Releases: leodip/goiabada
Release 1.4.2
Bug fixes
- Fixed AuthContext preservation when session is invalidated (#46) - The authorization flow now correctly preserves the AuthContext when a user's session is invalidated mid-flow, preventing authentication failures.
Improvements
- Replaced Mailhog with Mailpit in devcontainer and tests - Mailpit provides a more modern and actively maintained email testing solution.
- Enhanced version management script - Refactored update-versions.sh with an interactive menu for better usability.
- Added Node.js/npm to devcontainer - Enables npm package management for test integration apps.
Test integration apps
- Updated react-vite demo app - Significant improvements including new TokenInspector component, AdminArea page, improved auth context, and better styling.
- Updated go-webapp test application - Various improvements and updates.
- Updated js-only (browser-based) test application - Improved OAuth2 browser-only integration example.
Dependencies
- Updated dependencies across multiple Go modules and npm packages
Release 1.4.1
Multi-architecture docker images
Docker images now support both linux/amd64 and linux/arm64 architectures. This enables native support for:
- Intel/AMD x86_64 servers and PCs
- ARM64 devices (Raspberry Pi 4/5, Orange Pi, AWS Graviton, Apple Silicon Macs)
No more platform mismatch warnings when running on ARM64 devices.
Thanks for reporting @sehogas
Release 1.4.0
New Features
- Granular API Scopes (#43) - Fine-grained admin authorization with new scopes for precise API access control instead of the single authserver:manage permission
- OAuth2 Implicit Flow - Configurable implicit flow support for legacy clients (response_type=token, id_token, id_token token). Disabled by default, can be enabled globally or per-client
- OAuth2 Resource Owner Password Credentials (ROPC) Flow - RFC 6749 Section 4.3 implementation for direct username/password authentication. Disabled by default, can be enabled globally or per-client
- User Profile Pictures (#18) - Upload/manage profile pictures with OIDC picture claim support:
  - Self-service and admin management
  - Public /userinfo/picture/{subject} endpoint
  - Client-side image cropping with Cropper.js
  - Server-side validation (PNG, JPEG, GIF; max 2MB; 64-2000px)
- Configurable PKCE - PKCE can now be configured globally or per-client (required/optional)
- Client Secret Basic Authentication - Support for client_secret_basic authentication method (Authorization header)
- POST Body Access Token for Userinfo - Support for access token in POST body per OIDC 5.3.1
Security Improvements
- Constant-time client secret comparison - Prevents timing attacks on client authentication
- Timing-safe user enumeration protection - DummyPasswordHash implementation prevents user enumeration via timing analysis
- Improved error handling for redirect URI parsing - Better validation in authorization flows
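The two timing protections listed above, together with the client_secret_basic header parsing from the New Features list, shown as an added Go example written for this page (it is not Goiabada's own code). The hash scheme, the sample user and the sample client credentials are constructed stand-ins: the page names a DummyPasswordHash but not the algorithm behind it, and a real deployment uses a slow password hash such as bcrypt or argon2 rather than the iterated SHA-256 used here so the example runs with the standard library alone.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ParseClientSecretBasic extracts client_id and client_secret from an
// "Authorization: Basic ..." header (the client_secret_basic method). RFC 6749
// section 2.3.1 form-urlencodes both values before joining them with ':' and
// base64-encoding the result, so each half is unescaped after decoding.
func ParseClientSecretBasic(authz string) (clientID, clientSecret string, err error) {
	scheme, param, ok := strings.Cut(authz, " ")
	if !ok || !strings.EqualFold(scheme, "Basic") {
		return "", "", errors.New("not a Basic authorization header")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(param))
	if err != nil {
		return "", "", fmt.Errorf("invalid base64 credentials: %w", err)
	}
	idEnc, secretEnc, ok := strings.Cut(string(raw), ":")
	if !ok {
		return "", "", errors.New("credentials missing ':' separator")
	}
	if clientID, err = url.QueryUnescape(idEnc); err != nil {
		return "", "", err
	}
	if clientSecret, err = url.QueryUnescape(secretEnc); err != nil {
		return "", "", err
	}
	return clientID, clientSecret, nil
}

// SecretsMatch compares a presented client secret with the expected one in
// constant time. Both sides are hashed first so the comparison always runs over
// equal-length inputs: subtle.ConstantTimeCompare returns immediately when the
// lengths differ, which would otherwise leak the secret's length.
func SecretsMatch(presented, expected string) bool {
	p := sha256.Sum256([]byte(presented))
	e := sha256.Sum256([]byte(expected))
	return subtle.ConstantTimeCompare(p[:], e[:]) == 1
}

// PasswordRecord is a constructed stand-in for a stored user credential.
type PasswordRecord struct {
	Salt []byte
	Hash []byte
}

// hashIterations is an assumed work factor; it only exists to make the
// verification cost noticeable, as a real password hash would.
const hashIterations = 20000

// HashPassword is the example's stand-in for a slow password hash.
func HashPassword(password string, salt []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 1; i < hashIterations; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum[:]
}

func NewPasswordRecord(password string, salt []byte) PasswordRecord {
	return PasswordRecord{Salt: salt, Hash: HashPassword(password, salt)}
}

// dummyRecord is verified against whenever the username is unknown, so a login
// attempt costs the same hashing work whether or not the user exists. Its
// password is never accepted because AuthenticateUser also requires found.
var dummyRecord = NewPasswordRecord("dummy-password-never-accepted", []byte("dummy-salt"))

// AuthenticateUser returns true only for a known user with the right password,
// but always performs exactly one full hash verification.
func AuthenticateUser(users map[string]PasswordRecord, username, password string) bool {
	rec, found := users[username]
	if !found {
		rec = dummyRecord
	}
	computed := HashPassword(password, rec.Salt)
	match := subtle.ConstantTimeCompare(computed, rec.Hash) == 1
	return found && match
}

func main() {
	// Constructed sample data: one user and one client's Basic header.
	users := map[string]PasswordRecord{
		"alice": NewPasswordRecord("correct horse battery staple", []byte("alice-salt")),
	}
	hdr := "Basic " + base64.StdEncoding.EncodeToString([]byte("my-client:s3cret%21"))
	id, secret, err := ParseClientSecretBasic(hdr)
	fmt.Println(id, secret, err, SecretsMatch(secret, "s3cret!"))
	fmt.Println(AuthenticateUser(users, "alice", "correct horse battery staple"))
	fmt.Println(AuthenticateUser(users, "nobody", "anything"))
}
```

The point of the dummy record is that the unknown-user path and the wrong-password path do the same amount of work, so response time no longer tells a caller which usernames exist; the `found && match` result is computed only after the hash has been evaluated in both cases.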
Bug Fixes & Compliance
- RFC 6749 compliant error responses - Detailed error codes and WWW-Authenticate headers for client authentication failures
- Refresh token scope compliance - Refresh tokens now match original scope per RFC 6749
- AMR claim format fix - Now correctly returns JSON array per OIDC Core 1.0 Section 2
- Session ACR/AMR step-up fix - Centralized ACR comparison logic for proper step-up authentication
- Removed typ claim from ID token - Satisfies OIDC conformance suite requirements
- auth_time handling - Properly set based on current authentication completion in implicit flow
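The refresh-token scope rule from the list above, as an added Go example written for this page (not Goiabada's code): tokens issued from a refresh_token grant may carry the original scope or a subset of it, never more, and an empty scope request means "the same scope as before". The scope strings are constructed samples.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ParseScope turns a space-delimited OAuth2 scope string (RFC 6749 section 3.3)
// into a set; repeated scopes and extra whitespace are ignored.
func ParseScope(s string) map[string]struct{} {
	set := make(map[string]struct{})
	for _, tok := range strings.Fields(s) {
		set[tok] = struct{}{}
	}
	return set
}

// joinSorted renders a scope set as a space-delimited string in stable order.
func joinSorted(set map[string]struct{}) string {
	out := make([]string, 0, len(set))
	for s := range set {
		out = append(out, s)
	}
	sort.Strings(out)
	return strings.Join(out, " ")
}

// ScopeForRefresh decides the scope of tokens issued from a refresh_token
// grant, following RFC 6749 section 6: the requested scope must not include
// anything the original grant did not contain, and an empty request means the
// original scope is reused. Any attempt to widen the scope is rejected with
// the invalid_scope error code from RFC 6749 section 5.2.
func ScopeForRefresh(originalScope, requestedScope string) (string, error) {
	original := ParseScope(originalScope)
	requested := ParseScope(requestedScope)
	if len(requested) == 0 {
		return joinSorted(original), nil
	}
	var escalated []string
	for s := range requested {
		if _, ok := original[s]; !ok {
			escalated = append(escalated, s)
		}
	}
	if len(escalated) > 0 {
		sort.Strings(escalated)
		return "", fmt.Errorf("invalid_scope: not granted to the original token: %s", strings.Join(escalated, " "))
	}
	return joinSorted(requested), nil
}

func main() {
	// Constructed cases: the scope the refresh token was originally issued
	// with, and what the client asks for when refreshing.
	for _, c := range [][2]string{
		{"openid profile email", ""},
		{"openid profile email", "openid email"},
		{"openid profile", "openid profile admin"},
	} {
		scope, err := ScopeForRefresh(c[0], c[1])
		fmt.Printf("original=%q requested=%q -> scope=%q err=%v\n", c[0], c[1], scope, err)
	}
}
```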
Updated docs
Release 1.3.0
What's new in release v1.3.0
OpenAPI Specification
- Added complete OpenAPI 3.0 specification accessible at {authserver-base-url}/openapi.yaml for automatic client generation and API testing tools integration
REST API Documentation
- Complete REST API documentation with step-by-step setup instructions
Configuration simplification
- Removed internal base URL configuration for admin console and streamlined environment variable documentation
This release includes a database schema change for permission management. The migration runs automatically on startup but requires a brief downtime:
- Admin console permissions have been migrated from adminconsole resource to authserver resource
- Migration 000005_move_adminconsole_permissions will execute automatically
- Applies to all database types (MySQL, PostgreSQL, SQL Server, SQLite)
- Recommendation: backup your database before upgrading!
The migration is backward-compatible and handles the transition automatically.
Release 1.2.1
What's new in v1.2.1?
- goiabada-setup CLI tool: new interactive command line setup wizard to help users configure and deploy Goiabada with Docker Compose and Kubernetes. No more complicated two-stage bootstraps.
- New documentation site: migrated from Mkdocs to Astro Starlight with improved UX
- Updated dependency modernc.org/libc to v1.67.1
- Improved GitHub Actions workflows with Go module caching for faster builds
Check out the new website! https://goiabada.dev
Release 1.2
v1.2 introduces important architectural refactoring and enhancements.
Architecture improvements
- Admin console refactoring: The admin console previously communicated with the database directly. In this release, it now communicates with the auth server using secure HTTP calls (OAuth2), ensuring only the auth server accesses the database directly. This separation of concerns improves security and scalability.
- Enhanced session management: Introduced a new Chunked Cookie Store for improved HTTP session handling, enabling support for larger session data with automatic chunking and metadata management.
New features
- Dynamic Client Registration (RFC 7591) #24. Added standards-compliant Dynamic Client Registration, allowing OAuth2 clients to self-register programmatically. Good for MCP servers and native applications. Thanks @katesclau for the suggestion!
- 'nbf' (Not Before) claim #25. JWT tokens now include the nbf claim (defaulting to the same value as iat) for improved token validation and security. Thanks @Henelik for the suggestion!
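Where the nbf claim fits on the receiving side, as an added Go example written for this page (it is not Goiabada's code and does not show how the server builds its tokens): a verifier checks exp, nbf and iat against the current time with a small leeway for clock skew, and rejects a token that is not yet valid even though it has not expired. The payloads are constructed JSON, as they would look after base64url-decoding a JWT's second segment; the choice to fall back to iat when nbf is absent is this example's own, mirroring the release's nbf-defaults-to-iat behaviour, and is not a JWT rule.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TimeClaims holds the registered time-related JWT claims. Pointers distinguish
// an absent claim from a zero value. All are NumericDate (Unix seconds).
type TimeClaims struct {
	Iat *int64 `json:"iat,omitempty"`
	Nbf *int64 `json:"nbf,omitempty"`
	Exp *int64 `json:"exp,omitempty"`
}

// Leeway absorbs small clock differences between issuer and verifier.
const Leeway = 30 * time.Second

// ValidateTimeClaims applies RFC 7519 sections 4.1.4 to 4.1.6: now must be
// before exp, and not before nbf (or iat, the example's fallback when nbf is
// absent); an iat in the future beyond the leeway is also rejected.
func ValidateTimeClaims(c TimeClaims, now time.Time) error {
	if c.Exp == nil {
		return errors.New("missing exp claim")
	}
	if !now.Before(time.Unix(*c.Exp, 0).Add(Leeway)) {
		return fmt.Errorf("token expired at %d", *c.Exp)
	}
	notBefore := c.Nbf
	if notBefore == nil {
		notBefore = c.Iat // assumed fallback: treat the token as valid from issuance
	}
	if notBefore != nil && now.Add(Leeway).Before(time.Unix(*notBefore, 0)) {
		return fmt.Errorf("token not valid before %d", *notBefore)
	}
	if c.Iat != nil && now.Add(Leeway).Before(time.Unix(*c.Iat, 0)) {
		return fmt.Errorf("token issued in the future (iat %d)", *c.Iat)
	}
	return nil
}

// ValidateTimeClaimsJSON parses a decoded JWT payload and validates its time
// claims. Signature verification is out of scope here and must happen first.
func ValidateTimeClaimsJSON(payload []byte, now time.Time) error {
	var c TimeClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("invalid claims JSON: %w", err)
	}
	return ValidateTimeClaims(c, now)
}

func main() {
	now := time.Unix(1_700_000_000, 0) // fixed "current time" for the demo
	// Constructed payloads; only the time claims are shown.
	for name, payload := range map[string]string{
		"valid":            `{"iat":1699999990,"exp":1700003600}`,
		"nbf in future":    `{"iat":1699999990,"nbf":1700000600,"exp":1700003600}`,
		"nbf within skew":  `{"iat":1699999990,"nbf":1700000020,"exp":1700003600}`,
		"expired":          `{"iat":1699990000,"exp":1699999000}`,
		"future iat, no nbf": `{"iat":1700000600,"exp":1700003600}`,
	} {
		fmt.Printf("%-20s %v\n", name, ValidateTimeClaimsJSON([]byte(payload), now))
	}
}
```

Because the release sets nbf equal to iat, a verifier that enforces nbf gains nothing new for Goiabada's own tokens but becomes robust against tokens from issuers that deliberately set nbf ahead of iat; the leeway keeps a few seconds of clock drift between the auth server and resource servers from turning fresh tokens into rejections.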
Bug fixes
- Session deletion handling #26. Fixed session deletion to properly trigger logout for current sessions, ensuring users are immediately logged out when their sessions are removed. Thanks @mur4s4m3 for reporting!
Maintenance
- Dependency updates: Updated all dependencies to their latest versions, including Go 1.25.4, Tailwind CSS 4.1.12, DaisyUI 5.5.5, and PostgreSQL 18.3
⚠️ Breaking Changes - Migration from v1.1 to v1.2
Version 1.2 requires configuration changes for existing installations. Follow these migration steps carefully before upgrading.
Before upgrading to v1.2:
- Backup your database (important for rollback if needed).
- Plan for brief downtime. Users will be logged out during upgrade.
- Prepare environment variable changes (detailed below).
Step-by-step migration guide
Step 1: generate session keys
Version 1.2 requires four new session keys (previously stored in the database). Generate them using OpenSSL:
# Generate auth server authentication key (64 bytes = 128 hex characters)
openssl rand -hex 64
# Generate auth server encryption key (32 bytes = 64 hex characters)
openssl rand -hex 32
# Generate admin console authentication key (64 bytes = 128 hex characters)
openssl rand -hex 64
# Generate admin console encryption key (32 bytes = 64 hex characters)
openssl rand -hex 32
Save these keys. You'll add them to your configuration in the next steps.
Step 2: retrieve admin console OAuth credentials
The admin console now authenticates to the auth server using OAuth2. You need to retrieve the OAuth client secret from your v1.1 installation.
To get the client secret:
- Log in to your v1.1 admin console (before upgrading)
- Navigate to Clients in the menu
- Find and click on the client named admin-console-client
- Go to the Authentication tab
- Copy the client secret and save it securely
Note: The client identifier is always "admin-console-client". You only need to copy the secret.
Step 3: update environment variables
Auth Server - add these variables
# Session keys (generated in Step 1) - REQUIRED
GOIABADA_AUTHSERVER_SESSION_AUTHENTICATION_KEY=<your-128-char-hex-key>
GOIABADA_AUTHSERVER_SESSION_ENCRYPTION_KEY=<your-64-char-hex-key>
# Internal base URL for container-to-container communication - REQUIRED
GOIABADA_AUTHSERVER_INTERNALBASEURL=http://goiabada-authserver:9090
# Optional but recommended for production
GOIABADA_AUTHSERVER_RATELIMITER_ENABLED=true
Admin Console - add these variables
# Session keys (generated in Step 1) - REQUIRED
GOIABADA_ADMINCONSOLE_SESSION_AUTHENTICATION_KEY=<your-128-char-hex-key>
GOIABADA_ADMINCONSOLE_SESSION_ENCRYPTION_KEY=<your-64-char-hex-key>
# OAuth credentials (retrieved in Step 2) - REQUIRED
GOIABADA_ADMINCONSOLE_OAUTH_CLIENT_ID=admin-console-client
GOIABADA_ADMINCONSOLE_OAUTH_CLIENT_SECRET=<your-client-secret>
# Auth server internal URL - REQUIRED
GOIABADA_AUTHSERVER_INTERNALBASEURL=http://goiabada-authserver:9090
Admin Console - remove these variables
The admin console no longer accesses the database. Remove these variables from your configuration:
GOIABADA_ADMINCONSOLE_LOG_SQL
GOIABADA_ADMINCONSOLE_AUDIT_LOGS_IN_CONSOLE
GOIABADA_DB_TYPE
GOIABADA_DB_USERNAME
GOIABADA_DB_PASSWORD
GOIABADA_DB_HOST
GOIABADA_DB_PORT
GOIABADA_DB_NAME
GOIABADA_DB_DSN
Step 4: upgrade and verify
- Stop your current v1.1 deployment:
  docker-compose down
- Backup your database (if not already done)
- Pull the v1.2 images:
  docker-compose pull
- Start the services:
  docker-compose up -d
- Monitor the logs:
  # Watch auth server logs
  docker-compose logs -f goiabada-authserver
  # Watch admin console logs
  docker-compose logs -f goiabada-adminconsole
- Verify startup:
  - Auth server should start without session key validation errors
  - Database migrations (000003, 000004) should run automatically
  - Admin console should successfully authenticate with auth server
- Test functionality:
  - Log in to the admin console
  - Verify you can access user management, client management, etc.
  - Check that all features work as expected
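A pre-flight check for the migration above, as an added Go example written for this page (it is not part of Goiabada and does not reproduce its startup validation): it reads the variables from Steps 1 and 3, confirms each session key is hex of the documented length and not a leftover placeholder, refuses keys that were pasted twice, and flags admin console configuration that still carries the removed database variables. Running it against the new environment before `docker-compose up -d` catches the "session key validation errors" the verify step warns about. The variable names and the fixed client id come from the guide; the sample values in the usage are constructed.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"os"
	"strings"
)

// The four session keys from Step 1 and the byte length each hex value must
// decode to (openssl rand -hex 64 = 64 bytes/128 hex chars, -hex 32 = 32 bytes/64 hex chars).
var sessionKeySpec = []struct {
	Name  string
	Bytes int
}{
	{"GOIABADA_AUTHSERVER_SESSION_AUTHENTICATION_KEY", 64},
	{"GOIABADA_AUTHSERVER_SESSION_ENCRYPTION_KEY", 32},
	{"GOIABADA_ADMINCONSOLE_SESSION_AUTHENTICATION_KEY", 64},
	{"GOIABADA_ADMINCONSOLE_SESSION_ENCRYPTION_KEY", 32},
}

// Database variables Step 3 says to drop from the admin console configuration.
var removedAdminConsoleVars = []string{
	"GOIABADA_ADMINCONSOLE_LOG_SQL", "GOIABADA_ADMINCONSOLE_AUDIT_LOGS_IN_CONSOLE",
	"GOIABADA_DB_TYPE", "GOIABADA_DB_USERNAME", "GOIABADA_DB_PASSWORD", "GOIABADA_DB_HOST",
	"GOIABADA_DB_PORT", "GOIABADA_DB_NAME", "GOIABADA_DB_DSN",
}

// isPlaceholder flags an empty value or a "<your-...>" template left unfilled.
func isPlaceholder(v string) bool { return v == "" || strings.HasPrefix(v, "<") }

// CheckSessionKeys verifies each key is set, is valid hex of the documented
// length, and is not reused for another purpose. It returns one line per problem.
func CheckSessionKeys(env map[string]string) []string {
	var problems []string
	seen := map[string]string{} // decoded key -> first variable carrying it
	for _, spec := range sessionKeySpec {
		val := env[spec.Name]
		raw, err := hex.DecodeString(val)
		switch {
		case isPlaceholder(val):
			problems = append(problems, spec.Name+": missing or placeholder value")
		case err != nil:
			problems = append(problems, spec.Name+": not valid hex")
		case len(raw) != spec.Bytes:
			problems = append(problems, fmt.Sprintf("%s: expected %d bytes (%d hex chars), got %d bytes",
				spec.Name, spec.Bytes, 2*spec.Bytes, len(raw)))
		case seen[string(raw)] != "":
			problems = append(problems, spec.Name+": same value as "+seen[string(raw)]+", generate a separate key")
		default:
			seen[string(raw)] = spec.Name
		}
	}
	return problems
}

// CheckAdminConsoleEnv applies the Step 3 admin console rules: the OAuth client
// id is fixed, the secret and the internal auth server URL must be set, and
// the old database variables must be gone.
func CheckAdminConsoleEnv(env map[string]string) []string {
	var problems []string
	if env["GOIABADA_ADMINCONSOLE_OAUTH_CLIENT_ID"] != "admin-console-client" {
		problems = append(problems, "GOIABADA_ADMINCONSOLE_OAUTH_CLIENT_ID: must be admin-console-client")
	}
	for _, name := range []string{"GOIABADA_ADMINCONSOLE_OAUTH_CLIENT_SECRET", "GOIABADA_AUTHSERVER_INTERNALBASEURL"} {
		if isPlaceholder(env[name]) {
			problems = append(problems, name+": missing or placeholder value")
		}
	}
	for _, name := range removedAdminConsoleVars {
		if _, present := env[name]; present {
			problems = append(problems, name+": no longer read by the admin console, remove it")
		}
	}
	return problems
}

func main() {
	// Usage: export the new variables, then run the check before starting v1.2.
	env := map[string]string{}
	for _, kv := range os.Environ() {
		if k, v, ok := strings.Cut(kv, "="); ok {
			env[k] = v
		}
	}
	problems := append(CheckSessionKeys(env), CheckAdminConsoleEnv(env)...)
	for _, p := range problems {
		fmt.Println("PROBLEM:", p)
	}
	if len(problems) > 0 {
		os.Exit(1)
	}
	fmt.Println("environment matches the v1.2 migration guide")
}
```

The duplicate-key check matters more than it looks: the four `openssl rand` commands in Step 1 are easy to paste into the wrong line, and reusing the same bytes as both authentication and encryption key, or sharing a key between the auth server and the admin console, silently removes the separation the two components are meant to have.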
Release 0.6
- Fixed a bug where the application crashed when admin was searching for members of a group.
- Improved error message when there's a panic.
- Added integration tests.
- Bumped dependencies.
- Other minor UI/text updates.
Release 0.5
- Removed GORM. It's a great library, but it was causing issues while I was trying to add support for Microsoft SQL Server. Some of the update statements generated by GORM were huge, and the MSSQL engine was unable to process them. I think having control over the generated SQL is more important than the development convenience given by GORM.
- Added an HTTP rate limiter, to enhance security against brute force attacks.
- Improved errors output in the console log. They will now show the stack trace, to help with troubleshooting.
- Replaced the HTML sanitization library for better protection against XSS.
- Introduced max length for password, and max string length for some user-agent strings, for security (thanks @aboyadzhiev).
- Updated docs.
- Added more integration tests.
- Bumped dependencies.
- Changed the Goiabada version schema. We're cutting out the middle number, so from v0.0.4 we're jumping to v0.5.
Breaking change ⚠️
The GORM dependency removal involved some serious refactoring. As part of that, the DB schema has changed and Goiabada won't migrate it automatically from v0.0.4 to this release. The next releases will support automatic migrations, but not this one.
To mitigate issues for current users, I'm making available two SQL scripts (for MySQL and SQLite). You can use the scripts to migrate the database schema if you need to keep your v0.0.4 data in this new version. The scripts are attached to this release.
Release 0.0.4
- Fixing a bug in the Audit code where user self-registration was causing a panic.
Thanks very much to @aboyadzhiev for identifying this bug and sending the pull request.
Docker images: https://hub.docker.com/r/leodip/goiabada/tags
Release 0.0.3
- GORM http session store
- SQLite database support
- Better defaults for environment variables
- Better support for running Goiabada outside of a container
- Increased test coverage
- Bumped dependencies versions
- Updated docs
Big thanks to @bukodi for the contributions to this release!
Docker images: https://hub.docker.com/r/leodip/goiabada/tags