New translations en-us.json (French)

Fixes #2163

.github/workflows/cicd.yml

@@ -99,7 +99,7 @@ jobs:
               id: check-rc
               run: |
                   TAG=${{ env.TAG }}
-                  if [[ "$TAG" == *".rc."* ]]; then
+                  if [[ "$TAG" == *"-rc."* ]]; then
                       echo "IS_RC=true" >> $GITHUB_ENV
                   else
                       echo "IS_RC=false" >> $GITHUB_ENV
@@ -171,7 +171,7 @@ jobs:
               id: check-rc
               run: |
                   TAG=${{ env.TAG }}
-                  if [[ "$TAG" == *".rc."* ]]; then
+                  if [[ "$TAG" == *"-rc."* ]]; then
                       echo "IS_RC=true" >> $GITHUB_ENV
                   else
                       echo "IS_RC=false" >> $GITHUB_ENV
@@ -219,7 +219,7 @@ jobs:
               id: check-rc
               run: |
                   TAG=${{ env.TAG }}
-                  if [[ "$TAG" == *".rc."* ]]; then
+                  if [[ "$TAG" == *"-rc."* ]]; then
                       echo "IS_RC=true" >> $GITHUB_ENV
                   else
                       echo "IS_RC=false" >> $GITHUB_ENV
@@ -322,13 +322,18 @@ jobs:
               shell: bash
 
             - name: Login to GHCR
+              env:
+                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
               run: |
+                  mkdir -p "$(dirname "$REGISTRY_AUTH_FILE")"
                   skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
               shell: bash
 
             - name: Copy tag from Docker Hub to GHCR
               # Mirror the already-built image (all architectures) to GHCR so we can sign it
               # Wait a bit for both architectures to be available in Docker Hub manifest
+              env:
+                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
               run: |
                   set -euo pipefail
                   TAG=${{ env.TAG }}

.github/workflows/mirror.yaml

@@ -45,7 +45,7 @@ jobs:
         run: |
           set -euo pipefail
           skopeo list-tags --retry-times 3 docker://"${SOURCE_IMAGE}" \
-            | jq -r '.Tags[]' | sort -u > src-tags.txt
+            | jq -r '.Tags[]' | grep -v -e '-arm64' -e '-amd64' | sort -u > src-tags.txt
           echo "Found source tags: $(wc -l < src-tags.txt)"
           head -n 20 src-tags.txt || true
 

:w

@@ -1,96 +0,0 @@
-import { db } from "@server/db/pg/driver";
-import { sql } from "drizzle-orm";
-import { __DIRNAME } from "@server/lib/consts";
-
-const version = "1.14.0";
-
-export default async function migration() {
-    console.log(`Running setup script ${version}...`);
-
-    try {
-        await db.execute(sql`BEGIN`);
-
-        await db.execute(sql`
-            CREATE TABLE "loginPageBranding" (
-                "loginPageBrandingId" serial PRIMARY KEY NOT NULL,
-                "logoUrl" text NOT NULL,
-                "logoWidth" integer NOT NULL,
-                "logoHeight" integer NOT NULL,
-                "primaryColor" text,
-                "resourceTitle" text NOT NULL,
-                "resourceSubtitle" text,
-                "orgTitle" text,
-                "orgSubtitle" text
-            );
-        `);
-
-        await db.execute(sql`
-            CREATE TABLE "loginPageBrandingOrg" (
-                "loginPageBrandingId" integer NOT NULL,
-                "orgId" varchar NOT NULL
-            );
-        `);
-
-        await db.execute(sql`
-            CREATE TABLE "resourceHeaderAuthExtendedCompatibility" (
-                "headerAuthExtendedCompatibilityId" serial PRIMARY KEY NOT NULL,
-                "resourceId" integer NOT NULL,
-                "extendedCompatibilityIsActivated" boolean DEFAULT false NOT NULL
-            );
-        `);
-
-        await db.execute(
-            sql`ALTER TABLE "resources" ADD COLUMN "maintenanceModeEnabled" boolean DEFAULT false NOT NULL;`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "resources" ADD COLUMN "maintenanceModeType" text DEFAULT 'forced';`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "resources" ADD COLUMN "maintenanceTitle" text;`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "resources" ADD COLUMN "maintenanceMessage" text;`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "resources" ADD COLUMN "maintenanceEstimatedTime" text;`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "siteResources" ADD COLUMN "tcpPortRangeString" varchar;`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "siteResources" ADD COLUMN "udpPortRangeString" varchar;`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "siteResources" ADD COLUMN "disableIcmp" boolean DEFAULT false NOT NULL;`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "loginPageBrandingOrg" ADD CONSTRAINT "loginPageBrandingOrg_loginPageBrandingId_loginPageBranding_loginPageBrandingId_fk" FOREIGN KEY ("loginPageBrandingId") REFERENCES "public"."loginPageBranding"("loginPageBrandingId") ON DELETE cascade ON UPDATE no action;`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "loginPageBrandingOrg" ADD CONSTRAINT "loginPageBrandingOrg_orgId_orgs_orgId_fk" FOREIGN KEY ("orgId") REFERENCES "public"."orgs"("orgId") ON DELETE cascade ON UPDATE no action;`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "resourceHeaderAuthExtendedCompatibility" ADD CONSTRAINT "resourceHeaderAuthExtendedCompatibility_resourceId_resources_resourceId_fk" FOREIGN KEY ("resourceId") REFERENCES "public"."resources"("resourceId") ON DELETE cascade ON UPDATE no action;`
-        );
-
-        await db.execute(sql`COMMIT`);
-        console.log("Migrated database");
-    } catch (e) {
-        await db.execute(sql`ROLLBACK`);
-        console.log("Unable to migrate database");
-        console.log(e);
-        throw e;
-    }
-
-    console.log(`${version} migration complete`);
-}

messages/bg-BG.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Конфигуриране на достъп за организация",
     "idpUpdatedDescription": "Идентификационният доставчик беше актуализиран успешно",
     "redirectUrl": "URL за пренасочване",
+    "orgIdpRedirectUrls": "URL адреси за пренасочване",
     "redirectUrlAbout": "За URL за пренасочване",
     "redirectUrlAboutDescription": "Това е URL адресът, към който потребителите ще бъдат пренасочени след удостоверяване. Трябва да конфигурирате този URL адрес в настройките на доставчика на идентичност.",
     "pangolinAuth": "Authent - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Съгласен съм с",
         "termsOfService": "условията за ползване",
         "and": "и",
-        "privacyPolicy": "политиката за поверителност"
+        "privacyPolicy": "политика за поверителност."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Дръж ме в течение с новини, актуализации и нови функции чрез имейл."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Въведете потвърждение.",
     "blueprintViewDetails": "Подробности.",
     "defaultIdentityProvider": "По подразбиране доставчик на идентичност.",
+    "defaultIdentityProviderDescription": "Когато е избран основен доставчик на идентичност, потребителят ще бъде автоматично пренасочен към доставчика за удостоверяване.",
     "editInternalResourceDialogNetworkSettings": "Мрежови настройки.",
     "editInternalResourceDialogAccessPolicy": "Политика за достъп.",
     "editInternalResourceDialogAddRoles": "Добавяне на роли.",

messages/cs-CZ.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Konfigurace přístupu pro organizaci",
     "idpUpdatedDescription": "Poskytovatel identity byl úspěšně aktualizován",
     "redirectUrl": "Přesměrovat URL",
+    "orgIdpRedirectUrls": "Přesměrovat URL",
     "redirectUrlAbout": "O přesměrování URL",
     "redirectUrlAboutDescription": "Toto je URL, na kterou budou uživatelé po ověření přesměrováni. Tuto URL je třeba nastavit v nastavení poskytovatele identity.",
     "pangolinAuth": "Auth - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Souhlasím s",
         "termsOfService": "podmínky služby",
         "and": "a",
-        "privacyPolicy": "zásady ochrany osobních údajů"
+        "privacyPolicy": "zásady ochrany osobních údajů."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Udržujte mě ve smyčce s novinkami, aktualizacemi a novými funkcemi e-mailem."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Zadejte potvrzení",
     "blueprintViewDetails": "Detaily",
     "defaultIdentityProvider": "Výchozí poskytovatel identity",
+    "defaultIdentityProviderDescription": "Pokud je vybrán výchozí poskytovatel identity, uživatel bude automaticky přesměrován na poskytovatele pro ověření.",
     "editInternalResourceDialogNetworkSettings": "Nastavení sítě",
     "editInternalResourceDialogAccessPolicy": "Přístupová politika",
     "editInternalResourceDialogAddRoles": "Přidat role",

messages/de-DE.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Zugriff für eine Organisation konfigurieren",
     "idpUpdatedDescription": "Identitätsanbieter erfolgreich aktualisiert",
     "redirectUrl": "Weiterleitungs-URL",
+    "orgIdpRedirectUrls": "Umleitungs-URLs",
     "redirectUrlAbout": "Über die Weiterleitungs-URL",
     "redirectUrlAboutDescription": "Dies ist die URL, zu der Benutzer nach der Authentifizierung umgeleitet werden. Sie müssen diese URL in den Einstellungen des Identity Providers konfigurieren.",
     "pangolinAuth": "Authentifizierung - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Ich stimme den",
         "termsOfService": "Nutzungsbedingungen zu",
         "and": "und",
-        "privacyPolicy": "Datenschutzrichtlinie"
+        "privacyPolicy": "datenschutzrichtlinie."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Halten Sie mich auf dem Laufenden mit Neuigkeiten, Updates und neuen Funktionen per E-Mail."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Bestätigung eingeben",
     "blueprintViewDetails": "Details",
     "defaultIdentityProvider": "Standard Identitätsanbieter",
+    "defaultIdentityProviderDescription": "Wenn ein Standard-Identity Provider ausgewählt ist, wird der Benutzer zur Authentifizierung automatisch an den Anbieter weitergeleitet.",
     "editInternalResourceDialogNetworkSettings": "Netzwerkeinstellungen",
     "editInternalResourceDialogAccessPolicy": "Zugriffsrichtlinie",
     "editInternalResourceDialogAddRoles": "Rollen hinzufügen",

messages/en-US.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Configure access for an organization",
     "idpUpdatedDescription": "Identity provider updated successfully",
     "redirectUrl": "Redirect URL",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "About Redirect URL",
     "redirectUrlAboutDescription": "This is the URL to which users will be redirected after authentication. You need to configure this URL in the identity provider's settings.",
     "pangolinAuth": "Auth - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "I agree to the",
         "termsOfService": "terms of service",
         "and": "and",
-        "privacyPolicy": "privacy policy"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Keep me in the loop with news, updates, and new features by email."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Enter confirmation",
     "blueprintViewDetails": "Details",
     "defaultIdentityProvider": "Default Identity Provider",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Network Settings",
     "editInternalResourceDialogAccessPolicy": "Access Policy",
     "editInternalResourceDialogAddRoles": "Add Roles",

messages/es-ES.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Configurar acceso para una organización",
     "idpUpdatedDescription": "Proveedor de identidad actualizado correctamente",
     "redirectUrl": "URL de redirección",
+    "orgIdpRedirectUrls": "Redirigir URL",
     "redirectUrlAbout": "Acerca de la URL de redirección",
     "redirectUrlAboutDescription": "Esta es la URL a la que los usuarios serán redireccionados después de la autenticación. Necesitas configurar esta URL en la configuración del proveedor de identidad.",
     "pangolinAuth": "Autenticación - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Estoy de acuerdo con los",
         "termsOfService": "términos del servicio",
         "and": "y",
-        "privacyPolicy": "política de privacidad"
+        "privacyPolicy": "política de privacidad."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Mantenerme en el bucle con noticias, actualizaciones y nuevas características por correo electrónico."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Ingresar confirmación",
     "blueprintViewDetails": "Detalles",
     "defaultIdentityProvider": "Proveedor de identidad predeterminado",
+    "defaultIdentityProviderDescription": "Cuando se selecciona un proveedor de identidad por defecto, el usuario será redirigido automáticamente al proveedor de autenticación.",
     "editInternalResourceDialogNetworkSettings": "Configuración de red",
     "editInternalResourceDialogAccessPolicy": "Política de acceso",
     "editInternalResourceDialogAddRoles": "Agregar roles",

messages/fr-FR.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Configurer l'accès pour une organisation",
     "idpUpdatedDescription": "Fournisseur d'identité mis à jour avec succès",
     "redirectUrl": "URL de redirection",
+    "orgIdpRedirectUrls": "URL de redirection",
     "redirectUrlAbout": "À propos de l'URL de redirection",
     "redirectUrlAboutDescription": "C'est l'URL vers laquelle les utilisateurs seront redirigés après l'authentification. Vous devez configurer cette URL dans les paramètres du fournisseur d'identité.",
     "pangolinAuth": "Auth - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Je suis d'accord avec",
         "termsOfService": "les conditions d'utilisation",
         "and": "et",
-        "privacyPolicy": "la politique de confidentialité"
+        "privacyPolicy": "politique de confidentialité."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Gardez-moi dans la boucle avec des nouvelles, des mises à jour et de nouvelles fonctionnalités par courriel."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Entrez la confirmation",
     "blueprintViewDetails": "Détails",
     "defaultIdentityProvider": "Fournisseur d'identité par défaut",
+    "defaultIdentityProviderDescription": "Lorsqu'un fournisseur d'identité par défaut est sélectionné, l'utilisateur sera automatiquement redirigé vers le fournisseur pour authentification.",
     "editInternalResourceDialogNetworkSettings": "Paramètres réseau",
     "editInternalResourceDialogAccessPolicy": "Politique d'accès",
     "editInternalResourceDialogAddRoles": "Ajouter des rôles",

messages/it-IT.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Configura l'accesso per un'organizzazione",
     "idpUpdatedDescription": "Provider di identità aggiornato con successo",
     "redirectUrl": "URL di Reindirizzamento",
+    "orgIdpRedirectUrls": "Reindirizza URL",
     "redirectUrlAbout": "Informazioni sull'URL di Reindirizzamento",
     "redirectUrlAboutDescription": "Questo è l'URL a cui gli utenti saranno reindirizzati dopo l'autenticazione. È necessario configurare questo URL nelle impostazioni del provider di identità.",
     "pangolinAuth": "Autenticazione - Pangolina",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Accetto i",
         "termsOfService": "termini di servizio",
         "and": "e",
-        "privacyPolicy": "informativa sulla privacy"
+        "privacyPolicy": "informativa sulla privacy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Tienimi in loop con notizie, aggiornamenti e nuove funzionalità via e-mail."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Inserisci conferma",
     "blueprintViewDetails": "Dettagli",
     "defaultIdentityProvider": "Provider di Identità Predefinito",
+    "defaultIdentityProviderDescription": "Quando viene selezionato un provider di identità predefinito, l'utente verrà automaticamente reindirizzato al provider per l'autenticazione.",
     "editInternalResourceDialogNetworkSettings": "Impostazioni di Rete",
     "editInternalResourceDialogAccessPolicy": "Politica di Accesso",
     "editInternalResourceDialogAddRoles": "Aggiungi Ruoli",

messages/ko-KR.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "조직에 대한 접근을 구성하십시오.",
     "idpUpdatedDescription": "아이덴티티 제공자가 성공적으로 업데이트되었습니다",
     "redirectUrl": "리디렉션 URL",
+    "orgIdpRedirectUrls": "리디렉션 URL",
     "redirectUrlAbout": "리디렉션 URL에 대한 정보",
     "redirectUrlAboutDescription": "사용자가 인증 후 리디렉션될 URL입니다. 이 URL을 신원 제공자 설정에서 구성해야 합니다.",
     "pangolinAuth": "인증 - 판골린",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "동의합니다",
         "termsOfService": "서비스 약관",
         "and": "및",
-        "privacyPolicy": "개인 정보 보호 정책"
+        "privacyPolicy": "개인 정보 보호 정책."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "이메일을 통해 소식, 업데이트 및 새로운 기능을 받아보세요."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "확인 입력",
     "blueprintViewDetails": "세부 정보",
     "defaultIdentityProvider": "기본 아이덴티티 공급자",
+    "defaultIdentityProviderDescription": "기본 ID 공급자가 선택되면, 사용자는 인증을 위해 자동으로 해당 공급자로 리디렉션됩니다.",
     "editInternalResourceDialogNetworkSettings": "네트워크 설정",
     "editInternalResourceDialogAccessPolicy": "액세스 정책",
     "editInternalResourceDialogAddRoles": "역할 추가",

