Go's http.DetectContentType fails to recognize minimal/malformed image
files and returns application/octet-stream. Added common image extensions
(.png, .jpg, .jpeg, .gif, .webp) to the extension-based fallback map
so content type is correctly determined from filename when magic byte
detection fails.
Reader options (readMode, allowDownload, requireFullRead, verifyChecksum)
were not being saved during document upload.
SimpleAuthorizer now reads the setting dynamically from ConfigService
instead of using a static value set at startup. This allows admins to
toggle document creation permissions via the settings UI without
requiring a server restart.
Fixes#14Fixes#15
Move all service creation (I18n, Email, MagicLink, Session, Config)
from main.go into ServerBuilder.Build(), making main.go minimal and
self-contained.
- ServerBuilder now only requires WithDB() and WithTenantProvider()
- AuthProvider and Authorizer have sensible CE defaults
- Rename DynamicAuthProvider → auth.Provider for simplicity
- Remove unused With* methods for internal services
- Add new config handler to serve public app configuration
- Create Pinia config store to load and cache configuration
- Remove window variable injection from static.go and index.html
- Update all components to use config store instead of window vars
- Remove deprecated /api/v1/auth/config endpoint (merged into /config)
- Update Cypress tests with proper type annotations
- Add extractErrorDetails() to get both error code and message
- Use error codes to show appropriate translated messages in DocumentCreateForm
- Add translation keys for auth and permission errors
Replace static window variables (ACKIFY_OAUTH_ENABLED, ACKIFY_MAGICLINK_ENABLED)
with dynamic API call to /api/v1/auth/config. This allows auth methods to be
changed without rebuilding the frontend and supports dynamic tenant configuration.
Instead of failing when bucket doesn't exist, attempt to create it.
This improves the initial setup experience with MinIO and other S3
compatible storage providers.
MagicLinkRepository was bypassing RLS by using r.db directly instead of
dbctx.GetQuerier(ctx, r.db). This meant queries ran outside the
transaction with app.tenant_id set, causing RLS policies to not apply.
All methods now use dbctx.GetQuerier to properly participate in the
RLS transaction context.
- Move service initialization (MagicLink, Email, i18n) to main.go
- Change signature lookup from user_sub to email for cross-auth consistency
- Remove OauthService wrapper, simplify auth layer
- Pass parent context to workers for graceful shutdown
- Fix IP extraction from RemoteAddr with port
- Add compact mode to SignatureList component
- Update Cypress tests with new data-testid attributes
- Create unified AuthProvider interface in pkg/providers/interfaces.go
supporting OIDC, MagicLink, and session management
- Implement DynamicAuthProvider that reads config from ConfigService
on each request, enabling hot-reload of auth settings
- Simplify ServerBuilder by removing separate oauthProvider and flags
- Consolidate auth handlers into single handler.go using unified interface
- Remove obsolete providers (oauth_provider.go, magiclink_provider.go)
- Remove separate magic_link_handler.go and reminder_auth_handler.go
- Update tests with new mockAuthProvider implementing full interface
- Fix config_service_test.go SMTP validation (requires Host + From)
- Add extension-based MIME type refinement for text formats (.md, .docx, .xlsx, .odt, .ods)
- Add charset=utf-8 for text-based MIME types in Content-Type header
- Support ODF formats (OpenDocument Text/Spreadsheet)
- Unify compose templates into single compose.yml.template with region markers
- Add update mode to install script to preserve existing configuration
- Extend file upload accept list in DocumentCreateForm
- Remove binary file from repository
- New design system (IBM Plex fonts, slate palette, dark mode)
- Complete refactor of components and pages
- Add favicon, PWA icons and new logo
- Minor fixes (null handling, translations, navigation)
BREAKING CHANGE: ACKIFY_APP_PASSWORD environment variable is now required for RLS support. The migrate tool creates the ackify_app role before running migrations, ensuring compatibility with existing deployments.
Changes:
- Add ensureAppRole() in cmd/migrate to create/update ackify_app role
- Remove docker/init-scripts/01-create-app-user.sh (no longer needed)
- Update compose.yml: add ACKIFY_APP_PASSWORD, backend connects as ackify_app
- Update migration 0016: remove conditional role creation
- Add RLS documentation (docs/en/configuration/rls.md, docs/fr/configuration/rls.md)
- Update configuration docs with RLS section and security checklist
Migration path for existing deployments:
1. Set ACKIFY_APP_PASSWORD in .env
2. Run docker compose up (migrate will create the role automatically)
