Merge branch 'dev' into feat-blueprint-ui-on-dashboard

2026-02-10 20:02:26 +00:00 · 2025-10-29 14:46:34 -07:00
parent 39b3b4ef9d 5542873368
commit cc03b97234
15 changed files with 452 additions and 449 deletions
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -99,7 +99,7 @@ jobs:
                  make go-build-release 
            - name: Upload artifacts from /install/bin
-              uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+              uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
              with:
                  name: install-bin
                  path: install/bin/
--- a/README.md
+++ b/README.md
@@ -45,7 +45,10 @@ Pangolin is a self-hosted tunneled reverse proxy server with identity and contex
 ## Installation
-Check out the [quick install guide](https://docs.pangolin.net/self-host/quick-install) for how to install and set up Pangolin.
+- Check out the [quick install guide](https://docs.pangolin.net/self-host/quick-install) for how to install and set up Pangolin.
 - Install from the [DigitalOcean marketplace](https://marketplace.digitalocean.com/apps/pangolin-ce-1?refcode=edf0480eeb81) for a one-click pre-configured installer.
 <img src="public/screenshots/hero.png" />
 ## Deployment Options
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1813,6 +1813,7 @@
    "securityPolicyChangeConfirmMessage": "I confirm",
    "securityPolicyChangeWarningText": "This will affect all users in the organization",
    "authPageErrorUpdateMessage": "An error occurred while updating the auth page settings",
    "authPageErrorUpdate": "Unable to update auth page",
    "authPageUpdated": "Auth page updated successfully",
    "healthCheckNotAvailable": "Local",
    "rewritePath": "Rewrite Path",
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -67,7 +67,7 @@
        "arctic": "^3.7.0",
        "axios": "^1.12.2",
        "better-sqlite3": "11.7.0",
-        "canvas-confetti": "1.9.3",
+        "canvas-confetti": "1.9.4",
        "class-variance-authority": "^0.7.1",
        "clsx": "2.1.1",
        "cmdk": "1.1.1",
@@ -77,7 +77,7 @@
        "cors": "2.8.5",
        "crypto-js": "^4.2.0",
        "date-fns": "4.1.0",
-        "drizzle-orm": "0.44.6",
+        "drizzle-orm": "0.44.7",
        "eslint": "9.37.0",
        "eslint-config-next": "15.5.6",
        "express": "5.1.0",
@@ -87,7 +87,7 @@
        "http-errors": "2.0.0",
        "i": "^0.3.7",
        "input-otp": "1.4.2",
-        "ioredis": "5.8.1",
+        "ioredis": "5.8.2",
        "jmespath": "^0.16.0",
        "js-yaml": "4.1.0",
        "jsonwebtoken": "^9.0.2",
@@ -100,12 +100,12 @@
        "nextjs-toploader": "^3.9.17",
        "node-cache": "5.1.2",
        "node-fetch": "3.3.2",
-        "nodemailer": "7.0.9",
+        "nodemailer": "7.0.10",
        "npm": "^11.6.2",
        "nprogress": "^0.2.0",
        "oslo": "1.2.1",
        "pg": "^8.16.2",
-        "posthog-node": "^5.9.5",
+        "posthog-node": "^5.10.4",
        "qrcode.react": "4.2.0",
        "react": "19.2.0",
        "react-day-picker": "9.11.1",
@@ -135,37 +135,37 @@
        "@dotenvx/dotenvx": "1.51.0",
        "@esbuild-plugins/tsconfig-paths": "0.1.2",
        "@faker-js/faker": "^10.1.0",
-        "@react-email/preview-server": "4.3.1",
+        "@react-email/preview-server": "4.3.2",
-        "@tailwindcss/postcss": "^4.1.14",
+        "@tailwindcss/postcss": "^4.1.16",
        "@types/better-sqlite3": "7.6.12",
-        "@types/cookie-parser": "1.4.9",
+        "@types/cookie-parser": "1.4.10",
        "@types/cors": "2.8.19",
        "@types/crypto-js": "^4.2.2",
-        "@types/express": "5.0.3",
+        "@types/express": "5.0.5",
        "@types/express-session": "^1.18.2",
        "@types/jmespath": "^0.15.2",
        "@types/js-yaml": "4.0.9",
        "@types/jsonwebtoken": "^9.0.10",
        "@types/node": "24.8.1",
        "@types/nodemailer": "7.0.2",
        "@types/nprogress": "^0.2.3",
-        "@types/pg": "8.15.5",
+        "@types/node": "24.9.2",
        "@types/nodemailer": "7.0.3",
        "@types/pg": "8.15.6",
        "@types/react": "19.2.2",
        "@types/react-dom": "19.2.2",
        "@types/semver": "^7.7.1",
        "@types/swagger-ui-express": "^4.1.8",
        "@types/ws": "8.18.1",
-        "@types/yargs": "17.0.33",
+        "@types/yargs": "17.0.34",
-        "drizzle-kit": "0.31.5",
+        "drizzle-kit": "0.31.6",
        "esbuild": "0.25.11",
        "esbuild-node-externals": "1.18.0",
        "postcss": "^8",
-        "react-email": "4.3.1",
+        "react-email": "4.3.2",
        "tailwindcss": "^4.1.4",
        "tsc-alias": "1.8.16",
        "tsx": "4.20.6",
        "typescript": "^5",
-        "typescript-eslint": "^8.46.0"
+        "typescript-eslint": "^8.46.2"
    },
    "overrides": {
        "emblor": {
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@@ -204,7 +204,8 @@ export const configSchema = z
