Commit Graph

79 Commits

Author SHA1 Message Date
Benjamin
77018a975d feat: improve build stage 2025-10-26 22:44:30 +01:00
Benjamin
714f122cfa fix: missing database integration test 2025-10-26 21:52:32 +01:00
Benjamin
c5e41e9e93 fix: split unit and integration coverage 2025-10-26 18:47:54 +01:00
Benjamin
ee02df0287 fix: use random hex for test database names to prevent collisions
- Replace nanosecond+pid with crypto/rand generated hex (16 chars)
- Fixes race condition where parallel tests starting at same nanosecond
  would share the same database name
- Ensures true isolation even with hundreds of concurrent tests
- Resolves duplicate key constraint violations in CI (perf-doc, test-doc, etc.)
2025-10-26 16:21:43 +01:00
Benjamin
8ca23ce736 fix: ensure migrations directory is found in CI tests
- Fix migration path lookup to check both './migrations' and './backend/migrations'
- Remove hardcoded test schema in admin handler tests
- Use database.SetupTestDB which applies all migrations automatically
- Ensures test schema matches production schema with all columns (deleted_at, doc_checksum, etc.)
- Fixes test failures in CI where admin handler tests returned empty responses
2025-10-26 13:57:06 +01:00
Benjamin
2410653f63 fix: integration tests concurrency + missing column due to a hardcoded database struct (removed) 2025-10-26 13:37:40 +01:00
Benjamin
c738763ac3 fix: integration tests concurrency 2025-10-26 11:37:41 +01:00
Benjamin
7291c1083b fix: makefile to make coverage-all in 2 stages, unit and then integration 2025-10-26 02:45:53 +02:00
Benjamin
68426bc882 feat: add PKCE support to OAuth2 flow for enhanced security
- Implement PKCE (Proof Key for Code Exchange) with S256 method
- Add crypto/pkce module with code verifier and challenge generation
- Modify OAuth flow to include code_challenge in authorization requests
- Update HandleCallback to validate code_verifier during token exchange
- Extend session lifetime from 7 to 30 days
- Add comprehensive unit tests for PKCE functions
- Maintain backward compatibility with fallback for non-PKCE sessions
- Add detailed logging for OAuth flow with PKCE tracking

PKCE enhances security by preventing authorization code interception
attacks, as recommended by OAuth 2.1 and OIDC standards.

feat: add encrypted refresh token storage with automatic cleanup

- Add oauth_sessions table for storing encrypted refresh tokens
- Implement AES-256-GCM encryption for refresh tokens using cookie secret
- Create OAuth session repository with full CRUD operations
- Add SessionWorker for automatic cleanup of expired sessions
- Configure cleanup to run every 24h for sessions older than 37 days
- Modify OAuth flow to store refresh tokens after successful authentication
- Track client IP and user agent for session security validation
- Link OAuth sessions to user sessions via session ID
- Add comprehensive encryption tests with security validations
- Integrate SessionWorker into server lifecycle with graceful shutdown

This enables persistent OAuth sessions with secure token storage,
reducing the need for frequent re-authentication from 7 to 30 days.
2025-10-26 02:32:10 +02:00
Benjamin
e95185f9c7 feat: migrate to Vue.js SPA with API-first architecture
Major refactoring to modernize the application architecture:

Backend changes:
- Restructure API with v1 versioning and modular handlers
- Add comprehensive OpenAPI specification
- Implement RESTful endpoints for documents, signatures, admin
- Add checksum verification system for document integrity
- Add server-side runtime injection of ACKIFY_BASE_URL and meta tags
- Generate dynamic Open Graph/Twitter Card meta tags for unfurling
- Remove legacy HTML template handlers
- Isolate backend source in a dedicated folder
- Improve test suite

Frontend changes:
- Migrate from Go templates to Vue.js 3 SPA with TypeScript
- Add Tailwind CSS with shadcn/vue components
- Implement i18n support (fr, en, es, de, it)
- Add admin dashboard for document and signer management
- Add signature tracking with file checksum verification
- Add embed page with sign button linking to main app
- Implement dark mode and accessibility features
- Auto-load file to compute checksum

