github sartoopjj/thefeed v0.0.18

latest releases: v0.30.4-rc0, v0.30.4, v0.30.3...
3 months ago

Release Notes

What's New

Access Control

  • Encryption passphrase (--key): for reading — share with trusted friends
  • Remote management (--allow-manage on server): enables send/channel management — disabled by default
  • If --allow-manage not set on server, send and admin features are completely disabled
  • Client --password now protects ALL web endpoints with global HTTP Basic Auth

Channel Management

  • Add/remove Telegram channels remotely via admin commands through DNS
  • Channel management UI in the web frontend (requires --allow-manage)
  • List/refresh channel configuration from the browser

Send Messages

  • Send messages to Telegram channels and private chats through the DNS tunnel
  • Full-stack implementation: client web UI → DNS query → server → Telegram API
  • GCM-encrypted message data split into DNS labels
  • Telegram RandomID fix — sending to own channels now works correctly

Message Compression

  • Deflate compression reduces the number of DNS queries needed
  • Backward compatible — clients auto-detect compressed vs raw data
  • 1-byte compression header (0x00=raw, 0x01=deflate)

Web UI Password

  • Protect the web UI with --password flag
  • HTTP Basic Auth on all endpoints (constant-time comparison)
  • Empty password = no authentication (default)

Web UI Overhaul

  • Channel type badges (Private / Public)
  • New message indicator badges
  • Next-fetch countdown timer
  • Send message panel (when Telegram is connected)
  • Media type tag highlighting ([IMAGE], [VIDEO], [DOCUMENT])
  • Channels grouped by type in sidebar
  • Telegram connection warning banner
  • Debug mode enabled by default
  • Footer with GitHub link

Android Support

  • android/arm64 build target for Termux
  • UPX compression for smaller binaries

Edit Detection

  • Detects message edits even when message count stays the same
  • CRC32 content hash per channel transmitted in metadata
  • Client skips refresh only when both message ID and content hash match

No-Telegram Mode

  • Server --no-telegram flag for users who can't or don't want to sign in to Telegram
  • Reads public channels without needing Telegram API credentials or phone number
  • Safer: no credentials stored on the server
  • Install script supports no-Telegram setup (recommended by default)

Install Script Improvements

  • Telegram mode selection during install (no-Telegram recommended by default)
  • Update flow: option to switch between Telegram and no-Telegram modes
  • Easy one-liner curl commands for update and uninstall
  • Passphrase sharing warning: anyone with your passphrase can read your messages

Protocol Improvements

  • Variable block sizes (400-700 bytes) for anti-DPI
  • DNS noise queries at random intervals (10-30s)
  • Metadata expansion: NextFetch, TelegramLoggedIn, ChatType, CanSend
  • Block retry on transient DNS failures

Security Hardening

  • HTTP server timeouts (read: 30s, write: 60s, idle: 120s)
  • DNS query name length validation for send messages
  • Generic error responses (no internal error leakage)
  • Constant-time password comparison
  • ⚠️ Never share your passphrase publicly — anyone with it can run their own client and read all your messages. --password only protects the web UI on your machine

Other Improvements

  • Auto-open browser on client start
  • Server next-fetch timer in protocol metadata
  • Skip refresh when no new messages
  • Prevent duplicate channel fetches
  • Handle invalid passphrase errors gracefully
  • Default rate limit: 5 QPS
  • Configurable DNS timeout
  • Persian README (README-FA.md)

Full Changelog: v0.0.17...v0.0.18

Don't miss a new thefeed release

NewReleases is sending notifications on new releases.