Update migration to allow all ports

1.14.0 ready

.github/workflows/cicd.yml

@@ -99,7 +99,7 @@ jobs:
               id: check-rc
               run: |
                   TAG=${{ env.TAG }}
-                  if [[ "$TAG" == *".rc."* ]]; then
+                  if [[ "$TAG" == *"-rc."* ]]; then
                       echo "IS_RC=true" >> $GITHUB_ENV
                   else
                       echo "IS_RC=false" >> $GITHUB_ENV
@@ -171,7 +171,7 @@ jobs:
               id: check-rc
               run: |
                   TAG=${{ env.TAG }}
-                  if [[ "$TAG" == *".rc."* ]]; then
+                  if [[ "$TAG" == *"-rc."* ]]; then
                       echo "IS_RC=true" >> $GITHUB_ENV
                   else
                       echo "IS_RC=false" >> $GITHUB_ENV
@@ -219,7 +219,7 @@ jobs:
               id: check-rc
               run: |
                   TAG=${{ env.TAG }}
-                  if [[ "$TAG" == *".rc."* ]]; then
+                  if [[ "$TAG" == *"-rc."* ]]; then
                       echo "IS_RC=true" >> $GITHUB_ENV
                   else
                       echo "IS_RC=false" >> $GITHUB_ENV
@@ -322,13 +322,18 @@ jobs:
               shell: bash
 
             - name: Login to GHCR
+              env:
+                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
               run: |
+                  mkdir -p "$(dirname "$REGISTRY_AUTH_FILE")"
                   skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
               shell: bash
 
             - name: Copy tag from Docker Hub to GHCR
               # Mirror the already-built image (all architectures) to GHCR so we can sign it
               # Wait a bit for both architectures to be available in Docker Hub manifest
+              env:
+                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
               run: |
                   set -euo pipefail
                   TAG=${{ env.TAG }}

.github/workflows/mirror.yaml

@@ -45,7 +45,7 @@ jobs:
         run: |
           set -euo pipefail
           skopeo list-tags --retry-times 3 docker://"${SOURCE_IMAGE}" \
-            | jq -r '.Tags[]' | sort -u > src-tags.txt
+            | jq -r '.Tags[]' | grep -v -e '-arm64' -e '-amd64' | sort -u > src-tags.txt
           echo "Found source tags: $(wc -l < src-tags.txt)"
           head -n 20 src-tags.txt || true
 

messages/en-US.json

@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Enter confirmation",
     "blueprintViewDetails": "Details",
     "defaultIdentityProvider": "Default Identity Provider",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Network Settings",
     "editInternalResourceDialogAccessPolicy": "Access Policy",
     "editInternalResourceDialogAddRoles": "Add Roles",

server/db/pg/schema/schema.ts

@@ -134,13 +134,15 @@ export const resources = pgTable("resources", {
     proxyProtocol: boolean("proxyProtocol").notNull().default(false),
     proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
 
-    maintenanceModeEnabled: boolean("maintenanceModeEnabled").notNull().default(false),
+    maintenanceModeEnabled: boolean("maintenanceModeEnabled")
+        .notNull()
+        .default(false),
     maintenanceModeType: text("maintenanceModeType", {
         enum: ["forced", "automatic"]
     }).default("forced"), // "forced" = always show, "automatic" = only when down
     maintenanceTitle: text("maintenanceTitle"),
     maintenanceMessage: text("maintenanceMessage"),
-    maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
+    maintenanceEstimatedTime: text("maintenanceEstimatedTime")
 });
 
 export const targets = pgTable("targets", {
@@ -223,8 +225,8 @@ export const siteResources = pgTable("siteResources", {
     enabled: boolean("enabled").notNull().default(true),
     alias: varchar("alias"),
     aliasAddress: varchar("aliasAddress"),
-    tcpPortRangeString: varchar("tcpPortRangeString"),
+    tcpPortRangeString: varchar("tcpPortRangeString").notNull().default("*"),
-    udpPortRangeString: varchar("udpPortRangeString"),
+    udpPortRangeString: varchar("udpPortRangeString").notNull().default("*"),
     disableIcmp: boolean("disableIcmp").notNull().default(false)
 });
 
@@ -464,13 +466,22 @@ export const resourceHeaderAuth = pgTable("resourceHeaderAuth", {
     headerAuthHash: varchar("headerAuthHash").notNull()
 });
 
-export const resourceHeaderAuthExtendedCompatibility = pgTable("resourceHeaderAuthExtendedCompatibility", {
+export const resourceHeaderAuthExtendedCompatibility = pgTable(
-    headerAuthExtendedCompatibilityId: serial("headerAuthExtendedCompatibilityId").primaryKey(),
+    "resourceHeaderAuthExtendedCompatibility",
-    resourceId: integer("resourceId")
+    {
-        .notNull()
+        headerAuthExtendedCompatibilityId: serial(
-        .references(() => resources.resourceId, { onDelete: "cascade" }),
+            "headerAuthExtendedCompatibilityId"
-    extendedCompatibilityIsActivated: boolean("extendedCompatibilityIsActivated").notNull().default(true),
+        ).primaryKey(),
-});
+        resourceId: integer("resourceId")
+            .notNull()
+            .references(() => resources.resourceId, { onDelete: "cascade" }),
+        extendedCompatibilityIsActivated: boolean(
+            "extendedCompatibilityIsActivated"
+        )
+            .notNull()
+            .default(true)
+    }
+);
 
 export const resourceAccessToken = pgTable("resourceAccessToken", {
     accessTokenId: varchar("accessTokenId").primaryKey(),
@@ -872,7 +883,9 @@ export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
 export type ResourceHeaderAuth = InferSelectModel<typeof resourceHeaderAuth>;
-export type ResourceHeaderAuthExtendedCompatibility = InferSelectModel<typeof resourceHeaderAuthExtendedCompatibility>;
+export type ResourceHeaderAuthExtendedCompatibility = InferSelectModel<
+    typeof resourceHeaderAuthExtendedCompatibility
+>;
 export type ResourceOtp = InferSelectModel<typeof resourceOtp>;
 export type ResourceAccessToken = InferSelectModel<typeof resourceAccessToken>;
 export type ResourceWhitelist = InferSelectModel<typeof resourceWhitelist>;

server/db/queries/verifySessionQueries.ts

@@ -1,6 +1,4 @@
-import {
+import { db, loginPage, LoginPage, loginPageOrg, Org, orgs } from "@server/db";
-    db, loginPage, LoginPage, loginPageOrg, Org, orgs,
-} from "@server/db";
 import {
     Resource,
     ResourcePassword,
@@ -27,7 +25,7 @@ export type ResourceWithAuth = {
     pincode: ResourcePincode | null;
     password: ResourcePassword | null;
     headerAuth: ResourceHeaderAuth | null;
-    headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null
+    headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
     org: Org;
 };
 
@@ -59,12 +57,12 @@ export async function getResourceByDomain(
         )
         .leftJoin(
             resourceHeaderAuthExtendedCompatibility,
-            eq(resourceHeaderAuthExtendedCompatibility.resourceId, resources.resourceId)
+            eq(
-        )
+                resourceHeaderAuthExtendedCompatibility.resourceId,
-        .innerJoin(
+                resources.resourceId
-            orgs,
+            )
-            eq(orgs.orgId, resources.orgId)
         )
+        .innerJoin(orgs, eq(orgs.orgId, resources.orgId))
         .where(eq(resources.fullDomain, domain))
         .limit(1);
 
@@ -77,7 +75,8 @@ export async function getResourceByDomain(
         pincode: result.resourcePincode,
         password: result.resourcePassword,
         headerAuth: result.resourceHeaderAuth,
-        headerAuthExtendedCompatibility: result.resourceHeaderAuthExtendedCompatibility,
+        headerAuthExtendedCompatibility:
+            result.resourceHeaderAuthExtendedCompatibility,
         org: result.orgs
     };
 }

server/db/sqlite/schema/schema.ts

@@ -12,22 +12,22 @@ import { no } from "zod/v4/locales";
 export const domains = sqliteTable("domains", {
     domainId: text("domainId").primaryKey(),
     baseDomain: text("baseDomain").notNull(),
-    configManaged: integer("configManaged", {mode: "boolean"})
+    configManaged: integer("configManaged", { mode: "boolean" })
         .notNull()
         .default(false),
     type: text("type"), // "ns", "cname", "wildcard"
-    verified: integer("verified", {mode: "boolean"}).notNull().default(false),
+    verified: integer("verified", { mode: "boolean" }).notNull().default(false),
-    failed: integer("failed", {mode: "boolean"}).notNull().default(false),
+    failed: integer("failed", { mode: "boolean" }).notNull().default(false),
     tries: integer("tries").notNull().default(0),
     certResolver: text("certResolver"),
-    preferWildcardCert: integer("preferWildcardCert", {mode: "boolean"})
+    preferWildcardCert: integer("preferWildcardCert", { mode: "boolean" })
 });
 
 export const dnsRecords = sqliteTable("dnsRecords", {
-    id: integer("id").primaryKey({autoIncrement: true}),
+    id: integer("id").primaryKey({ autoIncrement: true }),
     domainId: text("domainId")
         .notNull()
-        .references(() => domains.domainId, {onDelete: "cascade"}),
+        .references(() => domains.domainId, { onDelete: "cascade" }),
 
     recordType: text("recordType").notNull(), // "NS" | "CNAME" | "A" | "TXT"
     baseDomain: text("baseDomain"),
@@ -41,7 +41,7 @@ export const orgs = sqliteTable("orgs", {
     subnet: text("subnet"),
     utilitySubnet: text("utilitySubnet"), // this is the subnet for utility addresses
     createdAt: text("createdAt"),
-    requireTwoFactor: integer("requireTwoFactor", {mode: "boolean"}),
+    requireTwoFactor: integer("requireTwoFactor", { mode: "boolean" }),
     maxSessionLengthHours: integer("maxSessionLengthHours"), // hours
     passwordExpiryDays: integer("passwordExpiryDays"), // days
     settingsLogRetentionDaysRequest: integer("settingsLogRetentionDaysRequest") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
@@ -58,23 +58,23 @@ export const orgs = sqliteTable("orgs", {
 export const userDomains = sqliteTable("userDomains", {
     userId: text("userId")
         .notNull()
-        .references(() => users.userId, {onDelete: "cascade"}),
+        .references(() => users.userId, { onDelete: "cascade" }),
     domainId: text("domainId")
         .notNull()
-        .references(() => domains.domainId, {onDelete: "cascade"})
+        .references(() => domains.domainId, { onDelete: "cascade" })
 });
 
 export const orgDomains = sqliteTable("orgDomains", {
     orgId: text("orgId")
         .notNull()
-        .references(() => orgs.orgId, {onDelete: "cascade"}),
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
     domainId: text("domainId")
         .notNull()
-        .references(() => domains.domainId, {onDelete: "cascade"})
+        .references(() => domains.domainId, { onDelete: "cascade" })
 });
 
 export const sites = sqliteTable("sites", {
-    siteId: integer("siteId").primaryKey({autoIncrement: true}),
+    siteId: integer("siteId").primaryKey({ autoIncrement: true }),
     orgId: text("orgId")
         .references(() => orgs.orgId, {
             onDelete: "cascade"
@@ -91,7 +91,7 @@ export const sites = sqliteTable("sites", {
     megabytesOut: integer("bytesOut").default(0),
     lastBandwidthUpdate: text("lastBandwidthUpdate"),
     type: text("type").notNull(), // "newt" or "wireguard"
-    online: integer("online", {mode: "boolean"}).notNull().default(false),
+    online: integer("online", { mode: "boolean" }).notNull().default(false),
 
     // exit node stuff that is how to connect to the site when it has a wg server
     address: text("address"), // this is the address of the wireguard interface in newt
@@ -99,14 +99,14 @@ export const sites = sqliteTable("sites", {
     publicKey: text("publicKey"), // TODO: Fix typo in publicKey
     lastHolePunch: integer("lastHolePunch"),
     listenPort: integer("listenPort"),
-    dockerSocketEnabled: integer("dockerSocketEnabled", {mode: "boolean"})
+    dockerSocketEnabled: integer("dockerSocketEnabled", { mode: "boolean" })
         .notNull()
         .default(true)
 });
 
 export const resources = sqliteTable("resources", {
-    resourceId: integer("resourceId").primaryKey({autoIncrement: true}),
+    resourceId: integer("resourceId").primaryKey({ autoIncrement: true }),
-    resourceGuid: text("resourceGuid", {length: 36})
+    resourceGuid: text("resourceGuid", { length: 36 })
         .unique()
         .notNull()
         .$defaultFn(() => randomUUID()),
@@ -122,35 +122,39 @@ export const resources = sqliteTable("resources", {
     domainId: text("domainId").references(() => domains.domainId, {
         onDelete: "set null"
     }),
-    ssl: integer("ssl", {mode: "boolean"}).notNull().default(false),
+    ssl: integer("ssl", { mode: "boolean" }).notNull().default(false),
-    blockAccess: integer("blockAccess", {mode: "boolean"})
+    blockAccess: integer("blockAccess", { mode: "boolean" })
         .notNull()
         .default(false),
-    sso: integer("sso", {mode: "boolean"}).notNull().default(true),
+    sso: integer("sso", { mode: "boolean" }).notNull().default(true),
-    http: integer("http", {mode: "boolean"}).notNull().default(true),
+    http: integer("http", { mode: "boolean" }).notNull().default(true),
     protocol: text("protocol").notNull(),
     proxyPort: integer("proxyPort"),
-    emailWhitelistEnabled: integer("emailWhitelistEnabled", {mode: "boolean"})
+    emailWhitelistEnabled: integer("emailWhitelistEnabled", { mode: "boolean" })
         .notNull()
         .default(false),
-    applyRules: integer("applyRules", {mode: "boolean"})
+    applyRules: integer("applyRules", { mode: "boolean" })
         .notNull()
         .default(false),
-    enabled: integer("enabled", {mode: "boolean"}).notNull().default(true),
+    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
-    stickySession: integer("stickySession", {mode: "boolean"})
+    stickySession: integer("stickySession", { mode: "boolean" })
         .notNull()
         .default(false),
     tlsServerName: text("tlsServerName"),
     setHostHeader: text("setHostHeader"),
-    enableProxy: integer("enableProxy", {mode: "boolean"}).default(true),
+    enableProxy: integer("enableProxy", { mode: "boolean" }).default(true),
     skipToIdpId: integer("skipToIdpId").references(() => idp.idpId, {
         onDelete: "set null"
     }),
     headers: text("headers"), // comma-separated list of headers to add to the request
-    proxyProtocol: integer("proxyProtocol", { mode: "boolean" }).notNull().default(false),
+    proxyProtocol: integer("proxyProtocol", { mode: "boolean" })
+        .notNull()
+        .default(false),
     proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
 
