- Implement PKCE (Proof Key for Code Exchange) with S256 method
- Add crypto/pkce module with code verifier and challenge generation
- Modify OAuth flow to include code_challenge in authorization requests
- Update HandleCallback to validate code_verifier during token exchange
- Extend session lifetime from 7 to 30 days
- Add comprehensive unit tests for PKCE functions
- Maintain backward compatibility with fallback for non-PKCE sessions
- Add detailed logging for OAuth flow with PKCE tracking
PKCE enhances security by preventing authorization code interception
attacks, as recommended by OAuth 2.1 and OIDC standards.
feat: add encrypted refresh token storage with automatic cleanup
- Add oauth_sessions table for storing encrypted refresh tokens
- Implement AES-256-GCM encryption for refresh tokens using cookie secret
- Create OAuth session repository with full CRUD operations
- Add SessionWorker for automatic cleanup of expired sessions
- Configure cleanup to run every 24h for sessions older than 37 days
- Modify OAuth flow to store refresh tokens after successful authentication
- Track client IP and user agent for session security validation
- Link OAuth sessions to user sessions via session ID
- Add comprehensive encryption tests with security validations
- Integrate SessionWorker into server lifecycle with graceful shutdown
This enables persistent OAuth sessions with secure token storage,
reducing the need for frequent re-authentication from 7 to 30 days.
Major refactoring to modernize the application architecture:
Backend changes:
- Restructure API with v1 versioning and modular handlers
- Add comprehensive OpenAPI specification
- Implement RESTful endpoints for documents, signatures, admin
- Add checksum verification system for document integrity
- Add server-side runtime injection of ACKIFY_BASE_URL and meta tags
- Generate dynamic Open Graph/Twitter Card meta tags for unfurling
- Remove legacy HTML template handlers
- Isolate backend source on dedicated folder
- Improve tests suite
Frontend changes:
- Migrate from Go templates to Vue.js 3 SPA with TypeScript
- Add Tailwind CSS with shadcn/vue components
- Implement i18n support (fr, en, es, de, it)
- Add admin dashboard for document and signer management
- Add signature tracking with file checksum verification
- Add embed page with sign button linking to main app
- Implement dark mode and accessibility features
- Auto load file to compute checksum
Infrastructure:
- Update Dockerfile for SPA build process
- Simplify deployment with embedded frontend assets
- Add migration for checksum_verifications table
This enables better UX, proper link previews on social platforms,
and provides a foundation for future enhancements.
Add comprehensive internationalization support:
- Browser language detection via Accept-Language header
- Cookie-based language preference persistence (1 year)
- Language switcher with flag emojis (🇫🇷🇬🇧)
- 71 translation keys covering all UI elements
- Context-based translation injection via middleware
Replace Tailwind CDN with production build:
- Tailwind CLI v3.4.16 for CSS compilation
- Minified CSS output (5.9KB from several MB)
- Docker build integration
- Custom color palette configuration
Update all templates with i18n support:
- Main pages: home, sign, signatures, error
- Admin dashboard and document details
- Embed iframe widget (English only for international use)
- Language switcher preserves current page URL
Technical implementation:
- golang.org/x/text for language matching
- Middleware pattern for consistent i18n injection
- Fallback chain: Cookie → Accept-Language → English
- Separate translation files (locales/fr.json, locales/en.json)
- Move templates from webtemplates/templates/ to templates/
- Replace embedded filesystem with filesystem-based template loading
- Add ACKIFY_TEMPLATES_DIR environment variable for custom template paths
- Update Dockerfile to copy templates and set default template directory
- Improve template resolution with fallback paths for development
- Remove webtemplates package and embedded filesystem dependencies
- Update BUILD.md documentation for template configuration
- Fix ackify-migrate service to run migrate binary instead of main server
- Add entrypoint override to bypass default ENTRYPOINT in Docker image
- Copy migrations directory to Docker image for migrate binary access
- Update migrate binary with better error handling and code quality
- Rename binary from ackify-ce to ackify for consistency
- Add migrate binary build and deployment
- Add migration service to docker-compose with proper dependency chain
- Ensure migrations run before main service startup
- Update dependencies from migration system integration
- Move templates from web/templates/ to webtemplates/templates/
- Replace file-based template loading with Go embed
- Remove external template directory dependency from Dockerfile
- Add webtemplates package with embedded template functionality
- Include comprehensive tests for embedded templates
- Update server initialization to use new embedded template system
This change makes the application self-contained by embedding templates
directly in the binary, eliminating the need for external template files
at runtime.
- Move web server logic to pkg/web package for external imports
- Rename cmd/ackify to cmd/community for clarity
- Create NewServer(multitenant bool) function for EE integration
- Add basic unit tests for Community Edition
- Update Dockerfile to build from cmd/community
- Add comprehensive build and deployment documentation
This change enables the Enterprise Edition to import and extend
the Community Edition while maintaining clean separation.
Add complete Go application for cryptographic document signature validation with OAuth2 authentication, Ed25519 signatures, and PostgreSQL storage following clean architecture principles.
Benjamin