From 0ecd53979eece612294af75400349581a8c33d7b Mon Sep 17 00:00:00 2001 From: Allisson Azevedo Date: Fri, 6 Mar 2026 07:52:16 -0300 Subject: [PATCH] docs(release): Prepare documentation for v0.27.0 Update changelog, version variable, and reference documentation to reflect all changes since v0.26.0, including secret size limits, HTTP body size limits, and token revocation features. --- CHANGELOG.md | 9 +++++++++ cmd/app/main.go | 2 +- docs/auth/authentication.md | 22 ++++++++++++++++++++++ docs/configuration.md | 6 ++++++ 4 files changed, 38 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0dceb9a..f264bd1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [0.27.0] - 2026-03-06 + +### Added +- Added global `SECRET_VALUE_SIZE_LIMIT_BYTES` (default 512KB) to prevent DoS attacks via excessively large secret payloads. +- Added global HTTP request payload size limit middleware (`MAX_REQUEST_BODY_SIZE`, default 1MB). +- Added Auth Token Revocation endpoints (`DELETE /v1/token`, `DELETE /v1/clients/:id/tokens`), state tracking in the database, and `purge-auth-tokens` CLI command. +- Added optional AEAD `context` parameter for Transit key encryption and decryption to cryptographically bind ciphertext to additional context data. + ## [0.26.0] - 2026-03-04 ### Added @@ -433,6 +441,7 @@ If you are using `sslmode=disable` (PostgreSQL) or `tls=false` (MySQL) in produc - Security model documentation - Architecture documentation +[0.27.0]: https://github.com/allisson/secrets/compare/v0.26.0...v0.27.0 [0.26.0]: https://github.com/allisson/secrets/compare/v0.25.0...v0.26.0 [0.25.0]: https://github.com/allisson/secrets/compare/v0.24.0...v0.25.0 [0.24.0]: https://github.com/allisson/secrets/compare/v0.23.0...v0.24.0 diff --git a/cmd/app/main.go b/cmd/app/main.go index 75686c7..8465db1 100644 --- a/cmd/app/main.go +++ b/cmd/app/main.go @@ -12,7 +12,7 @@ import ( // Build-time version information (injected via ldflags during build). var ( - version = "v0.26.0" // Semantic version with "v" prefix (e.g., "v0.12.0") + version = "v0.27.0" // Semantic version with "v" prefix (e.g., "v0.12.0") buildDate = "unknown" // ISO 8601 build timestamp commitSHA = "unknown" // Git commit SHA ) diff --git a/docs/auth/authentication.md b/docs/auth/authentication.md index aae8278..ce2f286 100644 --- a/docs/auth/authentication.md +++ b/docs/auth/authentication.md @@ -100,6 +100,28 @@ Rate limiting note: - `POST /v1/token` is rate-limited per client IP when `RATE_LIMIT_TOKEN_ENABLED=true` - Protected endpoints called with issued tokens are rate-limited per authenticated client +## Token Revocation + +Tokens can be revoked before they naturally expire. Revoked tokens are immediately rejected by the authentication middleware. + +**Revoke Current Token:** + +```bash +curl -X DELETE http://localhost:8080/v1/token \ + -H "Authorization: Bearer " +``` + +**Revoke All Tokens for a Client:** + +Requires `delete` capability on `/v1/clients/:id/tokens`. + +```bash +curl -X DELETE http://localhost:8080/v1/clients//tokens \ + -H "Authorization: Bearer " +``` + +*Note: Expired and revoked tokens can be permanently deleted from the database using the `purge-auth-tokens` CLI command.* + ## Account Lockout `POST /v1/token` enforces account lockout to prevent brute-force attacks. diff --git a/docs/configuration.md b/docs/configuration.md index 556690a..451b3d6 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -151,6 +151,12 @@ This timeout controls how long idle connections are kept open between requests. | High-security/low-trust | 5 | 5 | 30 | Aggressive timeouts reduce attack surface | | Large payload operations | 60 | 60 | 120 | Accommodate large secret transfers | +### MAX_REQUEST_BODY_SIZE + +Maximum size of incoming HTTP request bodies in bytes (default: `1048576` - 1 MB). + +This limit protects the server from Denial-of-Service (DoS) attacks via excessively large payloads. Requests exceeding this limit receive a `413 Payload Too Large` error. + ### LOG_LEVEL Logging level. Supported values: `debug`, `info`, `warn`, `error`, `fatal`, `panic` (default: `info`).