-    maintenanceModeEnabled: integer("maintenanceModeEnabled", { mode: "boolean" })
+    maintenanceModeEnabled: integer("maintenanceModeEnabled", {
+        mode: "boolean"
+    })
         .notNull()
         .default(false),
     maintenanceModeType: text("maintenanceModeType", {
@@ -158,12 +162,11 @@ export const resources = sqliteTable("resources", {
     }).default("forced"), // "forced" = always show, "automatic" = only when down
     maintenanceTitle: text("maintenanceTitle"),
     maintenanceMessage: text("maintenanceMessage"),
-    maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
+    maintenanceEstimatedTime: text("maintenanceEstimatedTime")
-
 });
 
 export const targets = sqliteTable("targets", {
-    targetId: integer("targetId").primaryKey({autoIncrement: true}),
+    targetId: integer("targetId").primaryKey({ autoIncrement: true }),
     resourceId: integer("resourceId")
         .references(() => resources.resourceId, {
             onDelete: "cascade"
@@ -178,7 +181,7 @@ export const targets = sqliteTable("targets", {
     method: text("method"),
     port: integer("port").notNull(),
     internalPort: integer("internalPort"),
-    enabled: integer("enabled", {mode: "boolean"}).notNull().default(true),
+    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
     path: text("path"),
     pathMatchType: text("pathMatchType"), // exact, prefix, regex
     rewritePath: text("rewritePath"), // if set, rewrites the path to this value before sending to the target
@@ -192,8 +195,8 @@ export const targetHealthCheck = sqliteTable("targetHealthCheck", {
     }),
     targetId: integer("targetId")
         .notNull()
-        .references(() => targets.targetId, {onDelete: "cascade"}),
+        .references(() => targets.targetId, { onDelete: "cascade" }),
-    hcEnabled: integer("hcEnabled", {mode: "boolean"})
+    hcEnabled: integer("hcEnabled", { mode: "boolean" })
         .notNull()
         .default(false),
     hcPath: text("hcPath"),
@@ -215,7 +218,7 @@ export const targetHealthCheck = sqliteTable("targetHealthCheck", {
 });
 
 export const exitNodes = sqliteTable("exitNodes", {
-    exitNodeId: integer("exitNodeId").primaryKey({autoIncrement: true}),
+    exitNodeId: integer("exitNodeId").primaryKey({ autoIncrement: true }),
     name: text("name").notNull(),
     address: text("address").notNull(), // this is the address of the wireguard interface in gerbil
     endpoint: text("endpoint").notNull(), // this is how to reach gerbil externally - gets put into the wireguard config
@@ -223,7 +226,7 @@ export const exitNodes = sqliteTable("exitNodes", {
     listenPort: integer("listenPort").notNull(),
     reachableAt: text("reachableAt"), // this is the internal address of the gerbil http server for command control
     maxConnections: integer("maxConnections"),
-    online: integer("online", {mode: "boolean"}).notNull().default(false),
+    online: integer("online", { mode: "boolean" }).notNull().default(false),
     lastPing: integer("lastPing"),
     type: text("type").default("gerbil"), // gerbil, remoteExitNode
     region: text("region")
@@ -236,10 +239,10 @@ export const siteResources = sqliteTable("siteResources", {
     }),
     siteId: integer("siteId")
         .notNull()
-        .references(() => sites.siteId, {onDelete: "cascade"}),
+        .references(() => sites.siteId, { onDelete: "cascade" }),
     orgId: text("orgId")
         .notNull()
-        .references(() => orgs.orgId, {onDelete: "cascade"}),
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
     niceId: text("niceId").notNull(),
     name: text("name").notNull(),
     mode: text("mode").notNull(), // "host" | "cidr" | "port"
@@ -250,9 +253,9 @@ export const siteResources = sqliteTable("siteResources", {
     enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
     alias: text("alias"),
     aliasAddress: text("aliasAddress"),
-    tcpPortRangeString: text("tcpPortRangeString"),
+    tcpPortRangeString: text("tcpPortRangeString").notNull().default("*"),
-    udpPortRangeString: text("udpPortRangeString"),
+    udpPortRangeString: text("udpPortRangeString").notNull().default("*"),
-    disableIcmp: integer("disableIcmp", { mode: "boolean" })
+    disableIcmp: integer("disableIcmp", { mode: "boolean" }).notNull().default(false)
 });
 
 export const clientSiteResources = sqliteTable("clientSiteResources", {
@@ -292,20 +295,20 @@ export const users = sqliteTable("user", {
         onDelete: "cascade"
     }),
     passwordHash: text("passwordHash"),
-    twoFactorEnabled: integer("twoFactorEnabled", {mode: "boolean"})
+    twoFactorEnabled: integer("twoFactorEnabled", { mode: "boolean" })
         .notNull()
         .default(false),
     twoFactorSetupRequested: integer("twoFactorSetupRequested", {
         mode: "boolean"
     }).default(false),
     twoFactorSecret: text("twoFactorSecret"),
-    emailVerified: integer("emailVerified", {mode: "boolean"})
+    emailVerified: integer("emailVerified", { mode: "boolean" })
         .notNull()
         .default(false),
     dateCreated: text("dateCreated").notNull(),
     termsAcceptedTimestamp: text("termsAcceptedTimestamp"),
     termsVersion: text("termsVersion"),
-    serverAdmin: integer("serverAdmin", {mode: "boolean"})
+    serverAdmin: integer("serverAdmin", { mode: "boolean" })
         .notNull()
         .default(false),
     lastPasswordChange: integer("lastPasswordChange")
@@ -339,7 +342,7 @@ export const webauthnChallenge = sqliteTable("webauthnChallenge", {
 export const setupTokens = sqliteTable("setupTokens", {
     tokenId: text("tokenId").primaryKey(),
     token: text("token").notNull(),
-    used: integer("used", {mode: "boolean"}).notNull().default(false),
+    used: integer("used", { mode: "boolean" }).notNull().default(false),
     dateCreated: text("dateCreated").notNull(),
     dateUsed: text("dateUsed")
 });
@@ -378,7 +381,7 @@ export const clients = sqliteTable("clients", {
     lastBandwidthUpdate: text("lastBandwidthUpdate"),
     lastPing: integer("lastPing"),
     type: text("type").notNull(), // "olm"
-    online: integer("online", {mode: "boolean"}).notNull().default(false),
+    online: integer("online", { mode: "boolean" }).notNull().default(false),
     // endpoint: text("endpoint"),
     lastHolePunch: integer("lastHolePunch")
 });
@@ -424,10 +427,10 @@ export const olms = sqliteTable("olms", {
 });
 
 export const twoFactorBackupCodes = sqliteTable("twoFactorBackupCodes", {
-    codeId: integer("id").primaryKey({autoIncrement: true}),
+    codeId: integer("id").primaryKey({ autoIncrement: true }),
     userId: text("userId")
         .notNull()
-        .references(() => users.userId, {onDelete: "cascade"}),
+        .references(() => users.userId, { onDelete: "cascade" }),
     codeHash: text("codeHash").notNull()
 });
 
@@ -435,7 +438,7 @@ export const sessions = sqliteTable("session", {
     sessionId: text("id").primaryKey(),
     userId: text("userId")
         .notNull()
-        .references(() => users.userId, {onDelete: "cascade"}),
+        .references(() => users.userId, { onDelete: "cascade" }),
     expiresAt: integer("expiresAt").notNull(),
     issuedAt: integer("issuedAt"),
     deviceAuthUsed: integer("deviceAuthUsed", { mode: "boolean" })
@@ -447,7 +450,7 @@ export const newtSessions = sqliteTable("newtSession", {
     sessionId: text("id").primaryKey(),
     newtId: text("newtId")
         .notNull()
-        .references(() => newts.newtId, {onDelete: "cascade"}),
+        .references(() => newts.newtId, { onDelete: "cascade" }),
     expiresAt: integer("expiresAt").notNull()
 });
 
@@ -455,14 +458,14 @@ export const olmSessions = sqliteTable("clientSession", {
     sessionId: text("id").primaryKey(),
     olmId: text("olmId")
         .notNull()
-        .references(() => olms.olmId, {onDelete: "cascade"}),
+        .references(() => olms.olmId, { onDelete: "cascade" }),
     expiresAt: integer("expiresAt").notNull()
 });
 
 export const userOrgs = sqliteTable("userOrgs", {
     userId: text("userId")
         .notNull()
-        .references(() => users.userId, {onDelete: "cascade"}),
+        .references(() => users.userId, { onDelete: "cascade" }),
     orgId: text("orgId")
         .references(() => orgs.orgId, {
             onDelete: "cascade"
@@ -471,28 +474,28 @@ export const userOrgs = sqliteTable("userOrgs", {
     roleId: integer("roleId")
         .notNull()
         .references(() => roles.roleId),
-    isOwner: integer("isOwner", {mode: "boolean"}).notNull().default(false),
+    isOwner: integer("isOwner", { mode: "boolean" }).notNull().default(false),
     autoProvisioned: integer("autoProvisioned", {
         mode: "boolean"
     }).default(false)
 });
 
 export const emailVerificationCodes = sqliteTable("emailVerificationCodes", {
-    codeId: integer("id").primaryKey({autoIncrement: true}),
+    codeId: integer("id").primaryKey({ autoIncrement: true }),
     userId: text("userId")
         .notNull()
-        .references(() => users.userId, {onDelete: "cascade"}),
+        .references(() => users.userId, { onDelete: "cascade" }),
     email: text("email").notNull(),
     code: text("code").notNull(),
     expiresAt: integer("expiresAt").notNull()
 });
 
 export const passwordResetTokens = sqliteTable("passwordResetTokens", {
-    tokenId: integer("id").primaryKey({autoIncrement: true}),
+    tokenId: integer("id").primaryKey({ autoIncrement: true }),
     email: text("email").notNull(),
     userId: text("userId")
         .notNull()
-        .references(() => users.userId, {onDelete: "cascade"}),
+        .references(() => users.userId, { onDelete: "cascade" }),
     tokenHash: text("tokenHash").notNull(),
     expiresAt: integer("expiresAt").notNull()
 });
@@ -504,13 +507,13 @@ export const actions = sqliteTable("actions", {
 });
 
 export const roles = sqliteTable("roles", {
-    roleId: integer("roleId").primaryKey({autoIncrement: true}),
+    roleId: integer("roleId").primaryKey({ autoIncrement: true }),
     orgId: text("orgId")
         .references(() => orgs.orgId, {
             onDelete: "cascade"
         })
         .notNull(),
-    isAdmin: integer("isAdmin", {mode: "boolean"}),
+    isAdmin: integer("isAdmin", { mode: "boolean" }),
     name: text("name").notNull(),
     description: text("description")
 });
@@ -518,92 +521,92 @@ export const roles = sqliteTable("roles", {
 export const roleActions = sqliteTable("roleActions", {
     roleId: integer("roleId")
         .notNull()
-        .references(() => roles.roleId, {onDelete: "cascade"}),
+        .references(() => roles.roleId, { onDelete: "cascade" }),
     actionId: text("actionId")
         .notNull()
-        .references(() => actions.actionId, {onDelete: "cascade"}),
+        .references(() => actions.actionId, { onDelete: "cascade" }),
     orgId: text("orgId")
         .notNull()
-        .references(() => orgs.orgId, {onDelete: "cascade"})
+        .references(() => orgs.orgId, { onDelete: "cascade" })
 });
 
 export const userActions = sqliteTable("userActions", {
     userId: text("userId")
         .notNull()
-        .references(() => users.userId, {onDelete: "cascade"}),
+        .references(() => users.userId, { onDelete: "cascade" }),
     actionId: text("actionId")
         .notNull()
-        .references(() => actions.actionId, {onDelete: "cascade"}),
+        .references(() => actions.actionId, { onDelete: "cascade" }),
     orgId: text("orgId")
         .notNull()
-        .references(() => orgs.orgId, {onDelete: "cascade"})
+        .references(() => orgs.orgId, { onDelete: "cascade" })
 });
 
 export const roleSites = sqliteTable("roleSites", {
     roleId: integer("roleId")
         .notNull()
-        .references(() => roles.roleId, {onDelete: "cascade"}),
+        .references(() => roles.roleId, { onDelete: "cascade" }),
     siteId: integer("siteId")
         .notNull()
-        .references(() => sites.siteId, {onDelete: "cascade"})
+        .references(() => sites.siteId, { onDelete: "cascade" })
 });
 
 export const userSites = sqliteTable("userSites", {
     userId: text("userId")
         .notNull()
-        .references(() => users.userId, {onDelete: "cascade"}),
+        .references(() => users.userId, { onDelete: "cascade" }),
     siteId: integer("siteId")
         .notNull()
-        .references(() => sites.siteId, {onDelete: "cascade"})
+        .references(() => sites.siteId, { onDelete: "cascade" })
 });
 
 export const userClients = sqliteTable("userClients", {
     userId: text("userId")
         .notNull()
-        .references(() => users.userId, {onDelete: "cascade"}),
+        .references(() => users.userId, { onDelete: "cascade" }),
     clientId: integer("clientId")
         .notNull()
-        .references(() => clients.clientId, {onDelete: "cascade"})
+        .references(() => clients.clientId, { onDelete: "cascade" })
 });
 
 export const roleClients = sqliteTable("roleClients", {
     roleId: integer("roleId")
         .notNull()
-        .references(() => roles.roleId, {onDelete: "cascade"}),
+        .references(() => roles.roleId, { onDelete: "cascade" }),
     clientId: integer("clientId")
         .notNull()
-        .references(() => clients.clientId, {onDelete: "cascade"})
+        .references(() => clients.clientId, { onDelete: "cascade" })
 });
 
 export const roleResources = sqliteTable("roleResources", {
     roleId: integer("roleId")
         .notNull()
-        .references(() => roles.roleId, {onDelete: "cascade"}),
+        .references(() => roles.roleId, { onDelete: "cascade" }),
     resourceId: integer("resourceId")
         .notNull()
-        .references(() => resources.resourceId, {onDelete: "cascade"})
+        .references(() => resources.resourceId, { onDelete: "cascade" })
 });
 
 export const userResources = sqliteTable("userResources", {
     userId: text("userId")
         .notNull()
-        .references(() => users.userId, {onDelete: "cascade"}),
+        .references(() => users.userId, { onDelete: "cascade" }),
     resourceId: integer("resourceId")
         .notNull()
-        .references(() => resources.resourceId, {onDelete: "cascade"})
+        .references(() => resources.resourceId, { onDelete: "cascade" })
 });
 
 export const userInvites = sqliteTable("userInvites", {
     inviteId: text("inviteId").primaryKey(),
     orgId: text("orgId")
         .notNull()
-        .references(() => orgs.orgId, {onDelete: "cascade"}),
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
     email: text("email").notNull(),
     expiresAt: integer("expiresAt").notNull(),
     tokenHash: text("token").notNull(),
     roleId: integer("roleId")
         .notNull()
-        .references(() => roles.roleId, {onDelete: "cascade"})
+        .references(() => roles.roleId, { onDelete: "cascade" })
 });
 
 export const resourcePincode = sqliteTable("resourcePincode", {
@@ -612,7 +615,7 @@ export const resourcePincode = sqliteTable("resourcePincode", {
     }),
     resourceId: integer("resourceId")
         .notNull()
-        .references(() => resources.resourceId, {onDelete: "cascade"}),
+        .references(() => resources.resourceId, { onDelete: "cascade" }),
     pincodeHash: text("pincodeHash").notNull(),
     digitLength: integer("digitLength").notNull()
 });
@@ -623,7 +626,7 @@ export const resourcePassword = sqliteTable("resourcePassword", {
     }),
     resourceId: integer("resourceId")
         .notNull()
-        .references(() => resources.resourceId, {onDelete: "cascade"}),
+        .references(() => resources.resourceId, { onDelete: "cascade" }),
     passwordHash: text("passwordHash").notNull()
 });
 
@@ -633,28 +636,38 @@ export const resourceHeaderAuth = sqliteTable("resourceHeaderAuth", {
     }),
     resourceId: integer("resourceId")
         .notNull()
-        .references(() => resources.resourceId, {onDelete: "cascade"}),
+        .references(() => resources.resourceId, { onDelete: "cascade" }),
     headerAuthHash: text("headerAuthHash").notNull()
 });
 
