
Release 1.2


@leodip leodip released this 20 Nov 13:22
· 122 commits to main since this release
7cff8c2

v1.2 introduces important architectural refactoring and enhancements.

Architecture improvements

  • Admin console refactoring: The admin console previously communicated with the database directly. In this release, it now communicates with the auth server using secure HTTP calls (OAuth2), ensuring only the auth server accesses the database directly. This separation of concerns improves security and scalability.

  • Enhanced session management: Introduced a new Chunked Cookie Store for improved HTTP session handling, enabling support for larger session data with automatic chunking and metadata management.

New features

  • Dynamic Client Registration (RFC 7591) #24. Added standards-compliant Dynamic Client Registration, allowing OAuth2 clients to self-register programmatically. Good for MCP servers and native applications. Thanks @katesclau for the suggestion!

  • 'nbf' (Not Before) claim #25. JWT tokens now include the nbf claim (defaulting to the same value as iat) for improved token validation and security. Thanks @Henelik for the suggestion!

Bug fixes

  • Session deletion handling #26. Fixed session deletion to properly trigger logout for current sessions, ensuring users are immediately logged out when their sessions are removed. Thanks @mur4s4m3 for reporting!

Maintenance

  • Dependency updates: Updated all dependencies to their latest versions, including Go 1.25.4, Tailwind CSS 4.1.12, DaisyUI 5.5.5, and PostgreSQL 18.3.

⚠️ Breaking Changes - Migration from v1.1 to v1.2

Version 1.2 requires configuration changes for existing installations. Follow these migration steps carefully before upgrading.

Before upgrading to v1.2:

  • Backup your database (important for rollback if needed).
  • Plan for brief downtime. Users will be logged out during upgrade.
  • Prepare environment variable changes (detailed below).

Step-by-step migration guide

Step 1: generate session keys

Version 1.2 requires four new session keys (previously stored in the database). Generate them using OpenSSL:

# Generate auth server authentication key (64 bytes = 128 hex characters)
openssl rand -hex 64

# Generate auth server encryption key (32 bytes = 64 hex characters)
openssl rand -hex 32

# Generate admin console authentication key (64 bytes = 128 hex characters)
openssl rand -hex 64

# Generate admin console encryption key (32 bytes = 64 hex characters)
openssl rand -hex 32

Save these keys. You'll add them to your configuration in the next steps.

Step 2: retrieve admin console OAuth credentials

The admin console now authenticates to the auth server using OAuth2. You need to retrieve the OAuth client secret from your v1.1 installation.

To get the client secret:

  1. Log in to your v1.1 admin console (before upgrading)
  2. Navigate to Clients in the menu
  3. Find and click on the client named admin-console-client
  4. Go to the Authentication tab
  5. Copy the client secret and save it securely

Note: The client identifier is always "admin-console-client", so only the secret needs to be copied. Keep it somewhere secure; you will need it in Step 3.

Step 3: update environment variables

Auth Server - add these variables

# Session keys (generated in Step 1) - REQUIRED
GOIABADA_AUTHSERVER_SESSION_AUTHENTICATION_KEY=<your-128-char-hex-key>
GOIABADA_AUTHSERVER_SESSION_ENCRYPTION_KEY=<your-64-char-hex-key>

# Internal base URL for container-to-container communication - REQUIRED
GOIABADA_AUTHSERVER_INTERNALBASEURL=http://goiabada-authserver:9090

# Optional but recommended for production
GOIABADA_AUTHSERVER_RATELIMITER_ENABLED=true

Admin Console - add these variables

# Session keys (generated in Step 1) - REQUIRED
GOIABADA_ADMINCONSOLE_SESSION_AUTHENTICATION_KEY=<your-128-char-hex-key>
GOIABADA_ADMINCONSOLE_SESSION_ENCRYPTION_KEY=<your-64-char-hex-key>

# OAuth credentials (retrieved in Step 2) - REQUIRED
GOIABADA_ADMINCONSOLE_OAUTH_CLIENT_ID=admin-console-client
GOIABADA_ADMINCONSOLE_OAUTH_CLIENT_SECRET=<your-client-secret>

# Auth server internal URL - REQUIRED
GOIABADA_AUTHSERVER_INTERNALBASEURL=http://goiabada-authserver:9090

Admin Console - remove these variables

The admin console no longer accesses the database. Remove these variables from your configuration:

GOIABADA_ADMINCONSOLE_LOG_SQL
GOIABADA_ADMINCONSOLE_AUDIT_LOGS_IN_CONSOLE
GOIABADA_DB_TYPE
GOIABADA_DB_USERNAME
GOIABADA_DB_PASSWORD
GOIABADA_DB_HOST
GOIABADA_DB_PORT
GOIABADA_DB_NAME
GOIABADA_DB_DSN
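Before running Step 4, a pre-flight check of the Step 1 keys and the Step 3 variables catches a mistyped key, a wrong client id, or a database setting left behind in the admin console's environment. This is an added POSIX sh example, not part of Goiabada; the function names (check_goiabada_v12_env, getvar, require_hex, require_set) are assumptions, and the check reads the variables of the service you name from the current environment.

```shell
# Added pre-flight check for the v1.2 variables above (not part of Goiabada).
# Usage, with the service's environment exported:
#   . ./check_v12_env.sh && check_goiabada_v12_env adminconsole

# Print the value of the variable named in $1 (empty if unset).
getvar() { eval "printf '%s' \"\${$1:-}\""; }

# Require that variable $1 is exactly $2 hex characters, as produced by
# 'openssl rand -hex N' (N bytes -> 2N characters).
require_hex() {
    v=$(getvar "$1")
    if [ "${#v}" -ne "$2" ]; then
        echo "ERROR: $1 must be $2 hex characters (got ${#v})"; return 1
    fi
    case "$v" in
        *[!0-9a-fA-F]*) echo "ERROR: $1 contains non-hex characters"; return 1 ;;
    esac
}

# Require that variable $1 is set and non-empty.
require_set() {
    [ -n "$(getvar "$1")" ] || { echo "ERROR: $1 is required but empty"; return 1; }
}

# $1 is "authserver" or "adminconsole". Returns 0 when that service's
# environment matches Step 3, 1 otherwise (one ERROR line per problem).
check_goiabada_v12_env() {
    fail=0
    case "$1" in
        authserver)   prefix=GOIABADA_AUTHSERVER ;;
        adminconsole) prefix=GOIABADA_ADMINCONSOLE ;;
        *) echo "usage: check_goiabada_v12_env authserver|adminconsole"; return 2 ;;
    esac
    require_hex "${prefix}_SESSION_AUTHENTICATION_KEY" 128 || fail=1
    require_hex "${prefix}_SESSION_ENCRYPTION_KEY" 64 || fail=1
    require_set GOIABADA_AUTHSERVER_INTERNALBASEURL || fail=1
    if [ "$1" = adminconsole ]; then
        require_set GOIABADA_ADMINCONSOLE_OAUTH_CLIENT_SECRET || fail=1
        if [ "$(getvar GOIABADA_ADMINCONSOLE_OAUTH_CLIENT_ID)" != admin-console-client ]; then
            echo "ERROR: GOIABADA_ADMINCONSOLE_OAUTH_CLIENT_ID must be admin-console-client"; fail=1
        fi
        # The admin console no longer talks to the database: flag leftovers.
        for name in GOIABADA_ADMINCONSOLE_LOG_SQL GOIABADA_ADMINCONSOLE_AUDIT_LOGS_IN_CONSOLE \
                    GOIABADA_DB_TYPE GOIABADA_DB_USERNAME GOIABADA_DB_PASSWORD GOIABADA_DB_HOST \
                    GOIABADA_DB_PORT GOIABADA_DB_NAME GOIABADA_DB_DSN; do
            [ -z "$(getvar "$name")" ] || { echo "ERROR: remove $name from the admin console config"; fail=1; }
        done
    fi
    return $fail
}
```

Run it once per service (each container has its own environment in docker-compose), fixing every ERROR line before proceeding to Step 4.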

Step 4: upgrade and verify

  1. Stop your current v1.1 deployment:
     docker-compose down
  2. Backup your database (if not already done)
  3. Pull the v1.2 images:
     docker-compose pull
  4. Start the services:
     docker-compose up -d
  5. Monitor the logs:
     # Watch auth server logs
     docker-compose logs -f goiabada-authserver

     # Watch admin console logs
     docker-compose logs -f goiabada-adminconsole
  6. Verify startup:
     • Auth server should start without session key validation errors
     • Database migrations (000003, 000004) should run automatically
     • Admin console should successfully authenticate with the auth server
  7. Test functionality:
     • Log in to the admin console
     • Verify you can access user management, client management, etc.
     • Check that all features work as expected