github Forceu/Gokapi v2.0.0


⚠️ Make sure that you have a backup of all data. It is not possible to downgrade afterwards.

This release adds user management and granular permission control. Some breaking changes are introduced, please make sure to read the section Upgrading.

Security

This release fixes two XSS vulnerabilities (CVE-2025-48494 and CVE-2025-48495). The vulnerabilities let authorised users execute JavaScript with passive interaction. If you are using Gokapi as a single user, this does not impact you; otherwise we recommend updating your instance to v2.0.0.

Changelog

  • Added support for multiple different users with granular permissions
  • Added API endpoints to manage users
  • Added API endpoint to delete logs, added more logging, added filtering and deletion of logs in UI
  • Added feature to restore a deleted file from the UI (has to be restored within 5 seconds)
  • Added API endpoint for restoring a file with a pending delete
  • Added experimental hotlinking for videos with env var GOKAPI_ENABLE_HOTLINK_VIDEOS
  • Added a share button for mobile users and a button to share a URL via email
  • Improved the UI
  • Changed GOKAPI_LENGTH_ID to be non-permanent, added GOKAPI_LENGTH_HOTLINK_ID to change hotlink ID length #251
  • Changed hotlink URLs to be shorter (#253) @lenisko
  • Changed headers for cache control to stop unwanted caching with cloudflare #209
  • Fixed email scope not being submitted #234, fixed always being redirected after successful OIDC login
  • Fixed DuplicateFile setting hotlink on wrong file object (#246)
  • Fixed bug where picture files were not uploaded at all when encryption and cloud storage were active as well as SaveToLocal #247
  • Many other fixes and minor improvements @nilicule

Upgrading

Upgrade path: Requires v1.9.6 as base

Upgrading when using OAuth2/OIDC authentication:

  • A valid email must now be set for all users in the authentication backend
  • Authentication is now only done by email and can be restricted by user groups
  • Set the env variable GOKAPI_ADMIN_USER containing the email address of the super admin when upgrading

Upgrading when using Header authentication

  • If restricting the users by username, make sure that you remove any wildcards (*) for usernames in the setup before upgrading.
  • Set the env variable GOKAPI_ADMIN_USER containing the email address of the super admin when upgrading

Upgrading when using no authentication

  • If you are restricting access with a proxy, make sure that you block the following URLs:
    • /admin
    • /apiKeys
    • /changePassword
    • /e2eInfo
    • /e2eSetup
    • /logs
    • /uploadChunk
    • /uploadStatus
    • /users
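As an added illustration of the proxy rule above (example code, not Gokapi's own): a small Go filtering reverse proxy that refuses the listed paths before a request reaches an unauthenticated Gokapi instance. The path list is the one from these notes; the upstream address, its port and the listening port are assumptions.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

// restrictedPrefixes are the routes listed in the v2.0.0 upgrade notes that must
// not be reachable from outside when Gokapi itself runs without authentication.
var restrictedPrefixes = []string{
	"/admin", "/apiKeys", "/changePassword", "/e2eInfo", "/e2eSetup",
	"/logs", "/uploadChunk", "/uploadStatus", "/users",
}

// isRestrictedPath reports whether a request path resolves to one of the
// restricted routes. The path is cleaned first so that "//admin", "/logs/" or
// "/d/../admin" are judged by the route they actually reach, and the match is
// on whole path segments so that an unrelated "/adminx" is not blocked.
func isRestrictedPath(p string) bool {
	clean := path.Clean("/" + p)
	for _, prefix := range restrictedPrefixes {
		if clean == prefix || strings.HasPrefix(clean, prefix+"/") {
			return true
		}
	}
	return false
}

// denyRestricted answers 403 for restricted paths and forwards everything else.
func denyRestricted(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isRestrictedPath(r.URL.Path) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed upstream address: Gokapi listening on localhost on its default port.
	upstream, err := url.Parse("http://127.0.0.1:53842")
	if err != nil {
		log.Fatal(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	log.Println("filtering proxy listening on :8080")
	log.Fatal(http.ListenAndServe(":8080", denyRestricted(proxy)))
}
```

The same rule is what an nginx or Caddy `location` block should express. Whatever proxy is used, the filter only helps if Gokapi's own port is bound to localhost or otherwise unreachable from clients; a path filter in front of a directly reachable instance protects nothing. Go decodes percent-encoding into `r.URL.Path` before the handler runs, so `/%61dmin` is judged as `/admin` here; check that the proxy you actually deploy does the same before matching.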

Upgrading when using custom templates or static content

The previous way of replacing content has been removed and is now replaced with additive CSS and JS. If you want to change the layout (e.g. add your company logo or add/disable certain features), follow these steps:

  1. Create a new folder named custom where your executable is. When using Docker, mount a new folder to /app/custom/. Any file in this directory will be publicly available in the sub-URL /custom/.
  2. To have custom CSS included, create a file in the folder named custom.css. The CSS will be applied to all pages.
  3. To have custom JavaScript included, create the file public.js for all public pages and/or admin.js for all admin-related pages. Please note that the admin.js will be readable to all users.
  4. In order to prevent caching issues, you can version your files by creating the file version.txt with a version number.
  5. Restart the server. If the folders exist, the server will now add the local files.

Optional: If you require further changes or want to embed the changes permanently, you can clone the source code and modify the templates in internal/webserver/web/templates. Afterwards run make to build a new binary with these changes.

Breaking Changes

Since v1.9 there have been a lot of changes to the API; please take note if you are using the API:

  • A valid API key is now always required; API authentication by session is no longer possible
  • /chunk/complete and /files/duplicate now expect the parameters as headers instead of URL-encoded form data
  • Parameter apiKeyToModify has been renamed to targetKey for /auth/modify, /auth/delete and /auth/friendlyname
  • If a user, api key or file is not found, but a plausible ID was submitted, error 404 instead of 400 is returned now
  • Before v2.0, a required boolean parameter was always treated as false if anything other than "true" was sent; now an error is raised if any value other than 1, t, true, 0, f, or false is supplied
  • Some API calls might be restricted by user permissions now, consult the API documentation for more information
  • API keys now have a public ID as well, which can also be used for /auth/modify, /auth/delete and /auth/friendlyname as targetKey instead of the private ID
  • When uploading a file through the API, defaults of 14 days, max 1 download and no password will be used, unless the respective parameters were passed. In v1.9, the previous values were used.
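The boolean-parameter and header-parameter changes above, modelled as an added Go example (not Gokapi's own code): the pre-2.0 rule is "anything but the literal true is false", the v2.0 rule accepts exactly the six spellings listed in these notes and rejects everything else, and a handler reading such a parameter from a request header answers 400 for a bad value instead of guessing. The header name X-Example-Flag is a hypothetical placeholder; the real parameter names are in Gokapi's API documentation.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// ErrInvalidBool is returned for a value outside the set the v2.0 API accepts.
var ErrInvalidBool = errors.New("invalid boolean value")

// parseBoolV1 models the pre-2.0 contract from the release notes: the literal
// "true" is true, anything else silently becomes false.
func parseBoolV1(s string) bool {
	return s == "true"
}

// parseBoolV2 models the v2.0 contract: exactly the six listed spellings are
// accepted and every other value is rejected instead of being coerced to false.
// The set is taken literally from the notes; no case-insensitivity is assumed.
func parseBoolV2(s string) (bool, error) {
	switch s {
	case "1", "t", "true":
		return true, nil
	case "0", "f", "false":
		return false, nil
	}
	return false, fmt.Errorf("%w: %q", ErrInvalidBool, s)
}

// outcome records how both API generations treat the same raw value.
type outcome struct {
	V1    bool
	V2    bool
	V2Err error
}

// compare evaluates a raw parameter value under both contracts: a client that
// sends "yes" or "on" used to get a silent false and now gets an error.
func compare(raw string) outcome {
	v2, err := parseBoolV2(raw)
	return outcome{V1: parseBoolV1(raw), V2: v2, V2Err: err}
}

// flagHeader is a hypothetical parameter name used only for this demonstration.
const flagHeader = "X-Example-Flag"

// strictBoolHandler shows the server side of the v2.0 rule for a required
// parameter passed as a header: an unparsable (or missing) value yields 400.
func strictBoolHandler(w http.ResponseWriter, r *http.Request) {
	flag, err := parseBoolV2(r.Header.Get(flagHeader))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "flag=%t\n", flag)
}

func main() {
	// Constructed sample values, including ones clients commonly send by habit.
	for _, raw := range []string{"true", "t", "1", "0", "false", "yes", "on", ""} {
		o := compare(raw)
		fmt.Printf("%-7q v1.9=%-5t v2.0=%-5t err=%v\n", raw, o.V1, o.V2, o.V2Err)
	}
}
```

When auditing API clients before the upgrade, the values to look for are exactly the ones that used to be silently false: form libraries that send "on" for checked boxes, scripts that send "yes"/"no", and code that omits the parameter entirely. Under v2.0 each of these becomes a request error rather than a quietly wrong setting.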

💙 A huge thank you to all our users, bug reporters, and contributors who made this release possible!

Full Changelog: v1.9.6...v2.0.0
