GPT Image Panel v0.7.3
v0.7.3 is a security-focused release that also adds scheduled Cloudflare R2 gallery backup sync. It tightens access-token signing, CSRF handling, upstream image downloads, version endpoint exposure, and SOCKS5 proxy observability while keeping the existing public API shapes and job lifecycle behavior stable.
Highlights
- Added configurable scheduled R2 Gallery Sync via R2_SYNC_INTERVAL_HOURS.
- Hardened access-token signing by removing the hard-coded fallback signing secret.
- Tightened CSRF origin checks for unsafe browser requests, including auth-exempt mutation endpoints.
- Moved version endpoints behind the access gate when ACCESS_KEY is configured.
- Restricted upstream-returned image URL downloads to HTTPS.
- Added startup warnings for unauthenticated deployments.
- Added SOCKS5 upstream proxy trust-boundary logging when local DNS resolves the upstream host to private/internal IPs.
- Tightened CSP style policy from broad inline styles to inline style attributes only.
Cloudflare R2 Gallery Sync
This release adds scheduled gallery backup sync for Cloudflare R2 compatible storage.
- New R2_SYNC_INTERVAL_HOURS setting controls the background sync cadence. 0 disables scheduled sync and is the default.
- The scheduler starts regular Gallery Sync jobs using the same repository and job-state paths as manual sync.
- R2 sync still only operates on the configured prefix and does not serve, overwrite, or delete gallery images from R2.
- The setting is available through environment configuration, Docker Compose, backend settings, API schemas, and the frontend settings drawer.
Security Hardening
Access Token Signing
Access-token HMAC signing no longer falls back to the public development string gpt-image-panel-dev-secret.
The signing secret is now derived from:
- ACCESS_KEY
- resolved DEFAULT_API_KEY
If neither is available when a token is created or verified, the backend raises a runtime error instead of signing with a predictable secret.
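The derivation order above, written out as an added example (not the project's own code): the secret is taken from ACCESS_KEY, then DEFAULT_API_KEY, and with neither present signing and verification raise instead of falling back. Reading both values from environment variables, the `payload.hexmac` token layout, and the function names are assumptions of this example; the page says DEFAULT_API_KEY is "resolved" without stating where from.

```python
import hashlib
import hmac
import os
from typing import Mapping, Optional


def resolve_signing_secret(env: Optional[Mapping[str, str]] = None) -> str:
    """Pick the HMAC secret in the order the release notes give:
    ACCESS_KEY first, then DEFAULT_API_KEY. There is deliberately no
    third option: with neither set, signing and verifying are a hard
    error rather than silently falling back to a predictable string.
    Reading both from environment variables is an assumption of this
    example (the page only says DEFAULT_API_KEY is 'resolved')."""
    source = os.environ if env is None else env
    for name in ("ACCESS_KEY", "DEFAULT_API_KEY"):
        value = source.get(name)
        if value:
            return value
    raise RuntimeError("no signing secret available: set ACCESS_KEY or DEFAULT_API_KEY")


def _mac(secret: str, payload: str) -> str:
    # HMAC-SHA256 over the payload bytes, hex-encoded
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()


def sign_token(payload: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Return '<payload>.<hex mac>'; raises RuntimeError if no secret exists."""
    return f"{payload}.{_mac(resolve_signing_secret(env), payload)}"


def verify_token(token: str, env: Optional[Mapping[str, str]] = None) -> bool:
    """Constant-time check of the trailing MAC against the resolved secret.
    Also raises RuntimeError when no secret is configured: verification
    must never succeed or fail based on a guessable default."""
    payload, sep, mac = token.rpartition(".")
    if not sep or not payload:
        return False
    return hmac.compare_digest(mac, _mac(resolve_signing_secret(env), payload))
```

`hmac.compare_digest` keeps the comparison constant-time; passing `env` explicitly is only there so the resolution order can be exercised without touching the process environment.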
CSRF Checks
Unsafe browser requests now require a trustworthy source signal:
- matching Origin
- matching Referer
- or Sec-Fetch-Site: same-origin
Requests with Sec-Fetch-Site: cross-site are rejected. Requests with no Origin, Referer, or same-origin fetch metadata are also rejected, including auth-exempt mutation endpoints such as /api/access.
This preserves the existing same-origin development proxy workflow while closing the previous no-cookie/no-source bypass.
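The policy described in this section, as an added example that is not the project's own code: safe methods pass; an unsafe method needs a matching Origin, a matching Referer, or Sec-Fetch-Site: same-origin; cross-site is rejected outright; and a request carrying none of the three signals is rejected, which is the no-cookie/no-source bypass being closed. The function names, the tuple return shape and the sample origin `https://panel.example.test` are assumptions of this example.

```python
from typing import Mapping, Optional, Tuple
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _origin_of(url: Optional[str]) -> Optional[str]:
    """Reduce a URL to scheme://host[:port]; None if absent or unparseable.
    'Origin: null' has no scheme and therefore never matches anything."""
    if not url:
        return None
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(method: str, headers: Mapping[str, str], app_origin: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request against the app's own origin."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    expected = _origin_of(app_origin)
    fetch_site = h.get("sec-fetch-site", "").strip().lower()

    # explicit cross-site metadata wins over any Origin/Referer that happens to be present
    if fetch_site == "cross-site":
        return False, "Sec-Fetch-Site: cross-site"
    if fetch_site == "same-origin":
        return True, "Sec-Fetch-Site: same-origin"
    if expected is not None and _origin_of(h.get("origin")) == expected:
        return True, "Origin matches"
    if expected is not None and _origin_of(h.get("referer")) == expected:
        return True, "Referer matches"
    # none of the three signals: reject, even on auth-exempt endpoints like /api/access
    return False, "no trustworthy source signal"
```

Comparing full origins (scheme included) rather than hostnames means `http://panel.example.test` does not satisfy a check for `https://panel.example.test`; the same-origin development proxy keeps working because the browser still sends a matching Origin or same-origin fetch metadata.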
Version Endpoint Access
/api/version and /api/version/latest are no longer auth-exempt when ACCESS_KEY is configured. The frontend now loads version metadata only after access status passes or after the access key unlock succeeds.
This reduces unauthenticated version fingerprinting while preserving the header update badge for authenticated users.
HTTPS-Only Upstream Image Downloads
Upstream-returned image URLs must now use HTTPS. Plain HTTP image URLs are rejected before the backend attempts to fetch them.
This aligns image URL downloads with the stricter upstream API and webhook URL scheme requirements.
Unauthenticated Mode Warning
When ALLOW_UNAUTHENTICATED=true is set and ACCESS_KEY is unset, startup logs a warning that all non-health API routes are unauthenticated.
This does not remove local development support, but it makes production misconfiguration much more visible.
SOCKS5 Proxy Trust Boundary
The backend continues to perform pre-connection upstream URL validation. When a SOCKS5 upstream proxy is configured and the upstream hostname resolves locally to private/internal IPs, the backend logs a warning explaining that the SOCKS5 proxy is the trust boundary for remote DNS and network reachability.
CSP Style Policy
The CSP policy now uses:
style-src 'self'
style-src-attr 'unsafe-inline'
This avoids allowing arbitrary inline <style> blocks while retaining compatibility with the few existing inline style attributes used by the frontend.
Docker Images
Multi-architecture images are published to GHCR:
ghcr.io/z1rconium/gpt-image-linux:v0.7.3
ghcr.io/z1rconium/gpt-image-linux:latest
The v0.7.3 manifest digest is:
sha256:b63ed24c364d1733c6c0733480ae3b7ae3e8ad27c8cc6b787129b236bf2b9e9e
Supported platforms:
linux/amd64
linux/arm64
Run directly with Docker:
docker run -d \
--name gpt-image-panel \
-p 127.0.0.1:9090:9090 \
-v ./images:/app/images \
-v ./data:/app/data \
--env-file .env \
ghcr.io/z1rconium/gpt-image-linux:v0.7.3
Docker Compose
Download the release assets:
curl -LO https://github.com/Z1rconium/gpt-image-linux/releases/download/v0.7.3/docker-compose.yml
curl -Lo .env.example https://github.com/Z1rconium/gpt-image-linux/releases/download/v0.7.3/env.example
cp .env.example .env
Edit .env, set ACCESS_KEY, configure your upstream API settings, then start:
docker compose up -d
The release docker-compose.yml uses the published GHCR image directly:
ghcr.io/z1rconium/gpt-image-linux:v0.7.3
Release Assets
This release includes:
- docker-compose.yml - image-based Compose file pinned to v0.7.3
- env.example - environment template; download as .env.example if desired
- gpt-image-panel-v0.7.3-prebuilt.tar.gz - prebuilt offline package with frontend/build/
- SHA256SUMS - checksums for release assets
Verify downloads:
shasum -a 256 -c SHA256SUMS
Changelog
Full changelog:
Included commits:
- 3331c2b - feat: add R2 sync interval configuration and scheduled sync functionality
- ce36401 - Refactor authentication and security features
- 09b3462 - chore: release v0.7.3