Release 0.3.5

Changes since Release 0.3.4

• Bump golang.org/x/crypto from 0.24.0 to 0.31.0

Release 0.3.4

Changes since Release 0.3.3

• update dependencies
• rebuilt with Go 1.22.5

Release 0.3.3

Changes since Release 0.3.2

• update dependencies
• rebuilt with Go 1.22.2

Release 0.3.2

Changes since Release 0.3.1

• switch to use go embed
• add Docker image

Release 0.3.1

Changes since Release 0.3

• fix nil-pointer dereference when loading ca-certificates

Release 0.3

Changes since Release 0.2

• add support for Prometheus Metrics

Release 0.2

Changes since Release 0.1.1

Breaking

• The signed part of session cookies now contain an ID field. Because of this, cookies generated by previous versions will no longer be accepted. This means after upgrading to this version every pre-existing session is logged-out and users will need to re-login.
• All tls configuration sections now support the same options. For the LDAP auth backend this means that the start-tls option has been moved out of the tls section
• The cookie signing key options in the configuration have been renamed to harmonize the naming convention with the tls sections. This means that private-key and public-key now expect a file name to load the keys from. To configure keys inline use the new options private-key-data and public-key-data.
• The exact changes for the config file format can bee seen here

Improvements

• Revoke-able Sessions
  • Every new session is now stored in a local database either in-memory (volatile) or inside Bolt (non-volatile).
  • Clicking the logout button at the built-in web UI now marks the session as revoked and then instructs the browser to delete the session cookie.
  • The logged-in template of the built-in web UI also shows other active sessions by the same user as well as logout buttons for those sessions.
  • Verify-only instances can sync revocations using HTTPs requests secured with Bearer tokens. The transferred revocation lists are singed.

Release 0.2 Release Candidate 2

Changes since Release 0.2 Release Candidate 1

• allow for situations where HTTP client requests (revocation sync and whawty remote upgrades) can use a HTTP Host Header that differs from the host name in the url to connect to.

Release 0.2 Release Candidate 1

Changes since Release 0.1.1

Breaking

• The signed part of session cookies now contain an ID field. Because of this, cookies generated by previous versions will no longer be accepted. This means after upgrading to this version every pre-existing session is logged-out and users will need to re-login.
• All tls configuration sections now support the same options. For the LDAP auth backend this means that the start-tls option has been moved out of the tls section
• The cookie signing key options in the configuration have been renamed to harmonize the naming convention with the tls sections. This means that private-key and public-key now expect a file name to load the keys from. To configure keys inline use the new options private-key-data and public-key-data.
• The exact changes for the config file format can bee seen here

Improvements

• Revoke-able Sessions
  • Every new session is now stored in a local database either in-memory (volatile) or inside Bolt (non-volatile).
  • Clicking the logout button at the built-in web UI now marks the session as revoked and then instructs the browser to delete the session cookie.
  • The logged-in template of the built-in web UI also shows other active sessions by the same user as well as logout buttons for those sessions.
  • Verify-only instances can sync revocations using HTTPs requests secured with Bearer tokens. The transferred revocation lists are singed.

Release 0.1.1

Changes since Release 0.1

Somehow i overlooked that the redirect after a successful login used the wrong status code 307. This is now changed to use the correct code 303.