Skip to content

Tags: akoenig/usher

Tags

0.5.1

Toggle 0.5.1's commit message 
chore: release 0.5.1

0.5.0

Toggle 0.5.0's commit message

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode 
refactor: hardens proxy path and adds credential lifecycle management (

…#13)

* feat: harden proxy path and add credential lifecycle management

Security and correctness:
- Cache OAuth2 access tokens per credential until expiry and serialize
  refreshes with a per-credential lock; retry once on upstream 401 for
  cached tokens
- Use PKCE S256 instead of the plain code challenge method
- Enforce a configurable upstream timeout, stop following upstream
  redirects, and cap request/response body sizes (413 for oversized
  inbound requests)
- Strip stale Content-Encoding/Content-Length from decompressed upstream
  responses, preserve multiple Set-Cookie headers, and drop caller Host,
  Content-Length, Accept-Encoding, and Expect headers before forwarding
- Reject target URL paths containing percent-encoded traversal segments
- Preserve sanitized failure causes in upstream and token-exchange errors
- Add systemd sandboxing directives to the installed user unit

Operations and product:
- GET /health liveness endpoint without loopback restriction
- Optional audit log retention with hourly pruning and a created_at index
- credentials update / rotate-token / authorize CLI commands backed by
  PATCH /credentials/{id}; OAuth2 credentials can be re-authorized while
  active
- events filtering by credential and outcome (CLI flags + query params)
- New optional config fields upstreamTimeoutMillis, maxBodyBytes, and
  auditRetentionDays with USHER_* environment overrides

Code quality:
- Explicit error-code-to-HTTP-status registry preserving existing statuses
- normalizeAllowedRequest returns Either instead of throwing
- Replace decodeUnknownSync inside effects with decodeUnknown + orDie
- Share hop-by-hop header policy between application and infrastructure

All changes are backwards compatible: existing config files, databases,
and API callers continue to work unchanged. Adds CHANGELOG.md and README
sections for the new behavior, including backup/restore guidance.

* refactor: prefer Effect Predicate helpers over raw conditions

Replace raw undefined/instanceof/typeof checks with Predicate.isUndefined,
isNotUndefined, isError, isString, and isUint8Array where they read more
clearly, and compose the path traversal dot-segment check from small
predicates via Predicate.some.

0.4.2

Toggle 0.4.2's commit message 
chore: release 0.4.2

0.4.1

Toggle 0.4.1's commit message 
chore: release 0.4.1

0.4.0

Toggle 0.4.0's commit message 
chore: release 0.4.0

0.3.2

Toggle 0.3.2's commit message 
chore: release 0.3.2

0.3.1

Toggle 0.3.1's commit message 
chore: release 0.3.1

0.3.0

Toggle 0.3.0's commit message 
chore: release 0.3.0

0.2.1

Toggle 0.2.1's commit message 
fix: wrap cli entrypoint for systemd

0.2.0

Toggle 0.2.0's commit message

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode 
feat: add events command (#11)

* feat: add audit event read contract

* feat: read audit events from sqlite

* fix: skip incomplete audit rows in event reads

* feat: expose audit events admin endpoint

* fix: validate events admin query errors

* test: cover events admin query defaults

* feat: add admin client events reader

* fix: reject mixed events client requests

* fix: keep events branch verification clean

* feat: format audit events for cli

* feat: add events cli command

* fix: validate events cli follow options

* docs: document events command

* fix: clean events command verification

* docs: expand events command readme