Releases: cryptomator/hub

1.4.6

17 Oct 14:13
1.4.6
83adf31

What's Changed

  • Show admin section of Hub when Keycloak version is not available (#361)
  • Updated Keycloak to 26.4.1
  • Updated to Quarkus 3.20.3 LTS

Recommended actions for the 1.4.6 Update

We highly recommend updating Keycloak to version 26.4.1.

You can skip this step if you created your realm with script version 8 or above. If not:

Starting with version 26.4.0, Keycloak does not expose its version to non-master realm admins by default. To see the Keycloak version in Hub again, please execute the following:

  1. Open Keycloak
  2. Select Clients
  3. Select realm-management
  4. In Roles create a role with the name view-system
  5. Select the cryptomatorhub-system client
  6. Under Service Account Role assign the created view-system client role to this client

Now either wait until cryptomatorhub-system refreshes its token (by default within a few minutes) or restart Hub. You will then see the Keycloak version again, e.g. in the Admin section of Hub.

Full Changelog: 1.4.5...1.4.6

1.4.5

09 Aug 11:12
1.4.5
de8c4bb

What's Changed

All instances must be updated as soon as possible to address a security vulnerability.

Full Changelog: 1.4.4...1.4.5

1.4.4

05 Aug 08:24
1.4.4
5d05d54

What's Changed

  • Added Breadcrumb Navigation #345
  • Added unsaved changes notice with undo in the WOT settings #346
  • Added support for regionalized translations #350
  • Added Latvian, Portuguese (Brazil), Russian, Ukrainian and Chinese (Taiwan) translation #350
  • Updated Keycloak to 26.3.2
  • Updated to Quarkus 3.20.2 LTS

Full Changelog: 1.4.3...1.4.4

1.4.3

12 Jun 14:53
1.4.3
6cd8ffc

What's Changed

  • Fix health check in Docker Compose by adding curl to native images (#344)
  • Bump dependencies

Full Changelog: 1.4.2...1.4.3

1.4.2

06 Jun 13:02
1.4.2
93e2123

What's Changed

Fixed

  • Fixed an issue where syncing of Keycloak users/groups would fail in very rare circumstances (#343)

Full Changelog: 1.4.1...1.4.2

1.4.1

12 May 15:28
1.4.1
e649479

What's Changed

Fixed

  • Fixed licence refresh, which had not been executed since version 1.4.0 (#341)

Full Changelog: 1.4.0...1.4.1

1.4.0

14 Apr 13:26
1.4.0
10babc1

What's Changed

Added

  • This CHANGELOG file
  • WoT: Users will now have an ECDH as well as ECDSA key (#282)
  • WoT: Users can now mutually verify their identity, hardening Hub against injection of malicious public keys (#281)
  • WoT: Admins can adjust WoT parameters (#297)
  • Permission to create new vaults can now be controlled via the create-vaults role in Keycloak (#206)
  • Preserve user locale setting (#313)
  • New log event entries: UserAccountReset, UserKeysChange and UserSetupCodeChange (#310)
  • Audit log filter by event type (#312)
  • Show last IP address and last vault access timestamp of devices in user profile (#320)
  • Dutch, French, Italian, Korean, Portuguese and Turkish translation
  • Added provenance attestation for our container images (#322)
  • Show legacy devices in user profile (#331)
  • Show direct member count of groups in vault details (#329)

Changed

  • Updated Keycloak to 26.1.5
  • Updated to Java 21 (#272)
  • Updated to Quarkus 3.15.4 LTS
  • Updated to Tailwind CSS 4
  • Updated to Vite 6
  • Reduced number of transitive dependencies
  • Bumped build time dependencies
  • Migrated remaining commonjs modules in frontend build to ESM (#291)
  • Memoize infrequently changing data, reducing XHR roundtrips
  • Switched to JWK thumbprint format in user profile
  • Switched to Repository Pattern (#273)
  • Redesigned Admin Panel (#308)
  • Enhanced audit log event VaultKeyRetrievedEvent, which now contains the IP address and device ID (#320)
  • Migrate syncer user to cryptomatorhub-system client (#336)

Fixed

  • Fixed incorrect ARIA roles improving accessibility
  • Fixed incorrect Content-Type header for /api/vaults/{vaultId}/access-token (#284)
  • Show legacy device name in audit log (#331)
  • Added "Browser Language" option to language selection dropdown, enabling users to revert to browser default language (#324)

Required actions for the 1.4.0 Update

1. Migrate to System OIDC Client

Perform the following steps during the update for #336:

cat << 'EOF' > partial-realm-import.json
{
	"users": [
		{
			"username": "system",
			"email": "system@localhost",
			"enabled": true,
			"serviceAccountClientId": "cryptomatorhub-system",
			"clientRoles": {
				"realm-management": [
					"realm-admin"
				]
			},
			"attributes": {
				"picture": "data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGZpbGw9IiMwMDAiIHZpZXdCb3g9IjAgMCAxMDAgMTAwIj4KCTxtYXNrIGlkPSJjbGlwIj4KCQk8Y2lyY2xlIGZpbGw9IiNGRkYiIHI9IjUwIiBjeD0iNTAiIGN5PSI1MCIvPgoJCTxnIGZpbGw9IiMwMDAiPgoJCTxjaXJjbGUgcj0iMjUiIGN4PSI1MCIgY3k9IjUwIiAvPgoJCTxjaXJjbGUgcj0iMTIiIGN4PSIwIiBjeT0iNTAiIC8+CgkJPGNpcmNsZSByPSIxMiIgY3g9IjUwIiBjeT0iMCIgLz4KCQk8Y2lyY2xlIHI9IjEyIiBjeD0iODUiIGN5PSIxNSIgLz4KCQk8Y2lyY2xlIHI9IjEyIiBjeD0iMTAwIiBjeT0iNTAiIC8+CgkJPGNpcmNsZSByPSIxMiIgY3g9Ijg1IiBjeT0iODUiIC8+CgkJPGNpcmNsZSByPSIxMiIgY3g9IjUwIiBjeT0iMTAwIiAvPgoJCTxjaXJjbGUgcj0iMTIiIGN4PSIxNSIgY3k9Ijg1IiAvPgoJCTxjaXJjbGUgcj0iMTIiIGN4PSIwIiBjeT0iNTAiIC8+CgkJPGNpcmNsZSByPSIxMiIgY3g9IjE1IiBjeT0iMTUiIC8+CgkJPC9nPgoJPC9tYXNrPgoJPGNpcmNsZSByPSI1MCIgY3g9IjUwIiBjeT0iNTAiIG1hc2s9InVybCgjY2xpcCkiIC8+Cjwvc3ZnPg=="
			}
		}
	],
	"clients": [
		{
			"clientId": "cryptomatorhub-system",
			"name": "Cryptomator Hub System",
			"clientAuthenticatorType": "client-secret",
			"standardFlowEnabled": false,
			"serviceAccountsEnabled": true,
			"publicClient": false,
			"enabled": true,
			"secret": "TODO"
		}
	],
	"roles": {
		"realm": [
			{
				"name": "create-vaults",
				"description": "Can create vaults",
				"composite": false
			}
		]
	}
}
EOF

In Keycloak

  1. Set secret in partial-realm-import.json to a secure value
  2. Partially import the partial-realm-import.json realm (make sure you select user, client and role)
  3. Remove the syncer user and syncer role

In the deployment

  1. Remove HUB_KEYCLOAK_SYNCER_USERNAME, HUB_KEYCLOAK_SYNCER_PASSWORD and HUB_KEYCLOAK_SYNCER_CLIENT_ID
  2. Add HUB_KEYCLOAK_SYSTEM_CLIENT_ID with value cryptomatorhub-system
  3. Add HUB_KEYCLOAK_SYSTEM_CLIENT_SECRET with the secret value of your partial-realm-import.json
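
A preflight check for the migration steps above, as an added example that is not part of the Hub release notes or the Cryptomator project's tooling: it generates the client secret, writes it into partial-realm-import.json, and verifies that a deployment file no longer references the syncer variables and carries the same secret. The function names, the hex secret format and the assumption that the deployment file holds KEY: value or KEY=value lines are this example's own.

```shell
#!/bin/sh
# Added example: helper functions for the 1.4.0 system-client migration.

# 32 bytes from the kernel CSPRNG, hex-encoded (64 characters).
gen_secret() {
	head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Replace the "TODO" client secret in the import file $1 with $2.
# $2 must not contain '/' or '&' (hex output of gen_secret is safe).
# Fails when the placeholder is absent, so a patched file is left alone.
set_import_secret() {
	grep -q '"secret": "TODO"' "$1" || { echo "no TODO secret in $1" >&2; return 1; }
	sed "s/\"secret\": \"TODO\"/\"secret\": \"$2\"/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Check deployment file $1 (KEY: value or KEY=value lines, an assumption)
# against import file $2. Prints each problem; returns 1 if any was found.
check_hub_env() {
	rc=0
	if grep -Eq 'HUB_KEYCLOAK_SYNCER_(USERNAME|PASSWORD|CLIENT_ID)' "$1"; then
		echo "remove the HUB_KEYCLOAK_SYNCER_* variables"; rc=1
	fi
	if ! grep -Eq 'HUB_KEYCLOAK_SYSTEM_CLIENT_ID[:=] *"?cryptomatorhub-system"? *$' "$1"; then
		echo "HUB_KEYCLOAK_SYSTEM_CLIENT_ID must be cryptomatorhub-system"; rc=1
	fi
	env_secret=$(sed -n 's/.*HUB_KEYCLOAK_SYSTEM_CLIENT_SECRET[:=][ "]*\([^" ]*\).*/\1/p' "$1")
	imp_secret=$(sed -n 's/.*"secret": "\([^"]*\)".*/\1/p' "$2")
	case "$env_secret" in
		''|TODO) echo "HUB_KEYCLOAK_SYSTEM_CLIENT_SECRET is unset or still TODO"; rc=1 ;;
		"$imp_secret") ;;
		*) echo "deployment secret differs from the one in $2"; rc=1 ;;
	esac
	return $rc
}
```

Typical use is `set_import_secret partial-realm-import.json "$(gen_secret)"` before the partial import, then `check_hub_env <deployment file> partial-realm-import.json` before restarting Hub.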

2. Vault Creation Permissions

Starting with version 1.4.0, only users with the admin role can create vaults by default.

If you migrate from an earlier version of Hub you need to configure the create-vaults role behaviour to your needs:

To use the new default behaviour

  1. Log in to Keycloak with admin privileges.
  2. Navigate to Realm Roles > admin > Assign Role.
  3. Select and apply the create-vaults role.

To restore the pre-1.4.0 behaviour where all users can create vaults, follow the steps above but use the user role instead of the admin role.

Recommended Steps for the 1.4.0 Update

1. Allow Proxy Address Forwarding

If Hub is running behind a reverse proxy, make sure to apply QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING: true to the deployment file (required for #320).

2. Update Keycloak to 26.0.5

We highly recommend updating Keycloak to version 26.0.5. Prior to the update, please verify the following changes:

  1. Health Check URL Update

    Modify the Keycloak health check URL as follows:

    - http://localhost:8080/health/live
    + http://localhost:9000/health/live

  2. Environment Variable Adjustments

    Update the Keycloak environment variables to the following values:

    - KC_HOSTNAME: keycloak_url
    - KC_PROXY: edge
    + KC_HOSTNAME: https://keycloak_url
    + KC_PROXY_HEADERS: xforwarded

Important Considerations after the 1.4.0 Update

Optional configuration of Web of Trust parameters. See https://docs.cryptomator.org/hub/admin/#hub-admin-wot for more information on this topic.

Full Changelog: 1.3.4...1.4.0

1.4.0-rc3

27 Mar 14:35
1.4.0-rc3
0b77aec

Pre-release

What's Changed

  • Migrate syncer user to cryptomatorhub-system client (#336)
  • Updated to Quarkus 3.15.4 LTS

Important Considerations for the 1.4.0-rc3 Update

Perform the following steps during the update for #336:

cat << 'EOF' > partial-realm-import.json
{
	"users":[
		{
			"username": "system",
			"email": "system@localhost",
			"enabled": true,
			"serviceAccountClientId": "cryptomatorhub-system",
			"clientRoles" : {
				 "realm-management" : [ "realm-admin" ]
			 },
			"attributes": {
				 "picture": "data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGZpbGw9IiMwMDAiIHZpZXdCb3g9IjAgMCAxMDAgMTAwIj4KCTxtYXNrIGlkPSJjbGlwIj4KCQk8Y2lyY2xlIGZpbGw9IiNGRkYiIHI9IjUwIiBjeD0iNTAiIGN5PSI1MCIvPgoJCTxnIGZpbGw9IiMwMDAiPgoJCTxjaXJjbGUgcj0iMjUiIGN4PSI1MCIgY3k9IjUwIiAvPgoJCTxjaXJjbGUgcj0iMTIiIGN4PSIwIiBjeT0iNTAiIC8+CgkJPGNpcmNsZSByPSIxMiIgY3g9IjUwIiBjeT0iMCIgLz4KCQk8Y2lyY2xlIHI9IjEyIiBjeD0iODUiIGN5PSIxNSIgLz4KCQk8Y2lyY2xlIHI9IjEyIiBjeD0iMTAwIiBjeT0iNTAiIC8+CgkJPGNpcmNsZSByPSIxMiIgY3g9Ijg1IiBjeT0iODUiIC8+CgkJPGNpcmNsZSByPSIxMiIgY3g9IjUwIiBjeT0iMTAwIiAvPgoJCTxjaXJjbGUgcj0iMTIiIGN4PSIxNSIgY3k9Ijg1IiAvPgoJCTxjaXJjbGUgcj0iMTIiIGN4PSIwIiBjeT0iNTAiIC8+CgkJPGNpcmNsZSByPSIxMiIgY3g9IjE1IiBjeT0iMTUiIC8+CgkJPC9nPgoJPC9tYXNrPgoJPGNpcmNsZSByPSI1MCIgY3g9IjUwIiBjeT0iNTAiIG1hc2s9InVybCgjY2xpcCkiIC8+Cjwvc3ZnPg=="
			}
		}
	],
	"clients":[
		{
			"clientId": "cryptomatorhub-system",
			"name": "Cryptomator Hub System",
			"clientAuthenticatorType": "client-secret",
			"standardFlowEnabled": false,
			"serviceAccountsEnabled": true,
			"publicClient": false,
			"enabled": true,
			"secret": "TODO"
		}
	]
}
EOF

In Keycloak

  1. Set secret in partial-realm-import.json to a secure value
  2. Partially import the partial-realm-import.json realm (make sure you select user and client)
  3. Remove the syncer user and syncer role

In the deployment

  1. Remove HUB_KEYCLOAK_SYNCER_USERNAME, HUB_KEYCLOAK_SYNCER_PASSWORD and HUB_KEYCLOAK_SYNCER_CLIENT_ID
  2. Add HUB_KEYCLOAK_SYSTEM_CLIENT_ID with value cryptomatorhub-system
  3. Add HUB_KEYCLOAK_SYSTEM_CLIENT_SECRET with the secret value of your partial-realm-import.json

Full Changelog: 1.4.0-rc2...1.4.0-rc3

1.4.0-rc2

17 Mar 18:30
1.4.0-rc2
3b2f25f

Pre-release

What's Changed

  • Show direct member count of groups in vault details (#329)
  • Added "Browser Language" option to language selection dropdown, enabling users to revert to browser default language (#324)
  • Reload device lists upon device removal
  • Added pointer cursor to device remove "button" text
  • Show device only when available in audit log vault key retrieve event

Full Changelog: 1.4.0-rc1...1.4.0-rc2

1.4.0-rc1

14 Mar 14:49
1.4.0-rc1
e8da443

Pre-release

What's Changed

  • Show legacy devices in user profile (#331)
  • Show legacy device name in audit log (#331)
  • Updated to Quarkus 3.15.3.1 LTS
  • Updated Keycloak to 26.1.4

Full Changelog: 1.4.0-beta3...1.4.0-rc1