Try to open apps

Closes #2176

.github/workflows/saas.yml

@@ -0,0 +1,125 @@
+name: CI/CD Pipeline
+
+# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
+# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
+
+permissions:
+  contents: read
+  packages: write      # for GHCR push
+  id-token: write      # for Cosign Keyless (OIDC) Signing
+
+on:
+    push:
+        tags:
+            - "[0-9]+.[0-9]+.[0-9]+-s.[0-9]+"
+
+concurrency:
+  group: ${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+    pre-run:
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v2
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Start EC2 instances
+              run: |
+                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  echo "EC2 instances started"
+
+
+    release-arm:
+        name: Build and Release (ARM64)
+        runs-on: [self-hosted, linux, arm64, us-east-1]
+        needs: [pre-run]
+        if: >-
+            ${{
+                needs.pre-run.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          AWS_IMAGE: ${{ secrets.aws_account_id }}.dkr.ecr.us-east-1.amazonaws.com/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Monitor storage space
+              run: |
+                  THRESHOLD=75
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+                  echo "Used space: $USED_SPACE%"
+                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
+                      echo y | docker system prune -a
+                  else
+                      echo "Storage space is above the threshold. No action needed."
+                  fi
+
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v2
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.aws_account_id }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Login to Amazon ECR
+              id: login-ecr
+              uses: aws-actions/amazon-ecr-login@v2
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Build and push Docker images (Docker Hub - ARM64)
+              run: |
+                  TAG=${{ env.TAG }}
+                  make build-saas tag=$TAG
+                  echo "Built & pushed ARM64 images to: ${{ env.AWS_IMAGE }}:${TAG}"
+              shell: bash
+
+    post-run:
+        needs: [pre-run, release-arm]
+        if: >-
+            ${{
+                always() &&
+                needs.pre-run.result == 'success' &&
+                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure')
+            }}
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v2
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Stop EC2 instances
+              run: |
+                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  echo "EC2 instances stopped"

:w

@@ -1,96 +0,0 @@
-import { db } from "@server/db/pg/driver";
-import { sql } from "drizzle-orm";
-import { __DIRNAME } from "@server/lib/consts";
-
-const version = "1.14.0";
-
-export default async function migration() {
-    console.log(`Running setup script ${version}...`);
-
-    try {
-        await db.execute(sql`BEGIN`);
-
-        await db.execute(sql`
-            CREATE TABLE "loginPageBranding" (
-                "loginPageBrandingId" serial PRIMARY KEY NOT NULL,
-                "logoUrl" text NOT NULL,
-                "logoWidth" integer NOT NULL,
-                "logoHeight" integer NOT NULL,
-                "primaryColor" text,
-                "resourceTitle" text NOT NULL,
-                "resourceSubtitle" text,
-                "orgTitle" text,
-                "orgSubtitle" text
-            );
-        `);
-
-        await db.execute(sql`
-            CREATE TABLE "loginPageBrandingOrg" (
-                "loginPageBrandingId" integer NOT NULL,
-                "orgId" varchar NOT NULL
-            );
-        `);
-
-        await db.execute(sql`
-            CREATE TABLE "resourceHeaderAuthExtendedCompatibility" (
-                "headerAuthExtendedCompatibilityId" serial PRIMARY KEY NOT NULL,
-                "resourceId" integer NOT NULL,
-                "extendedCompatibilityIsActivated" boolean DEFAULT false NOT NULL
-            );
-        `);
-
-        await db.execute(
-            sql`ALTER TABLE "resources" ADD COLUMN "maintenanceModeEnabled" boolean DEFAULT false NOT NULL;`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "resources" ADD COLUMN "maintenanceModeType" text DEFAULT 'forced';`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "resources" ADD COLUMN "maintenanceTitle" text;`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "resources" ADD COLUMN "maintenanceMessage" text;`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "resources" ADD COLUMN "maintenanceEstimatedTime" text;`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "siteResources" ADD COLUMN "tcpPortRangeString" varchar;`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "siteResources" ADD COLUMN "udpPortRangeString" varchar;`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "siteResources" ADD COLUMN "disableIcmp" boolean DEFAULT false NOT NULL;`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "loginPageBrandingOrg" ADD CONSTRAINT "loginPageBrandingOrg_loginPageBrandingId_loginPageBranding_loginPageBrandingId_fk" FOREIGN KEY ("loginPageBrandingId") REFERENCES "public"."loginPageBranding"("loginPageBrandingId") ON DELETE cascade ON UPDATE no action;`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "loginPageBrandingOrg" ADD CONSTRAINT "loginPageBrandingOrg_orgId_orgs_orgId_fk" FOREIGN KEY ("orgId") REFERENCES "public"."orgs"("orgId") ON DELETE cascade ON UPDATE no action;`
-        );
-
-        await db.execute(
-            sql`ALTER TABLE "resourceHeaderAuthExtendedCompatibility" ADD CONSTRAINT "resourceHeaderAuthExtendedCompatibility_resourceId_resources_resourceId_fk" FOREIGN KEY ("resourceId") REFERENCES "public"."resources"("resourceId") ON DELETE cascade ON UPDATE no action;`
-        );
-
-        await db.execute(sql`COMMIT`);
-        console.log("Migrated database");
-    } catch (e) {
-        await db.execute(sql`ROLLBACK`);
-        console.log("Unable to migrate database");
-        console.log(e);
-        throw e;
-    }
-
-    console.log(`${version} migration complete`);
-}

Makefile

@@ -67,6 +67,18 @@ build-ee-postgresql:
 		--tag fosrl/pangolin:ee-postgresql-$(tag) \
 		--push .
 
+build-saas:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
+		exit 1; \
+	fi
+	docker buildx build \
+		--build-arg BUILD=saas \
+		--build-arg DATABASE=pg \
+		--platform linux/arm64 \
+		--tag $(AWS_IMAGE):$(tag) \
+		--push .
+
 build-release-arm:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-release-arm tag=<tag>"; \

install/config/traefik/traefik_config.yml

@@ -43,9 +43,12 @@ entryPoints:
     http:
       tls:
         certResolver: "letsencrypt"
+      encodedCharacters:
+        allowEncodedSlash: true
+        allowEncodedQuestionMark: true
 
 serversTransport:
   insecureSkipVerify: true
 
 ping:
-  entryPoint: "web"
+  entryPoint: "web"

install/main.go

@@ -340,7 +340,7 @@ func collectUserInput(reader *bufio.Reader) Config {
 	// Basic configuration
 	fmt.Println("\n=== Basic Configuration ===")
 
-	config.IsEnterprise = readBoolNoDefault(reader, "Do you want to install the Enterprise version of Pangolin? The EE is free for persoal use or for businesses making less than 100k USD annually.")
+	config.IsEnterprise = readBoolNoDefault(reader, "Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")
 
 	config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "")
 

messages/bg-BG.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Конфигуриране на достъп за организация",
     "idpUpdatedDescription": "Идентификационният доставчик беше актуализиран успешно",
     "redirectUrl": "URL за пренасочване",
+    "orgIdpRedirectUrls": "URL адреси за пренасочване",
     "redirectUrlAbout": "За URL за пренасочване",
     "redirectUrlAboutDescription": "Това е URL адресът, към който потребителите ще бъдат пренасочени след удостоверяване. Трябва да конфигурирате този URL адрес в настройките на доставчика на идентичност.",
     "pangolinAuth": "Authent - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Съгласен съм с",
         "termsOfService": "условията за ползване",
         "and": "и",
-        "privacyPolicy": "политиката за поверителност"
+        "privacyPolicy": "политика за поверителност."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Дръж ме в течение с новини, актуализации и нови функции чрез имейл."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Въведете потвърждение.",
     "blueprintViewDetails": "Подробности.",
     "defaultIdentityProvider": "По подразбиране доставчик на идентичност.",
+    "defaultIdentityProviderDescription": "Когато е избран основен доставчик на идентичност, потребителят ще бъде автоматично пренасочен към доставчика за удостоверяване.",
     "editInternalResourceDialogNetworkSettings": "Мрежови настройки.",
     "editInternalResourceDialogAccessPolicy": "Политика за достъп.",
     "editInternalResourceDialogAddRoles": "Добавяне на роли.",

messages/cs-CZ.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Konfigurace přístupu pro organizaci",
     "idpUpdatedDescription": "Poskytovatel identity byl úspěšně aktualizován",
     "redirectUrl": "Přesměrovat URL",
+    "orgIdpRedirectUrls": "Přesměrovat URL",
     "redirectUrlAbout": "O přesměrování URL",
     "redirectUrlAboutDescription": "Toto je URL, na kterou budou uživatelé po ověření přesměrováni. Tuto URL je třeba nastavit v nastavení poskytovatele identity.",
     "pangolinAuth": "Auth - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Souhlasím s",
         "termsOfService": "podmínky služby",
         "and": "a",
-        "privacyPolicy": "zásady ochrany osobních údajů"
+        "privacyPolicy": "zásady ochrany osobních údajů."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Udržujte mě ve smyčce s novinkami, aktualizacemi a novými funkcemi e-mailem."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Zadejte potvrzení",
     "blueprintViewDetails": "Detaily",
     "defaultIdentityProvider": "Výchozí poskytovatel identity",
+    "defaultIdentityProviderDescription": "Pokud je vybrán výchozí poskytovatel identity, uživatel bude automaticky přesměrován na poskytovatele pro ověření.",
     "editInternalResourceDialogNetworkSettings": "Nastavení sítě",
     "editInternalResourceDialogAccessPolicy": "Přístupová politika",
     "editInternalResourceDialogAddRoles": "Přidat role",

