
Releases: wireapp/wire-server

2025-08-08 (Chart Release 5.20.0)

11 Aug 09:10
52f68bb

Release notes

  • The wire-server now uses quorum queues for user notifications, for
    communicating with cells, and for watching dead-lettered user notifications.
    These were previously declared without any type, making them "classic"
    RabbitMQ queues.

    The transition is unfortunately not automatic. There are no official clients of
    wire-server which use these queues, so in most cases there should only be two
    queues which need to be moved over:

    1. cells_events
    2. dead-user-notifications

    If there are no other classic queues and no cells server is deployed, the steps
    of upgrade are very simple:

    1. Delete these queues
    2. Deploy the new version of wire-server

    Please note that rolling back this deployment would not be possible unless these
    queues are deleted again.

    In case there are other classic queues of format
    user-notifications.<user-id>.<client-id> or if a cells server is configured,
    then this upgrade would require some downtime. The steps are documented on
    the RabbitMQ blog:
    https://www.rabbitmq.com/blog/2023/03/02/quorum-queues-migration#in-place-migration
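
A pre-upgrade check for the queue migration described above, as an added example that is not part of wire-server or its release notes: it reads a queue listing and reports which of the two upgrade paths applies. The function name `plan_quorum_upgrade`, its `yes`/`no` cells argument, the output format and the sample queue listings are assumptions made for this example; the input is assumed to be the tab-separated output of `rabbitmqctl list_queues --quiet name type`.

```shell
#!/bin/sh
# Added example, not wire-server code. Decides which upgrade path from the
# release note applies, given a queue listing in "name<TAB>type" form, e.g.:
#   rabbitmqctl list_queues --quiet name type | plan_quorum_upgrade no
# Argument 1 (hypothetical): "yes" if a cells server is deployed, else "no".
# The queue listing cannot reveal that, so the operator has to state it.

plan_quorum_upgrade() {
    awk -F '\t' -v cells="${1:-no}" '
        # Skip the table header if rabbitmqctl printed one.
        $1 == "name" && $2 == "type" { next }
        # Quorum and stream queues need no action.
        $2 != "classic" { next }
        # The two fixed queues named in the release note.
        $1 == "cells_events" || $1 == "dead-user-notifications" {
            fixed = fixed " " $1
            next
        }
        # Per-client queues: user-notifications.<user-id>.<client-id>
        $1 ~ /^user-notifications\.[^.]+\.[^.]+$/ { per_client++ }
        END {
            if (per_client > 0 || (cells == "yes" && fixed != "")) {
                # In-place migration with downtime (see the RabbitMQ blog).
                printf "downtime per_client=%d cells=%s\n", per_client, cells
            } else if (fixed != "") {
                # Delete the listed queues, then deploy the new version.
                print "simple" fixed
            } else {
                # No classic wire-server queues are left to migrate.
                print "none"
            }
        }'
}

# Constructed sample listings (queue names other than the two fixed ones
# are made up for illustration).
sample_simple() {
    printf 'name\ttype\n'
    printf 'cells_events\tclassic\n'
    printf 'dead-user-notifications\tclassic\n'
    printf 'backend-notifications.example.com\tquorum\n'
}

sample_per_client() {
    sample_simple
    printf 'user-notifications.3f1c0a52-0000-4000-8000-000000000001.a1b2c3d4\tclassic\n'
}

sample_simple     | plan_quorum_upgrade no    # simple path
sample_per_client | plan_quorum_upgrade no    # downtime path
sample_simple     | plan_quorum_upgrade yes   # downtime path (cells deployed)
```

Running the check again after a rollback shows whether quorum versions of the two fixed queues exist and would have to be deleted again, as the note above requires.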

API changes

  • New end-point GET /user-groups?... for filtering, sorting, and pagination. (#4607)

Features

  • Allow team collaborators with implicit_connection permission to create and query a One2One conversation with a team member. (#4692)

  • Introduce new feature config consumableNotifications. It should be used by
    clients to determine whether they should use the consumable-notifications
    feature. This will not be enforced by the server. (#4689)

  • Do not deliver client specific notifications to temporary clients. (#4703)

Bug fixes and other updates

  • Fix bug where reset action was returning "invalid-op" for non-group conversations (#4702)

Internal changes

  • Move user creation to UserStore (#4695)

  • Fixed 504 errors when trying to reach services in other namespaces. (#4701)

  • charts/nginz: remove nginz_disco script and sidecar container, and replace outside upstreams.txt file by an inline block, making use of 'resolve' keyword to directly reference DNS names inside the kubernetes cluster. (#4663)

2025-07-28 (Chart Release 5.19.0)

29 Jul 09:18
abe3058

Release notes

  • Galley now requires a connection to PostgreSQL. This can be configured similarly to brig, using the configs galley.config.postgresql and galley.secrets.pgPassword. Galley must use the same PostgreSQL instance as brig. (#4677)

API changes

  • Create new API version V11 and finalize V10 (#4510, #4684)

Features

  • New immutable feature config allowedGlobalOperations with MLS conversation reset option (#4671)

  • Add endpoints to add team collaborators ("bots") and query all for a team. (#4659)

  • Add option to check group info consistency on every MLS commit (#4670)

  • Allow team collaborators to create team conversations. (#4677)

Bug fixes and other updates

  • Prevent typing indicator notification being sent to own clients (#4658)

  • background-worker: Set metric gauge wire_background_worker_running_workers to 1 when a worker is running instead of 0. (#4662)

Internal changes

  • The chart for nginx-ingress-controller has been removed (#4675)

  • Do not log KilledByHttp2ThreadManager error thrown by http2 client (#4672)

  • A rate limit error from an internal call to i/users/:uid/reauthenticate will now be propagated to the external caller (#4673)

  • Dedicated error label for MLS leaf node signature validation failure (#4665)

  • Include the new group ID in the MLS conversation reset event (#4669)

  • Log AMQP consumer cancellations in backend notification pusher. (#4634)

  • Decrease backendNotificationPusher.remotesRefreshInterval for local
    integration tests to give it a better chance to run between test executions. (#4634)

  • Make the make devtest rule work for other packages. (#4667)

2025-07-11 (Chart Release 5.18.0)

14 Jul 14:04
c29f652

Release notes

  • charts/cannon: There is a new configuration value called
    config.notificationTTL, which defaults to the same value as gundeck. If it is
    overridden in gundeck, it must also be overridden in cannon. (#4631)

API changes

  • Finalize API version V9 (#4645)

  • Add the TeamId to the payload of conversation.delete events. The field's
    path is team. (#4618)

Features

  • Allow team admin to query channel data (#4633, #4635)

  • Brig setting to en-/disable ephemeral user creation (#4630)

  • Allow team admin to remove members from a channel (#4620)

  • background-worker: New gauge metric wire_background_worker_running_workers,
    contains label worker for each worker. Set to 1 when the worker is running,
    set to 0 when the worker is not running. (#4652)

  • cannon: Replace message count mechanism with detecting the end of initial sync (#4631)

  • The /events websocket will close a connection when it detects client inactivity. The inactivity behaviour can be controlled by setting the cannon options wsOpts.activityTimeout and wsOpts.pongTimeout. After wsOpts.activityTimeout microseconds of client inactivity (including no pings), the server sends a ping, and waits for a corresponding pong for wsOpts.pongTimeout microseconds. If no pong is received within this time window, the connection is terminated. (#4636)

Bug fixes and other updates

  • Team name removed from team invitation email template (#4654)

  • gundeck: Send push notifications to clients with consumable-notifications capability (#4626)

  • Avoid returning duplicate user search results when handle matches exactly (#4656)

  • background-worker/dead-user-notifs-watcher: Reconnect when connection with RabbitMQ is broken (#4652)

  • Generated Swagger docs differed from the ratified ones for versions up to V9
    regarding the get-all-registered-domains
    (/teams/{teamId}/registered-domains) endpoint: The backend_url became part
    of the backend object which should be introduced with V10. As teams do not
    set backend redirects this should not be seen in practice. (#4647)

Documentation

  • Add documentation on self-deleting messages and setting custom time-frames for operators (#4650)

Internal changes

  • Upgrade RabbitMQ to version 4.x locally and on CI (#4639)

  • No ack for message_count event (#4625)

  • More tests on validation of scim-provisioned emails. Cleanup of code and internal APIs. (#4617)

  • Fix false positive warning of members not being present in remote conversations. (#4644)

  • Updated email templates to v1.0.130 (#4648)

  • Updated email templates to v1.0.133 (#4655)

  • Limit the amount of unacknowledged messages the RabbitMQ notifications consumer
    receives to 100. Beyond this limit, received messages have to be acknowledged
    to receive new ones. This prevents overloading the consumer with new messages. (#4615)

  • Timestamps for failing integration tests. (#4638)

[2025-06-16] (Chart Release 5.17.0)

17 Jun 11:48
732dd4e

Release notes

  • Behavior of email validation in the context of SCIM user provisioning has changed: if your users receive a validation email on address change, you need to do nothing. If they don't, the behavior changes: before this release, the email address was only used as SCIM external_id, not to send emails to the user, because there was no validation step. With this release, the default behavior is that SCIM has the authority to auto-validate email addresses, and no further user action is needed.

    Consider changing the validateSAMLEmails feature flag value for some teams, or the default for your instance accordingly.

    The old behavior for validateSAMLEmails == disabled (no validation email, but also no valid email address) is not supported any more. We suggest you use something as external_id that is not an email address if you want that. (#4612)

API changes

  • Add a new endpoint /mls/reset-conversation which can be used to restore an MLS group that ended up in an invalid state for any reason. After resetting, the conversation has the same users, but the corresponding MLS group gets a new group ID and resets to epoch 0 with no clients.

    Users on backends that don't support reset are kicked out of the conversation upon reset, and no such user can join afterwards.

    A new event type conversation.mls-reset has been added, and is sent to all members of a conversation when it is reset. (#4558)

Features

  • Auto activate SAML emails if validateSAMLEmails feature is disabled (#4612)

  • Add update, delete, add/remove users to UserGroups. (#4600, #4604, #4605)

  • Send notifications on user group updates (#4600)

  • Team admin can add user to a channel (#4574)

  • Allow team admin to change the name of a channel (#4584)

  • Endpoint to get the current server time (#4606)

  • Add support for AWS Signature V4 authentication header to ZAuth (#4593)

Bug fixes and other updates

  • Do not allow ephemeral users to search for contacts (#4609)

Internal changes

  • Send cells notification when cells feature is updated (#4614)

  • Send message count to websocket on connect (#4608)

  • Add proxy_connect_timeout to nginz's configuration. Otherwise, services that
    do not answer (e.g. due to network issues) can delay requests/responses for a
    very long time. (#4610)

  • nginz: Set Z-Timestamp header when proxying requests (#4593, #4611)

2025-05-30 (Chart Release 5.16.0)

03 Jun 10:21
c2efcf5

Release notes

  • With this commit a dependency on postgres is introduced. Postgres must be available in the deployment environment and brig must be configured with the correct connection credentials. (#4545)

  • Remove initialConfig setting for the mls feature flag (#4585)

Features

  • API to create and get a User Group (#4545)

  • New endpoint to get the self member of a conversation (#4592)

Bug fixes and other updates

  • Unicode support: the last release contained a work-around for an issue with the hxt library. It turned out the issue was in wire-server all along, and hxt just did things in an unexpected, but sound way. This release removes the work-around and provides a proper fix. (#4587)

Internal changes

v2025-05-16 (Chart Release 5.15.0)

19 May 13:28
b55cd63

API changes

  • From API version V9 on, the POST /domain-verification/{domain}/backend and
    POST /get-domain-registration endpoints are adjusted to also carry the
    webapp_url in their payloads. The structure of these payloads changes as
    well: The former backend_url and the new webapp_url are now combined in one
    object in the backend field:

    {
    ...
      "backend": {
        "config_url": "{url}",
        "webapp_url": "{url}"
      }
    }

    The same change is applied to the internal endpoints PUT /i/domain-registration and GET /i/domain-registration. (#4559)

Features

  • Team admins can create a channel without joining (#4527, #4553)

  • Add adminHost setting for rabbitmq admin interface (#4581)

Bug fixes and other updates

  • Only forward one conversation create event to pydio (#4535, #4551)

  • Fixed channel permissions for external partners. They are allowed to add members if they are channel admins or if add-permissions are set to everyone. (#4534)

  • gundeck: Send notifications to temp clients only when there are no rabbitmq clients in the recipient list. Before this, it was wrongly sending the notification to all recipients. (#4556)

  • hxt doesn't support all of unicode (it decodes utf8-encoded bytestrings as ascii-encoded using LBS.unpack). The related code and fix are now in saml2-web-sso. (#4577)

  • charts/{cannon,nginz}: Add the events endpoint to nginz config (#4540, #4540)

  • Lazy streams were broken due to
    haskell-servant/servant#1781. So, in specific cases,
    the payload of a streamed response was realised in the application's memory
    instead of streaming it piecewise. (#4538)

  • Use multipart upload to S3 for all assets (#4548)

Internal changes

  • Remove wai-routes, wai-predicates deps from proxy and translate routing table and handlers to servant. New integration tests for proxy featuring mock services. (#4525)

  • Include untouched base64-encoded authentication response from http request body in error messages, not some intermediate parse result. (#4570)

  • Move zauth logic from brig to wire-subsystems (part 1: Brig.ZAuth, simplify implementation) (#4479)

  • Fix Redis replication in our docker-compose env (used to run integration tests
    locally): We allow only TLS connections to the Redis nodes. Thus, replication
    has to use TLS as well (by default it doesn't.) (#4566)

  • Bump redis version used by redis-ephemeral to 6.2.16 (#4524)

  • The backend now verifies that new leaf nodes occurring in an MLS commit match the signature key registered by the corresponding client (#4531)

Federation changes

  • Federation API version V2 is finalized. (#4546)

2025-04-07 - (Chart Release 5.14.0)

08 Apr 13:47
d357e54

Release notes

  • Update the Docker (container) image of ldap-scim-bridge to the latest release (0.4 -> 0.10.4) in the corresponding Helm chart. (#4451)

API changes

  • Freeze API version 8, create new dev version 9. (#4510, #4522)

  • Add a new team feature for Cells support (#4473)

  • The request body of POST /conversation can now contain a boolean field cells, which defaults to false, and determines whether Cells should be enabled for the new conversation. (#4503)

Features

  • Added team feature to configure channels (#4471)

  • Creating channels via the conversation API (#4489)

  • The nginz chart now configures a deeplink in nginx for each domain in a multi-ingress setup. Check out nginx_conf.multi_ingress_deeplink. (#4486)

  • Team admins have conversation admin permissions in channels (#4500)

  • New permission for channels to allow members to add users (#4504, #4518)

  • Allow multiple SAML ServiceProviders (SP) to be configured in spar. The idea is
    to have one SP per multi-ingress domain/endpoint. (#4490)

  • Cells integration. Conversations now have a new field "cells_state", which defaults to "disabled", but can be set to "pending" and "ready". When set to "pending" or "ready", events relevant for tracking conversation members and metadata are forwarded to a RabbitMQ queue, which can be configured in gundeck. (#4442)

  • Read receipts are now automatically disabled for MLS conversations and cannot be enabled. (#4508)

Bug fixes and other updates

  • Handle login flow for Backend and SSO domains when the user already exists (#4493)

  • Emulate IdP-initiated login with a redirect. (#4513)

  • Allow setting domain_redirect for team registered domains (#4496)

  • Make saml2-web-sso library more robust against forged authentication responses.

    • Only process signed XML data from authentication requests (to the extent permitted by the standards).
    • Compare the issuer in the stored authentication request with the issuer(s) from assertions.

    Neither of these changes fixes any known vulnerabilities, but the changes make the code more defensive in case other weaknesses are still lurking. (#4497)

  • Dedicated endpoint for teams to verify domain registration challenge (#4501)

  • Channels default feature flag can be configured for server (#4498)

  • Prevent duplicate clients from being added to a conversation (#4519)

  • When fakeS3 is enabled, nginx-ingress-services creates an ingress for
    Minio. This ingress' name is now configurable to allow multiple of them
    ("multi-ingress".) (#4516)

  • Fix issue with the (redis/cannon) reaper chart, which was sometimes killing cannon pods for no good reason during transient networking errors. (#4499)

Documentation

  • Migration from sphinx based documentation to mkdocs and moving the documentation to wire-docs repository and enabling versioning on the documentation (#4464)

  • Fix pregenerated Swagger URL for v7 (#4495)

Internal changes

  • Improve cassandra dump script (#4514)

  • Remove legacy team feature storage support (#4470)

  • Reduce the log level of "federation denied" errors to Warn (#4511)

  • Move the saml2-web-sso library into this project / git repository. According
    to the GitHub search, this library is only used by wire-server anyway. No
    longer pretending that it is of general use gives us opportunities to write
    Wire-specific code in a better way and simplifies CI processes. (#4492)

2025-03-07 (Chart Release 5.13.0)

10 Mar 14:43
961e935

Release notes

  • Fix logging of skipped entries in feature migration tool (#4485)

2025-03-06 (Chart Release 5.12.0)

06 Mar 12:56
d81ebe4

Release notes

  • This release is compatible with ElasticSearch 6.8 and OpenSearch 1.3. It is meant
    as a migration release to switch to the newer OpenSearch 1.3 index search.
    Later releases may drop support of ElasticSearch 6.8. (#4444)

  • This release introduces a new data storage format for team features and a corresponding migration. To migrate to the new format, a new tool called migrate-features has been added. This tool needs to be run after deployment of this release, and before deploying the next release. (#4459)

    While the migration tool is running, team features are going to operate in read-only mode for the team that is currently being migrated. After migration, the new storage is going to be used. No other action should be required on the part of instance operators besides running the migration tool.

    This tool can be run in kubernetes using a job like this:

    apiVersion: batch/v1
    kind: Job
    metadata:
      name: migrate-features
      namespace: <namespace>
    spec:
      template:
        spec:
          containers:
            - name: migrate-features
              image: quay.io/wire/migrate-features:5.13.0 # note: use 5.13.0 here, not 5.12.0
              args:
                [
                  --cassandra-host-galley,
                  <galley-host>,
                  --cassandra-port-galley,
                  "9042",
                  --cassandra-keyspace-galley,
                  galley,
                ]
          restartPolicy: Never
      backoffLimit: 4

Features

  • Enforce no activation for email domains that are registered for another team or backend (#4455)

  • For SAML authenticated users: Do not require email verification for registered email domains. (#4466)

  • Enforce that users cannot use emails from domains which are registered for a particular team or another backend (#4452)

  • Rate limit password hashing operations (#4353)

Bug fixes and other updates

  • Allow transition of the domain redirect value to and from no-registration and backend. (#4465)

  • Fixed CVEs in sftd_disco image (#4416)

  • Ignore MLS self conversation while requesting LH device (#4480)

  • Prevent removal of MLS protocol support (#4478)

  • Prevent guest users from migrating to teams (#4477)

  • Prevent SAML issuer from being deleted on IdP update (#4481)

  • Return HTTP status 400 in case of interrupted file uploads. Previously, the AWS
    S3 error due to the wrong "content length" was interpreted as application error
    (HTTP status 500.) This led to false alerts in monitoring systems. (#4458)

Internal changes

  • Alpine version bump to v3.21.3 for cassandra-migrations and cannon helm charts (#4457)

  • Avoid rehashing Scrypt hashed passwords if the backend config is to keep passwords as Scrypt hashed. (#4353)

  • Use ElasticSearch 6.8.23 in our local dev setups (docker-compose.) This is the version we use on CI, staging and prod. (#4446)

  • Fix issue with cleanup of resources after integration tests, namely fix 'helmfile destroy' (#4450)

  • For internal CI: Cleanup nginx ingress class objects after running integration tests. (#4449)

  • OpenSearch 1.3 has been added to the local and CI integration test setup. (#4444)

  • Introduce a new feature table in Cassandra: team_features_dyn. This table has a fixed number of fields, as opposed to the ever-growing collection of all the fields of all the features that we were using before. (#4459)

  • update fake-aws-sqs chart / elasticmq-native from v1.5.2 to v1.6.11 (#4463)

  • reaper helm chart: bump bitnami/kubectl docker image from 1.24.12 to 1.32.2 (#4462)

  • Update redis-ephemeral helm chart to use the latest 6.2.X (6.2.7) image of redis. Note that this changes the default hostname of the redis kubernetes service from redis-ephemeral-master to databases-ephemeral-redis-ephemeral-master (if installing through the databases-ephemeral chart). (#4440)

  • Use Nix flake (tom-bombadil) to create and upload SBOM files in CI. (#4448)

2025-02-07 (Chart Release 5.11.0)

10 Feb 14:00
5b5b6d9

API changes

  • New endpoints for domain registration and verification (#4389, #4422, #4433, #4434, #4438)

    • POST /domain-verification/:domain/team
    • POST /domain-verification/:domain/backend
    • POST /domain-verification/:domain/challenges
    • POST /domain-verification/:domain/challenges/:challengeId
    • POST /domain-verification/:domain/authorize-team
    • POST /get-domain-registration
    • GET /teams/:tid/registered-domains
    • DELETE /teams/:tid/registered-domains/:domain
  • Deprecated API endpoints were removed from API version V8. (#4407)

  • Add a flag to the response body of POST /get-domain-registration to indicate
    whether domain_redirect is set to none due to the existence of a registered
    account. This makes it possible for clients to let a user log in with an
    existing cloud account even if a redirection to an on-prem backend is set up
    for their domain. (#4441)

Features

  • Team feature config for domain registration (#4429)

Bug fixes and other updates

  • Fix 503 on user registration when the enterprise service is disabled (#4421)

  • Fix 503 on team invitation when wire-server-enterprise is disabled (#4439)

  • Fix bug in nginz: /consent/<foo> requests not correctly forwarded to galeb. (#4376)

  • MLS: when recreating external (backend) proposals, these are now propagated to
    the clients only after the corresponding external commit has been forwarded to
    the clients. (#4412)

  • MLS group info is now saved with the commit lock held. This prevents a bug where group info on a later commit was overwritten by an earlier group info, leading to out-of-sync MLS state between backends and clients. (#4436)

Internal changes

  • Internal spar endpoint to retrieve the team's identity providers (#4417)

  • Adjust existing onboarding flow to new domain registration constraints.

    Endpoints:

    • POST /teams/{id}/invitations
    • POST /register (#4409)
  • federator: Install signal handlers for SIGINT and SIGTERM, close sockets when receiving these signals (#4398)

  • /i/index/refresh now uses the correct URL for additional indices. Thus, the
    refreshed indices can reside on different ElasticSearch instances. This
    endpoint is exclusively called from tests. (#4413)

  • Test single consumer behaviour of notifications (#4443)