Drop the AI Infrastructure Support section and the now-orphaned
atlas-cloud-logo.svg asset.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
When the secure session expired (10-minute TTL) and the user invoked a
protected action like enabling a site, the response interceptor opened
the 2FA modal but then fell through to the generic error handler:
- A misleading "Secure Session ID is invalid" toast was shown.
- The original request was rejected, never replayed.
- The user had to click again, which succeeded because the new session
id was now stored.
This change replays the failed request once after a successful 2FA
challenge so the action completes silently in one prompt, and addresses
the failure modes the surrounding flow exposed:
- Sanitize cancel-path rejection: when the user dismisses the modal,
reject with a clean CosyError (empty message, code
`two_factor_cancelled`) so caller `.catch(r => message.error(r.message))`
no longer surfaces the misleading backend text.
- Distinguish user cancel from preflight failure: the catch around
`await otpModal.open()` previously treated `twoFA.status()` /
`secure_session_status()` HTTP errors as if the user had cancelled,
hiding the real network/5xx cause. Use a `TwoFACancelledError` marker
to discriminate and propagate preflight errors.
- Deduplicate concurrent 2FA prompts: a module-level in-flight promise
collapses N parallel 401s into one modal; every awaiter shares the
refreshed session id.
- Defer `secureSessionId` clear until inside `openInternal` so the
fast-path (sibling tab refreshed the session) still has a chance to
recover before forcing the user through OTP entry.
- 403 path now rejects explicitly instead of `return`ing `undefined`,
preventing downstream `await api.x()` callers from receiving
`undefined` and crashing on property access while the route
navigation is still in flight.
- Drop the dead JSON `_preEncryptionData` snapshot. No `crypto: true`
JSON endpoint sits behind `RequireSecureSession()` (login/install are
pre-auth), so the snapshot only existed to retain plaintext
credentials on `error.config` where `console.error(error)` would
expose them.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(cert): add self-signed certificate type and config to model
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(cert): generate self-signed leaf certificates
Add GenerateSelfSigned / SelfSignedOptions plus five new error codes
(50032-50036) and a full TDD test suite covering valid cert output,
multiple key types, empty-SAN rejection, and invalid-IP rejection.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(cert): regenerate self-signed certificates with key reuse
Add RegenerateSelfSigned, SelfSignedOptionsFromModel, deriveSelfSignedCommonName,
loadSelfSignedKey, and parsePrivateKeyPEM to support re-issuing self-signed
certificates for the auto-renewal job, reusing the on-disk private key when possible.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(cert): add self-signed certificate renewal worker
Add auto-renewal worker for self-signed certificates that mirrors the
ACME renewal logic, using a dedicated shouldRenewSelfSignedCert threshold
function verified with TDD.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(cron): schedule self-signed certificate renewal
Register setupSelfSignedCertRenewalJob as a periodic cron job (every
30 minutes) in InitCronJobs, mirroring the existing setupAutoCertJob
pattern.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(api): add self-signed certificate generation endpoints
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(cert): add self-signed certificate frontend API
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(cert): add shared self-signed certificate fields component
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(cert): add self-signed certificate generation modal and list entry
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(cert): support self-signed certificates in the editor
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(site): generate self-signed certificates from the site editor
Extract hasTLSListen/ensureDirective/ensureTLSDirectives into a shared
useTLSDirectives composable, refactor ObtainCert.vue to use it, and add
SelfSignedCert.vue to the site cert tab so users can generate and apply
a self-signed certificate directly from the site editor.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(cert): validate self-signed key type and name IP-only renewals
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor(cert): apply code-review cleanup
- reuse certcrypto.ParsePEMPrivateKey instead of a hand-rolled PEM
private-key parser
- stop exporting the unused ensureDirective from useTLSDirectives
- use the AutoCertState enum instead of integer literals in certColumns
- allocate the renewal Logger only when renewal is attempted, avoiding a
per-tick goroutine and empty-log database write for non-due certificates
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(cert): address PR #1688 review feedback
- clean up the partial certificate directory when the initial write
fails, not just the database row
- log a warning when the existing self-signed private key cannot be
reused so operators notice the public-key fingerprint has changed
- defensively copy the model's Domains and IPAddresses slices in
SelfSignedOptionsFromModel
- require an explicit "Save now" confirmation after generating from the
site editor, and write the directives into the editor first so the
user can review the diff before saving
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(cert): harden self-signed certificate lifecycle
Reuse private keys on manual self-signed edits, make certificate writes safer, clean managed self-signed files on delete, and guard renewal against missing config.