messages/de-DE.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Zugriff für eine Organisation konfigurieren",
     "idpUpdatedDescription": "Identitätsanbieter erfolgreich aktualisiert",
     "redirectUrl": "Weiterleitungs-URL",
+    "orgIdpRedirectUrls": "Umleitungs-URLs",
     "redirectUrlAbout": "Über die Weiterleitungs-URL",
     "redirectUrlAboutDescription": "Dies ist die URL, zu der Benutzer nach der Authentifizierung umgeleitet werden. Sie müssen diese URL in den Einstellungen des Identity Providers konfigurieren.",
     "pangolinAuth": "Authentifizierung - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Ich stimme den",
         "termsOfService": "Nutzungsbedingungen zu",
         "and": "und",
-        "privacyPolicy": "Datenschutzrichtlinie"
+        "privacyPolicy": "datenschutzrichtlinie."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Halten Sie mich auf dem Laufenden mit Neuigkeiten, Updates und neuen Funktionen per E-Mail."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Bestätigung eingeben",
     "blueprintViewDetails": "Details",
     "defaultIdentityProvider": "Standard Identitätsanbieter",
+    "defaultIdentityProviderDescription": "Wenn ein Standard-Identity Provider ausgewählt ist, wird der Benutzer zur Authentifizierung automatisch an den Anbieter weitergeleitet.",
     "editInternalResourceDialogNetworkSettings": "Netzwerkeinstellungen",
     "editInternalResourceDialogAccessPolicy": "Zugriffsrichtlinie",
     "editInternalResourceDialogAddRoles": "Rollen hinzufügen",

messages/en-US.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Configure access for an organization",
     "idpUpdatedDescription": "Identity provider updated successfully",
     "redirectUrl": "Redirect URL",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "About Redirect URL",
     "redirectUrlAboutDescription": "This is the URL to which users will be redirected after authentication. You need to configure this URL in the identity provider's settings.",
     "pangolinAuth": "Auth - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "I agree to the",
         "termsOfService": "terms of service",
         "and": "and",
-        "privacyPolicy": "privacy policy"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Keep me in the loop with news, updates, and new features by email."
@@ -2243,7 +2244,7 @@
     "deviceOrganizationsAccess": "Access to all organizations your account has access to",
     "deviceAuthorize": "Authorize {applicationName}",
     "deviceConnected": "Device Connected!",
-    "deviceAuthorizedMessage": "Device is authorized to access your account.",
+    "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
     "pangolinCloud": "Pangolin Cloud",
     "viewDevices": "View Devices",
     "viewDevicesDescription": "Manage your connected devices",

messages/es-ES.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Configurar acceso para una organización",
     "idpUpdatedDescription": "Proveedor de identidad actualizado correctamente",
     "redirectUrl": "URL de redirección",
+    "orgIdpRedirectUrls": "Redirigir URL",
     "redirectUrlAbout": "Acerca de la URL de redirección",
     "redirectUrlAboutDescription": "Esta es la URL a la que los usuarios serán redireccionados después de la autenticación. Necesitas configurar esta URL en la configuración del proveedor de identidad.",
     "pangolinAuth": "Autenticación - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Estoy de acuerdo con los",
         "termsOfService": "términos del servicio",
         "and": "y",
-        "privacyPolicy": "política de privacidad"
+        "privacyPolicy": "política de privacidad."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Mantenerme en el bucle con noticias, actualizaciones y nuevas características por correo electrónico."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Ingresar confirmación",
     "blueprintViewDetails": "Detalles",
     "defaultIdentityProvider": "Proveedor de identidad predeterminado",
+    "defaultIdentityProviderDescription": "Cuando se selecciona un proveedor de identidad por defecto, el usuario será redirigido automáticamente al proveedor de autenticación.",
     "editInternalResourceDialogNetworkSettings": "Configuración de red",
     "editInternalResourceDialogAccessPolicy": "Política de acceso",
     "editInternalResourceDialogAddRoles": "Agregar roles",

messages/fr-FR.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Configurer l'accès pour une organisation",
     "idpUpdatedDescription": "Fournisseur d'identité mis à jour avec succès",
     "redirectUrl": "URL de redirection",
+    "orgIdpRedirectUrls": "URL de redirection",
     "redirectUrlAbout": "À propos de l'URL de redirection",
     "redirectUrlAboutDescription": "C'est l'URL vers laquelle les utilisateurs seront redirigés après l'authentification. Vous devez configurer cette URL dans les paramètres du fournisseur d'identité.",
     "pangolinAuth": "Auth - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Je suis d'accord avec",
         "termsOfService": "les conditions d'utilisation",
         "and": "et",
-        "privacyPolicy": "la politique de confidentialité"
+        "privacyPolicy": "politique de confidentialité."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Gardez-moi dans la boucle avec des nouvelles, des mises à jour et de nouvelles fonctionnalités par courriel."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Entrez la confirmation",
     "blueprintViewDetails": "Détails",
     "defaultIdentityProvider": "Fournisseur d'identité par défaut",
+    "defaultIdentityProviderDescription": "Lorsqu'un fournisseur d'identité par défaut est sélectionné, l'utilisateur sera automatiquement redirigé vers le fournisseur pour authentification.",
     "editInternalResourceDialogNetworkSettings": "Paramètres réseau",
     "editInternalResourceDialogAccessPolicy": "Politique d'accès",
     "editInternalResourceDialogAddRoles": "Ajouter des rôles",

messages/it-IT.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Configura l'accesso per un'organizzazione",
     "idpUpdatedDescription": "Provider di identità aggiornato con successo",
     "redirectUrl": "URL di Reindirizzamento",
+    "orgIdpRedirectUrls": "Reindirizza URL",
     "redirectUrlAbout": "Informazioni sull'URL di Reindirizzamento",
     "redirectUrlAboutDescription": "Questo è l'URL a cui gli utenti saranno reindirizzati dopo l'autenticazione. È necessario configurare questo URL nelle impostazioni del provider di identità.",
     "pangolinAuth": "Autenticazione - Pangolina",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Accetto i",
         "termsOfService": "termini di servizio",
         "and": "e",
-        "privacyPolicy": "informativa sulla privacy"
+        "privacyPolicy": "informativa sulla privacy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Tienimi in loop con notizie, aggiornamenti e nuove funzionalità via e-mail."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Inserisci conferma",
     "blueprintViewDetails": "Dettagli",
     "defaultIdentityProvider": "Provider di Identità Predefinito",
+    "defaultIdentityProviderDescription": "Quando viene selezionato un provider di identità predefinito, l'utente verrà automaticamente reindirizzato al provider per l'autenticazione.",
     "editInternalResourceDialogNetworkSettings": "Impostazioni di Rete",
     "editInternalResourceDialogAccessPolicy": "Politica di Accesso",
     "editInternalResourceDialogAddRoles": "Aggiungi Ruoli",

messages/ko-KR.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "조직에 대한 접근을 구성하십시오.",
     "idpUpdatedDescription": "아이덴티티 제공자가 성공적으로 업데이트되었습니다",
     "redirectUrl": "리디렉션 URL",
+    "orgIdpRedirectUrls": "리디렉션 URL",
     "redirectUrlAbout": "리디렉션 URL에 대한 정보",
     "redirectUrlAboutDescription": "사용자가 인증 후 리디렉션될 URL입니다. 이 URL을 신원 제공자 설정에서 구성해야 합니다.",
     "pangolinAuth": "인증 - 판골린",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "동의합니다",
         "termsOfService": "서비스 약관",
         "and": "및",
-        "privacyPolicy": "개인 정보 보호 정책"
+        "privacyPolicy": "개인 정보 보호 정책."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "이메일을 통해 소식, 업데이트 및 새로운 기능을 받아보세요."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "확인 입력",
     "blueprintViewDetails": "세부 정보",
     "defaultIdentityProvider": "기본 아이덴티티 공급자",
+    "defaultIdentityProviderDescription": "기본 ID 공급자가 선택되면, 사용자는 인증을 위해 자동으로 해당 공급자로 리디렉션됩니다.",
     "editInternalResourceDialogNetworkSettings": "네트워크 설정",
     "editInternalResourceDialogAccessPolicy": "액세스 정책",
     "editInternalResourceDialogAddRoles": "역할 추가",

