Skip to content

Releases: SibeiC/api-server

v1.10.1 — Live secret rotation via doppler run --watch

Choose a tag to compare

@SibeiC SibeiC released this 12 Jun 06:48
Immutable release. Only release title and notes can be modified.
v1.10.1
853bffa

App-only secrets (Mongo URI, R2 keys, GitHub tokens, mail creds) now rotate with just a Doppler update: doppler run --watch restarts the JVM in place when the prd config changes (#143).

Notes:

  • Batch multi-secret rotations into one doppler secrets set K1=… K2=… call — each change event triggers one restart
  • nginx/p12-coupled secrets (APP_MTLS_PROXY_SECRET, APP_TLS_KEYSTORE_PASSWORD) still require an ansible re-converge (workflow_dispatch) coordinated with the restart

🤖 Generated with Claude Code

v1.10.0 — Doppler secrets with per-env Cloudflare R2 + MongoDB access

Choose a tag to compare

@SibeiC SibeiC released this 12 Jun 03:13
Immutable release. Only release title and notes can be modified.
v1.10.0
cf59880

Highlights

  • Secrets migrated from sops/age to Doppler (project api-server, configs dev/prd): the container now runs doppler run -- java with a read-only service token; .env.enc, .sops.yaml, and all age tooling are removed (#141)
  • Per-environment data isolation: dev uses a dedicated api-server-dev MongoDB user/database and a bucket-scoped R2 key for the new api-server-dev bucket (7-day object retention); prod credentials are scoped to the api-server bucket/database only
  • Ansible fetches the TLS keystore password + nginx proxy secret from Doppler (CI service token or logged-in CLI); DOPPLER_TOKEN replaces the AGE_PRIVATE_KEY/TLS_KEYSTORE_PASSWORD GitHub secrets
  • @Value keys renamed to kebab-case for clean env-var binding; .env config import removed
  • hosts.ini pins the ansible interpreter to the distro python (fixes openssl_pkcs12 under python3.14 discovery)
  • Clarified doppler run --fallback semantics in the entrypoint (#142)

🤖 Generated with Claude Code

Dependency maintenance + Qodana CI hardening

Choose a tag to compare

@SibeiC SibeiC released this 11 Jun 15:40
Immutable release. Only release title and notes can be modified.
v1.9.2
b44f5ac

Dependency updates

  • Spring Boot parent 4.0.5 → 4.1.0 (#134)
  • AWS SDK BOM 2.44.5 → 2.46.8 (#129, #131, #132, #135)
  • Apache Tika 3.3.0 → 3.3.1 (#130)
  • jaxws-rt 4.0.4 → 4.0.5 (#136)
  • OkHttp MockWebServer 5.3.2 → 5.4.0 (#137)
  • Docker base image alpine 3.23 → 3.24 (#133)

CI hardening (Qodana)

  • Pin Qodana linter to 2026.1, matching the action CLI (#138)
  • Pre-seed the Maven repository before scans and manage it with a pom-keyed cache (#139)
  • Baseline the 54 false positives emitted when Qodana's Maven import degrades to its static preimport model — a JetBrains-side bug; genuinely new findings still fail the gate (#140)

v1.9.1 — Unified deploy workflow

Choose a tag to compare

@SibeiC SibeiC released this 17 May 07:42
Immutable release. Only release title and notes can be modified.
v1.9.1
6323f88

First release on the unified deploy pipeline (PR #128). No app changes.

What's Changed

  • Unify deploy: tag push runs ansible converge in one workflow by @SibeiC in #128

Full Changelog: v1.9.0...v1.9.1

mTLS hardening: loopback binds, X-Proxy-Secret, server-authoritative cert renewal

Choose a tag to compare

@SibeiC SibeiC released this 14 May 12:18
Immutable release. Only release title and notes can be modified.
bb4e061

Closes two findings from the in-repo security review.

