Commit graph

41 commits

Author SHA1 Message Date
Cathie Integra
3f096a592b Links: Use canonical trailing-slash form for website URLs 2026-06-24 17:20:30 +02:00
Michael Mayer
9f9fce0976 Tests: Update stale portal paths after frontend URI change 2026-06-12 19:56:38 +00:00
Michael Mayer
487b0c0ec3 Http: Recognize additional reserved IPv4 ranges 2026-06-11 09:37:40 +00:00
Michael Mayer
b88429f557 Cluster: Compact code comments in the OIDC follow-up changes 2026-06-09 10:20:17 +00:00
Michael Mayer
872af5d8fd Cluster: Add cluster OIDC, branded authorize errors, and sign-out
Implements three OIDC follow-ups from specs/portal/cluster-oidc.md:

- Zero-touch instance OIDC RP config: PHOTOPRISM_CLUSTER_OIDC derives the
  OIDC RP client_id/secret from the node client credentials and defaults
  the issuer to the instance's own origin (scheme.OriginURL), so a single
  boot reaches a working Portal login. Explicit oidc-client/secret/uri win.
- Human-friendly authorize errors: redirectable errors 302 back to the
  validated redirect_uri; non-redirectable ones content-negotiate a
  branded HTML page (oauth-error.gohtml) vs JSON via shared helpers in
  internal/api/oauth_error.go. The RP callback surfaces inbound ?error=.
- Cluster-wide Sign-Out (Tier 2): session.logoutEverywhere fans out a
  best-effort DELETE per peer session, clears their storage, then signs
  out locally; session-delete clears the OP cookie on any shared-domain
  OIDC-against-Portal node (OIDCSessionCookieClearPath).
2026-06-09 09:39:01 +00:00
Michael Mayer
51c4eed71e Auth: Serve Portal OIDC OP endpoints under /api/v1/oauth/* #4368 #4369
Move the Portal OIDC OP authorize/token/userinfo onto the shared CE
/api/v1/oauth/* routes (the reserved #4368/#4369 stubs) and drop the parallel
root /oauth/* set.

- Add overridable handler hooks (oauth_handlers.go) mirroring
  server.WebDAVHandler; OAuthToken delegates only the authorization_code grant
  (gated on a form content type) and keeps client_credentials/password/session
  unchanged; userinfo now serves GET and POST.
- Scope the OP session cookie to /api/v1/oauth (base-path aware) so the browser
  still sends it to the moved authorize endpoint instead of looping.
- Stop the proxy re-scoping instance->Portal authorize redirects
  (portalRootPathPrefixes -> /api/v1/oauth/).
- Point discovery at issuer + /api/v1/oauth/*; fix the JWKS URL base-path
  doubling for sub-path deployments (also in CE openid.go).
2026-06-03 15:28:05 +00:00
Michael Mayer
b04233f2f4 Backend: Use strings.SplitSeq for split-and-iterate loops #5599
Replace strings.Split with the lazy strings.SplitSeq iterator (Go 1.23+)
in loops that only range over the tokens, avoiding the intermediate
slice allocation. The yielded substrings are identical to Split, so
behavior is unchanged. Applies the suggestion from #5599 to its three
sites (CIDR parsing, WebDAV hidden-path, overlay path checks) and
extends it to two more split-and-iterate loops in the server compression
negotiator and MCP config-options builder for consistency. The slice
returning splitPath helper is intentionally left on strings.Split.
2026-05-30 09:49:47 +00:00
Michael Mayer
570a563748 Docs: Bump copyright year to 2026 in Go package headers 2026-05-25 14:39:38 +00:00
Michael Mayer
ef7a9db950 Cluster: Add scheme.ResolveAdvertiseURL helper for SiteUrl-aligned paths 2026-05-25 11:49:33 +00:00
Michael Mayer
32902d2c63 Cluster: Skip Location rewrite for Portal-root paths in proxy
The portal proxy was prefixing the per-instance path scope onto absolute
Location headers whose host matched the proxy, breaking instance-to-Portal
redirects like the Pro OIDC RP pointing at the Portal authorize endpoint.
Paths under /oauth/, /.well-known/, and /portal/ are now recognized as
Portal-root and left untouched.
2026-05-24 12:28:02 +00:00
Michael Mayer
91d27f7e6e Docs: Update copyright year in Dockerfiles, scripts, and Go files
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-05-22 07:56:59 +02:00
Michael Mayer
1b8ea51a2f Config: Normalize Site/CDN base URLs to strip default ports #5590
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-05-20 16:59:53 +02:00
Michael Mayer
2fc71540a9 Config: Strip default HTTP and HTTPS ports from the site URL #5590
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-05-19 01:05:23 +02:00
Michael Mayer
ea05645668 Cleanup: Use US English spelling in code comments 2026-05-17 13:46:24 +00:00
Michael Mayer
5c6976355b Header: Add "Range" request header constant 2026-05-03 13:43:26 +00:00
Michael Mayer
0c226fafcf Header: Add ContentTypeEventStream and reuse in MCP code #5024
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-04-13 09:18:40 +02:00
Michael Mayer
20fd49f2ac Media: Improve layered TIFF & PSD preview support #5383
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-03-06 18:14:48 +01:00
Michael Mayer
7b96a768d5 WebDAV: Harden response headers for interoperability #5472
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-03-04 15:23:10 +01:00
Michael Mayer
f2aabb9bcd Security: Add gosec fixes with shared URL and fs validation helpers
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-03-03 16:38:41 +01:00
Michael Mayer
fcb8bc60c4 Proxy: Rename portal-proxy-prefix to portal-proxy-uri
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-03-02 19:20:41 +01:00
Michael Mayer
2ee5f1337e PWA: Use scope-relative manifest URLs for iOS path-based installs
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-03-01 23:33:44 +01:00
Michael Mayer
99d34a9c8f Security: Update http/security/scan-paths.go
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-27 00:21:10 +01:00
Michael Mayer
78c0fb897b Pkg: Update http/security/scan-paths.go and hash_test.go
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-26 13:45:07 +01:00
Michael Mayer
038d38d552 Security: Extend denylist coverage for names, paths and extensions #5459
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-26 11:01:15 +01:00
Michael Mayer
31515f9524 Security: Harden web overlay serving via shared security checks
https://github.com/photoprism/photoprism/issues/5459
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-25 17:01:39 +01:00
Michael Mayer
b2f137f240 Security: Generate hashed scan paths from resource list
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-25 03:01:13 +01:00
Michael Mayer
bcb6d39332 Server: Add web overlay handler for unmatched routes #5459
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-24 20:02:58 +01:00
Michael Mayer
d5ecab8827 Proxy: Define /i/ as DefaultPathPrefix for shared-domain deployments
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-24 01:15:23 +01:00
Michael Mayer
c1467cb3f5 Cluster: Rename the "tenant" node role to "instance" for accuracy
This more accurately reflects the multi-instance architecture.

Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-23 04:27:43 +01:00
Michael Mayer
a2b7615c93 Go: Apply go fix modernizations across backend packages
Run `go fix ./...` and keep mechanical modernization updates.

- Replace `interface{}` with `any` in signatures and local types
- Apply formatter/style cleanups from go1.26 tooling
- Keep `omitempty` behavior-preserving simplifications suggested by fix
- No functional feature changes intended

Validation:
- go test ./... -run '^$' -count=1 (Go 1.26.0)
- GOTOOLCHAIN=go1.24.10 go test ./... -run '^$' -count=1

Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-20 03:54:33 +01:00
Michael Mayer
7b2d073a0f Config: Improve NormalizePathPrefix validation & tests #98
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-14 10:46:32 +01:00
Michael Mayer
89f4cb4e34 Config: Add portal-proxy-prefix option for multi-tenant setups #98
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-14 10:26:12 +01:00
Michael Mayer
9fbef7cf64 WebDAV: Improve redirect and read/write request method handling
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-10 11:45:32 +01:00
Michael Mayer
df5efb61a2 Backend: Clean up error handling and unit tests in pkg/...
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-09 12:31:29 +01:00
Michael Mayer
7dbf5dd9ff Cluster: Exclude proxy path prefix from gzip compression and sec headers
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-07 12:43:05 +01:00
Michael Mayer
ebed7fa5b4 Go: Replace strings.Split() with strings.SplitSeq() #5337
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-11-25 14:26:29 +01:00
Michael Mayer
a02162846b AI: Improve model configuration and documentation #5123 #5232 #5322
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-11-24 14:41:13 +01:00
Michael Mayer
149f5e5731 CI: Apply Go linter recommendations to remaining "pkg/..." code #5330
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-11-22 16:14:43 +01:00
promalert
5d0aa1068c refactor: use b.Loop() to simplify the code and improve performance
Signed-off-by: promalert <promalert@outlook.com>
2025-11-13 08:54:42 +01:00
Michael Mayer
ce304abd2c API: Update endpoints to return HTTP 201 when a new resource was created
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-10-20 16:46:59 +02:00
Michael Mayer
a921f82a17 Pkg: Move /service/http/... to /http/... and add package /http/dns
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-10-19 21:08:48 +02:00