codeberg endurain-project/endurain v0.19.0-beta1

pre-release, 7 hours ago

⚠️ Warning:

  • The DB has schema changes. Backup your DB before applying the update.
  • This is a beta pre-release and is intended for validation before stable release.
  • Review new environment variable defaults and configuration changes below.

Environment Variables & Configuration

New Variables

  • ALLOW_API_KEY_QUERY_PARAM (default: False) - Allows API keys to be passed as a ?api_key= query parameter. Disabled by default because query-string credentials appear in access logs and browser history. Enable only if you have integrations that cannot set custom headers.
  • CSP_ADDITIONAL_CONNECT_SRC (default: empty) - Comma-separated list of extra origins appended to the Content-Security-Policy connect-src directive. Set this when Endurain is behind a forward-auth reverse proxy (e.g. Pangolin) that redirects API calls to its own domain for session validation. Without its origin here the browser blocks the redirect with a CSP error and the app fails to load.
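
An added example (not part of the Endurain project or these release notes) for the ALLOW_API_KEY_QUERY_PARAM note above: a Python audit that finds requests carrying ?api_key= in an access log, counts them per client and path so you can see which integrations depend on the setting, and redacts the key values. The combined log format, sample lines, paths and key values are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample lines in combined access-log format (not real Endurain logs).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /api/v1/activities?api_key=EXAMPLEKEY123&page=2 HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /api/v1/activities?page=3 HTTP/1.1" 200 498 "-" "curl/8.5.0"
198.51.100.9 - - [01/Jan/2025:10:01:00 +0000] "POST /api/v1/upload?api_key=EXAMPLEKEY456 HTTP/1.1" 201 64 "-" "sync-script/1.0"
"""

# Quoted request line: method, request target, protocol version.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')
PARAM = "api_key"  # query parameter name given in the release notes

def redact_target(target):
    """Return (target with api_key values replaced, whether a key was present)."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(name == PARAM for name, _ in pairs):
        return target, False
    cleaned = [(n, "REDACTED" if n == PARAM else v) for n, v in pairs]
    return parts._replace(query=urlencode(cleaned)).geturl(), True

def audit(log_text):
    """Redact key values and count affected requests per (client IP, path)."""
    callers = Counter()
    out = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if m:
            target, had_key = redact_target(m.group("target"))
            if had_key:
                client = line.split(" ", 1)[0]  # first field is the client address
                callers[(client, urlsplit(target).path)] += 1
                line = line[:m.start("target")] + target + line[m.end("target"):]
        out.append(line)
    return "\n".join(out), callers

if __name__ == "__main__":
    redacted, callers = audit(SAMPLE_LOG)
    print(redacted)
    for (client, path), hits in callers.most_common():
        print(f"{client} sent api_key in the query string to {path}: {hits} request(s)")
```

Any key found this way has already been written to disk in clear text, so rotate it after moving the integration to a header.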

Changed Defaults

  • ALLOWED_REDIRECT_SCHEMES - Now defaults to endurain instead of being empty. This enables OAuth redirect flows for the built-in Endurain URI scheme on mobile. If you set this explicitly, the provided list replaces the default (it does not merge with it). To allow only relative paths (the old behavior), set it to an empty value: ALLOWED_REDIRECT_SCHEMES= (nothing after the equals sign).

Backend

  • Refactored auth boundaries around IdentityService and canonical auth modules (#625).
  • Consolidated auth/users boundaries and removed deprecated auth paths/properties (#625).
  • Migrated MFA data model and logic toward users_mfa/auth_mfa structure (#625).
  • Improved activity-stream ingestion by pre-computing HR zone percentages (#700, #693).
  • Added hostname support in TRUSTED_PROXIES (#667).
  • Fixed profile export/import silent data loss risk (#669).
  • Improved logging handler setup to support multiple handlers (#692).
  • Fixed multi-sport Garmin Connect activity retrieval query handling.
  • Fixed Strava CSV gear matching by trimming trailing whitespace (#668).
  • Added secret generation tooling and related backend updates.
  • Continued type-safety and mypy-driven backend improvements (#679).

Frontend

  • Added a new login image for version 0.19.0.
  • Added explicit config error display when ENDURAIN_HOST is misconfigured (#663).
  • Resolved frontend lint/format debt and dependency maintenance updates (#648).
  • Added newsletter subscription form and styling updates.

Testing

  • Expanded backend test coverage from about 57% to about 80% (#658).
  • Added comprehensive auth module tests: identity providers, MFA workflow, token hashing, maintenance paths (#625).
  • Added CI backend unit test workflow for pull requests (#653).
  • Improved exception-path testing across auth and MFA flows (#685).

CI/CD and Security

  • Hardened dependency supply chain and automation strategy in workflows (#670).
  • Added and refined Conventional Commits validation workflow/rules.
  • Updated workflow trigger strategy and PR automation (including AI review workflow).
  • Improved HMAC handling in CI with Python/OpenSSL fallback behavior.
  • Migrated docs workflow steps to uv and reduced redundant setup (#671).
  • Enforced stricter renovate/pinning behavior: minimum release age (#689) and digest handling (#687, #681).
  • Updated runner usage and workflow reliability adjustments (#688).
  • Added format and lint check to CI (#630).

Docs and Maintenance

  • Fixed docs references and module placement alignment with codebase structure.
  • Updated feature freeze and project process documentation.
  • Removed obsolete Forgejo runner docs/config remnants.
  • Performed broad dependency and lint maintenance across backend/frontend (#644, #646, #654).
  • Refactored test structure and removed import path hacks (#654).

Contributors

  • @hugobatista
  • @joaovitoriasilva
  • @emon in #708 and #710