Vuln 1 — mTLS bypass via direct upstream access. Previously docker-compose.yml published 8080 and 8957 on every host interface; Spring binds 0.0.0.0 by default. Any peer that could reach the host on :8080 skipped nginx entirely and forged X-Client-Verify: SUCCESS plus any leaked PEM to satisfy the filter — which trusted both headers without cryptographic validation. The release fixes this in two layers: ports are now published on 127.0.0.1 only, and a new APP_MTLS_PROXY_SECRET env var (set in .env.enc, injected by nginx as X-Proxy-Secret) is verified by MtlsVerificationFilter using a constant-time compare. Empty/unset = permissive mode (warns at startup) so existing nodes roll forward without breakage; flipping the value on enforces.

Vuln 2 — renew deviceId spoofing. POST /secure/certificate/renew used to accept deviceId from the JSON body and only fall back to the verified cert CN when null. Any authenticated mTLS client could mint a fresh cert under another device's CN, which MTlsService.insertNewRecord then promoted by revoking the legitimate prior cert. The controller now always derives deviceId from the verified X-Client-Cert CN; the body field is ignored. Missing/unparseable cert → 401. CertificateRenewal.deviceId is retained for OpenAPI compatibility with its @Schema description updated to reflect the new behavior.

Deployment notes. kr1.chencraft.com has already had the playbook re-run, so nginx is injecting X-Proxy-Secret and reload is verified. The Spring container will pick up the new filter logic and loopback bindings on the next image pull triggered by this tag. APP_MTLS_PROXY_SECRET defaults to permissive when unset, so rotation needs both .env/.env.enc and the nginx render to move together — the ansible playbook handles both ends.

Full Changelog: v1.8.1...v1.9.0

Health-check recovery notifications and localized alert timestamps

Choose a tag to compare

@SibeiC SibeiC released this 27 Apr 14:42
Immutable release. Only release title and notes can be modified.
7b2e8b4

Health-check email alerts are now paired. When a target that previously triggered a down alert returns to UP, operators receive a follow-up "recovery" email — so the end of an outage is signaled, not inferred from silence. Recovery emails fire only for outages that actually crossed the alert threshold; flapping that never alerted will not generate noise.

Alert timestamps in emails are now formatted in a configured timezone (default Asia/Shanghai) instead of raw ISO-8601 UTC, making "last successful probe", "down alert sent at", and "recovered at" lines readable at a glance. Override per-environment via the new app.alert.timezone property.

Full Changelog: v1.8.0...v1.8.1

Adds health check endpoint and services

Choose a tag to compare

@SibeiC SibeiC released this 26 Apr 08:37
Immutable release. Only release title and notes can be modified.
339a276

What's Changed

  • Bump software.amazon.awssdk:bom from 2.42.26 to 2.42.31 by @dependabot[bot] in #116
  • Bump org.springdoc:springdoc-openapi-starter-webmvc-ui from 3.0.2 to 3.0.3 by @dependabot[bot] in #117
  • Bump org.bouncycastle:bcpkix-jdk18on from 1.83 to 1.84 by @dependabot[bot] in #118
  • Bump software.amazon.awssdk:bom from 2.42.31 to 2.42.39 by @dependabot[bot] in #120

Full Changelog: v1.7.6...v1.8.0

Send alert email for one-time file sharing

Choose a tag to compare

@SibeiC SibeiC released this 04 Apr 14:57
Immutable release. Only release title and notes can be modified.
0c17bc4