messages/nb-NO.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Konfigurer tilgang for en organisasjon",
     "idpUpdatedDescription": "Identitetsleverandør vellykket oppdatert",
     "redirectUrl": "Omdirigerings-URL",
+    "orgIdpRedirectUrls": "Omadressere URL'er",
     "redirectUrlAbout": "Om omdirigerings-URL",
     "redirectUrlAboutDescription": "Dette er URLen som brukere vil bli omdirigert etter autentisering. Du må konfigurere denne URLen i identitetsleverandørens innstillinger.",
     "pangolinAuth": "Autentisering - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Jeg godtar",
         "termsOfService": "brukervilkårene",
         "and": "og",
-        "privacyPolicy": "personvernerklæringen"
+        "privacyPolicy": "retningslinjer for personvern"
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Hold meg i løken med nyheter, oppdateringer og nye funksjoner via e-post."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Skriv inn bekreftelse",
     "blueprintViewDetails": "Detaljer",
     "defaultIdentityProvider": "Standard identitetsleverandør",
+    "defaultIdentityProviderDescription": "Når en standard identitetsleverandør er valgt, vil brukeren automatisk bli omdirigert til leverandøren for autentisering.",
     "editInternalResourceDialogNetworkSettings": "Nettverksinnstillinger",
     "editInternalResourceDialogAccessPolicy": "Tilgangsregler for tilgang",
     "editInternalResourceDialogAddRoles": "Legg til roller",

messages/nl-NL.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Toegang voor een organisatie configureren",
     "idpUpdatedDescription": "Identity provider succesvol bijgewerkt",
     "redirectUrl": "Omleidings URL",
+    "orgIdpRedirectUrls": "URL's omleiden",
     "redirectUrlAbout": "Over omleidings-URL",
     "redirectUrlAboutDescription": "Dit is de URL waarnaar gebruikers worden doorverwezen na verificatie. U moet deze URL configureren in de instellingen van de identiteitsprovider.",
     "pangolinAuth": "Authenticatie - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Ik ga akkoord met de",
         "termsOfService": "servicevoorwaarden",
         "and": "en",
-        "privacyPolicy": "privacybeleid"
+        "privacyPolicy": "privacy beleid"
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Houd me op de hoogte met nieuws, updates en nieuwe functies per e-mail."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Bevestiging invoeren",
     "blueprintViewDetails": "Details",
     "defaultIdentityProvider": "Standaard Identiteitsprovider",
+    "defaultIdentityProviderDescription": "Wanneer een standaard identity provider is geselecteerd, zal de gebruiker automatisch worden doorgestuurd naar de provider voor authenticatie.",
     "editInternalResourceDialogNetworkSettings": "Netwerkinstellingen",
     "editInternalResourceDialogAccessPolicy": "Toegangsbeleid",
     "editInternalResourceDialogAddRoles": "Rollen toevoegen",

messages/pl-PL.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Skonfiguruj dostęp dla organizacji",
     "idpUpdatedDescription": "Dostawca tożsamości został pomyślnie zaktualizowany",
     "redirectUrl": "URL przekierowania",
+    "orgIdpRedirectUrls": "Przekieruj adresy URL",
     "redirectUrlAbout": "O URL przekierowania",
     "redirectUrlAboutDescription": "Jest to adres URL, na który użytkownicy zostaną przekierowani po uwierzytelnieniu. Musisz skonfigurować ten adres URL w ustawieniach dostawcy tożsamości.",
     "pangolinAuth": "Autoryzacja - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Zgadzam się z",
         "termsOfService": "warunkami usługi",
         "and": "oraz",
-        "privacyPolicy": "polityką prywatności"
+        "privacyPolicy": "polityka prywatności."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Zachowaj mnie w pętli z wiadomościami, aktualizacjami i nowymi funkcjami przez e-mail."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Wprowadź potwierdzenie",
     "blueprintViewDetails": "Szczegóły",
     "defaultIdentityProvider": "Domyślny dostawca tożsamości",
+    "defaultIdentityProviderDescription": "Gdy zostanie wybrany domyślny dostawca tożsamości, użytkownik zostanie automatycznie przekierowany do dostawcy w celu uwierzytelnienia.",
     "editInternalResourceDialogNetworkSettings": "Ustawienia sieci",
     "editInternalResourceDialogAccessPolicy": "Polityka dostępowa",
     "editInternalResourceDialogAddRoles": "Dodaj role",

messages/pt-PT.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Configurar acesso para uma organização",
     "idpUpdatedDescription": "Provedor de identidade atualizado com sucesso",
     "redirectUrl": "URL de Redirecionamento",
+    "orgIdpRedirectUrls": "Redirecionar URLs",
     "redirectUrlAbout": "Sobre o URL de Redirecionamento",
     "redirectUrlAboutDescription": "Essa é a URL para a qual os usuários serão redirecionados após a autenticação. Você precisa configurar esta URL nas configurações do provedor de identidade.",
     "pangolinAuth": "Autenticação - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Concordo com",
         "termsOfService": "os termos de serviço",
         "and": "e",
-        "privacyPolicy": "política de privacidade"
+        "privacyPolicy": "política de privacidade."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Mantenha-me à disposição com notícias, atualizações e novos recursos por e-mail."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Inserir confirmação",
     "blueprintViewDetails": "Detalhes",
     "defaultIdentityProvider": "Provedor de Identidade Padrão",
+    "defaultIdentityProviderDescription": "Quando um provedor de identidade padrão for selecionado, o usuário será automaticamente redirecionado para o provedor de autenticação.",
     "editInternalResourceDialogNetworkSettings": "Configurações de Rede",
     "editInternalResourceDialogAccessPolicy": "Política de Acesso",
     "editInternalResourceDialogAddRoles": "Adicionar Funções",

messages/ru-RU.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Настроить доступ для организации",
     "idpUpdatedDescription": "Поставщик удостоверений успешно обновлён",
     "redirectUrl": "URL редиректа",
+    "orgIdpRedirectUrls": "Перенаправление URL",
     "redirectUrlAbout": "О редиректе URL",
     "redirectUrlAboutDescription": "Это URL, на который пользователи будут перенаправлены после аутентификации. Вам нужно настроить этот URL в настройках провайдера.",
     "pangolinAuth": "Аутентификация - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Я согласен с",
         "termsOfService": "условия использования",
         "and": "и",
-        "privacyPolicy": "политика конфиденциальности"
+        "privacyPolicy": "политика конфиденциальности."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Держите меня в цикле с новостями, обновлениями и новыми функциями по электронной почте."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Введите подтверждение",
     "blueprintViewDetails": "Подробности",
     "defaultIdentityProvider": "Поставщик удостоверений по умолчанию",
+    "defaultIdentityProviderDescription": "Когда выбран поставщик идентификации по умолчанию, пользователь будет автоматически перенаправлен на провайдер для аутентификации.",
     "editInternalResourceDialogNetworkSettings": "Настройки сети",
     "editInternalResourceDialogAccessPolicy": "Политика доступа",
     "editInternalResourceDialogAddRoles": "Добавить роли",

messages/tr-TR.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Bir kuruluş için erişimi yapılandırın",
     "idpUpdatedDescription": "Kimlik sağlayıcı başarıyla güncellendi",
     "redirectUrl": "Yönlendirme URL'si",
+    "orgIdpRedirectUrls": "Yönlendirme URL'leri",
     "redirectUrlAbout": "Yönlendirme URL'si Hakkında",
     "redirectUrlAboutDescription": "Bu, kimlik doğrulamasından sonra kullanıcıların yönlendirileceği URL'dir. Bu URL'yi kimlik sağlayıcınızın ayarlarında yapılandırmanız gerekir.",
     "pangolinAuth": "Yetkilendirme - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Kabul ediyorum",
         "termsOfService": "hizmet şartları",
         "and": "ve",
-        "privacyPolicy": "gizlilik politikası"
+        "privacyPolicy": "gizlilik politikası."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Bana e-posta yoluyla haberler, güncellemeler ve yeni özellikler hakkında bilgi verin."
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Onayı girin",
     "blueprintViewDetails": "Detaylar",
     "defaultIdentityProvider": "Varsayılan Kimlik Sağlayıcı",
+    "defaultIdentityProviderDescription": "Varsayılan bir kimlik sağlayıcı seçildiğinde, kullanıcı kimlik doğrulaması için otomatik olarak sağlayıcıya yönlendirilecektir.",
     "editInternalResourceDialogNetworkSettings": "Ağ Ayarları",
     "editInternalResourceDialogAccessPolicy": "Erişim Politikası",
     "editInternalResourceDialogAddRoles": "Roller Ekle",

messages/zh-CN.json

@@ -850,6 +850,7 @@
     "orgPolicyConfig": "配置组织访问权限",
     "idpUpdatedDescription": "身份提供商更新成功",
     "redirectUrl": "重定向网址",
+    "orgIdpRedirectUrls": "重定向URL",
     "redirectUrlAbout": "关于重定向网址",
     "redirectUrlAboutDescription": "这是用户在验证后将被重定向到的URL。您需要在身份提供者的设置中配置此URL。",
     "pangolinAuth": "认证 - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "我同意",
         "termsOfService": "服务条款",
         "and": "和",
-        "privacyPolicy": "隐私政策"
+        "privacyPolicy": "隐私政策。"
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "通过电子邮件让我在循环中保持新闻、更新和新功能。"
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "输入确认",
     "blueprintViewDetails": "详细信息",
     "defaultIdentityProvider": "默认身份提供商",
+    "defaultIdentityProviderDescription": "当选择默认身份提供商时，用户将自动重定向到提供商进行身份验证。",
     "editInternalResourceDialogNetworkSettings": "网络设置",
     "editInternalResourceDialogAccessPolicy": "访问策略",
     "editInternalResourceDialogAddRoles": "添加角色",

