v1.4.0

@github-actions github-actions released this 13 Jun 09:47
· 10 commits to main since this release

⚠️ BREAKING — set TOKEN_ENCRYPTION_KEY before upgrading

v1.4.0 encrypts Google OAuth tokens at rest and adds a new required production secret, TOKEN_ENCRYPTION_KEY. A %prod deployment fails to boot until it is set (fail-closed by design).

Upgrade steps (from v1.3.x):

  1. Generate a permanent key: openssl rand -hex 32 (64 hex chars).
  2. Set TOKEN_ENCRYPTION_KEY to that value on every replica (same value everywhere, like SESSION_ENCRYPTION_KEY).
  3. Deploy. On first boot, existing plaintext tokens are encrypted in place — no user has to reconnect their calendar.

Do not rotate this key — changing it strands all encrypted tokens and disconnects every calendar.

Also in this release: Google OAuth redirect URIs now derive from APP_BASE_URL automatically (fixes redirect_uri_mismatch when the redirect env vars were unset). Ensure ${APP_BASE_URL}/api/google/callback and ${APP_BASE_URL}/api/google/login/callback are registered in your Google OAuth client.
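A pre-upgrade check for the steps above, as an added example that is not part of the project: it validates the key format, prints a short fingerprint for comparing replicas, and lists the two redirect URIs to register. The function names, the use of `sha256sum`, the trailing-slash handling and the sample values are assumptions of this example.

```sh
#!/bin/sh
# Added example: pre-upgrade check for the v1.4.0 steps (not project code).

# True only for exactly 64 hex characters, the shape of `openssl rand -hex 32`.
valid_key() {
    [ "${#1}" -eq 64 ] || return 1
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
}

# Short SHA-256 fingerprint: lets you confirm every replica holds the same
# key without pasting the key itself into logs or tickets.
key_fingerprint() {
    printf '%s' "$1" | sha256sum | cut -c1-12
}

# The two redirect URIs to register. Dropping a trailing slash from the base
# URL is an assumption of this example, not documented app behaviour.
callback_uris() {
    base=${1%/}
    printf '%s\n' "$base/api/google/callback" "$base/api/google/login/callback"
}

preflight() {
    if ! valid_key "${TOKEN_ENCRYPTION_KEY:-}"; then
        echo "TOKEN_ENCRYPTION_KEY must be 64 hex chars (openssl rand -hex 32)" >&2
        return 1
    fi
    if [ -z "${APP_BASE_URL:-}" ]; then
        echo "APP_BASE_URL is not set" >&2
        return 1
    fi
    echo "key fingerprint: $(key_fingerprint "$TOKEN_ENCRYPTION_KEY")"
    echo "redirect URIs to register in the Google OAuth client:"
    callback_uris "$APP_BASE_URL"
}

# Constructed sample values for demonstration only; never deploy this key.
(
    TOKEN_ENCRYPTION_KEY=$(printf '%064d' 0)
    APP_BASE_URL=https://calendar.example.test/
    preflight
)
```

Run `preflight` on each replica with its real environment and compare the fingerprints; any mismatch means the replicas do not share the same key.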


What's Changed

  • Security audit remediation (2026-06-12 audit) by @asm0dey in #26
  • chore(deps): update github/codeql-action action to v4 by @renovate[bot] in #29
  • chore(deps): pin dependencies by @renovate[bot] in #28
  • build(deps): bump github/codeql-action from 3 to 4 by @dependabot[bot] in #27
  • fix(google): derive OAuth redirect URIs from APP_BASE_URL by @asm0dey in #30

New Contributors

Full Changelog: v1.3.1...v1.4.0