Commit Graph

1018 Commits (release-please--branches--main--components--memos)

Author SHA1 Message Date
boojack d1cef7a9ab feat(auth): add private instance mode derived from instance_url
Run the instance in private mode when instance_url is not configured: the API rejects anonymous requests except the auth-bootstrap set (sign-in, token refresh, instance profile/settings, SSO providers, share-link access) plus first-run user creation, and the web UI redirects anonymous visitors to /auth instead of /explore. Setting instance_url keeps the current public behavior. Access tokens and personal access tokens are never gated.

Enforcement lives in a shared Authorizer used by both the Connect interceptor and the gRPC-gateway middleware; the file server applies the same rule to public-memo attachments and avatars. Also merges the duplicated Authenticate/AuthenticateToUser token dispatch behind resolveBearer, dedups the AuthContext unauthenticated state, extracts the redirect decision into a pure shouldGatePrivateInstance helper, and prints the access mode at startup.
7 days ago
grandpig 76aee4e177
refactor: use the built-in max/min to simplify the code (#6060)
Signed-off-by: grandpig <grandpig@outlook.com>
1 week ago
boojack 0e1d821fb8 feat(mcp): expose create_attachment tool
Add AttachmentService_CreateAttachment to the curated MCP allowlist so
agents can upload files (inline base64 content) alongside memos, closing
the gap where the MCP server could list/get/delete attachments but not
create them.

Closes #6057
2 weeks ago
boojack 047175dbed chore(mcp): improve tool discoverability, add orientation tools and evals
Make the OpenAPI-driven MCP surface more usable by agents, following the
mcp-builder guidance.

- Enrich proto descriptions (single source of truth, flows to OpenAPI + MCP
  tool descriptions): document the memo `filter` CEL grammar with fields and
  examples (replacing the dangling "Refer to Shortcut.filter"), clarify the
  created_ts/updated_ts vs create_time/update_time naming, the visibility
  enum, the declarative replace semantics of Set* ops, and steer tag filters
  to `"x" in tags` (not the unsupported `tag == "x"`).
- Mark SetMemoAttachments / SetMemoRelations idempotent via a per-operation
  override the HTTP-method heuristic can't express.
- Curate two read-only orientation tools: shortcut_list_shortcuts (surfaces
  reusable CEL filters) and auth_get_current_user (the single allowed
  auth/identity op, for resolving the current user); guard test updated to
  keep the rest of the auth/user surface excluded.
- Add a task-level evaluation suite (server/router/mcp/evals) with 10
  verified questions, pinned to the deterministic demo seed.
2 weeks ago
boojack eb826455b6 chore(webhook): reveal-later signing secret flow
Generate webhook signing secrets server-side and let users reveal them on
demand, replacing the create-dialog secret controls that surfaced internal
mask state (Status / Generate & Copy / Clear / Pending) to users.

- Add owner-gated GetUserWebhookSigningSecret RPC — the only path that
  returns the secret; list/create/update responses still omit it.
- Generate the secret server-side on create (webhook.GenerateSigningSecret),
  so validity no longer depends on the client.
- Rename UserWebhook.has_signing_secret -> signing_secret_set for parity
  with the existing api_key_set field.
- Create dialog drops the secret section to a one-line note; the generated
  secret is shown once right after create and revealable from Edit later.
2 weeks ago
Yiges.M.x. c703b05dab
feat: add webhook edit UI and signing secret status indicator (#6027) 2 weeks ago
boojack 20c19ef82d feat(storage): add insecure_skip_tls_verify option for S3
Adds an opt-in toggle to skip TLS certificate verification when connecting
to the S3 endpoint, for self-hosted S3-compatible backends (e.g. rustfs,
MinIO) that use self-signed certificates. Exposed in both the store/API
protos and the storage settings UI, mirroring the existing use_path_style
toggle. When enabled, the AWS client uses an HTTP transport with
InsecureSkipVerify; default behavior is unchanged.

This governs backend-initiated S3 calls (uploads, deletes, thumbnails, and
image/document streaming). Video/audio playback redirects the browser to a
presigned URL, so that path still requires the browser to trust the cert.

