This release fixes issues for SREs watching stability and regressions.
✓ No known CVEs patched in this version
Topics
+1 more
Affected surfaces
Summary
AI summaryFixed me-from-cookie not refreshing the media_token cookie, eliminating persistent 401 Unauthorized errors on Live View.
Full changelog
🐛 Bug Fixes
-
media_token cookie not refreshed on session bootstrap (
routers/auth.py)
Theme-from-cookieendpoint (used to restore the session on page reload) was not re-setting themedia_tokencookie. This caused persistent401 Unauthorizederrors on Live View in the following scenarios:- Session was originally established with
COOKIE_SECURE=true(HTTPS) and then accessed over HTTP - The
media_tokenhad expired while theauth_tokenwas still valid - The user upgraded from a version prior to the HttpOnly cookie migration
me-from-cookienow always refreshes themedia_tokencookie using the currentCOOKIE_SECUREsetting. - Session was originally established with
📦 What Changed
| File | Change |
|------|--------|
| backend/routers/auth.py | me-from-cookie now re-sets the media_token cookie on every call |
| frontend/package.json | Version bump 1.20.1 → 1.20.2 |
| backend/package.json | Version bump 1.20.1 → 1.20.2 |
⬆️ How to Update
docker compose -f docker-compose.prod.yml pull
docker compose -f docker-compose.prod.yml down
docker compose -f docker-compose.prod.yml up -d
Still seeing 401 on Live View after updating? Do a hard refresh (Ctrl+Shift+R) to clear the cached JavaScript bundle.
No .env changes required.
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About spupuz/VibeNVR
All releases →Related context
Related tools
Earlier breaking changes
- v1.28.3 Must update docker-compose.yml with TZ variable for all services
Beta — feedback welcome: [email protected]