messages/nb-NO.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Konfigurer tilgang for en organisasjon",
     "idpUpdatedDescription": "Identitetsleverandør vellykket oppdatert",
     "redirectUrl": "Omdirigerings-URL",
+    "orgIdpRedirectUrls": "Omadressere URL'er",
     "redirectUrlAbout": "Om omdirigerings-URL",
     "redirectUrlAboutDescription": "Dette er URLen som brukere vil bli omdirigert etter autentisering. Du må konfigurere denne URLen i identitetsleverandørens innstillinger.",
     "pangolinAuth": "Autentisering - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Jeg godtar",
         "termsOfService": "brukervilkårene",
         "and": "og",
-        "privacyPolicy": "personvernerklæringen"
+        "privacyPolicy": "retningslinjer for personvern"
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Hold meg i løken med nyheter, oppdateringer og nye funksjoner via e-post."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Skriv inn bekreftelse",
     "blueprintViewDetails": "Detaljer",
     "defaultIdentityProvider": "Standard identitetsleverandør",
+    "defaultIdentityProviderDescription": "Når en standard identitetsleverandør er valgt, vil brukeren automatisk bli omdirigert til leverandøren for autentisering.",
     "editInternalResourceDialogNetworkSettings": "Nettverksinnstillinger",
     "editInternalResourceDialogAccessPolicy": "Tilgangsregler for tilgang",
     "editInternalResourceDialogAddRoles": "Legg til roller",

messages/nl-NL.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Toegang voor een organisatie configureren",
     "idpUpdatedDescription": "Identity provider succesvol bijgewerkt",
     "redirectUrl": "Omleidings URL",
+    "orgIdpRedirectUrls": "URL's omleiden",
     "redirectUrlAbout": "Over omleidings-URL",
     "redirectUrlAboutDescription": "Dit is de URL waarnaar gebruikers worden doorverwezen na verificatie. U moet deze URL configureren in de instellingen van de identiteitsprovider.",
     "pangolinAuth": "Authenticatie - Pangolin",
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Bevestiging invoeren",
     "blueprintViewDetails": "Details",
     "defaultIdentityProvider": "Standaard Identiteitsprovider",
+    "defaultIdentityProviderDescription": "Wanneer een standaard identity provider is geselecteerd, zal de gebruiker automatisch worden doorgestuurd naar de provider voor authenticatie.",
     "editInternalResourceDialogNetworkSettings": "Netwerkinstellingen",
     "editInternalResourceDialogAccessPolicy": "Toegangsbeleid",
     "editInternalResourceDialogAddRoles": "Rollen toevoegen",

messages/pl-PL.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Skonfiguruj dostęp dla organizacji",
     "idpUpdatedDescription": "Dostawca tożsamości został pomyślnie zaktualizowany",
     "redirectUrl": "URL przekierowania",
+    "orgIdpRedirectUrls": "Przekieruj adresy URL",
     "redirectUrlAbout": "O URL przekierowania",
     "redirectUrlAboutDescription": "Jest to adres URL, na który użytkownicy zostaną przekierowani po uwierzytelnieniu. Musisz skonfigurować ten adres URL w ustawieniach dostawcy tożsamości.",
     "pangolinAuth": "Autoryzacja - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Zgadzam się z",
         "termsOfService": "warunkami usługi",
         "and": "oraz",
-        "privacyPolicy": "polityką prywatności"
+        "privacyPolicy": "polityka prywatności."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Zachowaj mnie w pętli z wiadomościami, aktualizacjami i nowymi funkcjami przez e-mail."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Wprowadź potwierdzenie",
     "blueprintViewDetails": "Szczegóły",
     "defaultIdentityProvider": "Domyślny dostawca tożsamości",
+    "defaultIdentityProviderDescription": "Gdy zostanie wybrany domyślny dostawca tożsamości, użytkownik zostanie automatycznie przekierowany do dostawcy w celu uwierzytelnienia.",
     "editInternalResourceDialogNetworkSettings": "Ustawienia sieci",
     "editInternalResourceDialogAccessPolicy": "Polityka dostępowa",
     "editInternalResourceDialogAddRoles": "Dodaj role",

messages/pt-PT.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Configurar acesso para uma organização",
     "idpUpdatedDescription": "Provedor de identidade atualizado com sucesso",
     "redirectUrl": "URL de Redirecionamento",
+    "orgIdpRedirectUrls": "Redirecionar URLs",
     "redirectUrlAbout": "Sobre o URL de Redirecionamento",
     "redirectUrlAboutDescription": "Essa é a URL para a qual os usuários serão redirecionados após a autenticação. Você precisa configurar esta URL nas configurações do provedor de identidade.",
     "pangolinAuth": "Autenticação - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Concordo com",
         "termsOfService": "os termos de serviço",
         "and": "e",
-        "privacyPolicy": "política de privacidade"
+        "privacyPolicy": "política de privacidade."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Mantenha-me à disposição com notícias, atualizações e novos recursos por e-mail."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Inserir confirmação",
     "blueprintViewDetails": "Detalhes",
     "defaultIdentityProvider": "Provedor de Identidade Padrão",
+    "defaultIdentityProviderDescription": "Quando um provedor de identidade padrão for selecionado, o usuário será automaticamente redirecionado para o provedor de autenticação.",
     "editInternalResourceDialogNetworkSettings": "Configurações de Rede",
     "editInternalResourceDialogAccessPolicy": "Política de Acesso",
     "editInternalResourceDialogAddRoles": "Adicionar Funções",

messages/ru-RU.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Настроить доступ для организации",
     "idpUpdatedDescription": "Поставщик удостоверений успешно обновлён",
     "redirectUrl": "URL редиректа",
+    "orgIdpRedirectUrls": "Перенаправление URL",
     "redirectUrlAbout": "О редиректе URL",
     "redirectUrlAboutDescription": "Это URL, на который пользователи будут перенаправлены после аутентификации. Вам нужно настроить этот URL в настройках провайдера.",
     "pangolinAuth": "Аутентификация - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Я согласен с",
         "termsOfService": "условия использования",
         "and": "и",
-        "privacyPolicy": "политика конфиденциальности"
+        "privacyPolicy": "политика конфиденциальности."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Держите меня в цикле с новостями, обновлениями и новыми функциями по электронной почте."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Введите подтверждение",
     "blueprintViewDetails": "Подробности",
     "defaultIdentityProvider": "Поставщик удостоверений по умолчанию",
+    "defaultIdentityProviderDescription": "Когда выбран поставщик идентификации по умолчанию, пользователь будет автоматически перенаправлен на провайдер для аутентификации.",
     "editInternalResourceDialogNetworkSettings": "Настройки сети",
     "editInternalResourceDialogAccessPolicy": "Политика доступа",
     "editInternalResourceDialogAddRoles": "Добавить роли",

messages/tr-TR.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Bir kuruluş için erişimi yapılandırın",
     "idpUpdatedDescription": "Kimlik sağlayıcı başarıyla güncellendi",
     "redirectUrl": "Yönlendirme URL'si",
+    "orgIdpRedirectUrls": "Yönlendirme URL'leri",
     "redirectUrlAbout": "Yönlendirme URL'si Hakkında",
     "redirectUrlAboutDescription": "Bu, kimlik doğrulamasından sonra kullanıcıların yönlendirileceği URL'dir. Bu URL'yi kimlik sağlayıcınızın ayarlarında yapılandırmanız gerekir.",
     "pangolinAuth": "Yetkilendirme - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Kabul ediyorum",
         "termsOfService": "hizmet şartları",
         "and": "ve",
-        "privacyPolicy": "gizlilik politikası"
+        "privacyPolicy": "gizlilik politikası."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Bana e-posta yoluyla haberler, güncellemeler ve yeni özellikler hakkında bilgi verin."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Onayı girin",
     "blueprintViewDetails": "Detaylar",
     "defaultIdentityProvider": "Varsayılan Kimlik Sağlayıcı",
+    "defaultIdentityProviderDescription": "Varsayılan bir kimlik sağlayıcı seçildiğinde, kullanıcı kimlik doğrulaması için otomatik olarak sağlayıcıya yönlendirilecektir.",
     "editInternalResourceDialogNetworkSettings": "Ağ Ayarları",
     "editInternalResourceDialogAccessPolicy": "Erişim Politikası",
     "editInternalResourceDialogAddRoles": "Roller Ekle",

messages/zh-CN.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "配置组织访问权限",
     "idpUpdatedDescription": "身份提供商更新成功",
     "redirectUrl": "重定向网址",
+    "orgIdpRedirectUrls": "重定向URL",
     "redirectUrlAbout": "关于重定向网址",
     "redirectUrlAboutDescription": "这是用户在验证后将被重定向到的URL。您需要在身份提供者的设置中配置此URL。",
     "pangolinAuth": "认证 - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "我同意",
         "termsOfService": "服务条款",
         "and": "和",
-        "privacyPolicy": "隐私政策"
+        "privacyPolicy": "隐私政策。"
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "通过电子邮件让我在循环中保持新闻、更新和新功能。"
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "输入确认",
     "blueprintViewDetails": "详细信息",
     "defaultIdentityProvider": "默认身份提供商",
+    "defaultIdentityProviderDescription": "当选择默认身份提供商时，用户将自动重定向到提供商进行身份验证。",
     "editInternalResourceDialogNetworkSettings": "网络设置",
     "editInternalResourceDialogAccessPolicy": "访问策略",
     "editInternalResourceDialogAddRoles": "添加角色",

server/db/pg/schema/schema.ts

@@ -134,13 +134,15 @@ export const resources = pgTable("resources", {
     proxyProtocol: boolean("proxyProtocol").notNull().default(false),
     proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
 
-    maintenanceModeEnabled: boolean("maintenanceModeEnabled").notNull().default(false),
+    maintenanceModeEnabled: boolean("maintenanceModeEnabled")
+        .notNull()
+        .default(false),
     maintenanceModeType: text("maintenanceModeType", {
         enum: ["forced", "automatic"]
     }).default("forced"), // "forced" = always show, "automatic" = only when down
     maintenanceTitle: text("maintenanceTitle"),
     maintenanceMessage: text("maintenanceMessage"),
-    maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
+    maintenanceEstimatedTime: text("maintenanceEstimatedTime")
 });
 
 export const targets = pgTable("targets", {
@@ -223,8 +225,8 @@ export const siteResources = pgTable("siteResources", {
     enabled: boolean("enabled").notNull().default(true),
     alias: varchar("alias"),
     aliasAddress: varchar("aliasAddress"),
-    tcpPortRangeString: varchar("tcpPortRangeString"),
-    udpPortRangeString: varchar("udpPortRangeString"),
+    tcpPortRangeString: varchar("tcpPortRangeString").notNull().default("*"),
+    udpPortRangeString: varchar("udpPortRangeString").notNull().default("*"),
     disableIcmp: boolean("disableIcmp").notNull().default(false)
 });
 
@@ -464,13 +466,22 @@ export const resourceHeaderAuth = pgTable("resourceHeaderAuth", {
     headerAuthHash: varchar("headerAuthHash").notNull()
 });
 
-export const resourceHeaderAuthExtendedCompatibility = pgTable("resourceHeaderAuthExtendedCompatibility", {
-    headerAuthExtendedCompatibilityId: serial("headerAuthExtendedCompatibilityId").primaryKey(),
+export const resourceHeaderAuthExtendedCompatibility = pgTable(
+    "resourceHeaderAuthExtendedCompatibility",
+    {
+        headerAuthExtendedCompatibilityId: serial(
+            "headerAuthExtendedCompatibilityId"
+        ).primaryKey(),
         resourceId: integer("resourceId")
             .notNull()
             .references(() => resources.resourceId, { onDelete: "cascade" }),
-    extendedCompatibilityIsActivated: boolean("extendedCompatibilityIsActivated").notNull().default(true),
-});
+        extendedCompatibilityIsActivated: boolean(
+            "extendedCompatibilityIsActivated"
+        )
+            .notNull()
+            .default(true)
+    }
+);
 
 export const resourceAccessToken = pgTable("resourceAccessToken", {
     accessTokenId: varchar("accessTokenId").primaryKey(),
@@ -872,7 +883,9 @@ export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
 export type ResourceHeaderAuth = InferSelectModel<typeof resourceHeaderAuth>;
-export type ResourceHeaderAuthExtendedCompatibility = InferSelectModel<typeof resourceHeaderAuthExtendedCompatibility>;
+export type ResourceHeaderAuthExtendedCompatibility = InferSelectModel<
+    typeof resourceHeaderAuthExtendedCompatibility
+>;
 export type ResourceOtp = InferSelectModel<typeof resourceOtp>;
 export type ResourceAccessToken = InferSelectModel<typeof resourceAccessToken>;
 export type ResourceWhitelist = InferSelectModel<typeof resourceWhitelist>;

server/db/queries/verifySessionQueries.ts

@@ -1,6 +1,4 @@
-import {
-    db, loginPage, LoginPage, loginPageOrg, Org, orgs,
-} from "@server/db";
+import { db, loginPage, LoginPage, loginPageOrg, Org, orgs } from "@server/db";
 import {
     Resource,
     ResourcePassword,
@@ -27,7 +25,7 @@ export type ResourceWithAuth = {
     pincode: ResourcePincode | null;
     password: ResourcePassword | null;
     headerAuth: ResourceHeaderAuth | null;
-    headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null
+    headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
     org: Org;
 };
 
@@ -59,12 +57,12 @@ export async function getResourceByDomain(
         )
         .leftJoin(
             resourceHeaderAuthExtendedCompatibility,
-            eq(resourceHeaderAuthExtendedCompatibility.resourceId, resources.resourceId)
+            eq(
+                resourceHeaderAuthExtendedCompatibility.resourceId,
+                resources.resourceId
             )
-        .innerJoin(
-            orgs,
-            eq(orgs.orgId, resources.orgId)
         )
+        .innerJoin(orgs, eq(orgs.orgId, resources.orgId))
         .where(eq(resources.fullDomain, domain))
         .limit(1);
 
@@ -77,7 +75,8 @@ export async function getResourceByDomain(
         pincode: result.resourcePincode,
         password: result.resourcePassword,
         headerAuth: result.resourceHeaderAuth,
-        headerAuthExtendedCompatibility: result.resourceHeaderAuthExtendedCompatibility,
+        headerAuthExtendedCompatibility:
+            result.resourceHeaderAuthExtendedCompatibility,
         org: result.orgs
     };
 }

server/db/sqlite/schema/schema.ts

@@ -147,10 +147,14 @@ export const resources = sqliteTable("resources", {
         onDelete: "set null"
     }),
     headers: text("headers"), // comma-separated list of headers to add to the request
-    proxyProtocol: integer("proxyProtocol", { mode: "boolean" }).notNull().default(false),
+    proxyProtocol: integer("proxyProtocol", { mode: "boolean" })
+        .notNull()
+        .default(false),
     proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
 
-    maintenanceModeEnabled: integer("maintenanceModeEnabled", { mode: "boolean" })
+    maintenanceModeEnabled: integer("maintenanceModeEnabled", {
+        mode: "boolean"
+    })
         .notNull()
         .default(false),
     maintenanceModeType: text("maintenanceModeType", {
@@ -158,8 +162,7 @@ export const resources = sqliteTable("resources", {
     }).default("forced"), // "forced" = always show, "automatic" = only when down
     maintenanceTitle: text("maintenanceTitle"),
     maintenanceMessage: text("maintenanceMessage"),
-    maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
-
+    maintenanceEstimatedTime: text("maintenanceEstimatedTime")
 });
 
 export const targets = sqliteTable("targets", {
@@ -250,9 +253,9 @@ export const siteResources = sqliteTable("siteResources", {
     enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
     alias: text("alias"),
     aliasAddress: text("aliasAddress"),
-    tcpPortRangeString: text("tcpPortRangeString"),
-    udpPortRangeString: text("udpPortRangeString"),
-    disableIcmp: integer("disableIcmp", { mode: "boolean" })
+    tcpPortRangeString: text("tcpPortRangeString").notNull().default("*"),
+    udpPortRangeString: text("udpPortRangeString").notNull().default("*"),
+    disableIcmp: integer("disableIcmp", { mode: "boolean" }).notNull().default(false)
 });
 
 export const clientSiteResources = sqliteTable("clientSiteResources", {
@@ -637,15 +640,25 @@ export const resourceHeaderAuth = sqliteTable("resourceHeaderAuth", {
     headerAuthHash: text("headerAuthHash").notNull()
 });
 
