MentisDB 0.10.4.49 — Dashboard Login Fix, Session Lifetime, HNSW Unconditional
This hotfix fixes a dashboard login bug introduced in 0.10.2.47, corrects a session-lifetime
miscalculation, and simplifies the build by making HNSW and local-embeddings
unconditional default features. For the full feature list and benchmark numbers from the
prior release, see the 0.10.3.48 release notes.
Dashboard Login Fix (C5/C6 regression)
The 0.10.2.47 security audit replaced the mentisdb_pin cookie with a server-side
session token (mentisdb_session). The session cookie was hardcoded with the
Secure attribute, which browsers silently drop over plain HTTP. When the dashboard
sat behind a TLS-terminating reverse proxy (nginx, Caddy, Traefik) that talked plain HTTP to
the daemon, the browser would discard the cookie after a successful login — every
subsequent request to /dashboard looked unauthenticated and bounced back to
/dashboard/login.
The Secure attribute is now conditional: it is emitted only when the originating
request was HTTPS, detected via the de-facto standard X-Forwarded-Proto header.
When a proxy reports http, the cookie is sent as
HttpOnly; SameSite=Strict only. Direct access to the daemon's own TLS listener
(no forwarding header) keeps Secure on.
Session Lifetime Fix
The session timeout was 5 hours instead of the intended 8 hours.
The login handler and PIN middleware both used RATE_LIMIT_WINDOW_SECS * 60 for
session expiry — but RATE_LIMIT_WINDOW_SECS is already in seconds (300),
so the * 60 produced 18,000 seconds (5 hours) and coupled two unrelated concerns
(brute-force lockout vs. session lifetime). Replaced with an explicit
SESSION_TIMEOUT_SECS constant (8 hours), independent of the rate-limit window.
HNSW Is Now Unconditional
The hnsw-backend Cargo feature has been removed entirely. HNSW is always compiled
in — no feature flag needed. The hnsw, rand_pcg, and
space dependencies are now non-optional, all
#[cfg(feature = "hnsw-backend")] guards have been removed, and the
HnswBackendNotEnabled error variant has been deleted along with its test.
local-embeddings Is Now a Default Feature
local-embeddings (which enables the fastembed-minilm ONNX vector
provider) is now part of the default feature set. This means:
cargo install mentisdbjust works — no--featuresflag needed- The self-updater no longer needs
--features local-embeddingsin itscargo installargs - The Makefile
installtarget is simplified - The 0.10.3.48 hotfix that added
--features local-embeddingsto the self-updater is now superseded
Library users who don't need embeddings can still opt out with
--no-default-features.
Upgrade
cargo install mentisdb --force
No --features flag needed anymore — HNSW and local-embeddings are both
included by default.
Links
- GitHub Release: 0.10.4.49
- Prior release: 0.10.3.48 — HNSW Vector Search, Hardened Security, 16 Critical Fixes
- Changelog: changelog.txt
- Documentation: docs.mentisdb.com