Releases: SibeiC/api-server
Release list
v1.10.1 — Live secret rotation via doppler run --watch
App-only secrets (Mongo URI, R2 keys, GitHub tokens, mail creds) now rotate with just a Doppler update: doppler run --watch restarts the JVM in place when the prd config changes (#143).
Notes:
- Batch multi-secret rotations into one
doppler secrets set K1=… K2=…call — each change event triggers one restart - nginx/p12-coupled secrets (
APP_MTLS_PROXY_SECRET,APP_TLS_KEYSTORE_PASSWORD) still require an ansible re-converge (workflow_dispatch) coordinated with the restart
🤖 Generated with Claude Code
v1.10.0 — Doppler secrets with per-env Cloudflare R2 + MongoDB access
Highlights
- Secrets migrated from sops/age to Doppler (project
api-server, configsdev/prd): the container now runsdoppler run -- javawith a read-only service token;.env.enc,.sops.yaml, and all age tooling are removed (#141) - Per-environment data isolation: dev uses a dedicated
api-server-devMongoDB user/database and a bucket-scoped R2 key for the newapi-server-devbucket (7-day object retention); prod credentials are scoped to theapi-serverbucket/database only - Ansible fetches the TLS keystore password + nginx proxy secret from Doppler (CI service token or logged-in CLI);
DOPPLER_TOKENreplaces theAGE_PRIVATE_KEY/TLS_KEYSTORE_PASSWORDGitHub secrets @Valuekeys renamed to kebab-case for clean env-var binding;.envconfig import removedhosts.inipins the ansible interpreter to the distro python (fixesopenssl_pkcs12under python3.14 discovery)- Clarified
doppler run --fallbacksemantics in the entrypoint (#142)
🤖 Generated with Claude Code
Dependency maintenance + Qodana CI hardening
Dependency updates
- Spring Boot parent 4.0.5 → 4.1.0 (#134)
- AWS SDK BOM 2.44.5 → 2.46.8 (#129, #131, #132, #135)
- Apache Tika 3.3.0 → 3.3.1 (#130)
- jaxws-rt 4.0.4 → 4.0.5 (#136)
- OkHttp MockWebServer 5.3.2 → 5.4.0 (#137)
- Docker base image alpine 3.23 → 3.24 (#133)
CI hardening (Qodana)
- Pin Qodana linter to 2026.1, matching the action CLI (#138)
- Pre-seed the Maven repository before scans and manage it with a pom-keyed cache (#139)
- Baseline the 54 false positives emitted when Qodana's Maven import degrades to its static preimport model — a JetBrains-side bug; genuinely new findings still fail the gate (#140)
v1.9.1 — Unified deploy workflow
First release on the unified deploy pipeline (PR #128). No app changes.
What's Changed
Full Changelog: v1.9.0...v1.9.1
mTLS hardening: loopback binds, X-Proxy-Secret, server-authoritative cert renewal
Closes two findings from the in-repo security review.
Vuln 1 — mTLS bypass via direct upstream access. Previously docker-compose.yml published 8080 and 8957 on every host interface; Spring binds 0.0.0.0 by default. Any peer that could reach the host on :8080 skipped nginx entirely and forged X-Client-Verify: SUCCESS plus any leaked PEM to satisfy the filter — which trusted both headers without cryptographic validation. The release fixes this in two layers: ports are now published on 127.0.0.1 only, and a new APP_MTLS_PROXY_SECRET env var (set in .env.enc, injected by nginx as X-Proxy-Secret) is verified by MtlsVerificationFilter using a constant-time compare. Empty/unset = permissive mode (warns at startup) so existing nodes roll forward without breakage; flipping the value on enforces.
Vuln 2 — renew deviceId spoofing. POST /secure/certificate/renew used to accept deviceId from the JSON body and only fall back to the verified cert CN when null. Any authenticated mTLS client could mint a fresh cert under another device's CN, which MTlsService.insertNewRecord then promoted by revoking the legitimate prior cert. The controller now always derives deviceId from the verified X-Client-Cert CN; the body field is ignored. Missing/unparseable cert → 401. CertificateRenewal.deviceId is retained for OpenAPI compatibility with its @Schema description updated to reflect the new behavior.
Deployment notes. kr1.chencraft.com has already had the playbook re-run, so nginx is injecting X-Proxy-Secret and reload is verified. The Spring container will pick up the new filter logic and loopback bindings on the next image pull triggered by this tag. APP_MTLS_PROXY_SECRET defaults to permissive when unset, so rotation needs both .env/.env.enc and the nginx render to move together — the ansible playbook handles both ends.
Full Changelog: v1.8.1...v1.9.0
Health-check recovery notifications and localized alert timestamps
Health-check email alerts are now paired. When a target that previously triggered a down alert returns to UP, operators receive a follow-up "recovery" email — so the end of an outage is signaled, not inferred from silence. Recovery emails fire only for outages that actually crossed the alert threshold; flapping that never alerted will not generate noise.
Alert timestamps in emails are now formatted in a configured timezone (default Asia/Shanghai) instead of raw ISO-8601 UTC, making "last successful probe", "down alert sent at", and "recovered at" lines readable at a glance. Override per-environment via the new app.alert.timezone property.
