Releases: Forceu/Gokapi
v2.1.0
Changelog
- Added a CLI tool that supports e2e encrypted uploads and folder uploads, see documentation for installation and usage #280
- Upgraded to Go 1.25 which might result in better performance on some systems
- Added docker-compose file
- Fixed crash after uploading an e2e encrypted file, forcing the user to refresh the webpage before uploading a new file #283
- Fixed a bug where files with non-latin characters were not downloadable from AWS #302
- Fixed a bug where e2e encrypted files with non-latin characters had a corrupted filename after downloading #300
- Fixed bug where file was deleted after uploading through API if not supplying
allowedDownloadsorexpiryDaysinChunkComplete#282 - Fixed error message when username was less than 4 characters long #268
- Fixed incorrect mouse pointer on share menu #275
- Parallel uploads are now disabled, due to browser limit of 6 connections with HTTP1.1
Full Changelog: v2.0.1...v2.1.0
v2.0.1
Changelog
- Fixed uploads failing for files with non-ASCII filenames #269
- Fixed API documentation for API call
/chunk/complete - Fixed rare edge case, where a file with a cancelled deletion was still deleted
- Filenames can now be base64-encoded in API call
/chunk/complete - Added docker-compose file @SemvdH
Upgrading
If you are upgrading from an older version than v2.0.0, please make sure to read the v.2.0.0 upgrade notes first.
Full Changelog: v2.0.0...v2.0.1
Contributors
Assets 11
v2.0.0
This release adds user management and granular permission control. Some breaking changes are introduced, please make sure to read the section Upgrading.
Security
This releases fixes two XSS vulnerabilities (CVE-2025-48494 and CVE-2025-48495). The vulnerabilities let authorised users execute Javascript with passive interaction - if you are using Gokapi as a single user, this does not impact you, otherwise we recommend updating your instance to v2.0.0.
Changelog
- Added support for multiple different users with granular permissions
- Added API endpoints to manage users
- Added API endpoint to delete logs, added more logging, added filtering and deletion of logs in UI
- Added feature to restore a deleted file from the UI (has to be restored within 5 seconds)
- Added API endpoint for restoring a file with a pending delete
- Added experimental hotlinking for videos with env var
GOKAPI_ENABLE_HOTLINK_VIDEOS - Added a share button for mobile users and a button to share a URL via email
- Improved the UI
- Changed
GOKAPI_LENGTH_IDto be non-permanent, addedGOKAPI_LENGTH_HOTLINK_IDto change hotlink ID length #251 - Changed hotlink URLs to be shorter (#253) @lenisko
- Changed headers for cache control to stop unwanted caching with cloudflare #209
- Fixed email scope not being submitted #234, fix always being redirected after successful OIDC login
- Fixed DuplicateFile setting hotlink on wrong file object (#246)
- Fixed bug where picture files where not uploaded at all when encryption and cloud storage was active as well as
SaveToLocal#247 - Many other fixes and minor improvements @nilicule
Upgrading
Upgrade path: Requires v1.9.6 as base, config.json must be writable
Upgrading when using OAuth2/OIDC authentication:
- A valid email must now be set for all users in the authentication backend
- Authentication is now only done by email and can be restricted by user groups
- Set the env variable
GOKAPI_ADMIN_USERcontaining the email address of the super admin when upgrading
Upgrading when using Header authentication
- If restricting the users by username, make sure that you remove any wildcards (*) for usernames in the setup before upgrading.
- Set the env variable
GOKAPI_ADMIN_USERcontaining the email address of the super admin when upgrading
Upgrading when using no authentication
- If you are restricting access with a proxy, make sure that you block the following urls:
- /admin
- /apiKeys
- /changePassword
- /e2eInfo
- /e2eSetup
- /logs
- /uploadChunk
- /uploadStatus
- /users
Upgrading when using custom templates or static content
The previous way of replacing content has been removed and is now replaced with additive CSS and JS. If you want to change the layout (e.g. add your company logo or add/disable certain features), follow these steps:
- Create a new folder named custom where your executable is. When using Docker, mount a new folder to /
app/custom/. Any file in this directory will be publicly available in the sub-URL/custom/. - To have custom CSS included, create a file in the folder named
custom.css. The CSS will be applied to all pages. - To have custom JavaScript included, create the file
public.jsfor all public pages and/oradmin.jsfor all admin-related pages. Please note that theadmin.jswill be readable to all users. - In order to prevent caching issues, you can version your files by creating the file
version.txtwith a version number. - Restart the server. If the folders exist, the server will now add the local files.