                    .optional()
                    .default(["newt", "wireguard", "local"]),
                allow_raw_resources: z.boolean().optional().default(true),
-                file_mode: z.boolean().optional().default(false)
+                file_mode: z.boolean().optional().default(false),
                pp_transport_prefix: z.string().optional().default("pp-transport-v")
            })
            .optional()
            .default({}),
--- a/server/lib/traefik/getTraefikConfig.ts
+++ b/server/lib/traefik/getTraefikConfig.ts
@@ -265,37 +265,36 @@ export async function getTraefikConfig(
            const domainCertResolver = resource.domainCertResolver;
            const preferWildcardCert = resource.preferWildcardCert;
-             let resolverName: string | undefined;
+            let resolverName: string | undefined;
-                let preferWildcard: boolean | undefined;
+            let preferWildcard: boolean | undefined;
-                // Handle both letsencrypt & custom cases
+            // Handle both letsencrypt & custom cases
-                if (domainCertResolver) {
+            if (domainCertResolver) {
-                    resolverName = domainCertResolver.trim();
+                resolverName = domainCertResolver.trim();
-                } else {
+            } else {
-                    resolverName = globalDefaultResolver;
+                resolverName = globalDefaultResolver;
-                }
+            }
-                if (
+            if (
-                    preferWildcardCert !== undefined &&
+                preferWildcardCert !== undefined &&
-                    preferWildcardCert !== null
+                preferWildcardCert !== null
-                ) {
+            ) {
-                    preferWildcard = preferWildcardCert;
+                preferWildcard = preferWildcardCert;
-                } else {
+            } else {
-                    preferWildcard = globalDefaultPreferWildcard;
+                preferWildcard = globalDefaultPreferWildcard;
-                }
+            }
-                const tls = {
+            const tls = {
-                    certResolver: resolverName,
+                certResolver: resolverName,
-                    ...(preferWildcard
+                ...(preferWildcard
-                        ? {
+                    ? {
-                            domains: [
+                          domains: [
-                                {
+                              {
-                                    main: wildCard
+                                  main: wildCard
-                                }
+                              }
-                            ]
+                          ]
-                        }
+                      }
-                        : {})
+                    : {})
-                };
+            };
            const additionalMiddlewares =
                config.getRawConfig().traefik.additional_middlewares || [];
@@ -534,14 +533,14 @@ export async function getTraefikConfig(
                    })(),
                    ...(resource.stickySession
                        ? {
-                            sticky: {
+                              sticky: {
-                                cookie: {
+                                  cookie: {
-                                    name: "p_sticky", // TODO: make this configurable via config.yml like other cookies
+                                      name: "p_sticky", // TODO: make this configurable via config.yml like other cookies
-                                    secure: resource.ssl,
+                                      secure: resource.ssl,
-                                    httpOnly: true
+                                      httpOnly: true
-                                }
+                                  }
-                            }
+                              }
-                        }
+                          }
                        : {})
                }
            };
@@ -587,6 +586,8 @@ export async function getTraefikConfig(
                ...(protocol === "tcp" ? { rule: "HostSNI(`*`)" } : {})
            };
            const ppPrefix = config.getRawConfig().traefik.pp_transport_prefix;
            config_output[protocol].services[serviceName] = {
                loadBalancer: {
                    servers: (() => {
@@ -642,18 +643,18 @@ export async function getTraefikConfig(
                    })(),
                    ...(resource.proxyProtocol && protocol == "tcp"
                        ? {
-                              serversTransport: `pp-transport-v${resource.proxyProtocolVersion || 1}`
+                              serversTransport: `${ppPrefix}${resource.proxyProtocolVersion || 1}@file` // TODO: does @file here cause issues?
