NeoNeko/Arcane-Status
2
1
Fork 0
Code Issues Pull requests Projects Releases 4 Packages Wiki Activity Actions
4 releases 4 tags
  • 0.6.1 3999b53a49

    0.6.1 (Beta) Pre-release

    Rinanyae released this 2026-06-10 19:47:34 +00:00 | 0 commits to main since this release

    Arcane Status v0.6.1

    This release focuses primarily on security improvements and account protection.

    Improved Login Security

    Authentication protections have been strengthened to better defend against brute-force attacks.

    What changed

    • Locked accounts can no longer be accessed, even with the correct password.
    • IP-based rate limiting is now more secure by default.
    • Client IP addresses can no longer be spoofed through X-Forwarded-For headers unless a reverse proxy is explicitly configured.

    These changes help prevent attackers from bypassing account lockouts or avoiding login rate limits.

    Stronger Session Security

    Password changes now provide better protection for existing sessions.

    What changed

    • Changing a password now invalidates previously issued login tokens.
    • Users that have been deleted or deactivated can no longer continue using existing tokens.
    • When changing your password, your current session is automatically refreshed so you stay signed in.

    This improves account security while avoiding unnecessary logouts for the user performing the password change.

    More Secure Initial Setup

    The setup process has been hardened to prevent rare race conditions during installation.

    What changed

    • Admin account creation during setup is now performed safely inside a transaction.
    • This prevents multiple administrators from accidentally being created at the same time during initial setup.

    Encryption Configuration Warnings

    Arcane Status now performs additional checks during startup.

    What changed

    • A warning is displayed if ENCRYPTION_KEY has not been configured.
    • A warning is also shown if ENCRYPTION_KEY is the same as JWT_SECRET.

    Using separate values for these settings is strongly recommended for better security.

    Summary

    Arcane Status v0.6.1 is a security-focused release that improves:

    • Account lockout protection
    • Login rate limiting
    • Session invalidation after password changes
    • Protection against deleted or disabled account access
    • Setup reliability
    • Encryption configuration awareness

    No user-facing changes have been introduced in this release.

    Downloads
  • 0.6.0 04db7e9f63

    0.6.0 (Beta) Pre-release

    Rinanyae released this 2026-06-10 06:24:19 +00:00 | 3 commits to main since this release

    Arcane Status v0.6.0

    This is a big release with new notification options, better maintenance windows, SSL certificate monitoring, audit logs, public incident feeds, and improved background worker support.

    Note: v0.5.0 was skipped, so this release goes straight to v0.6.0.
    Note: with v0.6.0 makes Arcane Status a beta, we will now only add a few smaller features and our main focus will be on bug fixes and polishing Arcane Status for 1.0.

    New: Webhook Notifications

    Admins can now add webhook endpoints to receive automatic notifications when important events happen.

    Webhooks are sent for:

    • Endpoint status changes
    • Incident creation and updates
    • Incident resolution
    • Maintenance window start and end events

    Webhook notifications now include:

    • Signed JSON payloads using HMAC
    • Retry handling for failed deliveries
    • Safer verification for receiving systems

    This makes it easier to connect Arcane Status with external tools, custom automations, chat systems, and internal dashboards.

    New: SSL/TLS Certificate Monitoring

    Arcane Status can now monitor SSL/TLS certificate health for HTTPS endpoints.

    This helps detect certificates that are:

    • Valid
    • Expiring soon
    • Expired
    • Recovered after renewal

    Admins can now:

    • Enable or disable SSL checks per endpoint
    • Set the warning window in days
    • View SSL status in the admin endpoint list
    • Open detailed SSL information for an endpoint

    The public status page now also shows certificate status, including whether a certificate is valid, expiring, or expired.

    SSL alerts are supported through:

    • Email notifications
    • Discord webhooks

    Certificate checks run automatically every 6 hours.

    New: Improved Maintenance Windows

    Maintenance windows received a major upgrade.

    What’s new

    • Maintenance descriptions now support Markdown
    • Line breaks are preserved
    • Admins can preview descriptions before publishing
    • Maintenance windows can now affect multiple services
    • Existing maintenance windows can now be edited
    • Public maintenance notices can be dismissed and remembered

    Maintenance statuses

    Maintenance windows now move through a full lifecycle:

    • Scheduled
    • In progress
    • Completed
    • Cancelled

    Admins can also:

    • Start maintenance immediately
    • End maintenance immediately
    • Cancel maintenance

    Recurring maintenance is now supported for:

    • Daily schedules
    • Weekly schedules
    • Monthly schedules

    Maintenance start and end events can also trigger webhooks automatically.

    New: Audit Log

    Arcane Status now records important admin and system actions in a dedicated audit log.

