Added Fixed Security

KeyCloud - Changelog: v13.8.17

1 month ago

🚀 ADDED

  • standalone project now uses platform toolset v143 to match sdk lib toolchain and avoid linker mismatch
  • forward declaration for env_or_default in standalone main for clean release builds
  • sdk download() now auto-detects encrypted artifacts via /meta and decrypts at runtime using app secret
  • backend upload flow now supports encryption toggle without requiring manual encryption_key
  • server-side app secret lookup for encrypted file storage path
  • files/modules upload modal now auto-calculates sha256 from selected file (browser-side) and displays it in-step
  • files/modules upload modal now includes optional manual sha256 override input for operator use
  • standalone downloader now asks for manual sha256 override only when explicitly requested; default flow is automatic
  • files upload modal now auto-extracts scope encryption key from selected app and shows it directly in step 1
  • added 'Extract Key' button in upload modal to copy the scope encryption key to clipboard

🛠️ FIXED

  • sdk download path now reports "transport policy blocked url" explicitly instead of empty request-failed fallback
  • sdk no longer resets http status to 0 on local write-open failure (preserves real http status context)
  • sdk download error handling no longer replays a second diagnostic GET when the first response was already http 2xx
  • sdk download now reports "local write failed" for 2xx responses that fail at local file write step (prevents huge binary payload in error dialogs)
  • sdk download requests now include explicit user-agent and accept headers to satisfy backend ua checks
  • rebuilt sdk + standalone release binaries after user-agent patch
  • backend request_user_agent now falls back to x-keycloud-sdk-client
  • rebuilt and redeployed live auth service container with UA fallback patch
  • sdk now sends x-keycloud-sdk-client header on json and binary download requests
  • sdk now sets CURLOPT_USERAGENT explicitly for both json and binary requests (libcurl-level ua)
  • removed manual passphrase/sha requirement from normal encrypted download path
  • removed upload requirement for manual encryption key entry in the files/modules modal when encryption is enabled
  • rebuilt standalone sample after download-flow patch so the new prompt behavior is active in release binary
  • removed live modal requirement to manually type an encryption key before continuing
  • deployed new dashboard build to vps and synced updated static assets so the dashboard uses the new modal
  • dashboard/index.html now points to /dashboard/assets/index-AaqffFsG.js (new modal build with Extract Key)
View post
Added Removed Changed Fixed Security

KeyCloud - Changelog: v13.8.16

1 month ago

🚀 [ADDED]

- Loader auth now sends app_name + owner_id and supports env overrides.

- Default auth base URL fallback added.

- Admin app lists now read from Postgres (primary + scoped).

- Create‑app flow mirrors new apps into Postgres in primary mode.

- Reseller panel rebuilt: new layout, key table, logs, and create‑license modal.

- Per‑key actions added (pause, unpause, delete, ban, extend, copy).

- Balance controls expanded (add/remove/set).

- Reseller duration toggles added (day/week/month/lifetime).

- Backend Postgres primary mode added with async read/write paths.

- Metrics, admin presence, auth/profile, and user management now Postgres‑backed.

- Shadow sync system added (service + timer + logs).

- Postgres/Valkey stack provisioned on backend VPS.

- Increased request body limit to 200MB.

- Default compose runtime switched to Postgres primary.

🛠️ [FIXED]

- Loader no longer hard‑fails without AUTH_SERVER_BASE_URL.

- App list mismatch resolved between SQLite/Postgres during migration.

- Manager/reseller assignment updates fixed and stale scoped accounts cleaned.

- Reseller panel nav restored and access locked to reseller‑only pages.

- Modal overflow issues fixed across reseller UI.

- Key generation normalized and capped at 50 per request.

- Scoped app filtering fixed for reseller/manager accounts.

- CSP block for ChangeCrab fixed and widget load race resolved.

- Backend Postgres runtime crashes fixed (sync client removed, env wiring corrected).

- Admin user write paths no longer depend on SQLite.

- Login/register Postgres lookup issues fixed.

- SQLite mutex/await issues resolved in admin list endpoints.

- Docker networking issues on backend VPS recovered.

- Migration quoting/command issues fixed.

- Postgres credential injection fixed in containers.

- Upload size errors resolved after raising max_request_bytes.

❌ [REMOVED]

- Old reseller card‑list inventory.

- Bulk‑only key controls in reseller panel.

