12 releases 12 tags

RSS feed

• v0.6.0 cf74c2ad3e

  Compare

  v0.6.0 Stable

  patillacode released this 2026-04-20 18:11:48 +02:00 | 17 commits to main since this release

  Security hardening, publishing flow redesign, and polish

  Security (9 fixes)

  • HSTS + Permissions-Policy headers added to all responses; HSTS only sent when SECURE_COOKIES=true
  • Session versioning: session_version column on User; token format updated to include version; stale tokens
    rejected on every request
  • Session invalidation on password change: admin reset and self-change both increment session_version,
    logging out all other devices; self-change re-issues cookie so the current session stays valid
  • Login CSRF: double-submit cookie pattern on GET /login → POST /login; requests without a matching token get
    403
  • Image magic byte validation: upload endpoint validates actual file bytes, not the client-supplied Content-Type
  • TRUST_PROXY setting: opt-in X-Forwarded-For support for correct IP detection behind nginx/Caddy/Traefik; rate limiter uses real IP when enabled
  • CSP nonces: per-request nonces replace unsafe-inline on script-src; Google Fonts and esm.sh (Tiptap) whitelisted
  • Image access control: /uploads/{user_id}/{filename} requires auth or a valid ?share_token linked to an entry owned by that user
  • Share token revocation: DELETE /journal/{date}/share endpoint clears the token; images embedded in shared entries are rewritten to include ?share_token so they load for unauthenticated viewers

  Publishing flow redesign

  Replaced the fragile share popup with a clean two-action model:

  • Publish/Unpublish toggle in the toolbar: primary action, clear state label
  • Copy link icon button: appears inline only when the entry is published, copies directly to clipboard with a
    toast; no popup, no URL input field
  • Both buttons work dynamically without page reload
  • Mobile nav button mirrors the same publish toggle

  UI & calendar polish

  • Calendar now distinguishes four day states: today (dot below number), written (accent strikethrough),
    shared/published (accent ring), active/current (solid fill); states stack, active overrides all
  • CSS split into modular component files

  i18n

  • All templates fully wired to the translation system (account page, admin users table, journal toolbar)
  • New keys: account, publish, unpublish, copy_link, change_password, admin_role, user_role, stop_sharing,
    delete_confirm

  Docs & CI

  • README rewritten with inline Docker Compose quick-start
  • CONFIGURATION.md added with full prose-style config reference
  • CI pipeline updated to run tests on every push to main, build and push Docker image only on version tags (v*)

  Downloads

  • Source code (ZIP)
    0 downloads
  • Source code (TAR.GZ)
    0 downloads