Skip to main content

0.7.1

ยท 15226 words
Downloads for 0.7.1

Welcome to Excalibur 0.7! This release brings significant performance improvements, security improvements, new features, and numerous bug fixes. Here are some of the highlights:

  • Speedier Crypto: We've migrated from the old polyfilled NodeJS crypto API to @noble/ciphers, giving us a ~5x performance boost on encryption and decryption operations.
  • New Jobs Modal: The old, slightly janky jobs popup has been replaced with a new jobs modal that shows up at the bottom of the screen when a new job is added, and continuously updates as jobs progress.
  • Argon2d Support: Excalibur now supports the Argon2d key derivation algorithm for enhanced security. Existing users can change their key derivation algorithm from PBKDF2 to Argon2d in the new preferences menu.

The Excalibur documentation website was also updated in this release.

Do note that there are several breaking changes to Excalibur in this version. Please follow the 0.7 upgrade guide to upgrade your Excalibur instance to version 0.7. Do also take note of all the breaking changes made to the server API if you are using it.

Read all about the changes to Excalibur below. Enjoy!

note

Version 0.7.0 was skipped due to misconfigured version fields. Version 0.7.1 contains no changes except for the version field.

Appโ€‹

๐Ÿ”’๏ธ Securityโ€‹

  • ๐Ÿ”’๏ธ Overridden version minima of dependencies in pnpm-workspace.yaml to address security vulnerabilities:
    • GHSA-vxpw-j846-p89q, GHSA-p88m-4jfj-68fv, GHSA-35p6-xmwp-9g52, GHSA-g8m3-5g58-fq7m: undici to 6.27.0

โœจ New Featuresโ€‹

  • ๐Ÿ’„ Added new preferences menu
    • Users can change their username and password within the new preferences menu's "Account Preferences" section
  • โœจ Added support for Argon2d key derivation algorithm
    • Existing users can change their key derivation algorithm from PBKDF2 to Argon2d in the preferences menu

๐Ÿ”„ Changesโ€‹

  • ๐Ÿ’„ Replaced old jobs popup with new jobs modal
    • The modal will now show up at the bottom of the screen when a new job is added, and will continuously update as jobs progress
  • ๐Ÿ’„ Moved "server settings" to the new preferences menu
    • The old "server settings" page is now named "Data Preferences"
  • ๐Ÿ’„ Edited the "new user" page's password input field to require re-entering new password

๐Ÿ› Bug Fixesโ€‹

  • ๐Ÿ› Fixed an issue that occurs when obfuscation is toggled whilst in a subfolder

โšก๏ธ Performance Improvementsโ€‹

  • โšก๏ธ Use @noble/ciphers instead of the default polyfilled crypto for faster encryption

    • Benchmarking shows that the new @noble/ciphers encryption/decryption implementation is ~5x faster than the original polyfilled node:crypto
    ===================================== 256 KiB =====================================
    polyfilled `crypto` โ•ขโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘ 36.719 ms
    @noble/ciphers โ•ขโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘ 7.425 ms
    โ• โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
    0 600

    ====================================== 1 MiB ======================================
    polyfilled `crypto` โ•ขโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘ 145.738 ms
    @noble/ciphers โ•ขโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘ 29.581 ms
    โ• โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
    0 600

    ====================================== 4 MiB ======================================
    polyfilled `crypto` โ•ขโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘ 584.844 ms
    @noble/ciphers โ•ขโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘ 117.138 ms
    โ• โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
    0 600

โฌ†๏ธ Dependenciesโ€‹

  • โž• Added @noble/ciphers dependency

  • โž• Added @noble/hashes dependency

  • โž• Added buffer dependency

  • โž• Added create-hash dependency (as well as @types/create-hash development dependency)

  • โž• Added create-hmac dependency (as well as @types/create-hmac development dependency)

  • โž• Added crypto-browserify dependency

  • โž• Added pbkdf2 dependency (as well as @types/pbkdf2 development dependency)

  • โž• Added randombytes dependency (as well as @types/randombytes development dependency)

  • โž• Added stream-browserify dependency

  • โž• Added util dependency

  • โž• Added vm-browserify dependency

  • โž– Removed @capacitor-community/safe-area dependency

  • โž– Removed js-sha3 dependency

  • โฌ†๏ธ Updated Capacitor dependencies:

    • @capacitor/android from 8.2.0 to 8.4.0
    • @capacitor/core from 8.2.0 to 8.4.0
    • @capacitor/cli from 8.2.0 to 8.4.0
  • โฌ†๏ธ Updated Electron dependencies:

    • electron from 41.5.1 to 41.9.2
    • electron-builder from 26.8.1 to 26.15.3
    • dmg-builder from 26.8.1 to 26.15.3
    • electron-builder-squirrel-windows from 26.8.1 to 26.15.3
  • โฌ†๏ธ Updated Ionic dependencies:

    • @ionic/core from 8.8.6 to 8.8.9
    • @ionic/react from 8.8.6 to 8.8.9
    • @ionic/react-router from 8.8.6 to 8.8.9
  • โฌ†๏ธ Updated React dependencies (#75):