Infrastructure:
- Update Dockerfile for SPA build process
- Simplify deployment with embedded frontend assets
- Add migration for checksum_verifications table

This enables better UX, proper link previews on social platforms,
and provides a foundation for future enhancements.
2025-10-26 02:32:10 +02:00
Benjamin Touchard
e22fe5d9ea Create FUNDING.yml
Add Patreon username
2025-10-15 14:05:50 +02:00
Benjamin
4ac19a7fde docs: update README(_FR).md and CHANGELOG.md v1.1.3 2025-10-08 15:28:55 +02:00
Benjamin
58382309bb fix: Add missing files 2025-10-08 15:08:18 +02:00
Benjamin
d18f401797 feat: add document metadata management system
- Add documents with metadata (title, URL, checksum, description)
- Add metadata UI section in document details
- Replace JavaScript alerts/confirms with modern modal dialogs
- Make email language dynamic based on user's interface language
2025-10-08 14:57:57 +02:00
Benjamin
6e12fb69ed feat: add email reminder system for pending signers
Enable admins to send reminder emails to expected signers who haven't signed yet.
This addresses the need to follow up with pending signers without manual tracking.

- Add reminder_logs table to track all email sends (success and failures)
- Implement ReminderService with SMTP integration
- Extend admin dashboard with reminder stats and send interface
- Support bulk send (all pending) or selective send (manual selection)
- Track reminder count and last sent date per signer
- Change terminology from "signature" to "lecture/confirmation de lecture" across all templates and emails
2025-10-08 00:57:04 +02:00
Benjamin
af3ab1f54a feat: improved UX navigation and admin dashboard
- Added a unified horizontal navigation menu in the header
- Redesigned the user/logout button into a single element
- Reversed priority for extracting OIDC names (name > preferred_username)
- Admin: display documents with/without expected signatures
- Admin: detailed badges “X signatures (+Y) out of Z”
- Admin: modal for adding expected signers
- Admin: display additional signatures in stats
- Simplification of expected signers table display
- Validation pattern for document creation
- Removal of redundant links in templates
2025-10-06 23:38:23 +02:00
Benjamin
5e74921ee7 feat: admin dashboard document request signatures
- New, clearer dashboard showing the status of each document
- The administrator can create a list of expected signatures for a given document.
- The administrator can manage the list of users who must confirm that they have read the document
2025-10-06 23:34:01 +02:00
Benjamin
54d6de8090 docs: update README with SMTP email service configuration
Add SMTP configuration section to both English and French README files:
- Optional email notifications setup with ACKIFY_MAIL_* variables
- SMTP configuration examples for development and production
- Architecture diagram updated with email/ infrastructure component
- Technology stack updated to include SMTP service
2025-10-06 14:48:03 +02:00
Benjamin
2c24c3f2f6 feat: add SMTP email service with signature reminders
Add configurable SMTP service for sending signature reminder emails.

Features:
- Configurable via ACKIFY_MAIL_* environment variables
- Multilingual templates (en/fr) with HTML + text versions
- Template rendering with automatic variable injection
- Graceful degradation when SMTP is not configured
- TLS/STARTTLS support with configurable timeout
- MailHog integration for local testing
2025-10-06 14:07:09 +02:00
Benjamin
0015af12e1 feat: add silent OAuth login with auto-authentication
- Add ACKIFY_OAUTH_AUTO_LOGIN config flag (default: false)
- Implement /api/auth/check endpoint for session validation
- Add silent login flow with prompt=none OAuth parameter
- Implement localStorage-based retry prevention (5min cooldown)
- Add comprehensive OAuth flow debugging logs
- Handle OAuth errors gracefully (login_required, interaction_required)
- Update templates with silent login JavaScript
- Add login button in header when not authenticated
- Fix /health endpoint documentation (remove /healthz alias)
- Extend tests to include autoLogin parameter
2025-10-06 13:13:17 +02:00
Benjamin
b5b6ddaaf7 set changelog for tracking 2025-10-06 13:02:13 +02:00
Benjamin
296010c0aa feat: add SSO provider logout support
When users click logout, they are now redirected to the SSO provider's
logout endpoint to ensure complete session termination. This prevents
users from remaining logged in at the provider level after logging out
of the application.