* fix(cert): harden self-signed frontend handling
Avoid undefined certificate redirects, rely on payload defaults for self-signed fields, and parse TLS listen directives precisely.
* fix(site): satisfy strict listen regex lint
Escape the IPv6 listen closing bracket explicitly so the strict regexp lint rule accepts TLS listen parsing.
* fix(cert): harden self-signed key handling
Co-authored-by: Jacky <me@jackyu.cn>
* docs(cert): design merging self-signed entry into issue dialog
Spec for collapsing the Certificate list header from three actions to
two by adding a Self-signed option inside the existing Issue Certificate
dialog.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(cert): plan merging self-signed into issue dialog
Step-by-step plan that turns the spec into two scoped commits:
extend DNSIssueCertificate with a self-signed type, then drop the
standalone header button from the certificate list view.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(cert): add self-signed option in issue certificate dialog
Extend the Issue Certificate dialog's Certificate Type select with a
"Self-signed" option that swaps the form body to SelfSignedCertFields
and routes submission through cert.generate_self_signed(). ACME paths
(Wildcard / Custom Domains) are unchanged.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor(cert): drop standalone self-signed button from list header
Certificate creation is now consolidated under the Issue Certificate
dialog (which exposes Self-signed as a Certificate Type option), so
the duplicate header entry, its ref, handler, and modal mount are
removed.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(cert): design self-signed UX enhancements
Adds a reusable StringListInput, renewal-policy hint in the self-signed
form, and a required Name field (frontend + backend). Builds on the
prior merge spec.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(cert): plan self-signed UX enhancements
Six-task plan: extract StringListInput, require Name backend + test,
refactor SelfSignedCertFields with renewal hint, hide duplicate alert
in editor, seed/filter payloads with Name validation, and adopt
StringListInput in the ACME Custom Domains branch.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(ui): add StringListInput component
Reusable multi-row text input with Add/Remove buttons. Used in the
upcoming refactor of Custom Domains and self-signed Domains / IP
Addresses editors so all three share a single editor pattern.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(ui): simplify StringListInput model write and add a11y label
Replace the captured-index update closure with v-model:value on
items[index] so input events are guaranteed to write to the array
slot currently bound to the DOM input. Add an aria-label suffix
on the Remove button so screen readers can distinguish rows.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(cert): require Name when generating self-signed certificates
Adds binding:"required" to SelfSignedCertRequest.Name so an empty name
is rejected at the request boundary, and covers the contract with a
new API-level test.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(cert): unify self-signed editor and surface renewal hint
Switch Domains and IP Addresses to the shared StringListInput so all
self-signed field editors match the Custom Domains pattern. Add an
auto-renewal hint (suppressible via hideRenewalNote) and mark Name as
required to match the new backend contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* chore(cert): suppress duplicate renewal alert in cert editor
SelfSignedCertManagement already has its own renewal-status alert;
pass hide-renewal-note to SelfSignedCertFields to avoid showing two
adjacent alerts saying the same thing.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat(cert): seed and filter self-signed payloads, validate Name
StringListInput preserves empty placeholder rows for editing; seed
arrays with [''] in toSelfSignedPayload / emptySelfSignedPayload /
emptyForm so the editor always renders an empty row to type into.
