[MIRROR ONLY] A correct and efficient ATProto blob proxy for secure content delivery. codeberg.org/Blooym/porxie

docs: changelog

Lyna 35b347a2 079d2dd1

+22 -16
+18 -11
CHANGELOG.md
··· 1 1 # Changelog 2 2 3 + ## [0.2.0] - 2026-05-02 4 + 5 + - The configuration flag `--server-auth-token` has been changed to `--server-admin-password`. 6 + 7 + - Most endpoints have been migrated to use XRPC. 8 + - [GET] `/:did/:cid` now has an alias endpoint available at `/xrpc/dev.blooym.porxie.getBlob` with the query parameters `?did=did&cid=cid`. The original endpoint remains fully supported for the foreseeable future, and it is the caller's decision of which endpoint is preferred for now. 9 + - [DELETE] `/cache/:did` has been moved to [POST] `/xrpc/dev.blooym.porxie.cache.purgeActor` with a JSON body containing `{ "did": "did" }` 10 + - [DELETE] `/cache/:cid` has been moved to [POST] `/xrpc/dev.blooym.porxie.cache.purgeBlob` with a JSON body containing `{ "cid": "cid" }`. 11 + - Authentication for all administrative endpoints now use authentication type 'Basic' instead of 'Bearer'. Per the temporary ATProtocol specification, the username field is expected to be set to `admin`. 12 + 13 + - The policy service has been migrated to use XRPC. 14 + - Calls will now be made to `/xrpc/dev.blooym.porxie.getBlobPolicy` with the query parameters `?did=did&cid=cid`. 15 + - As part of this change, Porxie will now expect a JSON response containing the status of the blob instead of using the previous method of handling based on status code. You can find the permitted responses in the [lexicon definition](lexicons/dev/blooym/porxie/getBlobPolicy.json). 16 + - The configuration option to append custom headers remains as-is and can be used to use whatever authentication scheme you see fit. Please note that Porxie does not support service authentication at this time, so your best choice would be using [admin tokens](https://atproto.com/specs/xrpc#admin-token-temporary-specification). 
17 + 18 + 3 19 ## [0.1.2] - 2026-04-30 4 20 5 - ### Security Fixes 21 + ### Security Fixes: 6 22 7 23 - **Fix broken logic for enabling HTTPS only in release mode.** 8 24 - **Fix broken authentication check logic that allows invalid tokens to clear the internal cache.** 9 25 10 26 ## [0.1.1] - 2026-04-30 11 27 12 - ### Features 13 - 14 28 - Improve compliance with blob cid specification by only accepting v1 hashes with accepted codecs 15 29 16 - ### Performance 17 - 18 - - Use jemallocator instead of the system allocator on all plat forms. 19 - 20 - ### Security Fixes 30 + - Use jemallocator instead of the system allocator on all platforms. 21 31 22 32 - Make authentication checks constant time. 23 33 24 - ### Other 25 - 26 34 - Refactored codebase for future maintainability 27 - 28 35 29 36 ## [0.1.0] - 2026-03-26 30 37
+2 -2
README.md
··· 104 104 [default: ip:127.0.0.1:6314] 105 105 106 106 --server-admin-password <SA_SERVER_ADMIN_PASSWORD> 107 - Admin password for authenticating privileged requests. 107 + Admin password for authenticating priviledged requests. 108 108 109 109 When unset, all authenticated endpoints will reject requests with HTTP 401. 110 110 111 111 Authenticated requests always expect the username `admin` as per specification. 112 112 113 - [env: PORXIE_SERVER_ADMIN_TOKEN=] 113 + [env: PORXIE_SERVER_ADMIN_PASSWORD=] 114 114 ``` 115 115 116 116 ### Blob
+1 -1
crates/porxie/src/main.rs
··· 81 81 #[arg( 82 82 id = "SA_SERVER_ADMIN_PASSWORD", 83 83 long = "server-admin-password", 84 - env = "PORXIE_SERVER_ADMIN_TOKEN" 84 + env = "PORXIE_SERVER_ADMIN_PASSWORD" 85 85 )] 86 86 admin_password: Option<String>, 87 87 }
+1 -2
crates/porxie/src/server/extractors/admin_xrpc_auth.rs
··· 30 30 return Err(StatusCode::UNAUTHORIZED); 31 31 }; 32 32 33 - // Enforce admin as username as per specification. 33 + // 'admin' must be the username as per specification. 34 34 if basic_auth.username() != "admin" { 35 35 return Err(StatusCode::UNAUTHORIZED); 36 36 } 37 37 38 - // Check password with a constant time check. 39 38 if !state 40 39 .admin_password 41 40 .as_ref()
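Review bot: In CHANGELOG.md, the 0.1.1 entry loses its `### Security Fixes` heading (along with Features, Performance and Other), so "Make authentication checks constant time." now reads as an ordinary bullet while 0.1.2 still groups its fixes under a security heading. Keep at least the security heading for 0.1.1 so readers scanning for security-relevant releases still find it, and drop the trailing colon added to `### Security Fixes:` in 0.1.2 so the headings match. In the new 0.2.0 entry, the move from 'Bearer' to 'Basic' and the relocated cache routes change what existing admin clients must send, so labelling them as breaking would help; the `purgeActor` bullet is also missing its final period.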
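Review bot: In README.md, the replaced help line changes "privileged" to "priviledged", which introduces a misspelling; keep `Admin password for authenticating privileged requests.` as it was. The `[env: PORXIE_SERVER_ADMIN_PASSWORD=]` line is consistent with the rename in main.rs and needs no change.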
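Review bot: In crates/porxie/src/main.rs, changing `env = "PORXIE_SERVER_ADMIN_TOKEN"` to `env = "PORXIE_SERVER_ADMIN_PASSWORD"` is a behaviour change inside a commit titled "docs: changelog", and the 0.2.0 changelog entry mentions only the flag rename, not the environment variable. A deployment that still exports the old variable will start with `admin_password` unset, which per the README means every authenticated endpoint rejects requests with HTTP 401. That fails closed, but add a changelog line for the variable rename and consider moving the code change into its own commit.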
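Review bot: In crates/porxie/src/server/extractors/admin_xrpc_auth.rs, the removed line `// Check password with a constant time check.` was the marker at the `admin_password` comparison saying that it must be constant time, a property the 0.1.1 changelog lists as a fix. Keep the comment, reworded if needed, so a later refactor does not replace the comparison with a plain `==`. The early return on the username is fine as it stands, since `admin` is a fixed value set by the specification.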