Changes:
- Add LogoutURL configuration for OAuth providers (Google, GitHub, GitLab)
- Implement GetLogoutURL method with post-logout redirect parameter
- Update HandleLogout to redirect to SSO logout when configured
- Add ACKIFY_OAUTH_LOGOUT_URL environment variable for custom providers
- Add tests for both local and SSO logout scenarios
v1.1.2
2025-10-03 15:47:19 +02:00
Benjamin
2583482198 fix: isolate blockchain chains per document
Each document now maintains its own independent blockchain chain
with its own genesis signature. GetLastSignature now filters by
doc_id to prevent cross-document chain corruption.

Changes:
- Add docID parameter to GetLastSignature interface and implementation
- Update SQL query to filter by document ID
- Add comprehensive test for multi-document blockchain isolation
- Update all test mocks and integration tests
2025-10-03 15:47:09 +02:00
Benjamin
0ce076bd3a refactor: separate template variables from locale strings
Move all template variables out of locale JSON files into separate keys.
Update templates to concatenate locale strings with dynamic values.
Replace inline conditionals with proper locale key lookups for pluralization.
v1.1.1
2025-10-02 22:34:36 +02:00
Benjamin
06e4b33167 fix: properly handle NULL UserName in database operations
Add scanSignature helper to convert sql.NullString to string type.
Update Create method to insert NULL for empty UserName values.
Fix integration tests to work with string type instead of pointer.
2025-10-02 21:03:00 +02:00
Benjamin
d6dd3625a9 fix: ensure blockchain hash determinism by refactoring UserName to string
Changed UserName field from *string to string to fix blockchain integrity
validation issues. The pointer was causing non-deterministic hash computation
due to memory address comparison instead of value comparison.

This change:
- Fixes blockchain validation for signatures with UserName
- Simplifies code by removing pointer dereferencing logic
- Maintains backward compatibility (NULL DB values map to empty string)
- Updates i18n templates to display values directly
2025-10-02 18:22:40 +02:00
Benjamin
6a292f7617 docs: use correct syntax to generate private key ED25519 2025-10-01 18:19:27 +02:00
Benjamin
378afc43a2 docs: update docker-compose.yml example file to reflect needed custom oidc provider configuration 2025-10-01 14:05:08 +02:00
Benjamin
48a06f8aa2 fix: download tailwind cli corresponding to arch v1.1.0 2025-10-01 00:58:11 +02:00
Benjamin
00250e5f0b fix: format lang.go 2025-10-01 00:38:18 +02:00
Benjamin
9c53a8bf2b feat: implement complete i18n support with French and English
Add comprehensive internationalization support:
- Browser language detection via Accept-Language header
- Cookie-based language preference persistence (1 year)
- Language switcher with flag emojis (🇫🇷 🇬🇧)
- 71 translation keys covering all UI elements
- Context-based translation injection via middleware

Replace Tailwind CDN with production build:
- Tailwind CLI v3.4.16 for CSS compilation
- Minified CSS output (5.9KB from several MB)
- Docker build integration
- Custom color palette configuration

Update all templates with i18n support:
- Main pages: home, sign, signatures, error
- Admin dashboard and document details
- Embed iframe widget (English only for international use)
- Language switcher preserves current page URL

Technical implementation:
- golang.org/x/text for language matching
- Middleware pattern for consistent i18n injection
- Fallback chain: Cookie → Accept-Language → English
- Separate translation files (locales/fr.json, locales/en.json)
2025-10-01 00:13:40 +02:00
Benjamin
6ff6966193 refactor: implement config injection pattern and enhance admin access control
- Load configuration once in main.go and inject through dependencies
- Remove duplicate config.Load() calls in admin routes and server init
- Add AdminEmails field to AppConfig with lowercase normalization
- Implement HTML error pages for 403 Forbidden responses
- Add comprehensive debug logging for admin access verification
- Improve template conditional formatting for readability
- Add test coverage for admin email parsing (6 test cases)
2025-09-30 22:37:51 +02:00
Benjamin
8d3b7ba927 feat: improved the logging system to enable troubleshooting of OAuth2 errors:
- Added structured logs in HandleError() for each error type in middleware
- Explicit log of the OAuth callback error before handling

