
Version 0.9.x

Overview

Version 0.9.x is a major release that introduces a comprehensive User Access Control & Security System. This release transforms duplistatus from an open-access application into a secure, multi-user system with role-based access control, comprehensive audit logging, and enterprise-grade security features. All existing functionality is now protected behind authentication, ensuring that only authorised users can access and manage backup monitoring.

Breaking Changes

Authentication Required

  • All pages now require authentication - Users must log in to access the application
  • Default admin account is created automatically:
    • Username: admin
    • Password: Duplistatus09 (must be changed on first login)
  • Existing sessions are invalidated - All users must log in after upgrade
  • API endpoints now require authentication - External integrations must include session cookies or use authenticated requests
Warning: All users must log in after upgrading to version 0.9.x. The default admin credentials are admin/Duplistatus09. Change the password immediately after first login.

Database Schema Migration

  • Automatic migration from v3.1 to v4.0 for existing installations
  • New tables added: users, sessions, audit_log
  • Database backup created automatically before migration
  • New installations start directly with schema v4.0 (no migration needed)

New Features

User Access Control & Security System

Authentication System

  • User login/logout functionality with secure session management
  • Password-based authentication with bcrypt hashing (cost factor 12)
  • Account lockout mechanism (5 failed attempts, 15-minute lockout)
  • Forced password change on first login
  • Password policy enforcement:
    • Minimum 8 characters
    • At least one uppercase letter
    • At least one lowercase letter
    • At least one number
    • Special characters optional
  • "Remember me" functionality with username persistence in localStorage
  • Session-based authentication with database-backed sessions (replaces in-memory)
  • CSRF protection integrated with authentication
  • HTTP-only cookies for session security
  • IP address and user agent tracking for security monitoring
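The password policy and the account lockout rule above can be expressed compactly in code. The following TypeScript is an added example written for these notes, not duplistatus source: it implements the policy exactly as listed (minimum 8 characters, one uppercase, one lowercase, one digit, special characters optional) and a lockout tracker that refuses further attempts for 15 minutes once 5 consecutive failures have occurred. The function and class names, the in-memory state map, the injected `verify` callback (standing in for the bcrypt comparison against the stored hash) and the injected clock are assumptions made so the example runs offline.

```typescript
// Added example, not duplistatus code. Names, the in-memory store and the
// injected verify/clock functions are assumptions for illustration.

interface PolicyResult {
  ok: boolean;
  failures: string[]; // rules that did not pass, for the validation checklist
}

// Policy from the release notes. Special characters are optional, so they
// are never required here.
function checkPasswordPolicy(password: string): PolicyResult {
  const failures: string[] = [];
  if (password.length < 8) failures.push("minimum 8 characters");
  if (!/[A-Z]/.test(password)) failures.push("at least one uppercase letter");
  if (!/[a-z]/.test(password)) failures.push("at least one lowercase letter");
  if (!/[0-9]/.test(password)) failures.push("at least one number");
  return { ok: failures.length === 0, failures };
}

const MAX_FAILED_ATTEMPTS = 5;
const LOCKOUT_MS = 15 * 60 * 1000;

interface LockoutState {
  failedAttempts: number;
  lockedUntil: number | null; // epoch ms; null while not locked
}

type LoginOutcome = "success" | "invalid_credentials" | "locked";

class LockoutTracker {
  private readonly states = new Map<string, LockoutState>();
  private readonly verify: (user: string, password: string) => boolean;
  private readonly now: () => number;

  // `verify` stands in for the bcrypt comparison against the stored hash;
  // `now` is injectable so the lockout expiry can be tested without waiting.
  constructor(
    verify: (user: string, password: string) => boolean,
    now: () => number = () => Date.now(),
  ) {
    this.verify = verify;
    this.now = now;
  }

  isLocked(user: string): boolean {
    const s = this.states.get(user);
    return s !== undefined && s.lockedUntil !== null && s.lockedUntil > this.now();
  }

  // The lock is checked before the password, so a correct password submitted
  // during the lockout window is still refused and does not reset anything.
  attempt(user: string, password: string): LoginOutcome {
    const state = this.states.get(user) ?? { failedAttempts: 0, lockedUntil: null };
    if (state.lockedUntil !== null) {
      if (state.lockedUntil > this.now()) return "locked";
      // Lockout window has passed: start counting again from zero.
      state.failedAttempts = 0;
      state.lockedUntil = null;
    }
    if (this.verify(user, password)) {
      this.states.delete(user); // a successful login clears the failure count
      return "success";
    }
    state.failedAttempts += 1;
    if (state.failedAttempts >= MAX_FAILED_ATTEMPTS) {
      state.lockedUntil = this.now() + LOCKOUT_MS;
    }
    this.states.set(user, state);
    return state.lockedUntil !== null ? "locked" : "invalid_credentials";
  }
}
```

Two details worth keeping when adapting this: the lock must be evaluated before the password is verified, and the failure counter must live in shared storage (the release notes moved sessions to the database for the same reason) so that a restart or a second instance does not reset it.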

User Management (Admin Only)

  • User creation with automatic temporary password generation
  • User list with search, pagination, and filtering
  • User editing (username, admin status, password change requirement)
  • Password reset functionality with temporary password display
  • User deletion with safeguards (prevents deletion of last admin)
  • Role-based access control (Admin/User roles)
  • Status indicators (Active, Locked, Must Change Password)
  • Last login tracking and display

Audit Logging System

  • Comprehensive audit trail for all system changes and user actions
  • Audit log viewer with advanced filtering:
    • Date range filtering
    • User filtering
    • Action filtering
    • Category filtering
    • Status filtering
  • Export functionality (CSV and JSON formats)
  • Audit log statistics and analytics
  • Configurable retention period (30-365 days, default: 90 days)
  • Automatic cleanup cron job (runs daily at 2 AM UTC)
  • Manual cleanup API with dry-run support
  • Audit logging for:
    • Authentication events (login, logout, password changes, account lockouts)
    • User management operations (create, update, delete, password resets)
    • Configuration changes (email, NTFY, templates, overdue tolerance, backup settings)
    • Backup operations (collection, deletion, cleanup)
    • Server management (add, update, delete)
    • System operations (migrations, cleanup, notifications)
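The retention rules above (30 to 365 days, default 90, a daily cleanup and a manual cleanup with dry-run) are easy to get subtly wrong, for example by silently clamping an invalid setting or by deleting rows whose timestamp cannot be parsed. The following TypeScript is an added example for these notes, not duplistatus source. It validates the retention value, computes the cutoff from an injectable clock, and performs the cleanup in either dry-run or real mode over an in-memory array; the `AuditEntry` shape, the function names and the sample entries are constructed assumptions.

```typescript
// Added example, not duplistatus code. Entry shape, names and sample data
// are assumptions for illustration.

interface AuditEntry {
  id: number;
  timestamp: string; // ISO 8601 (assumed storage format)
  action: string;
}

const MIN_RETENTION_DAYS = 30;
const MAX_RETENTION_DAYS = 365;
const DEFAULT_RETENTION_DAYS = 90;
const DAY_MS = 86_400_000;

// Reject an out-of-range value instead of clamping it: an operator who types
// 7 or 1000 should learn that the setting was not applied.
function parseRetentionDays(input: unknown): number {
  if (input === undefined || input === null || input === "") return DEFAULT_RETENTION_DAYS;
  const n = typeof input === "number" ? input : Number(input);
  if (!Number.isInteger(n) || n < MIN_RETENTION_DAYS || n > MAX_RETENTION_DAYS) {
    throw new RangeError(
      `retention must be an integer between ${MIN_RETENTION_DAYS} and ${MAX_RETENTION_DAYS} days`,
    );
  }
  return n;
}

interface CleanupResult {
  dryRun: boolean;
  cutoff: string;        // entries older than this were (or would be) removed
  deletedIds: number[];
  remaining: AuditEntry[];
}

// An entry whose timestamp cannot be parsed is never treated as expired:
// deleting evidence you cannot date is the wrong default for an audit log.
function isExpired(entry: AuditEntry, cutoffMs: number): boolean {
  const ts = Date.parse(entry.timestamp);
  return Number.isFinite(ts) && ts < cutoffMs;
}

function cleanupAuditLog(
  entries: AuditEntry[],
  retentionDays: number,
  opts: { dryRun?: boolean; now?: Date } = {},
): CleanupResult {
  const now = opts.now ?? new Date();
  const cutoffMs = now.getTime() - retentionDays * DAY_MS;
  const expired = entries.filter((e) => isExpired(e, cutoffMs));
  // In dry-run mode report what would go but leave the data untouched.
  const remaining = opts.dryRun ? entries.slice() : entries.filter((e) => !isExpired(e, cutoffMs));
  return {
    dryRun: opts.dryRun === true,
    cutoff: new Date(cutoffMs).toISOString(),
    deletedIds: expired.map((e) => e.id),
    remaining,
  };
}

// Constructed sample entries, not real log data.
const SAMPLE_ENTRIES: AuditEntry[] = [
  { id: 1, timestamp: "2025-01-01T09:00:00Z", action: "auth.login" },
  { id: 2, timestamp: "2025-03-15T09:00:00Z", action: "user.create" },
  { id: 3, timestamp: "2025-05-30T09:00:00Z", action: "auth.password_change" },
  { id: 4, timestamp: "not-a-date", action: "server.update" },
];

// What the daily job would do at 02:00 UTC on 2025-06-01 with the default setting.
const preview = cleanupAuditLog(SAMPLE_ENTRIES, parseRetentionDays(undefined), {
  dryRun: true,
  now: new Date("2025-06-01T02:00:00Z"),
});
console.log(`cutoff ${preview.cutoff}; would delete ids ${preview.deletedIds.join(",")}`);
```

Run the dry-run first from the manual cleanup API whenever the retention setting is lowered; the list of ids it returns is what the next 2 AM job will remove.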

Settings Page Redesign

  • Modern sidebar navigation with collapsible sidebar
  • User-specific sidebar state persistence (collapsed/expanded preference saved per user)
  • Grouped settings sections:
    • Notifications: Backup Notifications, Overdue Monitoring, Templates
    • Integrations: NTFY, Email
    • System: Servers, Users (admin only), Audit Log
  • Sticky sidebar that remains visible while scrolling
  • Responsive design with optimised spacing
  • Settings icon and "System Settings" title in sidebar header
  • Back button integrated into app header

User Interface Enhancements

  • Standalone login page with modern design
  • "Remember me" checkbox on login form for username persistence
  • Show/hide password buttons on login and password change forms
  • Change password modal with real-time validation checklist
  • User indicator and logout button in app header
  • Role-based UI visibility (admin-only features hidden from regular users)
  • Status badges and indicators throughout the UI
  • User-specific preferences stored in localStorage (e.g., sidebar collapsed state)

Security Features

  • Password hashing with bcrypt (industry-standard)
  • Sensitive data sanitization in audit logs (passwords, tokens, secrets never logged)
  • Rate limiting for login attempts
  • Session expiration (24 hours)
  • CSRF token validation for all state-changing operations
  • Admin recovery CLI tool for password reset if locked out
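The sanitization rule above (passwords, tokens and secrets never reach the audit log) is best enforced in one place that every audit write passes through, rather than at each call site. The following TypeScript is an added example for these notes, not duplistatus source: it redacts by key name, recursively, without mutating the caller's object, and wraps that in a small record builder that carries the fields the audit log viewer filters on (user, action, category, status) plus the IP address and user agent. The key pattern, type names and function names are assumptions.

```typescript
// Added example, not duplistatus code. The key pattern and names are
// assumptions for illustration.

type Json = string | number | boolean | null | Json[] | { [k: string]: Json };

// Keys whose values must never be written to the audit log.
const SENSITIVE_KEY = /(password|passwd|pwd|token|secret|api[_-]?key|authorization|cookie)/i;
const REDACTED = "[REDACTED]";

// Returns a redacted copy; the input is left untouched so the caller can
// still use the real values after logging.
function sanitizeForAudit(value: Json, depth = 0): Json {
  if (depth > 32) return REDACTED; // guard against pathological nesting
  if (Array.isArray(value)) return value.map((v) => sanitizeForAudit(v, depth + 1));
  if (value !== null && typeof value === "object") {
    const out: { [k: string]: Json } = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEY.test(k) ? REDACTED : sanitizeForAudit(v, depth + 1);
    }
    return out;
  }
  return value; // primitives pass through
}

interface AuditRecord {
  timestamp: string;
  user: string;
  action: string;
  category: string;
  status: "success" | "failure";
  ip?: string;
  userAgent?: string;
  details: Json;
}

// Every audit write goes through here, so sanitization cannot be skipped.
function buildAuditRecord(
  input: Omit<AuditRecord, "timestamp" | "details"> & { details?: Json },
  now: Date = new Date(),
): AuditRecord {
  return {
    ...input,
    timestamp: now.toISOString(),
    details: sanitizeForAudit(input.details ?? null),
  };
}

// Constructed sample: a user-creation event whose details include the
// generated temporary password, which must not be logged.
const sample = buildAuditRecord({
  user: "admin",
  action: "user.create",
  category: "user_management",
  status: "success",
  ip: "192.0.2.10",
  userAgent: "Mozilla/5.0 (example)",
  details: { username: "bob", temporaryPassword: "T3mp-example!", isAdmin: false },
});
console.log(JSON.stringify(sample));
```

Redacting by key name is deliberately conservative: it will occasionally blank a harmless field such as a "tokenCount", which is a far cheaper mistake than writing a real credential into a log that is exported as CSV and retained for up to a year.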

Developer Tools

  • Admin recovery CLI script (admin-recovery) for easy execution in Docker containers
  • Works both locally and in Docker with automatic path detection
  • Comprehensive TypeScript interfaces (no any types)
  • Authentication middleware for route protection
  • Audit logger utility class with convenience methods

🚀 Migration Notes

From Version 0.8.x

This release introduces authentication and requires all users to log in. When upgrading from version 0.8.x:

  1. Automatic Database Migration: The application will automatically migrate your database schema from v3.1 to v4.0
  2. Database Backup: An automatic backup is created before migration
  3. Default Admin Account: A default admin account is created:
    • Username: admin
    • Password: Duplistatus09
    • You must change this password on first login
  4. Session Invalidation: All existing sessions are invalidated
  5. User Login Required: All users must log in after upgrade
  6. API Authentication: External integrations must be updated to include authentication

Security Considerations

  • Change Default Password: Change the default admin password immediately after first login
  • Create User Accounts: Create individual user accounts for each person who needs access
  • Review Audit Logs: Check audit logs regularly for security monitoring
  • Configure Retention: Set appropriate audit log retention period based on your compliance requirements
  • Backup Master Key: If upgrading from 0.8.x, ensure the .duplistatus.key file is backed up

First Login Steps

  1. Log in with default credentials (admin / Duplistatus09)
  2. Change password when prompted (forced on first login)
  3. Create user accounts for other users (Settings → Users)
  4. Configure audit log retention if needed (Settings → Audit Log)
  5. Review audit logs to verify system is working correctly

🐛 Bug Fixes

  • Fixed session persistence issues across server restarts
  • Improved error handling for authentication failures
  • Enhanced password validation feedback
  • Fixed UI inconsistencies in settings page
  • Improved audit log filtering performance

API Endpoints

Authentication Endpoints

  • POST /api/auth/login - User authentication
  • POST /api/auth/logout - Session termination
  • GET /api/auth/me - Current user information
  • POST /api/auth/change-password - Password change

User Management Endpoints (Admin Only)

  • GET /api/users - List users
  • POST /api/users - Create user
  • PATCH /api/users/{id} - Update user
  • DELETE /api/users/{id} - Delete user

Audit Log Endpoints

  • GET /api/audit-log - Query audit logs
  • GET /api/audit-log/download - Export audit logs
  • GET /api/audit-log/stats - Audit statistics
  • POST /api/audit-log/cleanup - Manual cleanup (admin only)
  • GET /api/audit-log/retention - Get retention setting
  • PATCH /api/audit-log/retention - Update retention (admin only)
Note: All API endpoints now require authentication. See the API Reference for details on authentication.

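Because the breaking-changes section says external integrations must now send session cookies, here is an added TypeScript example (not duplistatus code) of a minimal client for the endpoints listed above: it logs in with POST /api/auth/login, captures whatever cookie the server sets from the Set-Cookie header, replays it on GET /api/auth/me, and clears it on POST /api/auth/logout. The JSON request body `{ username, password }`, the use of JSON responses and the 401 handling are assumptions about the API, which the API Reference is authoritative for; the cookie name is taken from the server's response rather than hard-coded, so nothing about it is assumed.

```typescript
// Added example, not duplistatus code. The login body shape and JSON
// responses are assumptions; check the API Reference before relying on them.

// Minimal structural view of a fetch Headers object, so the cookie parsing
// can be tested without a network.
interface HeaderReader {
  get(name: string): string | null;
  getSetCookie?: () => string[]; // present on Node's undici Headers
}

// Set-Cookie values -> name/value map; attributes (Path, HttpOnly, ...) dropped.
function parseSetCookies(setCookies: string[]): Map<string, string> {
  const jar = new Map<string, string>();
  for (const header of setCookies) {
    const pair = header.split(";", 1)[0].trim();
    const eq = pair.indexOf("=");
    if (eq <= 0) continue; // malformed: no cookie name
    jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
  }
  return jar;
}

function cookieHeader(jar: Map<string, string>): string {
  return Array.from(jar, ([k, v]) => `${k}=${v}`).join("; ");
}

function setCookieHeaders(headers: HeaderReader): string[] {
  if (typeof headers.getSetCookie === "function") return headers.getSetCookie();
  const joined = headers.get("set-cookie"); // fallback for runtimes that fold them
  return joined ? [joined] : [];
}

class DuplistatusClient {
  private readonly baseUrl: string;
  private readonly jar = new Map<string, string>();

  constructor(baseUrl: string) {
    this.baseUrl = baseUrl.replace(/\/+$/, "");
  }

  private async request(method: string, path: string, body?: unknown): Promise<Response> {
    const headers: Record<string, string> = { Accept: "application/json" };
    if (this.jar.size > 0) headers.Cookie = cookieHeader(this.jar);
    if (body !== undefined) headers["Content-Type"] = "application/json";
    const res = await fetch(this.baseUrl + path, {
      method,
      headers,
      body: body === undefined ? undefined : JSON.stringify(body),
      redirect: "manual", // a redirect to the login page must not be followed silently
    });
    // Keep any cookie the server sets, on every response (the session may rotate).
    for (const [k, v] of parseSetCookies(setCookieHeaders(res.headers))) this.jar.set(k, v);
    return res;
  }

  async login(username: string, password: string): Promise<void> {
    const res = await this.request("POST", "/api/auth/login", { username, password });
    if (!res.ok) throw new Error(`login failed: HTTP ${res.status}`);
    if (this.jar.size === 0) throw new Error("login succeeded but no session cookie was set");
  }

  async me(): Promise<unknown> {
    const res = await this.request("GET", "/api/auth/me");
    if (res.status === 401) throw new Error("session missing or expired; log in again");
    return res.json();
  }

  async logout(): Promise<void> {
    await this.request("POST", "/api/auth/logout");
    this.jar.clear();
  }
}

// Usage (network call, not executed here):
// const client = new DuplistatusClient("https://duplistatus.example.test");
// await client.login("integration-user", process.env.DUPLISTATUS_PASSWORD ?? "");
// console.log(await client.me());
// await client.logout();
```

Sessions expire after 24 hours, so an integration should treat a 401 as "log in again" rather than as a fatal error, and because state-changing endpoints are CSRF-protected, POST, PATCH and DELETE calls may also need the CSRF token described in the API Reference; this example only covers the session cookie.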
Support

Getting Help

Reporting Bugs

When reporting bugs, please include:

  • Version: 0.9.x
  • Operating system and version
  • Docker version
  • Error messages and logs
  • Steps to reproduce
  • User role (admin/user) if relevant

Changelog

Detailed Changes

  • Added: Complete authentication and authorisation system
  • Added: User management with role-based access control
  • Added: Comprehensive audit logging system
  • Added: Settings page redesign with collapsible sidebar
  • Added: Admin recovery CLI tool
  • Added: Password policy enforcement
  • Added: Account lockout mechanism
  • Added: Session management with database persistence
  • Changed: All pages now require authentication
  • Changed: Database schema from v3.1 to v4.0
  • Changed: Session storage from in-memory to database-backed
  • Changed: Settings page layout and navigation
  • Fixed: Session persistence across server restarts
  • Fixed: Various UI inconsistencies
  • Improved: Security posture with comprehensive audit logging
  • Improved: User experience with modern login and settings pages
  • Improved: Code quality with TypeScript interfaces and DRY principles

License

This project is licensed under the Apache License 2.0.

Copyright © 2025 Waldemar Scudeller Jr.