                          }
                        : {}),
                    ...(resource.stickySession
                        ? {
-                            sticky: {
+                              sticky: {
-                                ipStrategy: {
+                                  ipStrategy: {
-                                    depth: 0,
+                                      depth: 0,
-                                    sourcePort: true
+                                      sourcePort: true
-                                }
+                                  }
-                            }
+                              }
-                        }
+                          }
                        : {})
                }
            };
--- a/server/private/lib/logAccessAudit.ts
+++ b/server/private/lib/logAccessAudit.ts
@@ -61,7 +61,7 @@ export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
                )
            );
-        logger.info(
+        logger.debug(
            `Cleaned up ${deleteResult.changes} access audit logs older than ${retentionDays} days`
        );
    } catch (error) {
--- a/server/private/lib/traefik/getTraefikConfig.ts
+++ b/server/private/lib/traefik/getTraefikConfig.ts
@@ -109,7 +109,7 @@ export async function getTraefikConfig(
            domainNamespaceId: domainNamespaces.domainNamespaceId,
            // Certificate
            certificateStatus: certificates.status,
-            domainCertResolver: domains.certResolver,
+            domainCertResolver: domains.certResolver
        })
        .from(sites)
        .innerJoin(targets, eq(targets.siteId, sites.siteId))
@@ -214,7 +214,7 @@ export async function getTraefikConfig(
                rewritePath: row.rewritePath,
                rewritePathType: row.rewritePathType,
                priority: priority, // may be null, we fallback later
-                domainCertResolver: row.domainCertResolver,
+                domainCertResolver: row.domainCertResolver
            });
        }
@@ -330,29 +330,43 @@ export async function getTraefikConfig(
                    wildCard = resource.fullDomain;
                }
-                const configDomain = config.getDomain(resource.domainId);
+                const globalDefaultResolver =
                    config.getRawConfig().traefik.cert_resolver;
                const globalDefaultPreferWildcard =
                    config.getRawConfig().traefik.prefer_wildcard_cert;
-                let certResolver: string, preferWildcardCert: boolean;
+                const domainCertResolver = resource.domainCertResolver;
-                if (!configDomain) {
+                const preferWildcardCert = resource.preferWildcardCert;
-                    certResolver = config.getRawConfig().traefik.cert_resolver;
+
-                    preferWildcardCert =
+                let resolverName: string | undefined;
-                        config.getRawConfig().traefik.prefer_wildcard_cert;
+                let preferWildcard: boolean | undefined;
                // Handle both letsencrypt & custom cases
                if (domainCertResolver) {
                    resolverName = domainCertResolver.trim();
                } else {
-                    certResolver = configDomain.cert_resolver;
+                    resolverName = globalDefaultResolver;
-                    preferWildcardCert = configDomain.prefer_wildcard_cert;
+                }
                if (
                    preferWildcardCert !== undefined &&
                    preferWildcardCert !== null
                ) {
                    preferWildcard = preferWildcardCert;
                } else {
                    preferWildcard = globalDefaultPreferWildcard;
                }
                tls = {
-                    certResolver: certResolver,
+                    certResolver: resolverName,
-                    ...(preferWildcardCert
+                    ...(preferWildcard
                        ? {
-                            domains: [
+                              domains: [
-                                {
+                                  {
-                                    main: wildCard,
+                                      main: wildCard
-                                },
+                                  }
-                            ],
+                              ]
-                        }
+                          }
-                        : {}),
+                        : {})
                };
            } else {
                // find a cert that matches the full domain, if not continue
