Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 27 additions & 7 deletions docs/migrate-to-3.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@
with [`migrate-config`](#migrating-your-config).
- If you set list or map environment variables, their syntax changed, see
[List and map syntax](#list-and-map-syntax).
- API tokens are no longer returned in the GET endpoints and are only exposed
on creation or rotation. See [Tokens are only shown once](#tokens-are-only-shown-once).
- If you have scripts hitting client-token endpoints, they may now need
[elevation](#adapting-your-scripts).

Expand Down Expand Up @@ -78,34 +80,52 @@ GOTIFY_SERVER_RESPONSEHEADERS={"X-Custom-Header":"custom value"}

## API Changes

### Tokens are only shown once

As part of an effort to align with secure API design principles,
tokens will no longer be returned via the API or WebUI except when the token is issued via creation or rotation.
Workflows dependent on introspecting existing clients or applications for their token will stop working.

::: tip
The post message endpoint now accepts an "appid" parameter, which allows clients
to impersonate applications they control without knowing the corresponding application token.
:::

Tokens for existing applications can now be rotated via the _application security update_ endpoint.

Existing tokens (starting with `A` and `C`) will continue to work.
Plugin tokens (starting with `P`) used to access web resources are not affected by this change.

### Step-up Authentication

Introduces step-up authentication via time-limited [session
elevation](./session-elevation.md). A session/client token must re-authenticate
before sensitive, hard-to-undo actions.

HTTP Basic auth and application tokens are unaffected.

### Endpoints that now require elevation

With a non-elevated client token these return `403`:

| Endpoint | Action |
| :-------------------------------------------- | :----------------------------- |
| `POST /current/user/password` | Change current user's password |
| `DELETE /client/{id}` | Delete a client |
| `DELETE /application/{id}` | Delete an application |
| `PUT /application/{id}/security` | Application security update |
| `POST /client/{id}/elevate` | Elevate a client token |
| `GET /user`, `GET`/`POST`/`DELETE /user/{id}` | Manage users (admin) |

The `Client` and `CurrentUser` models have gotten elevation-related fields. See the
[API documentation](/api-docs) for details.

### Adapting your scripts
::: tip

To update your workflow that uses the endpoints above with a client token. Perform a separate elevation process before the call. Either:

Scripts that hit the endpoints above with a client token now need that token to
be elevated. Either:
- Transitition to use HTTP Basic auth as they are elevated by default.
- Elevate the client in the WebUI or the api with basic auth before calling these APIs.

- Use HTTP Basic auth as they are elevated by default.
- Elevate the client in the WebUI or the api with basic auth.
:::

## CLI Changes

Expand Down