server/lib/blueprints/types.ts

@@ -111,32 +111,30 @@ export const RuleSchema = z
     .refine(
         (rule) => {
             if (rule.match === "country") {
-                // Check if it's a valid 2-letter country code
+                // Check if it's a valid 2-letter country code or "ALL"
-                return /^[A-Z]{2}$/.test(rule.value);
+                return /^[A-Z]{2}$/.test(rule.value) || rule.value === "ALL";
             }
             return true;
         },
         {
             path: ["value"],
             message:
-                "Value must be a 2-letter country code when match is 'country'"
+                "Value must be a 2-letter country code or 'ALL' when match is 'country'"
         }
     )
     .refine(
         (rule) => {
             if (rule.match === "asn") {
-                // Check if it's either AS<number> format or just a number
+                // Check if it's either AS<number> format or "ALL"
                 const asNumberPattern = /^AS\d+$/i;
-                const isASFormat = asNumberPattern.test(rule.value);
+                return asNumberPattern.test(rule.value) || rule.value === "ALL";
-                const isNumeric = /^\d+$/.test(rule.value);
-                return isASFormat || isNumeric;
             }
             return true;
         },
         {
             path: ["value"],
             message:
-                "Value must be either 'AS<number>' format or a number when match is 'asn'"
+                "Value must be 'AS<number>' format or 'ALL' when match is 'asn'"
         }
     );
 

server/lib/config.ts

@@ -84,6 +84,10 @@ export class Config {
             ?.disable_basic_wireguard_sites
             ? "true"
             : "false";
+        process.env.FLAGS_DISABLE_PRODUCT_HELP_BANNERS = parsedConfig.flags
+            ?.disable_product_help_banners
+            ? "true"
+            : "false";
 
         process.env.PRODUCT_UPDATES_NOTIFICATION_ENABLED = parsedConfig.app
             .notifications.product_updates

server/lib/ip.ts

@@ -4,6 +4,7 @@ import { and, eq, isNotNull } from "drizzle-orm";
 import config from "@server/lib/config";
 import z from "zod";
 import logger from "@server/logger";
+import semver from "semver";
 
 interface IPRange {
     start: bigint;
@@ -683,3 +684,35 @@ export function parsePortRangeString(
 
     return result;
 }
+
+export function stripPortFromHost(ip: string, badgerVersion?: string): string {
+    const isNewerBadger =
+        badgerVersion &&
+        semver.valid(badgerVersion) &&
+        semver.gte(badgerVersion, "1.3.1");
+
+    if (isNewerBadger) {
+        return ip;
+    }
+
+    if (ip.startsWith("[") && ip.includes("]")) {
+        // if brackets are found, extract the IPv6 address from between the brackets
+        const ipv6Match = ip.match(/\[(.*?)\]/);
+        if (ipv6Match) {
+            return ipv6Match[1];
+        }
+    }
+
+    // Check if it looks like IPv4 (contains dots and matches IPv4 pattern)
+    // IPv4 format: x.x.x.x where x is 0-255
+    const ipv4Pattern = /^(\d{1,3}\.){3}\d{1,3}/;
+    if (ipv4Pattern.test(ip)) {
+        const lastColonIndex = ip.lastIndexOf(":");
+        if (lastColonIndex !== -1) {
+            return ip.substring(0, lastColonIndex);
+        }
+    }
+
+    // Return as is
+    return ip;
+}

server/lib/readConfigFile.ts

@@ -330,7 +330,8 @@ export const configSchema = z
                 enable_integration_api: z.boolean().optional(),
                 disable_local_sites: z.boolean().optional(),
                 disable_basic_wireguard_sites: z.boolean().optional(),
-                disable_config_managed_domains: z.boolean().optional()
+                disable_config_managed_domains: z.boolean().optional(),
+                disable_product_help_banners: z.boolean().optional()
             })
             .optional(),
         dns: z

server/lib/traefik/getTraefikConfig.ts

@@ -41,9 +41,10 @@ type TargetWithSite = Target & {
 export async function getTraefikConfig(
     exitNodeId: number,
     siteTypes: string[],
-    filterOutNamespaceDomains = false,
+    filterOutNamespaceDomains = false, // UNUSED BUT USED IN PRIVATE
-    generateLoginPageRouters = false,
+    generateLoginPageRouters = false, // UNUSED BUT USED IN PRIVATE
-    allowRawResources = true
+    allowRawResources = true,
+    allowMaintenancePage = true, // UNUSED BUT USED IN PRIVATE
 ): Promise<any> {
     // Get resources with their targets and sites in a single optimized query
     // Start from sites on this exit node, then join to targets and resources

server/private/lib/logAccessAudit.ts

@@ -17,6 +17,7 @@ import logger from "@server/logger";
 import { and, eq, lt } from "drizzle-orm";
 import cache from "@server/lib/cache";
 import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
+import { stripPortFromHost } from "@server/lib/ip";
 
 async function getAccessDays(orgId: string): Promise<number> {
     // check cache first
@@ -116,19 +117,7 @@ export async function logAccessAudit(data: {
         }
 
         const clientIp = data.requestIp
-            ? (() => {
+            ? stripPortFromHost(data.requestIp)
-                  if (
-                      data.requestIp.startsWith("[") &&
-                      data.requestIp.includes("]")
-                  ) {
-                      // if brackets are found, extract the IPv6 address from between the brackets
-                      const ipv6Match = data.requestIp.match(/\[(.*?)\]/);
-                      if (ipv6Match) {
-                          return ipv6Match[1];
-                      }
-                  }
-                  return data.requestIp;
-              })()
             : undefined;
 
         const countryCode = data.requestIp

server/private/lib/traefik/getTraefikConfig.ts

@@ -358,18 +358,6 @@ export async function getTraefikConfig(
                 }
             }
 
-            if (resource.ssl) {
-                config_output.http.routers![routerName + "-redirect"] = {
-                    entryPoints: [
-                        config.getRawConfig().traefik.http_entrypoint
-                    ],
-                    middlewares: [redirectHttpsMiddlewareName],
-                    service: serviceName,
-                    rule: rule,
-                    priority: priority
-                };
-            }
-
             let tls = {};
             if (!privateConfig.getRawPrivateConfig().flags.use_pangolin_dns) {
                 const domainParts = fullDomain.split(".");
@@ -435,6 +423,18 @@ export async function getTraefikConfig(
                 }
             }
 
+            if (resource.ssl) {
+                config_output.http.routers![routerName + "-redirect"] = {
+                    entryPoints: [
+                        config.getRawConfig().traefik.http_entrypoint
+                    ],
+                    middlewares: [redirectHttpsMiddlewareName],
+                    service: serviceName,
+                    rule: rule,
+                    priority: priority
+                };
+            }
+
             const availableServers = targets.filter((target) => {
                 if (!target.enabled) return false;
 
@@ -456,15 +456,15 @@ export async function getTraefikConfig(
                     // );
                 } else if (resource.maintenanceModeType === "automatic") {
                     showMaintenancePage = !hasHealthyServers;
-                    if (showMaintenancePage) {
+                    // if (showMaintenancePage) {
-                        logger.warn(
+                    //     logger.warn(
-                            `Resource ${resource.name} (${fullDomain}) has no healthy servers - showing maintenance page (AUTOMATIC mode)`
+                    //         `Resource ${resource.name} (${fullDomain}) has no healthy servers - showing maintenance page (AUTOMATIC mode)`
-                        );
+                    //     );
-                    }
+                    // }
                 }
             }
 
-            if (showMaintenancePage) {
+            if (showMaintenancePage && allowMaintenancePage) {
                 const maintenanceServiceName = `${key}-maintenance-service`;
                 const maintenanceRouterName = `${key}-maintenance-router`;
                 const rewriteMiddlewareName = `${key}-maintenance-rewrite`;

server/private/middlewares/verifySubscription.ts

@@ -27,7 +27,18 @@ export async function verifyValidSubscription(
             return next();
         }
 
-        const tier = await getOrgTierData(req.params.orgId);
+        const orgId = req.params.orgId || req.body.orgId || req.query.orgId || req.userOrgId;
+
+        if (!orgId) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Organization ID is required to verify subscription"
+                )
+            );
+        }
+
+        const tier = await getOrgTierData(orgId);
 
         if (!tier.active) {
             return next(

server/private/routers/external.ts

@@ -436,18 +436,18 @@ authenticated.get(
 
 authenticated.post(
     "/re-key/:clientId/regenerate-client-secret",
+    verifyClientAccess, // this is first to set the org id
     verifyValidLicense,
     verifyValidSubscription,
-    verifyClientAccess,
     verifyUserHasAction(ActionsEnum.reGenerateSecret),
     reKey.reGenerateClientSecret
 );
 
 authenticated.post(
     "/re-key/:siteId/regenerate-site-secret",
+    verifySiteAccess, // this is first to set the org id
     verifyValidLicense,
     verifyValidSubscription,
-    verifySiteAccess,
     verifyUserHasAction(ActionsEnum.reGenerateSecret),
     reKey.reGenerateSiteSecret
 );

server/private/routers/hybrid.ts

@@ -247,7 +247,8 @@ hybridRouter.get(
                 ["newt", "local", "wireguard"], // Allow them to use all the site types
                 true, // But don't allow domain namespace resources
                 false, // Dont include login pages,
-                true // allow raw resources
+                true, // allow raw resources
+                false // dont generate maintenance page
             );
 
             return response(res, {
@@ -617,6 +618,16 @@ hybridRouter.get(
                 )
                 .limit(1);
 