-export const resourceHeaderAuthExtendedCompatibility = sqliteTable("resourceHeaderAuthExtendedCompatibility", {
-    headerAuthExtendedCompatibilityId: integer("headerAuthExtendedCompatibilityId").primaryKey({
+export const resourceHeaderAuthExtendedCompatibility = sqliteTable(
+    "resourceHeaderAuthExtendedCompatibility",
+    {
+        headerAuthExtendedCompatibilityId: integer(
+            "headerAuthExtendedCompatibilityId"
+        ).primaryKey({
             autoIncrement: true
         }),
         resourceId: integer("resourceId")
             .notNull()
             .references(() => resources.resourceId, { onDelete: "cascade" }),
-    extendedCompatibilityIsActivated: integer("extendedCompatibilityIsActivated", {mode: "boolean"}).notNull().default(true)
-});
+        extendedCompatibilityIsActivated: integer(
+            "extendedCompatibilityIsActivated",
+            { mode: "boolean" }
+        )
+            .notNull()
+            .default(true)
+    }
+);
 
 export const resourceAccessToken = sqliteTable("resourceAccessToken", {
     accessTokenId: text("accessTokenId").primaryKey(),
@@ -932,7 +945,9 @@ export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
 export type ResourceHeaderAuth = InferSelectModel<typeof resourceHeaderAuth>;
-export type ResourceHeaderAuthExtendedCompatibility = InferSelectModel<typeof resourceHeaderAuthExtendedCompatibility>;
+export type ResourceHeaderAuthExtendedCompatibility = InferSelectModel<
+    typeof resourceHeaderAuthExtendedCompatibility
+>;
 export type ResourceOtp = InferSelectModel<typeof resourceOtp>;
 export type ResourceAccessToken = InferSelectModel<typeof resourceAccessToken>;
 export type ResourceWhitelist = InferSelectModel<typeof resourceWhitelist>;

server/lib/blueprints/MaintenanceSchema.ts

@@ -0,0 +1,3 @@
+import { z } from "zod";
+
+export const MaintenanceSchema = z.object({});

server/lib/blueprints/applyBlueprint.ts

@@ -1,4 +1,14 @@
-import { db, newts, blueprints, Blueprint, Site, siteResources, roleSiteResources, userSiteResources, clientSiteResources } from "@server/db";
+import {
+    db,
+    newts,
+    blueprints,
+    Blueprint,
+    Site,
+    siteResources,
+    roleSiteResources,
+    userSiteResources,
+    clientSiteResources
+} from "@server/db";
 import { Config, ConfigSchema } from "./types";
 import { ProxyResourcesResults, updateProxyResources } from "./proxyResources";
 import { fromError } from "zod-validation-error";
@@ -134,7 +144,8 @@ export async function applyBlueprint({
                                 userSiteResources.siteResourceId,
                                 result.oldSiteResource.siteResourceId
                             )
-                        ).then((rows) => rows.map((row) => row.userId));
+                        )
+                        .then((rows) => rows.map((row) => row.userId));
 
                     const existingClientIds = await trx
                         .select()
@@ -144,13 +155,19 @@ export async function applyBlueprint({
                                 clientSiteResources.siteResourceId,
                                 result.oldSiteResource.siteResourceId
                             )
-                        ).then((rows) => rows.map((row) => row.clientId));
+                        )
+                        .then((rows) => rows.map((row) => row.clientId));
 
                     // delete the existing site resource
                     await trx
                         .delete(siteResources)
                         .where(
-                            and(eq(siteResources.siteResourceId, result.oldSiteResource.siteResourceId))
+                            and(
+                                eq(
+                                    siteResources.siteResourceId,
+                                    result.oldSiteResource.siteResourceId
+                                )
+                            )
                         );
 
                     await rebuildClientAssociationsFromSiteResource(
@@ -161,7 +178,7 @@ export async function applyBlueprint({
                     const [insertedSiteResource] = await trx
                         .insert(siteResources)
                         .values({
-                            ...result.newSiteResource,
+                            ...result.newSiteResource
                         })
                         .returning();
 
@@ -174,7 +191,8 @@ export async function applyBlueprint({
                         await trx.insert(roleSiteResources).values(
                             existingRoleIds.map((roleId) => ({
                                 roleId,
-                                siteResourceId: insertedSiteResource!.siteResourceId
+                                siteResourceId:
+                                    insertedSiteResource!.siteResourceId
                             }))
                         );
                     }
@@ -183,7 +201,8 @@ export async function applyBlueprint({
                         await trx.insert(userSiteResources).values(
                             existingUserIds.map((userId) => ({
                                 userId,
-                                siteResourceId: insertedSiteResource!.siteResourceId
+                                siteResourceId:
+                                    insertedSiteResource!.siteResourceId
                             }))
                         );
                     }
@@ -192,7 +211,8 @@ export async function applyBlueprint({
                         await trx.insert(clientSiteResources).values(
                             existingClientIds.map((clientId) => ({
                                 clientId,
-                                siteResourceId: insertedSiteResource!.siteResourceId
+                                siteResourceId:
+                                    insertedSiteResource!.siteResourceId
                             }))
                         );
                     }
@@ -201,7 +221,6 @@ export async function applyBlueprint({
                         insertedSiteResource,
                         trx
                     );
-
                 } else {
                     const [newSite] = await trx
                         .select()

server/lib/blueprints/proxyResources.ts

@@ -2,7 +2,8 @@ import {
     domains,
     orgDomains,
     Resource,
-    resourceHeaderAuth, resourceHeaderAuthExtendedCompatibility,
+    resourceHeaderAuth,
+    resourceHeaderAuthExtendedCompatibility,
     resourcePincode,
     resourceRules,
     resourceWhitelist,
@@ -30,7 +31,8 @@ import {pickPort} from "@server/routers/target/helpers";
 import { resourcePassword } from "@server/db";
 import { hashPassword } from "@server/auth/password";
 import { isValidCIDR, isValidIP, isValidUrlGlobPattern } from "../validators";
-import {get} from "http";
+import { isLicensedOrSubscribed } from "../isLicencedOrSubscribed";
+import { build } from "@server/build";
 
 export type ProxyResourcesResults = {
     proxyResource: Resource;
@@ -209,6 +211,16 @@ export async function updateProxyResources(
                 resource = existingResource;
             } else {
                 // Update existing resource
+
+                const isLicensed = await isLicensedOrSubscribed(orgId);
+                if (build == "enterprise" && !isLicensed) {
+                    logger.warn(
+                        "Server is not licensed! Clearing set maintenance screen values"
+                    );
+                    // null the maintenance mode fields if not licensed
+                    resourceData.maintenance = undefined;
+                }
+
                 [resource] = await trx
                     .update(resources)
                     .set({
@@ -233,7 +245,14 @@ export async function updateProxyResources(
                             : false,
                         headers: headers || null,
                         applyRules:
-                            resourceData.rules && resourceData.rules.length > 0
+                            resourceData.rules && resourceData.rules.length > 0,
+                        maintenanceModeEnabled:
+                            resourceData.maintenance?.enabled,
+                        maintenanceModeType: resourceData.maintenance?.type,
+                        maintenanceTitle: resourceData.maintenance?.title,
+                        maintenanceMessage: resourceData.maintenance?.message,
+                        maintenanceEstimatedTime:
+                            resourceData.maintenance?.["estimated-time"]
                     })
                     .where(
                         eq(resources.resourceId, existingResource.resourceId)
@@ -303,8 +322,13 @@ export async function updateProxyResources(
                     const headerAuthPassword =
                         resourceData.auth?.["basic-auth"]?.password;
                     const headerAuthExtendedCompatibility =
-                        resourceData.auth?.["basic-auth"]?.extendedCompatibility;
-                    if (headerAuthUser && headerAuthPassword && headerAuthExtendedCompatibility !== null) {
+                        resourceData.auth?.["basic-auth"]
+                            ?.extendedCompatibility;
+                    if (
+                        headerAuthUser &&
+                        headerAuthPassword &&
+                        headerAuthExtendedCompatibility !== null
+                    ) {
                         const headerAuthHash = await hashPassword(
                             Buffer.from(
                                 `${headerAuthUser}:${headerAuthPassword}`
@@ -315,9 +339,12 @@ export async function updateProxyResources(
                                 resourceId: existingResource.resourceId,
                                 headerAuthHash
                             }),
-                            trx.insert(resourceHeaderAuthExtendedCompatibility).values({
+                            trx
+                                .insert(resourceHeaderAuthExtendedCompatibility)
+                                .values({
                                     resourceId: existingResource.resourceId,
-                                extendedCompatibilityIsActivated: headerAuthExtendedCompatibility
+                                    extendedCompatibilityIsActivated:
+                                        headerAuthExtendedCompatibility
                                 })
                         ]);
                     }
@@ -622,6 +649,15 @@ export async function updateProxyResources(
                 );
             }
 
+            const isLicensed = await isLicensedOrSubscribed(orgId);
+            if (build == "enterprise" && !isLicensed) {
+                logger.warn(
+                    "Server is not licensed! Clearing set maintenance screen values"
+                );
+                // null the maintenance mode fields if not licensed
+                resourceData.maintenance = undefined;
+            }
+
             // Create new resource
             const [newResource] = await trx
                 .insert(resources)
@@ -643,7 +679,13 @@ export async function updateProxyResources(
                     ssl: resourceSsl,
                     headers: headers || null,
                     applyRules:
-                        resourceData.rules && resourceData.rules.length > 0
+                        resourceData.rules && resourceData.rules.length > 0,
+                    maintenanceModeEnabled: resourceData.maintenance?.enabled,
+                    maintenanceModeType: resourceData.maintenance?.type,
+                    maintenanceTitle: resourceData.maintenance?.title,
+                    maintenanceMessage: resourceData.maintenance?.message,
+                    maintenanceEstimatedTime:
+                        resourceData.maintenance?.["estimated-time"]
                 })
                 .returning();
 
@@ -674,9 +716,14 @@ export async function updateProxyResources(
                 const headerAuthUser = resourceData.auth?.["basic-auth"]?.user;
                 const headerAuthPassword =
                     resourceData.auth?.["basic-auth"]?.password;
-                const headerAuthExtendedCompatibility = resourceData.auth?.["basic-auth"]?.extendedCompatibility;
+                const headerAuthExtendedCompatibility =
+                    resourceData.auth?.["basic-auth"]?.extendedCompatibility;
 
-                if (headerAuthUser && headerAuthPassword && headerAuthExtendedCompatibility !== null) {
+                if (
+                    headerAuthUser &&
+                    headerAuthPassword &&
+                    headerAuthExtendedCompatibility !== null
+                ) {
                     const headerAuthHash = await hashPassword(
                         Buffer.from(
                             `${headerAuthUser}:${headerAuthPassword}`
@@ -688,10 +735,13 @@ export async function updateProxyResources(
                             resourceId: newResource.resourceId,
                             headerAuthHash
                         }),
-                        trx.insert(resourceHeaderAuthExtendedCompatibility).values({
+                        trx
+                            .insert(resourceHeaderAuthExtendedCompatibility)
+                            .values({
                                 resourceId: newResource.resourceId,
-                            extendedCompatibilityIsActivated: headerAuthExtendedCompatibility
-                        }),
+                                extendedCompatibilityIsActivated:
+                                    headerAuthExtendedCompatibility
+                            })
                     ]);
                 }
             }

server/lib/blueprints/types.ts

@@ -1,5 +1,6 @@
 import { z } from "zod";
 import { portRangeStringSchema } from "@server/lib/ip";
+import { MaintenanceSchema } from "#dynamic/lib/blueprints/MaintenanceSchema";
 
 export const SiteSchema = z.object({
     name: z.string().min(1).max(100),
@@ -53,11 +54,13 @@ export const AuthSchema = z.object({
     // pincode has to have 6 digits
     pincode: z.number().min(100000).max(999999).optional(),
     password: z.string().min(1).optional(),
-    "basic-auth": z.object({
+    "basic-auth": z
+        .object({
             user: z.string().min(1),
             password: z.string().min(1),
             extendedCompatibility: z.boolean().default(true)
-    }).optional(),
+        })
+        .optional(),
     "sso-enabled": z.boolean().optional().default(false),
     "sso-roles": z
         .array(z.string())
@@ -108,32 +111,30 @@ export const RuleSchema = z
     .refine(
         (rule) => {
             if (rule.match === "country") {
-                // Check if it's a valid 2-letter country code
-                return /^[A-Z]{2}$/.test(rule.value);
+                // Check if it's a valid 2-letter country code or "ALL"
+                return /^[A-Z]{2}$/.test(rule.value) || rule.value === "ALL";
             }
             return true;
         },
         {
             path: ["value"],
             message:
-                "Value must be a 2-letter country code when match is 'country'"
+                "Value must be a 2-letter country code or 'ALL' when match is 'country'"
         }
     )
     .refine(
         (rule) => {
             if (rule.match === "asn") {
-                // Check if it's either AS<number> format or just a number
+                // Check if it's either AS<number> format or "ALL"
                 const asNumberPattern = /^AS\d+$/i;
-                const isASFormat = asNumberPattern.test(rule.value);
-                const isNumeric = /^\d+$/.test(rule.value);
-                return isASFormat || isNumeric;
+                return asNumberPattern.test(rule.value) || rule.value === "ALL";
             }
             return true;
         },
         {
             path: ["value"],
             message:
-                "Value must be either 'AS<number>' format or a number when match is 'asn'"
+                "Value must be 'AS<number>' format or 'ALL' when match is 'asn'"
         }
     );
 
@@ -156,7 +157,8 @@ export const ResourceSchema = z
         "host-header": z.string().optional(),
         "tls-server-name": z.string().optional(),
         headers: z.array(HeaderSchema).optional(),
-        rules: z.array(RuleSchema).optional()
+        rules: z.array(RuleSchema).optional(),
+        maintenance: MaintenanceSchema.optional()
     })
     .refine(
         (resource) => {

server/lib/config.ts

@@ -84,6 +84,10 @@ export class Config {
             ?.disable_basic_wireguard_sites
             ? "true"
             : "false";
+        process.env.FLAGS_DISABLE_PRODUCT_HELP_BANNERS = parsedConfig.flags
+            ?.disable_product_help_banners
+            ? "true"
+            : "false";
 
         process.env.PRODUCT_UPDATES_NOTIFICATION_ENABLED = parsedConfig.app
             .notifications.product_updates

server/lib/ip.ts

@@ -4,6 +4,7 @@ import { and, eq, isNotNull } from "drizzle-orm";
 import config from "@server/lib/config";
 import z from "zod";
 import logger from "@server/logger";
+import semver from "semver";
 
 interface IPRange {
     start: bigint;
@@ -318,10 +319,7 @@ export function doCidrsOverlap(cidr1: string, cidr2: string): boolean {
     const range2 = cidrToRange(cidr2);
 
     // Overlap if the ranges intersect
-    return (
-        range1.start <= range2.end &&
-        range2.start <= range1.end
-    );
+    return range1.start <= range2.end && range2.start <= range1.end;
 }
 
 export async function getNextAvailableClientSubnet(
@@ -686,3 +684,35 @@ export function parsePortRangeString(
 
     return result;
 }
+
+export function stripPortFromHost(ip: string, badgerVersion?: string): string {
+    const isNewerBadger =
+        badgerVersion &&
+        semver.valid(badgerVersion) &&
+        semver.gte(badgerVersion, "1.3.1");
+
+    if (isNewerBadger) {
+        return ip;
+    }
+
+    if (ip.startsWith("[") && ip.includes("]")) {
+        // if brackets are found, extract the IPv6 address from between the brackets
+        const ipv6Match = ip.match(/\[(.*?)\]/);
+        if (ipv6Match) {
+            return ipv6Match[1];
+        }
+    }
+
+    // Check if it looks like IPv4 (contains dots and matches IPv4 pattern)
+    // IPv4 format: x.x.x.x where x is 0-255
+    const ipv4Pattern = /^(\d{1,3}\.){3}\d{1,3}/;
+    if (ipv4Pattern.test(ip)) {
+        const lastColonIndex = ip.lastIndexOf(":");
+        if (lastColonIndex !== -1) {
+            return ip.substring(0, lastColonIndex);
+        }
+    }
+
+    // Return as is
+    return ip;
+}

server/lib/readConfigFile.ts

@@ -216,7 +216,10 @@ export const configSchema = z
                     .default(["newt", "wireguard", "local"]),
                 allow_raw_resources: z.boolean().optional().default(true),
                 file_mode: z.boolean().optional().default(false),
-                pp_transport_prefix: z.string().optional().default("pp-transport-v")
+                pp_transport_prefix: z
+                    .string()
+                    .optional()
+                    .default("pp-transport-v")
             })
             .optional()
             .prefault({}),
@@ -327,7 +330,8 @@ export const configSchema = z
                 enable_integration_api: z.boolean().optional(),
                 disable_local_sites: z.boolean().optional(),
                 disable_basic_wireguard_sites: z.boolean().optional(),
-                disable_config_managed_domains: z.boolean().optional()
+                disable_config_managed_domains: z.boolean().optional(),
+                disable_product_help_banners: z.boolean().optional()
             })
             .optional(),
         dns: z

server/lib/traefik/getTraefikConfig.ts

@@ -41,9 +41,10 @@ type TargetWithSite = Target & {
 export async function getTraefikConfig(
     exitNodeId: number,
     siteTypes: string[],
-    filterOutNamespaceDomains = false,
-    generateLoginPageRouters = false,
-    allowRawResources = true
+    filterOutNamespaceDomains = false, // UNUSED BUT USED IN PRIVATE
+    generateLoginPageRouters = false, // UNUSED BUT USED IN PRIVATE
+    allowRawResources = true,
+    allowMaintenancePage = true, // UNUSED BUT USED IN PRIVATE
 ): Promise<any> {
     // Get resources with their targets and sites in a single optimized query
     // Start from sites on this exit node, then join to targets and resources
@@ -475,9 +476,9 @@ export async function getTraefikConfig(
                         // RECEIVE BANDWIDTH ENDPOINT.
 
