
spupuz/VibeNVR

v1.18.0 Security

This release includes 2 security fixes of interest to security teams reviewing exposed deployments.

Published 3mo ago. Category: Media Servers
✓ No known CVEs patched

Topics: ffmpeg, lightweight, local-storage, nvr, opensource, privacy, video-surveillance

Affected surfaces: auth, rbac

Summary

AI summary

Universal API Access system adds read-only token integration with automatic sanitization of sensitive fields.

Full changelog

Full Changelog: https://github.com/spupuz/VibeNVR/compare/v1.17.1...v1.18.0

Release v1.18.0 - Universal API Access & Security Hardening

This release introduces a major infrastructure upgrade: the Universal API Access system. It allows secure, read-only integration with external dashboards and third-party tools via API Tokens, while significantly hardening the system's security posture through conditional response sanitization.

🚀 New Features

🔑 Universal API Access (API Tokens)

  • Token Management UI: A new section in Settings allows administrators to generate, list, and revoke permanent API Tokens.
  • X-API-Key Authentication: Support for header-based authentication across all core read-only endpoints:
    • GET /api/v1/stats (System statistics)
    • GET /api/v1/cameras (Camera list)
    • GET /api/v1/events (Event timeline)
    • GET /api/v1/groups (Camera groups)
  • Dashboard Integration: Official support for Homepage (gethomepage.dev) via a dedicated /api/v1/homepage/stats endpoint.

🏠 Dashboard Integration (Homepage)

  • Optimized endpoint for fast, lightweight dashboard updates.
  • Provided comprehensive documentation and YAML examples for the customapi widget.
  • Included metrics for: Online Cameras, Recording Status, Storage Usage (GB), Today's Events, and System Uptime.

🛡️ Security & Privacy

🧬 Conditional Response Sanitization

A new security layer has been implemented to protect sensitive data:

  • Sanitized Schemas: When the API is accessed via a Token (third-party integration), sensitive fields such as rtsp_url (which embeds camera credentials) and external notification tokens are automatically stripped or masked from responses.
  • Role-Based Access Control (RBAC): API Tokens are strictly Read-Only. Administrative actions (Create/Update/Delete) still require an authenticated JWT session.
  • Media Protection: Continued enforcement of JWT-based authentication for all static media (video/snapshots) to prevent unauthorized direct access.

🕵️ Internal Security & Stability

  • Log Redaction: Upgraded the TokenRedactingFilter to automatically redact X-API-Key headers and RTSP credentials from container logs.
  • FastAPI / Pydantic Hardening: Refactored routers to ensure explicit schema conversion, preventing 500 errors and ensuring consistent JSON responses across all user levels.
  • Clipboard Fallback: Implemented a fallback for the "Copy Token" button to support non-secure (HTTP) environments where the modern Clipboard API is unavailable.
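The log redaction and conditional response sanitization described above, as an added Python example that is not VibeNVR's own code: a logging.Filter that masks X-API-Key values and RTSP credentials before a record reaches any handler, plus a helper that masks rtsp_url only when the caller authenticated with an API token. The names RedactingFilter, redact, sanitize_camera and capture, the regexes and the sample log lines are constructed for this illustration.

```python
import io
import logging
import re

# Constructed example, not the project's TokenRedactingFilter.
# Header value after "X-API-Key:" or "x-api-key=" (case-insensitive).
API_KEY_RE = re.compile(r"(?i)(x-api-key\s*[:=]\s*)([^\s,;]+)")
# Userinfo part of an rtsp:// URL, e.g. rtsp://admin:secret@10.0.0.5/stream
# (a raw "@" inside the password is assumed to be URL-encoded).
RTSP_CRED_RE = re.compile(r"(?i)(rtsp://)([^/\s@]+)@")


def redact(text: str) -> str:
    """Mask API-key values and RTSP credentials in a string."""
    text = API_KEY_RE.sub(r"\1[REDACTED]", text)
    return RTSP_CRED_RE.sub(r"\1[REDACTED]@", text)


class RedactingFilter(logging.Filter):
    """Rewrite the record so secrets never reach a handler or container log."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so secrets passed as %-args are covered too.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True  # keep the record; only its content changed


def sanitize_camera(camera: dict, via_api_token: bool) -> dict:
    """Mask rtsp_url credentials only for API-token callers; JWT sessions see the full record."""
    if not via_api_token:
        return camera
    safe = dict(camera)
    if "rtsp_url" in safe:
        safe["rtsp_url"] = RTSP_CRED_RE.sub(r"\1[REDACTED]@", safe["rtsp_url"])
    return safe


def capture(message: str, *args) -> str:
    """Log one record through the filter and return what the handler received."""
    stream = io.StringIO()
    logger = logging.getLogger("vibenvr.example")  # hypothetical logger name
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())  # logger-level filters run before handlers
    logger.info(message, *args)
    return stream.getvalue().rstrip("\n")
```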

🔧 Bug Fixes & Refactoring

  • Nginx Route Mapping: Fixed a critical 404 error during token creation by aligning Nginx path rewriting with the FastAPI router prefix.
  • Circular Dependency Resolution: Reordered Pydantic classes in schemas.py to fix circular references during startup.
  • Typing Fixes: Resolved a missing Any import in cameras.py that caused container crashes on specific builds.
  • Uptime Formatting: Improved uptime string granularity to show minutes for recently started systems.

📂 Documentation Updates

  • Updated README.md with the new Homepage integration guide.
  • Added docs/API_INTEGRATION.md as a comprehensive reference for developers and power users.
  • Anonymized all examples to ensure no test credentials or local IPs are leaked.

Made with ❤️ by the VibeNVR Team.

Security Fixes

  • Log redaction: TokenRedactingFilter now automatically redacts `X-API-Key` headers and RTSP credentials from container logs.
  • FastAPI / Pydantic hardening to prevent 500 errors via explicit schema conversion, enhancing API response consistency and security.


Related context

Earlier breaking changes

  • v1.28.3 Must update docker-compose.yml with TZ variable for all services