+            if (!result) {
+                return response<LoginPage | null>(res, {
+                    data: null,
+                    success: true,
+                    error: false,
+                    message: "Login page not found",
+                    status: HttpCode.OK
+                });
+            }
+
             if (
                 await checkExitNodeOrg(
                     remoteExitNode.exitNodeId,
@@ -632,16 +643,6 @@ hybridRouter.get(
                 );
             }
 
-            if (!result) {
-                return response<LoginPage | null>(res, {
-                    data: null,
-                    success: true,
-                    error: false,
-                    message: "Login page not found",
-                    status: HttpCode.OK
-                });
-            }
-
             return response<LoginPage>(res, {
                 data: result.loginPage,
                 success: true,

server/private/routers/loginPage/loadLoginPage.ts

@@ -40,6 +40,11 @@ async function query(orgId: string | undefined, fullDomain: string) {
                 eq(loginPage.loginPageId, loginPageOrg.loginPageId)
             )
             .limit(1);
+
+        if (!res) {
+            return null;
+        }
+
         return {
             ...res.loginPage,
             orgId: res.loginPageOrg.orgId
@@ -65,6 +70,11 @@ async function query(orgId: string | undefined, fullDomain: string) {
             )
         )
         .limit(1);
+
+    if (!res) {
+        return null;
+    }
+
     return {
         ...res,
         orgId: orgLink.orgId

server/private/routers/loginPage/loadLoginPageBranding.ts

@@ -48,6 +48,11 @@ async function query(orgId: string) {
             )
         )
         .limit(1);
+
+    if (!res) {
+        return null;
+    }
+
     return {
         ...res,
         orgId: orgLink.orgs.orgId,

server/routers/auth/pollDeviceWebAuth.ts

@@ -10,6 +10,7 @@ import { eq, and, gt } from "drizzle-orm";
 import { createSession, generateSessionToken } from "@server/auth/sessions/app";
 import { encodeHexLowerCase } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
+import { stripPortFromHost } from "@server/lib/ip";
 
 const paramsSchema = z.object({
     code: z.string().min(1, "Code is required")
@@ -27,30 +28,6 @@ export type PollDeviceWebAuthResponse = {
     token?: string;
 };
 
-// Helper function to extract IP from request (same as in startDeviceWebAuth)
-function extractIpFromRequest(req: Request): string | undefined {
-    const ip = req.ip || req.socket.remoteAddress;
-    if (!ip) {
-        return undefined;
-    }
-
-    // Handle IPv6 format [::1] or IPv4 format
-    if (ip.startsWith("[") && ip.includes("]")) {
-        const ipv6Match = ip.match(/\[(.*?)\]/);
-        if (ipv6Match) {
-            return ipv6Match[1];
-        }
-    }
-
-    // Handle IPv4 with port (split at last colon)
-    const lastColonIndex = ip.lastIndexOf(":");
-    if (lastColonIndex !== -1) {
-        return ip.substring(0, lastColonIndex);
-    }
-
-    return ip;
-}
-
 export async function pollDeviceWebAuth(
     req: Request,
     res: Response,
@@ -70,7 +47,7 @@ export async function pollDeviceWebAuth(
     try {
         const { code } = parsedParams.data;
         const now = Date.now();
-        const requestIp = extractIpFromRequest(req);
+        const requestIp = req.ip ? stripPortFromHost(req.ip) : undefined;
 
         // Hash the code before querying
         const hashedCode = hashDeviceCode(code);

server/routers/auth/startDeviceWebAuth.ts

@@ -12,6 +12,7 @@ import { TimeSpan } from "oslo";
 import { maxmindLookup } from "@server/db/maxmind";
 import { encodeHexLowerCase } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
+import { stripPortFromHost } from "@server/lib/ip";
 
 const bodySchema = z
     .object({
@@ -39,30 +40,6 @@ function hashDeviceCode(code: string): string {
     return encodeHexLowerCase(sha256(new TextEncoder().encode(code)));
 }
 
-// Helper function to extract IP from request
-function extractIpFromRequest(req: Request): string | undefined {
-    const ip = req.ip;
-    if (!ip) {
-        return undefined;
-    }
-
-    // Handle IPv6 format [::1] or IPv4 format
-    if (ip.startsWith("[") && ip.includes("]")) {
-        const ipv6Match = ip.match(/\[(.*?)\]/);
-        if (ipv6Match) {
-            return ipv6Match[1];
-        }
-    }
-
-    // Handle IPv4 with port (split at last colon)
-    const lastColonIndex = ip.lastIndexOf(":");
-    if (lastColonIndex !== -1) {
-        return ip.substring(0, lastColonIndex);
-    }
-
-    return ip;
-}
-
 // Helper function to get city from IP (if available)
 async function getCityFromIp(ip: string): Promise<string | undefined> {
     try {
@@ -112,7 +89,7 @@ export async function startDeviceWebAuth(
         const hashedCode = hashDeviceCode(code);
 
         // Extract IP from request
-        const ip = extractIpFromRequest(req);
+        const ip = req.ip ? stripPortFromHost(req.ip) : undefined;
 
         // Get city (optional, may return undefined)
         const city = ip ? await getCityFromIp(ip) : undefined;

server/routers/badger/exchangeSession.ts

@@ -19,6 +19,7 @@ import {
 import { SESSION_COOKIE_EXPIRES as RESOURCE_SESSION_COOKIE_EXPIRES } from "@server/auth/sessions/resource";
 import config from "@server/lib/config";
 import { response } from "@server/lib/response";
+import { stripPortFromHost } from "@server/lib/ip";
 
 const exchangeSessionBodySchema = z.object({
     requestToken: z.string(),
@@ -62,26 +63,7 @@ export async function exchangeSession(
             cleanHost = cleanHost.slice(0, -1 * matched.length);
         }
 
-        const clientIp = requestIp
+        const clientIp = requestIp ? stripPortFromHost(requestIp) : undefined;
-            ? (() => {
-                  if (requestIp.startsWith("[") && requestIp.includes("]")) {
-                      const ipv6Match = requestIp.match(/\[(.*?)\]/);
-                      if (ipv6Match) {
-                          return ipv6Match[1];
-                      }
-                  }
-
-                  const ipv4Pattern = /^(\d{1,3}\.){3}\d{1,3}/;
-                  if (ipv4Pattern.test(requestIp)) {
-                      const lastColonIndex = requestIp.lastIndexOf(":");
-                      if (lastColonIndex !== -1) {
-                          return requestIp.substring(0, lastColonIndex);
-                      }
-                  }
-
-                  return requestIp;
-              })()
-            : undefined;
 
         const [resource] = await db
             .select()

server/routers/badger/logRequestAudit.ts

@@ -3,6 +3,7 @@ import logger from "@server/logger";
 import { and, eq, lt } from "drizzle-orm";
 import cache from "@server/lib/cache";
 import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
+import { stripPortFromHost } from "@server/lib/ip";
 
 /**
 
@@ -208,26 +209,7 @@ export async function logRequestAudit(
         }
 
         const clientIp = body.requestIp
-            ? (() => {
+            ? stripPortFromHost(body.requestIp)
-                  if (
-                      body.requestIp.startsWith("[") &&
-                      body.requestIp.includes("]")
-                  ) {
-                      // if brackets are found, extract the IPv6 address from between the brackets
-                      const ipv6Match = body.requestIp.match(/\[(.*?)\]/);
-                      if (ipv6Match) {
-                          return ipv6Match[1];
-                      }
-                  }
-
-                  // ivp4
-                  // split at last colon
-                  const lastColonIndex = body.requestIp.lastIndexOf(":");
-                  if (lastColonIndex !== -1) {
-                      return body.requestIp.substring(0, lastColonIndex);
-                  }
-                  return body.requestIp;
-              })()
             : undefined;
 