                         // TODO: HOW TO HANDLE ^^^^^^ BETTER
-                        const anySitesOnline = (
-                            targets
-                        ).some((target) => target.site.online);
+                        const anySitesOnline = targets.some(
+                            (target) => target.site.online
+                        );
 
                         return (
                             targets
@@ -603,9 +604,9 @@ export async function getTraefikConfig(
                 loadBalancer: {
                     servers: (() => {
                         // Check if any sites are online
-                        const anySitesOnline = (
-                            targets
-                        ).some((target) => target.site.online);
+                        const anySitesOnline = targets.some(
+                            (target) => target.site.online
+                        );
 
                         return targets
                             .filter((target) => {

server/private/lib/blueprints/MaintenanceSchema.ts

@@ -0,0 +1,22 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { z } from "zod";
+
+export const MaintenanceSchema = z.object({
+    enabled: z.boolean().optional(),
+    type: z.enum(["forced", "automatic"]).optional(),
+    title: z.string().max(255).nullable().optional(),
+    message: z.string().max(2000).nullable().optional(),
+    "estimated-time": z.string().max(100).nullable().optional()
+});

server/private/lib/checkOrgAccessPolicy.ts

@@ -23,10 +23,10 @@ import {
 } from "@server/lib/checkOrgAccessPolicy";
 import { UserType } from "@server/types/UserTypes";
 
-export async function enforceResourceSessionLength(
+export function enforceResourceSessionLength(
     resourceSession: ResourceSession,
     org: Org
-): Promise<{ valid: boolean; error?: string }> {
+): { valid: boolean; error?: string } {
     if (org.maxSessionLengthHours) {
         const sessionIssuedAt = resourceSession.issuedAt; // may be null
         const maxSessionLengthHours = org.maxSessionLengthHours;

server/private/lib/logAccessAudit.ts

@@ -17,6 +17,7 @@ import logger from "@server/logger";
 import { and, eq, lt } from "drizzle-orm";
 import cache from "@server/lib/cache";
 import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
+import { stripPortFromHost } from "@server/lib/ip";
 
 async function getAccessDays(orgId: string): Promise<number> {
     // check cache first
@@ -116,19 +117,7 @@ export async function logAccessAudit(data: {
         }
 
         const clientIp = data.requestIp
-            ? (() => {
-                  if (
-                      data.requestIp.startsWith("[") &&
-                      data.requestIp.includes("]")
-                  ) {
-                      // if brackets are found, extract the IPv6 address from between the brackets
-                      const ipv6Match = data.requestIp.match(/\[(.*?)\]/);
-                      if (ipv6Match) {
-                          return ipv6Match[1];
-                      }
-                  }
-                  return data.requestIp;
-              })()
+            ? stripPortFromHost(data.requestIp)
             : undefined;
 
         const countryCode = data.requestIp

server/private/lib/traefik/getTraefikConfig.ts

@@ -71,9 +71,9 @@ export async function getTraefikConfig(
     siteTypes: string[],
     filterOutNamespaceDomains = false,
     generateLoginPageRouters = false,
-    allowRawResources = true
+    allowRawResources = true,
+    allowMaintenancePage = true
 ): Promise<any> {
-
     // Get resources with their targets and sites in a single optimized query
     // Start from sites on this exit node, then join to targets and resources
     const resourcesWithTargetsAndSites = await db
@@ -358,18 +358,6 @@ export async function getTraefikConfig(
                 }
             }
 
-            if (resource.ssl) {
-                config_output.http.routers![routerName + "-redirect"] = {
-                    entryPoints: [
-                        config.getRawConfig().traefik.http_entrypoint
-                    ],
-                    middlewares: [redirectHttpsMiddlewareName],
-                    service: serviceName,
-                    rule: rule,
-                    priority: priority
-                };
-            }
-
             let tls = {};
             if (!privateConfig.getRawPrivateConfig().flags.use_pangolin_dns) {
                 const domainParts = fullDomain.split(".");
@@ -435,8 +423,19 @@ export async function getTraefikConfig(
                 }
             }
 
-            const availableServers = targets.filter(
-                (target) => {
+            if (resource.ssl) {
+                config_output.http.routers![routerName + "-redirect"] = {
+                    entryPoints: [
+                        config.getRawConfig().traefik.http_entrypoint
+                    ],
+                    middlewares: [redirectHttpsMiddlewareName],
+                    service: serviceName,
+                    rule: rule,
+                    priority: priority
+                };
+            }
+
+            const availableServers = targets.filter((target) => {
                 if (!target.enabled) return false;
 
                 if (!target.site.online) return false;
@@ -444,8 +443,7 @@ export async function getTraefikConfig(
                 if (target.health == "unhealthy") return false;
 
                 return true;
-                }
-            );
+            });
 
             const hasHealthyServers = availableServers.length > 0;
 
@@ -466,7 +464,7 @@ export async function getTraefikConfig(
                 }
             }
 
-            if (showMaintenancePage) {
+            if (showMaintenancePage && allowMaintenancePage) {
                 const maintenanceServiceName = `${key}-maintenance-service`;
                 const maintenanceRouterName = `${key}-maintenance-router`;
                 const rewriteMiddlewareName = `${key}-maintenance-rewrite`;
@@ -794,9 +792,9 @@ export async function getTraefikConfig(
                 loadBalancer: {
                     servers: (() => {
                         // Check if any sites are online
-                        const anySitesOnline = (
-                            targets
-                        ).some((target) => target.site.online);
+                        const anySitesOnline = targets.some(
+                            (target) => target.site.online
+                        );
 
                         return targets
                             .filter((target) => {

server/private/routers/hybrid.ts

@@ -40,6 +40,7 @@ import {
     ResourceHeaderAuthExtendedCompatibility,
     orgs,
     requestAuditLog,
+    Org
 } from "@server/db";
 import {
     resources,
@@ -79,6 +80,7 @@ import { maxmindLookup } from "@server/db/maxmind";
 import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToken";
 import semver from "semver";
 import { maxmindAsnLookup } from "@server/db/maxmindAsn";
+import { checkOrgAccessPolicy } from "@server/lib/checkOrgAccessPolicy";
 
 // Zod schemas for request validation
 const getResourceByDomainParamsSchema = z.strictObject({
@@ -94,6 +96,12 @@ const getUserOrgRoleParamsSchema = z.strictObject({
     orgId: z.string().min(1, "Organization ID is required")
 });
 
+const getUserOrgSessionVerifySchema = z.strictObject({
+    userId: z.string().min(1, "User ID is required"),
+    orgId: z.string().min(1, "Organization ID is required"),
+    sessionId: z.string().min(1, "Session ID is required")
+});
+
 const getRoleResourceAccessParamsSchema = z.strictObject({
     roleId: z
         .string()
@@ -178,6 +186,7 @@ export type ResourceWithAuth = {
     password: ResourcePassword | null;
     headerAuth: ResourceHeaderAuth | null;
     headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
+    org: Org
 };
 
 export type UserSessionWithUser = {
@@ -238,7 +247,8 @@ hybridRouter.get(
                 ["newt", "local", "wireguard"], // Allow them to use all the site types
                 true, // But don't allow domain namespace resources
                 false, // Dont include login pages,
-                true // allow raw resources
+                true, // allow raw resources
+                false // dont generate maintenance page
             );
 
             return response(res, {
@@ -503,8 +513,12 @@ hybridRouter.get(
                 )
                 .leftJoin(
                     resourceHeaderAuthExtendedCompatibility,
-                    eq(resourceHeaderAuthExtendedCompatibility.resourceId, resources.resourceId)
+                    eq(
+                        resourceHeaderAuthExtendedCompatibility.resourceId,
+                        resources.resourceId
                     )
+                )
+                .innerJoin(orgs, eq(orgs.orgId, resources.orgId))
                 .where(eq(resources.fullDomain, domain))
                 .limit(1);
 
@@ -538,7 +552,9 @@ hybridRouter.get(
                 pincode: result.resourcePincode,
                 password: result.resourcePassword,
                 headerAuth: result.resourceHeaderAuth,
-                headerAuthExtendedCompatibility: result.resourceHeaderAuthExtendedCompatibility
+                headerAuthExtendedCompatibility:
+                    result.resourceHeaderAuthExtendedCompatibility,
+                org: result.orgs
             };
 
             return response<ResourceWithAuth>(res, {
@@ -602,6 +618,16 @@ hybridRouter.get(
                 )
                 .limit(1);
 
+            if (!result) {
+                return response<LoginPage | null>(res, {
+                    data: null,
+                    success: true,
+                    error: false,
+                    message: "Login page not found",
+                    status: HttpCode.OK
+                });
+            }
+
             if (
                 await checkExitNodeOrg(
                     remoteExitNode.exitNodeId,
@@ -617,16 +643,6 @@ hybridRouter.get(
                 );
             }
 
-            if (!result) {
-                return response<LoginPage | null>(res, {
-                    data: null,
-                    success: true,
-                    error: false,
-                    message: "Login page not found",
-                    status: HttpCode.OK
-                });
-            }
-
             return response<LoginPage>(res, {
                 data: result.loginPage,
                 success: true,
@@ -818,6 +834,69 @@ hybridRouter.get(
     }
 );
 
+// Get user organization role
+hybridRouter.get(
+    "/user/:userId/org/:orgId/session/:sessionId/verify",
+    async (req: Request, res: Response, next: NextFunction) => {
+        try {
+            const parsedParams = getUserOrgSessionVerifySchema.safeParse(
+                req.params
+            );
+            if (!parsedParams.success) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        fromError(parsedParams.error).toString()
+                    )
+                );
+            }
+
+            const { userId, orgId, sessionId } = parsedParams.data;
+            const remoteExitNode = req.remoteExitNode;
+
+            if (!remoteExitNode || !remoteExitNode.exitNodeId) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Remote exit node not found"
+                    )
+                );
+            }
+
+            if (await checkExitNodeOrg(remoteExitNode.exitNodeId, orgId)) {
+                return next(
+                    createHttpError(
+                        HttpCode.UNAUTHORIZED,
+                        "User is not authorized to access this organization"
+                    )
+                );
+            }
+
+            const accessPolicy = await checkOrgAccessPolicy({
+                orgId,
+                userId,
+                sessionId
+            });
+
+            return response(res, {
+                data: accessPolicy,
+                success: true,
+                error: false,
+                message: "User org access policy retrieved successfully",
+                status: HttpCode.OK
+            });
+        } catch (error) {
+            logger.error(error);
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Failed to get user org role"
+                )
+            );
+        }
+    }
+);
+
 // Check if role has access to resource
 hybridRouter.get(
     "/role/:roleId/resource/:resourceId/access",

server/private/routers/loginPage/loadLoginPage.ts

@@ -40,6 +40,11 @@ async function query(orgId: string | undefined, fullDomain: string) {
                 eq(loginPage.loginPageId, loginPageOrg.loginPageId)
             )
             .limit(1);
+
+        if (!res) {
+            return null;
+        }
+
         return {
             ...res.loginPage,
             orgId: res.loginPageOrg.orgId
@@ -65,6 +70,11 @@ async function query(orgId: string | undefined, fullDomain: string) {
             )
         )
         .limit(1);
+
+    if (!res) {
+        return null;
+    }
+
     return {
         ...res,
         orgId: orgLink.orgId

server/private/routers/loginPage/loadLoginPageBranding.ts

@@ -48,6 +48,11 @@ async function query(orgId: string) {
             )
         )
         .limit(1);
+
+    if (!res) {
+        return null;
+    }
+
     return {
         ...res,
         orgId: orgLink.orgs.orgId,

server/routers/auditLogs/queryRequestAnalytics.ts

@@ -105,6 +105,7 @@ async function query(query: Q) {
         // throw an error
         throw createHttpError(
             HttpCode.BAD_REQUEST,
+            // todo: is this even possible?
             `Too many distinct countries. Please narrow your query.`
         );
     }

server/routers/auditLogs/queryRequestAuditLog.ts

@@ -219,15 +219,17 @@ async function queryUniqueFilterAttributes(
             .limit(DISTINCT_LIMIT + 1)
     ]);
 
-    if (
-        uniqueActors.length > DISTINCT_LIMIT ||
-        uniqueLocations.length > DISTINCT_LIMIT ||
-        uniqueHosts.length > DISTINCT_LIMIT ||
-        uniquePaths.length > DISTINCT_LIMIT ||
-        uniqueResources.length > DISTINCT_LIMIT
-    ) {
-        throw new Error("Too many distinct filter attributes to retrieve. Please refine your time range.");
-    }
+    // TODO: for stuff like the paths this is too restrictive so lets just show some of the paths and the user needs to
+    // refine the time range to see what they need to see
+    // if (
+    //     uniqueActors.length > DISTINCT_LIMIT ||
+    //     uniqueLocations.length > DISTINCT_LIMIT ||
+    //     uniqueHosts.length > DISTINCT_LIMIT ||
+    //     uniquePaths.length > DISTINCT_LIMIT ||
+    //     uniqueResources.length > DISTINCT_LIMIT
+    // ) {
+    //     throw new Error("Too many distinct filter attributes to retrieve. Please refine your time range.");
+    // }
 
     return {
         actors: uniqueActors
@@ -307,10 +309,12 @@ export async function queryRequestAuditLogs(
     } catch (error) {
         logger.error(error);
         // if the message is "Too many distinct filter attributes to retrieve. Please refine your time range.", return a 400 and the message
-        if (error instanceof Error && error.message === "Too many distinct filter attributes to retrieve. Please refine your time range.") {
-            return next(
-                createHttpError(HttpCode.BAD_REQUEST, error.message)
-            );
+        if (
+            error instanceof Error &&
+            error.message ===
+                "Too many distinct filter attributes to retrieve. Please refine your time range."
+        ) {
+            return next(createHttpError(HttpCode.BAD_REQUEST, error.message));
         }
         return next(
             createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")

server/routers/auth/pollDeviceWebAuth.ts

@@ -10,6 +10,7 @@ import { eq, and, gt } from "drizzle-orm";
 import { createSession, generateSessionToken } from "@server/auth/sessions/app";
 import { encodeHexLowerCase } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
+import { stripPortFromHost } from "@server/lib/ip";
 
 const paramsSchema = z.object({
     code: z.string().min(1, "Code is required")
@@ -27,30 +28,6 @@ export type PollDeviceWebAuthResponse = {
     token?: string;
 };
 
-// Helper function to extract IP from request (same as in startDeviceWebAuth)
-function extractIpFromRequest(req: Request): string | undefined {
-    const ip = req.ip || req.socket.remoteAddress;
-    if (!ip) {
-        return undefined;
-    }
-
-    // Handle IPv6 format [::1] or IPv4 format
-    if (ip.startsWith("[") && ip.includes("]")) {
-        const ipv6Match = ip.match(/\[(.*?)\]/);
-        if (ipv6Match) {
-            return ipv6Match[1];
-        }
-    }
-
-    // Handle IPv4 with port (split at last colon)
-    const lastColonIndex = ip.lastIndexOf(":");
-    if (lastColonIndex !== -1) {
-        return ip.substring(0, lastColonIndex);
-    }
-
-    return ip;
-}
-
 export async function pollDeviceWebAuth(
     req: Request,
     res: Response,
@@ -70,7 +47,7 @@ export async function pollDeviceWebAuth(
     try {
         const { code } = parsedParams.data;
         const now = Date.now();
-        const requestIp = extractIpFromRequest(req);
+        const requestIp = req.ip ? stripPortFromHost(req.ip) : undefined;
 
         // Hash the code before querying
         const hashedCode = hashDeviceCode(code);

server/routers/auth/startDeviceWebAuth.ts

@@ -12,6 +12,7 @@ import { TimeSpan } from "oslo";
 import { maxmindLookup } from "@server/db/maxmind";
 import { encodeHexLowerCase } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
+import { stripPortFromHost } from "@server/lib/ip";
 
 const bodySchema = z
     .object({
@@ -39,30 +40,6 @@ function hashDeviceCode(code: string): string {
     return encodeHexLowerCase(sha256(new TextEncoder().encode(code)));
 }
 
-// Helper function to extract IP from request
-function extractIpFromRequest(req: Request): string | undefined {
-    const ip = req.ip;
-    if (!ip) {
-        return undefined;
-    }
-
-    // Handle IPv6 format [::1] or IPv4 format
-    if (ip.startsWith("[") && ip.includes("]")) {
-        const ipv6Match = ip.match(/\[(.*?)\]/);
-        if (ipv6Match) {
-            return ipv6Match[1];
-        }
-    }
-
-    // Handle IPv4 with port (split at last colon)
-    const lastColonIndex = ip.lastIndexOf(":");
-    if (lastColonIndex !== -1) {
-        return ip.substring(0, lastColonIndex);
-    }
-
-    return ip;
-}
-
 // Helper function to get city from IP (if available)
 async function getCityFromIp(ip: string): Promise<string | undefined> {
     try {
@@ -112,7 +89,7 @@ export async function startDeviceWebAuth(
         const hashedCode = hashDeviceCode(code);
 
         // Extract IP from request
-        const ip = extractIpFromRequest(req);
+        const ip = req.ip ? stripPortFromHost(req.ip) : undefined;
 
         // Get city (optional, may return undefined)
         const city = ip ? await getCityFromIp(ip) : undefined;

server/routers/badger/exchangeSession.ts

@@ -19,6 +19,7 @@ import {
 import { SESSION_COOKIE_EXPIRES as RESOURCE_SESSION_COOKIE_EXPIRES } from "@server/auth/sessions/resource";
 import config from "@server/lib/config";
 import { response } from "@server/lib/response";
+import { stripPortFromHost } from "@server/lib/ip";
 
 const exchangeSessionBodySchema = z.object({
     requestToken: z.string(),
@@ -62,7 +63,7 @@ export async function exchangeSession(
             cleanHost = cleanHost.slice(0, -1 * matched.length);
         }
 
