header auth

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

no vulnerabilities since 2023-07-23

• there is a discord server with an @everyone in case of future important updates
• v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
• v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)

new features

• initial work on #62 (support identity providers, oauth/SSO/...); see readme
  • only authentication so far; no authorization yet, and users must exist in the copyparty config with bogus passwords
• new option --ipa rejects connections from clients outside of a given allowlist of IP prefixes
• environment variables can be used almost everywhere that takes a filesystem path; should make it way more comfy to write configs for docker / systemd
• #59 added a basic docker-compose yaml and an example config
  • probably much room for improvement on everything docker still

bugfixes

• the nftables-based port-forwarding in the systemd example was buggy; replaced with CAP_NET_BIND_SERVICE
• palemoon-specific js crash if a text selection was dragged
• text selection in messageboxes was jank

other changes

• improved systemd example with hardening and a better example config
• logfiles are flushed for every line written; can be disabled with --no-logflush for ~3% more performance best-case
• iphones probably won't broadcast cover-art to car stereos over bluetooth anymore since the thingamajig in iOS that's in charge of that doesn't have cookie-access, and strapping in the auth is too funky so let's stop doing that b7723ac
  • can be remedied by enabling filekeys and granting unauthenticated people access that way, but that's too much effort for anyone to bother with I'm sure

---

⚠️ not the latest version!