         // Add to buffer instead of writing directly to DB

server/routers/badger/verifySession.ts

@@ -21,7 +21,7 @@ import {
     resourceSessions
 } from "@server/db";
 import config from "@server/lib/config";
-import { isIpInCidr } from "@server/lib/ip";
+import { isIpInCidr, stripPortFromHost } from "@server/lib/ip";
 import { response } from "@server/lib/response";
 import logger from "@server/logger";
 import HttpCode from "@server/types/HttpCode";
@@ -110,37 +110,7 @@ export async function verifyResourceSession(
         const clientHeaderAuth = extractBasicAuth(headers);
 
         const clientIp = requestIp
-            ? (() => {
+            ? stripPortFromHost(requestIp, badgerVersion)
-                  const isNewerBadger =
-                      badgerVersion &&
-                      semver.valid(badgerVersion) &&
-                      semver.gte(badgerVersion, "1.3.1");
-
-                  if (isNewerBadger) {
-                      return requestIp;
-                  }
-
-                  if (requestIp.startsWith("[") && requestIp.includes("]")) {
-                      // if brackets are found, extract the IPv6 address from between the brackets
-                      const ipv6Match = requestIp.match(/\[(.*?)\]/);
-                      if (ipv6Match) {
-                          return ipv6Match[1];
-                      }
-                  }
-
-                  // Check if it looks like IPv4 (contains dots and matches IPv4 pattern)
-                  // IPv4 format: x.x.x.x where x is 0-255
-                  const ipv4Pattern = /^(\d{1,3}\.){3}\d{1,3}/;
-                  if (ipv4Pattern.test(requestIp)) {
-                      const lastColonIndex = requestIp.lastIndexOf(":");
-                      if (lastColonIndex !== -1) {
-                          return requestIp.substring(0, lastColonIndex);
-                      }
-                  }
-
-                  // Return as is
-                  return requestIp;
-              })()
             : undefined;
 
         logger.debug("Client IP:", { clientIp });

server/routers/client/getClient.ts

@@ -36,7 +36,7 @@ async function query(clientId?: number, niceId?: string, orgId?: string) {
             .select()
             .from(clients)
             .where(and(eq(clients.niceId, niceId), eq(clients.orgId, orgId)))
-            .leftJoin(olms, eq(olms.clientId, olms.clientId))
+            .leftJoin(olms, eq(clients.clientId, olms.clientId))
             .limit(1);
         return res;
     }

server/routers/newt/handleReceiveBandwidthMessage.ts

@@ -1,7 +1,7 @@
 import { db } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
-import { clients, Newt } from "@server/db";
+import { clients } from "@server/db";
-import { eq } from "drizzle-orm";
+import { eq, sql } from "drizzle-orm";
 import logger from "@server/logger";
 
 interface PeerBandwidth {
@@ -10,13 +10,57 @@ interface PeerBandwidth {
     bytesOut: number;
 }
 
+// Retry configuration for deadlock handling
+const MAX_RETRIES = 3;
+const BASE_DELAY_MS = 50;
+
+/**
+ * Check if an error is a deadlock error
+ */
+function isDeadlockError(error: any): boolean {
+    return (
+        error?.code === "40P01" ||
+        error?.cause?.code === "40P01" ||
+        (error?.message && error.message.includes("deadlock"))
+    );
+}
+
+/**
+ * Execute a function with retry logic for deadlock handling
+ */
+async function withDeadlockRetry<T>(
+    operation: () => Promise<T>,
+    context: string
+): Promise<T> {
+    let attempt = 0;
+    while (true) {
+        try {
+            return await operation();
+        } catch (error: any) {
+            if (isDeadlockError(error) && attempt < MAX_RETRIES) {
+                attempt++;
+                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
+                const jitter = Math.random() * baseDelay;
+                const delay = baseDelay + jitter;
+                logger.warn(
+                    `Deadlock detected in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
+                );
+                await new Promise((resolve) => setTimeout(resolve, delay));
+                continue;
+            }
+            throw error;
+        }
+    }
+}
+
 export const handleReceiveBandwidthMessage: MessageHandler = async (
     context
 ) => {
-    const { message, client, sendToClient } = context;
+    const { message } = context;
 
     if (!message.data.bandwidthData) {
         logger.warn("No bandwidth data provided");
+        return;
     }
 
     const bandwidthData: PeerBandwidth[] = message.data.bandwidthData;
@@ -25,30 +69,40 @@ export const handleReceiveBandwidthMessage: MessageHandler = async (
         throw new Error("Invalid bandwidth data");
     }
 
-    await db.transaction(async (trx) => {
+    // Sort bandwidth data by publicKey to ensure consistent lock ordering across all instances
-        for (const peer of bandwidthData) {
+    // This is critical for preventing deadlocks when multiple instances update the same clients
-            const { publicKey, bytesIn, bytesOut } = peer;
+    const sortedBandwidthData = [...bandwidthData].sort((a, b) =>
+        a.publicKey.localeCompare(b.publicKey)
+    );
 
-            // Find the client by public key
+    const currentTime = new Date().toISOString();
-            const [client] = await trx
-                .select()
-                .from(clients)
-                .where(eq(clients.pubKey, publicKey))
-                .limit(1);
 
-            if (!client) {
+    // Update each client individually with retry logic
-                continue;
+    // This reduces transaction scope and allows retries per-client
-            }
+    for (const peer of sortedBandwidthData) {
+        const { publicKey, bytesIn, bytesOut } = peer;
 
-            // Update the client's bandwidth usage
+        try {
-            await trx
+            await withDeadlockRetry(async () => {
-                .update(clients)
+                // Use atomic SQL increment to avoid SELECT then UPDATE pattern
-                .set({
+                // This eliminates the need to read the current value first
-                    megabytesOut: (client.megabytesIn || 0) + bytesIn,
+                await db
-                    megabytesIn: (client.megabytesOut || 0) + bytesOut,
+                    .update(clients)
-                    lastBandwidthUpdate: new Date().toISOString()
+                    .set({
-                })
+                        // Note: bytesIn from peer goes to megabytesOut (data sent to client)
-                .where(eq(clients.clientId, client.clientId));
+                        // and bytesOut from peer goes to megabytesIn (data received from client)
+                        megabytesOut: sql`COALESCE(${clients.megabytesOut}, 0) + ${bytesIn}`,
+                        megabytesIn: sql`COALESCE(${clients.megabytesIn}, 0) + ${bytesOut}`,
+                        lastBandwidthUpdate: currentTime
+                    })
+                    .where(eq(clients.pubKey, publicKey));
+            }, `update client bandwidth ${publicKey}`);
+        } catch (error) {
+            logger.error(
+                `Failed to update bandwidth for client ${publicKey}:`,
+                error
+            );
+            // Continue with other clients even if one fails
         }
-    });
+    }
 };

src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx

@@ -62,6 +62,7 @@ export default function GeneralPage() {
     const [variant, setVariant] = useState<"oidc" | "google" | "azure">("oidc");
     const { isUnlocked } = useLicenseStatusContext();
 
+    const dashboardRedirectUrl = `${env.app.dashboardUrl}/auth/idp/${idpId}/oidc/callback`;
     const [redirectUrl, setRedirectUrl] = useState(
         `${env.app.dashboardUrl}/auth/idp/${idpId}/oidc/callback`
     );
@@ -423,11 +424,18 @@ export default function GeneralPage() {
                         <InfoSections cols={3}>
                             <InfoSection>
                                 <InfoSectionTitle>
-                                    {t("redirectUrl")}
+                                    {t("orgIdpRedirectUrls")}
                                 </InfoSectionTitle>
                                 <InfoSectionContent>
                                     <CopyToClipboard text={redirectUrl} />
                                 </InfoSectionContent>
+                                {redirectUrl !== dashboardRedirectUrl && (
+                                    <InfoSectionContent>
+                                        <CopyToClipboard
+                                            text={dashboardRedirectUrl}
+                                        />
+                                    </InfoSectionContent>
+                                )}
                             </InfoSection>
                         </InfoSections>
 

src/app/[orgId]/settings/(private)/idp/create/page.tsx

@@ -285,7 +285,7 @@ export default function Page() {
                 <Button
                     variant="outline"
                     onClick={() => {
-                        router.push("/admin/idp");
+                        router.push(`/${params.orgId}/settings/idp`);
                     }}
                 >
                     {t("idpSeeAll")}

src/app/[orgId]/settings/(private)/idp/page.tsx

@@ -1,17 +1,10 @@
-import { internal, priv } from "@app/lib/api";
+import { internal } from "@app/lib/api";
 import { authCookieHeader } from "@app/lib/api/cookies";
 import { AxiosResponse } from "axios";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import IdpTable, { IdpRow } from "@app/components/private/OrgIdpTable";
 import { getTranslations } from "next-intl/server";
-import { Alert, AlertDescription } from "@app/components/ui/alert";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
-import { cache } from "react";
-import {
-    GetOrgSubscriptionResponse,
-    GetOrgTierResponse
-} from "@server/routers/billing/types";
-import { TierId } from "@server/lib/billing/tiers";
-import { build } from "@server/build";
 
 type OrgIdpPageProps = {
     params: Promise<{ orgId: string }>;
@@ -35,21 +28,6 @@ export default async function OrgIdpPage(props: OrgIdpPageProps) {
 
     const t = await getTranslations();
 
-    let subscriptionStatus: GetOrgTierResponse | null = null;
-    try {
-        const getSubscription = cache(() =>
-            priv.get<AxiosResponse<GetOrgTierResponse>>(
-                `/org/${params.orgId}/billing/tier`
-            )
-        );
-        const subRes = await getSubscription();
-        subscriptionStatus = subRes.data.data;
-    } catch {}
-    const subscribed =
-        build === "enterprise"
-            ? true
-            : subscriptionStatus?.tier === TierId.STANDARD;
-
     return (
         <>
             <SettingsSectionTitle
@@ -57,13 +35,7 @@ export default async function OrgIdpPage(props: OrgIdpPageProps) {
                 description={t("idpManageDescription")}
             />
 
-            {build === "saas" && !subscribed ? (
+            <PaidFeaturesAlert />
-                <Alert variant="info" className="mb-6">
-                    <AlertDescription>
-                        {t("idpDisabled")} {t("subscriptionRequiredToUse")}
-                    </AlertDescription>
-                </Alert>
-            ) : null}
 
