SECURITY & CONTROL.
What Changed
- 🔒 Cross-Tenant Protection — Critical fix preventing Bearer token auth from leaking data across organizations.
- ⚖️ Guest Challenge Limits — Configurable thresholds with proactive warnings and sign-in prompts at community level.
- 📊 Data Export Configuration — Azure storage settings for automated Parquet drop exports with connection testing.
Impact
Like a hawk's keen vision detecting threats from above, this release identifies and prevents security breaches while giving admins precise control over guest engagement boundaries.

Cross-Tenant Security Fix
Bearer token authentication now correctly isolates data by the authenticated organization. The fix prevents domain-based org lookup from overriding the token's org context, eliminating cross-tenant data leakage.

Guest Challenge Thresholds
Set the maximum number of challenges guests can complete before sign-in is required. Proactive detection prevents guests from starting challenges beyond the limit, with configurable warnings and conversion prompts.
FOR_THE_DEVS
Security Fix
- getOrgContext() prioritized in platform config
- AsyncLocalStorage org context from Bearer tokens
- Centralized fix protects all 39 query functions
- Priority: auth context → header → domain lookup
- Prevents cross-tenant data leakage via MCP/API
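An added sketch (not Nudj's code) of the resolution order listed above, showing why a request-scoped AsyncLocalStorage context set from the Bearer token has to win over domain lookup. Only getOrgContext comes from the release notes; every other name, the x-org-id header, and the token and domain tables are constructed for illustration.

```javascript
// Added illustration, not the project's code. Only getOrgContext is named in
// the release notes; every other identifier and value here is hypothetical.
const { AsyncLocalStorage } = require("node:async_hooks");

const orgStore = new AsyncLocalStorage();

// Constructed sample data: API tokens and custom domains mapped to orgs.
const TOKEN_ORGS = new Map([["tok-acme", "org_acme"]]);
const DOMAIN_ORGS = new Map([
  ["acme.example", "org_acme"],
  ["globex.example", "org_globex"],
]);

// Org bound to the current async call chain, or undefined outside one.
function getOrgContext() {
  return orgStore.getStore()?.orgId;
}

// Order from the notes: auth context -> header -> domain lookup.
function resolveOrgId(req) {
  return getOrgContext()
    ?? req.headers["x-org-id"] // assumed header name
    ?? DOMAIN_ORGS.get(req.headers.host)
    ?? null;
}

// The failure mode the notes describe: domain lookup overrides the token.
function resolveOrgIdDomainFirst(req) {
  return DOMAIN_ORGS.get(req.headers.host) ?? getOrgContext() ?? null;
}

// Validate the Bearer token and run the handler inside that org's context.
function withBearerAuth(req, handler) {
  const match = /^Bearer (\S+)$/.exec(req.headers.authorization ?? "");
  if (!match) return handler(req); // unauthenticated: no context is set
  const orgId = TOKEN_ORGS.get(match[1]);
  if (!orgId) throw new Error("unknown token"); // never fall through to domain
  return orgStore.run({ orgId }, () => handler(req));
}

// Constructed request: token issued to org_acme, sent to globex's domain.
const crossTenantReq = {
  headers: { authorization: "Bearer tok-acme", host: "globex.example" },
};
console.log(withBearerAuth(crossTenantReq, resolveOrgId)); // org_acme
console.log(withBearerAuth(crossTenantReq, resolveOrgIdDomainFirst)); // org_globex
```

Because the context lives in AsyncLocalStorage rather than in a function argument, a single resolver change covers every query helper called beneath the handler, which is the centralization the notes refer to.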
Guest Limits
- guestChallengeCompletionLimit field (community)
- Admin UI in community settings (Advanced tab)
- Proactive challenge start prevention
- Login prompts when limit reached
- Warning states at approach threshold
- 0 or empty = unlimited mode
Data & Integrations
- DataStorageConfig DTO and service layer
- TRPC endpoints (get, set, delete, test)
- Azure storage configuration UI
- Parquet drop export settings
- FriendBuy manual leaderboard script
- Remove revoked RELEASE_PAT from pipeline
Shipped By
Nudj Team