Commit Graph

418 Commits (c1236392d361368b54b55cee1ad688defda760bb)

Author SHA1 Message Date
boojack d1cef7a9ab feat(auth): add private instance mode derived from instance_url
Run the instance in private mode when instance_url is not configured: the API rejects anonymous requests except the auth-bootstrap set (sign-in, token refresh, instance profile/settings, SSO providers, share-link access) plus first-run user creation, and the web UI redirects anonymous visitors to /auth instead of /explore. Setting instance_url keeps the current public behavior. Access tokens and personal access tokens are never gated.

Enforcement lives in a shared Authorizer used by both the Connect interceptor and the gRPC-gateway middleware; the file server applies the same rule to public-memo attachments and avatars. Also merges the duplicated Authenticate/AuthenticateToUser token dispatch behind resolveBearer, dedups the AuthContext unauthenticated state, extracts the redirect decision into a pure shouldGatePrivateInstance helper, and prints the access mode at startup.
7 days ago
grandpig 76aee4e177
refactor: use the built-in max/min to simplify the code (#6060)
Signed-off-by: grandpig <grandpig@outlook.com>
1 week ago
boojack eb826455b6 chore(webhook): reveal-later signing secret flow
Generate webhook signing secrets server-side and let users reveal them on
demand, replacing the create-dialog secret controls that surfaced internal
mask state (Status / Generate & Copy / Clear / Pending) to users.

- Add owner-gated GetUserWebhookSigningSecret RPC — the only path that
  returns the secret; list/create/update responses still omit it.
- Generate the secret server-side on create (webhook.GenerateSigningSecret),
  so validity no longer depends on the client.
- Rename UserWebhook.has_signing_secret -> signing_secret_set for parity
  with the existing api_key_set field.
- Create dialog drops the secret section to a one-line note; the generated
  secret is shown once right after create and revealable from Edit later.
2 weeks ago
Yiges.M.x. c703b05dab
feat: add webhook edit UI and signing secret status indicator (#6027) 2 weeks ago
boojack 20c19ef82d feat(storage): add insecure_skip_tls_verify option for S3
Adds an opt-in toggle to skip TLS certificate verification when connecting
to the S3 endpoint, for self-hosted S3-compatible backends (e.g. rustfs,
MinIO) that use self-signed certificates. Exposed in both the store/API
protos and the storage settings UI, mirroring the existing use_path_style
toggle. When enabled, the AWS client uses an HTTP transport with
InsecureSkipVerify; default behavior is unchanged.

This governs backend-initiated S3 calls (uploads, deletes, thumbnails, and
image/document streaming). Video/audio playback redirects the browser to a
presigned URL, so that path still requires the browser to trust the cert.

Closes #6039
3 weeks ago
johnnyjoygh 96cb65320b fix(instance): add needs_setup so admin-less instances aren't treated as fresh
The frontend keyed first-run setup off a null InstanceProfile.admin, but a
null admin only means "no admin-role user exists" — which also happens on a
populated instance that has lost all its admins. Such an instance was wrongly
redirected to signup, where the new account is created as a normal user (the
first-user promotion only triggers when there are zero users), leaving the
instance permanently admin-less.

Add an explicit InstanceProfile.needs_setup derived from user count == 0, and
switch the signup redirect and host tip to use it. admin stays for display only.
3 weeks ago
boojack f497f009ce fix(webhook): fail loud on malformed signing secret and add tests
Follow-up to #6013. The signing path silently fell back to using the raw
secret string as the HMAC key when a whsec_-prefixed secret had invalid
base64, producing signatures no receiver could verify with no server-side
signal.

- Extract resolveSigningKey helper that errors on invalid whsec_ base64
- Post returns that error (logged by the async dispatcher); ValidateSigningSecret
  rejects it at write time so a bad secret is never stored
- Fix stale comment referencing a nonexistent Authorization header
- Add Go tests: key derivation, secret validation, end-to-end signature
  round-trip, and the invariant that the secret never leaks into API responses
1 month ago
Yiges.M.x. 063a44498d
feat: add optional webhook signing secret (Standard Webhooks HMAC-SHA256) (#6013) 1 month ago
boojack 9eabb554d5
feat(settings): move tag metadata to user settings (#6017) 1 month ago
boojack bb76949fc0 chore(server): centralize CORS policy 1 month ago
boojack e53b7d96e7
fix: delete user cleanup (#5981) 2 months ago
boojack 3c3382a3c6
fix: avoid update event on memo create attachments (#5961) 2 months ago
boojack 511c04bca2 chore: fix linter 2 months ago
boojack f3f059b2f7 chore: add batch get settings API 2 months ago
boojack 21303e879d fix(sse): stream initial response and refresh tokens 2 months ago
boojack 88ac3ec31e feat(stats): support filtered all-user stats
- Add state and filter inputs to ListAllUserStats and reuse it for explore/archive sidebar stats.
- Reduce duplicate home initialization requests by sharing stats/settings data paths.
- Include memo paragraph regression coverage from the current working tree.
2 months ago
boojack c49e75f91f chore: avoid copying memo protobuf locks 2 months ago
boojack 4a1e401bd9 fix(memo): enforce parent visibility for comments 2 months ago
boojack 5ccba98adc
refactor: split STT and Audio-LLM into separate interfaces (#5928) 2 months ago
boojack 238f27dea1
feat(transcription): explicit STT settings with provider, model, prompt (#5926) 2 months ago
Steven 8daef1dc89 feat(activity-calendar): aggregate by ViewContext.timeBasis
Fixes the inconsistency where switching the memo list to update_time
left the activity heatmap aggregating by created_time. The heatmap
now follows the same time basis as the list it sits next to.