@@ -604,14 +618,14 @@ export async function getTraefikConfig(
                    })(),
                    ...(resource.stickySession
                        ? {
-                            sticky: {
+                              sticky: {
-                                cookie: {
+                                  cookie: {
-                                    name: "p_sticky", // TODO: make this configurable via config.yml like other cookies
+                                      name: "p_sticky", // TODO: make this configurable via config.yml like other cookies
-                                    secure: resource.ssl,
+                                      secure: resource.ssl,
-                                    httpOnly: true
+                                      httpOnly: true
-                                }
+                                  }
-                            }
+                              }
-                        }
+                          }
                        : {})
                }
            };
@@ -657,6 +671,8 @@ export async function getTraefikConfig(
                ...(protocol === "tcp" ? { rule: "HostSNI(`*`)" } : {})
            };
            const ppPrefix = config.getRawConfig().traefik.pp_transport_prefix;
            config_output[protocol].services[serviceName] = {
                loadBalancer: {
                    servers: (() => {
@@ -712,18 +728,18 @@ export async function getTraefikConfig(
                    })(),
                    ...(resource.proxyProtocol && protocol == "tcp" // proxy protocol only works for tcp
                        ? {
-                              serversTransport: `pp-transport-v${resource.proxyProtocolVersion || 1}`
+                              serversTransport: `${ppPrefix}${resource.proxyProtocolVersion || 1}@file` // TODO: does @file here cause issues?
                          }
                        : {}),
                    ...(resource.stickySession
                        ? {
-                            sticky: {
+                              sticky: {
-                                ipStrategy: {
+                                  ipStrategy: {
-                                    depth: 0,
+                                      depth: 0,
-                                    sourcePort: true
+                                      sourcePort: true
-                                }
+                                  }
-                            }
+                              }
-                        }
+                          }
                        : {})
                }
            };
@@ -771,9 +787,10 @@ export async function getTraefikConfig(
                    loadBalancer: {
                        servers: [
                            {
-                                url: `http://${config.getRawConfig().server
+                                url: `http://${
                                    config.getRawConfig().server
                                        .internal_hostname
-                                    }:${config.getRawConfig().server.next_port}`
+                                }:${config.getRawConfig().server.next_port}`
                            }
                        ]
                    }
--- a/server/private/middlewares/logActionAudit.ts
+++ b/server/private/middlewares/logActionAudit.ts
@@ -60,7 +60,7 @@ export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
                )
            );
-        logger.info(
+        logger.debug(
            `Cleaned up ${deleteResult.changes} action audit logs older than ${retentionDays} days`
        );
    } catch (error) {
--- a/server/routers/badger/logRequestAudit.ts
+++ b/server/routers/badger/logRequestAudit.ts
@@ -3,7 +3,7 @@ import logger from "@server/logger";
 import { and, eq, lt } from "drizzle-orm";
 import cache from "@server/lib/cache";
-/** 
+/**
 Reasons:
 100 - Allowed by Rule
@@ -69,7 +69,7 @@ export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
                )
            );
-        logger.info(
+        logger.debug(
            `Cleaned up ${deleteResult.changes} request audit logs older than ${retentionDays} days`
        );
    } catch (error) {
--- a/server/setup/scriptsPg/1.12.0.ts
+++ b/server/setup/scriptsPg/1.12.0.ts
@@ -107,6 +107,26 @@ export default async function migration() {
        await db.execute(sql`ALTER TABLE "resources" ADD CONSTRAINT "resources_skipToIdpId_idp_idpId_fk" FOREIGN KEY ("skipToIdpId") REFERENCES "public"."idp"("idpId") ON DELETE set null ON UPDATE no action;`);
