github melosso/portway v1.6.0

5 hours ago

Note

We're happy to announce the latest update of Portway. This release focuses on change control, security hardening, and a major internal overhaul, with no breaking changes to routes, configuration formats, or runtime behavior. Backup your application folder before upgrading as usual.


New features in v1.6.0:

  • Web UI Change Controls: Every configuration change made through the UI is now recorded in an audit trail, and the previous file version is backed up automatically (last 10 per file). Changes can be reviewed and restored from Settings → Security & Change Controls.
  • CSRF Protection: All mutating Web UI API calls are protected by a double-submit CSRF check. The bundled pages handle this transparently.
  • Security Posture Panel: The Settings page now leads with a live security overview: admin key strength, HTTPS, secure cookies, CSRF, CORS and public origin counts, and database maintenance status.
  • Database Self-Tuning (#17): A nightly maintenance service runs SQLite ANALYZE and a conditional VACUUM on the auth, metrics, MCP, and traffic databases, so instances stay fast as they grow. Configurable via the new DatabaseMaintenance section; enabled by default at 03:00.
  • ETag Revalidation: Successful GET /api responses carry a strong ETag; clients sending If-None-Match receive 304 Not Modified when nothing changed. Polling integrations get near-free refreshes.
  • OData $count: $count=true on SQL endpoints adds a totalCount property with the unpaged total matching your filter.
  • Endpoint Config Validation API: POST /ui/api/endpoints/{type}/validate dry-runs an entity.json against the loader's own rules without saving.
  • Composed Web UI Rendering: Admin pages are now served from a shared shell plus per-page view fragments, and the Settings page gained a left sub-navigation with deep-linkable sections.
  • Documentation on Bark: The documentation site moved from VitePress to Bark, with a full editorial pass, refreshed security guidance, and branded theming.

Fixes and improvements in v1.6.0:

  • refactor(core): Decomposed Program.cs from 895 to ~260 lines into focused extension classes (web host, CORS, forwarded headers, metrics, navigation, fallback, startup init).
  • refactor(endpoints): Unified the Proxy, SQL, Static, and File endpoint loaders into a single directory loader with per-type specs; routing keys, namespace handling, and log semantics are unchanged.
  • refactor(types): Replaced the six-element endpoint tuple with the ProxyEndpointInfo record and split ~60 multi-type files into one type per file.
  • security(deps): Resolved two high-severity NU1903 advisories by pinning Microsoft.OpenApi 2.9.0 and SQLitePCLRaw.lib.e_sqlite3 3.50.3. Builds are now warning-free.
  • fix(ui): Endpoint delete dialogs now mention the automatic backup and restore path.
  • fix(docs): Corrected the Web UI session lifetime (12 hours) and the hosting description in Getting Started; documented admin key handling (environment variable or Key Vault, never appsettings.json).
  • tests: Suite grew from 307 to 335 tests, covering CSRF enforcement, audit and restore, page composition, database maintenance, ETag behavior, $count conversion, and config validation.

Migration guide

No breaking changes: routes, configuration formats, and runtime behavior are unchanged. A few things are worth knowing:

  1. A .backups/ directory appears next to your endpoints/ and environments/ folders once configuration changes are made through the UI. It is safe to exclude from version control.
  2. Database maintenance is on by default (nightly at 03:00, local time). Set DatabaseMaintenance:Enabled to false or adjust DatabaseMaintenance:Schedule if your backup window conflicts.
  3. GET /api responses now include an ETag header. Existing clients are unaffected; caching proxies will simply get better.

Check our documentation for guidance. If you encounter issues, open a new Issue.

Full Changelog: v1.5.6...v1.6.0

Don't miss a new portway release

NewReleases is sending notifications on new releases.