Each submit/save path trims and filters the arrays before sending and
now rejects an empty Name client-side to match the new server contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor(cert): make SelfSignedCertPayload.name required
Every factory already seeds name as ''; the optional marker forced
defensive (name ?? '').trim() at three call sites. Align the type
with reality.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor(cert): use StringListInput for Custom Domains
Drop the inline multi-row template + add/remove helpers in favour of
the shared StringListInput component, matching the editor used by the
self-signed branch.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* chore(ui): regenerate components.d.ts for StringListInput
Auto-generated by unplugin-vue-components after the new component
was added under app/src/components/StringListInput/.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(cert): render key_type for both legacy and canonical forms
The backend's helper.GetKeyType normalizes key_type to its canonical
form (EC256, RSA2048…) on every write — self-signed generation as well
as the ModifyCert BeforeExecuteHook. The frontend PrivateKeyTypeMask
was keyed only by the legacy form (P256, 2048…), so maskRender returned
"/" for every cert that took a write path through normalization.
Two reported symptoms with the same root cause:
- New self-signed cert always shows "/" in the Key Type column
- Editing any ACME cert (issue #1697) flips its column to "/" after save
Add formatPrivateKeyType / normalizePrivateKeyType helpers that map both
forms to the frontend's legacy key. Use them in the list column renderer
and when loading certs into the self-signed and ACME editor forms so the
ASelect highlights the correct option.
Fixes#1697.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* style(cert): cap self-signed fields width at 600px
The fields stretched full-width inside the certificate editor page; cap
the form at 600px to match AutoCertManagement and keep the editing area
readable. Modal consumers were already bounded by their own width, so
the change is invisible there.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* chore: update translations
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Hintay <hintay@me.com>
* feat(dns): support IP version selection for DDNS
- Add ip_version setting (ipv4 / ipv6 / ipv4_ipv6 / ipv6_ipv4 /
both_required) persisted on DDNSConfig and exposed via the API
- Validate target record types against the selected version and reject
inconsistent combinations on save
- Probe public IPv4 and IPv6 endpoints concurrently so a stalled family
no longer eats the shared timeout budget
- Atomically create A/AAAA records when adding missing names and roll
back partial successes on failure
- Surface per-family resolution warnings instead of failing the whole
tick when at least one family resolves
- Frontend exposes an IP version selector and filters record options to
the families allowed by the active selection
* fix(dns): preserve DDNS missing record creation
Co-authored-by: Jacky <me@jackyu.cn>
* fix(dns): restore best-effort dual-stack semantics in record creation
Two fixes after reviewing a cursor agent commit that introduced
regressions:
- DDNSManager.vue: revert mode="tags" back to mode="multiple" and
drop the now-dead findSelectedRecordType helper. The placeholder
text is also updated to remove the misleading "Type or" prefix
since multiple-mode does not allow free input.
- createDDNSRecordsForMissingName: revert the unified "create whatever
family is available" behaviour. best-effort modes (ipv4_ipv6 /
ipv6_ipv4) again create only the first available family in policy
order; both_required keeps creating both atomically.
* refactor(dns): remove both_required DDNS mode
The "all-or-nothing" runtime semantic of both_required conflicts with the
user-accessibility goal of the upcoming sibling cleanup logic, and the
mode itself overlaps with dual-stack best-effort once cleanup exists.
Remove the constant, policy case, validation function, runtime
short-circuit, and error code.
* test(dns): drop both_required test coverage
* feat(dns/ui): drop both_required option from DDNS mode select
* feat(dns): persist cleanup flag and family failure timestamps
Add CleanupConflictingRecords (default true), IPv4FailedSince, and
IPv6FailedSince to model.DDNSConfig and the request/response DTOs.
toDDNSResponse seeds CleanupConflictingRecords=true for unconfigured
domains so the frontend form starts in the desired default state.
The new fields are wired through but no behavior changes yet.
* feat(dns): add isDualStackMode helper
* refactor(dns): silently skip records outside policy during save
UI filters records to the active IP version policy, so an explicit
mismatch error only fires for stale form state or direct API misuse.
