Crossview 3.5.0 Release Announcement

[MoeidHeidari]

Release v3.5.0

We’re excited to announce v3.5.0 of our project! This release introduces flexible authentication options, database-optional setups, enhanced CI pipelines, and several improvements to our frontend and Helm chart configurations.

New Features

Authentication Modes

You can now choose the authentication mode that fits your environment:

• session (existing): Username/password or SSO; identity stored in session (PostgreSQL).
• header: Trust identity from an HTTP header set by an upstream proxy (e.g., OAuth2 Proxy, Ingress auth). No login form or database required.
• none: No authentication (development or trusted networks). All requests are anonymous; no database required.

Header auth configuration:

• server.auth.mode (or AUTH_MODE): session | header | none
• server.auth.header.trustedHeader (default: X-Auth-User)
• server.auth.header.createUsers (default: true)
• server.auth.header.defaultRole (default: viewer)

When using header or none, the app will skip database connections, migrations, and pings. The UserRepository is nil-safe when no database is configured.

Helm Chart

• Configure authentication with config.server.auth and config.server.auth.header.* in values.
• ConfigMap and Deployment now pass AUTH_MODE, AUTH_TRUSTED_HEADER, AUTH_CREATE_USERS, AUTH_DEFAULT_ROLE.
• Default auth mode is none.
• Header auth example supports database.enabled: false.

Frontend Updates

• /api/auth/check now returns authMode.
• UI hides logout button in header/none and hides User Management when not in session mode.

CI Pipeline

• Runs on pull requests and pushes to main (with path filters).
• Jobs: Frontend Lint, Frontend Build, Go Vet, Go Build, Go Tests.
• Concurrency cancels in-progress runs for the same PR or branch.

---

⚡ Changes & Improvements

• Session middleware is only active in session mode.
• Single AuthMiddleware now handles session, header, or none.
• RequireAdmin resolves userId from context first, then session; returns Forbidden when userId = 0.
• Auth controller Check supports header and none modes, returning synthetic users and auth mode info.
• Documentation updated for authentication modes, DB requirements, Helm deployment, and security guidance.

---

🔒 Security Notes

• Header mode should only be used behind a trusted proxy that sets the identity header. Exposing it directly is insecure.
• None mode is intended for development or trusted environments only.

---

For detailed configuration examples and usage, see our updated docs and examples:

• config/examples/config-header.yaml.example
• config/examples/config-none.yaml.example
• config/examples/config-session.yaml.example
• config/examples/config-session-sso.yaml.example

---

This release includes 423 commits since the previous version. Thank you to everyone who contributed!