github ovumcy/ovumcy-web v0.9.4

Ovumcy v0.9.4

Release date: 2026-05-14

Highlights

  • TOTP two-factor authentication for owner accounts.
  • Comprehensive 2026-05 security audit: sealed register pickup cookie, login timing hardening, OIDC step-up re-auth, session rotation on recovery-code regeneration, new security headers, and rate limiting for register and logout endpoints.
  • Docker healthcheck fixed for scratch-based images.

Added

  • TOTP 2FA. Owners can enable time-based one-time passwords (RFC 6238) in Settings → Security. Once enabled, every password login must also present the current 6-digit TOTP code. OIDC sessions that need verification receive a step-up re-authentication challenge instead of a password prompt.
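
As a worked illustration of the mechanism above, together with the replay check listed under Security below, here is an added example in Go. It is not Ovumcy's own implementation: it generates RFC 6238 codes with HMAC-SHA1 over a 30-second step and keeps a per-account high-water mark of the last accepted time step, so a code captured from one login cannot be replayed inside its window. The secret is the RFC 6238 test-vector key rather than a real enrollment secret, and the ±1-step clock-skew tolerance is an assumption of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
	"time"
)

const totpStepSeconds = 30 // RFC 6238 default time step

// totpAt returns the 6-digit RFC 6238 code for one time step (HMAC-SHA1, dynamic truncation).
func totpAt(secret []byte, step uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// stepAt maps wall-clock time to its 30-second step counter.
func stepAt(t time.Time) uint64 { return uint64(t.Unix()) / totpStepSeconds }

// Verifier checks codes for one enrolled account. lastStep is the highest time
// step for which a code has been accepted; anything at or below it is spent.
type Verifier struct {
	mu       sync.Mutex
	secret   []byte
	lastStep uint64
	skew     uint64 // steps of clock drift tolerated on either side (assumed: 1)
}

func NewVerifier(secret []byte) *Verifier { return &Verifier{secret: secret, skew: 1} }

var errBadCode = errors.New("invalid or already-used code")

// Verify accepts code if it matches the current step (±skew) and that step has
// not already been consumed. The code comparison is constant-time; the step
// search never revisits a step at or below lastStep, which is the replay guard.
func (v *Verifier) Verify(code string, now time.Time) error {
	v.mu.Lock()
	defer v.mu.Unlock()
	cur := int64(stepAt(now))
	for d := -int64(v.skew); d <= int64(v.skew); d++ {
		if cur+d < 0 {
			continue
		}
		step := uint64(cur + d)
		if step <= v.lastStep {
			continue // already consumed in this or an earlier window
		}
		if subtle.ConstantTimeCompare([]byte(code), []byte(totpAt(v.secret, step))) == 1 {
			v.lastStep = step
			return nil
		}
	}
	return errBadCode
}

func main() {
	v := NewVerifier([]byte("12345678901234567890")) // RFC 6238 test secret, not a real key
	now := time.Now()
	code := totpAt(v.secret, stepAt(now))
	fmt.Println("first use:", v.Verify(code, now)) // <nil>
	fmt.Println("replay:   ", v.Verify(code, now)) // invalid or already-used code
}
```

The high-water mark must be stored per account alongside the secret (and updated atomically with the login), otherwise a second replica or a restart loses the replay protection.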

Security

  • Sealed register pickup cookie closes the per-request Set-Cookie enumeration oracle on POST /api/auth/register. The endpoint now returns the same status, body, and sealed ovumcy_register_pickup cookie whether the email is new or already registered, so a single response no longer reveals whether an account exists. For a duplicate address, GET /register/welcome issues a decoy pickup and redirects to /login with a neutral flash message. A residual timing oracle across the two steps remains and is documented in SECURITY.md.
  • TOTP replay protection: the last accepted time step is tracked, and a code already consumed within the same 30-second window is rejected.
  • Login timing side channel: bcrypt is now invoked on every login path, including OIDC-only accounts and non-existent users, so response time no longer reveals whether an email exists or whether the account has a password.
  • OIDC step-up re-authentication: an expired OIDC session now triggers a re-authentication challenge instead of being trusted on the strength of the upstream provider's session state alone.
  • Strict-Transport-Security strengthened with includeSubDomains.
  • Permissions-Policy now explicitly denies accelerometer, gyroscope, payment, usb, interest-cohort, and ambient-light-sensor.
  • Cross-Origin-Opener-Policy: same-origin added to prevent cross-window opener attacks.
  • Rate limiting on /api/auth/register (8 requests per 15 minutes by default) closes the register enumeration probe surface. Configurable via RATE_LIMIT_REGISTER_MAX / RATE_LIMIT_REGISTER_WINDOW.
  • Per-account rate limit on /api/auth/logout (60 requests per 15 minutes by default) prevents session-disruption attacks. Configurable via RATE_LIMIT_LOGOUT_MAX / RATE_LIMIT_LOGOUT_WINDOW.
  • Session rotation on recovery-code regeneration: all other active sessions are atomically revoked; the originating request receives a fresh auth cookie so the current device stays signed in.
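
To make the enumeration-resistant registration flow concrete, here is an added example in Go using the standard net/http package. It is not Ovumcy's Fiber code and not the project's implementation: POST /api/auth/register answers identically for new and duplicate emails, and the only difference lives inside an AES-GCM-sealed ovumcy_register_pickup cookie that the client cannot read or forge; GET /register/welcome opens the cookie and sends a decoy (duplicate-email) pickup to /login. The cookie payload layout, the 10-minute pickup lifetime, the in-memory user store and the sealing key are assumptions of this example. Note that the store write happens only on the new-email path; that kind of path-dependent work is why a timing oracle can survive even when the responses are byte-identical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"net/http"
	"sync"
	"time"
)

const pickupCookie = "ovumcy_register_pickup"

// pickup is what the cookie seals. A duplicate email gets Valid=false; from the
// outside the decoy is indistinguishable from a real pickup (random nonce, AEAD).
type pickup struct {
	Email string `json:"e"`
	Valid bool   `json:"v"`
	Exp   int64  `json:"x"` // unix seconds
}

type sealer struct{ aead cipher.AEAD }

// newSealer takes a 16/24/32-byte server-side key (assumed: loaded from config).
func newSealer(key []byte) (*sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &sealer{aead: g}, nil
}

func (s *sealer) seal(p pickup) (string, error) {
	plain, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(s.aead.Seal(nonce, nonce, plain, nil)), nil
}

// open returns ok=false for malformed, tampered or foreign-key cookies.
func (s *sealer) open(v string) (pickup, bool) {
	ct, err := base64.RawURLEncoding.DecodeString(v)
	n := s.aead.NonceSize()
	if err != nil || len(ct) < n {
		return pickup{}, false
	}
	plain, err := s.aead.Open(nil, ct[:n], ct[n:], nil)
	if err != nil {
		return pickup{}, false
	}
	var p pickup
	if json.Unmarshal(plain, &p) != nil {
		return pickup{}, false
	}
	return p, true
}

// registrar wraps a constructed in-memory user store.
type registrar struct {
	s     *sealer
	mu    sync.Mutex
	users map[string]bool
}

// Register: same status, same (empty) body, same cookie name and shape whether
// the email is new or taken. Only the sealed payload differs.
func (r *registrar) Register(w http.ResponseWriter, req *http.Request) {
	email := req.FormValue("email")
	r.mu.Lock()
	taken := r.users[email]
	if !taken {
		r.users[email] = true // the only path-dependent work: the residual timing signal
	}
	r.mu.Unlock()
	c, err := r.s.seal(pickup{Email: email, Valid: !taken, Exp: time.Now().Add(10 * time.Minute).Unix()})
	if err != nil {
		http.Error(w, "internal error", http.StatusInternalServerError)
		return
	}
	http.SetCookie(w, &http.Cookie{Name: pickupCookie, Value: c, Path: "/register",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode, MaxAge: 600})
	w.Header().Set("Location", "/register/welcome")
	w.WriteHeader(http.StatusSeeOther)
}

// Welcome: a decoy, missing, tampered or expired pickup goes to /login with the
// same neutral outcome; only a genuine pickup reaches the welcome page.
func (r *registrar) Welcome(w http.ResponseWriter, req *http.Request) {
	var p pickup
	ok := false
	if c, err := req.Cookie(pickupCookie); err == nil {
		p, ok = r.s.open(c.Value)
	}
	if !ok || !p.Valid || time.Now().Unix() > p.Exp {
		http.Redirect(w, req, "/login", http.StatusSeeOther) // neutral flash would be set here
		return
	}
	w.Write([]byte("welcome " + p.Email))
}
```

Because the pickup is authenticated encryption rather than a signed plaintext, the client sees neither the email nor the Valid flag, and any bit-flip fails the GCM tag and takes the same /login path as a decoy.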

Fixed

  • DailyLog.Date and User.LastPeriodStart are now canonicalized to UTC midnight on write. A one-time migration backfill corrects existing rows with non-canonical timestamps; observable calendar behavior is unchanged.
  • Docker HEALTHCHECK no longer relies on wget/curl, which are absent from the scratch-based runtime image. The binary ships an ovumcy healthcheck subcommand that performs the /healthz probe in-process. The Dockerfile and all bundled compose examples invoke it directly. Without this fix the healthcheck command could not run at all, so Docker reported the container as unhealthy.
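
An illustration of the in-process probe, added here in Go; this is not the project's own healthcheck code. The listening address, port 8080, the 3-second timeout and the /ovumcy binary path in the Dockerfile comment are assumptions. The point is that the binary itself performs the HTTP GET and maps the result to an exit code, so the scratch image needs neither a shell nor wget/curl.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"os"
	"time"
)

// probeHealth performs the /healthz GET in-process and succeeds only on 200.
func probeHealth(ctx context.Context, url string) error {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("healthz returned %s", resp.Status)
	}
	return nil
}

// healthcheckExitCode is what the `healthcheck` subcommand exits with:
// 0 healthy, 1 unhealthy (Docker treats any non-zero status as a failed check).
func healthcheckExitCode(url string, timeout time.Duration) int {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	if err := probeHealth(ctx, url); err != nil {
		fmt.Fprintln(os.Stderr, "healthcheck:", err)
		return 1
	}
	return 0
}

func main() {
	// A scratch image has no /bin/sh, so the Dockerfile must use the exec form
	// (binary path assumed):
	//   HEALTHCHECK --interval=30s --timeout=5s CMD ["/ovumcy", "healthcheck"]
	if len(os.Args) > 1 && os.Args[1] == "healthcheck" {
		os.Exit(healthcheckExitCode("http://127.0.0.1:8080/healthz", 3*time.Second)) // port assumed
	}
	// Normal server start-up; only /healthz is served in this example.
	http.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	})
	fmt.Fprintln(os.Stderr, http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Keep the probe's timeout shorter than the HEALTHCHECK --timeout, otherwise Docker kills the probe before it can report a clean failure.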

Changed

  • Updated github.com/gofiber/fiber/v2 dependency.

Upgrade notes

  • No database schema change is required. The date canonicalization is a write-side fix; the one-time data backfill runs automatically at startup and is idempotent.
  • Four new optional environment variables are available, in two pairs: RATE_LIMIT_REGISTER_MAX (default 8) / RATE_LIMIT_REGISTER_WINDOW (default 15m) and RATE_LIMIT_LOGOUT_MAX (default 60) / RATE_LIMIT_LOGOUT_WINDOW (default 15m). See .env.example for details.
  • Tagged images publish under ghcr.io/ovumcy/ovumcy-web:v0.9.4.
  • Existing deployments can upgrade in place by pulling the new image or by setting OVUMCY_IMAGE=ghcr.io/ovumcy/ovumcy-web:v0.9.4.
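
For the two rate limits and their environment variables, here is an added Go example built on the standard net/http package rather than Ovumcy's Fiber stack; it is not the project's own code. It reads RATE_LIMIT_<NAME>_MAX / RATE_LIMIT_<NAME>_WINDOW with the documented defaults, keeps a fixed-window counter per key, and keys /api/auth/register by client IP and /api/auth/logout by the account the request resolves to. Keying register by IP, the X-Account-ID header standing in for session lookup, the 429 response and the handler names are assumptions of this example.

```go
package main

import (
	"net"
	"net/http"
	"os"
	"strconv"
	"sync"
	"time"
)

// limitConfig reads RATE_LIMIT_<name>_MAX and RATE_LIMIT_<name>_WINDOW (Go duration
// syntax such as "15m"), falling back to the given defaults when unset or invalid.
func limitConfig(name string, defMax int, defWindow time.Duration) (int, time.Duration) {
	limit, window := defMax, defWindow
	if v, err := strconv.Atoi(os.Getenv("RATE_LIMIT_" + name + "_MAX")); err == nil && v > 0 {
		limit = v
	}
	if d, err := time.ParseDuration(os.Getenv("RATE_LIMIT_" + name + "_WINDOW")); err == nil && d > 0 {
		window = d
	}
	return limit, window
}

type bucket struct {
	count int
	reset time.Time
}

// Limiter is a fixed-window counter keyed by an arbitrary string (client IP, account ID).
type Limiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	hits   map[string]*bucket
}

func NewLimiter(limit int, window time.Duration) *Limiter {
	return &Limiter{limit: limit, window: window, hits: map[string]*bucket{}}
}

// Allow records one hit for key at time now and reports whether it is within budget.
// A bucket whose window has elapsed is replaced rather than decremented.
func (l *Limiter) Allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	b, ok := l.hits[key]
	if !ok || !now.Before(b.reset) {
		b = &bucket{reset: now.Add(l.window)}
		l.hits[key] = b
	}
	b.count++
	return b.count <= l.limit
}

// Middleware derives the bucket key with keyFn and answers 429 once the budget is spent.
func (l *Limiter) Middleware(keyFn func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !l.Allow(keyFn(r), time.Now()) {
			http.Error(w, "too many requests", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// clientIP keys anonymous endpoints by source address (behind a reverse proxy you
// would take the trusted forwarded address instead; out of scope here).
func clientIP(r *http.Request) string {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

// accountKey keys authenticated endpoints per account so one user's logout storm
// cannot exhaust another's budget. X-Account-ID is a hypothetical stand-in for the
// session lookup; unauthenticated callers fall back to their IP.
func accountKey(r *http.Request) string {
	if id := r.Header.Get("X-Account-ID"); id != "" {
		return "acct:" + id
	}
	return "ip:" + clientIP(r)
}

// newMux wires both limits with the documented defaults (8/15m register, 60/15m logout).
func newMux() *http.ServeMux {
	regMax, regWin := limitConfig("REGISTER", 8, 15*time.Minute)
	outMax, outWin := limitConfig("LOGOUT", 60, 15*time.Minute)
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	mux := http.NewServeMux()
	mux.Handle("/api/auth/register", NewLimiter(regMax, regWin).Middleware(clientIP, ok))
	mux.Handle("/api/auth/logout", NewLimiter(outMax, outWin).Middleware(accountKey, ok))
	return mux
}

func main() {
	panic(http.ListenAndServe("127.0.0.1:8080", newMux())) // address assumed
}
```

The in-memory map is never pruned and is per process; a deployment with several replicas needs either a shared store for the counters or sticky routing, and expired buckets should be swept periodically.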
