feat: add new options for v4.1.0

steveiliop56 · steveiliop56 · commit 8791b1a3dba0 · 2025-11-21T16:55:52.000+02:00
diff --git a/content/docs/breaking-updates/3-to-4.mdx b/content/docs/breaking-updates/3-to-4.mdx
@@ -168,10 +168,10 @@ The following options are deprecated:
 
 Changed options:
 
-| Current                             | New                                 |
-| ----------------------------------- | ----------------------------------- |
-| `COOKIE_SECURE` (`--cookie-secure`) | `SECURE_COOKIE` (`--secure-cookie`) |
-| `LOG_LEVEL` (`--log-level`)         | `LOG_LEVEL` (`--log-level`)         |
+| Current                             | New                                 | Values                                                      |
+| ----------------------------------- | ----------------------------------- | ----------------------------------------------------------- |
+| `COOKIE_SECURE` (`--cookie-secure`) | `SECURE_COOKIE` (`--secure-cookie`) | `true`, `false`                                             |
+| `LOG_LEVEL` (`--log-level`)         | `LOG_LEVEL` (`--log-level`)         | `trace`, `debug`, `info`, `warn`, `error`, `fatal`, `panic` |
 
 ## API Changes
 
diff --git a/content/docs/changelog.mdx b/content/docs/changelog.mdx
@@ -3,9 +3,36 @@ title: Changelog
 description: Overview of changes and updates in Tinyauth versions.
 ---
 
+## v4.1.0
+
+### New Features
+
+- Light mode
+- Support for listening on UNIX sockets
+- Support for logging in JSON
+- Log new sessions in `TRACE`
+
+### Improvements
+
+- Generate OAuth verifier on every login attempt
+- Add routine to cleanup expired sessions
+
+### Fixes
+
+- Ensure OAuth providers have the `PROVIDERS_` prefix
+- Allow for all sub-domains to be considered safe for redirects
+
+### Technical
+
+- Use Gorm generics for all database actions
+- Attempt to clean-up the decoders logic
+- Make air development workflow faster by not installing delve on every reload
+- Bump dependencies
+- Update translations
+
 ## v4.0.1
 
-<Callout>
+<Callout type="warning">
   This release contains a security fix regarding label discovery, please update
   as soon as possible.
 </Callout>
diff --git a/content/docs/reference/configuration.mdx b/content/docs/reference/configuration.mdx
@@ -26,12 +26,14 @@ Tinyauth can be configured using environment variables or CLI flags. The table b
 | `LOG_LEVEL`               | `--log-level`               | Log level (`trace`, `debug`, `info`, `warn`, `error`, `fatal`, `panic`).                         | `info`              | no       |
 | `LOGIN_MAX_RETRIES`       | `--login-max-retries`       | Maximum login attempts before timeout (0 to disable).                                            | `5`                 | no       |
 | `LOGIN_TIMEOUT`           | `--login-timeout`           | Login timeout in seconds after max retries reached (0 to disable).                               | `300`               | no       |
+| `LOG_JSON`                | `--log-json`                | Enable JSON formatted logs.                                                                      | `false`             | no       |
 | `OAUTH_AUTO_REDIRECT`     | `--oauth-auto-redirect`     | Auto redirect to the specified OAuth provider.                                                   | ``                  | no       |
 | `OAUTH_WHITELIST`         | `--oauth-whitelist`         | Comma-separated list of email addresses to whitelist when using OAuth.                           | ``                  | no       |
 | `PORT`                    | `--port`                    | Port to run the server on.                                                                       | `3000`              | no       |
 | `RESOURCES_DIR`           | `--resources-dir`           | Path to a directory containing custom resources (e.g., background image).                        | `/data/resources`   | no       |
 | `SECURE_COOKIE`           | `--secure-cookie`           | Send cookie over secure connection only.                                                         | `false`             | no       |
 | `SESSION_EXPIRY`          | `--session-expiry`          | Session (cookie) expiration time in seconds.                                                     | `86400`             | no       |
+| `SOCKET_PATH`             | `--socket-path`             | Path to the Unix socket to bind the server to.                                                   | ``                  | no       |
 | `TRUSTED_PROXIES`         | `--trusted-proxies`         | Comma-separated list of trusted proxies (IP addresses or CIDRs) for correct client IP detection. | ``                  | no       |
 | `USERS`                   | `--users`                   | Comma-separated list of users in the format `username:hash`.                                     | ``                  | yes      |
 | `USERS_FILE`              | `--users-file`              | Path to a file containing users in the format `username:hash`.                                   | ``                  | no       |
diff --git a/content/docs/reference/headers.mdx b/content/docs/reference/headers.mdx
@@ -28,6 +28,11 @@ The `Remote-Name` header contains the full name of the currently logged-in user.
 
 The `Remote-Groups` header contains the groups of the currently logged-in user, retrieved from the `groups` claim in the OIDC server. These can be used to allow access to specific user groups configured by the OIDC server. More details are available in the [OIDC access controls](/docs/guides/access-controls.md#access-controls-using-oidc-groups) guide.
 
+<Callout type="warning">
+  Remote groups are only available for OIDC providers that support the `groups`
+  claim. LDAP groups are **not** supported.
+</Callout>
+
 ### Custom headers
 
 Custom headers can be set using the `tinyauth.headers` label on any container that uses the Tinyauth middleware. For example:
