codeberg endurain-project/endurain v0.19.0-beta3

Pre-release, 3 hours ago

⚠️ Warning:

  • The DB has schema changes. Backup your DB before applying the update.
  • This is a beta pre-release and is intended for validation before stable release.
  • Review new environment variable defaults and configuration changes below.

Environment Variables & Configuration

New Variables

  • ALLOW_API_KEY_QUERY_PARAM (default: False) - Allows API keys to be passed as a ?api_key= query parameter. Disabled by default because query-string credentials appear in access logs and browser history. Enable only if you have integrations that cannot set custom headers.
  • CSP_ADDITIONAL_CONNECT_SRC (default: empty) - Comma-separated list of extra origins appended to the Content-Security-Policy connect-src directive. Set this when Endurain is behind a forward-auth reverse proxy (e.g. Pangolin) that redirects API calls to its own domain for session validation. Without its origin here the browser blocks the redirect with a CSP error and the app fails to load.
  • SMTP_FROM (default: empty) - Sets the "From" address on outgoing emails. If unset, it is auto-detected (usually SMTP_USERNAME). Set this when your provider requires a verified sender that differs from the login username (e.g. Brevo).
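A pre-deployment check for a CSP_ADDITIONAL_CONNECT_SRC value, added here as an illustration and not taken from Endurain's code. The baseline `'self'` source, the https/wss-only policy, the function names and the placeholder host pangolin.example.com are assumptions of this example.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Assumption: baseline sources; Endurain's actual connect-src is not shown on this page.
BASE_CONNECT_SRC = ["'self'"]
# Assumption of this example: only TLS-protected schemes are accepted.
ACCEPTED_SCHEMES = {"https", "wss"}
# Characters that would let a value break out of the directive or widen it.
FORBIDDEN = set(";*'\"")


def parse_extra_origins(raw: str) -> list[str]:
    """Split the comma-separated value and keep only bare, explicit origins."""
    origins: list[str] = []
    for item in (part.strip() for part in raw.split(",")):
        if not item:
            continue  # empty value or trailing comma
        if any(c in FORBIDDEN or c.isspace() or ord(c) < 0x20 for c in item):
            raise ValueError(f"illegal character in CSP source: {item!r}")
        parts = urlsplit(item)
        if parts.scheme not in ACCEPTED_SCHEMES or not parts.hostname:
            raise ValueError(f"expected an https:// or wss:// origin: {item!r}")
        if "@" in parts.netloc or parts.path not in ("", "/") or parts.query or parts.fragment:
            raise ValueError(f"origin must be scheme://host[:port] only: {item!r}")
        _ = parts.port  # raises ValueError on a malformed port
        origin = f"{parts.scheme}://{parts.netloc.lower()}"
        if origin not in origins:
            origins.append(origin)
    return origins


def build_connect_src(raw: str) -> str:
    """Return the connect-src directive with the validated extras appended."""
    return "connect-src " + " ".join(BASE_CONNECT_SRC + parse_extra_origins(raw))


if __name__ == "__main__":
    # Constructed sample value; pangolin.example.com is a placeholder host.
    print(build_connect_src("https://pangolin.example.com, wss://pangolin.example.com:8443/"))
```

Rejecting `;`, whitespace and `*` keeps a mistyped or copied value from adding a second directive or a wildcard source to the policy.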

Changed Defaults

  • ALLOWED_REDIRECT_SCHEMES - Now defaults to endurain instead of being empty. This enables OAuth redirect flows for the built-in Endurain URI scheme on mobile. If you set this explicitly, the provided list replaces the default (doesn't merge). To allow only relative paths (old behavior), set it to an empty value: ALLOWED_REDIRECT_SCHEMES= (nothing after the equals sign).
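The replace-not-merge semantics and the relative-only fallback described above, as an added sketch that is not Endurain's implementation. The comma-separated list format, the function names and the sample targets are assumptions of this example.

```python
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_SCHEMES = "endurain"  # default stated in these release notes


def allowed_schemes(env: dict[str, str]) -> set[str]:
    """An explicit value replaces the default; an empty value means relative-only."""
    # Assumption: the variable holds a comma-separated list of scheme names.
    raw = env.get("ALLOWED_REDIRECT_SCHEMES", DEFAULT_SCHEMES)
    return {s.strip().lower() for s in raw.split(",") if s.strip()}


def is_redirect_allowed(target: str, schemes: set[str]) -> bool:
    """Allow same-site relative paths, plus absolute URIs whose scheme is listed."""
    # Backslashes, control characters and padding are normalised differently by
    # browsers and URL parsers, so refuse them before parsing.
    if not target or target != target.strip():
        return False
    if any(c == "\\" or ord(c) < 0x20 for c in target):
        return False
    parts = urlsplit(target)
    if parts.scheme:
        return parts.scheme in schemes
    # No scheme: accept only a rooted path, never a scheme-relative //host form.
    return not parts.netloc and target.startswith("/") and not target.startswith("//")


if __name__ == "__main__":
    # Constructed sample targets checked against three configurations.
    configs = {
        "unset (default)": {},
        "empty": {"ALLOWED_REDIRECT_SCHEMES": ""},
        "explicit myapp": {"ALLOWED_REDIRECT_SCHEMES": "myapp"},
    }
    targets = ["/dashboard", "endurain://oauth/callback", "//other.example/x"]
    for label, env in configs.items():
        schemes = allowed_schemes(env)
        print(label, {t: is_redirect_allowed(t, schemes) for t in targets})
```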

Frontend v2: Rebuilt on Tailwind v4 + shadcn-vue

The web frontend has been rebuilt from the ground up (#742). The legacy Bootstrap 5 app (frontend/app, v1) has been removed and v2 (frontend) is now the default served app.

Why v2 over v1:

| Area | v1 | v2 |
|---|---|---|
| Components | Options API, mixed typing | <script setup lang="ts">, fully typed |
| API layer | Hand-written calls & types (drift-prone) | Generated client from the backend OpenAPI schema; contract drift = TypeScript error |
| Server state | Ad-hoc fetch + manual loading/error handling | TanStack Query (caching, dedupe, background refetch, cancellation) |
| UI primitives | Bootstrap JS components | shadcn-vue / reka-ui (headless, accessible) |
| Styling | Generic Bootstrap theme, hard to customize | Token-based design system, dark-mode-first |
| Tests | None | Vitest + @vue/test-utils |
| Quality gate | | npm run check (type-check + lint + format + test) |
| Performance | Single bundle + full Bootstrap CSS | Route-level code splitting, lazy i18n locales, smaller CSS |
| Security | | Tokens in HTTP-only cookies, SafeHtml/DOMPurify, CSP-friendly markup |

And of course it looks better, we think.

Changes from v0.19.0-beta2

  • New logo and a refreshed brand color palette, plus formal Brand & UX guidelines documenting the design system, typography, and component conventions for anyone contributing to the UI.
  • i18n coverage expanded with Polish, Turkish, Ukrainian, Romanian, Norwegian, Danish, Finnish, Czech, Greek, Hungarian, Bulgarian, Croatian, Serbian, Slovak, Lithuanian, Latvian, and Estonian (AI-translated).
  • Rebuild the frontend UI on Tailwind v4 + shadcn-vue (#742)
  • Add SMTP_FROM to fix email sender validation failure on strict providers (e.g. Brevo) (#746)
  • Migrate gears CRUD to Pydantic schemas and improve processing robustness (#743)
  • Migrate health CRUD to Pydantic schemas and improve processing robustness (#734)
  • Migrate migrations CRUD to Pydantic schemas and improve processing robustness (#715)
  • Replace WebSocket URL access token with a short-lived, single-use ticket (#732)
  • Add support for China accounts in Garmin Connect integration (#731)
  • Fix refresh token rotation reuse detection and cleanup boundary race (#735)
  • Gracefully handle Strava activities with no streams (Apple Health imports) (#736)
  • Exclude zero heart rate values from average/max HR calculations (#737)
  • Convert several async backend routes/CRUD (users, health, server settings) to sync; clean up unused notification/fasting code

Changes from v0.19.0-beta1

  • Show sleep stage tooltip times in local timezone (#504) #733
  • Restore admin user identity-provider endpoints removed in #685 (#728)
  • Skip read-only computed properties in edit_user mass-assignment (#727)
  • Add major.minor Docker manifest tags for version pinning (#724)
  • Repair health_sleep columns left as numeric by v0.16.0 pre-release (#719)
  • Fix issue on manufacturer .fit file import (#717)
  • Update activity graph selector menu labels on language switch (#713) #714
  • Show graph summary stats on desktop activity view (#538) #711
  • Fixes bug when constructing some asset paths (#702)
  • Continued type-safety and mypy-driven backend improvements #712.

Backend

  • Refactored auth boundaries around IdentityService and canonical auth modules (#625).
  • Consolidated auth/users boundaries and removed deprecated auth paths/properties (#625).
  • Migrated MFA data model and logic toward users_mfa/auth_mfa structure (#625).
  • Improved activity-stream ingestion by pre-computing HR zone percentages (#700, #693).
  • Added hostname support in TRUSTED_PROXIES (#667).
  • Fixed profile export/import silent data loss risk (#669).
  • Improved logging handler setup to support multiple handlers (#692).
  • Fixed multi-sport Garmin Connect activity retrieval query handling.
  • Fixed Strava CSV gear matching by trimming trailing whitespace (#668).
  • Added secret generation tooling and related backend updates.
  • Continued type-safety and mypy-driven backend improvements (#679).

Frontend

  • Added a new login image for version 0.19.0.
  • Added explicit config error display when ENDURAIN_HOST is misconfigured (#663).
  • Resolved frontend lint/format debt and dependency maintenance updates (#648).
  • Added newsletter subscription form and styling updates.

Testing

  • Expanded backend test coverage from about 57% to about 80% (#658).
  • Added comprehensive auth module tests: identity providers, MFA workflow, token hashing, maintenance paths (#625).
  • Added CI backend unit test workflow for pull requests (#653).
  • Improved exception-path testing across auth and MFA flows (#685).

CI/CD and Security

  • Hardened dependency supply chain and automation strategy in workflows (#670).
  • Added and refined Conventional Commits validation workflow/rules.
  • Updated workflow trigger strategy and PR automation (including AI review workflow).
  • Improved HMAC handling in CI with Python/OpenSSL fallback behavior.
  • Migrated docs workflow steps to uv and reduced redundant setup (#671).
  • Enforced stricter renovate/pinning behavior: minimum release age (#689) and digest handling (#687, #681).
  • Updated runner usage and workflow reliability adjustments (#688).
  • Added format and lint check to CI (#630).

Docs and Maintenance

  • Fixed docs references and module placement alignment with codebase structure.
  • Updated feature freeze and project process documentation.
  • Removed obsolete Forgejo runner docs/config remnants.
  • Performed broad dependency and lint maintenance across backend/frontend (#644, #646, #654).
  • Refactored test structure and removed import path hacks (#654).

Contributors

  • @hugobatista
  • @joaovitoriasilva
  • @emon in #708, #710, #711, #714, #717, #719, #727, #728 and #733
  • @SethGower in #702
