github ovumcy/ovumcy-web v1.6.0

5 hours ago

Added

  • Single-binary packaging. HTML templates, locales, and web/static are embedded into the binary via go:embed; the runtime image ships only the binary (FROM scratch) and the app runs from any working directory. Static asset URLs are cache-busted with ?v=<build revision> and served with Cache-Control: public, max-age=3600, so a release invalidates stale JS/CSS without operator action.

Changed

  • HSTS_ENABLED switch. Strict-Transport-Security is now governed by an explicit HSTS_ENABLED environment variable (default inherits COOKIE_SECURE, exact prior behavior). Operators can keep secure cookies without pinning browsers to HTTPS for a year, or opt in explicitly; enabling it logs a startup note about the one-year pin.
  • BBT stored as nullable. daily_logs.bbt drops NOT NULL DEFAULT 0 (migration 024, SQLite and Postgres; existing 0 rows are migrated to NULL). nil now means "not measured", retiring the 0°C sentinel.
  • Breaking (export shape): bbt (basal body temperature) is now omitted from JSON export entries on days without a measurement, instead of always being present as 0. Consumers parsing the export must treat a missing bbt key as "not measured". Restore stays fully backward-compatible — import reads an absent key, an explicit null, and the legacy 0 all as "not measured" (docs/export.md and docs/openapi.yaml updated).

Fixed

  • Light-theme accent contrast raised to WCAG AA. The two colours behind the only axe colour-contrast violation (2.96:1 against the hero gradient) now clear 4.5:1; hue preserved, dark theme untouched.

Removed

  • Breaking: removed the query-string form of the day-delete endpoint (DELETE /api/v1/days?date=YYYY-MM-DD). Use DELETE /api/v1/days/{date} instead (the optional source selector, if used, moves from the date-bearing query string to a plain ?source= query param on the path form). docs/openapi.yaml and the browser UI have been updated accordingly.
  • Redundant daily_logs date index dropped (migration 025, both dialects). Every query path is user-scoped and already served by the (user_id, date) index; the bare-date index only added write amplification.

Security

  • OIDC HTTP redirects are origin-pinned. The HTTP client used for OIDC discovery, the JWKS key fetch, and the authorization-code exchange now refuses to follow any redirect that leaves the configured issuer origin, extending the existing jwks_uri / token_endpoint / end_session_endpoint origin pins to the HTTP requests themselves. A provider that redirects these requests cross-origin now fails closed at sign-in; same-origin redirects (path normalization) keep working.
  • Request bodies are bounded (16 MiB). An explicit BodyLimit sized to the documented JSON-restore maximum; the transport-level 413 now returns the mapped, localized request_too_large envelope instead of fasthttp's bare text.

Internal

  • Lifted the transitive SQLite (modernc.org/sqlite) and fasthttp engines to current upstream.
  • Split base.html into a components library under internal/templates/components/ (byte-identical defines; base.html keeps only the page skeleton).
  • Retired the sentinel→enum error-classification layer across all domains; error mapping now switches directly on service sentinels.

Don't miss a new ovumcy-web release

NewReleases is sending notifications on new releases.