-export const resourceHeaderAuthExtendedCompatibility = sqliteTable("resourceHeaderAuthExtendedCompatibility", {
+export const resourceHeaderAuthExtendedCompatibility = sqliteTable(
-    headerAuthExtendedCompatibilityId: integer("headerAuthExtendedCompatibilityId").primaryKey({
+    "resourceHeaderAuthExtendedCompatibility",
-        autoIncrement: true
+    {
-    }),
+        headerAuthExtendedCompatibilityId: integer(
-    resourceId: integer("resourceId")
+            "headerAuthExtendedCompatibilityId"
-        .notNull()
+        ).primaryKey({
-        .references(() => resources.resourceId, {onDelete: "cascade"}),
+            autoIncrement: true
-    extendedCompatibilityIsActivated: integer("extendedCompatibilityIsActivated", {mode: "boolean"}).notNull().default(true)
+        }),
-});
+        resourceId: integer("resourceId")
+            .notNull()
+            .references(() => resources.resourceId, { onDelete: "cascade" }),
+        extendedCompatibilityIsActivated: integer(
+            "extendedCompatibilityIsActivated",
+            { mode: "boolean" }
+        )
+            .notNull()
+            .default(true)
+    }
+);
 
 export const resourceAccessToken = sqliteTable("resourceAccessToken", {
     accessTokenId: text("accessTokenId").primaryKey(),
     orgId: text("orgId")
         .notNull()
-        .references(() => orgs.orgId, {onDelete: "cascade"}),
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
     resourceId: integer("resourceId")
         .notNull()
-        .references(() => resources.resourceId, {onDelete: "cascade"}),
+        .references(() => resources.resourceId, { onDelete: "cascade" }),
     tokenHash: text("tokenHash").notNull(),
     sessionLength: integer("sessionLength").notNull(),
     expiresAt: integer("expiresAt"),
@@ -667,13 +680,13 @@ export const resourceSessions = sqliteTable("resourceSessions", {
     sessionId: text("id").primaryKey(),
     resourceId: integer("resourceId")
         .notNull()
-        .references(() => resources.resourceId, {onDelete: "cascade"}),
+        .references(() => resources.resourceId, { onDelete: "cascade" }),
     expiresAt: integer("expiresAt").notNull(),
     sessionLength: integer("sessionLength").notNull(),
-    doNotExtend: integer("doNotExtend", {mode: "boolean"})
+    doNotExtend: integer("doNotExtend", { mode: "boolean" })
         .notNull()
         .default(false),
-    isRequestToken: integer("isRequestToken", {mode: "boolean"}),
+    isRequestToken: integer("isRequestToken", { mode: "boolean" }),
     userSessionId: text("userSessionId").references(() => sessions.sessionId, {
         onDelete: "cascade"
     }),
@@ -705,11 +718,11 @@ export const resourceSessions = sqliteTable("resourceSessions", {
 });
 
 export const resourceWhitelist = sqliteTable("resourceWhitelist", {
-    whitelistId: integer("id").primaryKey({autoIncrement: true}),
+    whitelistId: integer("id").primaryKey({ autoIncrement: true }),
     email: text("email").notNull(),
     resourceId: integer("resourceId")
         .notNull()
-        .references(() => resources.resourceId, {onDelete: "cascade"})
+        .references(() => resources.resourceId, { onDelete: "cascade" })
 });
 
 export const resourceOtp = sqliteTable("resourceOtp", {
@@ -718,7 +731,7 @@ export const resourceOtp = sqliteTable("resourceOtp", {
     }),
     resourceId: integer("resourceId")
         .notNull()
-        .references(() => resources.resourceId, {onDelete: "cascade"}),
+        .references(() => resources.resourceId, { onDelete: "cascade" }),
     email: text("email").notNull(),
     otpHash: text("otpHash").notNull(),
     expiresAt: integer("expiresAt").notNull()
@@ -730,11 +743,11 @@ export const versionMigrations = sqliteTable("versionMigrations", {
 });
 
 export const resourceRules = sqliteTable("resourceRules", {
-    ruleId: integer("ruleId").primaryKey({autoIncrement: true}),
+    ruleId: integer("ruleId").primaryKey({ autoIncrement: true }),
     resourceId: integer("resourceId")
         .notNull()
-        .references(() => resources.resourceId, {onDelete: "cascade"}),
+        .references(() => resources.resourceId, { onDelete: "cascade" }),
-    enabled: integer("enabled", {mode: "boolean"}).notNull().default(true),
+    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
     priority: integer("priority").notNull(),
     action: text("action").notNull(), // ACCEPT, DROP, PASS
     match: text("match").notNull(), // CIDR, PATH, IP
@@ -742,17 +755,17 @@ export const resourceRules = sqliteTable("resourceRules", {
 });
 
 export const supporterKey = sqliteTable("supporterKey", {
-    keyId: integer("keyId").primaryKey({autoIncrement: true}),
+    keyId: integer("keyId").primaryKey({ autoIncrement: true }),
     key: text("key").notNull(),
     githubUsername: text("githubUsername").notNull(),
     phrase: text("phrase"),
     tier: text("tier"),
-    valid: integer("valid", {mode: "boolean"}).notNull().default(false)
+    valid: integer("valid", { mode: "boolean" }).notNull().default(false)
 });
 
 // Identity Providers
 export const idp = sqliteTable("idp", {
-    idpId: integer("idpId").primaryKey({autoIncrement: true}),
+    idpId: integer("idpId").primaryKey({ autoIncrement: true }),
     name: text("name").notNull(),
     type: text("type").notNull(),
     defaultRoleMapping: text("defaultRoleMapping"),
@@ -772,7 +785,7 @@ export const idpOidcConfig = sqliteTable("idpOidcConfig", {
     variant: text("variant").notNull().default("oidc"),
     idpId: integer("idpId")
         .notNull()
-        .references(() => idp.idpId, {onDelete: "cascade"}),
+        .references(() => idp.idpId, { onDelete: "cascade" }),
     clientId: text("clientId").notNull(),
     clientSecret: text("clientSecret").notNull(),
     authUrl: text("authUrl").notNull(),
@@ -800,22 +813,22 @@ export const apiKeys = sqliteTable("apiKeys", {
     apiKeyHash: text("apiKeyHash").notNull(),
     lastChars: text("lastChars").notNull(),
     createdAt: text("dateCreated").notNull(),
-    isRoot: integer("isRoot", {mode: "boolean"}).notNull().default(false)
+    isRoot: integer("isRoot", { mode: "boolean" }).notNull().default(false)
 });
 
 export const apiKeyActions = sqliteTable("apiKeyActions", {
     apiKeyId: text("apiKeyId")
         .notNull()
-        .references(() => apiKeys.apiKeyId, {onDelete: "cascade"}),
+        .references(() => apiKeys.apiKeyId, { onDelete: "cascade" }),
     actionId: text("actionId")
         .notNull()
-        .references(() => actions.actionId, {onDelete: "cascade"})
+        .references(() => actions.actionId, { onDelete: "cascade" })
 });
 
 export const apiKeyOrg = sqliteTable("apiKeyOrg", {
     apiKeyId: text("apiKeyId")
         .notNull()
-        .references(() => apiKeys.apiKeyId, {onDelete: "cascade"}),
+        .references(() => apiKeys.apiKeyId, { onDelete: "cascade" }),
     orgId: text("orgId")
         .references(() => orgs.orgId, {
             onDelete: "cascade"
@@ -826,10 +839,10 @@ export const apiKeyOrg = sqliteTable("apiKeyOrg", {
 export const idpOrg = sqliteTable("idpOrg", {
     idpId: integer("idpId")
         .notNull()
-        .references(() => idp.idpId, {onDelete: "cascade"}),
+        .references(() => idp.idpId, { onDelete: "cascade" }),
     orgId: text("orgId")
         .notNull()
-        .references(() => orgs.orgId, {onDelete: "cascade"}),
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
     roleMapping: text("roleMapping"),
     orgMapping: text("orgMapping")
 });
@@ -847,19 +860,19 @@ export const blueprints = sqliteTable("blueprints", {
     name: text("name").notNull(),
     source: text("source").notNull(),
     createdAt: integer("createdAt").notNull(),
-    succeeded: integer("succeeded", {mode: "boolean"}).notNull(),
+    succeeded: integer("succeeded", { mode: "boolean" }).notNull(),
     contents: text("contents").notNull(),
     message: text("message")
 });
 export const requestAuditLog = sqliteTable(
     "requestAuditLog",
     {
-        id: integer("id").primaryKey({autoIncrement: true}),
+        id: integer("id").primaryKey({ autoIncrement: true }),
         timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
         orgId: text("orgId").references(() => orgs.orgId, {
             onDelete: "cascade"
         }),
-        action: integer("action", {mode: "boolean"}).notNull(),
+        action: integer("action", { mode: "boolean" }).notNull(),
         reason: integer("reason").notNull(),
         actorType: text("actorType"),
         actor: text("actor"),
@@ -876,7 +889,7 @@ export const requestAuditLog = sqliteTable(
         host: text("host"),
         path: text("path"),
         method: text("method"),
-        tls: integer("tls", {mode: "boolean"})
+        tls: integer("tls", { mode: "boolean" })
     },
     (table) => [
         index("idx_requestAuditLog_timestamp").on(table.timestamp),
@@ -932,7 +945,9 @@ export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
 export type ResourceHeaderAuth = InferSelectModel<typeof resourceHeaderAuth>;
-export type ResourceHeaderAuthExtendedCompatibility = InferSelectModel<typeof resourceHeaderAuthExtendedCompatibility>;
+export type ResourceHeaderAuthExtendedCompatibility = InferSelectModel<
+    typeof resourceHeaderAuthExtendedCompatibility
+>;
 export type ResourceOtp = InferSelectModel<typeof resourceOtp>;
 export type ResourceAccessToken = InferSelectModel<typeof resourceAccessToken>;
 export type ResourceWhitelist = InferSelectModel<typeof resourceWhitelist>;

server/lib/blueprints/MaintenanceSchema.ts

@@ -0,0 +1,3 @@
+import { z } from "zod";
+
+export const MaintenanceSchema = z.object({});

server/lib/blueprints/applyBlueprint.ts

@@ -1,4 +1,14 @@
-import { db, newts, blueprints, Blueprint, Site, siteResources, roleSiteResources, userSiteResources, clientSiteResources } from "@server/db";
+import {
+    db,
+    newts,
+    blueprints,
+    Blueprint,
+    Site,
+    siteResources,
+    roleSiteResources,
+    userSiteResources,
+    clientSiteResources
+} from "@server/db";
 import { Config, ConfigSchema } from "./types";
 import { ProxyResourcesResults, updateProxyResources } from "./proxyResources";
 import { fromError } from "zod-validation-error";
@@ -126,7 +136,7 @@ export async function applyBlueprint({
                         )
                         .then((rows) => rows.map((row) => row.roleId));
 
-                    const existingUserIds= await trx
+                    const existingUserIds = await trx
                         .select()
                         .from(userSiteResources)
                         .where(
@@ -134,7 +144,8 @@ export async function applyBlueprint({
                                 userSiteResources.siteResourceId,
                                 result.oldSiteResource.siteResourceId
                             )
-                        ).then((rows) => rows.map((row) => row.userId));
+                        )
+                        .then((rows) => rows.map((row) => row.userId));
 
                     const existingClientIds = await trx
                         .select()
@@ -144,13 +155,19 @@ export async function applyBlueprint({
                                 clientSiteResources.siteResourceId,
                                 result.oldSiteResource.siteResourceId
                             )
-                        ).then((rows) => rows.map((row) => row.clientId));
+                        )
+                        .then((rows) => rows.map((row) => row.clientId));
 
                     // delete the existing site resource
                     await trx
                         .delete(siteResources)
                         .where(
-                            and(eq(siteResources.siteResourceId, result.oldSiteResource.siteResourceId))
+                            and(
+                                eq(
+                                    siteResources.siteResourceId,
+                                    result.oldSiteResource.siteResourceId
+                                )
+                            )
                         );
 
                     await rebuildClientAssociationsFromSiteResource(
@@ -161,7 +178,7 @@ export async function applyBlueprint({
                     const [insertedSiteResource] = await trx
                         .insert(siteResources)
                         .values({
-                            ...result.newSiteResource,
+                            ...result.newSiteResource
                         })
                         .returning();
 
@@ -172,18 +189,20 @@ export async function applyBlueprint({
 
                     if (existingRoleIds.length > 0) {
                         await trx.insert(roleSiteResources).values(
-                           existingRoleIds.map((roleId) => ({
+                            existingRoleIds.map((roleId) => ({
                                 roleId,
-                                siteResourceId: insertedSiteResource!.siteResourceId
+                                siteResourceId:
+                                    insertedSiteResource!.siteResourceId
                             }))
                         );
                     }
 
                     if (existingUserIds.length > 0) {
                         await trx.insert(userSiteResources).values(
-                           existingUserIds.map((userId) => ({
+                            existingUserIds.map((userId) => ({
                                 userId,
-                                siteResourceId: insertedSiteResource!.siteResourceId
+                                siteResourceId:
+                                    insertedSiteResource!.siteResourceId
                             }))
                         );
                     }
@@ -192,7 +211,8 @@ export async function applyBlueprint({
                         await trx.insert(clientSiteResources).values(
                             existingClientIds.map((clientId) => ({
                                 clientId,
-                                siteResourceId: insertedSiteResource!.siteResourceId
+                                siteResourceId:
+                                    insertedSiteResource!.siteResourceId
                             }))
                         );
                     }
@@ -201,7 +221,6 @@ export async function applyBlueprint({
                         insertedSiteResource,
                         trx
                     );
-
                 } else {
                     const [newSite] = await trx
                         .select()

server/lib/blueprints/proxyResources.ts

@@ -2,7 +2,8 @@ import {
     domains,
     orgDomains,
     Resource,
-    resourceHeaderAuth, resourceHeaderAuthExtendedCompatibility,
+    resourceHeaderAuth,
+    resourceHeaderAuthExtendedCompatibility,
     resourcePincode,
     resourceRules,
     resourceWhitelist,
@@ -16,8 +17,8 @@ import {
     userResources,
     users
 } from "@server/db";
-import {resources, targets, sites} from "@server/db";
+import { resources, targets, sites } from "@server/db";
-import {eq, and, asc, or, ne, count, isNotNull} from "drizzle-orm";
+import { eq, and, asc, or, ne, count, isNotNull } from "drizzle-orm";
 import {
     Config,
     ConfigSchema,
@@ -25,12 +26,13 @@ import {
     TargetData
 } from "./types";
 import logger from "@server/logger";
-import {createCertificate} from "#dynamic/routers/certificates/createCertificate";
+import { createCertificate } from "#dynamic/routers/certificates/createCertificate";
-import {pickPort} from "@server/routers/target/helpers";
+import { pickPort } from "@server/routers/target/helpers";
-import {resourcePassword} from "@server/db";
+import { resourcePassword } from "@server/db";
-import {hashPassword} from "@server/auth/password";
+import { hashPassword } from "@server/auth/password";
-import {isValidCIDR, isValidIP, isValidUrlGlobPattern} from "../validators";
+import { isValidCIDR, isValidIP, isValidUrlGlobPattern } from "../validators";
-import {get} from "http";
+import { isLicensedOrSubscribed } from "../isLicencedOrSubscribed";
+import { build } from "@server/build";
 
 export type ProxyResourcesResults = {
     proxyResource: Resource;
@@ -63,7 +65,7 @@ export async function updateProxyResources(
             if (targetSiteId) {
                 // Look up site by niceId
                 [site] = await trx
-                    .select({siteId: sites.siteId})
+                    .select({ siteId: sites.siteId })
                     .from(sites)
                     .where(
                         and(
@@ -75,7 +77,7 @@ export async function updateProxyResources(
             } else if (siteId) {
                 // Use the provided siteId directly, but verify it belongs to the org
                 [site] = await trx
-                    .select({siteId: sites.siteId})
+                    .select({ siteId: sites.siteId })
                     .from(sites)
                     .where(
                         and(eq(sites.siteId, siteId), eq(sites.orgId, orgId))
@@ -93,7 +95,7 @@ export async function updateProxyResources(
 
             let internalPortToCreate;
             if (!targetData["internal-port"]) {
-                const {internalPort, targetIps} = await pickPort(
+                const { internalPort, targetIps } = await pickPort(
                     site.siteId!,
                     trx
                 );
@@ -209,6 +211,16 @@ export async function updateProxyResources(
                 resource = existingResource;
             } else {
                 // Update existing resource
+
+                const isLicensed = await isLicensedOrSubscribed(orgId);
+                if (build == "enterprise" && !isLicensed) {
+                    logger.warn(
+                        "Server is not licensed! Clearing set maintenance screen values"
+                    );
+                    // null the maintenance mode fields if not licensed
+                    resourceData.maintenance = undefined;
+                }
+
                 [resource] = await trx
                     .update(resources)
                     .set({
@@ -228,12 +240,19 @@ export async function updateProxyResources(
                         tlsServerName: resourceData["tls-server-name"] || null,
                         emailWhitelistEnabled: resourceData.auth?.[
                             "whitelist-users"
-                            ]
+                        ]
                             ? resourceData.auth["whitelist-users"].length > 0
                             : false,
                         headers: headers || null,
                         applyRules:
-                            resourceData.rules && resourceData.rules.length > 0
+                            resourceData.rules && resourceData.rules.length > 0,
+                        maintenanceModeEnabled:
+                            resourceData.maintenance?.enabled,
+                        maintenanceModeType: resourceData.maintenance?.type,
+                        maintenanceTitle: resourceData.maintenance?.title,
+                        maintenanceMessage: resourceData.maintenance?.message,
+                        maintenanceEstimatedTime:
+                            resourceData.maintenance?.["estimated-time"]
                     })
                     .where(
                         eq(resources.resourceId, existingResource.resourceId)
@@ -303,8 +322,13 @@ export async function updateProxyResources(
                     const headerAuthPassword =
                         resourceData.auth?.["basic-auth"]?.password;
                     const headerAuthExtendedCompatibility =
-                        resourceData.auth?.["basic-auth"]?.extendedCompatibility;
+                        resourceData.auth?.["basic-auth"]
-                    if (headerAuthUser && headerAuthPassword && headerAuthExtendedCompatibility !== null) {
+                            ?.extendedCompatibility;
+                    if (
+                        headerAuthUser &&
+                        headerAuthPassword &&
+                        headerAuthExtendedCompatibility !== null
+                    ) {
                         const headerAuthHash = await hashPassword(
                             Buffer.from(
                                 `${headerAuthUser}:${headerAuthPassword}`
@@ -315,10 +339,13 @@ export async function updateProxyResources(
                                 resourceId: existingResource.resourceId,
                                 headerAuthHash
                             }),
-                            trx.insert(resourceHeaderAuthExtendedCompatibility).values({
+                            trx
-                                resourceId: existingResource.resourceId,
+                                .insert(resourceHeaderAuthExtendedCompatibility)
-                                extendedCompatibilityIsActivated: headerAuthExtendedCompatibility
+                                .values({
-                            })
+                                    resourceId: existingResource.resourceId,
+                                    extendedCompatibilityIsActivated:
+                                        headerAuthExtendedCompatibility
+                                })
                         ]);
                     }
                 }
@@ -380,7 +407,7 @@ export async function updateProxyResources(
                     if (targetSiteId) {
                         // Look up site by niceId
                         [site] = await trx
-                            .select({siteId: sites.siteId})
+                            .select({ siteId: sites.siteId })
                             .from(sites)
                             .where(
                                 and(
@@ -392,7 +419,7 @@ export async function updateProxyResources(
                     } else if (siteId) {
                         // Use the provided siteId directly, but verify it belongs to the org
                         [site] = await trx
-                            .select({siteId: sites.siteId})
+                            .select({ siteId: sites.siteId })
                             .from(sites)
                             .where(
                                 and(
@@ -437,7 +464,7 @@ export async function updateProxyResources(
                     if (checkIfTargetChanged(existingTarget, updatedTarget)) {
                         let internalPortToUpdate;
                         if (!targetData["internal-port"]) {
-                            const {internalPort, targetIps} = await pickPort(
+                            const { internalPort, targetIps } = await pickPort(
                                 site.siteId!,
                                 trx
                             );
@@ -622,6 +649,15 @@ export async function updateProxyResources(
                 );
             }
 
