Commit Graph

15396 Commits

Author SHA1 Message Date
Tam Nguyen 7dd6d2b13c deps: bump cloudflare-ddns to v2.1.2 2026-05-18 14:52:15 +10:00
Khiet Tam Nguyen 919295e9ed Merge branch 'coollabsio:v4.x' into cloudflare-ddns 2026-05-18 14:48:42 +10:00
Andras Bacsai 922950de59 chore(templates): sync service-templates from next (#9884) 2026-04-30 07:05:35 +02:00
Andras Bacsai 51d6795eeb chore(templates): sync service-templates from next
Pulls latest service-templates JSON files from `next` so cloud's hourly
PullTemplatesFromCDN job picks up queued template fixes (Jitsi, Plane,
Cap, Beszel, Langfuse, Twenty, Cal.com, etc.).

`templates/**` is in `paths-ignore` of coolify-production-build.yml so
no image rebuild triggered.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-30 07:04:12 +02:00
Andras Bacsai 96bfc14543 v4.0.0 (#9818) 2026-04-27 10:51:15 +02:00
Andras Bacsai d0ed4fa4c4 version ++ finally 2026-04-27 09:09:01 +02:00
Andras Bacsai 8deb19e5e4 fix(service): rally invalid next public url (#9041) 2026-04-27 09:08:04 +02:00
Andras Bacsai e1a295ac6c fix(service): add missing database alteration step for Logto latest image (#9376) 2026-04-27 09:07:53 +02:00
Andras Bacsai 5a4f79441c fix(service): Jitsi Meet doesn't work (#9594) 2026-04-27 09:06:57 +02:00
Andras Bacsai 349e9289ad fix(service): twenty fails to deploy due to dependency unhealthy (#9603) 2026-04-27 09:06:41 +02:00
Andras Bacsai 43b8304e02 feat(service): enable plane (#9641) 2026-04-27 09:06:32 +02:00
Andras Bacsai e9a9a32e87 feat(services): add Cap to templates (#9729) 2026-04-27 09:06:09 +02:00
Andras Bacsai 3f736b5afd feat(service): add healthcheck to langfuse-worker (#9772) 2026-04-27 09:05:38 +02:00
Andras Bacsai 66ce3009a3 chore(service): update beszel to 0.18.7 (#9775) 2026-04-27 09:05:22 +02:00
Andras Bacsai d131066701 feat(service): disable calcom (#9776) 2026-04-27 09:04:56 +02:00
Andras Bacsai 968ae97dfc version++ 2026-04-27 09:01:36 +02:00
Andras Bacsai 8ef238d19c fix(helper): stop info icon click from propagating to parent on mobile (#9809) 2026-04-26 13:54:59 +02:00
Andras Bacsai 9cd379e737 fix(helper): add Alpine.js click toggle to info helper popup
Replace CSS-only hover with Alpine.js click-based open/close,
including click.outside to dismiss.
2026-04-26 12:55:34 +02:00
Andras Bacsai cad9fc99d6 docs(sponsors): add ParsecPH to Small sponsors 2026-04-26 12:53:45 +02:00
Andras Bacsai 74cc85139f docs(sponsors): add NetRouting to Small sponsors 2026-04-24 22:33:32 +02:00
ShadowArcanist d2b7dfe92a fix(service): remove volume declaration on jitsi 2026-04-24 09:40:01 +05:30
ShadowArcanist 424a41dbd0 fix(service): add missing category to jitsi 2026-04-24 09:30:57 +05:30
ShadowArcanist cd47711cd0 feat(service): disable calcom
Not maintained anymore by the calcom team
2026-04-24 02:28:08 +05:30
ShadowArcanist 5f45deedce chore(service): update beszel-agent to 0.18.7 2026-04-24 02:22:08 +05:30
ShadowArcanist b3d6877404 chore(service): update beszel to 0.18.7 2026-04-24 02:21:33 +05:30
ShadowArcanist 32ae288a12 fix(service): add port to metadata on plane 2026-04-24 00:12:17 +05:30
Gauthier POGAM--LE MONTAGNER f77fd2161c feat(service): add healthcheck to langfuse-worker 2026-04-23 18:08:40 +02:00
Andras Bacsai c5ce36018c docs(sponsors): add MindedTech to Small sponsors 2026-04-23 14:13:55 +02:00
Andras Bacsai 237313f5c7 docs(sponsors): update PrivateAlps description 2026-04-23 00:17:53 +02:00
ShadowArcanist e26d4e39e6 fix(service): add healthcheck on cap-captcha.yaml 2026-04-23 01:07:14 +05:30
ShadowArcanist 716c741fff fix(service): pin docker image on cap-captcha.yaml 2026-04-23 01:07:00 +05:30
ShadowArcanist d425998476 fix(service): service url variable on cap-captcha.yaml 2026-04-23 01:06:44 +05:30
ShadowArcanist ae1a24a83b fix(service): add category on cap-captcha.yaml 2026-04-23 01:06:25 +05:30
ShadowArcanist 833f5769e5 fix(service): docs link on cap-captcha.yaml 2026-04-23 01:06:07 +05:30
Andras Bacsai 6b00c31ff2 fix(navigation): replace wire:navigate.hover with wire:navigate (#9742) 2026-04-22 20:56:45 +02:00
Andras Bacsai 19767a569b fix(navigation): replace wire:navigate.hover with wire:navigate
Remove hover prefetching variant from SPA navigation helper,
both in the happy path and the exception fallback.
2026-04-22 20:55:09 +02:00
tiago 0c1c5c5831 feat: add Cap to templates 2026-04-22 10:15:18 +01:00
Andras Bacsai 4e561264b4 docs(sponsors): add PrivateAlps to Huge and YouStable to Small sponsors 2026-04-22 08:58:38 +02:00
Andras Bacsai 37518813a6 v4.0.0-beta.474 (#9542) 2026-04-21 12:30:44 +02:00
Andras Bacsai e1aac50b74 refactor(validation): tokenize shell-safe command pattern (#9684) 2026-04-20 22:04:36 +02:00
Andras Bacsai 817128c5af refactor(validation): tokenize shell-safe command pattern
Replace the flat character-class regex for SHELL_SAFE_COMMAND_PATTERN with
a token-aware alternation. The parser now recognizes explicit tokens
(`&&`, `||`, balanced single/double quotes, whitespace, and an unquoted
safe-char run) instead of a bag of characters, which lets us extend the
accepted grammar without loosening the guarantees.