Closes #6039
3 weeks ago
johnnyjoygh 8fa2ff4423 fix(mcp): allow reverse-proxied instances to serve /mcp
The go-sdk Streamable HTTP handler enables DNS-rebinding protection that
rejects any request whose Host header is non-loopback while the server is
bound to a loopback address. memos is commonly run bound to loopback behind a
reverse proxy (e.g. the public demo), so every /mcp request was rejected with
"403 Forbidden: invalid Host header" before authentication ran.

Disable the SDK's localhost protection and rely on memos' own Origin/Host
allowlist (isAllowedMCPOrigin) for CSRF / DNS-rebinding protection. Add a
regression test covering the proxied shape and confirming disallowed origins
are still rejected.
3 weeks ago
johnnyjoygh 96cb65320b fix(instance): add needs_setup so admin-less instances aren't treated as fresh
The frontend keyed first-run setup off a null InstanceProfile.admin, but a
null admin only means "no admin-role user exists" — which also happens on a
populated instance that has lost all its admins. Such an instance was wrongly
redirected to signup, where the new account is created as a normal user (the
first-user promotion only triggers when there are zero users), leaving the
instance permanently admin-less.

Add an explicit InstanceProfile.needs_setup derived from user count == 0, and
switch the signup redirect and host tip to use it. admin stays for display only.
3 weeks ago
boojack 385fa22056 fix(cors): open API to any origin for token auth, keep cookies same-origin
Reflect any Origin so token-authenticated clients (Access Token V2 / PAT)
can call the API cross-origin, but emit Access-Control-Allow-Credentials
only for trusted origins (same host / configured InstanceURL). This keeps
the SameSite=Lax refresh cookie unreadable by untrusted (incl. same-site
subdomain) origins. Origin: null is not reflected.

Note for operators: cross-origin token access is now open by default; if
you front memos with a caching proxy, ensure it honors `Vary: Origin`.
4 weeks ago
boojack 8080bd10e1 docs: add README for mcp 1 month ago
boojack f497f009ce fix(webhook): fail loud on malformed signing secret and add tests
Follow-up to #6013. The signing path silently fell back to using the raw
secret string as the HMAC key when a whsec_-prefixed secret had invalid
base64, producing signatures no receiver could verify with no server-side
signal.

- Extract resolveSigningKey helper that errors on invalid whsec_ base64
- Post returns that error (logged by the async dispatcher); ValidateSigningSecret
  rejects it at write time so a bad secret is never stored
- Fix stale comment referencing a nonexistent Authorization header
- Add Go tests: key derivation, secret validation, end-to-end signature
  round-trip, and the invariant that the secret never leaks into API responses
1 month ago
Yiges.M.x. 063a44498d
feat: add optional webhook signing secret (Standard Webhooks HMAC-SHA256) (#6013) 1 month ago
boojack 777d227eb9
feat: add OpenAPI-driven MCP support (#6026) 1 month ago
boojack 9eabb554d5
feat(settings): move tag metadata to user settings (#6017) 1 month ago
boojack 2a4638b332 chore: remove MCP server 1 month ago
boojack bb76949fc0 chore(server): centralize CORS policy 1 month ago
boojack e53b7d96e7
fix: delete user cleanup (#5981) 2 months ago
boojack 3c3382a3c6
fix: avoid update event on memo create attachments (#5961) 2 months ago
boojack 7f1f53ffc4 fix(s3presign): preserve motion media payload 2 months ago
boojack 511c04bca2 chore: fix linter 2 months ago
boojack f3f059b2f7 chore: add batch get settings API 2 months ago
boojack 21303e879d fix(sse): stream initial response and refresh tokens 2 months ago
boojack 88ac3ec31e feat(stats): support filtered all-user stats
- Add state and filter inputs to ListAllUserStats and reuse it for explore/archive sidebar stats.
- Reduce duplicate home initialization requests by sharing stats/settings data paths.
- Include memo paragraph regression coverage from the current working tree.
2 months ago
boojack c49e75f91f chore: avoid copying memo protobuf locks 2 months ago
boojack 4a1e401bd9 fix(memo): enforce parent visibility for comments 2 months ago
boojack 02096836c3 test: stabilize backend tests in CI
- Avoid requiring built frontend assets in cache header tests.
- Skip Testcontainers-backed store tests when Docker is unavailable.
2 months ago
boojack 084f40bc9e fix(frontend): correct static cache headers 2 months ago
boojack 5ccba98adc
refactor: split STT and Audio-LLM into separate interfaces (#5928) 2 months ago
boojack 238f27dea1
feat(transcription): explicit STT settings with provider, model, prompt (#5926) 2 months ago
Steven 8daef1dc89 feat(activity-calendar): aggregate by ViewContext.timeBasis
Fixes the inconsistency where switching the memo list to update_time
left the activity heatmap aggregating by created_time. The heatmap
now follows the same time basis as the list it sits next to.