-        const clientIp = requestIp?.split(":")[0];
+        const clientIp = requestIp ? stripPortFromHost(requestIp) : undefined;
 
         const [resource] = await db
             .select()

server/routers/badger/logRequestAudit.ts

@@ -3,6 +3,7 @@ import logger from "@server/logger";
 import { and, eq, lt } from "drizzle-orm";
 import cache from "@server/lib/cache";
 import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
+import { stripPortFromHost } from "@server/lib/ip";
 
 /**
 
@@ -208,26 +209,7 @@ export async function logRequestAudit(
         }
 
         const clientIp = body.requestIp
-            ? (() => {
-                  if (
-                      body.requestIp.startsWith("[") &&
-                      body.requestIp.includes("]")
-                  ) {
-                      // if brackets are found, extract the IPv6 address from between the brackets
-                      const ipv6Match = body.requestIp.match(/\[(.*?)\]/);
-                      if (ipv6Match) {
-                          return ipv6Match[1];
-                      }
-                  }
-
-                  // ivp4
-                  // split at last colon
-                  const lastColonIndex = body.requestIp.lastIndexOf(":");
-                  if (lastColonIndex !== -1) {
-                      return body.requestIp.substring(0, lastColonIndex);
-                  }
-                  return body.requestIp;
-              })()
+            ? stripPortFromHost(body.requestIp)
             : undefined;
 
         // Add to buffer instead of writing directly to DB

server/routers/badger/verifySession.ts

@@ -13,14 +13,15 @@ import {
     LoginPage,
     Org,
     Resource,
-    ResourceHeaderAuth, ResourceHeaderAuthExtendedCompatibility,
+    ResourceHeaderAuth,
+    ResourceHeaderAuthExtendedCompatibility,
     ResourcePassword,
     ResourcePincode,
     ResourceRule,
     resourceSessions
 } from "@server/db";
 import config from "@server/lib/config";
-import { isIpInCidr } from "@server/lib/ip";
+import { isIpInCidr, stripPortFromHost } from "@server/lib/ip";
 import { response } from "@server/lib/response";
 import logger from "@server/logger";
 import HttpCode from "@server/types/HttpCode";
@@ -39,6 +40,8 @@ import {
 } from "#dynamic/lib/checkOrgAccessPolicy";
 import { logRequestAudit } from "./logRequestAudit";
 import cache from "@server/lib/cache";
+import semver from "semver";
+import { APP_VERSION } from "@server/lib/consts";
 
 const verifyResourceSessionSchema = z.object({
     sessions: z.record(z.string(), z.string()).optional(),
@@ -50,7 +53,8 @@ const verifyResourceSessionSchema = z.object({
     path: z.string(),
     method: z.string(),
     tls: z.boolean(),
-    requestIp: z.string().optional()
+    requestIp: z.string().optional(),
+    badgerVersion: z.string().optional()
 });
 
 export type VerifyResourceSessionSchema = z.infer<
@@ -69,6 +73,7 @@ export type VerifyUserResponse = {
     headerAuthChallenged?: boolean;
     redirectUrl?: string;
     userData?: BasicUserData;
+    pangolinVersion?: string;
 };
 
 export async function verifyResourceSession(
@@ -97,31 +102,15 @@ export async function verifyResourceSession(
             requestIp,
             path,
             headers,
-            query
+            query,
+            badgerVersion
         } = parsedBody.data;
 
         // Extract HTTP Basic Auth credentials if present
         const clientHeaderAuth = extractBasicAuth(headers);
 
         const clientIp = requestIp
-            ? (() => {
-                  logger.debug("Request IP:", { requestIp });
-                  if (requestIp.startsWith("[") && requestIp.includes("]")) {
-                      // if brackets are found, extract the IPv6 address from between the brackets
-                      const ipv6Match = requestIp.match(/\[(.*?)\]/);
-                      if (ipv6Match) {
-                          return ipv6Match[1];
-                      }
-                  }
-
-                  // ivp4
-                  // split at last colon
-                  const lastColonIndex = requestIp.lastIndexOf(":");
-                  if (lastColonIndex !== -1) {
-                      return requestIp.substring(0, lastColonIndex);
-                  }
-                  return requestIp;
-              })()
+            ? stripPortFromHost(requestIp, badgerVersion)
             : undefined;
 
         logger.debug("Client IP:", { clientIp });
@@ -130,9 +119,7 @@ export async function verifyResourceSession(
             ? await getCountryCodeFromIp(clientIp)
             : undefined;
 
-        const ipAsn = clientIp
-            ? await getAsnFromIp(clientIp)
-            : undefined;
+        const ipAsn = clientIp ? await getAsnFromIp(clientIp) : undefined;
 
         let cleanHost = host;
         // if the host ends with :port, strip it
@@ -178,7 +165,13 @@ export async function verifyResourceSession(
             cache.set(resourceCacheKey, resourceData, 5);
         }
 
-        const { resource, pincode, password, headerAuth, headerAuthExtendedCompatibility } = resourceData;
+        const {
+            resource,
+            pincode,
+            password,
+            headerAuth,
+            headerAuthExtendedCompatibility
+        } = resourceData;
 
         if (!resource) {
             logger.debug(`Resource not found ${cleanHost}`);
@@ -474,8 +467,7 @@ export async function verifyResourceSession(
 
                 return notAllowed(res);
             }
-        }
-        else if (headerAuth) {
+        } else if (headerAuth) {
             // if there are no other auth methods we need to return unauthorized if nothing is provided
             if (
                 !sso &&
@@ -713,7 +705,11 @@ export async function verifyResourceSession(
         }
 
         // If headerAuthExtendedCompatibility is activated but no clientHeaderAuth provided, force client to challenge
-        if (headerAuthExtendedCompatibility && headerAuthExtendedCompatibility.extendedCompatibilityIsActivated && !clientHeaderAuth){
+        if (
+            headerAuthExtendedCompatibility &&
+            headerAuthExtendedCompatibility.extendedCompatibilityIsActivated &&
+            !clientHeaderAuth
+        ) {
             return headerAuthChallenged(res, redirectPath, resource.orgId);
         }
 
@@ -825,7 +821,7 @@ async function notAllowed(
     }
 
     const data = {
-        data: { valid: false, redirectUrl },
+        data: { valid: false, redirectUrl, pangolinVersion: APP_VERSION },
         success: true,
         error: false,
         message: "Access denied",
@@ -839,8 +835,8 @@ function allowed(res: Response, userData?: BasicUserData) {
     const data = {
         data:
             userData !== undefined && userData !== null
-                ? { valid: true, ...userData }
-                : { valid: true },
+                ? { valid: true, ...userData, pangolinVersion: APP_VERSION }
+                : { valid: true, pangolinVersion: APP_VERSION },
         success: true,
         error: false,
         message: "Access allowed",
@@ -879,7 +875,12 @@ async function headerAuthChallenged(
     }
 
     const data = {
-        data: { headerAuthChallenged: true, valid: false, redirectUrl },
+        data: {
+            headerAuthChallenged: true,
+            valid: false,
+            redirectUrl,
+            pangolinVersion: APP_VERSION
+        },
         success: true,
         error: false,
         message: "Access denied",

server/routers/client/getClient.ts

@@ -36,7 +36,7 @@ async function query(clientId?: number, niceId?: string, orgId?: string) {
             .select()
             .from(clients)
             .where(and(eq(clients.niceId, niceId), eq(clients.orgId, orgId)))
-            .leftJoin(olms, eq(olms.clientId, olms.clientId))
+            .leftJoin(olms, eq(clients.clientId, olms.clientId))
             .limit(1);
         return res;
     }

server/routers/client/listClients.ts

@@ -56,12 +56,12 @@ async function getLatestOlmVersion(): Promise<string | null> {
             return null;
         }
 
-        const tags = await response.json();
+        let tags = await response.json();
         if (!Array.isArray(tags) || tags.length === 0) {
             logger.warn("No tags found for Olm repository");
             return null;
         }
-
+        tags = tags.filter((version) => !version.name.includes("rc"));
         const latestVersion = tags[0].name;
 
         olmVersionCache.set("latestOlmVersion", latestVersion);

server/routers/gerbil/getConfig.ts

@@ -52,7 +52,7 @@ export async function getConfig(
         }
 
         // clean up the public key - keep only valid base64 characters (A-Z, a-z, 0-9, +, /, =)
-        const cleanedPublicKey = publicKey.replace(/[^A-Za-z0-9+/=]/g, '');
+        const cleanedPublicKey = publicKey.replace(/[^A-Za-z0-9+/=]/g, "");
 
         const exitNode = await createExitNode(cleanedPublicKey, reachableAt);
 

server/routers/integration.ts

@@ -858,7 +858,6 @@ authenticated.put(
     blueprints.applyJSONBlueprint
 );
 
-
 authenticated.get(
     "/org/:orgId/blueprint/:blueprintId",
     verifyApiKeyOrgAccess,
@@ -866,7 +865,6 @@ authenticated.get(
     blueprints.getBlueprint
 );
 
-
 authenticated.get(
     "/org/:orgId/blueprints",
     verifyApiKeyOrgAccess,

server/routers/newt/handleReceiveBandwidthMessage.ts

@@ -1,7 +1,7 @@
 import { db } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
-import { clients, Newt } from "@server/db";
-import { eq } from "drizzle-orm";
+import { clients } from "@server/db";
+import { eq, sql } from "drizzle-orm";
 import logger from "@server/logger";
 
 interface PeerBandwidth {
@@ -10,13 +10,57 @@ interface PeerBandwidth {
     bytesOut: number;
 }
 
+// Retry configuration for deadlock handling
+const MAX_RETRIES = 3;
+const BASE_DELAY_MS = 50;
+
+/**
+ * Check if an error is a deadlock error
+ */
+function isDeadlockError(error: any): boolean {
+    return (
+        error?.code === "40P01" ||
+        error?.cause?.code === "40P01" ||
+        (error?.message && error.message.includes("deadlock"))
+    );
+}
+
+/**
+ * Execute a function with retry logic for deadlock handling
+ */
+async function withDeadlockRetry<T>(
+    operation: () => Promise<T>,
+    context: string
+): Promise<T> {
+    let attempt = 0;
+    while (true) {
+        try {
+            return await operation();
+        } catch (error: any) {
+            if (isDeadlockError(error) && attempt < MAX_RETRIES) {
+                attempt++;
+                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
+                const jitter = Math.random() * baseDelay;
+                const delay = baseDelay + jitter;
+                logger.warn(
+                    `Deadlock detected in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
+                );
+                await new Promise((resolve) => setTimeout(resolve, delay));
+                continue;
+            }
+            throw error;
+        }
+    }
+}
+
 export const handleReceiveBandwidthMessage: MessageHandler = async (
     context
 ) => {
-    const { message, client, sendToClient } = context;
+    const { message } = context;
 
     if (!message.data.bandwidthData) {
         logger.warn("No bandwidth data provided");
+        return;
     }
 
     const bandwidthData: PeerBandwidth[] = message.data.bandwidthData;
@@ -25,30 +69,40 @@ export const handleReceiveBandwidthMessage: MessageHandler = async (
         throw new Error("Invalid bandwidth data");
     }
 
-    await db.transaction(async (trx) => {
-        for (const peer of bandwidthData) {
+    // Sort bandwidth data by publicKey to ensure consistent lock ordering across all instances
+    // This is critical for preventing deadlocks when multiple instances update the same clients
+    const sortedBandwidthData = [...bandwidthData].sort((a, b) =>
+        a.publicKey.localeCompare(b.publicKey)
+    );
+
+    const currentTime = new Date().toISOString();
+
+    // Update each client individually with retry logic
+    // This reduces transaction scope and allows retries per-client
+    for (const peer of sortedBandwidthData) {
         const { publicKey, bytesIn, bytesOut } = peer;
 
-            // Find the client by public key
-            const [client] = await trx
-                .select()
-                .from(clients)
-                .where(eq(clients.pubKey, publicKey))
-                .limit(1);
-
-            if (!client) {
-                continue;
-            }
-
-            // Update the client's bandwidth usage
-            await trx
+        try {
+            await withDeadlockRetry(async () => {
+                // Use atomic SQL increment to avoid SELECT then UPDATE pattern
+                // This eliminates the need to read the current value first
+                await db
                     .update(clients)
                     .set({
-                    megabytesOut: (client.megabytesIn || 0) + bytesIn,
-                    megabytesIn: (client.megabytesOut || 0) + bytesOut,
-                    lastBandwidthUpdate: new Date().toISOString()
+                        // Note: bytesIn from peer goes to megabytesOut (data sent to client)
+                        // and bytesOut from peer goes to megabytesIn (data received from client)
+                        megabytesOut: sql`COALESCE(${clients.megabytesOut}, 0) + ${bytesIn}`,
+                        megabytesIn: sql`COALESCE(${clients.megabytesIn}, 0) + ${bytesOut}`,
+                        lastBandwidthUpdate: currentTime
                     })
-                .where(eq(clients.clientId, client.clientId));
+                    .where(eq(clients.pubKey, publicKey));
+            }, `update client bandwidth ${publicKey}`);
+        } catch (error) {
+            logger.error(
+                `Failed to update bandwidth for client ${publicKey}:`,
+                error
+            );
+            // Continue with other clients even if one fails
+        }
     }
-    });
 };

server/routers/org/pickOrgDefaults.ts

@@ -21,8 +21,7 @@ export async function pickOrgDefaults(
         // const subnet = await getNextAvailableOrgSubnet();
         // Just hard code the subnet for now for everyone
         const subnet = config.getRawConfig().orgs.subnet_group;
-        const utilitySubnet =
-            config.getRawConfig().orgs.utility_subnet_group;
+        const utilitySubnet = config.getRawConfig().orgs.utility_subnet_group;
 
         return response<PickOrgDefaultsResponse>(res, {
             data: {

server/routers/resource/getResourceAuthInfo.ts

@@ -2,7 +2,8 @@ import {Request, Response, NextFunction} from "express";
 import { z } from "zod";
 import {
     db,
-    resourceHeaderAuth, resourceHeaderAuthExtendedCompatibility,
+    resourceHeaderAuth,
+    resourceHeaderAuthExtendedCompatibility,
     resourcePassword,
     resourcePincode,
     resources
@@ -125,7 +126,8 @@ export async function getResourceAuthInfo(
         const pincode = result?.resourcePincode;
         const password = result?.resourcePassword;
         const headerAuth = result?.resourceHeaderAuth;
-        const headerAuthExtendedCompatibility = result?.resourceHeaderAuthExtendedCompatibility;
+        const headerAuthExtendedCompatibility =
+            result?.resourceHeaderAuthExtendedCompatibility;
 
         const url = `${resource.ssl ? "https" : "http"}://${resource.fullDomain}`;
 
