Hi there!
Another month has passed, and it’s time to recap the updates that have landed in the Vernissage codebase. I’m thrilled to report that the changelog is quite extensive - and some of the changes are particularly exciting, as they open up new ways to interact with the API. Let’s dive in!
OAuth 2.0 Dynamic Client Registration Protocol (RFC7591)
A new controller and endpoint have been added, allowing dynamic registration of new (public) OAuth clients on demand. This endpoint implements the standard described in RFC7591.
You can find more information about how this endpoint works, its parameters, and usage examples in the documentation.
OAuth 2.0 Authorization Framework (RFC6749)
Another important implementation is the OAuth 2.0 Authorization Framework, also known as RFC6749. With a new controller and endpoints in place, third-party clients can now request user authorization to access their data.
Why is this such a big deal? It means native mobile apps for Vernissage are now entirely possible - and as we all know, native apps typically outperform web or PWA-based alternatives. You can read more about the authorization flow here.
CAPTCHA Implementation
Opening registration to the public requires protection against bots and automated sign-ups. While I’ve used Google reCAPTCHA in past projects, I didn’t want to go down that path here. Privacy matters, and I know many users are uncomfortable with third-party tracking.
After searching for alternatives that would work well in a Vapor/Angular setup - and finding none that met my needs - I created a very simple in-house CAPTCHA solution. It’s lightweight but should be effective for now. In the future, I may add an option to have the code read aloud to improve accessibility for visually impaired users.
Temporary Account Lockout
To further improve security, Vernissage now monitors failed login attempts. If too many incorrect passwords are entered in a short time, the account will be temporarily locked (for a maximum of 5 minutes). This measure helps protect against brute-force attacks and password guessing.
It’s also worth noting that all of the above features are covered by numerous unit tests to help catch regressions early. We’re now approaching a total of 900 unit tests!
Smaller Updates
- Keyboard shortcuts - You can now navigate pages and tabs using just your keyboard. The full list of shortcuts is available here.
- Retry logic for queues - Most background queues now support automatic retry logic. This helps recover from temporary failures, such as when a photo upload to a remote instance is interrupted.
- User profile photo counter - Fixes were made to improve the accuracy of photo counts on user profiles.
- Boost notifications - Notifications for boosts from remote accounts are now displayed properly (they were previously missing).
- Content Warning improvements - Better readability for content warnings (CW), especially over light photos.
- Exif improvements - Improvements to how photo metadata is parsed, including creation date and software used.
- Gallery photo count - You can now choose to display the number of photos in each post directly in the timeline (thanks to: @michael).
- Auto-scroll photos - A new preference allows you to toggle automatic photo scrolling on and off (thanks to: @michael).
- Homepage timeline config - Admins can now choose whether the default homepage timeline (before login) should show local or featured content (thanks to: @michael).
- and more…
As you can see, it’s been a productive month! I hope the next one will be just as fruitful. There are still plenty of issues and feature requests waiting for attention on GitHub - keep them coming!
Lastly, a heartfelt thank you to everyone who supports this project. Vernissage wouldn’t exist without your help. If you enjoy what I’m building, please consider supporting me on Patreon. Your contributions help keep the infrastructure behind vernissage.photos running smoothly. And don’t forget to support the admin of your local Vernissage instance - I know there are a few already live, which makes me very happy.