View post
Added Changed Fixed Security

KeyCloud - Changelog: v13.8.14

1 month ago

🚀 Added

  • Manager role alias support in frontend role system and display mapping
  • Manager‑specific page access rules (Apps, Licenses, Files/Modules, Webhooks, Variables, Team Members, Reseller Panel)
  • Manager label rendering in top header
  • Scoped owner resolver for reseller/admin operations
  • Manager support in reseller claims guard
  • Manager owner‑resolution support in reseller profile resolver
  • Global KeyCloud favicon enforcement for public pages
  • Animated KeyCloud tab‑title behavior on public pages and dashboard
  • Manager‑specific plan badge (“ASSIGNED MANAGER”)
  • Manager‑specific sidebar labeling (“Manager Controls”)
  • Backend guard requiring manager accounts to have at least one active app assignment
  • Backend auto‑cleanup for unassigned manager accounts
  • Backend app‑delete cascade cleanup for app‑linked data
  • Manager added to account‑layer role schema/seed and legacy‑role normalization
  • Manager role permissions in account‑layer defaults
  • Manager subscription override to Developer‑tier usage
  • New purple KeyCloud favicon asset wired to public + dashboard HTML
  • Backend role re‑resolution in admin_claims
  • Team Members access editor modal with permission toggles
  • Per‑account side‑nav visibility toggles saved in metadata
  • updateAdminUser(...) helper
  • Metadata field added to AdminUser type
  • Backend permission resolver support for manager/reseller metadata permissions
  • Team Members account actions: edit username/password and delete
  • Backend support for username/password updates
  • Centered overlay portal behavior for Manage App Access modal
  • Strict default‑deny navigation gating for manager/reseller accounts
  • Changecrab widget integration on public homepage and dashboard
  • “What’s New” trigger in public nav and dashboard top bar
  • Widget script loading before </body> on public and dashboard pages

🛠️ Fixed

  • Team Members role dropdown to show only Manager/Reseller in scoped context
  • Team Members default role assignment to manager in scoped context
  • Sidebar now hides inaccessible items instead of showing locked entries
  • Scoped reseller/admin backend paths to use owner scope
  • Reseller profile, balance, subscriptions, logs, and key generation to resolve manager actions against owner scope
  • Reseller key generation accounting/logging to include manager actor metadata
  • Role‑alias permission handling for developer‑plan access on protected admin endpoints
  • Team Members UX with success notice after creation
  • Team Members data loading for Developer/Manager contexts
  • Dashboard access gate to normalize role aliases/casing
  • Scoped backend role comparisons to be case‑insensitive
  • Frontend legacy‑role normalization for developer/normal_user aliases
  • Backend login gate rejecting manager accounts
  • Inconsistent tab branding between public pages and dashboard
  • Dashboard HTML entry favicon links
  • Manager navigation permissions to allow only scoped pages
  • Manager header label previously showing FREE USER
  • Orphan manager login by blocking/pruning unassigned managers
  • App deletion to remove app‑linked keys and runtime records
  • Manager role downcast bug (manager → free_user)
  • Manager scope leakage causing unscoped visibility
  • Manager usage panel mismatch by returning Developer limits
  • Browser tab icon mismatch by replacing old icon paths
  • Stale default tab icon fallback
  • Manager privilege leak on team accounts and app‑assignment mappings
  • Manager permission map to remove manage_users
  • Frontend manager visibility to hide Team Members page
  • Dashboard data loader to stop fetching admin users for manager sessions
  • Manager role‑scoping consistency by enforcing DB role at request time
  • Manager app‑scope leak on /api/admin/apps
  • Manager app selector to show only assigned app IDs
  • Backend deployment state by rebuilding license‑auth
  • Frontend deployment state by rebuilding dashboard bundle
  • Backend permission resolver to read manager metadata permissions
  • Reseller accounts to include management permission aliases
  • Manager edit flow to preserve manager role
  • Manager hard‑blocks on team endpoints by switching to permission + scope checks
  • Page gating logic to follow backend metadata instead of static defaults
  • Team Members access modal layout to centered dialog with backdrop
  • Modal usability with scrollable content and sticky footer
  • Modal mounting via portal
  • Team Members page layout to license‑style table and removed deprecated fields
  • Frontend admin API typing for username/password edits
  • Team Members access toggles to correctly hide sidebar/pages after saving
  • Changecrab widget initialization by loading script before </body>
View post
ChangeCrab Powered by ChangeCrab
Free Changelogs & User Suggestions