             <IdpTable idps={idps} orgId={params.orgId} />
         </>

src/app/[orgId]/settings/resources/proxy/[niceId]/general/page.tsx

@@ -164,6 +164,10 @@ function MaintenanceSectionForm({
         return isEnterpriseNotLicensed || isSaasNotSubscribed;
     };
 
+    if (!resource.http) {
+        return null;
+    }
+
     return (
         <SettingsSection>
             <SettingsSectionHeader>
@@ -189,7 +193,7 @@ function MaintenanceSectionForm({
                                 name="maintenanceModeEnabled"
                                 render={({ field }) => {
                                     const isDisabled =
-                                        isSecurityFeatureDisabled();
+                                        isSecurityFeatureDisabled() || resource.http === false;
 
                                     return (
                                         <FormItem>
@@ -437,9 +441,16 @@ export default function GeneralForm() {
     );
 
     const resourceFullDomainName = useMemo(() => {
-        const url = new URL(resourceFullDomain);
+        if (!resource.fullDomain) {
-        return url.hostname;
+            return "";
-    }, [resourceFullDomain]);
+        }
+        try {
+            const url = new URL(resourceFullDomain);
+            return url.hostname;
+        } catch {
+            return "";
+        }
+    }, [resourceFullDomain, resource.fullDomain]);
 
     const [selectedDomain, setSelectedDomain] = useState<{
         domainId: string;

src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx

@@ -338,7 +338,7 @@ function ProxyResourceTargetsForm({
                                 <div
                                     className={`flex items-center gap-2 ${status === "healthy" ? "text-green-500" : status === "unhealthy" ? "text-destructive" : ""}`}
                                 >
-                                    <Settings className="h-3 w-3" />
+                                    <Settings className="h-4 w-4 text-foreground" />
                                     {getStatusText(status)}
                                 </div>
                             </Button>

src/app/auth/login/device/success/page.tsx

@@ -7,6 +7,7 @@ import { useLicenseStatusContext } from "@app/hooks/useLicenseStatusContext";
 import { CheckCircle2 } from "lucide-react";
 import { useTranslations } from "next-intl";
 import Link from "next/link";
+import { useEffect } from "react";
 
 export default function DeviceAuthSuccessPage() {
     const { env } = useEnvContext();
@@ -20,6 +21,29 @@ export default function DeviceAuthSuccessPage() {
         ? env.branding.logo?.authPage?.height || 58
         : 58;
 
+    useEffect(() => {
+        // Detect if we're on iOS or Android
+        const userAgent = navigator.userAgent || navigator.vendor || (window as any).opera;
+        const isIOS = /iPad|iPhone|iPod/.test(userAgent) && !(window as any).MSStream;
+        const isAndroid = /android/i.test(userAgent);
+
+        if (isIOS || isAndroid) {
+            // Wait 500ms then attempt to open the app
+            setTimeout(() => {
+                // Try to open the app using deep link
+                window.location.href = "pangolin://";
+
+                setTimeout(() => {
+                    if (isIOS) {
+                        window.location.href = "https://apps.apple.com/app/pangolin/net.pangolin.Pangolin.PangoliniOS";
+                    } else if (isAndroid) {
+                        window.location.href = "https://play.google.com/store/apps/details?id=net.pangolin.Pangolin";
+                    }
+                }, 2000);
+            }, 500);
+        }
+    }, []);
+
     return (
         <>
             <Card>

src/app/globals.css

@@ -162,3 +162,32 @@ p {
 #nprogress .bar {
     background: var(--color-primary) !important;
 }
+
+@keyframes dot-pulse {
+    0%, 80%, 100% {
+        opacity: 0.3;
+        transform: scale(0.8);
+    }
+    40% {
+        opacity: 1;
+        transform: scale(1);
+    }
+}
+
+@layer utilities {
+    .animate-dot-pulse {
+        animation: dot-pulse 1.4s ease-in-out infinite;
+    }
+
+    /* Use JavaScript-set viewport height for mobile to handle keyboard properly */
+    .h-screen-safe {
+        height: 100vh; /* Default for desktop and fallback */
+    }
+
+    /* Only apply custom viewport height on mobile */
+    @media (max-width: 767px) {
+        .h-screen-safe {
+            height: var(--vh, 100vh); /* Use CSS variable set by ViewportHeightFix on mobile */
+        }
+    }
+}

src/app/layout.tsx

@@ -22,6 +22,7 @@ import { TopLoader } from "@app/components/Toploader";
 import Script from "next/script";
 import { TanstackQueryProvider } from "@app/components/TanstackQueryProvider";
 import { TailwindIndicator } from "@app/components/TailwindIndicator";
+import { ViewportHeightFix } from "@app/components/ViewportHeightFix";
 
 export const metadata: Metadata = {
     title: `Dashboard - ${process.env.BRANDING_APP_NAME || "Pangolin"}`,
@@ -77,7 +78,7 @@ export default async function RootLayout({
 
     return (
         <html suppressHydrationWarning lang={locale}>
-            <body className={`${font.className} h-screen overflow-hidden`}>
+            <body className={`${font.className} h-screen-safe overflow-hidden`}>
                 <TopLoader />
                 {build === "saas" && (
                     <Script
@@ -86,6 +87,7 @@ export default async function RootLayout({
                         strategy="afterInteractive"
                     />
                 )}
+                <ViewportHeightFix />
                 <NextIntlClientProvider>
                     <ThemeProvider
                         attribute="class"

src/components/ConfirmDeleteDialog.tsx

@@ -63,6 +63,8 @@ export default function ConfirmDeleteDialog({
         }
     });
 
+    const isConfirmed = form.watch("string") === string;
+
     async function onSubmit() {
         try {
             await onConfirm();
@@ -139,7 +141,8 @@ export default function ConfirmDeleteDialog({
                             type="submit"
                             form="confirm-delete-form"
                             loading={loading}
-                            disabled={loading}
+                            disabled={loading || !isConfirmed}
+                            className={!isConfirmed && !loading ? "opacity-50" : ""}
                         >
                             {buttonText}
                         </Button>

src/components/DismissableBanner.tsx

@@ -1,9 +1,10 @@
 "use client";
 
-import React, { useState, useEffect, type ReactNode } from "react";
+import React, { useState, useEffect, type ReactNode, useEffectEvent } from "react";
 import { Card, CardContent } from "@app/components/ui/card";
 import { X } from "lucide-react";
 import { useTranslations } from "next-intl";
+import { useEnvContext } from "@app/hooks/useEnvContext";
 
 type DismissableBannerProps = {
     storageKey: string;
@@ -25,6 +26,12 @@ export const DismissableBanner = ({
     const [isDismissed, setIsDismissed] = useState(true);
     const t = useTranslations();
 
+    const { env } = useEnvContext();
+
+    if (env.flags.disableProductHelpBanners) {
+        return null;
+    }
+
     useEffect(() => {
         const dismissedData = localStorage.getItem(storageKey);
         if (dismissedData) {

src/components/Layout.tsx

@@ -37,7 +37,7 @@ export async function Layout({
         (sidebarStateCookie !== "expanded" && defaultSidebarCollapsed);
 
     return (
-        <div className="flex h-screen overflow-hidden">
+        <div className="flex h-screen-safe overflow-hidden">
             {/* Desktop Sidebar */}
             {showSidebar && (
                 <LayoutSidebar

src/components/LayoutMobileMenu.tsx

@@ -48,7 +48,7 @@ export function LayoutMobileMenu({
     const t = useTranslations();
 
     return (
-        <div className="shrink-0 md:hidden">
+        <div className="shrink-0 md:hidden sticky top-0 z-50">
             <div className="h-16 flex items-center px-2">
                 <div className="flex items-center gap-4">
                     {showSidebar && (
@@ -72,7 +72,7 @@ export function LayoutMobileMenu({
                                     <SheetDescription className="sr-only">
                                         {t("navbarDescription")}
                                     </SheetDescription>
-                                    <div className="flex-1 overflow-y-auto">
+                                    <div className="flex-1 overflow-y-auto relative">
                                         <div className="px-3">
                                             <OrgSelector
                                                 orgId={orgId}
@@ -83,7 +83,7 @@ export function LayoutMobileMenu({
                                         <div className="px-3">
                                             {!isAdminPage &&
                                                 user.serverAdmin && (
-                                                    <div className="pb-3">
+                                                    <div className="py-2">
                                                         <Link
                                                             href="/admin"
                                                             className={cn(
@@ -113,6 +113,7 @@ export function LayoutMobileMenu({
                                                 }
                                             />
                                         </div>
+                                        <div className="sticky bottom-0 left-0 right-0 h-8 pointer-events-none bg-gradient-to-t from-card to-transparent" />
                                     </div>
                                     <div className="px-3 pt-3 pb-3 space-y-4 border-t shrink-0">
                                         <SupporterStatus />

src/components/ProxyResourcesTable.tsx

@@ -198,7 +198,7 @@ export default function ProxyResourcesTable({
 
         if (!targets || targets.length === 0) {
             return (
-                <div className="flex items-center gap-2">
+                <div id="LOOK_FOR_ME" className="flex items-center gap-2">
                     <StatusIcon status="unknown" />
                     <span className="text-sm">
                         {t("resourcesTableNoTargets")}