+            const isLicensed = await isLicensedOrSubscribed(orgId);
+            if (build == "enterprise" && !isLicensed) {
+                logger.warn(
+                    "Server is not licensed! Clearing set maintenance screen values"
+                );
+                // null the maintenance mode fields if not licensed
+                resourceData.maintenance = undefined;
+            }
+
             // Create new resource
             const [newResource] = await trx
                 .insert(resources)
@@ -643,7 +679,13 @@ export async function updateProxyResources(
                     ssl: resourceSsl,
                     headers: headers || null,
                     applyRules:
-                        resourceData.rules && resourceData.rules.length > 0
+                        resourceData.rules && resourceData.rules.length > 0,
+                    maintenanceModeEnabled: resourceData.maintenance?.enabled,
+                    maintenanceModeType: resourceData.maintenance?.type,
+                    maintenanceTitle: resourceData.maintenance?.title,
+                    maintenanceMessage: resourceData.maintenance?.message,
+                    maintenanceEstimatedTime:
+                        resourceData.maintenance?.["estimated-time"]
                 })
                 .returning();
 
@@ -674,9 +716,14 @@ export async function updateProxyResources(
                 const headerAuthUser = resourceData.auth?.["basic-auth"]?.user;
                 const headerAuthPassword =
                     resourceData.auth?.["basic-auth"]?.password;
-                const headerAuthExtendedCompatibility = resourceData.auth?.["basic-auth"]?.extendedCompatibility;
+                const headerAuthExtendedCompatibility =
+                    resourceData.auth?.["basic-auth"]?.extendedCompatibility;
 
-                if (headerAuthUser && headerAuthPassword && headerAuthExtendedCompatibility !== null) {
+                if (
+                    headerAuthUser &&
+                    headerAuthPassword &&
+                    headerAuthExtendedCompatibility !== null
+                ) {
                     const headerAuthHash = await hashPassword(
                         Buffer.from(
                             `${headerAuthUser}:${headerAuthPassword}`
@@ -688,10 +735,13 @@ export async function updateProxyResources(
                             resourceId: newResource.resourceId,
                             headerAuthHash
                         }),
-                        trx.insert(resourceHeaderAuthExtendedCompatibility).values({
+                        trx
-                            resourceId: newResource.resourceId,
+                            .insert(resourceHeaderAuthExtendedCompatibility)
-                            extendedCompatibilityIsActivated: headerAuthExtendedCompatibility
+                            .values({
-                        }),
+                                resourceId: newResource.resourceId,
+                                extendedCompatibilityIsActivated:
+                                    headerAuthExtendedCompatibility
+                            })
                     ]);
                 }
             }
@@ -1043,7 +1093,7 @@ async function getDomain(
     trx: Transaction
 ) {
     const [fullDomainExists] = await trx
-        .select({resourceId: resources.resourceId})
+        .select({ resourceId: resources.resourceId })
         .from(resources)
         .where(
             and(

server/lib/blueprints/types.ts

@@ -1,5 +1,6 @@
 import { z } from "zod";
 import { portRangeStringSchema } from "@server/lib/ip";
+import { MaintenanceSchema } from "#dynamic/lib/blueprints/MaintenanceSchema";
 
 export const SiteSchema = z.object({
     name: z.string().min(1).max(100),
@@ -53,11 +54,13 @@ export const AuthSchema = z.object({
     // pincode has to have 6 digits
     pincode: z.number().min(100000).max(999999).optional(),
     password: z.string().min(1).optional(),
-    "basic-auth": z.object({
+    "basic-auth": z
-        user: z.string().min(1),
+        .object({
-        password: z.string().min(1),
+            user: z.string().min(1),
-        extendedCompatibility: z.boolean().default(true)
+            password: z.string().min(1),
-    }).optional(),
+            extendedCompatibility: z.boolean().default(true)
+        })
+        .optional(),
     "sso-enabled": z.boolean().optional().default(false),
     "sso-roles": z
         .array(z.string())
@@ -156,7 +159,8 @@ export const ResourceSchema = z
         "host-header": z.string().optional(),
         "tls-server-name": z.string().optional(),
         headers: z.array(HeaderSchema).optional(),
-        rules: z.array(RuleSchema).optional()
+        rules: z.array(RuleSchema).optional(),
+        maintenance: MaintenanceSchema.optional()
     })
     .refine(
         (resource) => {

server/lib/ip.ts

@@ -318,10 +318,7 @@ export function doCidrsOverlap(cidr1: string, cidr2: string): boolean {
     const range2 = cidrToRange(cidr2);
 
     // Overlap if the ranges intersect
-    return (
+    return range1.start <= range2.end && range2.start <= range1.end;
-        range1.start <= range2.end &&
-        range2.start <= range1.end
-    );
 }
 
 export async function getNextAvailableClientSubnet(

server/lib/readConfigFile.ts

@@ -216,7 +216,10 @@ export const configSchema = z
                     .default(["newt", "wireguard", "local"]),
                 allow_raw_resources: z.boolean().optional().default(true),
                 file_mode: z.boolean().optional().default(false),
-                pp_transport_prefix: z.string().optional().default("pp-transport-v")
+                pp_transport_prefix: z
+                    .string()
+                    .optional()
+                    .default("pp-transport-v")
             })
             .optional()
             .prefault({}),

server/lib/traefik/getTraefikConfig.ts

@@ -294,12 +294,12 @@ export async function getTraefikConfig(
                 certResolver: resolverName,
                 ...(preferWildcard
                     ? {
-                        domains: [
+                          domains: [
-                            {
+                              {
-                                main: wildCard
+                                  main: wildCard
-                            }
+                              }
-                        ]
+                          ]
-                    }
+                      }
                     : {})
             };
 
@@ -475,9 +475,9 @@ export async function getTraefikConfig(
                         // RECEIVE BANDWIDTH ENDPOINT.
 
                         // TODO: HOW TO HANDLE ^^^^^^ BETTER
-                        const anySitesOnline = (
+                        const anySitesOnline = targets.some(
-                            targets
+                            (target) => target.site.online
-                        ).some((target) => target.site.online);
+                        );
 
                         return (
                             targets
@@ -544,14 +544,14 @@ export async function getTraefikConfig(
                     })(),
                     ...(resource.stickySession
                         ? {
-                            sticky: {
+                              sticky: {
-                                cookie: {
+                                  cookie: {
-                                    name: "p_sticky", // TODO: make this configurable via config.yml like other cookies
+                                      name: "p_sticky", // TODO: make this configurable via config.yml like other cookies
-                                    secure: resource.ssl,
+                                      secure: resource.ssl,
-                                    httpOnly: true
+                                      httpOnly: true
-                                }
+                                  }
-                            }
+                              }
-                        }
+                          }
                         : {})
                 }
             };
@@ -603,9 +603,9 @@ export async function getTraefikConfig(
                 loadBalancer: {
                     servers: (() => {
                         // Check if any sites are online
-                        const anySitesOnline = (
+                        const anySitesOnline = targets.some(
-                            targets
+                            (target) => target.site.online
-                        ).some((target) => target.site.online);
+                        );
 
                         return targets
                             .filter((target) => {
@@ -654,18 +654,18 @@ export async function getTraefikConfig(
                     })(),
                     ...(resource.proxyProtocol && protocol == "tcp"
                         ? {
-                            serversTransport: `${ppPrefix}${resource.proxyProtocolVersion || 1}@file` // TODO: does @file here cause issues?
+                              serversTransport: `${ppPrefix}${resource.proxyProtocolVersion || 1}@file` // TODO: does @file here cause issues?
-                        }
+                          }
                         : {}),
                     ...(resource.stickySession
                         ? {
-                            sticky: {
+                              sticky: {
-                                ipStrategy: {
+                                  ipStrategy: {
-                                    depth: 0,
+                                      depth: 0,
-                                    sourcePort: true
+                                      sourcePort: true
-                                }
+                                  }
-                            }
+                              }
-                        }
+                          }
                         : {})
                 }
             };

server/private/lib/blueprints/MaintenanceSchema.ts

@@ -0,0 +1,22 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { z } from "zod";
+
+export const MaintenanceSchema = z.object({
+    enabled: z.boolean().optional(),
+    type: z.enum(["forced", "automatic"]).optional(),
+    title: z.string().max(255).nullable().optional(),
+    message: z.string().max(2000).nullable().optional(),
+    "estimated-time": z.string().max(100).nullable().optional()
+});

server/private/lib/checkOrgAccessPolicy.ts

@@ -23,10 +23,10 @@ import {
 } from "@server/lib/checkOrgAccessPolicy";
 import { UserType } from "@server/types/UserTypes";
 
-export async function enforceResourceSessionLength(
+export function enforceResourceSessionLength(
     resourceSession: ResourceSession,
     org: Org
-): Promise<{ valid: boolean; error?: string }> {
+): { valid: boolean; error?: string } {
     if (org.maxSessionLengthHours) {
         const sessionIssuedAt = resourceSession.issuedAt; // may be null
         const maxSessionLengthHours = org.maxSessionLengthHours;

server/private/lib/traefik/getTraefikConfig.ts

@@ -71,9 +71,9 @@ export async function getTraefikConfig(
     siteTypes: string[],
     filterOutNamespaceDomains = false,
     generateLoginPageRouters = false,
-    allowRawResources = true
+    allowRawResources = true,
+    allowMaintenancePage = true
 ): Promise<any> {
-
     // Get resources with their targets and sites in a single optimized query
     // Start from sites on this exit node, then join to targets and resources
     const resourcesWithTargetsAndSites = await db
@@ -435,17 +435,15 @@ export async function getTraefikConfig(
                 }
             }
 
-            const availableServers = targets.filter(
+            const availableServers = targets.filter((target) => {
-                (target) => {
+                if (!target.enabled) return false;
-                    if (!target.enabled) return false;
 
-                    if (!target.site.online) return false;
+                if (!target.site.online) return false;
 
-                    if (target.health == "unhealthy") return false;
+                if (target.health == "unhealthy") return false;
 
-                    return true;
+                return true;
-                }
+            });
-            );
 
             const hasHealthyServers = availableServers.length > 0;
 
@@ -794,9 +792,9 @@ export async function getTraefikConfig(
                 loadBalancer: {
                     servers: (() => {
                         // Check if any sites are online
-                        const anySitesOnline = (
+                        const anySitesOnline = targets.some(
-                            targets
+                            (target) => target.site.online
-                        ).some((target) => target.site.online);
+                        );
 
                         return targets
                             .filter((target) => {

server/private/routers/hybrid.ts

@@ -40,6 +40,7 @@ import {
     ResourceHeaderAuthExtendedCompatibility,
     orgs,
     requestAuditLog,
+    Org
 } from "@server/db";
 import {
     resources,
@@ -79,6 +80,7 @@ import { maxmindLookup } from "@server/db/maxmind";
 import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToken";
 import semver from "semver";
 import { maxmindAsnLookup } from "@server/db/maxmindAsn";
+import { checkOrgAccessPolicy } from "@server/lib/checkOrgAccessPolicy";
 
 // Zod schemas for request validation
 const getResourceByDomainParamsSchema = z.strictObject({
@@ -94,6 +96,12 @@ const getUserOrgRoleParamsSchema = z.strictObject({
     orgId: z.string().min(1, "Organization ID is required")
 });
 
+const getUserOrgSessionVerifySchema = z.strictObject({
+    userId: z.string().min(1, "User ID is required"),
+    orgId: z.string().min(1, "Organization ID is required"),
+    sessionId: z.string().min(1, "Session ID is required")
+});
+
 const getRoleResourceAccessParamsSchema = z.strictObject({
     roleId: z
         .string()
@@ -178,6 +186,7 @@ export type ResourceWithAuth = {
     password: ResourcePassword | null;
     headerAuth: ResourceHeaderAuth | null;
     headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
+    org: Org
 };
 
 export type UserSessionWithUser = {
@@ -503,8 +512,12 @@ hybridRouter.get(
                 )
                 .leftJoin(
                     resourceHeaderAuthExtendedCompatibility,
-                    eq(resourceHeaderAuthExtendedCompatibility.resourceId, resources.resourceId)
+                    eq(
+                        resourceHeaderAuthExtendedCompatibility.resourceId,
+                        resources.resourceId
+                    )
                 )
+                .innerJoin(orgs, eq(orgs.orgId, resources.orgId))
                 .where(eq(resources.fullDomain, domain))
                 .limit(1);
 
@@ -538,7 +551,9 @@ hybridRouter.get(
                 pincode: result.resourcePincode,
                 password: result.resourcePassword,
                 headerAuth: result.resourceHeaderAuth,
-                headerAuthExtendedCompatibility: result.resourceHeaderAuthExtendedCompatibility
+                headerAuthExtendedCompatibility:
+                    result.resourceHeaderAuthExtendedCompatibility,
+                org: result.orgs
             };
 
             return response<ResourceWithAuth>(res, {
@@ -818,6 +833,69 @@ hybridRouter.get(
     }
 );
 
+// Get user organization role
+hybridRouter.get(
+    "/user/:userId/org/:orgId/session/:sessionId/verify",
+    async (req: Request, res: Response, next: NextFunction) => {
+        try {
+            const parsedParams = getUserOrgSessionVerifySchema.safeParse(
+                req.params
+            );
+            if (!parsedParams.success) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        fromError(parsedParams.error).toString()
+                    )
+                );
+            }
+
+            const { userId, orgId, sessionId } = parsedParams.data;
+            const remoteExitNode = req.remoteExitNode;
+
+            if (!remoteExitNode || !remoteExitNode.exitNodeId) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Remote exit node not found"
+                    )
+                );
+            }
+
+            if (await checkExitNodeOrg(remoteExitNode.exitNodeId, orgId)) {
+                return next(
+                    createHttpError(
+                        HttpCode.UNAUTHORIZED,
+                        "User is not authorized to access this organization"
+                    )
+                );
+            }
+
+            const accessPolicy = await checkOrgAccessPolicy({
+                orgId,
+                userId,
+                sessionId
+            });
+
+            return response(res, {
+                data: accessPolicy,
+                success: true,
+                error: false,
+                message: "User org access policy retrieved successfully",
+                status: HttpCode.OK
+            });
+        } catch (error) {
+            logger.error(error);
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Failed to get user org role"
+                )
+            );
+        }
+    }
+);
+
 // Check if role has access to resource
 hybridRouter.get(
     "/role/:roleId/resource/:resourceId/access",

server/routers/auditLogs/queryRequestAnalytics.ts

@@ -99,12 +99,13 @@ async function query(query: Q) {
         .where(and(baseConditions, not(isNull(requestAuditLog.location))))
         .groupBy(requestAuditLog.location)
         .orderBy(desc(totalQ))
-        .limit(DISTINCT_LIMIT+1);
+        .limit(DISTINCT_LIMIT + 1);
 
     if (requestsPerCountry.length > DISTINCT_LIMIT) {
         // throw an error
         throw createHttpError(
             HttpCode.BAD_REQUEST,
+            // todo: is this even possible?
             `Too many distinct countries. Please narrow your query.`
         );
     }

server/routers/auditLogs/queryRequestAuditLog.ts

@@ -189,22 +189,22 @@ async function queryUniqueFilterAttributes(
             .selectDistinct({ actor: requestAuditLog.actor })
             .from(requestAuditLog)
             .where(baseConditions)
-            .limit(DISTINCT_LIMIT+1),
+            .limit(DISTINCT_LIMIT + 1),
         primaryDb
             .selectDistinct({ locations: requestAuditLog.location })
             .from(requestAuditLog)
             .where(baseConditions)
-            .limit(DISTINCT_LIMIT+1),
+            .limit(DISTINCT_LIMIT + 1),
         primaryDb
             .selectDistinct({ hosts: requestAuditLog.host })
             .from(requestAuditLog)
             .where(baseConditions)
-            .limit(DISTINCT_LIMIT+1),
+            .limit(DISTINCT_LIMIT + 1),
         primaryDb
             .selectDistinct({ paths: requestAuditLog.path })
             .from(requestAuditLog)
             .where(baseConditions)
-            .limit(DISTINCT_LIMIT+1),
+            .limit(DISTINCT_LIMIT + 1),
         primaryDb
             .selectDistinct({
                 id: requestAuditLog.resourceId,
@@ -216,18 +216,20 @@ async function queryUniqueFilterAttributes(
                 eq(requestAuditLog.resourceId, resources.resourceId)
             )
             .where(baseConditions)
-            .limit(DISTINCT_LIMIT+1)
+            .limit(DISTINCT_LIMIT + 1)
     ]);
 
