v1.1.0
Stable released this 2026-06-10 03:33:27 +02:00 | 21 commits to main since this release
Release v1.1.0
Project Overview
MiauInv is a web-based inventory management system designed for tracking, organizing, and managing assets. This release focuses on strengthening account security, expanding authentication capabilities, improving user account management, and refining repository governance and CI workflows.
Core Features & Improvements
- Multi-Factor Authentication: Added TOTP-based MFA with QR-code enrollment, manual setup support, recovery-code generation, recovery-code regeneration, and account-level 2FA management.
- Passkey Authentication: Introduced WebAuthn-based passkey support with discoverable login, passkey registration, passkey removal, and passkey management from the account settings interface.
- Account Settings: Added a dedicated account settings page for changing usernames, updating passwords, managing 2FA, handling recovery codes, and managing passkeys.
- Authentication Hardening: Improved session security by revoking refresh sessions after sensitive account changes such as password updates, 2FA changes, and passkey modifications.
- Recovery-Code Management: Recovery codes are now generated securely, stored only as hashes, shown only after generation, and consumed as single-use fallback credentials.
- Rate Limiting: Added basic in-memory rate limiting for authentication and sensitive account endpoints to reduce brute-force and abuse potential.
- Improved Password UI: Replaced separate password visibility buttons with inline icon-based controls and removed unfinished avatar placeholder elements from the account settings UI.
Security & Authentication
- TOTP Setup Flow: TOTP secrets are no longer stored before confirmation. Setup secrets are held temporarily and only persisted after the first valid authenticator code.
- Passkey Login Flow: Passkey login now works without requiring a username and is treated as a complete phishing-resistant sign-in flow.
- Session Revocation: Existing refresh tokens are revoked after password changes, 2FA activation or deactivation, recovery-sensitive changes, and passkey management actions.
- Secure Credential Storage: Refresh tokens, recovery codes, and passkey credential data are stored server-side with appropriate hashing or structured persistence depending on the credential type.
- Updated Security Documentation: Expanded authentication, database, and security documentation to describe MFA, passkeys, recovery codes, rate limiting, and session behavior.
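
The recovery-code handling described above (secure generation, hash-only storage, one-time display, single-use consumption, regeneration), as an added Go example that is not MiauInv's own code. The `RecoveryStore` type, the `XXXX-XXXX-XXXX-XXXX` code format, and the choice of SHA-256 are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"fmt"
	"strings"
)

// RecoveryStore keeps only digests of unused codes (hypothetical; not concurrency-safe).
type RecoveryStore struct{ hashes [][32]byte }
func digest(code string) [32]byte { // SHA-256 is an assumed choice, adequate for 80-bit random codes
	c := strings.ToUpper(strings.ReplaceAll(strings.TrimSpace(code), "-", ""))
	return sha256.Sum256([]byte(c))
}

// Generate replaces any existing codes and returns the plaintext exactly once.
func (s *RecoveryStore) Generate(n int) ([]string, error) {
	codes, hashes := make([]string, 0, n), make([][32]byte, 0, n)
	for i := 0; i < n; i++ {
		raw := make([]byte, 10) // 80 bits from the OS CSPRNG
		if _, err := rand.Read(raw); err != nil {
			return nil, err
		}
		c := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(raw)
		codes = append(codes, c[:4]+"-"+c[4:8]+"-"+c[8:12]+"-"+c[12:])
		hashes = append(hashes, digest(c))
	}
	s.hashes = hashes // old codes stop working only once the new set is complete
	return codes, nil
}

// Consume accepts a code once: a match is deleted before success is returned.
func (s *RecoveryStore) Consume(code string) bool {
	h := digest(code)
	for i := range s.hashes {
		if subtle.ConstantTimeCompare(h[:], s.hashes[i][:]) == 1 {
			s.hashes = append(s.hashes[:i], s.hashes[i+1:]...)
			return true
		}
	}
	return false
}
func main() {
	var s RecoveryStore
	codes, _ := s.Generate(3)
	fmt.Println(codes[0], s.Consume(codes[0]), s.Consume(codes[0]))
}
```

In a database-backed version, consumption should be a single atomic delete-by-hash whose affected-row count decides success, so two concurrent requests cannot both spend the same code.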
Repository & Workflow Improvements
- Contribution Guidelines: Added dedicated contribution guidelines covering signed commits, protected main branch rules, pull request requirements, issue usage, branch naming, and release branch conventions.
- Signed Commit Policy: Documented that all commits must be signed and all changes must be submitted through pull requests.
- CI Workflow Optimization: Updated the test-and-lint workflow to use a dedicated Go runner image and reduce unnecessary setup overhead.
- Documentation Cleanup: Removed outdated testing documentation references where no full test suite exists yet and aligned README documentation links with the current repository structure.
Deployment & Infrastructure
- Database Schema Extensions: Added persistent storage for MFA recovery codes, WebAuthn passkey credentials, and WebAuthn challenge state.
- Automatic Migration Support: Existing SQLite databases are migrated forward with the new account security fields and authentication-related tables.
- Docker Image Updates: Release images should be rebuilt and published for v1.1.0 and latest.
Repository Visuals
- Updated documentation to reflect the current account settings, authentication, and security capabilities of the application.