Silent skip is more graceful and lets the existing empty-targets
check surface the real failure mode (ErrDDNSTargetRequired).
* feat(dns): auto-pair existing sibling records on save (dual-stack, flag on)
* feat(dns): auto-create missing sibling records on save (dual-stack, flag on)
* feat(dns): delete records of unreachable families on save
When dual-stack mode is active and CleanupConflictingRecords is on,
sibling records at managed names whose family is currently unreachable
get deleted from the provider. The handler returns the deleted-record
list so the frontend can surface a confirmation toast.
* test(dns): cover flag-off and single-stack save-time behavior
* feat(dns): track per-family IP detection failure timestamps
* feat(dns): evict targets of persistently failed families
Dual-stack DDNS configs with CleanupConflictingRecords enabled now
delete records of any family whose public IP has been undetectable for
longer than ddnsFamilyFailureGrace (default 1 hour). Single-stack
modes and the flag-off path skip this branch entirely.
* test(dns): cover runtime no-eviction and delete-failure retry paths
* feat(dns/ui): add cleanup conflicting records toggle (dual-stack only)
* feat(dns/ui): notify users of unmanaged sibling records in single-stack modes
* feat(dns/ui): toast when conflicting records are removed on save
* style(dns/ui): fix indent-binary-ops lint warning
* fix(dns): refuse save when no public IP detected (dual-stack cleanup mode)
Previously the §6.3 completion phase would happily delete every existing
sibling record of unreachable families even when neither family was
detected, leaving cfg.Targets empty and the domain at NXDOMAIN. Now we
short-circuit with ErrDDNSIPUnavailable before running §6.3, preserving
the user's DNS state until they recover connectivity.
* fix(dns): delete in-target records when family IP becomes unreachable
The §6.3 completion phase short-circuited on containsTargetForName
before checking whether the family's IP was still reachable. That meant
a user-selected A record at "home" survived a save under ipv4_ipv6 +
cleanup-on even when IPv4 stopped resolving, contradicting the
Appendix A "✗ / ✓ / on" row of the design spec.
Move the in-targets check inside the IP-detected branch so the
IP-undetected branch can still delete the stale record and pull it
out of targets. Adds tests covering the cross-family pivot plus the
previously-missing spec §10.2 cases (#4, #7, #11, #12, #13).
* fix(dns): persist cleanup flag and preserve failure timestamps on save
UpdateDDNSConfigWithDetails was constructing the new cfg without
carrying CleanupConflictingRecords from the input and without
preserving IPv4FailedSince / IPv6FailedSince from the existing
config. The former meant runtime eviction never triggered in
production (the cfg was always persisted with the flag at zero
value); the latter meant every save reset the family failure
grace timer to nil, indefinitely delaying eviction.
Both gaps slipped through the test matrix because no test
reloaded the cfg from the database after save. Add round-trip
regression tests for both fields plus the new GetDDNSConfig
default alignment.
Also surface delete-record provider failures via a dedicated
ErrDDNSRecordDeleteFailed code so users can distinguish them
from genuine "record not found" cases.
* fix(dns): use standard RFC3339 time format
Co-authored-by: Jacky <me@jackyu.cn>
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Jacky <me@jackyu.cn>
* feat(cert): add Status, LastError, LastAttemptAt fields
* feat(cert): sweep stale pending certs at startup
* feat(cert): invoke SweepStalePending at cron startup
* feat(cert): skip non-success status in auto-renew worker
* feat(cert): persist draft on issuance entry, status transitions on completion
* feat(cert): expose status, last_error, last_attempt_at on Cert type
* feat(cert): show Pending/Failed status badges in cert list
* feat(cert): add RetryCert component and wire into list actions
* feat(cert): inline Retry button on issuance error in wildcard modal
* chore(cert): minor cleanups after retry-on-failure review
- Remove unused model.FirstOrInit helper (last caller was rewritten in the issuance handler change).