@@ -138,7 +140,8 @@ export async function getResourceAuthInfo(
                 password: password !== null,
                 pincode: pincode !== null,
                 headerAuth: headerAuth !== null,
-                headerAuthExtendedCompatibility: headerAuthExtendedCompatibility !== null,
+                headerAuthExtendedCompatibility:
+                    headerAuthExtendedCompatibility !== null,
                 sso: resource.sso,
                 blockAccess: resource.blockAccess,
                 url,

server/routers/resource/listResources.ts

@@ -1,6 +1,10 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import {db, resourceHeaderAuth, resourceHeaderAuthExtendedCompatibility} from "@server/db";
+import {
+    db,
+    resourceHeaderAuth,
+    resourceHeaderAuthExtendedCompatibility
+} from "@server/db";
 import {
     resources,
     userResources,
@@ -109,7 +113,8 @@ function queryResources(accessibleResourceIds: number[], orgId: string) {
             domainId: resources.domainId,
             niceId: resources.niceId,
             headerAuthId: resourceHeaderAuth.headerAuthId,
-            headerAuthExtendedCompatibilityId: resourceHeaderAuthExtendedCompatibility.headerAuthExtendedCompatibilityId,
+            headerAuthExtendedCompatibilityId:
+                resourceHeaderAuthExtendedCompatibility.headerAuthExtendedCompatibilityId,
             targetId: targets.targetId,
             targetIp: targets.ip,
             targetPort: targets.port,
@@ -133,7 +138,10 @@ function queryResources(accessibleResourceIds: number[], orgId: string) {
         )
         .leftJoin(
             resourceHeaderAuthExtendedCompatibility,
-            eq(resourceHeaderAuthExtendedCompatibility.resourceId, resources.resourceId)
+            eq(
+                resourceHeaderAuthExtendedCompatibility.resourceId,
+                resources.resourceId
+            )
         )
         .leftJoin(targets, eq(targets.resourceId, resources.resourceId))
         .leftJoin(

server/routers/resource/setResourceHeaderAuth.ts

@@ -1,6 +1,10 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import {db, resourceHeaderAuth, resourceHeaderAuthExtendedCompatibility} from "@server/db";
+import {
+    db,
+    resourceHeaderAuth,
+    resourceHeaderAuthExtendedCompatibility
+} from "@server/db";
 import { eq } from "drizzle-orm";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -74,10 +78,19 @@ export async function setResourceHeaderAuth(
             await trx
                 .delete(resourceHeaderAuth)
                 .where(eq(resourceHeaderAuth.resourceId, resourceId));
-            await trx.delete(resourceHeaderAuthExtendedCompatibility).where(eq(resourceHeaderAuthExtendedCompatibility.resourceId, resourceId));
+            await trx
+                .delete(resourceHeaderAuthExtendedCompatibility)
+                .where(
+                    eq(
+                        resourceHeaderAuthExtendedCompatibility.resourceId,
+                        resourceId
+                    )
+                );
 
             if (user && password && extendedCompatibility !== null) {
-                const headerAuthHash = await hashPassword(Buffer.from(`${user}:${password}`).toString("base64"));
+                const headerAuthHash = await hashPassword(
+                    Buffer.from(`${user}:${password}`).toString("base64")
+                );
 
                 await Promise.all([
                     trx
@@ -85,11 +98,13 @@ export async function setResourceHeaderAuth(
                         .values({ resourceId, headerAuthHash }),
                     trx
                         .insert(resourceHeaderAuthExtendedCompatibility)
-                        .values({resourceId, extendedCompatibilityIsActivated: extendedCompatibility})
+                        .values({
+                            resourceId,
+                            extendedCompatibilityIsActivated:
+                                extendedCompatibility
+                        })
                 ]);
             }
-
-
         });
 
         return response(res, {

server/routers/resource/types.ts

@@ -7,4 +7,4 @@ export type GetMaintenanceInfoResponse = {
     maintenanceTitle: string | null;
     maintenanceMessage: string | null;
     maintenanceEstimatedTime: string | null;
-}
+};

server/routers/resource/updateResource.ts

@@ -343,7 +343,9 @@ async function updateHttpResource(
 
     const isLicensed = await isLicensedOrSubscribed(resource.orgId);
     if (build == "enterprise" && !isLicensed) {
-        logger.warn("Server is not licensed! Clearing set maintenance screen values");
+        logger.warn(
+            "Server is not licensed! Clearing set maintenance screen values"
+        );
         // null the maintenance mode fields if not licensed
         updateData.maintenanceModeEnabled = undefined;
         updateData.maintenanceModeType = undefined;

server/routers/site/listSites.ts

@@ -39,12 +39,12 @@ async function getLatestNewtVersion(): Promise<string | null> {
             return null;
         }
 
-        const tags = await response.json();
+        let tags = await response.json();
         if (!Array.isArray(tags) || tags.length === 0) {
             logger.warn("No tags found for Newt repository");
             return null;
         }
-
+        tags = tags.filter((version) => !version.name.includes("rc"));
         const latestVersion = tags[0].name;
 
         cache.set("latestNewtVersion", latestVersion);

server/routers/siteResource/createSiteResource.ts

@@ -11,7 +11,11 @@ import {
     userSiteResources
 } from "@server/db";
 import { getUniqueSiteResourceName } from "@server/db/names";
-import { getNextAvailableAliasAddress, isIpInCidr, portRangeStringSchema } from "@server/lib/ip";
+import {
+    getNextAvailableAliasAddress,
+    isIpInCidr,
+    portRangeStringSchema
+} from "@server/lib/ip";
 import { rebuildClientAssociationsFromSiteResource } from "@server/lib/rebuildClientAssociations";
 import response from "@server/lib/response";
 import logger from "@server/logger";
@@ -69,7 +73,10 @@ const createSiteResourceSchema = z
                 const domainRegex =
                     /^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)*[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/;
                 const isValidDomain = domainRegex.test(data.destination);
-                const isValidAlias = data.alias !== undefined && data.alias !== null && data.alias.trim() !== "";
+                const isValidAlias =
+                    data.alias !== undefined &&
+                    data.alias !== null &&
+                    data.alias.trim() !== "";
 
                 return isValidDomain && isValidAlias; // require the alias to be set in the case of domain
             }
@@ -182,7 +189,9 @@ export async function createSiteResource(
             .limit(1);
 
         if (!org) {
-            return next(createHttpError(HttpCode.NOT_FOUND, "Organization not found"));
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, "Organization not found")
+            );
         }
 
         if (!org.subnet || !org.utilitySubnet) {
@@ -195,10 +204,13 @@ export async function createSiteResource(
         }
 
         // Only check if destination is an IP address
-        const isIp = z.union([z.ipv4(), z.ipv6()]).safeParse(destination).success;
+        const isIp = z
+            .union([z.ipv4(), z.ipv6()])
+            .safeParse(destination).success;
         if (
             isIp &&
-            (isIpInCidr(destination, org.subnet) || isIpInCidr(destination, org.utilitySubnet))
+            (isIpInCidr(destination, org.subnet) ||
+                isIpInCidr(destination, org.utilitySubnet))
         ) {
             return next(
                 createHttpError(

server/routers/siteResource/deleteSiteResource.ts

@@ -88,9 +88,7 @@ export async function deleteSiteResource(
             );
         });
 
-        logger.info(
-            `Deleted site resource ${siteResourceId}`
-        );
+        logger.info(`Deleted site resource ${siteResourceId}`);
 
         return response(res, {
             data: { message: "Site resource deleted successfully" },

server/routers/siteResource/updateSiteResource.ts

@@ -204,7 +204,9 @@ export async function updateSiteResource(
             .limit(1);
 
         if (!org) {
-            return next(createHttpError(HttpCode.NOT_FOUND, "Organization not found"));
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, "Organization not found")
+            );
         }
 
         if (!org.subnet || !org.utilitySubnet) {
@@ -217,10 +219,13 @@ export async function updateSiteResource(
         }
 
         // Only check if destination is an IP address
-        const isIp = z.union([z.ipv4(), z.ipv6()]).safeParse(destination).success;
+        const isIp = z
+            .union([z.ipv4(), z.ipv6()])
+            .safeParse(destination).success;
         if (
             isIp &&
-            (isIpInCidr(destination!, org.subnet) || isIpInCidr(destination!, org.utilitySubnet))
+            (isIpInCidr(destination!, org.subnet) ||
+                isIpInCidr(destination!, org.utilitySubnet))
         ) {
             return next(
                 createHttpError(
@@ -295,7 +300,7 @@ export async function updateSiteResource(
                 const [insertedSiteResource] = await trx
                     .insert(siteResources)
                     .values({
-                        ...existingSiteResource,
+                        ...existingSiteResource
                     })
                     .returning();
 
@@ -517,9 +522,14 @@ export async function handleMessagingForUpdatedSiteResource(
     site: { siteId: number; orgId: string },
     trx: Transaction
 ) {
-
-    logger.debug("handleMessagingForUpdatedSiteResource: existingSiteResource is: ", existingSiteResource);
-    logger.debug("handleMessagingForUpdatedSiteResource: updatedSiteResource is: ", updatedSiteResource);
+    logger.debug(
+        "handleMessagingForUpdatedSiteResource: existingSiteResource is: ",
+        existingSiteResource
+    );
+    logger.debug(
+        "handleMessagingForUpdatedSiteResource: updatedSiteResource is: ",
+        updatedSiteResource
+    );
 
     const { mergedAllClients } =
         await rebuildClientAssociationsFromSiteResource(

server/setup/scriptsPg/1.14.0.ts

@@ -60,11 +60,11 @@ export default async function migration() {
         );
 
         await db.execute(
-            sql`ALTER TABLE "siteResources" ADD COLUMN "tcpPortRangeString" varchar;`
+            sql`ALTER TABLE "siteResources" ADD COLUMN "tcpPortRangeString" varchar NOT NULL DEFAULT '*';`
         );
 
         await db.execute(
-            sql`ALTER TABLE "siteResources" ADD COLUMN "udpPortRangeString" varchar;`
+            sql`ALTER TABLE "siteResources" ADD COLUMN "udpPortRangeString" varchar NOT NULL DEFAULT '*';`
         );
 
         await db.execute(

server/setup/scriptsSqlite/1.14.0.ts

@@ -73,16 +73,18 @@ export default async function migration() {
             ).run();
 
             db.prepare(
-                `ALTER TABLE 'siteResources' ADD 'tcpPortRangeString' text;`
+                `ALTER TABLE 'siteResources' ADD 'tcpPortRangeString' text DEFAULT '*' NOT NULL;`
             ).run();
 
             db.prepare(
-                `ALTER TABLE 'siteResources' ADD 'udpPortRangeString' text;`
+                `ALTER TABLE 'siteResources' ADD 'udpPortRangeString' text DEFAULT '*' NOT NULL;`
             ).run();
 
             db.prepare(
-                `ALTER TABLE 'siteResources' ADD 'disableIcmp' integer;`
+                `ALTER TABLE 'siteResources' ADD 'disableIcmp' integer NOT NULL DEFAULT false;`
             ).run();
+
+
         })();
 
         db.pragma("foreign_keys = ON");

src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx

@@ -62,6 +62,7 @@ export default function GeneralPage() {
     const [variant, setVariant] = useState<"oidc" | "google" | "azure">("oidc");
     const { isUnlocked } = useLicenseStatusContext();
 
+    const dashboardRedirectUrl = `${env.app.dashboardUrl}/auth/idp/${idpId}/oidc/callback`;
     const [redirectUrl, setRedirectUrl] = useState(
         `${env.app.dashboardUrl}/auth/idp/${idpId}/oidc/callback`
     );
@@ -423,11 +424,18 @@ export default function GeneralPage() {
                         <InfoSections cols={3}>
                             <InfoSection>
                                 <InfoSectionTitle>
-                                    {t("redirectUrl")}
+                                    {t("orgIdpRedirectUrls")}
                                 </InfoSectionTitle>
                                 <InfoSectionContent>
                                     <CopyToClipboard text={redirectUrl} />
                                 </InfoSectionContent>
+                                {redirectUrl !== dashboardRedirectUrl && (
+                                    <InfoSectionContent>
+                                        <CopyToClipboard
+                                            text={dashboardRedirectUrl}
+                                        />
+                                    </InfoSectionContent>
+                                )}
                             </InfoSection>
                         </InfoSections>
 

src/app/[orgId]/settings/(private)/idp/create/page.tsx

@@ -285,7 +285,7 @@ export default function Page() {
                 <Button
                     variant="outline"
                     onClick={() => {
-                        router.push("/admin/idp");
+                        router.push(`/${params.orgId}/settings/idp`);
                     }}
                 >
                     {t("idpSeeAll")}

src/app/[orgId]/settings/(private)/idp/page.tsx

@@ -1,17 +1,10 @@
-import { internal, priv } from "@app/lib/api";
+import { internal } from "@app/lib/api";
 import { authCookieHeader } from "@app/lib/api/cookies";
 import { AxiosResponse } from "axios";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import IdpTable, { IdpRow } from "@app/components/private/OrgIdpTable";
 import { getTranslations } from "next-intl/server";
-import { Alert, AlertDescription } from "@app/components/ui/alert";
-import { cache } from "react";
-import {
-    GetOrgSubscriptionResponse,
-    GetOrgTierResponse
-} from "@server/routers/billing/types";
-import { TierId } from "@server/lib/billing/tiers";
-import { build } from "@server/build";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 
 type OrgIdpPageProps = {
     params: Promise<{ orgId: string }>;
@@ -35,21 +28,6 @@ export default async function OrgIdpPage(props: OrgIdpPageProps) {
 
     const t = await getTranslations();
 
-    let subscriptionStatus: GetOrgTierResponse | null = null;
-    try {
-        const getSubscription = cache(() =>
-            priv.get<AxiosResponse<GetOrgTierResponse>>(
-                `/org/${params.orgId}/billing/tier`
-            )
-        );
-        const subRes = await getSubscription();
-        subscriptionStatus = subRes.data.data;
-    } catch {}
-    const subscribed =
-        build === "enterprise"
-            ? true
-            : subscriptionStatus?.tier === TierId.STANDARD;
-
     return (
         <>
             <SettingsSectionTitle
@@ -57,13 +35,7 @@ export default async function OrgIdpPage(props: OrgIdpPageProps) {
                 description={t("idpManageDescription")}
             />
 
-            {build === "saas" && !subscribed ? (
-                <Alert variant="info" className="mb-6">
-                    <AlertDescription>
-                        {t("idpDisabled")} {t("subscriptionRequiredToUse")}
-                    </AlertDescription>
-                </Alert>
-            ) : null}
+            <PaidFeaturesAlert />
 
             <IdpTable idps={idps} orgId={params.orgId} />
         </>

src/app/[orgId]/settings/general/layout.tsx

@@ -71,7 +71,9 @@ export default async function GeneralSettingsPage({
 
                     <div className="space-y-6">
                         <OrgInfoCard />
-                        <HorizontalTabs items={navItems}>{children}</HorizontalTabs>
+                        <HorizontalTabs items={navItems}>
+                            {children}
+                        </HorizontalTabs>
                     </div>
                 </OrgUserProvider>
             </OrgProvider>

src/app/[orgId]/settings/resources/client/page.tsx

@@ -71,7 +71,7 @@ export default async function ClientResourcesPage(
                 niceId: siteResource.niceId,
                 tcpPortRangeString: siteResource.tcpPortRangeString || null,
                 udpPortRangeString: siteResource.udpPortRangeString || null,
-                disableIcmp: siteResource.disableIcmp || false,
+                disableIcmp: siteResource.disableIcmp || false
             };
         }
     );

src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx

@@ -16,7 +16,6 @@ import { SwitchInput } from "@app/components/SwitchInput";
 import { Tag, TagInput } from "@app/components/tags/tag-input";
 import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { Button } from "@app/components/ui/button";
-import { CheckboxWithLabel } from "@app/components/ui/checkbox";
 import {
     Form,
     FormControl,
@@ -184,9 +183,6 @@ export default function ResourceAuthenticationPage() {
 
     const [ssoEnabled, setSsoEnabled] = useState(resource.sso);
 
-    const [autoLoginEnabled, setAutoLoginEnabled] = useState(
-        resource.skipToIdpId !== null && resource.skipToIdpId !== undefined
-    );
     const [selectedIdpId, setSelectedIdpId] = useState<number | null>(
         resource.skipToIdpId || null
     );
@@ -243,19 +239,8 @@ export default function ResourceAuthenticationPage() {
                 text: w.email
             }))
         );
-        if (autoLoginEnabled && !selectedIdpId && orgIdps.length > 0) {
-            setSelectedIdpId(orgIdps[0].idpId);
-        }
         hasInitializedRef.current = true;
-    }, [
-        pageLoading,
-        resourceRoles,
-        resourceUsers,
-        whitelist,
-        autoLoginEnabled,
-        selectedIdpId,
-        orgIdps
-    ]);
+    }, [pageLoading, resourceRoles, resourceUsers, whitelist, orgIdps]);
 
     const [, submitUserRolesForm, loadingSaveUsersRoles] = useActionState(
         onSubmitUsersRoles,
@@ -269,16 +254,6 @@ export default function ResourceAuthenticationPage() {
         const data = usersRolesForm.getValues();
 
         try {
-            // Validate that an IDP is selected if auto login is enabled
-            if (autoLoginEnabled && !selectedIdpId) {
-                toast({
-                    variant: "destructive",
-                    title: t("error"),
-                    description: t("selectIdpRequired")
-                });
-                return;
-            }
-
             const jobs = [
                 api.post(`/resource/${resource.resourceId}/roles`, {
                     roleIds: data.roles.map((i) => parseInt(i.id))
@@ -288,7 +263,7 @@ export default function ResourceAuthenticationPage() {
                 }),
                 api.post(`/resource/${resource.resourceId}`, {
                     sso: ssoEnabled,
-                    skipToIdpId: autoLoginEnabled ? selectedIdpId : null
+                    skipToIdpId: selectedIdpId
                 })
             ];
 
@@ -296,7 +271,7 @@ export default function ResourceAuthenticationPage() {
 
             updateResource({
                 sso: ssoEnabled,
-                skipToIdpId: autoLoginEnabled ? selectedIdpId : null
+                skipToIdpId: selectedIdpId
             });
 
             updateAuthInfo({
@@ -619,59 +594,24 @@ export default function ResourceAuthenticationPage() {
                                     )}
 
