0.7.1
Welcome to Excalibur 0.7! This release brings significant performance improvements, security improvements, new features, and numerous bug fixes. Here are some of the highlights:
- Speedier Crypto: We've migrated from the old polyfilled NodeJS crypto API to
@noble/ciphers, giving us a ~5x performance boost on encryption and decryption operations. - New Jobs Modal: The old, slightly janky jobs popup has been replaced with a new jobs modal that shows up at the bottom of the screen when a new job is added, and continuously updates as jobs progress.
- Argon2d Support: Excalibur now supports the Argon2d key derivation algorithm for enhanced security. Existing users can change their key derivation algorithm from PBKDF2 to Argon2d in the new preferences menu.
The Excalibur documentation website was also updated in this release.
Do note that there are several breaking changes to Excalibur in this version. Please follow the 0.7 upgrade guide to upgrade your Excalibur instance to version 0.7. Do also take note of all the breaking changes made to the server API if you are using it.
Read all about the changes to Excalibur below. Enjoy!
Version 0.7.0 was skipped due to misconfigured version fields. Version 0.7.1 contains no changes except for the version field.
Appโ
๐๏ธ Securityโ
- ๐๏ธ Overridden version minima of dependencies in
pnpm-workspace.yamlto address security vulnerabilities:- GHSA-vxpw-j846-p89q, GHSA-p88m-4jfj-68fv, GHSA-35p6-xmwp-9g52, GHSA-g8m3-5g58-fq7m:
undicito6.27.0
- GHSA-vxpw-j846-p89q, GHSA-p88m-4jfj-68fv, GHSA-35p6-xmwp-9g52, GHSA-g8m3-5g58-fq7m:
โจ New Featuresโ
- ๐ Added new preferences menu
- Users can change their username and password within the new preferences menu's "Account Preferences" section
- โจ Added support for Argon2d key derivation algorithm
- Existing users can change their key derivation algorithm from PBKDF2 to Argon2d in the preferences menu
๐ Changesโ
- ๐ Replaced old jobs popup with new jobs modal
- The modal will now show up at the bottom of the screen when a new job is added, and will continuously update as jobs progress
- ๐ Moved "server settings" to the new preferences menu
- The old "server settings" page is now named "Data Preferences"
- ๐ Edited the "new user" page's password input field to require re-entering new password
๐ Bug Fixesโ
- ๐ Fixed an issue that occurs when obfuscation is toggled whilst in a subfolder
โก๏ธ Performance Improvementsโ
-
โก๏ธ Use
@noble/ciphersinstead of the default polyfilled crypto for faster encryption- Benchmarking shows that the new
@noble/ciphersencryption/decryption implementation is ~5x faster than the original polyfillednode:crypto
===================================== 256 KiB =====================================polyfilled `crypto` โขโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ 36.719 ms@noble/ciphers โขโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ 7.425 msโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ0 600====================================== 1 MiB ======================================polyfilled `crypto` โขโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ 145.738 ms@noble/ciphers โขโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ 29.581 msโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ0 600====================================== 4 MiB ======================================polyfilled `crypto` โขโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ 584.844 ms@noble/ciphers โขโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ 117.138 msโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ0 600 - Benchmarking shows that the new
โฌ๏ธ Dependenciesโ
-
โ Added
@noble/ciphersdependency -
โ Added
@noble/hashesdependency -
โ Added
bufferdependency -
โ Added
create-hashdependency (as well as@types/create-hashdevelopment dependency) -
โ Added
create-hmacdependency (as well as@types/create-hmacdevelopment dependency) -
โ Added
crypto-browserifydependency -
โ Added
pbkdf2dependency (as well as@types/pbkdf2development dependency) -
โ Added
randombytesdependency (as well as@types/randombytesdevelopment dependency) -
โ Added
stream-browserifydependency -
โ Added
utildependency -
โ Added
vm-browserifydependency -
โ Removed
@capacitor-community/safe-areadependency- The changes made in the dependency have been incorporated into version
8.3.0of theSystemBarsplugin in Capacitor
- The changes made in the dependency have been incorporated into version
-
โ Removed
js-sha3dependency -
โฌ๏ธ Updated Capacitor dependencies:
@capacitor/androidfrom8.2.0to8.4.0@capacitor/corefrom8.2.0to8.4.0@capacitor/clifrom8.2.0to8.4.0
-
