github bscott/subtrackr v0.5.0
v0.5.0 - Optional Login Support 🔐
on GitHub

latest releases: v0.5.8, v0.5.7, v0.5.6...
3 months ago

SubTrackr v0.5.0 introduces optional authentication to protect your subscription data, while maintaining our commitment to simplicity and privacy-first design.

⚠️ Important: Backup Your Data

Before upgrading, we strongly recommend backing up your data:

  1. Navigate to Settings → Data Management
  2. Click "Download Backup" to save your database
  3. Store the backup file in a safe location

This ensures you can restore your data if anything goes wrong during the upgrade.

🎉 New Features

🎄 Holiday Themes (New!)

Spread holiday cheer with our new theming system!

  • 5 Beautiful Themes: Default, Dark, Christmas, Midnight, Ocean
  • 🎅 Christmas Theme: Festive red & green colors, gold accents, and gentle snowfall animation ❄️
  • Easy Switching: Change themes instantly from Settings → Appearance
  • Persistent: Your theme choice is saved automatically
  • Accessible: Respects prefers-reduced-motion for animations

Perfect for the holiday season! Switch to the Christmas theme and enjoy the festive atmosphere while tracking your subscriptions.

Optional Authentication System

  • OFF by default - Zero breaking changes for existing installations
  • Single-user authentication with bcrypt password hashing
  • Session-based login with secure cookies (HttpOnly, SameSite)
  • "Remember me" option (30-day sessions)
  • SMTP prerequisite check - ensures password recovery is always available

Password Reset Flow

  • Complete forgot password → email reset link → set new password flow
  • 1-hour token expiry for security
  • Works seamlessly with existing SMTP configuration

CLI Password Reset (Perfect for Docker!)

  • Reset admin password without email: ./subtrackr --reset-password
  • Non-interactive mode: ./subtrackr --reset-password --new-password "yourpassword"
  • Disable authentication: ./subtrackr --disable-auth
  • Essential for Docker deployments when SMTP isn't configured

Security Section in Settings

  • Easy toggle to enable/disable authentication
  • Shows current authentication status
  • Warns if SMTP is not configured (required for password recovery)
  • Disable authentication option preserves credentials for re-enabling

🔒 Security Improvements

This release includes fixes for several security vulnerabilities identified during security review:

  • Fixed: Open redirect vulnerability in authentication handlers
  • Fixed: Timing attack in CLI password confirmation (now uses constant-time comparison)
  • Fixed: Timing attack in token validation (constant-time string comparison)
  • Fixed: Username enumeration via timing (always validates both username and password)
  • Fixed: Password validation order in reset handler (prevents information leakage)
  • Improved: Redirect URL validation with length limits (max 2048 characters)
  • Improved: Error handling prevents authentication bypass

All authentication operations now use constant-time comparisons via crypto/subtle to prevent timing-based attacks.

📝 How to Enable Authentication

  1. Configure SMTP first (Settings → Email Configuration)

    • Required for password recovery
    • Cannot enable login without email configured

  2. Enable Login (Settings → Security)

    • Toggle "Require Login"
    • Set username and password (min 8 characters)
    • Click "Enable Authentication"

  3. You'll be redirected to login on next page load

🐳 Docker Best Practices

Version Pinning (Recommended)

Always pin to specific versions instead of using latest: 

# ❌ NOT RECOMMENDED - unpredictable updates
image: bscott/subtrackr:latest

# ✅ RECOMMENDED - controlled, predictable deployments
image: bscott/subtrackr:v0.5.0

Why Pin Versions?

  1. Predictability - Know exactly what version is running
  2. Stability - Avoid unexpected breaking changes
  3. Reproducibility - Same image across all environments
  4. Rollback Safety - Easy to revert to previous version
  5. Testing - Test specific versions before upgrading production

Version Update Strategy

# docker-compose.yml
services:
  subtrackr:
    image: bscott/subtrackr:v0.5.0  # Pin to specific version
    volumes:
      - ./data:/app/db
    ports:
      - "8080:8080"
    restart: unless-stopped

Upgrade process:

  1. Backup your data (via Settings UI)
  2. Update version in docker-compose.yml
  3. Pull new image: docker-compose pull
  4. Recreate container: docker-compose up -d
  5. Verify everything works
  6. Keep backup until confident in new version

Using latest (Not Recommended)

Only use latest if you:

  • Are testing/development (not production)
  • Want automatic updates (understand the risks)
  • Have good backup/restore procedures
  • Monitor for breaking changes in releases

Even then, consider using version tags for better control.

Docker CLI Commands

# Reset Password (when locked out)
docker exec -it subtrackr /app/subtrackr --reset-password

# Disable Authentication
docker exec -it subtrackr /app/subtrackr --disable-auth

🔄 Upgrade Instructions

Standard Installation

# Backup your data first (via Settings UI)
# Then pull the latest version
git pull
go build -o subtrackr ./cmd/server
./subtrackr

Docker (Pinned Version)

# 1. Backup your data first (via Settings UI)

# 2. Update docker-compose.yml to new version
#    image: bscott/subtrackr:v0.5.0

# 3. Pull new image
docker-compose pull

# 4. Recreate container
docker-compose up -d

# 5. Verify logs
docker-compose logs -f subtrackr

⚙️ Technical Details

  • Zero Breaking Changes - Authentication is OFF by default
  • Backward Compatible - Existing installations work without modification
  • Session Secret - Auto-generated 64-byte random key stored in database
  • Password Hashing - bcrypt with DefaultCost (10 rounds)
  • Token Security - Constant-time comparisons prevent timing attacks
  • Public Routes - Login, password reset, and static assets remain accessible

🐛 Bug Fixes

  • Fixed public routes not including forgot password pages
  • Fixed middleware redirect parameter encoding
  • Fixed error handling in authentication username retrieval

📚 Dependencies

  • Added golang.org/x/term for secure CLI password input
  • Added crypto/subtle for constant-time comparisons (standard library)

🔮 What's Next?

Future enhancements being considered:

  • CSRF protection
  • Rate limiting for auth endpoints
  • Account lockout after failed attempts
  • Stronger password requirements

🎁 Happy Holidays!

We hope SubTrackr helps you manage your subscriptions effortlessly as we head into the new year. Try out the festive Christmas theme and enjoy the snowfall while you work! ❄️🎄

Wishing you and your loved ones a wonderful holiday season and a prosperous 2026!

Full Changelog: v0.4.9...v0.5.0

Check out latest releases or
releases around bscott/subtrackr v0.5.0

Don't miss a new subtrackr release

NewReleases is sending notifications on new releases.

Get notifications