                                     {ssoEnabled && allIdps.length > 0 && (
-                                        <>
-                                            <div className="space-y-2 mb-3">
-                                                <CheckboxWithLabel
-                                                    label={t(
-                                                        "autoLoginExternalIdp"
-                                                    )}
-                                                    checked={autoLoginEnabled}
-                                                    onCheckedChange={(
-                                                        checked
-                                                    ) => {
-                                                        setAutoLoginEnabled(
-                                                            checked as boolean
-                                                        );
-                                                        if (
-                                                            checked &&
-                                                            allIdps.length > 0
-                                                        ) {
-                                                            setSelectedIdpId(
-                                                                allIdps[0].id
-                                                            );
+                                        <div className="space-y-2">
+                                            <label className="text-sm font-medium">
+                                                {t("defaultIdentityProvider")}
+                                            </label>
+                                            <Select
+                                                onValueChange={(value) => {
+                                                    if (value === "none") {
+                                                        setSelectedIdpId(null);
                                                     } else {
                                                         setSelectedIdpId(
-                                                                null
+                                                            parseInt(value)
                                                         );
                                                     }
                                                 }}
-                                                />
-                                                <p className="text-sm text-muted-foreground">
-                                                    {t(
-                                                        "autoLoginExternalIdpDescription"
-                                                    )}
-                                                </p>
-                                            </div>
-
-                                            {autoLoginEnabled && (
-                                                <div className="space-y-2">
-                                                    <label className="text-sm font-medium">
-                                                        {t(
-                                                            "defaultIdentityProvider"
-                                                        )}
-                                                    </label>
-                                                    <Select
-                                                        onValueChange={(
-                                                            value
-                                                        ) =>
-                                                            setSelectedIdpId(
-                                                                parseInt(value)
-                                                            )
-                                                        }
                                                 value={
                                                     selectedIdpId
                                                         ? selectedIdpId.toString()
-                                                                : undefined
+                                                        : "none"
                                                 }
                                             >
                                                 <SelectTrigger className="w-full mt-1">
@@ -682,25 +622,25 @@ export default function ResourceAuthenticationPage() {
                                                     />
                                                 </SelectTrigger>
                                                 <SelectContent>
-                                                            {allIdps.map(
-                                                                (idp) => (
+                                                    <SelectItem value="none">
+                                                        {t("none")}
+                                                    </SelectItem>
+                                                    {allIdps.map((idp) => (
                                                         <SelectItem
-                                                                        key={
-                                                                            idp.id
-                                                                        }
+                                                            key={idp.id}
                                                             value={idp.id.toString()}
                                                         >
-                                                                        {
-                                                                            idp.text
-                                                                        }
+                                                            {idp.text}
                                                         </SelectItem>
-                                                                )
-                                                            )}
+                                                    ))}
                                                 </SelectContent>
                                             </Select>
-                                                </div>
+                                            <p className="text-sm text-muted-foreground">
+                                                {t(
+                                                    "defaultIdentityProviderDescription"
                                                 )}
-                                        </>
+                                            </p>
+                                        </div>
                                     )}
                                 </form>
                             </Form>

src/app/[orgId]/settings/resources/proxy/[niceId]/general/page.tsx

@@ -164,6 +164,10 @@ function MaintenanceSectionForm({
         return isEnterpriseNotLicensed || isSaasNotSubscribed;
     };
 
+    if (!resource.http) {
+        return null;
+    }
+
     return (
         <SettingsSection>
             <SettingsSectionHeader>
@@ -189,7 +193,7 @@ function MaintenanceSectionForm({
                                 name="maintenanceModeEnabled"
                                 render={({ field }) => {
                                     const isDisabled =
-                                        isSecurityFeatureDisabled();
+                                        isSecurityFeatureDisabled() || resource.http === false;
 
                                     return (
                                         <FormItem>
@@ -437,9 +441,16 @@ export default function GeneralForm() {
     );
 
     const resourceFullDomainName = useMemo(() => {
+        if (!resource.fullDomain) {
+            return "";
+        }
+        try {
             const url = new URL(resourceFullDomain);
             return url.hostname;
-    }, [resourceFullDomain]);
+        } catch {
+            return "";
+        }
+    }, [resourceFullDomain, resource.fullDomain]);
 
     const [selectedDomain, setSelectedDomain] = useState<{
         domainId: string;

src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx

@@ -338,7 +338,7 @@ function ProxyResourceTargetsForm({
                                 <div
                                     className={`flex items-center gap-2 ${status === "healthy" ? "text-green-500" : status === "unhealthy" ? "text-destructive" : ""}`}
                                 >
-                                    <Settings className="h-3 w-3" />
+                                    <Settings className="h-4 w-4 text-foreground" />
                                     {getStatusText(status)}
                                 </div>
                             </Button>

src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx

@@ -118,8 +118,7 @@ export default function ResourceRules(props: {
     const [countrySelectValue, setCountrySelectValue] = useState("");
     const [openAddRuleCountrySelect, setOpenAddRuleCountrySelect] =
         useState(false);
-    const [openAddRuleAsnSelect, setOpenAddRuleAsnSelect] =
-        useState(false);
+    const [openAddRuleAsnSelect, setOpenAddRuleAsnSelect] = useState(false);
     const router = useRouter();
     const t = useTranslations();
     const { env } = useEnvContext();
@@ -542,7 +541,11 @@ export default function ResourceRules(props: {
                         updateRule(row.original.ruleId, {
                             match: value,
                             value:
-                                value === "COUNTRY" ? "US" : value === "ASN" ? "AS15169" : row.original.value
+                                value === "COUNTRY"
+                                    ? "US"
+                                    : value === "ASN"
+                                      ? "AS15169"
+                                      : row.original.value
                         })
                     }
                 >
@@ -559,9 +562,7 @@ export default function ResourceRules(props: {
                             </SelectItem>
                         )}
                         {isMaxmindAsnAvailable && (
-                            <SelectItem value="ASN">
-                                {RuleMatch.ASN}
-                            </SelectItem>
+                            <SelectItem value="ASN">{RuleMatch.ASN}</SelectItem>
                         )}
                     </SelectContent>
                 </Select>
@@ -654,9 +655,7 @@ export default function ResourceRules(props: {
                         </PopoverTrigger>
                         <PopoverContent className="min-w-[200px] p-0">
                             <Command>
-                                <CommandInput
-                                    placeholder="Search ASNs or enter custom..."
-                                />
+                                <CommandInput placeholder="Search ASNs or enter custom..." />
                                 <CommandList>
                                     <CommandEmpty>
                                         No ASN found. Enter a custom ASN below.
@@ -665,7 +664,9 @@ export default function ResourceRules(props: {
                                         {MAJOR_ASNS.map((asn) => (
                                             <CommandItem
                                                 key={asn.code}
-                                                value={asn.name + " " + asn.code}
+                                                value={
+                                                    asn.name + " " + asn.code
+                                                }
                                                 onSelect={() => {
                                                     updateRule(
                                                         row.original.ruleId,
@@ -1088,19 +1089,25 @@ export default function ResourceRules(props: {
                                                                               ?.name +
                                                                               " (" +
                                                                               field.value +
-                                                                          ")" || field.value
+                                                                              ")" ||
+                                                                          field.value
                                                                         : "Select ASN"}
                                                                     <ChevronsUpDown className="ml-2 h-4 w-4 shrink-0 opacity-50" />
                                                                 </Button>
                                                             </PopoverTrigger>
                                                             <PopoverContent className="w-full p-0">
                                                                 <Command>
-                                                                    <CommandInput
-                                                                        placeholder="Search ASNs or enter custom..."
-                                                                    />
+                                                                    <CommandInput placeholder="Search ASNs or enter custom..." />
                                                                     <CommandList>
                                                                         <CommandEmpty>
-                                                                            No ASN found. Use the custom input below.
+                                                                            No
+                                                                            ASN
+                                                                            found.
+                                                                            Use
+                                                                            the
+                                                                            custom
+                                                                            input
+                                                                            below.
                                                                         </CommandEmpty>
                                                                         <CommandGroup>
                                                                             {MAJOR_ASNS.map(
@@ -1112,7 +1119,9 @@ export default function ResourceRules(props: {
                                                                                             asn.code
                                                                                         }
                                                                                         value={
-                                                                                            asn.name + " " + asn.code
+                                                                                            asn.name +
+                                                                                            " " +
+                                                                                            asn.code
                                                                                         }
                                                                                         onSelect={() => {
                                                                                             field.onChange(
@@ -1138,6 +1147,7 @@ export default function ResourceRules(props: {
                                                                                         {
                                                                                             asn.code
                                                                                         }
+
                                                                                         )
                                                                                     </CommandItem>
                                                                                 )
@@ -1148,14 +1158,32 @@ export default function ResourceRules(props: {
                                                                 <div className="border-t p-2">
                                                                     <Input
                                                                         placeholder="Enter custom ASN (e.g., AS15169)"
-                                                                        onKeyDown={(e) => {
-                                                                            if (e.key === "Enter") {
-                                                                                const value = e.currentTarget.value
+                                                                        onKeyDown={(
+                                                                            e
+                                                                        ) => {
+                                                                            if (
+                                                                                e.key ===
+                                                                                "Enter"
+                                                                            ) {
+                                                                                const value =
+                                                                                    e.currentTarget.value
                                                                                         .toUpperCase()
-                                                                                    .replace(/^AS/, "");
-                                                                                if (/^\d+$/.test(value)) {
-                                                                                    field.onChange("AS" + value);
-                                                                                    setOpenAddRuleAsnSelect(false);
+                                                                                        .replace(
+                                                                                            /^AS/,
+                                                                                            ""
+                                                                                        );
+                                                                                if (
+                                                                                    /^\d+$/.test(
+                                                                                        value
+                                                                                    )
+                                                                                ) {
+                                                                                    field.onChange(
+                                                                                        "AS" +
+                                                                                            value
+                                                                                    );
+                                                                                    setOpenAddRuleAsnSelect(
+                                                                                        false
+                                                                                    );
                                                                                 }
                                                                             }
                                                                         }}

src/app/[orgId]/settings/sites/create/page.tsx

@@ -756,7 +756,9 @@ WantedBy=default.target`
                                                     render={({ field }) => (
                                                         <FormItem className="md:col-start-1 md:col-span-2">
                                                             <FormLabel>
-                                                                {t("siteAddress")}
+                                                                {t(
+                                                                    "siteAddress"
+                                                                )}
                                                             </FormLabel>
                                                             <FormControl>
                                                                 <Input
@@ -909,7 +911,7 @@ WantedBy=default.target`
                                                                 ? "squareOutlinePrimary"
                                                                 : "squareOutline"
                                                         }
-                                                        className={`flex-1 min-w-[120px] ${platform === os ? "bg-primary/10" : ""} shadow-none`}
+                                                        className={`flex-1 min-w-30 ${platform === os ? "bg-primary/10" : ""} shadow-none`}
                                                         onClick={() => {
                                                             setPlatform(os);
                                                         }}
@@ -940,7 +942,7 @@ WantedBy=default.target`
                                                                     ? "squareOutlinePrimary"
                                                                     : "squareOutline"
                                                             }
-                                                            className={`flex-1 min-w-[120px] ${architecture === arch ? "bg-primary/10" : ""} shadow-none`}
+                                                            className={`flex-1 min-w-30 ${architecture === arch ? "bg-primary/10" : ""} shadow-none`}
                                                             onClick={() =>
                                                                 setArchitecture(
                                                                     arch

src/app/auth/org/page.tsx

@@ -87,8 +87,6 @@ export default async function OrgAuthPage(props: {
             redirect(env.app.dashboardUrl);
         }
 
-        console.log(user, forceLogin);
-
         if (user && !forceLogin) {
             let redirectToken: string | undefined;
             try {

src/app/globals.css

@@ -162,3 +162,32 @@ p {
 #nprogress .bar {
     background: var(--color-primary) !important;
 }
+
+@keyframes dot-pulse {
+    0%, 80%, 100% {
+        opacity: 0.3;
+        transform: scale(0.8);
+    }
+    40% {
+        opacity: 1;
+        transform: scale(1);
+    }
+}
+
+@layer utilities {
+    .animate-dot-pulse {
+        animation: dot-pulse 1.4s ease-in-out infinite;
+    }
+
+    /* Use JavaScript-set viewport height for mobile to handle keyboard properly */
+    .h-screen-safe {
+        height: 100vh; /* Default for desktop and fallback */
+    }
+
+    /* Only apply custom viewport height on mobile */
+    @media (max-width: 767px) {
+        .h-screen-safe {
+            height: var(--vh, 100vh); /* Use CSS variable set by ViewportHeightFix on mobile */
+        }
+    }
+}

src/app/layout.tsx

@@ -22,6 +22,7 @@ import { TopLoader } from "@app/components/Toploader";
 import Script from "next/script";
 import { TanstackQueryProvider } from "@app/components/TanstackQueryProvider";
 import { TailwindIndicator } from "@app/components/TailwindIndicator";
+import { ViewportHeightFix } from "@app/components/ViewportHeightFix";
 
 export const metadata: Metadata = {
     title: `Dashboard - ${process.env.BRANDING_APP_NAME || "Pangolin"}`,
@@ -77,7 +78,7 @@ export default async function RootLayout({
 
     return (
         <html suppressHydrationWarning lang={locale}>
-            <body className={`${font.className} h-screen overflow-hidden`}>
+            <body className={`${font.className} h-screen-safe overflow-hidden`}>
                 <TopLoader />
                 {build === "saas" && (
                     <Script
@@ -86,6 +87,7 @@ export default async function RootLayout({
                         strategy="afterInteractive"
                     />
                 )}
+                <ViewportHeightFix />
                 <NextIntlClientProvider>
                     <ThemeProvider
                         attribute="class"

src/components/ClientDownloadBanner.tsx

@@ -66,4 +66,3 @@ export const ClientDownloadBanner = () => {
 };
 
 export default ClientDownloadBanner;
-

src/components/ClientResourcesTable.tsx

@@ -99,9 +99,7 @@ export default function ClientResourcesTable({
         siteId: number
     ) => {
         try {
-            await api
-                .delete(`/site-resource/${resourceId}`)
-                .then(() => {
+            await api.delete(`/site-resource/${resourceId}`).then(() => {
                 startTransition(() => {
                     router.refresh();
                     setIsDeleteModalOpen(false);

src/components/CreateInternalResourceDialog.tsx

@@ -87,7 +87,12 @@ const isValidPortRangeString = (val: string | undefined | null): boolean => {
                 return false;
             }
 
-            if (startPort < 1 || startPort > 65535 || endPort < 1 || endPort > 65535) {
+            if (
+                startPort < 1 ||
+                startPort > 65535 ||
+                endPort < 1 ||
+                endPort > 65535
+            ) {
                 return false;
             }
 
@@ -131,7 +136,10 @@ const getPortModeFromString = (val: string | undefined | null): PortMode => {
 };
 
 // Helper to get the port string for API from mode and custom value
-const getPortStringFromMode = (mode: PortMode, customValue: string): string | undefined => {
+const getPortStringFromMode = (
+    mode: PortMode,
+    customValue: string
+): string | undefined => {
     if (mode === "all") return "*";
     if (mode === "blocked") return "";
     return customValue;
@@ -1097,8 +1105,7 @@ export default function CreateInternalResourceDialog({
                                                             size="sm"
                                                             tags={
                                                                 form.getValues()
-                                                                    .roles ||
-                                                                []
+                                                                    .roles || []
                                                             }
                                                             setTags={(
                                                                 newRoles
@@ -1154,8 +1161,7 @@ export default function CreateInternalResourceDialog({
                                                             )}
                                                             tags={
                                                                 form.getValues()
-                                                                    .users ||
-                                                                []
+                                                                    .users || []
                                                             }
                                                             size="sm"
                                                             setTags={(
@@ -1245,9 +1251,7 @@ export default function CreateInternalResourceDialog({
                                                                 restrictTagsToAutocompleteOptions={
                                                                     true
                                                                 }
-                                                                sortTags={
-                                                                    true
-                                                                }
+                                                                sortTags={true}
                                                             />
                                                         </FormControl>
                                                         <FormMessage />

src/components/DismissableBanner.tsx

@@ -1,9 +1,10 @@
 "use client";
 
-import React, { useState, useEffect, type ReactNode } from "react";
+import React, { useState, useEffect, type ReactNode, useEffectEvent } from "react";
 import { Card, CardContent } from "@app/components/ui/card";
 import { X } from "lucide-react";
 import { useTranslations } from "next-intl";
+import { useEnvContext } from "@app/hooks/useEnvContext";
 
 type DismissableBannerProps = {
     storageKey: string;
@@ -25,6 +26,12 @@ export const DismissableBanner = ({
     const [isDismissed, setIsDismissed] = useState(true);
     const t = useTranslations();
 
