release: 1.13.1

Co-authored-by: Elias Schneider <login@eliasschneider.com>

.github/workflows/backend-linter.yml

@@ -24,10 +24,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version-file: backend/go.mod
 

.github/workflows/build-next.yml

@@ -19,22 +19,20 @@ jobs:
       attestations: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: 22
-          cache: 'pnpm'
-          cache-dependency-path: pnpm-lock.yaml
 
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
-          go-version-file: 'backend/go.mod'
+          go-version-file: "backend/go.mod"
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -74,7 +72,7 @@ jobs:
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ env.DOCKER_IMAGE_NAME }}:next
-          file: Dockerfile-prebuilt
+          file: docker/Dockerfile-prebuilt
       - name: Build and push container image (distroless)
         uses: docker/build-push-action@v6
         id: container-build-push-distroless
@@ -83,16 +81,16 @@ jobs:
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ env.DOCKER_IMAGE_NAME }}:next-distroless
-          file: Dockerfile-distroless
+          file: docker/Dockerfile-distroless
       - name: Container image attestation
         uses: actions/attest-build-provenance@v2
         with:
-          subject-name: '${{ env.DOCKER_IMAGE_NAME }}'
+          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
           subject-digest: ${{ steps.build-push-image.outputs.digest }}
           push-to-registry: true
       - name: Container image attestation (distroless)
         uses: actions/attest-build-provenance@v2
         with:
-          subject-name: '${{ env.DOCKER_IMAGE_NAME }}'
+          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
           subject-digest: ${{ steps.container-build-push-distroless.outputs.digest }}
           push-to-registry: true

.github/workflows/e2e-tests.yml

@@ -3,15 +3,15 @@ on:
   push:
     branches: [main]
     paths-ignore:
-      - 'docs/**'
+      - "docs/**"
-      - '**.md'
+      - "**.md"
-      - '.github/**'
+      - ".github/**"
   pull_request:
     branches: [main]
     paths-ignore:
-      - 'docs/**'
+      - "docs/**"
-      - '**.md'
+      - "**.md"
-      - '.github/**'
+      - ".github/**"
 
 jobs:
   build:
@@ -22,7 +22,7 @@ jobs:
       actions: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -30,6 +30,8 @@ jobs:
       - name: Build and export
         uses: docker/build-push-action@v6
         with:
+          context: .
+          file: docker/Dockerfile
           push: false
           load: false
           tags: pocket-id:test
@@ -57,16 +59,15 @@ jobs:
       matrix:
         db: [sqlite, postgres]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
 
-      - uses: actions/setup-node@v4
+      - name: Setup Node.js
+        uses: actions/setup-node@v5
         with:
           node-version: 22
-          cache: 'pnpm'
-          cache-dependency-path: pnpm-lock.yaml
 
       - name: Cache Playwright Browsers
         uses: actions/cache@v3

.github/workflows/release.yml

@@ -3,7 +3,7 @@ name: Release
 on:
   push:
     tags:
-      - 'v*.*.*'
+      - "v*.*.*"
 
 jobs:
   build:
@@ -19,14 +19,12 @@ jobs:
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: 22
-          cache: 'pnpm'
+      - uses: actions/setup-go@v6
-          cache-dependency-path: pnpm-lock.yaml
-      - uses: actions/setup-go@v5
         with:
-          go-version-file: 'backend/go.mod'
+          go-version-file: "backend/go.mod"
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
@@ -81,7 +79,7 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          file: Dockerfile-prebuilt
+          file: docker/Dockerfile-prebuilt
       - name: Build and push container image (distroless)
         uses: docker/build-push-action@v6
         id: container-build-push-distroless
@@ -91,21 +89,21 @@ jobs:
           push: true
           tags: ${{ steps.meta-distroless.outputs.tags }}
           labels: ${{ steps.meta-distroless.outputs.labels }}
-          file: Dockerfile-distroless
+          file: docker/Dockerfile-distroless
       - name: Binary attestation
         uses: actions/attest-build-provenance@v2
         with:
-          subject-path: 'backend/.bin/pocket-id-**'
+          subject-path: "backend/.bin/pocket-id-**"
       - name: Container image attestation
         uses: actions/attest-build-provenance@v2
         with:
-          subject-name: '${{ env.DOCKER_IMAGE_NAME }}'
+          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
           subject-digest: ${{ steps.container-build-push.outputs.digest }}
           push-to-registry: true
       - name: Container image attestation (distroless)
         uses: actions/attest-build-provenance@v2
         with:
-          subject-name: '${{ env.DOCKER_IMAGE_NAME }}'
+          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
           subject-digest: ${{ steps.container-build-push-distroless.outputs.digest }}
           push-to-registry: true
       - name: Upload binaries to release
@@ -122,6 +120,6 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Mark release as published
         run: gh release edit ${{ github.ref_name }} --draft=false