Full Changelog: v1.8.0...v1.8.1
Adds health check endpoint and services
What's Changed
- Bump software.amazon.awssdk:bom from 2.42.26 to 2.42.31 by @dependabot[bot] in #116
- Bump org.springdoc:springdoc-openapi-starter-webmvc-ui from 3.0.2 to 3.0.3 by @dependabot[bot] in #117
- Bump org.bouncycastle:bcpkix-jdk18on from 1.83 to 1.84 by @dependabot[bot] in #118
- Bump software.amazon.awssdk:bom from 2.42.31 to 2.42.39 by @dependabot[bot] in #120
Full Changelog: v1.7.6...v1.8.0
Send alert email for one-time file sharing
What's Changed
- Bump docker/setup-docker-action from 4 to 5 by @dependabot[bot] in #101
- Bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in #100
- Bump actions/download-artifact from 7 to 8 by @dependabot[bot] in #99
- Bump docker/login-action from 3 to 4 by @dependabot[bot] in #98
- Bump software.amazon.awssdk:bom from 2.42.6 to 2.42.11 by @dependabot[bot] in #103
- Bump ansible/ansible-lint from 26.2.0 to 26.3.0 by @dependabot[bot] in #104
- Bump docker/build-push-action from 6 to 7 by @dependabot[bot] in #102
- Bump docker/setup-buildx-action from 3 to 4 by @dependabot[bot] in #105
- Bump software.amazon.awssdk:bom from 2.42.11 to 2.42.16 by @dependabot[bot] in #106
- Bump software.amazon.awssdk:bom from 2.42.16 to 2.42.21 by @dependabot[bot] in #107
- Bump com.sun.xml.ws:jaxws-rt from 4.0.3 to 4.0.4 by @dependabot[bot] in #111
- Bump org.openapitools:jackson-databind-nullable from 0.2.9 to 0.2.10 by @dependabot[bot] in #110
- Bump org.apache.tika:tika-core from 3.2.3 to 3.3.0 by @dependabot[bot] in #108
- Bump org.springframework.boot:spring-boot-starter-parent from 4.0.3 to 4.0.4 by @dependabot[bot] in #109
- Bump org.springframework.boot:spring-boot-starter-parent from 4.0.4 to 4.0.5 by @dependabot[bot] in #113
- Bump software.amazon.awssdk:bom from 2.42.21 to 2.42.26 by @dependabot[bot] in #114
- Bump ansible/ansible-lint from 26.3.0 to 26.4.0 by @dependabot[bot] in #112
- Send alert email for one-time file sharing in SecureFileApiController… by @SibeiC in #115
Full Changelog: v1.7.5...v1.7.6
Various dependency updates
What's Changed
- Bump org.apache.maven.plugins:maven-compiler-plugin from 3.14.1 to 3.15.0 by @dependabot[bot] in #87
- Bump software.amazon.awssdk:bom from 2.41.17 to 2.41.22 by @dependabot[bot] in #88
- Bump software.amazon.awssdk:bom from 2.41.22 to 2.41.27 by @dependabot[bot] in #89
- Bump org.openapitools:jackson-databind-nullable from 0.2.8 to 0.2.9 by @dependabot[bot] in #90
- Refactor LocalFileService for in-memory storage support by @SibeiC in #91
- Bump software.amazon.awssdk:bom from 2.41.27 to 2.41.32 by @dependabot[bot] in #92
- Bump org.springframework.boot:spring-boot-starter-parent from 4.0.2 to 4.0.3 by @dependabot[bot] in #95
- Bump software.amazon.awssdk:bom from 2.41.32 to 2.42.2 by @dependabot[bot] in #93
- Bump ansible/ansible-lint from 26.1.1 to 26.2.0 by @dependabot[bot] in #94
- Bump org.springdoc:springdoc-openapi-starter-webmvc-ui from 3.0.1 to 3.0.2 by @dependabot[bot] in #96
- Bump software.amazon.awssdk:bom from 2.42.2 to 2.42.6 by @dependabot[bot] in #97
Full Changelog: v1.7.4...v1.7.5
Various dependency updates
What's Changed
- Bump software.amazon.awssdk:bom from 2.41.1 to 2.41.4 by @dependabot[bot] in #79
- Bump ansible/ansible-lint from 25.12.2 to 26.1.0 by @dependabot[bot] in #80
- Bump software.amazon.awssdk:bom from 2.41.4 to 2.41.8 by @dependabot[bot] in #81
- Bump ansible/ansible-lint from 26.1.0 to 26.1.1 by @dependabot[bot] in #82
- Bump software.amazon.awssdk:bom from 2.41.8 to 2.41.12 by @dependabot[bot] in #83
- Bump software.amazon.awssdk:bom from 2.41.12 to 2.41.17 by @dependabot[bot] in #86
- Bump appleboy/ssh-action from 1.2.4 to 1.2.5 by @dependabot[bot] in #84
- Bump org.springframework.boot:spring-boot-starter-parent from 4.0.1 to 4.0.2 by @dependabot[bot] in #85
Full Changelog: v1.7.3...v1.7.4