+    const { env } = useEnvContext();
+
+    if (env.flags.disableProductHelpBanners) {
+        return null;
+    }
+
     useEffect(() => {
         const dismissedData = localStorage.getItem(storageKey);
         if (dismissedData) {
@@ -95,4 +102,3 @@ export const DismissableBanner = ({
 };
 
 export default DismissableBanner;
-

src/components/EditInternalResourceDialog.tsx

@@ -501,13 +501,19 @@ export default function EditInternalResourceDialog({
             // ]);
 
             await queryClient.invalidateQueries(
-                resourceQueries.siteResourceRoles({ siteResourceId: resource.id })
+                resourceQueries.siteResourceRoles({
+                    siteResourceId: resource.id
+                })
             );
             await queryClient.invalidateQueries(
-                resourceQueries.siteResourceUsers({ siteResourceId: resource.id })
+                resourceQueries.siteResourceUsers({
+                    siteResourceId: resource.id
+                })
             );
             await queryClient.invalidateQueries(
-                resourceQueries.siteResourceClients({ siteResourceId: resource.id })
+                resourceQueries.siteResourceClients({
+                    siteResourceId: resource.id
+                })
             );
 
             toast({

src/components/ExitNodesTable.tsx

@@ -330,7 +330,7 @@ export default function ExitNodesTable({
                 isRefreshing={isRefreshing}
                 columnVisibility={{
                     type: false,
-                    address: false,
+                    address: false
                 }}
                 enableColumnVisibility={true}
             />

src/components/Layout.tsx

@@ -37,7 +37,7 @@ export async function Layout({
         (sidebarStateCookie !== "expanded" && defaultSidebarCollapsed);
 
     return (
-        <div className="flex h-screen overflow-hidden">
+        <div className="flex h-screen-safe overflow-hidden">
             {/* Desktop Sidebar */}
             {showSidebar && (
                 <LayoutSidebar

src/components/LayoutMobileMenu.tsx

@@ -48,7 +48,7 @@ export function LayoutMobileMenu({
     const t = useTranslations();
 
     return (
-        <div className="shrink-0 md:hidden">
+        <div className="shrink-0 md:hidden sticky top-0 z-50">
             <div className="h-16 flex items-center px-2">
                 <div className="flex items-center gap-4">
                     {showSidebar && (
@@ -72,7 +72,7 @@ export function LayoutMobileMenu({
                                     <SheetDescription className="sr-only">
                                         {t("navbarDescription")}
                                     </SheetDescription>
-                                    <div className="flex-1 overflow-y-auto">
+                                    <div className="flex-1 overflow-y-auto relative">
                                         <div className="px-3">
                                             <OrgSelector
                                                 orgId={orgId}
@@ -83,7 +83,7 @@ export function LayoutMobileMenu({
                                         <div className="px-3">
                                             {!isAdminPage &&
                                                 user.serverAdmin && (
-                                                    <div className="pb-3">
+                                                    <div className="py-2">
                                                         <Link
                                                             href="/admin"
                                                             className={cn(
@@ -113,6 +113,7 @@ export function LayoutMobileMenu({
                                                 }
                                             />
                                         </div>
+                                        <div className="sticky bottom-0 left-0 right-0 h-8 pointer-events-none bg-gradient-to-t from-card to-transparent" />
                                     </div>
                                     <div className="px-3 pt-3 pb-3 space-y-4 border-t shrink-0">
                                         <SupporterStatus />

src/components/LayoutSidebar.tsx

@@ -116,10 +116,12 @@ export function LayoutSidebar({
                     isCollapsed={isSidebarCollapsed}
                 />
             </div>
-            <div className={cn(
+            <div
+                className={cn(
                     "w-full border-b border-border",
                     isSidebarCollapsed && "mb-2"
-            )} />
+                )}
+            />
             <div className="flex-1 overflow-y-auto relative">
                 <div className="px-2 pt-1">
                     {!isAdminPage && user.serverAdmin && (

src/components/LoginForm.tsx

@@ -120,7 +120,9 @@ export default function LoginForm({
         const focusInput = () => {
             // Try using the ref first
             if (otpContainerRef.current) {
-                const hiddenInput = otpContainerRef.current.querySelector('input') as HTMLInputElement;
+                const hiddenInput = otpContainerRef.current.querySelector(
+                    "input"
+                ) as HTMLInputElement;
                 if (hiddenInput) {
                     hiddenInput.focus();
                     return;
@@ -128,17 +130,23 @@ export default function LoginForm({
             }
 
             // Fallback: query the DOM
-            const otpContainer = document.querySelector('[data-slot="input-otp"]');
+            const otpContainer = document.querySelector(
+                '[data-slot="input-otp"]'
+            );
             if (!otpContainer) return;
 
-            const hiddenInput = otpContainer.querySelector('input') as HTMLInputElement;
+            const hiddenInput = otpContainer.querySelector(
+                "input"
+            ) as HTMLInputElement;
             if (hiddenInput) {
                 hiddenInput.focus();
                 return;
             }
 
             // Last resort: click the first slot
-            const firstSlot = otpContainer.querySelector('[data-slot="input-otp-slot"]') as HTMLElement;
+            const firstSlot = otpContainer.querySelector(
+                '[data-slot="input-otp-slot"]'
+            ) as HTMLElement;
             if (firstSlot) {
                 firstSlot.click();
             }
@@ -508,7 +516,10 @@ export default function LoginForm({
                                 render={({ field }) => (
                                     <FormItem>
                                         <FormControl>
-                                            <div ref={otpContainerRef} className="flex justify-center">
+                                            <div
+                                                ref={otpContainerRef}
+                                                className="flex justify-center"
+                                            >
                                                 <InputOTP
                                                     maxLength={6}
                                                     {...field}

src/components/MachineClientsBanner.tsx

@@ -11,9 +11,7 @@ type MachineClientsBannerProps = {
     orgId: string;
 };
 
-export const MachineClientsBanner = ({
-    orgId
-}: MachineClientsBannerProps) => {
+export const MachineClientsBanner = ({ orgId }: MachineClientsBannerProps) => {
     const t = useTranslations();
 
     return (
@@ -57,4 +55,3 @@ export const MachineClientsBanner = ({
 };
 
 export default MachineClientsBanner;
-

src/components/OrgInfoCard.tsx

@@ -39,4 +39,3 @@ export default function OrgInfoCard({}: OrgInfoCardProps) {
         </Alert>
     );
 }
-

src/components/OrgLoginPage.tsx

@@ -119,4 +119,3 @@ export default async function OrgLoginPage({
         </div>
     );
 }
-

src/components/OrgSelectionForm.tsx

@@ -95,7 +95,7 @@ export function OrgSelectionForm() {
                             <p className="text-sm text-muted-foreground">
                                 {t("orgAuthWhatsThis")}{" "}
                                 <Link
-                                    href="https://docs.pangolin.net/manage/identity-providers/add-an-idp"
+                                    href="https://docs.pangolin.net/manage/organizations/org-id"
                                     target="_blank"
                                     rel="noopener noreferrer"
                                     className="underline"

src/components/PrivateResourcesBanner.tsx

@@ -51,4 +51,3 @@ export const PrivateResourcesBanner = ({
 };
 
 export default PrivateResourcesBanner;
-

src/components/ProductUpdates.tsx

@@ -41,7 +41,10 @@ export default function ProductUpdates({
 
     const data = useQueries({
         queries: [
-            productUpdatesQueries.list(env.app.notifications.product_updates),
+            productUpdatesQueries.list(
+                env.app.notifications.product_updates,
+                env.app.version
+            ),
             productUpdatesQueries.latestVersion(
                 env.app.notifications.new_releases
             )
@@ -189,7 +192,7 @@ function ProductUpdatesListPopup({
                     <div
                         className={cn(
                             "relative z-1 cursor-pointer block group",
-                            "rounded-md border border-primary/30 bg-gradient-to-br dark:from-primary/20 from-primary/20 via-background to-background p-2 py-3 w-full flex flex-col gap-2 text-sm",
+                            "rounded-md border border-primary/30 bg-linear-to-br dark:from-primary/20 from-primary/20 via-background to-background p-2 py-3 w-full flex flex-col gap-2 text-sm",
                             "transition duration-300 ease-in-out",
                             "data-closed:opacity-0 data-closed:translate-y-full"
                         )}
@@ -343,7 +346,7 @@ function NewVersionAvailable({
                     rel="noopener noreferrer"
                     className={cn(
                         "relative z-2 group cursor-pointer block",
-                        "rounded-md border border-primary/30 bg-gradient-to-br dark:from-primary/20 from-primary/20 via-background to-background p-2 py-3 w-full flex flex-col gap-2 text-sm",
+                        "rounded-md border border-primary/30 bg-linear-to-br dark:from-primary/20 from-primary/20 via-background to-background p-2 py-3 w-full flex flex-col gap-2 text-sm",
                         "transition duration-300 ease-in-out",
                         "data-closed:opacity-0 data-closed:translate-y-full"
                     )}

src/components/ProxyResourcesBanner.tsx

@@ -20,4 +20,3 @@ export const ProxyResourcesBanner = () => {
 };
 
 export default ProxyResourcesBanner;
-

src/components/ProxyResourcesTable.tsx

@@ -198,7 +198,7 @@ export default function ProxyResourcesTable({
 
         if (!targets || targets.length === 0) {
             return (
-                <div className="flex items-center gap-2">
+                <div id="LOOK_FOR_ME" className="flex items-center gap-2">
                     <StatusIcon status="unknown" />
                     <span className="text-sm">
                         {t("resourcesTableNoTargets")}

src/components/ResourceInfoBox.tsx

@@ -32,12 +32,6 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
                 <InfoSections
                     cols={resource.http && env.flags.usePangolinDns ? 5 : 4}
                 >
-                    <InfoSection>
-                        <InfoSectionTitle>URL</InfoSectionTitle>
-                        <InfoSectionContent>
-                            <CopyToClipboard text={fullUrl} isLink={true} />
-                        </InfoSectionContent>
-                    </InfoSection>
                     <InfoSection>
                         <InfoSectionTitle>{t("identifier")}</InfoSectionTitle>
                         <InfoSectionContent>
@@ -46,6 +40,12 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
                     </InfoSection>
                     {resource.http ? (
                         <>
+                            <InfoSection>
+                                <InfoSectionTitle>URL</InfoSectionTitle>
+                                <InfoSectionContent>
+                                    <CopyToClipboard text={fullUrl} isLink={true} />
+                                </InfoSectionContent>
+                            </InfoSection>
                             <InfoSection>
                                 <InfoSectionTitle>
                                     {t("authentication")}

src/components/SetResourceHeaderAuthForm.tsx

@@ -82,11 +82,14 @@ export default function SetResourceHeaderAuthForm({
     async function onSubmit(data: SetHeaderAuthFormValues) {
         setLoading(true);
 
-        api.post<AxiosResponse<Resource>>(`/resource/${resourceId}/header-auth`, {
+        api.post<AxiosResponse<Resource>>(
+            `/resource/${resourceId}/header-auth`,
+            {
                 user: data.user,
                 password: data.password,
                 extendedCompatibility: data.extendedCompatibility
-        })
+            }
+        )
             .then(() => {
                 toast({
                     title: t("resourceHeaderAuthSetup"),
@@ -100,10 +103,10 @@ export default function SetResourceHeaderAuthForm({
             .catch((e) => {
                 toast({
                     variant: "destructive",
-                    title: t('resourceErrorHeaderAuthSetup'),
+                    title: t("resourceErrorHeaderAuthSetup"),
                     description: formatAxiosError(
                         e,
-                        t('resourceErrorHeaderAuthSetupDescription')
+                        t("resourceErrorHeaderAuthSetupDescription")
                     )
                 });
             })
@@ -180,10 +183,16 @@ export default function SetResourceHeaderAuthForm({
                                             <FormControl>
                                                 <SwitchInput
                                                     id="header-auth-compatibility-toggle"
-                                                    label={t("headerAuthCompatibility")}
-                                                    info={t('headerAuthCompatibilityInfo')}
+                                                    label={t(
+                                                        "headerAuthCompatibility"
+                                                    )}
+                                                    info={t(
+                                                        "headerAuthCompatibilityInfo"
+                                                    )}
                                                     checked={field.value}
-                                                    onCheckedChange={field.onChange}
+                                                    onCheckedChange={
+                                                        field.onChange
+                                                    }
                                                 />
                                             </FormControl>
                                             <FormMessage />

src/components/SetResourcePasswordForm.tsx

@@ -91,10 +91,10 @@ export default function SetResourcePasswordForm({
             .catch((e) => {
                 toast({
                     variant: "destructive",
-                    title: t('resourceErrorPasswordSetup'),
+                    title: t("resourceErrorPasswordSetup"),
                     description: formatAxiosError(
                         e,
-                        t('resourceErrorPasswordSetupDescription')
+                        t("resourceErrorPasswordSetupDescription")
                     )
                 });
             })

src/components/SetResourcePincodeForm.tsx

@@ -97,10 +97,10 @@ export default function SetResourcePincodeForm({
             .catch((e) => {
                 toast({
                     variant: "destructive",
-                    title: t('resourceErrorPincodeSetup'),
+                    title: t("resourceErrorPincodeSetup"),
                     description: formatAxiosError(
                         e,
-                        t('resourceErrorPincodeSetupDescription')
+                        t("resourceErrorPincodeSetupDescription")
                     )
                 });
             })

src/components/SitesBanner.tsx

@@ -37,4 +37,3 @@ export const SitesBanner = () => {
 };
 
 export default SitesBanner;
-

src/components/SwitchInput.tsx

@@ -4,7 +4,11 @@ import {Label} from "./ui/label";
 import { Button } from "@/components/ui/button";
 import { Info } from "lucide-react";
 import { info } from "winston";
-import {Popover, PopoverContent, PopoverTrigger} from "@/components/ui/popover";
+import {
+    Popover,
+    PopoverContent,
+    PopoverTrigger
+} from "@/components/ui/popover";
 
 interface SwitchComponentProps {
     id: string;
@@ -49,7 +53,8 @@ export function SwitchInput({
                     disabled={disabled}
                 />
                 {label && <Label htmlFor={id}>{label}</Label>}
-                {info && <Popover>
+                {info && (
+                    <Popover>
                         <PopoverTrigger asChild>
                             {defaultTrigger}
                         </PopoverTrigger>
@@ -60,7 +65,8 @@ export function SwitchInput({
                                 </p>
                             )}
                         </PopoverContent>
-                </Popover>}
+                    </Popover>
+                )}
             </div>
             {description && (
                 <span className="text-muted-foreground text-sm">

src/components/ViewportHeightFix.tsx

@@ -0,0 +1,79 @@
+"use client";
+
+import { useEffect } from "react";
+
+/**
+ * Fixes mobile viewport height issues when keyboard opens/closes
+ * by setting a CSS variable with a stable viewport height
+ * Only applies on mobile devices (< 768px, matching Tailwind's md breakpoint)
+ */
+export function ViewportHeightFix() {
+    useEffect(() => {
+        // Check if we're on mobile (md breakpoint is typically 768px)
+        const isMobile = () => window.innerWidth < 768;
+        
+        // On desktop, don't set --vh at all, let CSS use 100vh directly
+        if (!isMobile()) {
+            // Remove --vh if it was set, so CSS falls back to 100vh
+            document.documentElement.style.removeProperty("--vh");
+            return;
+        }
+
+        // Mobile-specific logic
+        let maxHeight = window.innerHeight;
+        let resizeTimer: NodeJS.Timeout;
+
+        // Set the viewport height as a CSS variable
+        const setViewportHeight = (height: number) => {
+            document.documentElement.style.setProperty("--vh", `${height}px`);
+        };
+
+        // Set initial value
+        setViewportHeight(maxHeight);
+
+        const handleResize = () => {
+            // If we switched to desktop, remove --vh and stop
+            if (!isMobile()) {
+                document.documentElement.style.removeProperty("--vh");
+                return;
+            }
+
+            clearTimeout(resizeTimer);
+            resizeTimer = setTimeout(() => {
+                const currentHeight = window.innerHeight;
+
+                // Track the maximum height we've seen (when keyboard is closed)
+                if (currentHeight > maxHeight) {
+                    maxHeight = currentHeight;
+                    setViewportHeight(maxHeight);
+                }
+                // If current height is close to max, update max (keyboard closed)
+                else if (currentHeight >= maxHeight * 0.9) {
+                    maxHeight = currentHeight;
+                    setViewportHeight(maxHeight);
+                }
+                // Otherwise, keep using the max height (keyboard is open)
+            }, 100);
+        };
+
+        const handleOrientationChange = () => {
+            // Reset on orientation change
+            setTimeout(() => {
+                maxHeight = window.innerHeight;
+                setViewportHeight(maxHeight);
+            }, 150);
+        };
+
+        window.addEventListener("resize", handleResize);
+        window.addEventListener("orientationchange", handleOrientationChange);
+
+        return () => {
+            window.removeEventListener("resize", handleResize);
+            window.removeEventListener("orientationchange", handleOrientationChange);
+            clearTimeout(resizeTimer);
+        };
+    }, []);
+
+    return null;
+}
+

src/components/private/AuthPageSettings.tsx

@@ -276,14 +276,15 @@ function AuthPageSettings({
         <>
             <SettingsSection>
                 <SettingsSectionHeader>
-                    <SettingsSectionTitle>{t("customDomain")}</SettingsSectionTitle>
+                    <SettingsSectionTitle>
+                        {t("customDomain")}
+                    </SettingsSectionTitle>
                     <SettingsSectionDescription>
                         {t("authPageDescription")}
                     </SettingsSectionDescription>
                 </SettingsSectionHeader>
                 <SettingsSectionBody>
                     <SettingsSectionForm>
-
                         <PaidFeaturesAlert />
 
                         <Form {...form}>

src/components/private/IdpLoginButtons.tsx

@@ -58,12 +58,7 @@ export default function IdpLoginButtons({
 
         let redirectToUrl: string | undefined;
         try {
-            console.log(
-                "generating",
-                idpId,
-                redirect || "/",
-                orgId
-            );
+            console.log("generating", idpId, redirect || "/", orgId);
             const safeRedirect = cleanRedirect(redirect || "/");
             const response = await generateOidcUrlProxy(
                 idpId,