gorest

Go RESTful API starter kit with Gin, JWT, GORM (MySQL, PostgreSQL, SQLite), Redis, Mongo, 2FA, email verification, password recovery

MIT License

Stars
382
Committers
6


gorest - v1.6.21

Published by pilinux about 1 year ago

dependencies updated

  • chore(deps): bump gorm.io/gorm from 1.25.4 to 1.25.5
  • chore(deps): bump gorm.io/driver/postgres from 1.5.2 to 1.5.3
  • chore(deps): bump gorm.io/driver/mysql from 1.5.1 to 1.5.2
  • chore(deps): bump github.com/pilinux/argon2 from 0.3.0 to 0.4.0 by @dependabot in https://github.com/pilinux/gorest/pull/129
  • chore(deps): bump gorm.io/driver/sqlite from 1.5.3 to 1.5.4 by @dependabot in https://github.com/pilinux/gorest/pull/128

Full Changelog: https://github.com/pilinux/gorest/compare/v1.6.20...v1.6.21

gorest - v1.6.20

Published by pilinux about 1 year ago

minor improvement

delete all hashes of active 2FA backup codes (if any) of a user when the user disables 2FA

Full Changelog: https://github.com/pilinux/gorest/compare/v1.6.19...v1.6.20

gorest - v1.6.19

Published by pilinux about 1 year ago

improvements

  • when aborting from middleware, append abort reasons
  • relational database connections
  • handle and log database read operation errors
  • email delivery process
  • use time.Now() throughout the project to select current local time

fix

  • HTTP response status codes

feature

  • new controller and handler for replacing a user's email address with a new one

CI

  • cache and restore only the go.sum files


gorest - v1.6.18

Published by pilinux about 1 year ago

major update with full backward-compatibility

  • option to save user email in encrypted form at rest
    by setting ACTIVATE_CIPHER=yes and adding a random
    secret to CIPHER_KEY. If there are existing accounts,
    the auth functionality will still work properly. Once
    encryption at rest is enabled and a new user account
    is registered, it is not possible to downgrade to
    insecure plaintext mode.

  • option to harden SHA-based hashing algorithm for 2FA
    by setting TWO_FA_DOUBLE_HASH=yes.

  • optionally use a secret, BLAKE2B_SECRET, for BLAKE2b
    hashing.

  • if ACTIVATE_CIPHER=yes, ChaCha20-Poly1305 (256-bit)
    is used for email encryption.

  • for 2FA keys, AES-256 is used as before.

  • a new controller and services are included to generate
    backup codes for 2FA.

  • an improved go doc.


gorest - v1.6.17

Published by pilinux about 1 year ago

new feature

  • an optional secret can now be used when hashing with Argon2id
    by setting the new environment variable HASH_SECRET
  • [fully backward compatible] for all existing applications in production,
    keeping HASH_SECRET empty will not break the auth functionality

ci

  • do static analysis and test build process for all major OS
    (Linux, Mac, Windows) and CPU architectures (arm64, amd64)

gorest - v1.6.16

Published by pilinux about 1 year ago

minor fix

Load hostname or IP from .env.
To listen to all interfaces, keep APP_HOST empty.

gorest - v1.6.15

Published by pilinux about 1 year ago

dependency update

chore(deps): bump go.mongodb.org/mongo-driver from 1.12.0 to 1.12.1

improvement

  • return error message from JWT middleware
  • option to concatenate access and refresh tokens in authorization header [Authorization: Bearer access refresh]

refactor

JWT middleware

gorest - v1.6.14

Published by pilinux about 1 year ago

indirect dependencies update

  • github.com/bytedance/sonic: v1.9.1 -> v1.9.2
  • github.com/go-playground/validator/v10: v10.14.0 -> v10.14.1
  • github.com/montanaflynn/stats: v0.7.1
  • github.com/pelletier/go-toml/v2: v2.0.8 -> v2.0.9
  • github.com/tilinna/clock: v1.0.2 -> v1.1.0
  • golang.org/x/arch: v0.3.0 -> v0.4.0
  • golang.org/x/crypto: v0.9.0 -> v0.11.0
  • golang.org/x/net: v0.10.0 -> v0.12.0
  • golang.org/x/sync: v0.1.0 -> v0.3.0
  • golang.org/x/sys: v0.8.0 -> v0.10.0
  • golang.org/x/text: v0.9.0 -> v0.11.0
  • google.golang.org/protobuf: v1.30.0 -> v1.31.0

Refresh JWT

Client can send the refresh token from HttpOnly cookie, as a Bearer token in the Authorization header, or in the body as JSON.
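
A sketch of how a server can locate the refresh token across the three transports listed here, including the concatenated `Authorization: Bearer access refresh` form from v1.6.15. This is an added example, not gorest's own code: the name `refreshJWT`, the lookup order (cookie, header, body), the 8 KiB body cap and the constructed requests are all assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Assumed name for both the cookie and the JSON field; not taken from gorest.
const refreshName = "refreshJWT"

// bearerTokens splits "Bearer <t1> [<t2>]" into its one or two tokens.
func bearerTokens(h string) []string {
	f := strings.Fields(h)
	if len(f) < 2 || len(f) > 3 || !strings.EqualFold(f[0], "Bearer") {
		return nil // wrong scheme, or too many fields to be trusted
	}
	return f[1:]
}

// RefreshToken looks in the cookie, then the header, then the JSON body.
func RefreshToken(r *http.Request) (token, source string, err error) {
	if c, cerr := r.Cookie(refreshName); cerr == nil && c.Value != "" {
		return c.Value, "cookie", nil
	}
	if t := bearerTokens(r.Header.Get("Authorization")); t != nil {
		return t[len(t)-1], "header", nil // refresh token is the last field
	}
	var body map[string]string
	// Cap the read so an oversized body cannot exhaust memory.
	if json.NewDecoder(io.LimitReader(r.Body, 8<<10)).Decode(&body) == nil && body[refreshName] != "" {
		return body[refreshName], "body", nil
	}
	return "", "", errors.New("no refresh token in cookie, header or body")
}

// newReq builds a constructed request (sample data) for the demo.
func newReq(cookie, auth, body string) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "http://localhost/refresh", strings.NewReader(body))
	if cookie != "" {
		r.AddCookie(&http.Cookie{Name: refreshName, Value: cookie})
	}
	if auth != "" {
		r.Header.Set("Authorization", auth)
	}
	return r
}

func main() {
	fmt.Println(RefreshToken(newReq("", "Bearer access.tok refresh.tok", "")))
	fmt.Println(RefreshToken(newReq("", "", `{"refreshJWT":"from.body"}`)))
}
```

The returned token is only located, not validated; it still has to pass signature and expiry checks before a new pair is issued.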


.env file

Users can remove all unused variables from the .env file to keep it clean.

gorest - v1.6.13

Published by pilinux over 1 year ago

dependencies update

Bumps github.com/qiniu/qmgo from 1.1.7 to 1.1.8.

Bumps go.mongodb.org/mongo-driver from 1.11.7 to 1.12.0.

Bumps github.com/mediocregopher/radix/v4 from 4.1.2 to 4.1.3.

Bumps gorm.io/gorm from 1.25.1 to 1.25.2.

Bumps gorm.io/driver/sqlite from 1.5.1 to 1.5.2.

Bumps github.com/alexedwards/argon2id from v0.0.0-20211130144151-3585854a6387 to v0.0.0-20230305115115-4b3c3280a736.

Bumps github.com/lib/pq from v1.10.4 to v1.10.9.

Bumps github.com/rogpeppe/go-internal from v1.10.0 to v1.11.0.

gorest - v1.6.12

Published by pilinux over 1 year ago

dependency update

⚡ github.com/qiniu/qmgo: v1.1.6 -> v1.1.7

supported JWT signing algorithms

  • HS256: HMAC-SHA256
  • HS384: HMAC-SHA384
  • HS512: HMAC-SHA512
  • ES256: ECDSA Signature with SHA-256
  • ES384: ECDSA Signature with SHA-384
  • ES512: ECDSA Signature with SHA-512
  • RS256: RSA Signature with SHA-256
  • RS384: RSA Signature with SHA-384
  • RS512: RSA Signature with SHA-512

CI

  • gosec security scanner GitHub action added

modified

ValidateAccessJWT and ValidateRefreshJWT functions are now exported

gorest - v1.6.11

Published by pilinux over 1 year ago

dependency update

⚡ github.com/onrik/logrus: v0.10.0 -> v0.11.0

⚡ github.com/sirupsen/logrus: v1.9.2 -> v1.9.3

⚡ go.mongodb.org/mongo-driver: v1.11.6 -> v1.11.7

added feature

⚡ optional parameter to activate debug mode for sentry

⚡ optional parameter to attach app release number for sentry logger

gorest - v1.6.10

Published by pilinux over 1 year ago

dependency update

⚡ gin-gonic/gin: v1.9.0 -> v1.9.1

Solved security vulnerability in gin: issue

gorest - v1.6.9

Published by pilinux over 1 year ago

new feature

⚡ handle authentication tokens on client devices' cookies

⚡ logout (options that can be enabled individually: delete tokens from cookies, ban active tokens)

dependency update

  • gorm.io/gorm: v1.24.5 -> v1.25.1
  • gorm.io/driver/mysql: v1.4.7 -> v1.5.1
  • gorm.io/driver/postgres: v1.4.8 -> v1.5.2
  • gorm.io/driver/sqlite: v1.4.4 -> v1.5.1
  • github.com/go-sql-driver/mysql: v1.7.0 -> v1.7.1
  • go.mongodb.org/mongo-driver: v1.11.2 -> v1.11.6
  • github.com/qiniu/qmgo: v1.1.5 -> v1.1.6
  • github.com/sirupsen/logrus: v1.9.0 -> v1.9.2
  • github.com/mrz1836/postmark: v1.3.0 -> v1.4.0

gorest - v1.6.8

Published by pilinux over 1 year ago

new feature

⚡ option to use encrypted connections to MySQL instance
please check newly added environment variables for .env file

dependency update

⚡ bumped gin from v1.8.2 to v1.9.0

⚡ bumped golang-jwt/jwt/v4 from v4.4.3 to v4.5.0

improvement

⚡ when environment variables are loaded during config settings,
remove leading and trailing whitespaces

test file

⚡ new test files added for lib middleware

gorest - v1.6.7

Published by pilinux over 1 year ago

direct dependencies

⚡ github.com/qiniu/qmgo from v1.1.4 to v1.1.5

⚡ github.com/mediocregopher/radix/v4 from v4.1.1 to v4.1.2

⚡ gorm.io/gorm from v1.24.3 to v1.24.5

⚡ github.com/joho/godotenv from v1.4.0 to v1.5.1

⚡ gorm.io/driver/mysql from v1.4.5 to v1.4.7

⚡ gorm.io/driver/postgres from v1.4.6 to v1.4.8

⚡ go.mongodb.org/mongo-driver from v1.11.1 to v1.11.2

indirect dependencies

⚡ github.com/jackc/pgx/v5 from v5.2.0 to v5.3.0

⚡ github.com/lib/pq from v1.10.2 to v1.10.4

⚡ github.com/youmark/pkcs8 set to v0.0.0-20181117223130-1be2e3e5546d

⚡ golang.org/x/crypto from v0.4.0 to v0.6.0

⚡ golang.org/x/net from v0.4.0 to v0.7.0

⚡ golang.org/x/sync from v0.0.0-20220923202941-7f9b1623fab7 to v0.1.0

⚡ golang.org/x/sys from v0.3.0 to v0.5.0

⚡ golang.org/x/text from v0.5.0 to v0.7.0

security fix

CWE-400

Details: https://cwe.mitre.org/data/definitions/400.html

test files

added test files for middleware package

gorest - v1.6.6

Published by pilinux almost 2 years ago

Dependency update

gin bumped to v1.8.2

gorm bumped to 1.24.3

⚡ gorm mysql driver bumped to 1.4.5

⚡ gorm postgres driver bumped to 1.4.6

⚡ gorm sqlite driver bumped to 1.4.4

⚡ mongodb mongo driver bumped to 1.11.1

Fix

⚡ after activating 2-FA for an account, the JSON response reported the wrong 2-FA status

⚡ abort when sentry NewHook fails

Refactor

⚡ perform all checks in TwoFA middleware

⚡ handle and return the error from config

Minor changes

Please modify your existing code to load all environment variables properly

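package main

import (
	"fmt"

	gconfig "github.com/pilinux/gorest/config"
)

func main() {
	// set configs: load all environment variables and stop on failure
	err := gconfig.Config()
	if err != nil {
		fmt.Println(err)
		return
	}

	// read configs
	configure := gconfig.GetConfig()

	// ... use configure in the rest of your application ...
	_ = configure
}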

New feature

If you need to add additional environment variables for your application,

⚡ add them to the .env file

⚡ create a separate internal package

⚡ implement your own logic

⚡ and use gconfig.Env() to load your custom environment variables

You can study config package to get a better understanding of the process.

gorest - v1.6.5

Published by pilinux almost 2 years ago

💎 go bumped to v1.19
🔑 golang-jwt/jwt bumped to v4.4.3
📚 gorm.io/gorm bumped to v1.24.2
📒 getsentry/sentry-go sdk bumped to v0.15.0
🎨 flosch/pongo2 bumped to v6.0.0

gorest - v1.6.4

Published by pilinux almost 2 years ago

gorm updated to 1.24.1

⚡ gorm mysql driver updated to 1.4.4

⚡ gorm postgres driver updated to 1.4.5

⚡ gorm sqlite driver updated to 1.4.3

⚡ mongodb mongo driver updated to 1.11.0

Qmgo updated to 1.1.4

⚡ mrz1836 postmark driver updated to 1.3.0

gorest - v1.6.3

Published by pilinux about 2 years ago

🧱 CORS updated for OPTIONS method - used by browser-based HTTP clients

gorest - v1.6.2

Published by pilinux about 2 years ago

🕵️ tuned CORS implementation
