Add context.Context parameter to checksum computation functions
to enable request cancellation, timeout propagation, and better
observability for remote document downloads.
Add context.Context parameter to cryptographic signature operations
to enable distributed tracing, timeout propagation, and cancellation
handling throughout the signature creation pipeline.
This is a breaking change for the cryptoSigner interface but
maintains backward compatibility at the API level.
Improve the email retry mechanism by adding 0-30% random jitter
to the exponential backoff calculation. This prevents multiple
failed emails from retrying at exactly the same time, which could
cause load spikes on the SMTP server.
Example retry times (with jitter):
- 1st retry: 1.0-1.3 minutes
- 2nd retry: 2.0-2.6 minutes
- 3rd retry: 4.0-5.2 minutes
Changes:
- Replace fmt.Println with logger.Logger.Warn in config loading
- Remove client_id and auth URLs from OAuth provider logs
- Remove user email, name, and sub from authentication logs
- Use structured logging for worker shutdown errors
- Fix MagicLink status logging (only log when actually enabled)
Backend:
- Add Search() method to DocumentRepository for ILIKE pattern matching on doc_id, title, url, description
- Add Count() method to accurately count total matching documents (used for pagination)
- Update admin handler to support search query parameter with proper pagination
- Implement full public documents API with search support (previously stub)
- Update test mocks to include new repository methods
Frontend:
- Replace client-side filtering with server-side search in admin dashboard
- Add debounced search input (300ms delay) to reduce API calls
- Separate loading states: initial page load vs. search/pagination (prevents input focus loss)
- Add visual feedback: spinning loader icon in search field during active search
- Enable pagination during search (previously disabled)
- Pass search parameter to API service
* feat(mail): add option to skip TLS certificate verification
Add ACKIFY_MAIL_INSECURE_SKIP_VERIFY environment variable to allow
bypassing TLS certificate verification for self-signed certificates.
This is useful for development/testing environments with self-signed
SMTP certificates while maintaining secure defaults (false by default).
* docs: add ACKIFY_MAIL_INSECURE_SKIP_VERIFY documentation
Backend changes:
- Add SMTPEnabled flag to distinguish SMTP service from MagicLink authentication
- Fix URL-encoded email decoding in DELETE /signers/{email} endpoint
- Add detailed error logging for expected signer removal operations
- Initialize ReminderAsync and MagicLink services unconditionally
- Update config tests to reflect new MagicLink requires explicit enabling
Frontend changes:
- Add ACKIFY_SMTP_ENABLED window variable for feature detection
- Hide delete button for expected signers who have already signed
- Show email reminders card only when SMTP enabled or history exists
- Display informative alert when SMTP disabled but reminder history present
- Add i18n translations for email service disabled message (5 languages)
These changes improve admin experience by preventing invalid operations
(deleting signers who signed, sending emails without SMTP) and providing
clear feedback about feature availability.
- Move /logout route outside OAuth-only block to support both OAuth
and MagicLink authentication methods.
- Also fix notification icon alignment in AuthChoicePage.
- And add press-kit inside /docs
Add new configuration option ACKIFY_ONLY_ADMIN_CAN_CREATE (default: false) to control who can create documents.
Backend changes:
- Add OnlyAdminCanCreate config field to AppConfig
- Implement authorization checks in document handlers
- Protect POST /documents and GET /documents/find-or-create endpoints
- Add unit tests for admin-only document creation (4 tests)
Frontend changes:
- Inject ACKIFY_ONLY_ADMIN_CAN_CREATE to window object
- Hide DocumentForm component for non-admin users when enabled
- Add i18n translations (en, fr, es, de, it)
- Display warning message for non-admin users
Documentation:
- Update .env.example files with new variable
- Update configuration docs (en/fr)
- Update install script to prompt for restriction option
- Update install/README.md
When enabled, only users listed in ACKIFY_ADMIN_EMAILS can create new documents. Both direct creation and find-or-create endpoints are protected.
Add authentication tokens embedded in reminder emails allowing users to
authenticate and sign documents in one click.
Changes:
- Add 'purpose' (login/reminder_auth) and 'doc_id' columns to magic_link_tokens
- Implement CreateReminderAuthToken (24h validity) and VerifyReminderAuthToken
- Create reminder auth handler and route (/api/v1/auth/reminder-link/verify)
- Update ReminderService and ReminderAsyncService to generate auth tokens
- Fix table name mismatch: magic_links → magic_link_tokens throughout
- Reorder service initialization in server.go for proper dependencies
Token validity:
- Magic Link: 15 minutes (login)
- Reminder Auth: 24 hours (document signature)
The reminder auth flow:
1. Admin sends reminder
2. User receives email with auth link
3. User clicks link → auto-authenticated if not logged in
4. User redirected to document signature page
5. If already authenticated with correct account, skip auth step
The magic link email is now sent in the same language as the frontend
at the time of the request, matching the behavior of reminder emails.
