All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
1.2.8 - 2025-12-15
Major security release introducing per-tenant data isolation with PostgreSQL Row Level Security (RLS).
- Row Level Security (RLS)
  - Data isolation at the PostgreSQL level with RLS policies
  - Protection of 11 tables: documents, signatures, expected_signers, webhooks, reminder_logs, email_queue, checksum_verifications, webhook_deliveries, oauth_sessions, magic_link_tokens, magic_link_auth_attempts
  - `current_tenant_id()` function to retrieve the tenant of the session
  - `FORCE ROW LEVEL SECURITY` to apply the policies even to table owners
  - Secure-by-default behavior: no data is accessible if the tenant is not set
- Multi-Tenant Support
  - New `instance_metadata` table storing the tenant's unique UUID
  - `tenant_id` (UUID) column added to all business and authentication tables
  - Optimized indexes on `tenant_id` for optimal performance
  - Immutability triggers preventing modification of `tenant_id` after creation
  - Automatic backfill of existing data with the instance's tenant
- Application Role Management
  - Automatic creation of the `ackify_app` role by the migration tool
  - Privilege separation (application role vs. superuser role)
  - `ACKIFY_APP_PASSWORD` environment variable to set the role's password
  - Default privileges configured for future tables
New migrations:
- `0015_add_tenant_support.{up,down}.sql` - Multi-tenant support
- `0016_add_rls_policies.{up,down}.sql` - RLS policies
Modified files:
- `backend/cmd/migrate/main.go` - Creation of the `ackify_app` role
Security:
- RLS policies use `USING` and `WITH CHECK` to filter reads and writes
- Magic link tokens accept `tenant_id IS NULL` for login requests
- OAuth sessions are isolated per tenant after authentication
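The fail-closed tenant isolation described in this release, as an added PostgreSQL example that is not taken from the project's migrations. The `documents_demo` table, the `tenant_isolation` policy name, the `app.tenant_id` session setting and the body given to `current_tenant_id()` are assumptions made for illustration.

```sql
-- Added example, not the project's migration code.
-- Run as a non-superuser role without BYPASSRLS: superusers and BYPASSRLS
-- roles skip row security entirely, with or without FORCE.

-- Constructed demo table standing in for one of the protected tables.
CREATE TABLE documents_demo (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    title     text NOT NULL
);

-- Assumed implementation: the tenant is read from a custom session setting
-- named app.tenant_id (hypothetical name). missing_ok = true yields NULL when
-- the setting was never defined; NULLIF covers the empty string that remains
-- once a transaction that used SET LOCAL has ended.
CREATE FUNCTION current_tenant_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.tenant_id', true), '')::uuid
$$;

ALTER TABLE documents_demo ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner is exempt from the policy below.
ALTER TABLE documents_demo FORCE ROW LEVEL SECURITY;

-- USING filters the rows a statement can see (SELECT, UPDATE, DELETE);
-- WITH CHECK validates rows written by INSERT or produced by UPDATE.
CREATE POLICY tenant_isolation ON documents_demo
    USING (tenant_id = current_tenant_id())
    WITH CHECK (tenant_id = current_tenant_id());

-- Session for tenant A (constructed UUIDs). SET LOCAL scopes the tenant to
-- this transaction, so a pooled connection does not carry it to the next user.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO documents_demo (tenant_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'policy-a');
-- A row stamped with another tenant's id fails WITH CHECK and aborts the
-- transaction; left commented out so the script runs to completion:
-- INSERT INTO documents_demo (tenant_id, title)
-- VALUES ('22222222-2222-2222-2222-222222222222', 'spoofed');
COMMIT;

-- Session for a different tenant: the USING clause hides tenant A's row.
BEGIN;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
SELECT count(*) FROM documents_demo;
COMMIT;

-- No tenant set: current_tenant_id() is NULL, and "tenant_id = NULL" is never
-- true, so reads match no rows and writes are rejected by WITH CHECK.
SELECT count(*) FROM documents_demo;
```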
1.2.6 - 2025-12-08
Maintenance release improving the internal architecture and the stability of the CI/CD pipeline.
- Strengthened Clean Architecture
  - Strict separation of layers with private interfaces
  - Extraction of the `coreapp` packages for dependency injection
  - Preparation of the architecture for multi-tenant support
- Improved Migration System
  - `force` command to force the migration version
  - `goto` command to migrate to a specific version
  - Better handling of existing databases without a migration schema
- CI/CD Pipeline
  - Added QEMU for multi-platform Docker builds (linux/amd64, linux/arm64)
  - Fixed the go.mod path in the backend folder
  - Absolute paths for templates and locales in E2E tests
  - Better handling of server startup logs for debugging
- Internationalization
  - Reminder email subjects are now internationalized (they respect the configured language)
- E2E Tests
  - Fixed the document-creation-by-URL test
Modified files:
- `.github/workflows/build-docker.yml` - Added QEMU setup
- `.github/workflows/test-e2e.yml` - Absolute paths and better error handling
- `backend/cmd/migrate/main.go` - New force and goto commands
- `backend/internal/infrastructure/email/` - Internationalization of subjects
1.2.5 - 2025-12-01
Patch release adding full support for Microsoft Azure AD / Entra ID as OAuth provider.
- Microsoft OAuth Authentication
  - Fixed "missing email in user info response" error with Microsoft Graph API
  - Added support for `mail` field (Microsoft) as fallback for `email` (OIDC standard)
  - Added support for `userPrincipalName` as last resort email fallback
  - Added support for `displayName` (camelCase) for Microsoft user names
  - Email field priority: `email` → `mail` → `userPrincipalName`
  - Name field priority: `name` → `given_name`+`family_name` → `displayName` → `cn` → `display_name` → `preferred_username`
- Modified `parseUserInfo()` in `backend/internal/infrastructure/auth/oauth_provider.go`
- Added 3 new test cases for Microsoft Graph API response formats
- 100% backward compatible with existing OAuth providers (Google, GitHub, GitLab, custom)
1.2.4 - 2025-11-28
Minor release adding the ability to import expected signers from a CSV file.
- CSV Import for Expected Signers
  - CSV file upload directly from admin interface
  - Data preview before import with validation
  - Automatic separator detection (comma or semicolon)
  - Smart column detection (email, name)
  - Support for files with or without headers
  - Email validation with detailed error report
  - Selective import: ability to modify list before confirmation
  - Configurable limit on number of signers per import (`ACKIFY_IMPORT_MAX_SIGNERS`, default: 500)
- New `CSVParser` service for robust CSV file parsing
- API endpoints: `POST /api/v1/admin/documents/{docId}/signers/preview-csv` and `POST /api/v1/admin/documents/{docId}/signers/import`
- Drag-and-drop upload interface for CSV files
- Preview modal with valid/invalid signers table
1.2.3 - 2025-11-24
Maintenance release focused on improving code quality, test coverage, and build stability.
- Frontend Test Coverage
  - Comprehensive unit tests for Pinia stores (documents, signatures, users)
  - API services testing (document, signature, auth)
  - Critical UI components testing
  - Significant improvement in frontend code coverage
  - Early regression detection through automated testing
- Build & Dependencies
  - Eliminated vue-i18n `currentInstance` warning during build
  - Removed deprecated npm dependencies warnings (glob, rimraf, inflight)
  - Frontend build now completely clean without warnings
  - Improved Node.js 20+ compatibility
- Internationalization
  - Fixed handling of translation keys with literal dots (e.g., `document.created`)
  - Robust i18n file validation script
  - Consistent translation key validation across all locales
- CI/CD Pipeline
  - Stabilized E2E test pipeline with proper configuration
  - Fixed `go:embed` directive compatibility in backend tests
  - Configured rate limits for automated test environments
  - Improved locales and templates path handling
  - E2E code coverage maintained and functional
  - Multi-version Node.js compatibility (18/20/22)
- Infrastructure
  - More robust CI/CD pipeline configuration
  - Optimized test execution with proper environment setup
  - Enhanced error handling in test workflows
Frontend Improvements:
- Test coverage for stores: `useDocumentsStore`, `useSignaturesStore`, `useUsersStore`
- Test coverage for services: `documentService`, `signatureService`, `authService`
- Test coverage for components: `DocumentCard`, `SignatureForm`, `UserProfile`
- Rollup configuration for suppressing vue-i18n warnings
- npm overrides for compatible dependency versions
Backend Improvements:
- Rate limit configuration variables for test environments
- Proper locales and templates directory handling
- Empty `web/dist` directory creation for embed directive
CI/CD Fixes:
- Node.js 20 for E2E tests (nyc@15 compatibility)
- Proper rate limits: `ACKIFY_*_RATE_LIMIT=1000` for tests
- Environment variables: `ACKIFY_LOCALES_DIR`, `ACKIFY_TEMPLATES_DIR`
- Compatible dependency versions for code coverage
1.2.1 - 2025-11-05
Minor release adding Magic Link authentication, improved metadata extraction, and professional installation tooling.
- Magic Link Authentication (Passwordless)
  - Email-based passwordless authentication system
  - No password required - users receive a secure link via email
  - Multi-method support: configure OAuth and/or MagicLink independently
  - Intelligent authentication method selection page
  - Auto-redirect to login when only one method is configured
  - Secure token generation with crypto/rand (32 bytes)
  - 15-minute expiration with automatic cleanup
  - HTML and text email templates for magic links
  - New migration `0012_magic_link_authentication` with `magic_links` table
  - Indexes on token, email, and expires_at for optimal performance
  - Background worker for cleaning expired magic links
- Enhanced Installation Experience
  - Interactive installation script with step-by-step guidance
  - Automatic environment detection (Docker, PostgreSQL, etc.)
  - System prerequisites validation
  - Assisted configuration of environment variables
  - Support for multi-authentication method setup
  - Complete installation documentation in `install/README.md`
  - Comprehensive `.env.example` with detailed comments
  - Docker Compose templates for quick deployment
- E2E Testing with Cypress
  - Complete end-to-end test suite for Magic Link authentication
  - MailHog integration for email testing in development
  - GitHub Actions workflow for automated E2E tests
  - Dedicated `compose.e2e.yml` for isolated test environment
  - Test utilities for email verification and link extraction
- Smart Document Title Extraction
  - Enhanced automatic title detection from HTML metadata
  - Support for Open Graph tags (`og:title`)
  - Support for Twitter Card tags (`twitter:title`)
  - Intelligent fallback hierarchy: OG → Twitter → title → h1
  - Comprehensive unit tests (233 test cases)
  - Better handling of edge cases and malformed HTML
- Architecture Improvements
  - Refactored OAuth code into reusable `OAuthProvider` component
  - New `SessionService` for centralized session management
  - New `MagicLinkService` for passwordless authentication logic
  - Better separation of concerns between authentication methods
  - Cleaner dependency injection in main.go
- Configuration System
  - Auto-detection of available authentication methods
  - New `ACKIFY_AUTH_OAUTH_ENABLED` flag (optional, auto-detected)
  - New `ACKIFY_AUTH_MAGICLINK_ENABLED` flag (optional, auto-detected)
  - MagicLink enabled automatically if `ACKIFY_MAIL_HOST` is configured
  - OAuth enabled automatically if OAuth credentials are present
  - Enhanced email configuration with detailed SMTP options
  - Better validation and error messages for configuration issues
- Session Management
  - 30-day persistent sessions (increased from 7 days)
  - Encrypted refresh token storage with AES-256-GCM
  - New `oauth_sessions` table for refresh token persistence
  - Automatic cleanup of expired sessions (background worker)
  - Session tracking with IP address and User-Agent
- User Interface
  - New authentication choice page when multiple methods available
  - Auto-redirect behavior when single authentication method
  - Window variables for dynamic config (`ACKIFY_OAUTH_ENABLED`, `ACKIFY_MAGICLINK_ENABLED`)
  - Updated localization files (en, fr, es, de, it) with Magic Link strings
- Improved robustness of document metadata extraction
- Better error handling in authentication flows
- More descriptive error messages for configuration issues
- Edge case handling in title extraction
New Files:
- `backend/internal/application/services/magic_link_service.go` - MagicLink service
- `backend/internal/domain/models/magic_link.go` - MagicLink domain model
- `backend/internal/infrastructure/auth/oauth_provider.go` - OAuth provider refactored
- `backend/internal/infrastructure/auth/session_service.go` - Session management
- `backend/internal/infrastructure/auth/session_worker_test.go` - Session cleanup tests
- `backend/internal/infrastructure/database/magic_link_repository.go` - MagicLink repository
- `backend/internal/infrastructure/workers/magic_link_cleanup.go` - Cleanup worker
- `backend/internal/presentation/api/auth/magic_link_handler.go` - MagicLink endpoints
- `backend/templates/magic_link.html.tmpl` - HTML email template
- `backend/templates/magic_link.txt.tmpl` - Text email template
- `backend/migrations/0012_magic_link_authentication.{up,down}.sql`
- `webapp/src/pages/AuthChoicePage.vue` - Authentication method selection
- `webapp/cypress/` - Complete E2E test suite
- `.github/workflows/e2e-tests.yml` - E2E CI workflow
- `install/README.md` - Installation documentation
Modified Files:
- `backend/internal/infrastructure/config/config.go` - Enhanced configuration
- `backend/internal/infrastructure/auth/oauth.go` - Refactored to use OAuthProvider
- `backend/internal/presentation/api/router.go` - New Magic Link endpoints
- `backend/pkg/web/server.go` - Multi-auth method support
- `backend/pkg/web/static.go` - New window variables injection
- `webapp/src/router/index.ts` - Auth choice route
- `README.md`, `README_FR.md` - Updated with Magic Link documentation
- `.env.example` - Comprehensive email and auth configuration
For users upgrading from v1.2.0 to v1.2.1:
- No Breaking Changes: v1.2.1 is 100% backward compatible
- Optional MagicLink: Add email configuration to enable passwordless auth
- Migrations: Applied automatically at startup
- Environment Variables: Review new optional variables in `.env.example`
To enable Magic Link authentication:
```bash
# Add SMTP configuration
ACKIFY_MAIL_HOST="smtp.example.com"
ACKIFY_MAIL_PORT=587
ACKIFY_MAIL_USERNAME="user"
ACKIFY_MAIL_PASSWORD="pass"
ACKIFY_MAIL_FROM="noreply@example.com"
# Optional: explicitly control auth methods
ACKIFY_AUTH_OAUTH_ENABLED=true
ACKIFY_AUTH_MAGICLINK_ENABLED=true
```
1.2.0 - 2025-10-27
Complete architectural overhaul to a modern API-first architecture with Vue 3 SPA frontend, signed webhooks, and improved security.
- RESTful API v1
  - Versioned API with `/api/v1` prefix
  - Structured JSON responses with consistent error handling
  - Public endpoints: health, documents, signatures, expected signers
  - Authentication endpoints: OAuth flow, logout, auth check
  - Authenticated endpoints: user profile, signatures, signature creation
  - Admin endpoints: document management, signer management, reminders
  - OpenAPI specification endpoint `/api/v1/openapi.json`
- Vue 3 SPA Frontend
  - Modern single-page application with TypeScript
  - Vite build tool with hot module replacement (HMR)
  - Pinia state management for centralized application state
  - Vue Router for client-side routing
  - Tailwind CSS for utility-first styling
  - Responsive design with mobile support
  - Version number display in footer for better traceability
  - Enhanced footer visibility with improved UX
  - Pages: Home, Sign, Signatures, Embed, Admin Dashboard, Document Details
- Signed Webhooks Support
  - Webhook signature verification for secure event notifications
  - HMAC-based authentication for webhook endpoints
  - Prevents unauthorized webhook injection
  - Configurable webhook endpoints for document events
- Comprehensive Logging System
  - Structured JSON logging with `slog` package
  - Log levels: debug, info, warn, error (configurable via `ACKIFY_LOG_LEVEL`)
  - Request ID tracking through entire request lifecycle
  - HTTP request/response logging with timing
  - Authentication flow logging
  - Signature operation logging
  - Reminder service logging
  - Database query logging
  - OAuth flow progression logging
- Enhanced Security
  - OAuth 2.0 Authorization Code Flow with PKCE (Proof Key for Code Exchange)
  - CSRF token protection for all state-changing operations
  - Rate limiting (5 auth attempts/min, 100 general requests/min)
  - Hard rate limiting on embed document creation endpoint
  - CORS configuration for development and production
  - Security headers (CSP, X-Content-Type-Options, X-Frame-Options, etc.)
  - Session-based authentication with secure cookies
  - Request ID propagation for distributed tracing
  - Authorization middleware for embed endpoints
- Public Embed Route
  - `/embed?doc={docId}` route for public embedding (no authentication required)
  - Protected document creation with rate limiting and authorization
  - oEmbed protocol support for unfurl functionality
  - CSP headers configured to allow iframe embedding on embed routes
  - Suitable for integration in documentation tools and wikis
- Auto-Login Feature
  - Optional `ACKIFY_OAUTH_AUTO_LOGIN` configuration
  - Silent authentication when OAuth session exists
  - `/api/v1/auth/check` endpoint for session verification
  - Seamless user experience when returning to application
- Docker Multi-Stage Build
  - Optimized Dockerfile with separate Node and Go build stages
  - Improved build stage efficiency
  - Smaller final image size
  - SPA assets built during Docker build process
  - Production-ready containerized deployment
- Architecture
  - Migrated from template-based rendering to API-first architecture
  - Introduced clear separation between API and frontend
  - Organized API handlers into logical modules (admin, auth, documents, signatures, users)
  - Centralized middleware in `shared` package (logging, CORS, CSRF, rate limiting, security headers)
- Routing
  - Chi router now serves both API v1 and Vue SPA
  - SPA fallback routing for all unmatched routes
  - API endpoints prefixed with `/api/v1`
  - Static assets served from `/assets` for SPA and `/static` for legacy
- Authentication
  - Standardized session-based auth across API and templates
  - CSRF protection on all authenticated API endpoints
  - Rate limiting on authentication endpoints
- Documentation
  - Updated BUILD.md with Vue SPA build instructions
  - Updated README.md with API v1 endpoint documentation
  - Updated README_FR.md with French translations
  - Added logging configuration documentation
  - Added development environment setup instructions
- Consistent error handling across all API endpoints
- Proper HTTP status codes for all responses
- CORS issues in development environment
- Integration tests concurrency issues and database collisions
- Random hex generation for test database names to prevent collisions
- Migrations directory discovery in CI environment
- Missing hardcoded database struct columns removed
- Split unit and integration test coverage for better reliability
- CI/CD pipeline now pushes releases to latest tag on DockerHub
New Files:
- `internal/presentation/api/` - Complete API v1 implementation
  - `admin/handler.go` - Admin endpoints
  - `auth/handler.go` - Authentication endpoints
  - `documents/handler.go` - Document endpoints
  - `signatures/handler.go` - Signature endpoints
  - `users/handler.go` - User endpoints
  - `health/handler.go` - Health check endpoint
  - `shared/` - Shared middleware and utilities
    - `logging.go` - Request logging middleware
    - `middleware.go` - Auth, admin, CSRF, rate limiting middleware
    - `response.go` - Standardized JSON response helpers
    - `errors.go` - Error code constants
  - `router.go` - API v1 router configuration
- `webapp/` - Complete Vue 3 SPA
  - `src/components/` - Reusable Vue components
  - `src/pages/` - Page components (Home, Sign, Signatures, Embed, Admin)
  - `src/services/` - API client services
  - `src/stores/` - Pinia state stores
  - `src/router/` - Vue Router configuration
  - `vite.config.ts` - Vite build configuration
  - `tsconfig.json` - TypeScript configuration
Modified Files:
- `pkg/web/server.go` - Updated to serve both API and SPA
- `internal/infrastructure/auth/oauth.go` - Added structured logging
- `internal/application/services/signature.go` - Added structured logging
- `internal/application/services/reminder.go` - Added structured logging
- `Dockerfile` - Multi-stage build for Node and Go
- `docker-compose.yml` - Updated for new architecture
Deprecated:
- Template-based admin routes (will be maintained for backward compatibility)
- Legacy `/status` and `/status.png` endpoints (superseded by API v1)
For users upgrading from v1.1.x to v1.2.0:
- Environment Variables: Add optional `ACKIFY_LOG_LEVEL` and `ACKIFY_OAUTH_AUTO_LOGIN` if desired
- Docker: Rebuild images to include Vue SPA build with multi-stage optimization
- API Clients: Consider migrating to new API v1 endpoints for better structure and consistency
- Embed URLs: Update to use `/embed?doc={docId}` for public document embedding
- Webhooks: Configure webhook endpoints if you want to receive signed event notifications
- None - v1.2.0 maintains backward compatibility with all v1.1.x features
- Template-based admin interface remains functional alongside new Vue SPA
- Legacy endpoints continue to work
1.1.3 - 2025-10-08
- Document Metadata Management System
  - New `documents` table for storing metadata (title, URL, checksum, description)
  - Document repository with full CRUD operations
  - Comprehensive integration tests for document operations
  - Admin UI section for viewing and editing document metadata
  - Copy-to-clipboard functionality for checksums
  - Support for SHA-256, SHA-512, and MD5 checksum algorithms
  - Automatic `updated_at` timestamp tracking with PostgreSQL trigger
- Modern Modal Dialogs
  - Replaced native JavaScript `alert()` and `confirm()` with styled modal dialogs
  - Consistent design across all confirmation actions
  - Better UX with warning (orange) and delete (red) visual indicators
  - Confirmation modal for email reminder sending
  - Delete confirmation modal for removing expected readers
- SVG Favicon
  - Added modern vector favicon with brand identity
  - Responsive and works across all modern browsers
- Email Reminder Improvements
  - Email language now matches user's interface language (fr/en)
  - Document URL automatically fetched from metadata instead of manual input
  - Simplified reminder form by removing redundant URL field
  - Document URL displayed as clickable link in reminder section
- Admin Dashboard Enhancement
  - Document listing now includes documents from `documents` table
  - Shows documents with metadata even without signatures or expected readers
- UI Refinements
  - Removed "Admin connecté" status indicator from dashboard header
  - Document URL in metadata displayed as hyperlink instead of input field
  - Cleaner and more focused admin interface
- Template syntax error with `not` operator requiring parentheses
- Added database migration `0005_create_documents_table`
- New domain model: `models.Document` and `models.DocumentInput`
- New infrastructure: `DocumentRepository` with full test coverage
- New presentation: `DocumentHandlers` with GET/POST/DELETE endpoints
- Routes: `/admin/docs/{docID}/metadata` (GET, POST, DELETE)
- Updated `ReminderService.SendReminders()` signature to include locale parameter
- Modified files:
  - `internal/domain/models/document.go` (new)
  - `internal/infrastructure/database/document_repository.go` (new)
  - `internal/infrastructure/database/document_repository_test.go` (new)
  - `internal/presentation/admin/handlers_documents.go` (new)
  - `internal/application/services/reminder.go`
  - `internal/infrastructure/database/admin_repository.go`
  - `internal/presentation/admin/handlers_expected_signers.go`
  - `internal/presentation/admin/routes_admin.go`
  - `templates/admin_dashboard.html.tpl`
  - `templates/admin_document_expected_signers.html.tpl`
  - `templates/base.html.tpl`
  - `static/favicon.svg` (new)
  - `migrations/0005_create_documents_table.{up,down}.sql` (new)
1.1.2 - 2025-10-03
- SSO Provider Logout: Complete session termination at OAuth provider level
  - Added `LogoutURL` configuration for OAuth providers
  - Automatic redirect to provider logout (Google, GitHub, GitLab, custom)
  - New environment variable `ACKIFY_OAUTH_LOGOUT_URL` for custom providers
  - Users are now properly logged out from both the application and the SSO provider
- Blockchain chain isolation: Each document now has its own independent blockchain
  - `GetLastSignature` now filters by `doc_id` to prevent cross-document chain corruption
  - Genesis signatures are correctly created per document
  - Prevents blockchain chains from mixing between different documents
  - Added comprehensive tests for multi-document blockchain integrity
- `GetLastSignature` method signature updated to include `docID` parameter
- All repository implementations updated to support document-scoped blockchain queries
- Modified files:
  - `internal/application/services/signature.go`
  - `internal/infrastructure/database/repository.go`
  - `internal/infrastructure/auth/oauth.go`
  - `internal/infrastructure/config/config.go`
  - `internal/presentation/handlers/auth.go`
  - `internal/presentation/handlers/interfaces.go`
  - `pkg/web/server.go`
- All existing tests updated and passing
1.1.1 - 2025-01-XX
- Refactor template variables to separate from locale strings
- Improve database operations for UserName handling
1.1.0 - 2025-01-XX
- Blockchain hash determinism improvements
- ED25519 key generation documentation
- NULL UserName handling in database operations
- Proper string conversion for UserName field