    • react from 19.2.5 to 19.2.7 (and @types/react development dependency from 19.2.14 to 19.2.17)
    • react-dom from 19.2.5 to 19.2.7
  • โฌ†๏ธ Updated Vite dependencies:

    • vite from 7.3.2 to 8.0.16
    • vite-plugin-node-polyfills from 0.26.0 to 0.28.0
    • @vitejs/plugin-react from 5.2.0 to 6.0.1
    • electron-vite from 5.0.0 to 6.0.0-beta.1
  • โฌ†๏ธ Updated @capawesome/capacitor-file-picker from 8.0.2 to 8.0.3 (#94)

  • โฌ†๏ธ Updated @types/node development dependency from 25.6.2 to 25.9.1

  • โฌ†๏ธ Updated baseline-browser-mapping development dependency from 2.10.29 to 2.10.33

  • โฌ†๏ธ Updated cypress from 15.14.2 to 15.16.0

  • โฌ†๏ธ Updated eslint-plugin-chai-friendly development dependency from 1.2.0 to 1.2.1 (#60)

  • โฌ†๏ธ Updated eslint-plugin-cypress development dependency from 6.4.1 to 6.4.2 (#83)

  • โฌ†๏ธ Updated eslint-plugin-react-refresh development dependency from 0.5.2 to 0.5.3 (#59)

  • โฌ†๏ธ Updated globals development dependency from 17.6.0 to 17.7.0 (#71)

  • โฌ†๏ธ Updated immer from 11.1.8 to 11.1.9 (#93)

  • โฌ†๏ธ Updated lint-staged development dependency from 17.0.5 to 17.0.7

  • โฌ†๏ธ Updated prettier development dependency from 3.8.4 to 3.9.4 (#85)

  • โฌ†๏ธ Updated semver-parser from 4.1.8 to 4.2.1

  • โฌ†๏ธ Updated start-server-and-test development dependency from 3.0.4 to 3.0.6

  • โฌ†๏ธ Updated typescript-eslint development dependency from 8.61.0 to 8.62.1 (#64, #77, #92)

  • โฌ†๏ธ Updated vitest development dependency from 4.1.5 to 4.1.9 (#81)

๐Ÿงน Miscellaneousโ€‹

  • ๐Ÿ’ฅ We will now use pnpm's 11.x.x series to build and install the main application package, updating the minimum version from 10 in the root package.json and GitHub actions to 11
  • ๐Ÿ”’๏ธ Changed point multiplication algorithm of Ristretto255 from double-and-add to Montgomery ladder
  • โšฐ๏ธ Removed Secure Remote Password (SRP) related code

Serverโ€‹

๐Ÿ”’๏ธ Securityโ€‹

  • ๐Ÿ”’๏ธ Addressed a security issue where the ExEF footer could have been left out when sending the request body and yet still accepted by the server, resulting in possibly tampered bodies being accepted by the server

  • ๐Ÿ”’๏ธ Changed the behaviour of encrypted routes so that they only accept encrypted payloads (i.e., X-Encrypted must be set to true)

    • This prevents an attacker from 'downgrading' the encryption level of a route by replacing a legitimate encrypted payload with an attacker-controlled malicious plaintext
    • This setting can only be bypassed on debug mode (via the --debug flag)
  • ๐Ÿ”’๏ธ Fixed a security issue where the nonce in the Proof-of-Possession header is consumed before the validity of the header is checked

    • This could allow an attacker to flood the server with a bunch of nonces, exhausting the nonce cache
  • ๐Ÿ”’๏ธ Removed encrypted query parameter from the directory changes listener endpoint (/api/files/listen)

    • All communications over this endpoint are now encrypted by default

๐Ÿ’ฅ Breaking Changesโ€‹

  • ๐Ÿ’ฅ๐Ÿ”’๏ธ Include query parameters in the Proof-of-Possession (PoP) header calculation

    • This does not apply to WebSocket endpoints, as their PoP header is includes as one of the query parameters
  • ๐Ÿ’ฅ Uses of the account creation key (ACK) have been replaced with the server's account creation public key

  • ๐Ÿ’ฅ Changed the Proof of Possession (PoP) header name from X-SRP-PoP to X-Auth-PoP

  • ๐Ÿ’ฅ Changed vault file organization to be sorted by UUID instead of by usernames

  • ๐Ÿ’ฅ Replaced the security details endpoint (/api/users/security/{username}) with an authentication info endpoint (/api/auth/info/{username})

    • The authentication info endpoint only returns the authentication protocol
  • ๐Ÿ’ฅ Combined the vault key endpoint (/api/users/vault) and 'additional info' endpoints (/api/users/info/{username} and /api/users/edit-info/{username}) into a single vault info endpoint (/api/users/vault)

    • This endpoint returns the account unlock key (AUK) key generation function, the AUK salt, the encrypted vault key, and the 'additional info'
    • Editing the AUK key generation function and the 'additional info' is done by sending a PUT request to that endpoint
  • ๐Ÿ’ฅ The OPAQUE login endpoint (/api/auth/opaque)'s behaviour has changed:

    • It will no longer respond with ERR: User does not exist if the user does not exist. Instead, a fake user vector will be returned. Clients are expected to detect this and respond accordingly
    • The final authentication token is now sent as an ExEF message instead of a 3-part JSON object

    Please read the updated documentation for more information.