-    if (
+    // TODO: for stuff like the paths this is too restrictive so lets just show some of the paths and the user needs to
-        uniqueActors.length > DISTINCT_LIMIT ||
+    // refine the time range to see what they need to see
-        uniqueLocations.length > DISTINCT_LIMIT ||
+    // if (
-        uniqueHosts.length > DISTINCT_LIMIT ||
+    //     uniqueActors.length > DISTINCT_LIMIT ||
-        uniquePaths.length > DISTINCT_LIMIT ||
+    //     uniqueLocations.length > DISTINCT_LIMIT ||
-        uniqueResources.length > DISTINCT_LIMIT
+    //     uniqueHosts.length > DISTINCT_LIMIT ||
-    ) {
+    //     uniquePaths.length > DISTINCT_LIMIT ||
-        throw new Error("Too many distinct filter attributes to retrieve. Please refine your time range.");
+    //     uniqueResources.length > DISTINCT_LIMIT
-    }
+    // ) {
+    //     throw new Error("Too many distinct filter attributes to retrieve. Please refine your time range.");
+    // }
 
     return {
         actors: uniqueActors
@@ -307,10 +309,12 @@ export async function queryRequestAuditLogs(
     } catch (error) {
         logger.error(error);
         // if the message is "Too many distinct filter attributes to retrieve. Please refine your time range.", return a 400 and the message
-        if (error instanceof Error && error.message === "Too many distinct filter attributes to retrieve. Please refine your time range.") {
+        if (
-            return next(
+            error instanceof Error &&
-                createHttpError(HttpCode.BAD_REQUEST, error.message)
+            error.message ===
-            );
+                "Too many distinct filter attributes to retrieve. Please refine your time range."
+        ) {
+            return next(createHttpError(HttpCode.BAD_REQUEST, error.message));
         }
         return next(
             createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")

server/routers/badger/exchangeSession.ts

@@ -62,7 +62,26 @@ export async function exchangeSession(
             cleanHost = cleanHost.slice(0, -1 * matched.length);
         }
 
-        const clientIp = requestIp?.split(":")[0];
+        const clientIp = requestIp
+            ? (() => {
+                  if (requestIp.startsWith("[") && requestIp.includes("]")) {
+                      const ipv6Match = requestIp.match(/\[(.*?)\]/);
+                      if (ipv6Match) {
+                          return ipv6Match[1];
+                      }
+                  }
+
+                  const ipv4Pattern = /^(\d{1,3}\.){3}\d{1,3}/;
+                  if (ipv4Pattern.test(requestIp)) {
+                      const lastColonIndex = requestIp.lastIndexOf(":");
+                      if (lastColonIndex !== -1) {
+                          return requestIp.substring(0, lastColonIndex);
+                      }
+                  }
+
+                  return requestIp;
+              })()
+            : undefined;
 
         const [resource] = await db
             .select()

server/routers/badger/verifySession.ts

@@ -13,7 +13,8 @@ import {
     LoginPage,
     Org,
     Resource,
-    ResourceHeaderAuth, ResourceHeaderAuthExtendedCompatibility,
+    ResourceHeaderAuth,
+    ResourceHeaderAuthExtendedCompatibility,
     ResourcePassword,
     ResourcePincode,
     ResourceRule,
@@ -39,6 +40,8 @@ import {
 } from "#dynamic/lib/checkOrgAccessPolicy";
 import { logRequestAudit } from "./logRequestAudit";
 import cache from "@server/lib/cache";
+import semver from "semver";
+import { APP_VERSION } from "@server/lib/consts";
 
 const verifyResourceSessionSchema = z.object({
     sessions: z.record(z.string(), z.string()).optional(),
@@ -50,7 +53,8 @@ const verifyResourceSessionSchema = z.object({
     path: z.string(),
     method: z.string(),
     tls: z.boolean(),
-    requestIp: z.string().optional()
+    requestIp: z.string().optional(),
+    badgerVersion: z.string().optional()
 });
 
 export type VerifyResourceSessionSchema = z.infer<
@@ -69,6 +73,7 @@ export type VerifyUserResponse = {
     headerAuthChallenged?: boolean;
     redirectUrl?: string;
     userData?: BasicUserData;
+    pangolinVersion?: string;
 };
 
 export async function verifyResourceSession(
@@ -97,7 +102,8 @@ export async function verifyResourceSession(
             requestIp,
             path,
             headers,
-            query
+            query,
+            badgerVersion
         } = parsedBody.data;
 
         // Extract HTTP Basic Auth credentials if present
@@ -105,7 +111,15 @@ export async function verifyResourceSession(
 
         const clientIp = requestIp
             ? (() => {
-                  logger.debug("Request IP:", { requestIp });
+                  const isNewerBadger =
+                      badgerVersion &&
+                      semver.valid(badgerVersion) &&
+                      semver.gte(badgerVersion, "1.3.1");
+
+                  if (isNewerBadger) {
+                      return requestIp;
+                  }
+
                   if (requestIp.startsWith("[") && requestIp.includes("]")) {
                       // if brackets are found, extract the IPv6 address from between the brackets
                       const ipv6Match = requestIp.match(/\[(.*?)\]/);
@@ -114,12 +128,17 @@ export async function verifyResourceSession(
                       }
                   }
 
-                  // ivp4
+                  // Check if it looks like IPv4 (contains dots and matches IPv4 pattern)
-                  // split at last colon
+                  // IPv4 format: x.x.x.x where x is 0-255
-                  const lastColonIndex = requestIp.lastIndexOf(":");
+                  const ipv4Pattern = /^(\d{1,3}\.){3}\d{1,3}/;
-                  if (lastColonIndex !== -1) {
+                  if (ipv4Pattern.test(requestIp)) {
-                      return requestIp.substring(0, lastColonIndex);
+                      const lastColonIndex = requestIp.lastIndexOf(":");
+                      if (lastColonIndex !== -1) {
+                          return requestIp.substring(0, lastColonIndex);
+                      }
                   }
+
+                  // Return as is
                   return requestIp;
               })()
             : undefined;
@@ -130,9 +149,7 @@ export async function verifyResourceSession(
             ? await getCountryCodeFromIp(clientIp)
             : undefined;
 
-        const ipAsn = clientIp
+        const ipAsn = clientIp ? await getAsnFromIp(clientIp) : undefined;
-            ? await getAsnFromIp(clientIp)
-            : undefined;
 
         let cleanHost = host;
         // if the host ends with :port, strip it
@@ -178,7 +195,13 @@ export async function verifyResourceSession(
             cache.set(resourceCacheKey, resourceData, 5);
         }
 
-        const { resource, pincode, password, headerAuth, headerAuthExtendedCompatibility } = resourceData;
+        const {
+            resource,
+            pincode,
+            password,
+            headerAuth,
+            headerAuthExtendedCompatibility
+        } = resourceData;
 
         if (!resource) {
             logger.debug(`Resource not found ${cleanHost}`);
@@ -474,8 +497,7 @@ export async function verifyResourceSession(
 
                 return notAllowed(res);
             }
-        }
+        } else if (headerAuth) {
-        else if (headerAuth) {
             // if there are no other auth methods we need to return unauthorized if nothing is provided
             if (
                 !sso &&
@@ -713,7 +735,11 @@ export async function verifyResourceSession(
         }
 
         // If headerAuthExtendedCompatibility is activated but no clientHeaderAuth provided, force client to challenge
-        if (headerAuthExtendedCompatibility && headerAuthExtendedCompatibility.extendedCompatibilityIsActivated && !clientHeaderAuth){
+        if (
+            headerAuthExtendedCompatibility &&
+            headerAuthExtendedCompatibility.extendedCompatibilityIsActivated &&
+            !clientHeaderAuth
+        ) {
             return headerAuthChallenged(res, redirectPath, resource.orgId);
         }
 
@@ -825,7 +851,7 @@ async function notAllowed(
     }
 
     const data = {
-        data: { valid: false, redirectUrl },
+        data: { valid: false, redirectUrl, pangolinVersion: APP_VERSION },
         success: true,
         error: false,
         message: "Access denied",
@@ -839,8 +865,8 @@ function allowed(res: Response, userData?: BasicUserData) {
     const data = {
         data:
             userData !== undefined && userData !== null
-                ? { valid: true, ...userData }
+                ? { valid: true, ...userData, pangolinVersion: APP_VERSION }
-                : { valid: true },
+                : { valid: true, pangolinVersion: APP_VERSION },
         success: true,
         error: false,
         message: "Access allowed",
@@ -879,7 +905,12 @@ async function headerAuthChallenged(
     }
 
     const data = {
-        data: { headerAuthChallenged: true, valid: false, redirectUrl },
+        data: {
+            headerAuthChallenged: true,
+            valid: false,
+            redirectUrl,
+            pangolinVersion: APP_VERSION
+        },
         success: true,
         error: false,
         message: "Access denied",

server/routers/client/listClients.ts

@@ -56,12 +56,12 @@ async function getLatestOlmVersion(): Promise<string | null> {
             return null;
         }
 
-        const tags = await response.json();
+        let tags = await response.json();
         if (!Array.isArray(tags) || tags.length === 0) {
             logger.warn("No tags found for Olm repository");
             return null;
         }
-
+        tags = tags.filter((version) => !version.name.includes("rc"));
         const latestVersion = tags[0].name;
 
         olmVersionCache.set("latestOlmVersion", latestVersion);

server/routers/gerbil/getConfig.ts

@@ -52,7 +52,7 @@ export async function getConfig(
         }
 
         // clean up the public key - keep only valid base64 characters (A-Z, a-z, 0-9, +, /, =)
-        const cleanedPublicKey = publicKey.replace(/[^A-Za-z0-9+/=]/g, '');
+        const cleanedPublicKey = publicKey.replace(/[^A-Za-z0-9+/=]/g, "");
 
         const exitNode = await createExitNode(cleanedPublicKey, reachableAt);
 

server/routers/integration.ts

@@ -858,7 +858,6 @@ authenticated.put(
     blueprints.applyJSONBlueprint
 );
 
-
 authenticated.get(
     "/org/:orgId/blueprint/:blueprintId",
     verifyApiKeyOrgAccess,
@@ -866,7 +865,6 @@ authenticated.get(
     blueprints.getBlueprint
 );
 
-
 authenticated.get(
     "/org/:orgId/blueprints",
     verifyApiKeyOrgAccess,

server/routers/org/pickOrgDefaults.ts

@@ -21,8 +21,7 @@ export async function pickOrgDefaults(
         // const subnet = await getNextAvailableOrgSubnet();
         // Just hard code the subnet for now for everyone
         const subnet = config.getRawConfig().orgs.subnet_group;
-        const utilitySubnet =
+        const utilitySubnet = config.getRawConfig().orgs.utility_subnet_group;
-            config.getRawConfig().orgs.utility_subnet_group;
 
         return response<PickOrgDefaultsResponse>(res, {
             data: {

server/routers/resource/getResourceAuthInfo.ts

@@ -1,19 +1,20 @@
-import {Request, Response, NextFunction} from "express";
+import { Request, Response, NextFunction } from "express";
-import {z} from "zod";
+import { z } from "zod";
 import {
     db,
-    resourceHeaderAuth, resourceHeaderAuthExtendedCompatibility,
+    resourceHeaderAuth,
+    resourceHeaderAuthExtendedCompatibility,
     resourcePassword,
     resourcePincode,
     resources
 } from "@server/db";
-import {eq} from "drizzle-orm";
+import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
-import {fromError} from "zod-validation-error";
+import { fromError } from "zod-validation-error";
 import logger from "@server/logger";
-import {build} from "@server/build";
+import { build } from "@server/build";
 
 const getResourceAuthInfoSchema = z.strictObject({
     resourceGuid: z.string()
@@ -52,68 +53,68 @@ export async function getResourceAuthInfo(
             );
         }
 
-        const {resourceGuid} = parsedParams.data;
+        const { resourceGuid } = parsedParams.data;
 
         const isGuidInteger = /^\d+$/.test(resourceGuid);
 
         const [result] =
             isGuidInteger && build === "saas"
                 ? await db
-                    .select()
+                      .select()
-                    .from(resources)
+                      .from(resources)
-                    .leftJoin(
+                      .leftJoin(
-                        resourcePincode,
+                          resourcePincode,
-                        eq(resourcePincode.resourceId, resources.resourceId)
+                          eq(resourcePincode.resourceId, resources.resourceId)
-                    )
+                      )
-                    .leftJoin(
+                      .leftJoin(
-                        resourcePassword,
+                          resourcePassword,
-                        eq(resourcePassword.resourceId, resources.resourceId)
+                          eq(resourcePassword.resourceId, resources.resourceId)
-                    )
+                      )
 
-                    .leftJoin(
+                      .leftJoin(
-                        resourceHeaderAuth,
+                          resourceHeaderAuth,
-                        eq(
+                          eq(
-                            resourceHeaderAuth.resourceId,
+                              resourceHeaderAuth.resourceId,
-                            resources.resourceId
+                              resources.resourceId
-                        )
+                          )
-                    )
+                      )
-                    .leftJoin(
+                      .leftJoin(
-                        resourceHeaderAuthExtendedCompatibility,
+                          resourceHeaderAuthExtendedCompatibility,
-                        eq(
+                          eq(
-                            resourceHeaderAuthExtendedCompatibility.resourceId,
+                              resourceHeaderAuthExtendedCompatibility.resourceId,
-                            resources.resourceId
+                              resources.resourceId
-                        )
+                          )
-                    )
+                      )
-                    .where(eq(resources.resourceId, Number(resourceGuid)))
+                      .where(eq(resources.resourceId, Number(resourceGuid)))
-                    .limit(1)
+                      .limit(1)
                 : await db
-                    .select()
+                      .select()
-                    .from(resources)
+                      .from(resources)
-                    .leftJoin(
+                      .leftJoin(
-                        resourcePincode,
+                          resourcePincode,
-                        eq(resourcePincode.resourceId, resources.resourceId)
+                          eq(resourcePincode.resourceId, resources.resourceId)
-                    )
+                      )
-                    .leftJoin(
+                      .leftJoin(
-                        resourcePassword,
+                          resourcePassword,
-                        eq(resourcePassword.resourceId, resources.resourceId)
+                          eq(resourcePassword.resourceId, resources.resourceId)
-                    )
+                      )
 
-                    .leftJoin(
+                      .leftJoin(
-                        resourceHeaderAuth,
+                          resourceHeaderAuth,
-                        eq(
+                          eq(
-                            resourceHeaderAuth.resourceId,
+                              resourceHeaderAuth.resourceId,
-                            resources.resourceId
+                              resources.resourceId
-                        )
+                          )
-                    )
+                      )
-                    .leftJoin(
+                      .leftJoin(
-                        resourceHeaderAuthExtendedCompatibility,
+                          resourceHeaderAuthExtendedCompatibility,
-                        eq(
+                          eq(
-                            resourceHeaderAuthExtendedCompatibility.resourceId,
+                              resourceHeaderAuthExtendedCompatibility.resourceId,
-                            resources.resourceId
+                              resources.resourceId
-                        )
+                          )
-                    )
+                      )
-                    .where(eq(resources.resourceGuid, resourceGuid))
+                      .where(eq(resources.resourceGuid, resourceGuid))
-                    .limit(1);
+                      .limit(1);
 
         const resource = result?.resources;
         if (!resource) {
@@ -125,7 +126,8 @@ export async function getResourceAuthInfo(
         const pincode = result?.resourcePincode;
         const password = result?.resourcePassword;
         const headerAuth = result?.resourceHeaderAuth;
-        const headerAuthExtendedCompatibility = result?.resourceHeaderAuthExtendedCompatibility;
+        const headerAuthExtendedCompatibility =
+            result?.resourceHeaderAuthExtendedCompatibility;
 
         const url = `${resource.ssl ? "https" : "http"}://${resource.fullDomain}`;
 
