BREAKING CHANGE: ACKIFY_APP_PASSWORD environment variable is now required for RLS support. The migrate tool creates the ackify_app role before running migrations, ensuring compatibility with existing deployments.
Changes:
- Add ensureAppRole() in cmd/migrate to create/update ackify_app role
- Remove docker/init-scripts/01-create-app-user.sh (no longer needed)
- Update compose.yml: add ACKIFY_APP_PASSWORD, backend connects as ackify_app
- Update migration 0016: remove conditional role creation
- Add RLS documentation (docs/en/configuration/rls.md, docs/fr/configuration/rls.md)
- Update configuration docs with RLS section and security checklist
Migration path for existing deployments:
1. Set ACKIFY_APP_PASSWORD in .env
2. Run docker compose up (migrate will create the role automatically)
* feat(mail): add option to skip TLS certificate verification
Add ACKIFY_MAIL_INSECURE_SKIP_VERIFY environment variable to allow
bypassing TLS certificate verification for self-signed certificates.
This is useful for development/testing environments with self-signed
SMTP certificates while maintaining secure defaults (false by default).
* docs: add ACKIFY_MAIL_INSECURE_SKIP_VERIFY documentation
Add new configuration option ACKIFY_ONLY_ADMIN_CAN_CREATE (default: false) to control who can create documents.
Backend changes:
- Add OnlyAdminCanCreate config field to AppConfig
- Implement authorization checks in document handlers
- Protect POST /documents and GET /documents/find-or-create endpoints
- Add unit tests for admin-only document creation (4 tests)
Frontend changes:
- Inject ACKIFY_ONLY_ADMIN_CAN_CREATE to window object
- Hide DocumentForm component for non-admin users when enabled
- Add i18n translations (en, fr, es, de, it)
- Display warning message for non-admin users
Documentation:
- Update .env.example files with new variable
- Update configuration docs (en/fr)
- Update install script to prompt for restriction option
- Update install/README.md
When enabled, only users listed in ACKIFY_ADMIN_EMAILS can create new documents. Both direct creation and find-or-create endpoints are protected.
- Now can activate OIDC and/or MagicLink for user authentication.
- Add page to choose authentication method (if only OIDC is enabled, auto redirecting to login screen)
When users click logout, they are now redirected to the SSO provider's
logout endpoint to ensure complete session termination. This prevents
users from remaining logged in at the provider level after logging out
of the application.
Changes:
- Add LogoutURL configuration for OAuth providers (Google, GitHub, GitLab)
- Implement GetLogoutURL method with post-logout redirect parameter
- Update HandleLogout to redirect to SSO logout when configured
- Add ACKIFY_OAUTH_LOGOUT_URL environment variable for custom providers
- Add tests for both local and SSO logout scenarios
- Added structured logs in HandleError() for each error type in middleware
- Explicit log of the OAuth callback error before handling
feat: add configurable log level via ACKIFY_LOG_LEVEL
- Add ParseLevel function to logger package
- Extend config structure with LoggerConfig
- Apply log level during server initialization
- Update documentation and .env.example
- Move templates from webtemplates/templates/ to templates/
- Replace embedded filesystem with filesystem-based template loading
- Add ACKIFY_TEMPLATES_DIR environment variable for custom template paths
- Update Dockerfile to copy templates and set default template directory
- Improve template resolution with fallback paths for development
- Remove webtemplates package and embedded filesystem dependencies
- Update BUILD.md documentation for template configuration
- Move web server logic to pkg/web package for external imports
- Rename cmd/ackify to cmd/community for clarity
- Create NewServer(multitenant bool) function for EE integration
- Add basic unit tests for Community Edition
- Update Dockerfile to build from cmd/community
- Add comprehensive build and deployment documentation
This change enables the Enterprise Edition to import and extend
the Community Edition while maintaining clean separation.
Add complete Go application for cryptographic document signature validation with OAuth2 authentication, Ed25519 signatures, and PostgreSQL storage following clean architecture principles.