New surface area, with tests:
- logical OR chaining (`make build || make clean`)
- shell globs and bang (`rm *.tmp`, `cp src/?.js dist/`, `! grep -q foo`)
- single-quoted arguments are now treated as balanced runs rather than
  rejected per-character

Preserved surface area:
- && chaining, balanced "..." and '...' quotes, the previous safe path /
  argument characters, and the existing error-path contract in
  ApplicationDeploymentJob::validateShellSafeCommand().

Also refreshes the user-facing validation messages in General.php so the
allow/deny list shown on failure matches the new grammar.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-20 22:00:41 +02:00
Andras Bacsai 8e22360139 refactor(database): align Postgres SSL chown escaping with MySQL (#9682) 2026-04-20 21:44:02 +02:00
Andras Bacsai f0e955bf45 refactor(database): escape postgres_user in SSL chown command
Apply escapeshellarg() to the Postgres username before interpolating it
into the chown command used to fix SSL certificate ownership, matching
the handling already in place for StartMysql. This keeps the sink-side
escaping consistent across database actions, independent of upstream
input validation.

Also adjusts an assertion in DatabaseSslCredentialEscapingTest to match
the actual double-escaped output of executeInDocker, and adds Postgres
regression cases for subshell and semicolon payloads.
2026-04-20 21:41:48 +02:00
Andras Bacsai 1cf6c7d0ae fix(database): tighten Postgres init script filename handling (#9681) 2026-04-20 21:27:56 +02:00
Andras Bacsai a05d4e3a4b fix(database): tighten Postgres init script filename handling
Validate new init-script filenames against path traversal and shell
metacharacters via a new validateFilenameSafe() helper, and harden the
write/delete paths with basename() + escapeshellarg() so legacy rows
still deploy and can be cleaned up without regressions.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-20 21:26:34 +02:00
Andras Bacsai b1a78df58e feat(security): add expiration support for API tokens (#9677) 2026-04-20 14:29:28 +02:00
Andras Bacsai 90ddbb3572 feat(security): support expiration on API tokens with warning notifications
Add optional expiration to personal API tokens. Users pick a duration
(1/7/30/60/90 days or Never) at creation time. Expired tokens are
rejected by Sanctum, pruned hourly by sanctum:prune-expired, and a
team notification fires ~24h before expiry so owners can rotate
before API calls start failing.

- ApiTokens Livewire component stores expires_at from expiresInDays
- Rework issued-tokens UI from card grid to table (matches other views)
- New ApiTokenExpirationWarningJob scheduled hourly (idempotent via RateLimiter)
- New ApiTokenExpiringNotification (email/discord/telegram/slack/pushover)
- api_token_expiring added to alwaysSendEvents so users cannot silence
  expiry warnings from the per-event notification toggle UI
- sanctum:prune-expired cadence moved from daily to hourly

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-20 14:28:38 +02:00
Andras Bacsai bff6d85370 fix(database): credential format validation with dirty-value escape hatch (#9676) 2026-04-20 14:24:06 +02:00
Andras Bacsai 40a9881ef2 fix(database): skip credential pattern validation for unchanged values
Pattern enforcement now conditional on field being dirty (changed vs
saved value). Prevents false validation failures when existing records
hold legacy credential formats that pre-date the stricter regex rules.
2026-04-20 13:58:44 +02:00
Andras Bacsai 03313e54cc fix(database): enforce credential format validation and sanitize init/SSL arguments
Add ValidationPatterns helpers for database identifiers and passwords,
apply them across database Livewire components and the API controller,
encode MongoDB init script values via json_encode, and pass the MySQL
user through escapeshellarg when generating SSL chown commands.
2026-04-20 13:58:36 +02:00