    Tracked activity includes:

    • Endpoint changes
    • Incident changes
    • Maintenance changes
    • Category changes
    • User changes
    • API key changes
    • Settings changes
    • Authentication events

    Admins can view the audit log from a new tab in the admin dashboard.

    The audit log supports:

    • Filtering by resource type
    • Filtering by user
    • Filtering by action
    • Search
    • Pagination
    • Expandable event details

    Audit log entries are automatically cleaned up after 365 days.

    New: Public Atom Feed for Incidents

    Arcane Status now provides a public Atom feed for recent incidents.

    Available feed URLs:

    • /api/v1/feed.xml
    • /feed.atom

    The feed includes the 50 most recent incidents with:

    • Incident severity
    • Incident status
    • Affected services
    • Latest update

    The public status page now includes:

    • Feed autodiscovery
    • A subscribe icon

    This makes it easier for users to follow incident updates from feed readers and other tools.

    New: Separate Background Worker Support

    Background jobs can now run separately from the main web server.

    This includes:

    • Monitoring checks
    • Notification delivery
    • Realtime event publishing

    Arcane Status can still run workers inside the main process, but larger installs can now run them as a separate worker process.

    This improves flexibility for deployments where the web server and background jobs need to be scaled or managed separately.

    New worker-related options

    • RUN_WORKERS
    • WORKER_SECRET
    • API_INTERNAL_URL

    SQLite handling was also improved with WAL mode and a busy timeout, helping the API and worker share the same database more safely.

    Fixed

    Incident Page Crash

    Fixed an issue where the incident page could crash when the endpoints API returned data in an unexpected object format.

    Admin Notes

    Before upgrading, admins should review the new configuration options if they plan to use separate workers.

    Recommended checks:

    • Confirm webhook secrets are configured where needed
    • Review SSL monitoring settings per endpoint
    • Check maintenance windows after upgrade
    • Review worker settings if using a separate worker process
    • Confirm notification delivery is working as expected

    Summary

    Arcane Status v0.6.0 is a major release focused on:

    • More notification options
    • Better maintenance management
    • SSL certificate visibility
    • Stronger admin accountability
    • Easier public incident subscriptions
    • More flexible deployment options
    • Improved reliability for larger setups
    Downloads
  • 0.4.2 16bc2ab81b

    0.4.2 (Alpha) Pre-release

    Rinanyae released this 2026-05-20 15:37:20 +00:00 | 11 commits to main since this release

    Arcane Status v0.4.2

    Security & Reliability Improvements

    Safer URL Monitoring

    Fixed an issue where monitored websites could redirect checks to private or internal network addresses. In rare cases, this could have allowed requests to reach internal systems or cloud metadata services.

    What changed

    • Redirects are no longer automatically followed during monitor checks.
    • Redirect responses are still treated as healthy when appropriate, keeping previous behavior consistent.

    Better Protection Against DNS Redirect Abuse

    Previously, website addresses were only validated when a monitor was created or updated. If the DNS record later changed to point somewhere private or internal, Arcane Status could still attempt the request.

    What changed

    • Endpoint validation now runs on every check.
    • DNS records are re-verified before each request.
    • Unsafe or invalid destinations are automatically blocked and marked as down with a clear reason.

    Improved Authentication Security

    Arcane Status previously generated a temporary JWT_SECRET automatically if one was missing. This caused all login sessions to become invalid after every restart and could also break encrypted SMTP credentials without making the issue obvious.

    What changed

    • Arcane Status now refuses to start if JWT_SECRET is missing.
    • Encryption and decryption failures now produce proper errors instead of silently failing.
    • SMTP credential issues are now much easier to diagnose.

    Reduced Risk of Email Address Discovery

    Some authentication flows responded differently depending on whether an email address existed in the system. This timing difference could potentially be used to discover valid accounts.

    What changed

    • Login responses now take a consistent amount of time whether the email exists or not.
    • Profile update errors no longer reveal whether another account is using a specific email address.

    SMTP Test Endpoint Restrictions

    The SMTP test feature previously allowed admins to send test emails to any address using the configured mail server.

    What changed

    • Test emails can now only be sent to the email address of the currently logged-in admin.
    • This keeps the feature focused on verifying mail configuration instead of acting like a mail relay.

    Summary

    This release focuses on:

    • Stronger security protections
    • Safer monitoring behavior
    • More reliable authentication handling
    • Clearer configuration errors

    Important: Administrators must ensure JWT_SECRET is configured before upgrading to this version.

    Downloads
  • 0.4.1 9c36fa4583

    0.4.1 (Alpha) Pre-release

    Rinanyae released this 2026-05-05 17:11:55 +00:00 | 17 commits to main since this release

    This release is an Alpha, there will be bugs and missing features. Please report any issues.

    First initial release.

    Downloads