- Normalize cleanup_test setupTestDB DSN to ":memory:" for per-test isolation, matching issue_test.go.
- Reset errored state in DNSIssueCertificate.open() as a defensive guard against stale state on modal reopen.
* refactor(cert): extract IssueCertModal wrapper shared by Renew and Retry
Both RenewCert.vue and RetryCert.vue carried near-identical AModal +
ObtainCertLive scaffolding (modalVisible/modalClosable refs, template ref,
modal props). Lift the shared shell into IssueCertModal.vue and expose a
single start() method returning Promise<CertificateResult>. The trigger
components now own only the parts that actually differ: button styling,
emit name, pre-issuance hook (certStore.save for Renew), and success toast.
* chore(cert): fix small bugs with review
- shortError now truncates by rune count instead of bytes, so non-ASCII
error messages (e.g. localized ACME / DNS provider errors) cannot be
split mid-rune. TestShortError gains a CJK case asserting valid UTF-8.
- Cert.last_attempt_at is typed string | null on the frontend to reflect
that the *time.Time pointer serializes as null for legacy / pre-attempt
rows.
- Drop redundant ?. on refModal / refObtainCertLive in the three click
handlers. The refs are bound to components rendered alongside their
trigger button, so they are guaranteed to be mounted by the time the
handler fires.
* fix(cert): guard certificate issuance ref before retry
Co-authored-by: Jacky <me@jackyu.cn>
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Jacky <me@jackyu.cn>
* fix: expand TLS includes for maintenance mode
Preserve maintenance-mode TLS handshake behavior by expanding allowed include files into ssl directives instead of copying include directives verbatim.
* fix: harden maintenance include path validation
Validate maintenance include paths before file-system access and add regression coverage for relative path escapes.
* refactor(site): simplify maintenance include expansion and tests
The advanced log search filters were almost entirely non-functional:
- The status filter issued a text term query against the numeric
"status" field, so it never matched any document.
- The IP and method filters used the field names "remote_addr" and
"request_method", which do not exist in the index ("ip" / "method").
- The path, user agent, referer, browser, OS and device filters were
never wired into the query builder.
Faceting on the numeric "status" field also used a terms facet, which
cannot bucket a numeric field and produced garbage prefix-coded terms.
Changes:
- Correct the IP and method field names in the query builder.
- Match status codes with inclusive numeric range queries.
- Wire in the missing path / user agent / referer (match phrase) and
browser / OS / device (term) filters.
- Split comma-joined browser/OS/device values in the search handler so
multi-select works.
- Facet the numeric status field with numeric ranges so the status
code distribution is accurate.
- Add regression tests covering every filter and the status facet
against a real Bleve index.
Closes#1669
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
When the official docker image is fronted by another reverse proxy that
terminates TLS, the container's inner nginx overwrote X-Forwarded-Proto
with its own $scheme (= http, because it listens on plain 80), breaking
CheckWebSocketOrigin's same-origin check on https deployments behind
e.g. Cloudflare or a host nginx.
Trust the inbound X-Forwarded-Proto/Host when present; fall back to
$scheme/$http_host only on direct connections.
The packageManager field in docs/package.json took precedence over the
corepack prepare step, causing pnpm v11 to be used in the documents
workflow despite the pin.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Fixed fatal error 'concurrent map iteration and map write' that caused
nginx-ui nodes to crash and become unresponsive.
The issue occurred when the sitecheck CollectSites() method iterated over
site.IndexedSites while the cache scanner's scanForSite() was concurrently
modifying the same map. This race condition caused sporadic crashes.
Solution:
- Added GetAllIndexedSites() function in internal/site/index.go that safely
returns a snapshot copy of the IndexedSites map while holding the read lock
- Modified CollectSites() in internal/sitecheck/checker.go to use this
thread-safe function instead of directly accessing the global map
Fixes#1673
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
0xJacky