@@ -138,7 +140,8 @@ export async function getResourceAuthInfo(
                 password: password !== null,
                 pincode: pincode !== null,
                 headerAuth: headerAuth !== null,
-                headerAuthExtendedCompatibility: headerAuthExtendedCompatibility !== null,
+                headerAuthExtendedCompatibility:
+                    headerAuthExtendedCompatibility !== null,
                 sso: resource.sso,
                 blockAccess: resource.blockAccess,
                 url,

server/routers/resource/listResources.ts

@@ -1,6 +1,10 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import {db, resourceHeaderAuth, resourceHeaderAuthExtendedCompatibility} from "@server/db";
+import {
+    db,
+    resourceHeaderAuth,
+    resourceHeaderAuthExtendedCompatibility
+} from "@server/db";
 import {
     resources,
     userResources,
@@ -109,7 +113,8 @@ function queryResources(accessibleResourceIds: number[], orgId: string) {
             domainId: resources.domainId,
             niceId: resources.niceId,
             headerAuthId: resourceHeaderAuth.headerAuthId,
-            headerAuthExtendedCompatibilityId: resourceHeaderAuthExtendedCompatibility.headerAuthExtendedCompatibilityId,
+            headerAuthExtendedCompatibilityId:
+                resourceHeaderAuthExtendedCompatibility.headerAuthExtendedCompatibilityId,
             targetId: targets.targetId,
             targetIp: targets.ip,
             targetPort: targets.port,
@@ -133,7 +138,10 @@ function queryResources(accessibleResourceIds: number[], orgId: string) {
         )
         .leftJoin(
             resourceHeaderAuthExtendedCompatibility,
-            eq(resourceHeaderAuthExtendedCompatibility.resourceId, resources.resourceId)
+            eq(
+                resourceHeaderAuthExtendedCompatibility.resourceId,
+                resources.resourceId
+            )
         )
         .leftJoin(targets, eq(targets.resourceId, resources.resourceId))
         .leftJoin(

server/routers/resource/setResourceHeaderAuth.ts

@@ -1,14 +1,18 @@
-import {Request, Response, NextFunction} from "express";
+import { Request, Response, NextFunction } from "express";
-import {z} from "zod";
+import { z } from "zod";
-import {db, resourceHeaderAuth, resourceHeaderAuthExtendedCompatibility} from "@server/db";
+import {
-import {eq} from "drizzle-orm";
+    db,
+    resourceHeaderAuth,
+    resourceHeaderAuthExtendedCompatibility
+} from "@server/db";
+import { eq } from "drizzle-orm";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
-import {fromError} from "zod-validation-error";
+import { fromError } from "zod-validation-error";
-import {response} from "@server/lib/response";
+import { response } from "@server/lib/response";
 import logger from "@server/logger";
-import {hashPassword} from "@server/auth/password";
+import { hashPassword } from "@server/auth/password";
-import {OpenAPITags, registry} from "@server/openApi";
+import { OpenAPITags, registry } from "@server/openApi";
 
 const setResourceAuthMethodsParamsSchema = z.object({
     resourceId: z.string().transform(Number).pipe(z.int().positive())
@@ -67,29 +71,40 @@ export async function setResourceHeaderAuth(
             );
         }
 
-        const {resourceId} = parsedParams.data;
+        const { resourceId } = parsedParams.data;
-        const {user, password, extendedCompatibility} = parsedBody.data;
+        const { user, password, extendedCompatibility } = parsedBody.data;
 
         await db.transaction(async (trx) => {
             await trx
                 .delete(resourceHeaderAuth)
                 .where(eq(resourceHeaderAuth.resourceId, resourceId));
-            await trx.delete(resourceHeaderAuthExtendedCompatibility).where(eq(resourceHeaderAuthExtendedCompatibility.resourceId, resourceId));
+            await trx
+                .delete(resourceHeaderAuthExtendedCompatibility)
+                .where(
+                    eq(
+                        resourceHeaderAuthExtendedCompatibility.resourceId,
+                        resourceId
+                    )
+                );
 
             if (user && password && extendedCompatibility !== null) {
-                const headerAuthHash = await hashPassword(Buffer.from(`${user}:${password}`).toString("base64"));
+                const headerAuthHash = await hashPassword(
+                    Buffer.from(`${user}:${password}`).toString("base64")
+                );
 
                 await Promise.all([
                     trx
                         .insert(resourceHeaderAuth)
-                        .values({resourceId, headerAuthHash}),
+                        .values({ resourceId, headerAuthHash }),
                     trx
                         .insert(resourceHeaderAuthExtendedCompatibility)
-                        .values({resourceId, extendedCompatibilityIsActivated: extendedCompatibility})
+                        .values({
+                            resourceId,
+                            extendedCompatibilityIsActivated:
+                                extendedCompatibility
+                        })
                 ]);
             }
-
-
         });
 
         return response(res, {

server/routers/resource/types.ts

@@ -7,4 +7,4 @@ export type GetMaintenanceInfoResponse = {
     maintenanceTitle: string | null;
     maintenanceMessage: string | null;
     maintenanceEstimatedTime: string | null;
-}
+};

server/routers/resource/updateResource.ts

@@ -343,7 +343,9 @@ async function updateHttpResource(
 
     const isLicensed = await isLicensedOrSubscribed(resource.orgId);
     if (build == "enterprise" && !isLicensed) {
-        logger.warn("Server is not licensed! Clearing set maintenance screen values");
+        logger.warn(
+            "Server is not licensed! Clearing set maintenance screen values"
+        );
         // null the maintenance mode fields if not licensed
         updateData.maintenanceModeEnabled = undefined;
         updateData.maintenanceModeType = undefined;

server/routers/site/listSites.ts

@@ -39,12 +39,12 @@ async function getLatestNewtVersion(): Promise<string | null> {
             return null;
         }
 
-        const tags = await response.json();
+        let tags = await response.json();
         if (!Array.isArray(tags) || tags.length === 0) {
             logger.warn("No tags found for Newt repository");
             return null;
         }
-
+        tags = tags.filter((version) => !version.name.includes("rc"));
         const latestVersion = tags[0].name;
 
         cache.set("latestNewtVersion", latestVersion);

server/routers/siteResource/createSiteResource.ts

@@ -11,7 +11,11 @@ import {
     userSiteResources
 } from "@server/db";
 import { getUniqueSiteResourceName } from "@server/db/names";
-import { getNextAvailableAliasAddress, isIpInCidr, portRangeStringSchema } from "@server/lib/ip";
+import {
+    getNextAvailableAliasAddress,
+    isIpInCidr,
+    portRangeStringSchema
+} from "@server/lib/ip";
 import { rebuildClientAssociationsFromSiteResource } from "@server/lib/rebuildClientAssociations";
 import response from "@server/lib/response";
 import logger from "@server/logger";
@@ -69,7 +73,10 @@ const createSiteResourceSchema = z
                 const domainRegex =
                     /^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)*[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/;
                 const isValidDomain = domainRegex.test(data.destination);
-                const isValidAlias = data.alias !== undefined && data.alias !== null && data.alias.trim() !== "";
+                const isValidAlias =
+                    data.alias !== undefined &&
+                    data.alias !== null &&
+                    data.alias.trim() !== "";
 
                 return isValidDomain && isValidAlias; // require the alias to be set in the case of domain
             }
@@ -182,7 +189,9 @@ export async function createSiteResource(
             .limit(1);
 
         if (!org) {
-            return next(createHttpError(HttpCode.NOT_FOUND, "Organization not found"));
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, "Organization not found")
+            );
         }
 
         if (!org.subnet || !org.utilitySubnet) {
@@ -195,10 +204,13 @@ export async function createSiteResource(
         }
 
         // Only check if destination is an IP address
-        const isIp = z.union([z.ipv4(), z.ipv6()]).safeParse(destination).success;
+        const isIp = z
+            .union([z.ipv4(), z.ipv6()])
+            .safeParse(destination).success;
         if (
             isIp &&
-            (isIpInCidr(destination, org.subnet) || isIpInCidr(destination, org.utilitySubnet))
+            (isIpInCidr(destination, org.subnet) ||
+                isIpInCidr(destination, org.utilitySubnet))
         ) {
             return next(
                 createHttpError(

server/routers/siteResource/deleteSiteResource.ts

@@ -88,9 +88,7 @@ export async function deleteSiteResource(
             );
         });
 
-        logger.info(
+        logger.info(`Deleted site resource ${siteResourceId}`);
-            `Deleted site resource ${siteResourceId}`
-        );
 
         return response(res, {
             data: { message: "Site resource deleted successfully" },

server/routers/siteResource/updateSiteResource.ts

@@ -204,7 +204,9 @@ export async function updateSiteResource(
             .limit(1);
 
         if (!org) {
-            return next(createHttpError(HttpCode.NOT_FOUND, "Organization not found"));
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, "Organization not found")
+            );
         }
 
         if (!org.subnet || !org.utilitySubnet) {
@@ -217,10 +219,13 @@ export async function updateSiteResource(
         }
 
         // Only check if destination is an IP address
-        const isIp = z.union([z.ipv4(), z.ipv6()]).safeParse(destination).success;
+        const isIp = z
+            .union([z.ipv4(), z.ipv6()])
+            .safeParse(destination).success;
         if (
             isIp &&
-            (isIpInCidr(destination!, org.subnet) || isIpInCidr(destination!, org.utilitySubnet))
+            (isIpInCidr(destination!, org.subnet) ||
+                isIpInCidr(destination!, org.utilitySubnet))
         ) {
             return next(
                 createHttpError(
@@ -295,7 +300,7 @@ export async function updateSiteResource(
                 const [insertedSiteResource] = await trx
                     .insert(siteResources)
                     .values({
-                        ...existingSiteResource,
+                        ...existingSiteResource
                     })
                     .returning();
 
@@ -517,9 +522,14 @@ export async function handleMessagingForUpdatedSiteResource(
     site: { siteId: number; orgId: string },
     trx: Transaction
 ) {
-
+    logger.debug(
-    logger.debug("handleMessagingForUpdatedSiteResource: existingSiteResource is: ", existingSiteResource);
+        "handleMessagingForUpdatedSiteResource: existingSiteResource is: ",
-    logger.debug("handleMessagingForUpdatedSiteResource: updatedSiteResource is: ", updatedSiteResource);
+        existingSiteResource
+    );
+    logger.debug(
+        "handleMessagingForUpdatedSiteResource: updatedSiteResource is: ",
+        updatedSiteResource
+    );
 
     const { mergedAllClients } =
         await rebuildClientAssociationsFromSiteResource(

server/setup/scriptsPg/1.14.0.ts

@@ -60,11 +60,11 @@ export default async function migration() {
         );
 
         await db.execute(
-            sql`ALTER TABLE "siteResources" ADD COLUMN "tcpPortRangeString" varchar;`
+            sql`ALTER TABLE "siteResources" ADD COLUMN "tcpPortRangeString" varchar NOT NULL DEFAULT '*';`
         );
 
         await db.execute(
-            sql`ALTER TABLE "siteResources" ADD COLUMN "udpPortRangeString" varchar;`
+            sql`ALTER TABLE "siteResources" ADD COLUMN "udpPortRangeString" varchar NOT NULL DEFAULT '*';`
         );
 
         await db.execute(

server/setup/scriptsSqlite/1.14.0.ts

@@ -73,16 +73,18 @@ export default async function migration() {
             ).run();
 
             db.prepare(
-                `ALTER TABLE 'siteResources' ADD 'tcpPortRangeString' text;`
+                `ALTER TABLE 'siteResources' ADD 'tcpPortRangeString' text DEFAULT '*' NOT NULL;`
             ).run();
 
             db.prepare(
-                `ALTER TABLE 'siteResources' ADD 'udpPortRangeString' text;`
+                `ALTER TABLE 'siteResources' ADD 'udpPortRangeString' text DEFAULT '*' NOT NULL;`
             ).run();
 
             db.prepare(
-                `ALTER TABLE 'siteResources' ADD 'disableIcmp' integer;`
+                `ALTER TABLE 'siteResources' ADD 'disableIcmp' integer NOT NULL DEFAULT false;`
             ).run();
+
+
         })();
 
         db.pragma("foreign_keys = ON");

src/app/[orgId]/settings/general/layout.tsx

@@ -71,7 +71,9 @@ export default async function GeneralSettingsPage({
 
                     <div className="space-y-6">
                         <OrgInfoCard />
-                        <HorizontalTabs items={navItems}>{children}</HorizontalTabs>
+                        <HorizontalTabs items={navItems}>
+                            {children}
+                        </HorizontalTabs>
                     </div>
                 </OrgUserProvider>
             </OrgProvider>

src/app/[orgId]/settings/resources/client/page.tsx

@@ -71,7 +71,7 @@ export default async function ClientResourcesPage(
                 niceId: siteResource.niceId,
                 tcpPortRangeString: siteResource.tcpPortRangeString || null,
                 udpPortRangeString: siteResource.udpPortRangeString || null,
-                disableIcmp: siteResource.disableIcmp || false,
+                disableIcmp: siteResource.disableIcmp || false
             };
         }
     );

src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx

@@ -16,7 +16,6 @@ import { SwitchInput } from "@app/components/SwitchInput";
 import { Tag, TagInput } from "@app/components/tags/tag-input";
 import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { Button } from "@app/components/ui/button";
-import { CheckboxWithLabel } from "@app/components/ui/checkbox";
 import {
     Form,
     FormControl,
@@ -184,9 +183,6 @@ export default function ResourceAuthenticationPage() {
 
     const [ssoEnabled, setSsoEnabled] = useState(resource.sso);
 
-    const [autoLoginEnabled, setAutoLoginEnabled] = useState(
-        resource.skipToIdpId !== null && resource.skipToIdpId !== undefined
-    );
     const [selectedIdpId, setSelectedIdpId] = useState<number | null>(
         resource.skipToIdpId || null
     );
@@ -243,19 +239,8 @@ export default function ResourceAuthenticationPage() {
                 text: w.email
             }))
         );
-        if (autoLoginEnabled && !selectedIdpId && orgIdps.length > 0) {
-            setSelectedIdpId(orgIdps[0].idpId);
-        }
         hasInitializedRef.current = true;
-    }, [
+    }, [pageLoading, resourceRoles, resourceUsers, whitelist, orgIdps]);
-        pageLoading,
-        resourceRoles,
-        resourceUsers,
-        whitelist,
-        autoLoginEnabled,
-        selectedIdpId,
-        orgIdps
-    ]);
 
     const [, submitUserRolesForm, loadingSaveUsersRoles] = useActionState(
         onSubmitUsersRoles,
@@ -269,16 +254,6 @@ export default function ResourceAuthenticationPage() {
         const data = usersRolesForm.getValues();
 
         try {
-            // Validate that an IDP is selected if auto login is enabled
-            if (autoLoginEnabled && !selectedIdpId) {
-                toast({
-                    variant: "destructive",
-                    title: t("error"),
-                    description: t("selectIdpRequired")
-                });
-                return;
-            }
-
             const jobs = [
                 api.post(`/resource/${resource.resourceId}/roles`, {
                     roleIds: data.roles.map((i) => parseInt(i.id))
@@ -288,7 +263,7 @@ export default function ResourceAuthenticationPage() {
                 }),
                 api.post(`/resource/${resource.resourceId}`, {
                     sso: ssoEnabled,
-                    skipToIdpId: autoLoginEnabled ? selectedIdpId : null
+                    skipToIdpId: selectedIdpId
                 })
             ];
 
@@ -296,7 +271,7 @@ export default function ResourceAuthenticationPage() {
 
             updateResource({
                 sso: ssoEnabled,
-                skipToIdpId: autoLoginEnabled ? selectedIdpId : null
+                skipToIdpId: selectedIdpId
             });
 
             updateAuthInfo({
@@ -619,88 +594,53 @@ export default function ResourceAuthenticationPage() {
                                     )}
 