What's Changed

  • Bump docker/setup-docker-action from 4 to 5 by @dependabot[bot] in #101
  • Bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in #100
  • Bump actions/download-artifact from 7 to 8 by @dependabot[bot] in #99
  • Bump docker/login-action from 3 to 4 by @dependabot[bot] in #98
  • Bump software.amazon.awssdk:bom from 2.42.6 to 2.42.11 by @dependabot[bot] in #103
  • Bump ansible/ansible-lint from 26.2.0 to 26.3.0 by @dependabot[bot] in #104
  • Bump docker/build-push-action from 6 to 7 by @dependabot[bot] in #102
  • Bump docker/setup-buildx-action from 3 to 4 by @dependabot[bot] in #105
  • Bump software.amazon.awssdk:bom from 2.42.11 to 2.42.16 by @dependabot[bot] in #106
  • Bump software.amazon.awssdk:bom from 2.42.16 to 2.42.21 by @dependabot[bot] in #107
  • Bump com.sun.xml.ws:jaxws-rt from 4.0.3 to 4.0.4 by @dependabot[bot] in #111
  • Bump org.openapitools:jackson-databind-nullable from 0.2.9 to 0.2.10 by @dependabot[bot] in #110
  • Bump org.apache.tika:tika-core from 3.2.3 to 3.3.0 by @dependabot[bot] in #108
  • Bump org.springframework.boot:spring-boot-starter-parent from 4.0.3 to 4.0.4 by @dependabot[bot] in #109
  • Bump org.springframework.boot:spring-boot-starter-parent from 4.0.4 to 4.0.5 by @dependabot[bot] in #113
  • Bump software.amazon.awssdk:bom from 2.42.21 to 2.42.26 by @dependabot[bot] in #114
  • Bump ansible/ansible-lint from 26.3.0 to 26.4.0 by @dependabot[bot] in #112
  • Send alert email for one-time file sharing in SecureFileApiController… by @SibeiC in #115

Full Changelog: v1.7.5...v1.7.6

Various dependency updates

Choose a tag to compare

@SibeiC SibeiC released this 05 Mar 03:19
Immutable release. Only release title and notes can be modified.
adb1e09

What's Changed

  • Bump org.apache.maven.plugins:maven-compiler-plugin from 3.14.1 to 3.15.0 by @dependabot[bot] in #87
  • Bump software.amazon.awssdk:bom from 2.41.17 to 2.41.22 by @dependabot[bot] in #88
  • Bump software.amazon.awssdk:bom from 2.41.22 to 2.41.27 by @dependabot[bot] in #89
  • Bump org.openapitools:jackson-databind-nullable from 0.2.8 to 0.2.9 by @dependabot[bot] in #90
  • Refactor LocalFileService for in-memory storage support by @SibeiC in #91
  • Bump software.amazon.awssdk:bom from 2.41.27 to 2.41.32 by @dependabot[bot] in #92
  • Bump org.springframework.boot:spring-boot-starter-parent from 4.0.2 to 4.0.3 by @dependabot[bot] in #95
  • Bump software.amazon.awssdk:bom from 2.41.32 to 2.42.2 by @dependabot[bot] in #93
  • Bump ansible/ansible-lint from 26.1.1 to 26.2.0 by @dependabot[bot] in #94
  • Bump org.springdoc:springdoc-openapi-starter-webmvc-ui from 3.0.1 to 3.0.2 by @dependabot[bot] in #96
  • Bump software.amazon.awssdk:bom from 2.42.2 to 2.42.6 by @dependabot[bot] in #97

Full Changelog: v1.7.4...v1.7.5

Various dependency updates

Choose a tag to compare

@SibeiC SibeiC released this 29 Jan 08:51
Immutable release. Only release title and notes can be modified.
8d5cf5a

What's Changed

  • Bump software.amazon.awssdk:bom from 2.41.1 to 2.41.4 by @dependabot[bot] in #79
  • Bump ansible/ansible-lint from 25.12.2 to 26.1.0 by @dependabot[bot] in #80
  • Bump software.amazon.awssdk:bom from 2.41.4 to 2.41.8 by @dependabot[bot] in #81
  • Bump ansible/ansible-lint from 26.1.0 to 26.1.1 by @dependabot[bot] in #82
  • Bump software.amazon.awssdk:bom from 2.41.8 to 2.41.12 by @dependabot[bot] in #83
  • Bump software.amazon.awssdk:bom from 2.41.12 to 2.41.17 by @dependabot[bot] in #86
  • Bump appleboy/ssh-action from 1.2.4 to 1.2.5 by @dependabot[bot] in #84
  • Bump org.springframework.boot:spring-boot-starter-parent from 4.0.1 to 4.0.2 by @dependabot[bot] in #85

Full Changelog: v1.7.3...v1.7.4