src/components/ResourceInfoBox.tsx

@@ -32,12 +32,6 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
                 <InfoSections
                     cols={resource.http && env.flags.usePangolinDns ? 5 : 4}
                 >
-                    <InfoSection>
-                        <InfoSectionTitle>URL</InfoSectionTitle>
-                        <InfoSectionContent>
-                            <CopyToClipboard text={fullUrl} isLink={true} />
-                        </InfoSectionContent>
-                    </InfoSection>
                     <InfoSection>
                         <InfoSectionTitle>{t("identifier")}</InfoSectionTitle>
                         <InfoSectionContent>
@@ -46,6 +40,12 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
                     </InfoSection>
                     {resource.http ? (
                         <>
+                            <InfoSection>
+                                <InfoSectionTitle>URL</InfoSectionTitle>
+                                <InfoSectionContent>
+                                    <CopyToClipboard text={fullUrl} isLink={true} />
+                                </InfoSectionContent>
+                            </InfoSection>
                             <InfoSection>
                                 <InfoSectionTitle>
                                     {t("authentication")}

src/components/ViewportHeightFix.tsx

@@ -0,0 +1,79 @@
+"use client";
+
+import { useEffect } from "react";
+
+/**
+ * Fixes mobile viewport height issues when keyboard opens/closes
+ * by setting a CSS variable with a stable viewport height
+ * Only applies on mobile devices (< 768px, matching Tailwind's md breakpoint)
+ */
+export function ViewportHeightFix() {
+    useEffect(() => {
+        // Check if we're on mobile (md breakpoint is typically 768px)
+        const isMobile = () => window.innerWidth < 768;
+        
+        // On desktop, don't set --vh at all, let CSS use 100vh directly
+        if (!isMobile()) {
+            // Remove --vh if it was set, so CSS falls back to 100vh
+            document.documentElement.style.removeProperty("--vh");
+            return;
+        }
+
+        // Mobile-specific logic
+        let maxHeight = window.innerHeight;
+        let resizeTimer: NodeJS.Timeout;
+
+        // Set the viewport height as a CSS variable
+        const setViewportHeight = (height: number) => {
+            document.documentElement.style.setProperty("--vh", `${height}px`);
+        };
+
+        // Set initial value
+        setViewportHeight(maxHeight);
+
+        const handleResize = () => {
+            // If we switched to desktop, remove --vh and stop
+            if (!isMobile()) {
+                document.documentElement.style.removeProperty("--vh");
+                return;
+            }
+
+            clearTimeout(resizeTimer);
+            resizeTimer = setTimeout(() => {
+                const currentHeight = window.innerHeight;
+
+                // Track the maximum height we've seen (when keyboard is closed)
+                if (currentHeight > maxHeight) {
+                    maxHeight = currentHeight;
+                    setViewportHeight(maxHeight);
+                }
+                // If current height is close to max, update max (keyboard closed)
+                else if (currentHeight >= maxHeight * 0.9) {
+                    maxHeight = currentHeight;
+                    setViewportHeight(maxHeight);
+                }
+                // Otherwise, keep using the max height (keyboard is open)
+            }, 100);
+        };
+
+        const handleOrientationChange = () => {
+            // Reset on orientation change
+            setTimeout(() => {
+                maxHeight = window.innerHeight;
+                setViewportHeight(maxHeight);
+            }, 150);
+        };
+
+        window.addEventListener("resize", handleResize);
+        window.addEventListener("orientationchange", handleOrientationChange);
+
+        return () => {
+            window.removeEventListener("resize", handleResize);
+            window.removeEventListener("orientationchange", handleOrientationChange);
+            clearTimeout(resizeTimer);
+        };
+    }, []);
+
+    return null;
+}
+

src/components/private/OrgIdpDataTable.tsx

@@ -27,6 +27,8 @@ export function IdpDataTable<TData, TValue>({
             searchColumn="name"
             addButtonText={t("idpAdd")}
             onAdd={onAdd}
+            enableColumnVisibility={true}
+            stickyRightColumn="actions"
         />
     );
 }

src/components/private/OrgIdpTable.tsx

@@ -118,6 +118,7 @@ export default function IdpTable({ idps, orgId }: Props) {
         },
         {
             id: "actions",
+            enableHiding: false,
             header: () => <span className="p-3">{t("actions")}</span>,
             cell: ({ row }) => {
                 const siteRow = row.original;

src/components/ui/button.tsx

@@ -3,7 +3,6 @@ import { Slot } from "@radix-ui/react-slot";
 import { cva, type VariantProps } from "class-variance-authority";
 
 import { cn } from "@app/lib/cn";
-import { Loader2 } from "lucide-react";
 
 const buttonVariants = cva(
     "cursor-pointer inline-flex items-center justify-center whitespace-nowrap text-sm font-medium ring-offset-background transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-0 disabled:pointer-events-none disabled:opacity-50",
@@ -74,13 +73,30 @@ const Button = React.forwardRef<HTMLButtonElement, ButtonProps>(
             >
                 {asChild ? (
                     props.children
+                ) : loading ? (
+                    <span className="relative inline-flex items-center justify-center">
+                        <span className="inline-flex items-center justify-center opacity-0">
+                            {props.children}
+                        </span>
+                        <span className="absolute inset-0 flex items-center justify-center">
+                            <span className="flex items-center gap-1.5">
+                                <span
+                                    className="h-1 w-1 bg-current animate-dot-pulse"
+                                    style={{ animationDelay: "0ms" }}
+                                />
+                                <span
+                                    className="h-1 w-1 bg-current animate-dot-pulse"
+                                    style={{ animationDelay: "200ms" }}
+                                />
+                                <span
+                                    className="h-1 w-1 bg-current animate-dot-pulse"
+                                    style={{ animationDelay: "400ms" }}
+                                />
+                            </span>
+                        </span>
+                    </span>
                 ) : (
-                    <>
+                    props.children
-                        {loading && (
-                            <Loader2 className="mr-2 h-4 w-4 animate-spin" />
-                        )}
-                        {props.children}
-                    </>
                 )}
             </Comp>
         );

src/components/ui/checkbox.tsx

@@ -14,13 +14,13 @@ const checkboxVariants = cva(
         variants: {
             variant: {
                 outlinePrimary:
-                    "border rounded-[5px] border-primary data-[state=checked]:bg-primary data-[state=checked]:text-primary-foreground",
+                    "border rounded-[5px] border-input data-[state=checked]:border-primary data-[state=checked]:bg-primary data-[state=checked]:text-primary-foreground",
                 outline:
-                    "border rounded-[5px] border-input data-[state=checked]:bg-muted data-[state=checked]:text-accent-foreground",
+                    "border rounded-[5px] border-input data-[state=checked]:border-primary data-[state=checked]:bg-muted data-[state=checked]:text-accent-foreground",
                 outlinePrimarySquare:
-                    "border rounded-[5px] border-primary data-[state=checked]:bg-primary data-[state=checked]:text-primary-foreground",
+                    "border rounded-[5px] border-input data-[state=checked]:border-primary data-[state=checked]:bg-primary data-[state=checked]:text-primary-foreground",
                 outlineSquare:
-                    "border rounded-[5px] border-input data-[state=checked]:bg-muted data-[state=checked]:text-accent-foreground"
+                    "border rounded-[5px] border-input data-[state=checked]:border-primary data-[state=checked]:bg-muted data-[state=checked]:text-accent-foreground"
             }
         },
         defaultVariants: {
@@ -30,8 +30,7 @@ const checkboxVariants = cva(
 );
 
 interface CheckboxProps
-    extends
+    extends React.ComponentPropsWithoutRef<typeof CheckboxPrimitive.Root>,
-        React.ComponentPropsWithoutRef<typeof CheckboxPrimitive.Root>,
         VariantProps<typeof checkboxVariants> {}
 
 const Checkbox = React.forwardRef<
@@ -50,9 +49,8 @@ const Checkbox = React.forwardRef<
 ));
 Checkbox.displayName = CheckboxPrimitive.Root.displayName;
 
-interface CheckboxWithLabelProps extends React.ComponentPropsWithoutRef<
+interface CheckboxWithLabelProps
-    typeof Checkbox
+    extends React.ComponentPropsWithoutRef<typeof Checkbox> {
-> {
     label: string;
 }
 

src/lib/pullEnv.ts

@@ -59,7 +59,11 @@ export function pullEnv(): Env {
             hideSupporterKey:
                 process.env.HIDE_SUPPORTER_KEY === "true" ? true : false,
             usePangolinDns:
-                process.env.USE_PANGOLIN_DNS === "true" ? true : false
+                process.env.USE_PANGOLIN_DNS === "true" ? true : false,
+            disableProductHelpBanners:
+                process.env.FLAGS_DISABLE_PRODUCT_HELP_BANNERS === "true"
+                    ? true
+                    : false
         },
 
         branding: {

src/lib/types/env.ts

@@ -33,6 +33,7 @@ export type Env = {
         disableBasicWireguardSites: boolean;
         hideSupporterKey: boolean;
         usePangolinDns: boolean;
+        disableProductHelpBanners: boolean;
     };
     branding: {
         appName?: string;