Changes:
- Modified MagicLinkService.RequestMagicLink to accept locale parameter
- Handler extracts locale using i18n.GetLangFromRequest() from HTTP headers
- Falls back to "en" if locale is empty
- Consistent with reminder email locale detection
- feat(admin): accept URLs, file paths, and IDs in document creation form
- Modified AdminDashboard to use findOrCreateDocument service
- Now matches user UI functionality for flexible document references
- feat(i18n): replace all hardcoded French texts with translation keys
- Added 50+ new translation keys across admin and user interfaces
- Updated 7 Vue components: AdminDashboard, AdminDocumentDetail,
DocumentForm, SignButton, SignatureList, SignaturesPage, EmbedPage
- Synchronized all new keys to 5 languages (fr, en, es, de, it)
- All templates now use vue-i18n with proper parameterized translations
- Zero hardcoded texts remaining in HTML templates
Change test URLs from '/sign?doc=' to '/?doc=' to match the correct
frontend route after the URL path correction in reminder emails.
Updated base64 encoded state in callback test:
- Old: L3NpZ24_ZG9jPXRlc3Q (decodes to /sign?doc=test)
- New: Lz9kb2M9dGVzdA (decodes to /?doc=test)
Change signature URL in reminder emails from '/sign?doc=' to '/?doc='
to match the correct frontend route.
Updated in:
- ReminderService.sendSingleReminder
- ReminderAsyncService.queueSingleReminder
- Email helper tests
Backend changes:
- Use 'else if' to prevent activating both TLS and STARTTLS simultaneously
- Add StartTLSPolicy = MandatoryStartTLS for proper STARTTLS enforcement
- Add comments explaining TLS modes (implicit SSL vs explicit STARTTLS)
Install script changes:
- Auto-detect TLS configuration based on port number
- Port 465 → TLS=true, STARTTLS=false (implicit SSL)
- Port 587 → TLS=false, STARTTLS=true (explicit TLS/STARTTLS)
- Non-standard ports → manual configuration with clear prompts
This fixes timeout errors when sending emails via Gmail SMTP (port 587)
which requires STARTTLS, not direct TLS connection.
- Add ACKIFY_AUTH_OAUTH_ENABLED=true when OAuth is configured
- Add ACKIFY_AUTH_OAUTH_ENABLED=false when OAuth is not configured
- Write ACKIFY_AUTH_MAGICLINK_ENABLED with true/false value explicitly
- Provides clear visibility of enabled authentication methods in .env
These variables are already passed to containers via compose files.
Complete both compose.yml and compose-traefik.yml with missing environment
variables:
OAuth variables:
- OAUTH_SCOPES, OAUTH_GITLAB_URL, OAUTH_AUTO_LOGIN
- AUTH_OAUTH_ENABLED, AUTH_MAGICLINK_ENABLED
- Add fallback defaults (:-) for all OAuth variables
Mail/SMTP variables:
- MAIL_USERNAME, MAIL_PASSWORD, MAIL_TIMEOUT
- MAIL_SUBJECT_PREFIX, MAIL_TEMPLATE_DIR, MAIL_DEFAULT_LOCALE
- Fix MAIL_TLS and MAIL_STARTTLS to use env variables instead of hardcoded false
This ensures MagicLink authentication works properly when SMTP is configured.
- Add ACKIFY_LOG_LEVEL=info to prevent Docker Compose warning
- Fix ACKIFY_ED25519_PRIVATE_KEY_B64 -> ACKIFY_ED25519_PRIVATE_KEY
to match expected variable name in backend code
- Use cut with dot counting for more robust subdomain removal
(sign.kolapsis.com -> kolapsis.com)
- Redirect password prompt newline to stderr to avoid polluting
captured variable value
The rate limiting test was failing in CI because after reloading the page
with cy.visitWithLocale('/auth'), it immediately tried to access form
elements without waiting for the page to be fully loaded.
In local environments this worked because it's faster, but in CI the timing
was different causing the test to fail with 'expected to find content:
Check your email but never did'.
Added explicit waits for #app and 'Sign in to Ackify' after each page
reload to ensure the page is fully loaded before continuing.
The Go binary embeds static files from backend/cmd/community/web/dist
via go:embed directive. The e2e-tests workflow was building the frontend
in webapp/dist but not copying it to the embed location before compiling,
resulting in an empty app (no Vue frontend loaded).
This commit adds the missing copy step, matching the Dockerfile build process.
The e2e-tests workflow was failing because the application couldn't find
the locales/en.json and templates files. These files are in backend/locales
and backend/templates, but the standalone binary expects them at the root.
This commit adds a step to copy these directories before starting the server.
- Now can activate OIDC and/or MagicLink for user authentication.
- Add page to choose authentication method (if only OIDC is enabled, auto redirecting to login screen)
- Envoi des événements vers des URLs configurées
- Signature HMAC-SHA256 via en-tête X-Signature (secret partagé)
- Retentatives avec backoff exponentiel et jitter
- Timeout réseau et gestion des erreurs/transitoires
- Idempotence par event_id et journalisation structurée
- Paramètres: WEBHOOK_URLS, WEBHOOK_SECRET, WEBHOOK_TIMEOUT_MS, WEBHOOK_MAX_RETRIES
- Replace nanosecond+pid with crypto/rand generated hex (16 chars)
- Fixes race condition where parallel tests starting at same nanosecond
would share the same database name
- Ensures true isolation even with hundreds of concurrent tests
- Resolves duplicate key constraint violations in CI (perf-doc, test-doc, etc.)
- Fix migration path lookup to check both './migrations' and './backend/migrations'
- Remove hardcoded test schema in admin handler tests
- Use database.SetupTestDB which applies all migrations automatically
- Ensures test schema matches production schema with all columns (deleted_at, doc_checksum, etc.)
- Fixes test failures in CI where admin handler tests returned empty responses