  • ๐Ÿ’ฅ The OPAQUE registration endpoint (/api/auth/opaque/register) now requires clients to negotiate a shared session key with the server using the Noise-NK protocol before continuing with OPAQUE registration

    • Please check the updated documentation for more information
  • ๐Ÿ’ฅ The check user endpoint (/api/user/check/{username}) is now only accessible in debug mode

โœจ New Featuresโ€‹

  • ๐Ÿ—ƒ๏ธ A fake user will be created upon server start
  • โœจ Added a new WebSocket endpoint (/api/auth/opaque/edit-record) for changing the OPAQUE record of a user
    • This encompasses both changing the username and password of a user
    • This also allows changing of the saved key generation function on the server
      • This is just a record of what key generation function was used to generate the user's keys

๐Ÿ”„ Changesโ€‹

  • ๐Ÿ”’๏ธ Changed the JWT signing key from a per-run randomly generated key to a static value in config.toml
  • ๐Ÿ”’๏ธ Tightened the timestamp Proof-of-Possession (PoP) validity window to be half of the previous window
  • โšฐ๏ธ Removed redundant username path parameter and 404 Not Found response code from /api/users/vault/{username} (now is /api/users/vault)
  • โšฐ๏ธ Removed the security.srp table from the Excalibur configuration
  • ๐Ÿ”จ Added --validate-config and --silent flags to the excalibur config generate-keys command
  • ๐Ÿ—ƒ๏ธ Modified the User table:
    • Added new id and keygen_algorithm fields
    • Changed the primary key of the table from username to id
    • Renamed the additional_info field to vault_info
  • ๐Ÿ—ƒ๏ธ Removed SRP-related fields from the User table
  • ๐Ÿ—ƒ๏ธ Updated DuckDB from 1.4 Andium to 1.5 Variegata
  • ๐Ÿ›‚ Changed subject (sub) of the authentication token to be the user's ID instead of the username
  • ๐Ÿ’„ Enhanced the look and feel of the excalibur backup command
  • ๐Ÿ—‘๏ธ Removed comms_uuid query parameter from the OPAQUE registration endpoint (/auth/opaque/register)
  • ๐Ÿ—‘๏ธ Removed srp_salt from the security details returned by the security details endpoint (/api/auth/info)
  • ๐Ÿ—‘๏ธ Removed SRP login endpoint (/api/auth) in favour of OPAQUE-3DH login
  • ๐Ÿ—‘๏ธ Removed add user endpoint using SRP (/api/user/add/{username}) in favour of OPAQUE-3DH user creation
  • ๐Ÿ—‘๏ธ Removed the SRP group size endpoint (/api/auth/group-size) as SRP is no longer supported

๐Ÿ› Bug Fixesโ€‹

  • ๐Ÿ› Fixed a bug where the server was not actually obeying the X-Content-Type header
  • ๐Ÿ› Fixed a bug where invalid JWT tokens that are missing required fields would cause the server to throw 500 Internal Server Error
  • ๐Ÿ› Fixed a bug where PersistentTTLCache's pop() method does not update the local disk copy of the cache

โฌ†๏ธ Dependenciesโ€‹

  • โž• Added httpx2 test dependency
  • โž– Removed httpx test dependency
  • โฌ†๏ธ Updated duckdb from 1.4.4 to 1.5.3
  • โฌ†๏ธ Updated fastapi from 0.136.3 to 0.139.0 (#63, #68, #72, #88)
  • โฌ†๏ธ Updated ipython development dependency from 9.14.1 to 9.15.0 (#86)
  • โฌ†๏ธ Updated pydantic-settings from 2.14.1 to 2.14.2 (#78)
  • โฌ†๏ธ Updated pytest test dependency from 9.0.3 to 9.1.1 (#66, #74)
  • โฌ†๏ธ Updated ruff development dependency from 0.15.16 to 0.15.20 (#61, #76, #91)
  • โฌ†๏ธ Updated sqlmodel from 0.0.38 to 0.0.39 (#82)

๐Ÿงน Miscellaneousโ€‹

  • ๐Ÿ’ฅ We will now use uv's 0.11.x series to build and install the server package, updating the minimum version from 0.10.9 in pyproject.toml and GitHub actions to 0.11.26
  • ๐Ÿง‘โ€๐Ÿ’ป Added additional safeguards and warnings when using debug mode (--debug)
  • ๐Ÿ”’๏ธ Changed point multiplication algorithm of Ristretto255 from double-and-add to Montgomery ladder
  • ๐Ÿ”จ Updated the configuration migration strategy used by excalibur config update