appmsgr_flutter 2.1.2

Official Flutter SDK for AppMsgr chat infrastructure. Provides REST API client and GraphQL subscriptions for real-time messaging.

Changelog

All notable changes to the AppMsgr Flutter SDK will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

2.1.2 - 2026-04-24

Security

• HTTPS enforcement on REST base URL: AppMsgrClient now throws ArgumentError in release builds if baseUrl starts with http://. Previously only the GraphQL URL was checked; the REST path would have sent Authorization: Bearer … over plaintext.
• Auth fields privatized: apiKey and userToken fields on AppMsgrClient are now library-private (_apiKey, _userToken) so they are not visible to crash reporters, DevTools inspection, or third-party widgets that serialize the client object. The class is now marked final to prevent subclass-based header overrides.
• CR/LF header-injection guard: auth tokens containing \r or \n are now rejected at client construction and in BaseService / the GraphQL client.
• URL-encoded emoji path segment: ReactionService.getReactionUsers now Uri.encodeComponents the emoji before inserting it into the URL, preventing path-traversal via adversarial emoji input.
• WebSocket URL rewrite fix: the http(s) → ws(s) conversion in AppMsgrGraphQLClient no longer uses String.replaceFirst (which corrupts URLs where the host also appears in the path) — it now uses Uri.replace.
• Safer response parsing: BaseService now throws a descriptive ApiException when the server returns a non-object JSON payload or malformed JSON, instead of a bare CastError. Error bodies are truncated to 500 chars to prevent HTML pages dominating exception text.

Changed

• Hive offline-queue box renamed from offline_messages to appmsgr_offline_messages to avoid collisions with other packages. Migration: any messages queued under the old box name by v2.1.1 or earlier will no longer be visible; call client.clearQueue() after upgrading if your users had pending queued messages.
• New config option AppMsgrConfig.clearOfflineQueueOnDispose (default false). When true, AppMsgrClient.dispose() wipes queued messages from disk. Set this on logout.
• graphql_flutter constraint tightened from ^5.1.0 to ^5.2.1 for WebSocket reconnection stability fixes.

Removed

• All print() calls from library code. The avoid_print lint rule is now enabled in analysis_options.yaml.

2.1.1 - 2026-04-19

Fixed

• Reaction addReaction() now sends emoji_id field (was incorrectly sending emoji_code, which the server never accepted).

2.1.0 - 2026-04-19

Added

• TLS downgrade protection: graphql_client now throws in release builds when baseUrl uses http://. HTTPS is required for any non-debug build to prevent man-in-the-middle downgrade attacks.

Fixed

• Null-safety: GraphQL subscription handlers now tolerate null payloads emitted by the server during reconnect instead of throwing.
• Sensitive data in crash reports: debug print() calls in message_service and graphql_client are now gated behind kDebugMode, so response bodies and request URLs are no longer captured by release-mode crash reporters.

Breaking

• Apps shipping a release build against an http:// baseUrl will now throw at first request. If you rely on plaintext in dev, use a debug build or a https:// endpoint. This is a security feature with behavioral impact — bumping to 2.1.0 to flag it, though no public API signatures changed.

2.0.6 - 2026-03-09

Changed

• MAJOR: Updated connectivity_plus from 5.0.2 to 6.1.5
  • Fixed breaking change: Now handles List<ConnectivityResult> instead of single value
  • Updated offline queue to support new connectivity API
• MAJOR: Updated flutter_lints from 3.0.2 to 6.0.0
• Updated graphql_flutter from 5.2.0-beta.6 to 5.2.1 (stable)
• Updated http from 1.5.0 to 1.6.0
• Updated json_annotation from 4.9.0 to 4.11.0
• Updated build_runner from 2.10.1 to 2.12.2
• Updated 40+ total dependencies to latest versions

Fixed

• Regenerated JSON serialization code for all models
• Fixed all test files to use new authentication API (authMode/authToken)
• Fixed example app to use AppMsgrClient.withApiKey() instead of deprecated constructor
• Fixed nullable message.id handling in example message list widget
• Removed unnecessary .toList() in spread operator usage

Removed

• Removed discontinued js package dependency

Technical

• ✅ 0 analysis errors (Flutter analyze)
• ✅ 0 pub publish warnings
• ✅ 52 unit tests passing
• ✅ Tested with Flutter 3.41.4

2.0.1 - 2026-02-04

Fixed

• CRITICAL: Fixed sendMessage() endpoint path from /api/v1/messages to /api/v1/channels/:channelId/messages
  • Resolves 404 errors when sending messages
  • Aligns SDK with AppMsgr API v1 specification
• Fixed removeReaction() to use reactionId instead of messageId + emoji
  • Now uses correct endpoint: DELETE /api/v1/reactions/:reactionId
  • Aligns with API's reaction model (reactions have UUIDs)

Changed

• Removed redundant channel_id from sendMessage() request body (now in URL path)

[Unreleased]

Added

• Mail System: Complete mail/inbox functionality with attachment claiming
  • MailService: send mail, get inbox, claim attachments, mark as read, delete mail
  • Mail model with MailAttachment support
  • Webhook integration for mail.attachments.claimed events
  • Example mail screen with inbox UI and attachment claiming
  • Comprehensive documentation in README
• Initial Flutter SDK release with comprehensive REST API support
• GraphQL subscriptions for real-time message updates
• Complete service layer with all AppMsgr API operations:
  • MessageService: send, get, update, delete, search messages, pagination, mark as read
  • ChannelService: create, get, list, update, archive, unarchive, delete channels, member management
  • ReactionService: add, remove, get reactions, summaries, user lists
  • TranslationService: translate messages, detect language, supported languages
• Type-safe Dart models with JSON serialization:
  • Message, Channel, Reaction, MessagePage, ReactionSummary
  • Automatic snake_case to camelCase conversion
• Offline queue system with Hive storage:
  • Automatic message queuing when offline
  • Connectivity monitoring with auto-sync on reconnect
  • Periodic sync timer (30 seconds)
  • Retry logic with exponential backoff
  • Queue status and management APIs
• Comprehensive error handling:
  • ApiException for HTTP errors with status codes
  • NetworkException for connectivity issues
  • AuthException for authentication failures
  • ValidationException for invalid input
• Configurable client with AppMsgrConfig:
  • Custom timeouts, retry attempts, retry delays
  • GraphQL endpoint configuration
  • Logger integration support
  • Offline queue enable/disable
• Complete example app demonstrating:
  • Authentication and channel creation
  • Sending and receiving messages
  • Real-time message subscriptions
  • Reactions and translations
  • Offline queue usage
• Comprehensive test suite (53 tests):
  • Unit tests for all services
  • Model serialization tests
  • Client initialization tests
  • Offline queue tests
  • Error handling validation

Changed

• N/A (initial release)

Deprecated

• N/A (initial release)

Removed

• N/A (initial release)

Fixed

• N/A (initial release)

Security

• API key-based authentication with secure header transmission
• No sensitive data stored in offline queue (user IDs only)

1.0.0 TBD

Initial public release.