Backend
- UserStats gains memo_updated_timestamps (additive proto field, tag 8).
- GetUserStats and ListAllUserStats populate it alongside the existing
  memo_created_timestamps. No DB migration; memo.updated_ts already
  exists on every row.

Frontend
- useFilteredMemoStats reads timeBasis from ViewContext and selects
  the matching timestamp source.
- StatisticsView and MonthNavigator forward timeBasis through to
  MonthCalendar / YearCalendar so tooltip text matches the basis
  ("X memos in DATE" vs "X memos updated on DATE").
- Falls back to memoCreatedTimestamps when an old server returns an
  empty memoUpdatedTimestamps array (detected by length divergence,
  since protobuf-es deserializes missing repeated fields as []).

Tests
- Backend: TestGetUserStats_MemoUpdatedTimestamps verifies the field
  is populated and reflects post-creation updates.
- Frontend: filtered-memo-stats covers create/update source switching
  and the old-server fallback path; activity-calendar-tooltip covers
  basis-aware label selection.

Spec and implementation plan committed under docs/superpowers/.
2 months ago
Steven ea0625da45 feat(stats): admin instance resource statistics 2 months ago
Steven cd4f28ae10 feat(notification): add smtp email settings
- Add admin notification email settings UI and test-email RPC
- Dispatch privacy-first comment and mention emails through server notification layer
- Keep SMTP secrets write-only and require passwords when SMTP identity changes
2 months ago
Steven 35bf761b8c fix(security): enforce attachment ownership on memo updates 2 months ago
boojack 1df3fe7955
fix(user): omit internal settings from list responses (#5917) 2 months ago
boojack 9c5c604944 feat: add link metadata endpoints 2 months ago
boojack 94ce1e5347 chore(settings): show build commit in version info 3 months ago
boojack c268551a16
feat(memos): choose created or updated time for memos (#5894) 3 months ago
boojack 0fb83a745d
fix(auth): harden authorization and username validation (#5890) 3 months ago
boojack ee1799851e
feat: redesign account and SSO management (#5886) 3 months ago
boojack 30c0611a82
fix: fix legacy username auth flows (#5885) 3 months ago
boojack d688914b28
feat(auth): add SSO user identity linkage (#5883) 3 months ago
boojack 50638040f6
fix: reduce list memo query overhead (#5880) 3 months ago
George Wu bbded584ce
fix: user resource names can be uuidv4 from idp sub claim (#5856) 3 months ago
boojack 01be01f4b7
fix: mixed-case user resource names (#5853) 3 months ago
boojack ff6389a5ef fix(api): appease image size lint 3 months ago
boojack c45663761d fix(api): reduce memory pressure in backend paths 3 months ago
boojack 8479e1d5a3 test: close SSE response body explicitly 3 months ago
boojack a5ddd5adaf fix(server): close SSE clients during shutdown
Close long-lived SSE streams before HTTP shutdown so graceful shutdown is not held until the deadline. Also wait for background runners before closing the store to make shutdown ordering explicit.
3 months ago
boojack a7fd1dacc9
refactor(ai): use official provider SDKs (#5845) 3 months ago
boojack 101704c8ea
feat(ai): add BYOK audio transcription (#5832) 3 months ago
boojack 0ad0fec8d4 feat(ai): add Anthropic provider option 3 months ago
memoclaw d87539a1e1
feat: add Gemini transcription provider (#5830)
Co-authored-by: memoclaw <265580040+memoclaw@users.noreply.github.com>
3 months ago
memoclaw 83ed32f119
feat(ai): add instance AI providers and transcription (#5829)
Co-authored-by: memoclaw <265580040+memoclaw@users.noreply.github.com>
3 months ago
memoclaw 24fc8ab8ca
feat(mentions): add memo mention parsing, notifications, and rendering (#5811)
Co-authored-by: memoclaw <265580040+memoclaw@users.noreply.github.com>
3 months ago
boojack c3e7e2c316 fix: normalize attachment MIME types before validation 3 months ago
boojack 10a955fd62 refactor: move plugin packages under internal 3 months ago
boojack 4b4e719470
feat(attachments): add Live Photo and Motion Photo support (#5810) 3 months ago
boojack 25feef3aad
fix(api): tolerate missing related users in memo conversions (#5809) 3 months ago
memoclaw 1921b57662
fix(tags): allow blur-only tag metadata (#5800)
Co-authored-by: memoclaw <265580040+memoclaw@users.noreply.github.com>
3 months ago