v0.6.0-beta.1

This is the first beta of prvt 0.6, which contains a lot of new features, including a preview of In-browser End-to-End Encryption!

Highlights:

• It's now possible to select a repo and unlock it using the web UI. The list of connections is stored in a config file.
• Preview: Experimental support for "In-browser end-to-end encryption", made possible by decrypting the data directly in the browser, using code from prvt compiled to WebAssembly. This feature is considered in preview and it does not support all the features of prvt: in particular, it offers read-only access to repositories for now. Read more about in-browser E2EE.
• The prvt add command now supports the --force flag that causes prvt to overwrite existing files at the same destination, if any. This is also available in the REST API.
• The index is now split in multiple chunks, and when changes are made to it, only the modified parts are uploaded. This should make uploads faster and use less data, especially on connections that are slower or with higher latency. Additionally, when adding multiple files, operations on the index are batched so the index is uploaded only once at the end, rather than after every file change.
• Repositories are now locked when accessed, so only one instance of prvt at a time can perform commands (with some exceptions). This is to improve consistency and reduce the risk of index corruption. Also added the command prvt repo lock-break for forcefully-remove locks (use this with caution).

Other new features:

• Parameters for key derivation with Argon2 have been improved, and they can now be set manually too when adding a key. This requires a new version of the info file (v5).
• GET /info endpoint returns information about whether a repo is selected or unlocked; the GET /repo/info route was merged into this one too.
• New POST /repo/close route that closes any open repository.
• New GET /rawfile endpoint that returns a file from storage as-is, without parsing or decryption. Added a POST /rawfile route as a companion, to store a file as-is.
• Many improvements to the web interface, including better support for when prvt is running in multiple tabs.
• Added routes in the server to manage the list of connections: saving and listing connections.
• The index file now stores each file's SHA-256 digest and the file size too.

Changes:

• Switched library for embedding static files in the binary from packr2 to pkger.
• Switched JS bundler from Rollup to Webpack, to have better control.

Fixes:

• Updated Go and JS dependencies.
• Other fixes and improvements.

v0.5.1

This update contains a few new features and fixes.

New features:

• prvt serve offers a new --read-only flag. When in read-only mode, operations that alter the repository are disabled.
• New prvt repo info command and GET /api/repo/info route that return information on the repository, such as its version and the number of files stored.

Changes:

• The index file is now cached for as long as the server is running, and it's not refreshed every 5 minutes anymore.
• The info modal for folders shows the number of files inside a folder.

Fixes:

• Photos and videos shown within the web UI that are in portrait mode now are displayed not taller than the viewport, so can be seen entirely without scrolling the page.
• /repo/keytest and /repo/unlock routes work with legacy info files v1 too again.
• Other code improvements, refactorings, and cleanups.

v0.5.0

prvt 0.5 is the largest update to date, with lots of new features and improvements! 🥳🎉

To recap the biggest changes since version 0.4:

New features:

• Redesigned user interface, with a leaner look.
• prvt's server now supports requests for partial content when returning files (i.e. supports HTTP Range requests). This means that it's now possible to skip ahead when downloading a video or audio file (as long as it's using a container/format that supports that, such as mp4 or mp3). It's also possible to pause and resume downloads, for example when using download managers.
• Inline file viewer: images, videos, audios, and text files are now displayed inline within the web UI's frame.
• In the web UI, clicking on the three dots next to a file now brings up a panel with details about the file. Additionally, the "Download" and "Delete" buttons have been moved to this panel.
• Using the web UI, it's now possible to select multiple files at once to upload them at the same time.
• The prvt serve command now supports two new flags for launching a server without selecting a repository (--no-repo), or without unlocking the selected repository (--no-unlock). These are useful when you want to select and unlock repositories using the REST APIs, although they're not used in the web UI (yet).
• Added API routes for almost all operations for a repository: selecting a repository, unlocking a repository, listing keys, adding and removing keys. The only operations that remain available exclusively in the CLI are initializing a new repository and upgrading repositories from older versions of prvt. However, these APIs are not (yet) used in the web UI.
• Added prvt ls command to return the list of files and folders in a repository, at a given path.
• Passphrases are now identified by their "hash" in prvt repo key * commands, which ensures that their IDs never change.

Changes:

• Enabled Continuous Integration with automated tests for prvt, both on Linux and Windows.
• prvt is now developed against Go 1.15, which is also used to generate all pre-compiled binaries.
• Updated info file (_info.json) to version 4, which adds an id field. This contains a random UUID that's used to identify a repository.
• File metadata has been updated to version 2, increasing the maximum size of the metadata to ~32KB and switched serialization to use the more efficient protobuf rather than JSON.
• The codebase underwent some refactoring to better support automated testing.
• Operations that involve accessing the cached index file (such as listing files in a directory, etc) are now faster, especially when there are lots of files, thanks to an optimized in-memory tree.
• GET /api/metadata/:object route how supports a path too in addition to the file's UUID.
• You cannot add the same passphrase or GPG key more than once anymore, using prvt repo key add or the equivalent REST API.
• Identifiers for GPG keys are normalized by using their last 64 bits only.
• When listing keys, prvt shows the user ID of a GPG key when that's available.
• Added GET /api/info route that shows information on the app (just like prvt version).
• When adding files, their paths and names are now normalized using the NFKC form.

Fixes:

• Fixed a number of Goroutine leaks when downloads were interrupted or when requesting partial ranges.
• (Potential) Security fix: when comparing password confirmation hashes, use constant-time compare functions. This had the potential to allow side-channel attacks, although those were not demonstrated in practice. We also believe the impact of those attacks would have been minimal.
• S3 FS: Fixed a bug that caused files being reported as existing when they did not exist in fact.
• Local FS: file writes are now done atomically to ensure consistency.
• Web UI: multiple fixes for Safari.
• Web UI: Added timeouts to network requests from the web UI to the APIs (but not for file uploads).
• CLI: Improved error reporting.
• Updated Go and JavaScript module dependencies.
• Many other (minor) fixes and improvements.

