docs: Modify security documentation to indicate Cerberus is enabled by default
test: Adjust frontend feature flag tests to align with new Cerberus flag
feat: Integrate feature flags into Layout component for conditional rendering
test: Enhance Layout component tests for feature flag visibility
feat: Implement Optional Features section in System Settings page
test: Add tests for Optional Features toggles in System Settings
fix: Remove unused Cerberus state from System Settings component
- Added functionality to select SSL Provider (Auto, Let's Encrypt, ZeroSSL) in the Caddy Manager.
- Updated the ApplyConfig method to handle different SSL provider settings and staging flags.
- Created unit tests for various SSL provider scenarios, ensuring correct behavior and backward compatibility.
- Enhanced frontend System Settings page to include SSL Provider dropdown with appropriate options and descriptions.
- Updated documentation to reflect new SSL Provider feature and its usage.
- Added QA report detailing testing outcomes and security verification for the SSL Provider implementation.
- Created detailed QA testing report documenting the authentication issues with certificate endpoints, including test results and root cause analysis.
- Added final QA report confirming successful resolution of the authentication issue, with all tests passing and security verifications completed.
- Included test output logs before and after the fix to illustrate the changes in endpoint behavior.
- Documented the necessary code changes made to the route registration in `routes.go` to ensure proper application of authentication middleware.
- Documented certificate management security features in security.md, including backup and recovery processes.
- Implemented CertificateCleanupDialog component for confirming deletion of orphaned certificates when deleting proxy hosts.
- Enhanced ProxyHosts page to check for orphaned certificates and prompt users accordingly during deletion.
- Added tests for certificate cleanup prompts and behaviors in ProxyHosts, ensuring correct handling of unique, shared, and production certificates.
feat: add modular Security Dashboard implementation plan with environment-driven security service activation
fix: update go.mod and go.sum for dependency version upgrades and optimizations
feat: enable gzip compression for API responses to reduce payload size
fix: optimize SQLite connection settings for better performance and concurrency
refactor: enhance RequireAuth component with consistent loading overlay
feat: configure global query client with optimized defaults for performance in main.tsx
refactor: replace health check useEffect with React Query for improved caching and auto-refresh
build: add code splitting in vite.config.ts for better caching and parallel loading
- Added unit tests for CrowdSec handler, including listing, banning, and unbanning IPs.
- Implemented mock command executor for testing command execution.
- Created tests for various scenarios including successful operations, error handling, and invalid inputs.
- Developed CrowdSec configuration tests to ensure proper handler setup and JSON output.
- Documented security features and identified gaps in CrowdSec, WAF, and Rate Limiting implementations.
- Established acceptance criteria for feature completeness and outlined implementation phases for future work.
- Change 'changed' check from truthy string to explicit 'true' comparison
- GitHub Actions treats non-empty strings as truthy, causing step to run unexpectedly
- This was causing the workflow to attempt updating v0.3.0 release when it shouldn't
The test was failing intermittently when run with -race flag due to a race
condition between:
1. CertificateService constructor spawning a background goroutine that
immediately queries the database
2. The test's HTTP request handler also querying the database
On CI runners, the timing window is wider than on local machines, causing
frequent failures. Solution: Add a 200ms sleep to allow the background
goroutine to complete its initial sync before the test proceeds.
This is acceptable in test code as it mirrors real-world usage where the
service initializes before receiving HTTP requests.
Fixes intermittent failure:
Error: Not equal: expected: 200, actual: 500
no such table: ssl_certificates
CodeQL flagged critical vulnerabilities in mail_service.go where
untrusted input could be used to inject additional email headers
via CRLF sequences.
Changes:
- Add sanitizeEmailHeader() to strip CR, LF, and control characters
- Sanitize all header values (from, to, subject) in buildEmail()
- Add validateEmailAddress() using net/mail.ParseAddress
- Add comprehensive security tests for header injection prevention
This addresses the 3 critical CodeQL alerts:
- Line 199: buildEmail header construction
- Line 260: sendSSL message usage
- Line 307: sendSTARTTLS message usage
Security: CWE-93 (Improper Neutralization of CRLF Sequences)
Packages like cmd/api, cmd/seed, internal/logger, and internal/metrics
are entrypoints and infrastructure code that don't benefit from unit
tests. These were being counted as 0% coverage in CI (which has the
full Go toolchain including covdata) but excluded locally (due to
'no such tool covdata' error), causing a ~2.5% coverage discrepancy.
Standard Go practice is to exclude such packages from coverage
calculations. This fix filters them from the coverage profile before
computing the total.
The commit c06c282 (feat: add SMTP settings page and user management
features) removed userHandler.RegisterRoutes(api) and manually
registered only some of the routes, missing the critical /setup
endpoints.
This restores GET /api/v1/setup and POST /api/v1/setup which are
required for initial admin setup flow.
- Remove SQLite cache=shared from certificate handler tests to prevent
database locking issues in parallel test runs
- Add JSON validation before jq parsing in integration-test.sh to
provide clear error messages when setup endpoint returns invalid response
- Remove unused fmt import from certificate_handler_coverage_test.go
- Added custom manager in renovate.json to track Go dependencies patched in Dockerfile for Caddy CVE fixes.
- Updated Dockerfile to pre-fetch and override vulnerable module versions for dependencies (expr, quic-go, smallstep/certificates) during the build process.
- Improved build resilience by implementing a fallback mechanism for Caddy versioning.
- Introduced tests for user SMTP audit, covering invite token security, input validation, authorization, and SMTP config security.
- Enhanced user invite functionality with duplicate email protection and case-insensitive checks.
- Updated go.work.sum to include new dependencies and ensure compatibility.
- Added a new SMTP settings page with functionality to configure SMTP settings, test connections, and send test emails.
- Implemented user management page to list users, invite new users, and manage user permissions.
- Created modals for inviting users and editing user permissions.
- Added tests for the new SMTP settings and user management functionalities.
- Updated navigation to include links to the new SMTP settings and user management pages.
