@sync-in/server 1.5.1 → 1.6.0

package/CHANGELOG.md

@@ -1,4 +1,31 @@
 
+## [1.6.0](https://github.com/Sync-in/server/compare/v1.5.2...v1.6.0) (2025-09-26)
+
+🔥🚀 Support for Multi-Factor Authentication (MFA) & App Passwords
+
+### Features
+
+* **feat: mfa and app passwords** ([5ed579f](https://github.com/Sync-in/server/commit/5ed579fd31dcf51770abe52f385b4ed306a22bd8) [431a988](https://github.com/Sync-in/server/commit/431a988c6d0b88711b50b642bd440c42f80283ce) [43a8b10](https://github.com/Sync-in/server/commit/43a8b10eb8869eafd3014cdad034c2b093237edf) [91eda5c](https://github.com/Sync-in/server/commit/91eda5cbc396da3bd6cfddf5e1e4001466327575))
+* **backend:sync:** handle 2FA during client registration ([b0aadde](https://github.com/Sync-in/server/commit/b0aadde6323ffc9a61f43ea424b7cff8922f718d))
+* **backend:auth:** add support for AD-specific LDAP attributes ([1b6a8fc](https://github.com/Sync-in/server/commit/1b6a8fc139db54a71a4aaa5cba7715d349ffef0f))
+* **backend:infrastructure:** allow configuration of ignoreTLS and rejectUnauthorized for SMTP transport ([c1b3f5a](https://github.com/Sync-in/server/commit/c1b3f5a810e2cdc6977b48022f491e602b70ee9f))
+* **backend:notifications:** add email notifications for two-factor authentication security events ([b207f33](https://github.com/Sync-in/server/commit/b207f336c2dc75deec7992975b7aa1376289ee42))
+* **backend:notifications:** include link password in sent emails ([1a3ed0a](https://github.com/Sync-in/server/commit/1a3ed0a7624c16986ced259d8e272eaa2872c8a8))
+* **backend:users:** add email notifications when account is locked ([954bb10](https://github.com/Sync-in/server/commit/954bb1061e6399768aad13d9822491975a843b9b))
+
+
+### Bug Fixes
+
+* **backend:auth:** improve handling of sql errors ([f4b78fa](https://github.com/Sync-in/server/commit/f4b78fa2779d2fea01d7dd554d861cb6272b594e))
+* **backend:users:** ensure default value for user secrets when null ([090eb6e](https://github.com/Sync-in/server/commit/090eb6e61f4973522f201879e611b744aa0677e8))
+
+## [1.5.2](https://github.com/Sync-in/server/compare/v1.5.1...v1.5.2) (2025-09-09)
+
+
+### Bug Fixes
+
+* crash on non-AVX CPUs with musl: @napi-rs/canvas >=0.1.7.8 triggers "Illegal Instruction" when AVX is not supported ([de2f983](https://github.com/Sync-in/server/commit/de2f98348395fa7e711c52c30d1e1d59579282d3))
+
 ## [1.5.1](https://github.com/Sync-in/server/compare/v1.5.0...v1.5.1) (2025-09-07)
 
 

package/README.md

@@ -41,6 +41,7 @@ Sync-in fits seamlessly into any environment — from small teams to large enter
 - 🔒 Security & Data Ownership
   - Full control over data security and compliance
   - Designed to protect sensitive documents and prevent unauthorized access
+  - **Multi-Factor Authentication (MFA)**: TOTP (authenticator apps), recovery codes, app passwords
 - 🔑 Advanced User Access Control
   - **Spaces & Shares**: Organize files with fine-grained access permissions
   - Role-based permission system ensuring secure file management

package/environment/environment.dist.min.yaml

@@ -1,6 +1,7 @@
 mysql:
   url: mysql://user:MySQLRootPassword@localhost:3306/database
 auth:
+  encryptionKey: changeEncryptionKeyWithStrongKey
   token:
     access:
       secret: changeAccessWithStrongSecret

