite.git", package = "hiqlite" }
+#hiqlite = { git = "https://github.com/sebadob/hiqlite.git", branch = "prepare-v0.3.3", package = "hiqlite" }
 #hiqlite = { path = "../../hiqlite/hiqlite", package = "hiqlite" }
 
 [workspace.dependencies]

docs/config/config.html

@@ -221,6 +221,22 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 # default: false
 #DANGER_DISABLE_INTROSPECT_AUTH=false
 
+# By default, `refresh_token`s will have an `nbf` claim, making them valid
+# at `access_token_lifetime - 60 seconds`. Any usage before this time will
+# result in invalidation of not only the token itself, but also all other
+# linked sessions and tokens for this user to prevent damage in case a client
+# leaked the token by accident.
+# However, there are bad / lazy client implementations that do not respect
+# either `nbf` in the `refresh_token`, or the `exp` claim in `access_token`
+# and will refresh early while the current access_token is still valid.
+# This does not only waste resources and time, but also makes it possible
+# to have multiple valid `access_token`s at the same time for the same
+# session. You should only disable the `nbf` claim if you have a good
+# reasons to do so.
+# If disabled, the `nbf` claim will still exist, but always set to *now*.
+# default: false
+#DISABLE_REFRESH_TOKEN_NBF=false
+
 # Can be used when 'OPEN_USER_REG=true' to restrict the domains
 # for a registration. For instance, set it to
 # 'USER_REG_DOMAIN_RESTRICTION=gmail.com' to allow only

docs/print.html

@@ -3422,6 +3422,22 @@ <h2 id="rotation-event"><a class="header" href="#rotation-event">Rotation Event<
 # default: false
 #DANGER_DISABLE_INTROSPECT_AUTH=false
 
+# By default, `refresh_token`s will have an `nbf` claim, making them valid
+# at `access_token_lifetime - 60 seconds`. Any usage before this time will
+# result in invalidation of not only the token itself, but also all other
+# linked sessions and tokens for this user to prevent damage in case a client
+# leaked the token by accident.
+# However, there are bad / lazy client implementations that do not respect
+# either `nbf` in the `refresh_token`, or the `exp` claim in `access_token`
+# and will refresh early while the current access_token is still valid.
+# This does not only waste resources and time, but also makes it possible
+# to have multiple valid `access_token`s at the same time for the same
+# session. You should only disable the `nbf` claim if you have a good
+# reasons to do so.
+# If disabled, the `nbf` claim will still exist, but always set to *now*.
+# default: false
+#DISABLE_REFRESH_TOKEN_NBF=false
+
 # Can be used when 'OPEN_USER_REG=true' to restrict the domains
 # for a registration. For instance, set it to
 # 'USER_REG_DOMAIN_RESTRICTION=gmail.com' to allow only

src/api/src/generic.rs

@@ -607,7 +607,6 @@ pub async fn get_health() -> impl Responder {
     tag = "health",
     responses(
         (status = 200, description = "Ok"),
-        (status = 503, description = "ServiceUnavailable"),
     ),
 )]
 #[get("/ready")]