Releases: maxbolgarin/servex
Releases Β· maxbolgarin/servex
Release list
v2.8.2
v2.8.1
2.8.1 (2026-07-06)
π Bug Fixes
- auth: apply documented 2FA EmailFallback default of true (faa8dd1)
- config: fail loudly on dead email/2FA config, apply token duration defaults (94a4a9c)
- security: honor CSRFCookieHttpOnly with secure nil default (be749cc)
- auth: honor NotRegisterRoutes for auth and API key routes (9b250cb)
- static: implement StripPrefix and make static options order-independent (b5d06a3)
- audit: keep IncludeHeaders regardless of audit option order (ca6f1ef)
- config: load env vars into pointer-to-struct config fields (07b0208)
- apikey: merge WithAuthConfig APIKey settings instead of overwriting (3b1d7e8)
βοΈ Continuous Integration
- release: remove Docker Hub login and image metadata (675e093)
v2.8.0
2.8.0 (2026-04-05)
π Features
- context: add custom error handler hook (9a352e4)
- auth: add database-backed API key authentication with scopes (9a69cfa)
- filter: add path-based request blocking and ScannerBlockPreset (faa787d)
- examples: add production usage examples (bdb0054)
- auth: add SQL auth database and update dependencies (fdd45b0)
- testing: add TestServer, TestRequest, and TestResponse helpers (f48463c)
- websocket: add websocket support with coder/websocket integration and upgrade helpers (9a6128e)
- context: add XML, Stream, and Negotiate response helpers (2487781)
- middleware_core: implement http.Hijacker for websocket support in response writers (5930d37)
- presets: make tls certificate optional in production preset for reverse proxy support (36108aa)
π Bug Fixes
- body size off-by-one, rawhttp CRLF, apikey goroutine bound (420a005)
- websocket,metrics,swagger: close race, atomic alignment, XSS escape (733492e)
- server: concurrent HTTP/HTTPS shutdown, remove duplicate WS CloseAll (d2902aa)
- middleware: CSRF HttpOnly default, header removal writer, rate limit wildcards, static cleanup (bf02893)
- middleware: enforce size limit on chunked requests, harden CSRF defaults (6b45fd9)
- static,ws,swagger,cli: ETag, Hijacker, ping wait, env overwrite (bb201f9)
- core: fix context leak in init loop, proxy shutdown, and PathRegex dead code (06acf69)
- config: handle *bool env vars, wire MinPasswordLength, fix handlerSetter (5a9ad71)
- audit: hex-encode event ID and use canonical header keys (25042db)
- auth: hide sensitive User fields from JSON, separate 2FA pending key, explicit reset cooldown (524ee9e)
- context: nil body guard, marshal error response, SetCookie defaults, Redirect safety (3967492)
- context: off-by-one in ReadAndValidateWithLimit, string content-type, nil panic (1606acd)
- auth: password reset cooldown, 2FA timing oracle, OAuth cookie SameSite (ccda875)
- server: race conditions on http/https fields, catch-all route, wsHub access (6cb4964)
- security: remove CSRF query param fallback, fix path traversal and static 404 (6a0eacf)
- core: resolve 4 bugs found in code review (67fc8f1)
- auth: security hardening β crypto backup codes, cookie path, token validation (f752c0d)
- config: shutdown timeout, validation additions, preset hardening, audit nil guard (8679971)
- proxy: trusted-proxy gating for getClientIP, health TLS config, recovery WaitGroup (54b828c)
- security: update header presets to modern best practices (5f17e92)
- proxy: URL mutation race, health check transport leak, shutdown sleep (e7e8d8b)
π Documentation
- skill: add comprehensive servex app development guide with server lifecycle, routing, auth, and security (b5cd5a0)
- websocket: add comprehensive websocket documentation and configuration examples (1894ce6)
- add table of contents, path filtering docs, Caddy migration guide, fix examples (b5a27ad)
π¦ Code Refactoring
- v2: bulk updates β metrics, proxy, router, health probes, trace propagation, examples (f4b2217)
π§ Chores
v2.7.0
v2.6.0
v2.5.0
2.5.0 (2026-03-21)
π Features
- auth: add 2FA with TOTP, backup codes, email fallback, and attempt tracking (6c90211)
- auth: add email verification and password reset with SMTP support (79e7784)
- auth: add EmailConfig, OAuthConfig, TwoFactorConfig with With* options (1816b69)
- auth: add EmailVerified() and TwoFactorEnabled() context helpers (dadba87)