Compared to beta 6, this release contains a very large number of bug fixes, many of those identified thanks to having (finally) implemented automated tests using the CI. As part of this effort, some refactoring for the codebase was necessary, to enable developing automated tests.

v0.5.0-beta.6

This will be the latest beta in the 0.5 branch, which is now in a feature freeze! 🎉

This beta contains a lot of new features and improvements, all focused on the internals–although users will see their effects too. Additionally, it contains a couple of major bug fixes too.

New features:

• Added API routes for almost all operations for a repository: selecting a repository, unlocking a repository, listing keys, adding and removing keys. Essentially, the only operations that are now available in the CLI only are initializing a new repo and upgrading them. However, these APIs are not (yet) used in the web UI.
• The prvt serve command now supports two new flags for launching a server without selecting a repository (--no-repo), or without unlocking it (--no-unlock). These are useful when you want to select and unlock repositories using the REST APIs, although they're not used in the web UI (yet).
• Added prvt ls command to return the list of files and folder in a repository, at a given path.
• Passphrases are now identified by their "hash" in prvt repo key * commands, which ensures that their IDs never change.

Changes:

• Updated info file (_info.json) to version 4, which adds an id field. This contains a random UUID that's used to identify a repository.
• GET /api/metadata/:objec route how supports a path too in addition to a UUID.
• You cannot add the same passphrase or GPG key more than once using prvt repo key add or the equivalent REST API.
• Identifiers for GPG keys are normalized, by using their last 64 bits only.
• When listing keys, prvt shows the user ID of a GPG key when that's available.
• Added GET /api/info route that shows information on the app (just like prvt version).
• When adding files, their paths and names are now normalized using the NFKC form.

Fixes:

• Fixed a number of Goroutine leaks when downloads were interrupted or when requesting partial ranges.
• Fixed a bug that caused files on S3 being reported as existing when they did not exist in fact.
• Other minor fixes.

v0.5.0-beta.5

This release contains under-the-hood improvements and a bug fix.

Changes:

• File metadata has been updated to version 2, increasing the maximum size of the metadata to ~32KB and switched serialization to use the more efficient protobuf rather than JSON.

Fixes:

• Fixed a bug introduced in the earlier betas that caused crashes when the index file was empty.

v0.5.0-beta.4

This new beta for the 0.5 release is all about the UI!

New features:

• The web UI has a new look thanks to a redesigned header. The navbar now contains the full path of the folder or file you're looking at, and allows navigating up multiple levels.
• It's now possible to select multiple files at once to upload them at the same time.
• Inline file viewer: images, videos, audios, and text files are now displayed inline within the web UI's frame.

Fixes:

• Added timeouts to network requests from the web UI to the APIs (not for file upload)
• Fixed modals not looking correctly on Safari
• A bunch of other minor fixes in the web UI

v0.5.0-beta.3

This is the second public beta for the 0.5 branch (beta 1 was withdrawn because of an issue).

prvt 0.5 includes a major new feature: the web interface now supports requests for partial content! Please help us by testing this new feature and let us know if you encounter any issue, in particular if opening files fail. Note: the changes only impacted file retrievals, so there's no risk that your files get corrupted while storing them.

In addition to the changes from beta 2, here's what's new in this release:

New features:

• In the web UI, clicking on the three dots next to a file now brings up a panel with details about the file. The "Download" and "Delete" buttons have been moved to this panel too.
• UI improvements throughout the web app

Changes:

• Operations that involve accessing the cached index file (such as listing files in a directory, etc) are now faster, especially when there are lots of files. Whilst before each operation iterated through the list of files each time, it now uses an optimized in-memory tree for faster searches.

Fixes:

• Updated Go and JavaScript (UI) module dependencies

v0.5.0-beta.2

This beta is the first release in the 0.5 branch ^{see note}, and it includes a major new feature: prvt's web interface now supports requests for partial content!

Please help us by testing this new feature and let us know if you encounter any issue, in particular if opening files fail. Note: the changes only impacted file retrievals, so there's no risk that your files get corrupted while storing them.

New features:

• prvt's web interface now supports requests for partial content when returning files (i.e. supports HTTP Range requests). This means that it's now possible to skip ahead when downloading a video or audio file (as long as it's using a container/format that supports that, such as mp4 or mp3). It's also possible to pause and resume downloads, for example when using download managers.

Fixes:

• (Potential) Security fix: when comparing password confirmation hashes, use constant-time compare functions. This had the potential to allow side-channel attacks, although those were not demonstrated in practice. We also believe the impact of those attacks would have been minimal.
• Fix: some filesystems were potentially leaking stream descriptors.
• Updated Go and JavaScript (UI) module dependencies

Note: Technically, this is the second beta; the first one was short-lived and was retired within one hour because of a bug that should have been caught earlier.

v0.4.2

This release contains minor fixes and improvements.

Changes:

• Responding to HEAD requests for the /file/:fileId route, to enable various scenarios

Fixes:

• When releasing prvt, publish the UI too (will be very useful for Homebrew)

v0.4.1

This release contains some important bug fixes.

Fixes:

• Removed all timeouts on the web UI, which were causing operations on large files (reading or uploading) to file.
• Added a check for when browsers cancel a request to retrieve or upload a file, so we can stop reading or writing on the store too.
• Fixed an issue that caused a app in a hanging state to not terminate when sending SIGINT (CTRL+C).
• Better error reporting in the UI, when the list fails to be fetched.
• Do not encode the path separator when requesting a list of files from the API server.
• Other minor fixes.