feat: add configurable log level via ACKIFY_LOG_LEVEL
- Add ParseLevel function to logger package
- Extend config structure with LoggerConfig
- Apply log level during server initialization
- Update documentation and .env.example
2025-09-30 15:38:07 +02:00
Benjamin
dbe43a4ff8 doc: update readme 2025-09-28 21:47:27 +02:00
Benjamin
1ae8287ca5 fix: memory leak or deferrer errors in test files 2025-09-28 21:12:09 +02:00
Benjamin
273c8adb7c doc: add ackify.eu website links 2025-09-27 23:07:56 +02:00
Benjamin
3aaf1b25f8 docs: migrate to AGPL-3.0-or-later and add COPYRIGHT
- Replace SSPL with GNU AGPLv3 (LICENSE)
- Add COPYRIGHT with attribution
- Update Dockerfile label, README(s), BUILD.md
- Add SPDX headers across repo

refactor: remove redundant descriptive comments; keep only meaningful rationales
- Convert doc-comments to GoDoc style without colons
- Keep only security/algorithm rationales (CSRF state, CSP, chain hash, Bresenham)

tests: harden OAuth handlers tests (state missing/invalid) and fix fakes
- Add VerifyState token checks; ensure CreateAuthURL used
- Clean noisy comments in tests

docs: align docker-compose and scripts headers
2025-09-27 17:39:17 +02:00
Benjamin
4b11f5f638 tests: add Docker smoke test script for local e2e validation 2025-09-27 17:37:56 +02:00
Benjamin
06fb2d5b89 docs: standardize health endpoint; document admin ACL and routes; add staticcheck guidance and target 2025-09-26 23:32:20 +02:00
Benjamin
5e41f14f94 refactor: reuse server DB; add request logging; tighten CSP with frame-ancestors and embed override 2025-09-26 23:32:20 +02:00
Benjamin
cf2a943ea6 feat: oauth persist and verify state token via session to prevent CSRF 2025-09-26 23:32:20 +02:00
Benjamin
da64683431 feat: validation enforce strict patterns for doc and user query parameters 2025-09-26 23:32:20 +02:00
Benjamin
ff657e6d0d ci: fix docker-test service; skip outdated generate-mocks target 2025-09-26 23:32:20 +02:00
Benjamin
8bda0ae1b9 ci: use -tags=integration to match build tags 2025-09-26 23:32:20 +02:00
Benjamin
8d6f71d69d fix: chain update prev_hash via UPDATE during chain rebuild (no INSERT) 2025-09-26 23:32:20 +02:00
Benjamin
84bce9af0b logging: remove private key print; downgrade OAuth PII logs to debug 2025-09-26 23:32:20 +02:00
Benjamin
ef49dca8cd feat: http add /healthz alias; ignore local .gocache 2025-09-26 23:32:19 +02:00
Benjamin
76c2e8de4e feat: enhance admin dashboard with chain integrity verification
- Add chain integrity verification system for document signatures
- Implement VerifyDocumentChainIntegrity method in AdminRepository
- Add ChainIntegrityResult struct to track validation status
- Display chain integrity status in admin document details page
- Add API endpoint for programmatic chain integrity checks
- Add admin access link in main interface for authorized users
- Update templates to show integrity verification results
- Add admin configuration to docker-compose environment
2025-09-26 21:27:17 +02:00
Benjamin
53aa233f66 feat: add admin dashboard with document and signature management
- Admin middleware with ACKIFY_ADMIN_EMAILS environment variable authentication
- Dashboard view listing all documents with signature counts (/admin)
- Document details view showing signatories and metadata (/admin/docs/{docID})
- Read-only admin repository with dedicated database connection
- Responsive UI templates consistent with existing design
- Secure route protection and proper error handling

Configuration: Set ACKIFY_ADMIN_EMAILS="email1@domain.com,email2@domain.com"
2025-09-23 23:03:08 +02:00
Benjamin
dd9834792f build: clean docker file 2025-09-23 22:46:21 +02:00