โฌ๏ธ Updated Electron dependencies:
electronfrom41.5.1to41.9.2electron-builderfrom26.8.1to26.15.3dmg-builderfrom26.8.1to26.15.3electron-builder-squirrel-windowsfrom26.8.1to26.15.3
-
โฌ๏ธ Updated Ionic dependencies:
@ionic/corefrom8.8.6to8.8.9@ionic/reactfrom8.8.6to8.8.9@ionic/react-routerfrom8.8.6to8.8.9
-
โฌ๏ธ Updated React dependencies (#75):
reactfrom19.2.5to19.2.7(and@types/reactdevelopment dependency from19.2.14to19.2.17)react-domfrom19.2.5to19.2.7
-
โฌ๏ธ Updated Vite dependencies:
vitefrom7.3.2to8.0.16vite-plugin-node-polyfillsfrom0.26.0to0.28.0@vitejs/plugin-reactfrom5.2.0to6.0.1electron-vitefrom5.0.0to6.0.0-beta.1
-
โฌ๏ธ Updated
@capawesome/capacitor-file-pickerfrom8.0.2to8.0.3(#94) -
โฌ๏ธ Updated
@types/nodedevelopment dependency from25.6.2to25.9.1 -
โฌ๏ธ Updated
baseline-browser-mappingdevelopment dependency from2.10.29to2.10.33 -
โฌ๏ธ Updated
cypressfrom15.14.2to15.16.0 -
โฌ๏ธ Updated
eslint-plugin-chai-friendlydevelopment dependency from1.2.0to1.2.1(#60) -
โฌ๏ธ Updated
eslint-plugin-cypressdevelopment dependency from6.4.1to6.4.2(#83) -
โฌ๏ธ Updated
eslint-plugin-react-refreshdevelopment dependency from0.5.2to0.5.3(#59) -
โฌ๏ธ Updated
globalsdevelopment dependency from17.6.0to17.7.0(#71) -
โฌ๏ธ Updated
immerfrom11.1.8to11.1.9(#93) -
โฌ๏ธ Updated
lint-stageddevelopment dependency from17.0.5to17.0.7 -
โฌ๏ธ Updated
prettierdevelopment dependency from3.8.4to3.9.4(#85) -
โฌ๏ธ Updated
semver-parserfrom4.1.8to4.2.1 -
โฌ๏ธ Updated
start-server-and-testdevelopment dependency from3.0.4to3.0.6 -
โฌ๏ธ Updated
typescript-eslintdevelopment dependency from8.61.0to8.62.1(#64, #77, #92) -
โฌ๏ธ Updated
vitestdevelopment dependency from4.1.5to4.1.9(#81)
๐งน Miscellaneousโ
- ๐ฅ We will now use
pnpm's11.x.xseries to build and install the main application package, updating the minimum version from10in the rootpackage.jsonand GitHub actions to11 - ๐๏ธ Changed point multiplication algorithm of
Ristretto255from double-and-add to Montgomery ladder - โฐ๏ธ Removed Secure Remote Password (SRP) related code
Serverโ
๐๏ธ Securityโ
-
๐๏ธ Addressed a security issue where the ExEF footer could have been left out when sending the request body and yet still accepted by the server, resulting in possibly tampered bodies being accepted by the server
-
๐๏ธ Changed the behaviour of encrypted routes so that they only accept encrypted payloads (i.e.,
X-Encryptedmust be set totrue)- This prevents an attacker from 'downgrading' the encryption level of a route by replacing a legitimate encrypted payload with an attacker-controlled malicious plaintext
- This setting can only be bypassed on debug mode (via the
--debugflag)
-
๐๏ธ Fixed a security issue where the nonce in the Proof-of-Possession header is consumed before the validity of the header is checked
- This could allow an attacker to flood the server with a bunch of nonces, exhausting the nonce cache
-
๐๏ธ Removed
encryptedquery parameter from the directory changes listener endpoint (/api/files/listen)- All communications over this endpoint are now encrypted by default
๐ฅ Breaking Changesโ
-
๐ฅ๐๏ธ Include query parameters in the Proof-of-Possession (PoP) header calculation
- This does not apply to WebSocket endpoints, as their PoP header is includes as one of the query parameters
-
๐ฅ Uses of the account creation key (ACK) have been replaced with the server's account creation public key
-
๐ฅ Changed the Proof of Possession (PoP) header name from
X-SRP-PoPtoX-Auth-PoP -
๐ฅ Changed vault file organization to be sorted by UUID instead of by usernames
-
๐ฅ Replaced the security details endpoint (
/api/users/security/{username}) with an authentication info endpoint (/api/auth/info/{username})- The authentication info endpoint only returns the authentication protocol
-
๐ฅ Combined the vault key endpoint (
/api/users/vault) and 'additional info' endpoints (/api/users/info/{username}and/api/users/edit-info/{username}) into a single vault info endpoint (/api/users/vault)- This endpoint returns the account unlock key (AUK) key generation function, the AUK salt, the encrypted vault key, and the 'additional info'
- Editing the AUK key generation function and the 'additional info' is done by sending a
PUTrequest to that endpoint
-
๐ฅ The OPAQUE login endpoint (
/api/auth/opaque)'s behaviour has changed:- It will no longer respond with
ERR: User does not existif the user does not exist. Instead, a fake user vector will be returned. Clients are expected to detect this and respond accordingly - The final authentication token is now sent as an ExEF message instead of a 3-part JSON object
Please read the updated documentation for more information.