package/environment/environment.dist.yaml

@@ -1,97 +1,155 @@
 server:
-  # default host : 0.0.0.0
+  # default host : `0.0.0.0`
   host: 0.0.0.0
-  # default port : 8080
+  # default port : `8080`
   port: 8080
-  # workers: auto (use all cpus) | number
+  # workers: `auto` (use all cpus) | number
   # regardless of the value, starts with at least 2 workers, 1 worker is dedicated to scheduled tasks
-  workers: 4
-  # trust proxy: true | false | 127.0.0.1,192.168.1.1/24
-  trustProxy: false
-  # restartOnFailure : automatically restart workers if they are killed or die
+  workers: 2
+  # trust proxy: number (trust the nth hop from the front-facing proxy server as the client) | `true` | `false` | `127.0.0.1,192.168.1.1/24`
+  # default: 1
+  trustProxy: 1
+  # restartOnFailure: automatically restart workers if they are killed or die
+  # default: `true`
   restartOnFailure: true
 logger:
-  # level: trace | debug | info | warn | error | fatal
+  # level: `trace` | `debug` | `info` | `warn` | `error` | `fatal`
+  # default: `info`
   level: info
-  # stdout : if false logs are written to the run directory (default: true)
+  # stdout: if false logs are written to the run directory
+  # default: `true`
   stdout: true
   # colorize output
+  # default: `true`
   colorize: true
   # path to the log file used when stdout is set to false
   filePath:
 mysql:
+  # required
   url: mysql://user:MySQLRootPassword@localhost:3306/database
+  # default: `false`
   logQueries: false
 cache:
-  # adapter: mysql (default) | redis (requires optional dependency: redis)
+  # adapter: `mysql` | `redis`
+  # default: `mysql`
   adapter: mysql
-  # default ttl in seconds
+  # ttl in seconds
+  # default: `60`
   ttl: 60
   # redis adapter url
+  # default: `redis://127.0.0.1:6379`
   redis: redis://127.0.0.1:6379
 websocket:
-  # adapter: cluster (Node.js Workers: default) | redis (requires optional dependency: @socket.io/redis-adapter)
+  # adapter: `cluster` (Node.js Workers: default) | `redis`
+  # default: `cluster`
   adapter: cluster
   # cors origin allowed
+  # default: `*`
   corsOrigin: '*'
   # redis adapter url
+  # default: `redis://127.0.0.1:6379`
   redis: redis://127.0.0.1:6379
 mail:
   host: smtp.server.com
-  port: 587
+  # default: `25`
+  port: 25
+  # default: `Sync-in<notification@sync-in.com>`
   sender: 'Sync-in<notification@sync-in.com>'
+  # optional
   auth:
     user: user
     pass: password
   # secure: defines if the connection should use SSL (if true) or not (if false)
+  # note: setting `secure: false` does not necessarily mean messages are sent in plaintext
+  # if the server supports STARTTLS, the connection is usually upgraded to TLS automatically
+  # default: `false`
   secure: false
+  # ignoreTLS: if true, disables the use of STARTTLS even if the server advertises it
+  # default: false
+  ignoreTLS: false
+  # rejectUnauthorized: reject the connection if the server's TLS certificate is invalid
+  # default: false
+  rejectUnauthorized: false
   # enable logger
+  # default: `false`
   logger: false
   # set log level to debug
+  # default: `false`
   debug: false
 auth:
-  # adapter : mysql (default) | ldap
+  # adapter : `mysql` | `ldap`
+  # default: `mysql`
   method: mysql
-  # sameSite (cookie settings) : lax | strict
-  sameSite: strict
+  # key used to encrypt user secret keys in the database
+  # optional, but strongly recommended
+  # warning: do not change or remove the encryption key after MFA activation, or the codes will become invalid
+  encryptionKey: changeEncryptionKeyWithStrongKey
+  # multifactor authentication
+  mfa:
+    # totp configuration
+    totp:
+      # enable TOTP authentication
+      # default: true
+      enabled: true
+      # name displayed in the authentication app (FreeOTP, Proton Authenticator, Aegis Authenticator etc.)
+      # default: Sync-in
+      issuer: Sync-in
+  # cookie sameSite setting: `lax` | `strict`
+  # default: `strict`
+  cookieSameSite: strict
   token:
     access:
-      name: sync-in-access
-      # used for token & cookie signatures
+      # used for token and cookie signatures
+      # required
       secret: changeAccessWithStrongSecret
+      # token expiration = cookie maxAge
+      # default: `30m`
       expiration: 30m
-      cookieMaxAge: 30m
     refresh:
-      name: sync-in-refresh
-      # used for token & cookie signatures
+      # used for token and cookie signatures
+      # required
       secret: changeRefreshWithStrongSecret
+      # token expiration = cookie maxAge
+      # default: `4h`
       expiration: 4h
-      cookieMaxAge: 4h
   ldap:
     # e.g: [ldap://localhost:389, ldaps://localhost:636] (array required)
     servers: []
-    # baseDN: distinguished name, e.g: (ou=people,dc=ldap,dc=sync-in,dc=com)
+    # baseDN: distinguished name ( e.g.ou=people,dc=ldap,dc=sync-in,dc=com)
     baseDN:
     # filter, e.g: (acl=admin)
     filter:
-    # login attribute: uid (default) or mail
-    loginAttribute:
+    attributes:
+      # login attribute (e.g. `uid` | `sAMAccountName` | `userPrincipalName`)
+      # default: `uid`
+      login: uid
+      # email attribute: `mail` or `email`
+      # default: `mail`
+      email: mail
 applications:
   files:
+    # required
     dataPath: /home/sync-in
-    # Default to 5 GB if not specified
+    # default: 5368709120 (5 GB)
     maxUploadSize: 5368709120
-    # Show files starting with a dot in the file explorer (default: false)
+    # Show files starting with a dot in the file explorer
+    # default: false
     showHiddenFiles: false
     onlyoffice:
+      # enable onlyoffice integration
+      # default: false
       enabled: false
-      # for an external server (e.g: https://onlyoffice.domain.com), remember the url must be accessible from browser !
+      # for an external server (e.g., https://onlyoffice.domain.com), remember the url must be accessible from browser !
       # if externalServer is empty (case of official docker compose), we use the local instance
+      # default: null
       externalServer:
       # secret used for jwt tokens, it must be the same on the onlyoffice server
+      # required
       secret: onlyOfficeSecret
-      # if you use https, set to true
+      # if you use https, set to `true`
+      # default: `false`
       verifySSL: false
   appStore:
-    # repository: public (default) | local
+    # repository: `public` | `local`
+    # default: `public`
     repository: public

package/migrations/0002_sleepy_korath.sql

@@ -0,0 +1 @@
+ALTER TABLE `users` ADD `secrets` json;