                                     {ssoEnabled && allIdps.length > 0 && (
-                                        <>
+                                        <div className="space-y-2">
-                                            <div className="space-y-2 mb-3">
+                                            <label className="text-sm font-medium">
-                                                <CheckboxWithLabel
+                                                {t("defaultIdentityProvider")}
-                                                    label={t(
+                                            </label>
-                                                        "autoLoginExternalIdp"
+                                            <Select
-                                                    )}
+                                                onValueChange={(value) => {
-                                                    checked={autoLoginEnabled}
+                                                    if (value === "none") {
-                                                    onCheckedChange={(
+                                                        setSelectedIdpId(null);
-                                                        checked
+                                                    } else {
-                                                    ) => {
+                                                        setSelectedIdpId(
-                                                        setAutoLoginEnabled(
+                                                            parseInt(value)
-                                                            checked as boolean
                                                         );
-                                                        if (
+                                                    }
-                                                            checked &&
+                                                }}
-                                                            allIdps.length > 0
+                                                value={
-                                                        ) {
+                                                    selectedIdpId
-                                                            setSelectedIdpId(
+                                                        ? selectedIdpId.toString()
-                                                                allIdps[0].id
+                                                        : "none"
-                                                            );
+                                                }
-                                                        } else {
+                                            >
-                                                            setSelectedIdpId(
+                                                <SelectTrigger className="w-full mt-1">
-                                                                null
+                                                    <SelectValue
-                                                            );
+                                                        placeholder={t(
-                                                        }
+                                                            "selectIdpPlaceholder"
-                                                    }}
-                                                />
-                                                <p className="text-sm text-muted-foreground">
-                                                    {t(
-                                                        "autoLoginExternalIdpDescription"
-                                                    )}
-                                                </p>
-                                            </div>
-
-                                            {autoLoginEnabled && (
-                                                <div className="space-y-2">
-                                                    <label className="text-sm font-medium">
-                                                        {t(
-                                                            "defaultIdentityProvider"
                                                         )}
-                                                    </label>
+                                                    />
-                                                    <Select
+                                                </SelectTrigger>
-                                                        onValueChange={(
+                                                <SelectContent>
-                                                            value
+                                                    <SelectItem value="none">
-                                                        ) =>
+                                                        {t("none")}
-                                                            setSelectedIdpId(
+                                                    </SelectItem>
-                                                                parseInt(value)
+                                                    {allIdps.map((idp) => (
-                                                            )
+                                                        <SelectItem
-                                                        }
+                                                            key={idp.id}
-                                                        value={
+                                                            value={idp.id.toString()}
-                                                            selectedIdpId
+                                                        >
-                                                                ? selectedIdpId.toString()
+                                                            {idp.text}
-                                                                : undefined
+                                                        </SelectItem>
-                                                        }
+                                                    ))}
-                                                    >
+                                                </SelectContent>
-                                                        <SelectTrigger className="w-full mt-1">
+                                            </Select>
-                                                            <SelectValue
+                                            <p className="text-sm text-muted-foreground">
-                                                                placeholder={t(
+                                                {t(
-                                                                    "selectIdpPlaceholder"
+                                                    "defaultIdentityProviderDescription"
-                                                                )}
+                                                )}
-                                                            />
+                                            </p>
-                                                        </SelectTrigger>
+                                        </div>
-                                                        <SelectContent>
-                                                            {allIdps.map(
-                                                                (idp) => (
-                                                                    <SelectItem
-                                                                        key={
-                                                                            idp.id
-                                                                        }
-                                                                        value={idp.id.toString()}
-                                                                    >
-                                                                        {
-                                                                            idp.text
-                                                                        }
-                                                                    </SelectItem>
-                                                                )
-                                                            )}
-                                                        </SelectContent>
-                                                    </Select>
-                                                </div>
-                                            )}
-                                        </>
                                     )}
                                 </form>
                             </Form>

src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx

@@ -118,8 +118,7 @@ export default function ResourceRules(props: {
     const [countrySelectValue, setCountrySelectValue] = useState("");
     const [openAddRuleCountrySelect, setOpenAddRuleCountrySelect] =
         useState(false);
-    const [openAddRuleAsnSelect, setOpenAddRuleAsnSelect] =
+    const [openAddRuleAsnSelect, setOpenAddRuleAsnSelect] = useState(false);
-        useState(false);
     const router = useRouter();
     const t = useTranslations();
     const { env } = useEnvContext();
@@ -542,7 +541,11 @@ export default function ResourceRules(props: {
                         updateRule(row.original.ruleId, {
                             match: value,
                             value:
-                                value === "COUNTRY" ? "US" : value === "ASN" ? "AS15169" : row.original.value
+                                value === "COUNTRY"
+                                    ? "US"
+                                    : value === "ASN"
+                                      ? "AS15169"
+                                      : row.original.value
                         })
                     }
                 >
@@ -559,9 +562,7 @@ export default function ResourceRules(props: {
                             </SelectItem>
                         )}
                         {isMaxmindAsnAvailable && (
-                            <SelectItem value="ASN">
+                            <SelectItem value="ASN">{RuleMatch.ASN}</SelectItem>
-                                {RuleMatch.ASN}
-                            </SelectItem>
                         )}
                     </SelectContent>
                 </Select>
@@ -654,9 +655,7 @@ export default function ResourceRules(props: {
                         </PopoverTrigger>
                         <PopoverContent className="min-w-[200px] p-0">
                             <Command>
-                                <CommandInput
+                                <CommandInput placeholder="Search ASNs or enter custom..." />
-                                    placeholder="Search ASNs or enter custom..."
-                                />
                                 <CommandList>
                                     <CommandEmpty>
                                         No ASN found. Enter a custom ASN below.
@@ -665,7 +664,9 @@ export default function ResourceRules(props: {
                                         {MAJOR_ASNS.map((asn) => (
                                             <CommandItem
                                                 key={asn.code}
-                                                value={asn.name + " " + asn.code}
+                                                value={
+                                                    asn.name + " " + asn.code
+                                                }
                                                 onSelect={() => {
                                                     updateRule(
                                                         row.original.ruleId,
@@ -1056,8 +1057,8 @@ export default function ResourceRules(props: {
                                                             </PopoverContent>
                                                         </Popover>
                                                     ) : addRuleForm.watch(
-                                                        "match"
+                                                          "match"
-                                                    ) === "ASN" ? (
+                                                      ) === "ASN" ? (
                                                         <Popover
                                                             open={
                                                                 openAddRuleAsnSelect
@@ -1086,21 +1087,27 @@ export default function ResourceRules(props: {
                                                                                   field.value
                                                                           )
                                                                               ?.name +
-                                                                          " (" +
+                                                                              " (" +
-                                                                          field.value +
+                                                                              field.value +
-                                                                          ")" || field.value
+                                                                              ")" ||
+                                                                          field.value
                                                                         : "Select ASN"}
                                                                     <ChevronsUpDown className="ml-2 h-4 w-4 shrink-0 opacity-50" />
                                                                 </Button>
                                                             </PopoverTrigger>
                                                             <PopoverContent className="w-full p-0">
                                                                 <Command>
-                                                                    <CommandInput
+                                                                    <CommandInput placeholder="Search ASNs or enter custom..." />
-                                                                        placeholder="Search ASNs or enter custom..."
-                                                                    />
                                                                     <CommandList>
                                                                         <CommandEmpty>
-                                                                            No ASN found. Use the custom input below.
+                                                                            No
+                                                                            ASN
+                                                                            found.
+                                                                            Use
+                                                                            the
+                                                                            custom
+                                                                            input
+                                                                            below.
                                                                         </CommandEmpty>
                                                                         <CommandGroup>
                                                                             {MAJOR_ASNS.map(
@@ -1112,7 +1119,9 @@ export default function ResourceRules(props: {
                                                                                             asn.code
                                                                                         }
                                                                                         value={
-                                                                                            asn.name + " " + asn.code
+                                                                                            asn.name +
+                                                                                            " " +
+                                                                                            asn.code
                                                                                         }
                                                                                         onSelect={() => {
                                                                                             field.onChange(
@@ -1138,6 +1147,7 @@ export default function ResourceRules(props: {
                                                                                         {
                                                                                             asn.code
                                                                                         }
+
                                                                                         )
                                                                                     </CommandItem>
                                                                                 )
@@ -1148,14 +1158,32 @@ export default function ResourceRules(props: {
                                                                 <div className="border-t p-2">
                                                                     <Input
                                                                         placeholder="Enter custom ASN (e.g., AS15169)"
-                                                                        onKeyDown={(e) => {
+                                                                        onKeyDown={(
-                                                                            if (e.key === "Enter") {
+                                                                            e
-                                                                                const value = e.currentTarget.value
+                                                                        ) => {
-                                                                                    .toUpperCase()
+                                                                            if (
-                                                                                    .replace(/^AS/, "");
+                                                                                e.key ===
-                                                                                if (/^\d+$/.test(value)) {
+                                                                                "Enter"
-                                                                                    field.onChange("AS" + value);
+                                                                            ) {
-                                                                                    setOpenAddRuleAsnSelect(false);
+                                                                                const value =
+                                                                                    e.currentTarget.value
+                                                                                        .toUpperCase()
+                                                                                        .replace(
+                                                                                            /^AS/,
+                                                                                            ""
+                                                                                        );
+                                                                                if (
+                                                                                    /^\d+$/.test(
+                                                                                        value
+                                                                                    )
+                                                                                ) {
+                                                                                    field.onChange(
+                                                                                        "AS" +
+                                                                                            value
+                                                                                    );
+                                                                                    setOpenAddRuleAsnSelect(
+                                                                                        false
+                                                                                    );
                                                                                 }
                                                                             }
                                                                         }}

src/app/[orgId]/settings/sites/create/page.tsx

@@ -756,7 +756,9 @@ WantedBy=default.target`
                                                     render={({ field }) => (
                                                         <FormItem className="md:col-start-1 md:col-span-2">
                                                             <FormLabel>
-                                                                {t("siteAddress")}
+                                                                {t(
+                                                                    "siteAddress"
+                                                                )}
                                                             </FormLabel>
                                                             <FormControl>
                                                                 <Input
@@ -909,7 +911,7 @@ WantedBy=default.target`
                                                                 ? "squareOutlinePrimary"
                                                                 : "squareOutline"
                                                         }
-                                                        className={`flex-1 min-w-[120px] ${platform === os ? "bg-primary/10" : ""} shadow-none`}
+                                                        className={`flex-1 min-w-30 ${platform === os ? "bg-primary/10" : ""} shadow-none`}
                                                         onClick={() => {
                                                             setPlatform(os);
                                                         }}
@@ -940,7 +942,7 @@ WantedBy=default.target`
                                                                     ? "squareOutlinePrimary"
                                                                     : "squareOutline"
                                                             }
-                                                            className={`flex-1 min-w-[120px] ${architecture === arch ? "bg-primary/10" : ""} shadow-none`}
+                                                            className={`flex-1 min-w-30 ${architecture === arch ? "bg-primary/10" : ""} shadow-none`}
                                                             onClick={() =>
                                                                 setArchitecture(
                                                                     arch

src/app/auth/org/page.tsx

@@ -87,8 +87,6 @@ export default async function OrgAuthPage(props: {
             redirect(env.app.dashboardUrl);
         }
 
-        console.log(user, forceLogin);
-
         if (user && !forceLogin) {
             let redirectToken: string | undefined;
             try {

src/components/ClientDownloadBanner.tsx

@@ -66,4 +66,3 @@ export const ClientDownloadBanner = () => {
 };
 
 export default ClientDownloadBanner;
-

src/components/ClientResourcesTable.tsx

@@ -99,14 +99,12 @@ export default function ClientResourcesTable({
         siteId: number
     ) => {
         try {
-            await api
+            await api.delete(`/site-resource/${resourceId}`).then(() => {
-                .delete(`/site-resource/${resourceId}`)
+                startTransition(() => {
-                .then(() => {
+                    router.refresh();
-                    startTransition(() => {
+                    setIsDeleteModalOpen(false);
-                        router.refresh();
-                        setIsDeleteModalOpen(false);
-                    });
                 });
+            });
         } catch (e) {
             console.error(t("resourceErrorDelete"), e);
             toast({

src/components/CreateInternalResourceDialog.tsx

@@ -87,7 +87,12 @@ const isValidPortRangeString = (val: string | undefined | null): boolean => {
                 return false;
             }
 
-            if (startPort < 1 || startPort > 65535 || endPort < 1 || endPort > 65535) {
+            if (
+                startPort < 1 ||
+                startPort > 65535 ||
+                endPort < 1 ||
+                endPort > 65535
+            ) {
                 return false;
             }
 
@@ -131,7 +136,10 @@ const getPortModeFromString = (val: string | undefined | null): PortMode => {
 };
 
 // Helper to get the port string for API from mode and custom value
-const getPortStringFromMode = (mode: PortMode, customValue: string): string | undefined => {
+const getPortStringFromMode = (
+    mode: PortMode,
+    customValue: string
+): string | undefined => {
     if (mode === "all") return "*";
     if (mode === "blocked") return "";
     return customValue;
@@ -1097,8 +1105,7 @@ export default function CreateInternalResourceDialog({
                                                             size="sm"
                                                             tags={
                                                                 form.getValues()
-                                                                    .roles ||
+                                                                    .roles || []
-                                                                []
                                                             }
                                                             setTags={(
                                                                 newRoles
@@ -1154,8 +1161,7 @@ export default function CreateInternalResourceDialog({
                                                             )}
                                                             tags={
                                                                 form.getValues()
-                                                                    .users ||
+                                                                    .users || []
-                                                                []
                                                             }
                                                             size="sm"
                                                             setTags={(
@@ -1245,9 +1251,7 @@ export default function CreateInternalResourceDialog({
                                                                 restrictTagsToAutocompleteOptions={
                                                                     true
                                                                 }
-                                                                sortTags={
+                                                                sortTags={true}
-                                                                    true
-                                                                }
                                                             />
                                                         </FormControl>
                                                         <FormMessage />

src/components/DismissableBanner.tsx

@@ -95,4 +95,3 @@ export const DismissableBanner = ({
 };
 
 export default DismissableBanner;
-

src/components/EditInternalResourceDialog.tsx

@@ -501,13 +501,19 @@ export default function EditInternalResourceDialog({
             // ]);
 
             await queryClient.invalidateQueries(
-                resourceQueries.siteResourceRoles({ siteResourceId: resource.id })
+                resourceQueries.siteResourceRoles({
+                    siteResourceId: resource.id
+                })
             );
             await queryClient.invalidateQueries(
-                resourceQueries.siteResourceUsers({ siteResourceId: resource.id })
+                resourceQueries.siteResourceUsers({
+                    siteResourceId: resource.id
+                })
             );
             await queryClient.invalidateQueries(
-                resourceQueries.siteResourceClients({ siteResourceId: resource.id })
+                resourceQueries.siteResourceClients({
+                    siteResourceId: resource.id
+                })
             );
 
             toast({

src/components/ExitNodesTable.tsx

@@ -330,7 +330,7 @@ export default function ExitNodesTable({
                 isRefreshing={isRefreshing}
                 columnVisibility={{
                     type: false,
-                    address: false,
+                    address: false
                 }}
                 enableColumnVisibility={true}
             />

src/components/LayoutSidebar.tsx

@@ -116,10 +116,12 @@ export function LayoutSidebar({
                     isCollapsed={isSidebarCollapsed}
                 />
             </div>
-            <div className={cn(
+            <div
-                "w-full border-b border-border",
+                className={cn(
-                isSidebarCollapsed && "mb-2"
+                    "w-full border-b border-border",
-            )} />
+                    isSidebarCollapsed && "mb-2"
+                )}
+            />
             <div className="flex-1 overflow-y-auto relative">
                 <div className="px-2 pt-1">
                     {!isAdminPage && user.serverAdmin && (

src/components/LoginForm.tsx

@@ -120,7 +120,9 @@ export default function LoginForm({
         const focusInput = () => {
             // Try using the ref first
             if (otpContainerRef.current) {
-                const hiddenInput = otpContainerRef.current.querySelector('input') as HTMLInputElement;
+                const hiddenInput = otpContainerRef.current.querySelector(
+                    "input"
+                ) as HTMLInputElement;
                 if (hiddenInput) {
                     hiddenInput.focus();
                     return;
@@ -128,17 +130,23 @@ export default function LoginForm({
             }
 
             // Fallback: query the DOM
-            const otpContainer = document.querySelector('[data-slot="input-otp"]');
+            const otpContainer = document.querySelector(
+                '[data-slot="input-otp"]'
+            );
             if (!otpContainer) return;
 
