The main feature for this release is an in-memory ACL cache (`auth-access-cache`) that can help bring down the read load on the production database. The topic authorization queries are consistently the highest ranking queries on the database, so this will help quite a bit. The current database load is quite low, but I'm expecting it to increase as more users join and use ntfy.
Security issues:
- Fix case-insensitive ACL topic matching on SQLite: an access control rule for `secret` no longer also matches a request for `SECRET`. SQLite's `LIKE` is case-insensitive for ASCII by default. PostgreSQL was unaffected. It's honestly incredible that this issue remained undetected for so long, especially while ntfy.sh was running on SQLite (it now runs on PostgreSQL).
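The SQLite behaviour described in the security fix above, as an added example (not ntfy's code and not its actual fix). The `acl` table, its columns and the sample rules are constructed for illustration, and `GLOB` is shown only as one case-sensitive alternative to `LIKE`.

```python
import sqlite3

# Constructed sample rules; table and column names are hypothetical, not ntfy's schema.
RULES = [("alice", "secret"), ("alice", "alerts-*")]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE acl (username TEXT, topic TEXT)")
    db.executemany("INSERT INTO acl VALUES (?, ?)", RULES)
    return db

def allowed_like(db, username, topic):
    # LIKE folds ASCII case by default, so 'SECRET' matches the rule 'secret'.
    sql = ("SELECT COUNT(*) FROM acl WHERE username = ? "
           "AND ? LIKE replace(topic, '*', '%')")
    return db.execute(sql, (username, topic)).fetchone()[0] > 0

def allowed_glob(db, username, topic):
    # GLOB is always case-sensitive and uses '*' as its wildcard.
    sql = "SELECT COUNT(*) FROM acl WHERE username = ? AND ? GLOB topic"
    return db.execute(sql, (username, topic)).fetchone()[0] > 0

def case_variant_grants(db, matcher):
    """Regression check: list case-swapped topics that a rule still grants."""
    leaks = []
    for username, rule in RULES:
        topic = rule.replace("*", "prod")   # a concrete topic the rule covers
        variant = topic.swapcase()          # same topic with the case flipped
        if matcher(db, username, topic) and matcher(db, username, variant):
            leaks.append((rule, variant))
    return leaks

if __name__ == "__main__":
    db = open_db()
    print("LIKE:", case_variant_grants(db, allowed_like))
    print("GLOB:", case_variant_grants(db, allowed_glob))
```

A check like `case_variant_grants` is worth running against every database backend a service supports, since the same query text can match differently on each.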
Features:
- Add opt-in in-memory ACL cache (`auth-access-cache`) that serves topic authorization without a database round-trip; off by default, intended for high-volume servers
- Add `ntfy --version` flag to the CLI (#1722, #1748, thanks to @sskender for the contribution, and @Saucy9607 for reporting)
Bug fixes + maintenance:
- Extend account token automatically from the PWA service worker, so installed PWAs don't get logged out (#1669, #1203, #1533, thanks to @nihalgonsalves for the contribution)
- Fix `rel` attribute on auto-linked notification URLs so `noreferrer`/`noopener` are actually applied (#1720, thanks to @dmitrylyzo for the contribution)
- Add systemd sandboxing/hardening to the `ntfy.service` unit (#1467, thanks to @Velocifyer for the contribution)
- Fix `cmd` package build on macOS (darwin) so the server compiles from source (#1631, #1696, thanks to @ShipItAndPray for the contribution, and @XYenon for reporting)