Backend
- UserStats gains memo_updated_timestamps (additive proto field, tag 8).
- GetUserStats and ListAllUserStats populate it alongside the existing
  memo_created_timestamps. No DB migration; memo.updated_ts already
  exists on every row.

Frontend
- useFilteredMemoStats reads timeBasis from ViewContext and selects
  the matching timestamp source.
- StatisticsView and MonthNavigator forward timeBasis through to
  MonthCalendar / YearCalendar so tooltip text matches the basis
  ("X memos in DATE" vs "X memos updated on DATE").
- Falls back to memoCreatedTimestamps when an old server returns an
  empty memoUpdatedTimestamps array (detected by length divergence,
  since protobuf-es deserializes missing repeated fields as []).

Tests
- Backend: TestGetUserStats_MemoUpdatedTimestamps verifies the field
  is populated and reflects post-creation updates.
- Frontend: filtered-memo-stats covers create/update source switching
  and the old-server fallback path; activity-calendar-tooltip covers
  basis-aware label selection.

Spec and implementation plan committed under docs/superpowers/.
2 months ago
Steven ea0625da45 feat(stats): admin instance resource statistics 2 months ago
Steven cd4f28ae10 feat(notification): add smtp email settings
- Add admin notification email settings UI and test-email RPC
- Dispatch privacy-first comment and mention emails through server notification layer
- Keep SMTP secrets write-only and require passwords when SMTP identity changes
2 months ago
Steven 35bf761b8c fix(security): enforce attachment ownership on memo updates 2 months ago
Tokenicrat 词元 603781f792
fix(frontend): use correct url path for memos in sitemap.xml (#5921) 2 months ago
boojack 1df3fe7955
fix(user): omit internal settings from list responses (#5917) 2 months ago
boojack 9c5c604944 feat: add link metadata endpoints 2 months ago
memoclaw c7242324a1 fix(fileserver): preserve HDR image metadata in thumbnails 2 months ago
boojack 94ce1e5347 chore(settings): show build commit in version info 3 months ago
boojack c268551a16
feat(memos): choose created or updated time for memos (#5894) 3 months ago
boojack 0fb83a745d
fix(auth): harden authorization and username validation (#5890) 3 months ago
boojack ee1799851e
feat: redesign account and SSO management (#5886) 3 months ago
boojack 30c0611a82
fix: fix legacy username auth flows (#5885) 3 months ago
boojack d688914b28
feat(auth): add SSO user identity linkage (#5883) 3 months ago
boojack 50638040f6
fix: reduce list memo query overhead (#5880) 3 months ago
George Wu bbded584ce
fix: user resource names can be uuidv4 from idp sub claim (#5856) 3 months ago
boojack 01be01f4b7
fix: mixed-case user resource names (#5853) 3 months ago
boojack 583c3d24f4
feat(mcp): harden tool exposure and side effects (#5850) 3 months ago
wndnjs0 0fc1dab28b
fix: add unix socket file permission setting (755 -> 660) (#5849) 3 months ago
boojack ff6389a5ef fix(api): appease image size lint 3 months ago