-            const hiddenInput = otpContainer.querySelector('input') as HTMLInputElement;
+            const hiddenInput = otpContainer.querySelector(
+                "input"
+            ) as HTMLInputElement;
             if (hiddenInput) {
                 hiddenInput.focus();
                 return;
             }
 
             // Last resort: click the first slot
-            const firstSlot = otpContainer.querySelector('[data-slot="input-otp-slot"]') as HTMLElement;
+            const firstSlot = otpContainer.querySelector(
+                '[data-slot="input-otp-slot"]'
+            ) as HTMLElement;
             if (firstSlot) {
                 firstSlot.click();
             }
@@ -508,7 +516,10 @@ export default function LoginForm({
                                 render={({ field }) => (
                                     <FormItem>
                                         <FormControl>
-                                            <div ref={otpContainerRef} className="flex justify-center">
+                                            <div
+                                                ref={otpContainerRef}
+                                                className="flex justify-center"
+                                            >
                                                 <InputOTP
                                                     maxLength={6}
                                                     {...field}

src/components/MachineClientsBanner.tsx

@@ -11,9 +11,7 @@ type MachineClientsBannerProps = {
     orgId: string;
 };
 
-export const MachineClientsBanner = ({
+export const MachineClientsBanner = ({ orgId }: MachineClientsBannerProps) => {
-    orgId
-}: MachineClientsBannerProps) => {
     const t = useTranslations();
 
     return (
@@ -57,4 +55,3 @@ export const MachineClientsBanner = ({
 };
 
 export default MachineClientsBanner;
-

src/components/OrgInfoCard.tsx

@@ -39,4 +39,3 @@ export default function OrgInfoCard({}: OrgInfoCardProps) {
         </Alert>
     );
 }
-

src/components/OrgLoginPage.tsx

@@ -119,4 +119,3 @@ export default async function OrgLoginPage({
         </div>
     );
 }
-

src/components/OrgSelectionForm.tsx

@@ -95,7 +95,7 @@ export function OrgSelectionForm() {
                             <p className="text-sm text-muted-foreground">
                                 {t("orgAuthWhatsThis")}{" "}
                                 <Link
-                                    href="https://docs.pangolin.net/manage/identity-providers/add-an-idp"
+                                    href="https://docs.pangolin.net/manage/organizations/org-id"
                                     target="_blank"
                                     rel="noopener noreferrer"
                                     className="underline"

src/components/PrivateResourcesBanner.tsx

@@ -51,4 +51,3 @@ export const PrivateResourcesBanner = ({
 };
 
 export default PrivateResourcesBanner;
-

src/components/ProductUpdates.tsx

@@ -41,7 +41,10 @@ export default function ProductUpdates({
 
     const data = useQueries({
         queries: [
-            productUpdatesQueries.list(env.app.notifications.product_updates),
+            productUpdatesQueries.list(
+                env.app.notifications.product_updates,
+                env.app.version
+            ),
             productUpdatesQueries.latestVersion(
                 env.app.notifications.new_releases
             )
@@ -189,7 +192,7 @@ function ProductUpdatesListPopup({
                     <div
                         className={cn(
                             "relative z-1 cursor-pointer block group",
-                            "rounded-md border border-primary/30 bg-gradient-to-br dark:from-primary/20 from-primary/20 via-background to-background p-2 py-3 w-full flex flex-col gap-2 text-sm",
+                            "rounded-md border border-primary/30 bg-linear-to-br dark:from-primary/20 from-primary/20 via-background to-background p-2 py-3 w-full flex flex-col gap-2 text-sm",
                             "transition duration-300 ease-in-out",
                             "data-closed:opacity-0 data-closed:translate-y-full"
                         )}
@@ -343,7 +346,7 @@ function NewVersionAvailable({
                     rel="noopener noreferrer"
                     className={cn(
                         "relative z-2 group cursor-pointer block",
-                        "rounded-md border border-primary/30 bg-gradient-to-br dark:from-primary/20 from-primary/20 via-background to-background p-2 py-3 w-full flex flex-col gap-2 text-sm",
+                        "rounded-md border border-primary/30 bg-linear-to-br dark:from-primary/20 from-primary/20 via-background to-background p-2 py-3 w-full flex flex-col gap-2 text-sm",
                         "transition duration-300 ease-in-out",
                         "data-closed:opacity-0 data-closed:translate-y-full"
                     )}

src/components/ProxyResourcesBanner.tsx

@@ -20,4 +20,3 @@ export const ProxyResourcesBanner = () => {
 };
 
 export default ProxyResourcesBanner;
-

src/components/SetResourceHeaderAuthForm.tsx

@@ -1,6 +1,6 @@
 "use client";
 
-import {Button} from "@app/components/ui/button";
+import { Button } from "@app/components/ui/button";
 import {
     Form,
     FormControl,
@@ -9,12 +9,12 @@ import {
     FormLabel,
     FormMessage
 } from "@app/components/ui/form";
-import {Input} from "@app/components/ui/input";
+import { Input } from "@app/components/ui/input";
-import {toast} from "@app/hooks/useToast";
+import { toast } from "@app/hooks/useToast";
-import {zodResolver} from "@hookform/resolvers/zod";
+import { zodResolver } from "@hookform/resolvers/zod";
-import {useEffect, useState} from "react";
+import { useEffect, useState } from "react";
-import {useForm} from "react-hook-form";
+import { useForm } from "react-hook-form";
-import {z} from "zod";
+import { z } from "zod";
 import {
     Credenza,
     CredenzaBody,
@@ -25,14 +25,14 @@ import {
     CredenzaHeader,
     CredenzaTitle
 } from "@app/components/Credenza";
-import {formatAxiosError} from "@app/lib/api";
+import { formatAxiosError } from "@app/lib/api";
-import {AxiosResponse} from "axios";
+import { AxiosResponse } from "axios";
-import {Resource} from "@server/db";
+import { Resource } from "@server/db";
-import {createApiClient} from "@app/lib/api";
+import { createApiClient } from "@app/lib/api";
-import {useEnvContext} from "@app/hooks/useEnvContext";
+import { useEnvContext } from "@app/hooks/useEnvContext";
-import {useTranslations} from "next-intl";
+import { useTranslations } from "next-intl";
-import {SwitchInput} from "@/components/SwitchInput";
+import { SwitchInput } from "@/components/SwitchInput";
-import {InfoPopup} from "@/components/ui/info-popup";
+import { InfoPopup } from "@/components/ui/info-popup";
 
 const setHeaderAuthFormSchema = z.object({
     user: z.string().min(4).max(100),
@@ -56,11 +56,11 @@ type SetHeaderAuthFormProps = {
 };
 
 export default function SetResourceHeaderAuthForm({
-                                                      open,
+    open,
-                                                      setOpen,
+    setOpen,
-                                                      resourceId,
+    resourceId,
-                                                      onSetHeaderAuth
+    onSetHeaderAuth
-                                                  }: SetHeaderAuthFormProps) {
+}: SetHeaderAuthFormProps) {
     const api = createApiClient(useEnvContext());
     const t = useTranslations();
 
@@ -82,11 +82,14 @@ export default function SetResourceHeaderAuthForm({
     async function onSubmit(data: SetHeaderAuthFormValues) {
         setLoading(true);
 
-        api.post<AxiosResponse<Resource>>(`/resource/${resourceId}/header-auth`, {
+        api.post<AxiosResponse<Resource>>(
-            user: data.user,
+            `/resource/${resourceId}/header-auth`,
-            password: data.password,
+            {
-            extendedCompatibility: data.extendedCompatibility
+                user: data.user,
-        })
+                password: data.password,
+                extendedCompatibility: data.extendedCompatibility
+            }
+        )
             .then(() => {
                 toast({
                     title: t("resourceHeaderAuthSetup"),
@@ -100,10 +103,10 @@ export default function SetResourceHeaderAuthForm({
             .catch((e) => {
                 toast({
                     variant: "destructive",
-                    title: t('resourceErrorHeaderAuthSetup'),
+                    title: t("resourceErrorHeaderAuthSetup"),
                     description: formatAxiosError(
                         e,
-                        t('resourceErrorHeaderAuthSetupDescription')
+                        t("resourceErrorHeaderAuthSetupDescription")
                     )
                 });
             })
@@ -139,7 +142,7 @@ export default function SetResourceHeaderAuthForm({
                                 <FormField
                                     control={form.control}
                                     name="user"
-                                    render={({field}) => (
+                                    render={({ field }) => (
                                         <FormItem>
                                             <FormLabel>{t("user")}</FormLabel>
                                             <FormControl>
@@ -149,14 +152,14 @@ export default function SetResourceHeaderAuthForm({
                                                     {...field}
                                                 />
                                             </FormControl>
-                                            <FormMessage/>
+                                            <FormMessage />
                                         </FormItem>
                                     )}
                                 />
                                 <FormField
                                     control={form.control}
                                     name="password"
-                                    render={({field}) => (
+                                    render={({ field }) => (
                                         <FormItem>
                                             <FormLabel>
                                                 {t("password")}
@@ -168,25 +171,31 @@ export default function SetResourceHeaderAuthForm({
                                                     {...field}
                                                 />
                                             </FormControl>
-                                            <FormMessage/>
+                                            <FormMessage />
                                         </FormItem>
                                     )}
                                 />
                                 <FormField
                                     control={form.control}
                                     name="extendedCompatibility"
-                                    render={({field}) => (
+                                    render={({ field }) => (
                                         <FormItem>
                                             <FormControl>
                                                 <SwitchInput
                                                     id="header-auth-compatibility-toggle"
-                                                    label={t("headerAuthCompatibility")}
+                                                    label={t(
-                                                    info={t('headerAuthCompatibilityInfo')}
+                                                        "headerAuthCompatibility"
+                                                    )}
+                                                    info={t(
+                                                        "headerAuthCompatibilityInfo"
+                                                    )}
                                                     checked={field.value}
-                                                    onCheckedChange={field.onChange}
+                                                    onCheckedChange={
+                                                        field.onChange
+                                                    }
                                                 />
                                             </FormControl>
-                                            <FormMessage/>
+                                            <FormMessage />
                                         </FormItem>
                                     )}
                                 />

src/components/SetResourcePasswordForm.tsx

@@ -91,10 +91,10 @@ export default function SetResourcePasswordForm({
             .catch((e) => {
                 toast({
                     variant: "destructive",
-                    title: t('resourceErrorPasswordSetup'),
+                    title: t("resourceErrorPasswordSetup"),
                     description: formatAxiosError(
                         e,
-                        t('resourceErrorPasswordSetupDescription')
+                        t("resourceErrorPasswordSetupDescription")
                     )
                 });
             })

src/components/SetResourcePincodeForm.tsx

@@ -97,10 +97,10 @@ export default function SetResourcePincodeForm({
             .catch((e) => {
                 toast({
                     variant: "destructive",
-                    title: t('resourceErrorPincodeSetup'),
+                    title: t("resourceErrorPincodeSetup"),
                     description: formatAxiosError(
                         e,
-                        t('resourceErrorPincodeSetupDescription')
+                        t("resourceErrorPincodeSetupDescription")
                     )
                 });
             })

src/components/SitesBanner.tsx

@@ -37,4 +37,3 @@ export const SitesBanner = () => {
 };
 
 export default SitesBanner;
-

src/components/SwitchInput.tsx

@@ -1,10 +1,14 @@
 import React from "react";
-import {Switch} from "./ui/switch";
+import { Switch } from "./ui/switch";
-import {Label} from "./ui/label";
+import { Label } from "./ui/label";
-import {Button} from "@/components/ui/button";
+import { Button } from "@/components/ui/button";
-import {Info} from "lucide-react";
+import { Info } from "lucide-react";
-import {info} from "winston";
+import { info } from "winston";
-import {Popover, PopoverContent, PopoverTrigger} from "@/components/ui/popover";
+import {
+    Popover,
+    PopoverContent,
+    PopoverTrigger
+} from "@/components/ui/popover";
 
 interface SwitchComponentProps {
     id: string;
@@ -18,22 +22,22 @@ interface SwitchComponentProps {
 }
 
 export function SwitchInput({
-                                id,
+    id,
-                                label,
+    label,
-                                description,
+    description,
-                                info,
+    info,
-                                disabled,
+    disabled,
-                                checked,
+    checked,
-                                defaultChecked = false,
+    defaultChecked = false,
-                                onCheckedChange
+    onCheckedChange
-                            }: SwitchComponentProps) {
+}: SwitchComponentProps) {
     const defaultTrigger = (
         <Button
             variant="ghost"
             size="icon"
             className="h-6 w-6 rounded-full p-0"
         >
-            <Info className="h-4 w-4"/>
+            <Info className="h-4 w-4" />
             <span className="sr-only">Show info</span>
         </Button>
     );
@@ -49,18 +53,20 @@ export function SwitchInput({
                     disabled={disabled}
                 />
                 {label && <Label htmlFor={id}>{label}</Label>}
-                {info && <Popover>
+                {info && (
-                    <PopoverTrigger asChild>
+                    <Popover>
-                        {defaultTrigger}
+                        <PopoverTrigger asChild>
-                    </PopoverTrigger>
+                            {defaultTrigger}
-                    <PopoverContent className="w-80">
+                        </PopoverTrigger>
-                        {info && (
+                        <PopoverContent className="w-80">
-                            <p className="text-sm text-muted-foreground">
+                            {info && (
-                                {info}
+                                <p className="text-sm text-muted-foreground">
-                            </p>
+                                    {info}
-                        )}
+                                </p>
-                    </PopoverContent>
+                            )}
-                </Popover>}
+                        </PopoverContent>
+                    </Popover>
+                )}
             </div>
             {description && (
                 <span className="text-muted-foreground text-sm">

src/components/private/AuthPageSettings.tsx

@@ -276,14 +276,15 @@ function AuthPageSettings({
         <>
             <SettingsSection>
                 <SettingsSectionHeader>
-                    <SettingsSectionTitle>{t("customDomain")}</SettingsSectionTitle>
+                    <SettingsSectionTitle>
+                        {t("customDomain")}
+                    </SettingsSectionTitle>
                     <SettingsSectionDescription>
                         {t("authPageDescription")}
                     </SettingsSectionDescription>
                 </SettingsSectionHeader>
                 <SettingsSectionBody>
                     <SettingsSectionForm>
-
                         <PaidFeaturesAlert />
 
                         <Form {...form}>

src/components/private/IdpLoginButtons.tsx

@@ -58,12 +58,7 @@ export default function IdpLoginButtons({
 
         let redirectToUrl: string | undefined;
         try {
-            console.log(
+            console.log("generating", idpId, redirect || "/", orgId);
-                "generating",
-                idpId,
-                redirect || "/",
-                orgId
-            );
             const safeRedirect = cleanRedirect(redirect || "/");
             const response = await generateOidcUrlProxy(
                 idpId,

src/components/ui/data-table.tsx

@@ -288,7 +288,10 @@ export function DataTable<TData, TValue>({
     useEffect(() => {
         if (persistPageSize && pagination.pageSize !== pageSize) {
             // Only store if user has actually changed it from initial value
-            if (hasUserChangedPageSize.current && pagination.pageSize !== initialPageSize.current) {
+            if (
+                hasUserChangedPageSize.current &&
+                pagination.pageSize !== initialPageSize.current
+            ) {
                 setStoredPageSize(pagination.pageSize, tableId);
             }
             setPageSize(pagination.pageSize);
@@ -298,7 +301,9 @@ export function DataTable<TData, TValue>({
     useEffect(() => {
         // Persist column visibility to localStorage when it changes (but not on initial mount)
         if (shouldPersistColumnVisibility) {
-            const hasChanged = JSON.stringify(columnVisibility) !== JSON.stringify(initialColumnVisibilityState.current);
+            const hasChanged =
+                JSON.stringify(columnVisibility) !==
+                JSON.stringify(initialColumnVisibilityState.current);
             if (hasChanged) {
                 // Mark as user-initiated change and persist
                 hasUserChangedColumnVisibility.current = true;

src/lib/queries.ts

@@ -41,12 +41,13 @@ export type LatestVersionResponse = {
 };
 
 export const productUpdatesQueries = {
-    list: (enabled: boolean) =>
+    list: (enabled: boolean, version?: string) =>
         queryOptions({
             queryKey: ["PRODUCT_UPDATES"] as const,
             queryFn: async ({ signal }) => {
                 const sp = new URLSearchParams({
-                    build
+                    build,
+                    ...(version ? { version } : {})
                 });
                 const data = await remote.get<ResponseT<ProductUpdate[]>>(
                     `/product-updates?${sp.toString()}`,