Releases: Forceu/Gokapi
v2.2.2
Changelog
- Fixed broken end-to-end encryption - files were uploaded in plain-text since v2.2.0. Affected files were not displayed as unencrypted. If your file had the "encrypted" tag in the download view, it was fully end-to-end encrypted.
- Added option to add CIDR for trusted proxies (e.g. 10.0.0.0/24)
- Docker subnets are automatically configured as trusted proxies. If this is not secure for your environment, set GOKAPI_DISABLE_DOCKER_TRUSTED_PROXY to true.
- Fixed caching issues with previous version
Updating
Please make sure to read the release notes for v2.2.1 and v2.2.0, as they contain important changes!
Full Changelog: v2.2.1...v2.2.2
v2.2.1
Changelog
- Fixed File Requests not working, when GOKAPI_LENGTH_ID > 15 #353
- Better rate limiting for invalid logins or IDs
- Better IP parsing
- Fixed gokapi-cli flag parsing for --output-path
- Fixed multiple incorrect parameters in API documentation
Updating
If your reverse proxy does not connect from 127.0.0.1, add its IP address to the GOKAPI_TRUSTED_PROXIES environment variable (comma-separated if there are multiple).
If Gokapi is running behind Cloudflare, make sure to set the GOKAPI_USE_CLOUDFLARE environment variable to true.
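Why the trusted-proxy list (single IPs in v2.2.1, CIDR ranges in v2.2.2) matters for rate limiting and logging, as an added example that is not Gokapi's own code: a forwarded client address is believed only when the connection comes from a listed proxy. The function names, the use of the X-Forwarded-For header and the sample addresses are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"slices"
	"strings"
)

// parseTrusted reads comma-separated IPs and CIDRs; a bad entry is an error, never skipped.
func parseTrusted(list string) (out []netip.Prefix, err error) {
	for _, item := range strings.Split(list, ",") {
		item = strings.TrimSpace(item)
		if p, err := netip.ParsePrefix(item); err == nil {
			out = append(out, p.Masked())
		} else if a, err := netip.ParseAddr(item); err == nil {
			out = append(out, netip.PrefixFrom(a.Unmap(), a.Unmap().BitLen()))
		} else if item != "" {
			return nil, fmt.Errorf("invalid trusted proxy %q", item)
		}
	}
	return out, nil
}

func trusted(a netip.Addr, nets []netip.Prefix) bool {
	return slices.ContainsFunc(nets, func(p netip.Prefix) bool { return p.Contains(a) })
}

// clientIP starts at the TCP peer and reads X-Forwarded-For right to left (hypothetical helper).
func clientIP(remoteAddr, xff string, nets []netip.Prefix) string {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return remoteAddr
	}
	ip := ap.Addr().Unmap()
	hops := strings.Split(xff, ",")
	// A hop is believed only if the address that reported it is a trusted proxy.
	for i := len(hops) - 1; i >= 0 && trusted(ip, nets); i-- {
		next, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed or missing hop: keep the last verified address
		}
		ip = next.Unmap()
	}
	return ip.String()
}

func main() {
	nets, _ := parseTrusted("127.0.0.1, 10.0.0.0/24") // constructed sample list
	fmt.Println(clientIP("10.0.0.7:41234", "203.0.113.9, 198.51.100.4", nets))
}
```

With a range that is broader than the proxies actually in use, any host inside it can set the header and choose the address that rate limiting sees, which is the case GOKAPI_DISABLE_DOCKER_TRUSTED_PROXY exists for.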
Full Changelog: v2.2.0...v2.2.1
v2.2.0
We are proud to release v2.2.0, one of our biggest updates so far with 15,000 lines of code changed!
This update contains the File Request feature, where a user can now generate a URL that lets external parties upload files to the server, visible only to the requester.
Also a lot of UI elements have been updated to look more modern and a new status page has been created with the most important server stats.
Although there was a lot of testing, with so many changes it is possible that some bugs are included in this version. If you find any, please open an issue here on GitHub!
Changelog
- File Requests has been added, where you can request a file upload from other people
- Log Viewer has gotten a big overhaul and displays many other stats now
- It is now possible to use a custom favicon
- Short-lived tokens are used instead of user API keys to improve security
- Browser timezone is used instead of server timezone for UI
- Added env variable to set a minimum password length @masterbender
- Downloads can be made from the UI without increasing the download counter
- gokapi-cli now supports downloads
- Add deprecation alerts @spaghetti-coder
- Gokapi now checks if enough free space is available, and otherwise rejects a new upload
- A lot of UI improvements
- Many small fixes and improvements
Updating
By default, new users are not allowed to create file requests. If you want to have all your old users gain that permission, set the environment variable GOKAPI_GUEST_UPLOAD_BY_DEFAULT to true before updating your instance.
Breaking Changes
- DOCKER_NONROOT has been deprecated in favour of docker --user. See documentation on how to migrate
- API output for FileList has slightly changed
- Chunks must be at least 5MB in size, except the last chunk
- To delete logs, the user has to be an admin now
Full Changelog: v2.1.0...v2.2.0
v2.1.0
Changelog
- Added a CLI tool that supports e2e encrypted uploads and folder uploads, see documentation for installation and usage #280
- Upgraded to Go 1.25 which might result in better performance on some systems
- Added docker-compose file
- Fixed crash after uploading an e2e encrypted file, forcing the user to refresh the webpage before uploading a new file #283
- Fixed a bug where files with non-latin characters were not downloadable from AWS #302
- Fixed a bug where e2e encrypted files with non-latin characters had a corrupted filename after downloading #300
- Fixed bug where file was deleted after uploading through API if not supplying allowedDownloads or expiryDays in ChunkComplete #282
- Fixed error message when username was less than 4 characters long #268
- Fixed incorrect mouse pointer on share menu #275
- Parallel uploads are now disabled, due to browser limit of 6 connections with HTTP1.1
Full Changelog: v2.0.1...v2.1.0
v2.0.1
Changelog
- Fixed uploads failing for files with non-ASCII filenames #269
- Fixed API documentation for API call /chunk/complete
- Fixed rare edge case, where a file with a cancelled deletion was still deleted
- Filenames can now be base64-encoded in API call /chunk/complete
- Added docker-compose file @SemvdH
Upgrading
If you are upgrading from an older version than v2.0.0, please make sure to read the v2.0.0 upgrade notes first.
Full Changelog: v2.0.0...v2.0.1
v2.0.0
This release adds user management and granular permission control. Some breaking changes are introduced, please make sure to read the section Upgrading.
Security
This release fixes two XSS vulnerabilities (CVE-2025-48494 and CVE-2025-48495). The vulnerabilities let authorised users execute JavaScript with passive interaction - if you are using Gokapi as a single user, this does not impact you, otherwise we recommend updating your instance to v2.0.0.
Changelog
- Added support for multiple different users with granular permissions
- Added API endpoints to manage users
- Added API endpoint to delete logs, added more logging, added filtering and deletion of logs in UI
- Added feature to restore a deleted file from the UI (has to be restored within 5 seconds)
- Added API endpoint for restoring a file with a pending delete
- Added experimental hotlinking for videos with env var GOKAPI_ENABLE_HOTLINK_VIDEOS
- Added a share button for mobile users and a button to share a URL via email
- Improved the UI
- Changed GOKAPI_LENGTH_ID to be non-permanent, added GOKAPI_LENGTH_HOTLINK_ID to change hotlink ID length #251
- Changed hotlink URLs to be shorter (#253) @lenisko
- Changed headers for cache control to stop unwanted caching with Cloudflare #209
- Fixed email scope not being submitted #234, fix always being redirected after successful OIDC login
- Fixed DuplicateFile setting hotlink on wrong file object (#246)
- Fixed bug where picture files were not uploaded at all when encryption and cloud storage was active as well as SaveToLocal #247
- Many other fixes and minor improvements @nilicule
Upgrading
Upgrade path: Requires v1.9.6 as base, config.json must be writable
Upgrading when using OAuth2/OIDC authentication:
- A valid email must now be set for all users in the authentication backend
- Authentication is now only done by email and can be restricted by user groups
- Set the env variable GOKAPI_ADMIN_USER containing the email address of the super admin when upgrading
Upgrading when using Header authentication
- If restricting the users by username, make sure that you remove any wildcards (*) for usernames in the setup before upgrading.
- Set the env variable GOKAPI_ADMIN_USER containing the email address of the super admin when upgrading
Upgrading when using no authentication
- If you are restricting access with a proxy, make sure that you block the following urls:
  - /admin
  - /apiKeys
  - /changePassword
  - /e2eInfo
  - /e2eSetup
  - /logs
  - /uploadChunk
  - /uploadStatus
  - /users
Upgrading when using custom templates or static content
The previous way of replacing content has been removed and is now replaced with additive CSS and JS. If you want to change the layout (e.g. add your company logo or add/disable certain features), follow these steps:
- Create a new folder named custom where your executable is. When using Docker, mount a new folder to /app/custom/. Any file in this directory will be publicly available in the sub-URL /custom/.
- To have custom CSS included, create a file in the folder named custom.css. The CSS will be applied to all pages.
- To have custom JavaScript included, create the file public.js for all public pages and/or admin.js for all admin-related pages. Please note that the admin.js will be readable to all users.
- In order to prevent caching issues, you can version your files by creating the file version.txt with a version number.
- Restart the server. If the folders exist, the server will now add the local files.
Optional: If you require further changes or want to embed the changes permanently, you can clone the source code and then modify the templates in internal/webserver/web/templates. Afterwards run make to build a new binary with these changes.
Breaking Changes
Since v1.9 there have been a lot of changes to the API, please take note if you are using the API:
- A valid API key is now always required, API authentication by session is not possible anymore
- /chunk/complete and /files/duplicate now expect the parameters as header, instead of encoded url form
- Parameter apiKeyToModify has been renamed to targetKey for /auth/modify, /auth/delete and /auth/friendlyname
- If a user, api key or file is not found, but a plausible ID was submitted, error 404 instead of 400 is returned now
- Before v2.0, if a boolean parameter was required, it was always false if anything else than "true" was sent, now it raises an error if any other value than 1, t, true, 0, f, or false is supplied
- Some API calls might be restricted by user permissions now, consult the API documentation for more information
- API keys now have a public ID as well, which can also be used for /auth/modify, /auth/delete and /auth/friendlyname as targetKey instead of the private ID
- When uploading a file through the API, defaults of 14 days, max 1 download and no password will be used, unless the respective parameters were passed. In v1.9, the previous values were used.
💙 A huge thank you to all our users, bug reporters, and contributors who made this release possible!
Full Changelog: v1.9.6...v2.0.0
v2.0.0-beta2: Custom CSS/JS
To install this beta with docker, please use the gokapi:latest-dev tag.
Upgrading
This beta removes the feature from v1.x to use a template or static folder to replace the content of the webserver. This is now replaced with a feature to add custom CSS or JavaScript, which does not replace any code and should not break as easily on updates.
In addition to that, a better logging system has been introduced and some bugs from previous versions were fixed.
Changelog
- Added API endpoint to delete logs, added more logging, added filtering and deletion of logs in UI
- Fix email scope not being submitted #234, fix always being redirected after successful OIDC login
- Fixed sqlite bug for e2e reset
- Fix DuplicateFile setting hotlink on wrong file object (#246)
- Fixed bug that prevented setting Manage_Users API permission on new API key
- Enable experimental hotlinking for videos with env var GOKAPI_ENABLE_HOTLINK_VIDEOS
- Fix bug where picture files were not uploaded at all when encryption and cloud storage was active as well as SaveToLocal #247
- Fix that an empty line was inserted before <!doctype html>
- Make GOKAPI_LENGTH_ID non-permanent, add GOKAPI_LENGTH_HOTLINK_ID to change hotlink ID length #251
- Hotlink URLs are now shorter (#253) @lenisko
- Allow file deletion without refreshing the page (#255)
- Other minor fixes and improvements @nilicule
Breaking changes
Upgrading when using custom templates or static content
If you want to change the layout (e.g. add your company logo or add/disable certain features), follow these steps:
- Create a new folder named custom where your executable is. When using Docker, mount a new folder to /app/custom/. Any file in this directory will be publicly available in the sub-URL /custom/.
- To have custom CSS included, create a file in the folder named custom.css. The CSS will be applied to all pages.
- To have custom JavaScript included, create the file public.js for all public pages and/or admin.js for all admin-related pages. Please note that the admin.js will be readable to all users.
- In order to prevent caching issues, you can version your files by creating the file version.txt with a version number.
- Restart the server. If the folders exist, the server will now add the local files.
Optional: If you require further changes or want to embed the changes permanently, you can clone the source code and then modify the templates in internal/webserver/web/templates. Afterwards run make to build a new binary with these changes.
v2.0.0-beta1: Multi-User Support
We are happy to announce that we have implemented multi-user support (along with some other features) and need your help to test it for bugs before release!
To install this beta with docker, please use the gokapi:latest-dev tag.
Upgrading
Upgrading when using OAuth2/OIDC authentication:
- A valid email must now be set for all users in the authentication backend
- Authentication is now only done by email and can be restricted by user groups
- Make sure that the env variable GOKAPI_ADMIN_USER is set when upgrading and contains the email of the super admin
Upgrading when using Header authentication:
- If restricting the users by username, make sure that you remove any wildcards (*) for usernames in the setup before upgrading.
- Make sure that the env variable GOKAPI_ADMIN_USER is set when upgrading and contains the username of the super admin (must be the same as passed in the header)
Upgrading when using no authentication:
- If you are restricting access with a proxy, make sure that you block the following urls:
  - /admin
  - /apiKeys
  - /changePassword
  - /e2eInfo
  - /e2eSetup
  - /logs
  - /uploadChunk
  - /uploadStatus
  - /users
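A way to confirm that a proxy really refuses every path in the list above (the same list appears in the v2.0.0 notes), as an added example that is not part of Gokapi: it requests each path through the proxy and reports the ones that were not refused. The function names, the rule that a blocked path answers 401, 403 or 404, and the simulated proxy are assumptions of this illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// adminPaths is the list from the upgrade notes for instances without authentication.
var adminPaths = []string{"/admin", "/apiKeys", "/changePassword", "/e2eInfo",
	"/e2eSetup", "/logs", "/uploadChunk", "/uploadStatus", "/users"}

// exposedPaths requests every path through the proxy at base and returns those
// that were not refused. Assumption: a blocking proxy answers 401, 403 or 404.
func exposedPaths(base string) ([]string, error) {
	client := &http.Client{Timeout: 5 * time.Second}
	var exposed []string
	for _, p := range adminPaths {
		resp, err := client.Get(base + p)
		if err != nil {
			return nil, fmt.Errorf("request %s: %w", p, err)
		}
		resp.Body.Close()
		switch resp.StatusCode {
		case http.StatusUnauthorized, http.StatusForbidden, http.StatusNotFound:
			// refused at the proxy, as the notes require
		default:
			exposed = append(exposed, p)
		}
	}
	return exposed, nil
}

// simulatedProxy is a constructed stand-in for a reverse proxy whose deny rule
// forgot /logs and /users; pass the public URL of your own instance instead.
func simulatedProxy() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/logs" && r.URL.Path != "/users" {
			w.WriteHeader(http.StatusForbidden)
		}
	}))
}

func main() {
	srv := simulatedProxy()
	defer srv.Close()
	fmt.Println(exposedPaths(srv.URL))
}
```

Run it from outside the proxy, against the public address, so the result reflects what an unauthenticated visitor can reach.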
Breaking changes
Since v1.9 there have been a lot of changes to the API, please take note if you are using the API:
- A valid API key is now always required, API authentication by session is not possible anymore
- /chunk/complete and /files/duplicate now expect the parameters as header, instead of encoded url form
- Parameter apiKeyToModify has been renamed to targetKey for /auth/modify, /auth/delete and /auth/friendlyname
- If a user, api key or file is not found, but a plausible ID was submitted, error 404 instead of 400 is returned now
- Before v2.0, if a boolean parameter was required, it was always false if anything else than "true" was sent, now it raises an error if any other value than 1, t, true, 0, f, or false is supplied
- Some API calls might be restricted by user permissions now, consult the API documentation for more information
- API keys now have a public ID as well, which can also be used for /auth/modify, /auth/delete and /auth/friendlyname as targetKey instead of the private ID
- When uploading a file through the API, defaults of 14 days, max 1 download and no password will be used, unless the respective parameters were passed. In v1.9, the previous values were used.
v1.9.6
Changelog
- Add API call and GUI option to replace content of files (can be disabled with the env variable GOKAPI_DISABLE_REPLACE) #128
- Display error if encrypted download fails due to invalid SSL or CORS
- Better error handling for AWS setup check
- Fixed upload defaults being deleted when resetting e2e key
- Update download count in real time #206
- Fixed race condition that could lead to crash
- Change download count atomically to prevent race condition
- Renamed "Access Restriction" to indicate that authentication is disabled
- Make upload non blocking (#224), to prevent timeouts after uploading large files
- Added API call /files/list/{id}
- Better handling for E2E errors
- Other minor changes
Breaking Changes
- API: API now returns 404 on invalid file IDs
Full Changelog: v1.9.5...v1.9.6