- auth: add Google, GitHub, Apple, Telegram, Yandex OAuth providers (c09d0ed)
- auth: add OAuth flow with state HMAC, auto-link, and link/unlink handlers (8db97b2)
- auth: add TokenPurpose and user flags to JWT claims (cbb6e34)
- auth: add YAML config parsing for email, OAuth, and 2FA (8d3f18f)
- auth: extend User/UserDiff with email, OAuth, and 2FA fields (0215d3e)
- auth: integrate email verification into registration and 2FA check into login (d09c04f)
π Bug Fixes
- auth: address code review findings β security and correctness fixes (a56c8a8)
- auth: address second review β 2FA token in cookie, code expiry, docs (30ba881)
π Documentation
- auth: add design spec for auth expansion (email, OAuth, 2FA) (5b11f34)
- auth: add implementation plan for auth expansion (494dd39)
- auth: address spec review findings (3 iterations) (9b3811f)
- update README and CLAUDE.md with email, OAuth, and 2FA documentation (e90cdbd)
π¨ Tests
- auth: add cross-feature integration tests for email, OAuth, and 2FA (52c0670)
π Build System
- go: update golang.org/x and add missing checksum hashes (f6e355c)
v2.4.0
2.4.0 (2026-03-20)
π Features
- options_core: add ForceSecureCookies option for tls-terminating reverse proxies (67bce3a)
- auth: add minimum password length validation and enforcement (52ca92f)
- proxy: add shutdown callback to RegisterProxyMiddleware for graceful health check goroutine cleanup (d9010f5)
π Bug Fixes
- context_response: prevent nil pointer dereference when logging error response write failures (572f1d9)
- static: remove debug println statement from exclude path check (5ec52ca)
π Documentation
- claude: add authentication system setup guide and configuration reference (508d713)
- claude: add development guide and architecture overview (30e2b95)
π¦ Code Refactoring
- auth: extract secure cookie logic into helper method and optimize jwt claims generation (2280a3b)
- context: simplify random byte generation and fix request body limit check (4386e7b)
π Build System
- go: upgrade maxbolgarin/lang to v1.9.1 and add missing go.mod entries (7aebbc7)
βοΈ Continuous Integration
- add go 1.26 to test matrix and update node.js to version 24 (e2498c5)
v2.3.1
v2.3.0
2.3.0 (2025-11-06)
π Features
- add comprehensive Auth configuration tests (250b606)
- implement servex backlog improvements (be25ea9)
- improve test coverage and fix all TODOs (516038d)
π Bug Fixes
- critical bug fixes and performance improvements (cbc9130)
- implement improvements from ANALYSIS.md (39e9593)
- improve error handling and fix linter errors (c7a4995)
- make TestServerUtilityMethods more robust against timing issues (fe51f37)
- reduce flakiness in random load balancing test (94bcc32)
- remove test that causes data race in CI (b7967d2)
π Documentation
- add comprehensive refactoring plan for large files (3daf0a7)
- fix list (173c214)
- make README better (f1eba33)
π¦ Code Refactoring
- break down context.go into 5 focused modules (43171ab)
- break down middleware.go into 4 focused modules (7ea16a3)
- break down options.go into 13 focused modules (12cf2ec)
π¨ Tests
- improve test coverage from 77.6% to 80.2% (0a52c92)
βοΈ Continuous Integration
- new releaser and code coverage (2527a27)
π§ Chores
v2.2.0
Release new version of Servex
Compared to the first version there have been incredible changes. Versions v2.0 and v2.1 are working and not relevant. This is first stable version of v2. Changelog from v1 may be omitted because it is totally new code.
Servex is the HTTP server package that eliminates boilerplate and lets you focus on what mattersβyour business logic. Whether you're building APIs, web applications, or need a powerful reverse proxy, Servex provides the technical foundation so you don't have to. It's built using Go's net/http and gorilla/mux. This package is designed to easy integrate into existing net/http servers.
Servex gives you production-ready features out of the box:
- π Zero Boilerplate - Configure once, code business logic
- π Security First - JWT auth, rate limiting, security headers included
- π Dual Purpose - Use as a library OR standalone proxy server
- β‘ Native Compatibility - Works seamlessly with existing net/http code
- π― Gorilla/Mux Powered - Flexible routing with middleware support