.github/workflows/svelte-check.yml

@@ -4,21 +4,21 @@ on:
   push:
     branches: [main]
     paths:
-      - 'frontend/src/**'
+      - "frontend/src/**"
-      - '.github/svelte-check-matcher.json'
+      - ".github/svelte-check-matcher.json"
-      - 'frontend/package.json'
+      - "frontend/package.json"
-      - 'frontend/package-lock.json'
+      - "frontend/package-lock.json"
-      - 'frontend/tsconfig.json'
+      - "frontend/tsconfig.json"
-      - 'frontend/svelte.config.js'
+      - "frontend/svelte.config.js"
   pull_request:
     branches: [main]
     paths:
-      - 'frontend/src/**'
+      - "frontend/src/**"
-      - '.github/svelte-check-matcher.json'
+      - ".github/svelte-check-matcher.json"
-      - 'frontend/package.json'
+      - "frontend/package.json"
-      - 'frontend/package-lock.json'
+      - "frontend/package-lock.json"
-      - 'frontend/tsconfig.json'
+      - "frontend/tsconfig.json"
-      - 'frontend/svelte.config.js'
+      - "frontend/svelte.config.js"
   workflow_dispatch:
 
 jobs:
@@ -34,17 +34,15 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: 22
-          cache: 'pnpm'
-          cache-dependency-path: pnpm-lock.yaml
 
       - name: Install dependencies
         run: pnpm --filter pocket-id-frontend install --frozen-lockfile

.github/workflows/unit-tests.yml

@@ -16,8 +16,8 @@ jobs:
       actions: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v6
         with:
           go-version-file: "backend/go.mod"
           cache-dependency-path: "backend/go.sum"

.github/workflows/update-aaguids.yml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Fetch JSON data
         run: |

.version

@@ -1 +1 @@
-1.13.0
+1.13.1

CHANGELOG.md

@@ -1,3 +1,16 @@
+## v1.13.1
+
+### Bug Fixes
+
+- uploading a client logo with an URL fails ([#1008](https://github.com/pocket-id/pocket-id/pull/1008) by @CzBiX)
+- mark any callback url as valid if they contain a wildcard ([#1006](https://github.com/pocket-id/pocket-id/pull/1006) by @stonith404)
+
+### Other
+
+- cleanup root of repo, update workflow actions ([#1003](https://github.com/pocket-id/pocket-id/pull/1003) by @kmendell)
+
+**Full Changelog**: https://github.com/pocket-id/pocket-id/compare/v1.13.0...v1.13.1
+
 ## v1.13.0
 
 ### Bug Fixes

backend/internal/dto/validations.go

@@ -67,14 +67,12 @@ func ValidateClientID(clientID string) bool {
 
 // ValidateCallbackURL validates callback URLs with support for wildcards
 func ValidateCallbackURL(raw string) bool {
-	if raw == "*" {
+	// Don't validate if it contains a wildcard
+	if strings.Contains(raw, "*") {
 		return true
 	}
 
-	// Replace all '*' with 'x' to check if the rest is still a valid URI
+	u, err := url.Parse(raw)
-	test := strings.ReplaceAll(raw, "*", "x")
-
-	u, err := url.Parse(test)
 	if err != nil {
 		return false
 	}

backend/internal/service/oidc_service.go

@@ -15,6 +15,7 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"path/filepath"
 	"regexp"
 	"slices"
 	"strings"
@@ -1937,12 +1938,13 @@ func (s *OidcService) downloadAndSaveLogoFromURL(parentCtx context.Context, tx *
 		return &common.FileTypeNotSupportedError{}
 	}
 
-	imagePath := common.EnvConfig.UploadPath + "/oidc-client-images/" + clientID + "." + ext
+	folderPath := filepath.Join(common.EnvConfig.UploadPath, "oidc-client-images")
-	err = os.MkdirAll(imagePath, os.ModePerm)
+	err = os.MkdirAll(folderPath, os.ModePerm)
 	if err != nil {
 		return err
 	}
 
+	imagePath := filepath.Join(folderPath, clientID+"."+ext)
 	err = utils.SaveFileStream(io.LimitReader(resp.Body, maxLogoSize+1), imagePath)
 	if err != nil {
 		return err

frontend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pocket-id-frontend",
-  "version": "1.13.0",
+  "version": "1.13.1",
   "private": true,
   "type": "module",
   "scripts": {

frontend/src/lib/utils/zod-util.ts

@@ -14,9 +14,11 @@ export const callbackUrlSchema = z
 	.nonempty()
 	.refine(
 		(val) => {
-			if (val === '*') return true;
+			if (val.includes('*')) {
+				return true;
+			}
 			try {
-				new URL(val.replace(/\*/g, 'x'));
+				new URL(val);
 				return true;
 			} catch {
 				return false;

scripts/development/deploy-development-image.sh

@@ -1 +1 @@
-docker buildx build --push --tag ghcr.io/pocket-id/pocket-id:development --platform linux/amd64,linux/arm64 .
+docker buildx build --push --file docker/Dockerfile --tag ghcr.io/pocket-id/pocket-id:development --platform linux/amd64,linux/arm64 .