        await db.execute(sql`ALTER TABLE "orgs" DROP COLUMN "settings";`);
        // get all of the domains
        const domainsQuery = await db.execute(sql`SELECT "domainId", "baseDomain" FROM "domains"`);
        const domains = domainsQuery.rows as {
            domainId: string;
            baseDomain: string;
        }[];
        for (const domain of domains) {
            // insert two records into the dnsRecords table for each domain
            await db.execute(sql`
                INSERT INTO "dnsRecords" ("domainId", "recordType", "baseDomain", "value", "verified")
                VALUES (${domain.domainId}, 'A', ${`*.${domain.baseDomain}`}, ${'Server IP Address'}, true)
            `);
            await db.execute(sql`
                INSERT INTO "dnsRecords" ("domainId", "recordType", "baseDomain", "value", "verified")
                VALUES (${domain.domainId}, 'A', ${domain.baseDomain}, ${'Server IP Address'}, true)
            `);
        }
        await db.execute(sql`COMMIT`);
        console.log("Migrated database");
    } catch (e) {
--- a/server/setup/scriptsSqlite/1.12.0.ts
+++ b/server/setup/scriptsSqlite/1.12.0.ts
@@ -15,7 +15,7 @@ export default async function migration() {
        db.transaction(() => {
            db.prepare(
-                `UPDATE 'resourceRules' SET 'match' = 'COUNTRY' WHERE 'match' = 'GEOIP'`
+                `UPDATE 'resourceRules' SET match = 'COUNTRY' WHERE match = 'GEOIP'`
            ).run();
            db.prepare(
@@ -195,6 +195,29 @@ export default async function migration() {
            db.prepare(
                `ALTER TABLE 'user' ADD 'lastPasswordChange' integer;`
            ).run();
            // get all of the domains
            const domains = db.prepare(`SELECT domainId, baseDomain from domains`).all() as {
                domainId: number;
                baseDomain: string;
            }[];
            for (const domain of domains) {
                // insert two records into the dnsRecords table for each domain
                const insert = db.prepare(
                    `INSERT INTO 'dnsRecords' (domainId, recordType, baseDomain, value, verified) VALUES (?, 'A', ?, ?, 1)`
                );
                insert.run(
                    domain.domainId,
                    `*.${domain.baseDomain}`,
                    `Server IP Address`
                );
                insert.run(
                    domain.domainId,
                    `${domain.baseDomain}`,
                    `Server IP Address`
                );
            }
        })();
        db.pragma("foreign_keys = ON");
--- a/src/app/[orgId]/settings/resources/[niceId]/proxy/page.tsx
+++ b/src/app/[orgId]/settings/resources/[niceId]/proxy/page.tsx
@@ -733,6 +733,10 @@ export default function ReverseProxyTargets(props: {
            setHttpsTlsLoading(true);
            setProxySettingsLoading(true);
            for (const targetId of targetsToRemove) {
                await api.delete(`/target/${targetId}`);
            }
            // Save targets
            for (const target of targets) {
                const data: any = {
@@ -775,10 +779,6 @@ export default function ReverseProxyTargets(props: {
                }
            }
            for (const targetId of targetsToRemove) {
                await api.delete(`/target/${targetId}`);
            }
            if (resource.http) {
                // Gather all settings
                const stickySessionData = targetsSettingsForm.getValues();
--- a/src/components/ConfirmDeleteDialog.tsx
+++ b/src/components/ConfirmDeleteDialog.tsx
@@ -126,9 +126,11 @@ export default function InviteUserForm({
                            <div>
                                <div className="flex items-center gap-2">
-                                    {t("type")}
+                                    <span>{t("type")}</span>
-                                    <span className="px-2 py-1 rounded-md bg-secondary"><CopyToClipboard text={string} /></span>
+                                    <div className="px-2 py-1 rounded-md bg-secondary max-w-[250px] overflow-x-auto whitespace-nowrap scrollbar-thin scrollbar-thumb-muted scrollbar-track-transparent">
-                                    {t("toConfirm")}
+                                        <CopyToClipboard text={string} />
                                    </div>
                                    <span>{t("toConfirm")}</span>
                                </div>
                            </div>
                        </div>