Optional: If you require further changes or want to embedded the changes permanently, you can clone the source code and then modify the templates in internal/webserver/web/templates. Afterwards run make to build a new binary with these changes.
Breaking Changes
Since v1.9 there have been a lot of changes to the API, please take note if you are using the API:
- A valid API key is now always required, API authentication by session is not possible anymore
/chunk/completeand/files/duplicatenow expect the parameters as header, instead of encoded url form- Parameter
apiKeyToModifyhas been renamed totargetKeyfor/auth/modify,/auth/deleteand/auth/friendlyname - If a user, api key or file is not found, but a plausible ID was submitted, error 404 instead of 400 is returned now
- Before v2.0, if a boolean parameter was required, it was always false if anything else then "true" was sent, now it raises an error if any other value than 1, t, true, 0, f, or false is supplied
- Some API calls might be restricted by user permissions now, consult the API documentation for more information
- API keys now have a public ID as well, which can also be used for
/auth/modify,/auth/deleteand/auth/friendlynameastargetKeyinstead of the private ID - When uploading a file through the API, defaults of 14 days, max 1 download and no password will be used, unless the respective parameters were passed. In v1.9, the previous values were used.
💙 A huge thank you to all our users, bug reporters, and contributors who made this release possible!
Full Changelog: v1.9.6...v2.0.0
Contributors
Assets 11
v2.0.0-beta2: Custom CSS/JS
To install this beta with docker, please use the gokapi:latest-dev tag.
Upgrading
This beta removes the feature from v1.x to use a template or static folder to replace the content of the webserver. This is now replaced with a feature to add custom CSS or JavaScript, which does not replace any code and should not break as easily on updates.
In addition to that, a better logging system has been introduced and some bugs from previous versions were fixed.
Changelog
- Added API endpoint to delete logs, added more logging, added filtering and deletion of logs in UI
- Fix email scope not being submitted #234, fix always being redirected after successful OIDC login
- Fixed sqlite bug for e2e reset
- Fix DuplicateFile setting hotlink on wrong file object (#246)
- Fixed bug that prevented setting
Manage_Users APIpermission on new API key - Enable experimental hotlinking for videos with env var
GOKAPI_ENABLE_HOTLINK_VIDEOS - Fix bug where picture files where not uploaded at all when encryption and cloud storage was active as well as
SaveToLocal#247 - Fix that an empty line was inserted before
<!doctype html> - Make
GOKAPI_LENGTH_IDnon-permanent, addGOKAPI_LENGTH_HOTLINK_IDto change hotlink ID length #251 - Hotlink URL are now shorter (#253) @lenisko
- Allow file deletion without refreshing the page (#255)
- Other minor fixes and improvements @nilicule
Breaking changes
Upgrading when using custom templates or static content
If you want to change the layout (e.g. add your company logo or add/disable certain features), follow these steps:
- Create a new folder named custom where your executable is. When using Docker, mount a new folder to /
app/custom/. Any file in this directory will be publicly available in the sub-URL/custom/. - To have custom CSS included, create a file in the folder named
custom.css. The CSS will be applied to all pages. - To have custom JavaScript included, create the file
public.jsfor all public pages and/oradmin.jsfor all admin-related pages. Please note that theadmin.jswill be readable to all users. - In order to prevent caching issues, you can version your files by creating the file
version.txtwith a version number. - Restart the server. If the folders exist, the server will now add the local files.
Optional: If you require further changes or want to embedded the changes permanently, you can clone the source code and then modify the templates in internal/webserver/web/templates. Afterwards run make to build a new binary with these changes.
Contributors
Assets 11
v2.0.0-beta1: Multi-User Support
We are happy to announce that we have implemented multi-user support (along with some other features) and need your help to test it for bugs before release!
To install this beta with docker, please use the gokapi:latest-dev tag.