- It will no longer respond with
-
๐ฅ The OPAQUE registration endpoint (
/api/auth/opaque/register) now requires clients to negotiate a shared session key with the server using the Noise-NK protocol before continuing with OPAQUE registration- Please check the updated documentation for more information
-
๐ฅ The check user endpoint (
/api/user/check/{username}) is now only accessible in debug mode
โจ New Featuresโ
- ๐๏ธ A fake user will be created upon server start
- โจ Added a new WebSocket endpoint (
/api/auth/opaque/edit-record) for changing the OPAQUE record of a user- This encompasses both changing the username and password of a user
- This also allows changing of the saved key generation function on the server
- This is just a record of what key generation function was used to generate the user's keys
๐ Changesโ
- ๐๏ธ Changed the JWT signing key from a per-run randomly generated key to a static value in
config.toml - ๐๏ธ Tightened the timestamp Proof-of-Possession (PoP) validity window to be half of the previous window
- โฐ๏ธ Removed redundant
usernamepath parameter and404 Not Foundresponse code from/api/users/vault/{username}(now is/api/users/vault) - โฐ๏ธ Removed the
security.srptable from the Excalibur configuration - ๐จ Added
--validate-configand--silentflags to theexcalibur config generate-keyscommand - ๐๏ธ Modified the
Usertable:- Added new
idandkeygen_algorithmfields - Changed the primary key of the table from
usernametoid - Renamed the
additional_infofield tovault_info
- Added new
- ๐๏ธ Removed SRP-related fields from the
Usertable - ๐๏ธ Updated DuckDB from 1.4 Andium to 1.5 Variegata
- ๐ Changed subject (
sub) of the authentication token to be the user's ID instead of the username - ๐ Enhanced the look and feel of the
excalibur backupcommand - ๐๏ธ Removed
comms_uuidquery parameter from the OPAQUE registration endpoint (/auth/opaque/register) - ๐๏ธ Removed
srp_saltfrom the security details returned by the security details endpoint (/api/auth/info) - ๐๏ธ Removed SRP login endpoint (
/api/auth) in favour of OPAQUE-3DH login - ๐๏ธ Removed add user endpoint using SRP (
/api/user/add/{username}) in favour of OPAQUE-3DH user creation - ๐๏ธ Removed the SRP group size endpoint (
/api/auth/group-size) as SRP is no longer supported
๐ Bug Fixesโ
- ๐ Fixed a bug where the server was not actually obeying the
X-Content-Typeheader - ๐ Fixed a bug where invalid JWT tokens that are missing required fields would cause the server to throw
500 Internal Server Error - ๐ Fixed a bug where
PersistentTTLCache'spop()method does not update the local disk copy of the cache
โฌ๏ธ Dependenciesโ
- โ Added
httpx2test dependency - โ Removed
httpxtest dependency - โฌ๏ธ Updated
duckdbfrom1.4.4to1.5.3 - โฌ๏ธ Updated
fastapifrom0.136.3to0.139.0(#63, #68, #72, #88) - โฌ๏ธ Updated
ipythondevelopment dependency from9.14.1to9.15.0(#86) - โฌ๏ธ Updated
pydantic-settingsfrom2.14.1to2.14.2(#78) - โฌ๏ธ Updated
pytesttest dependency from9.0.3to9.1.1(#66, #74) - โฌ๏ธ Updated
ruffdevelopment dependency from0.15.16to0.15.20(#61, #76, #91) - โฌ๏ธ Updated
sqlmodelfrom0.0.38to0.0.39(#82)
๐งน Miscellaneousโ
- ๐ฅ We will now use
uv's0.11.xseries to build and install the server package, updating the minimum version from0.10.9inpyproject.tomland GitHub actions to0.11.26 - ๐งโ๐ป Added additional safeguards and warnings when using debug mode (
--debug) - ๐๏ธ Changed point multiplication algorithm of
Ristretto255from double-and-add to Montgomery ladder - ๐จ Updated the configuration migration strategy used by
excalibur config update