Upgrading
Upgrading when using OAuth2/OIDC authentication:
- A valid email must now be set for all users in the authentication backend
- Authentication is now only done by email and can be restricted by user groups
- Make sure that the env variable
GOKAPI_ADMIN_USERis set when upgrading and contains the email of the super admin
Upgrading when using Header authentication:
- If restricting the users by username, make sure that you remove any wildcards (*) for usernames in the setup before upgrading.
- Make sure that the env variable
GOKAPI_ADMIN_USERis set when upgrading and contains the username of the super admin (must be the same as passed in the header)
Upgrading when using no authentication:
- If you are restricting access with a proxy, make sure that you block the following urls:
- /admin
- /apiKeys
- /changePassword
- /e2eInfo
- /e2eSetup
- /logs
- /uploadChunk
- /uploadStatus
- /users
Breaking changes
Since v1.9 there have been a lot of changes to the API, please take note if you are using the API:
- A valid API key is now always required, API authentication by session is not possible anymore
/chunk/completeand/files/duplicatenow expect the parameters as header, instead of encoded url form- Parameter
apiKeyToModifyhas been renamed totargetKeyfor/auth/modify,/auth/deleteand/auth/friendlyname - If a user, api key or file is not found, but a plausible ID was submitted, error 404 instead of 400 is returned now
- Before v2.0, if a boolean parameter was required, it was always false if anything else then "true" was sent, now it raises an error if any other value than 1, t, true, 0, f, or false is supplied
- Some API calls might be restricted by user permissions now, consult the API documentation for more information
- API keys now have a public ID as well, which can also be used for
/auth/modify,/auth/deleteand/auth/friendlynameastargetKeyinstead of the private ID - When uploading a file through the API, defaults of 14 days, max 1 download and no password will be used, unless the respective parameters were passed. In v1.9, the previous values were used.
v1.9.6
Changelog
- Add API call and GUI option to replace content of files (can be disabled with the env variable
GOKAPI_DISABLE_REPLACE) #128 - Display error if encrypted download fails due to invalid SSL or CORS
- Better error handling for AWS setup check
- Fixed upload defaults being deleted when resetting e2e key
- Update download count in real time #206
- Fixed race condition that could lead to crash
- Change download count atomically to prevent race condition
- Renamed "Access Restriction" to indicate that authentication is disababled
- Make upload non blocking (#224), to prevent timouts after uploading large files
- Added API call
/files/list/{id} - Better handling for E2E errors
- Other minor changes
Breaking Changes
- API: API now returns 404 on invalid file IDs
Full Changelog: v1.9.5...v1.9.6
v1.9.5
v1.9.3
Changelog
- Fixed editing of API permissions or existing files not working, when using external authentication #210
- Fixed not showing an error message if file is larger than allowed file size #213
- Upload defaults are now saved locally instead of server-side #196
- Internal API key is now used for all API actions on the GUI
- Added API endpoint
/auth/deleteto delete API key - Added parameter in
/auth/createto include basic permissions - Added warning in docker container, if data or config volume are not mounted
- Minor changes
Breaking Changes
- API: Session authentication has been removed, an API key is now required
- API: When not adding a parameter for maximum downloads or expiry, the default values of 1 download or 14 days are used instead of previous used values for calls
/files/addand/chunk/complete
Full Changelog: v1.9.2...v1.9.3
v1.9.2
Changelog
- Added preview meta-data, enabling preview for services like WhatsApp
- Added hotlink support for avif and apng format
- Fixed headers not set when proxying S3 storage, resulting in incorrect filename and not forcing download #199
Upgrading
- If running an older version than 1.9.2 please check the 1.9.1 changelog for upgrading and breaking changes
Full Changelog: v1.9.1...v1.9.2
v1.9.1
Changelog
- Fixed processing/uploading status not showing after upload #193
- Fixed crash when OIDC returns nil for groups #198
- Fixed crash after running setup and changing encryption #197
- Changed versioning of css/js files to prevent caching of old versions #195
- Other minor changes
Breaking changes
If you are using a custom theme, make sure that you change the CSS and JS filenames. Instead of e.g. main.min.css, the files are versioned now to include the version number in the filename, in this example the filename would be main.min.5.css
Upgrading
- If running an older version than 1.9.0, please check the 1.9.0 changelog for upgrading and breaking changes
Full Changelog: v1.9.0...v1.9.1