57a811eb5d
chore: update utopia-php/database to stable 5.* and run composer update
...
Agent-Logs-Url: https://github.com/appwrite/appwrite/sessions/045dbae8-cb3c-42ae-bfa0-144d0680ba26
Co-authored-by: abnegate <5857008+abnegate@users.noreply.github.com >
2026-04-29 07:29:48 +00:00
e985d8724b
Merge remote-tracking branch 'origin/1.9.x' into unique-exception
...
# Conflicts:
# composer.json
# composer.lock
# tests/e2e/Services/Databases/DatabasesBase.php
Co-authored-by: abnegate <5857008+abnegate@users.noreply.github.com >
2026-04-29 06:49:59 +00:00
dae9cbcf45
Merge pull request #12070 from appwrite/realtime-action-channels
...
Realtime action channels
2026-04-29 10:49:13 +05:30
547709a1d8
Merge pull request #12167 from appwrite/feat/impersonation-query-params
...
feat: add query param fallback for impersonation headers
2026-04-28 19:51:23 +05:30
2a357511ea
fix: use unique emails and phone in query param impersonation test
2026-04-28 19:17:25 +05:30
67d24d3ef1
Merge branch '1.9.x' into feat/impersonation-query-params
2026-04-28 19:11:14 +05:30
87ed7c3817
feat: add query param fallback for all impersonation params and simplify tests
2026-04-28 19:10:55 +05:30
3d3f5934c6
Merge pull request #11993 from appwrite/feat-public-oauth2-endpoints
...
Feat: Public project OAuth2 configuration API
2026-04-28 12:41:50 +02:00
f0cbfbbbe4
fix: use assertEmpty for impersonatorUserId to match response model
2026-04-28 14:31:49 +05:30
cb4cff120b
Add Keycloak oauth support
2026-04-28 10:54:13 +02:00
49e6a38e7f
Add fusionauth oauth
2026-04-28 10:43:16 +02:00
dfa3ae5274
Fix tests
2026-04-28 10:19:36 +02:00
543765a22a
Improve copy
2026-04-28 10:15:45 +02:00
e2bb9a9161
Simplify oauth endpoints
2026-04-28 10:08:39 +02:00
bda823ac0e
chore: format
2026-04-28 13:38:00 +05:30
3dd5a51ba4
style: fix method argument spacing (Pint PSR-12)
2026-04-28 13:34:01 +05:30
5afc8f462d
fix: allow same-site in CSRF guard to support Console on subdomains
2026-04-28 13:26:13 +05:30
ed0c7b4e12
test: add CSRF attack prevention test for impersonateUserId query param
2026-04-28 13:24:15 +05:30
d25707346f
Add console oauth endpoint
2026-04-28 09:47:27 +02:00
a3f6cf4645
fix: restrict CSRF guard to same-origin only, drop same-site
2026-04-28 13:00:18 +05:30
9a175c5098
test: add E2E tests for impersonateUserId query param and CSRF guards
2026-04-28 12:56:17 +05:30
5465be6301
fix: make CSRF guard fail-closed by requiring explicit same-origin Sec-Fetch-Site
2026-04-28 12:27:57 +05:30
46a457bfa3
fix: block impersonateUserId query param on cross-site requests to prevent CSRF
2026-04-28 12:10:51 +05:30
4c989f99c3
fix: cast impersonateUserId query param to string to prevent array injection
2026-04-28 12:05:02 +05:30
8f1d73a6cb
chore: clarify intentional header-only restriction for email/phone impersonation
2026-04-28 12:02:00 +05:30
01b5fa8ecb
fix: restrict impersonation query param fallback to userId only
...
Remove query param fallback for impersonateEmail and impersonatePhone
to avoid PII exposure in server logs, browser history, and Referer
headers. Only impersonateUserId (an opaque internal ID) is safe to
pass via URL query param.
2026-04-28 11:58:25 +05:30
d73b7a70d8
feat: add query param fallback for impersonation headers
...
Allow impersonation to be specified via URL query params
(?impersonateUserId, ?impersonateEmail, ?impersonatePhone) as a
fallback to the existing headers, enabling Console to embed
impersonation in direct file/image URLs where headers cannot be set.
2026-04-28 11:44:39 +05:30
cefd063c55
Merge pull request #12165 from appwrite/fix/CLO-4280-getheader-string-coerce
...
fix: coerce non-string header values in Request::getHeader
2026-04-28 10:43:40 +05:45
c924cbcc59
Merge pull request #12166 from appwrite/fix/CLO-4279-favicon-empty-body
...
fix: guard DOMDocument::loadHTML against empty body in favicon endpoint
2026-04-28 10:32:32 +05:45
81321e82d1
Update src/Appwrite/Platform/Modules/Avatars/Http/Favicon/Get.php
...
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
2026-04-28 10:05:01 +05:45
30a511692b
test: add unit coverage for Request::getHeader non-string coercion
...
Refs CLO-4280
2026-04-28 04:15:00 +00:00
9637409831
fix: coerce non-string header values in Request::getHeader
...
Closes CLO-4280
2026-04-28 03:54:35 +00:00
c4f6b11706
fix: guard DOMDocument::loadHTML against empty body in favicon endpoint
...
Closes CLO-4279
2026-04-28 03:54:34 +00:00
ad4178aa42
Fix missing lib params for domain
2026-04-27 18:33:30 +02:00
1f16b0d9e7
Fix failing startup
2026-04-27 18:21:21 +02:00
015aee087a
Fix write only security
2026-04-27 18:04:22 +02:00
50d86c5b5d
Update ci.yml
2026-04-27 17:45:52 +02:00
3d43530225
Fix failing test
2026-04-27 17:41:13 +02:00
d0d536a2dd
Improve test coverage
2026-04-27 17:40:49 +02:00
4b620bb31a
Improve test coverage
2026-04-27 17:27:23 +02:00
ca7f36a9b8
Fix bugs by improving tests
2026-04-27 17:17:57 +02:00
ec3c7f1ad6
Fix failing oauth tests
2026-04-27 17:02:53 +02:00
ecba11eba5
Brin back removed tests
2026-04-27 16:54:53 +02:00
7a96b024b3
Fix tests
2026-04-27 16:51:01 +02:00
4ba413fcc0
Fix bugs when implementing tests
2026-04-27 16:50:14 +02:00
af95e71244
Add OAUth update tests
2026-04-27 16:02:19 +02:00
ee1eea5c0c
oauth tests setup
2026-04-27 15:51:54 +02:00
b28b851bb2
microsoft oauth endpoint
2026-04-27 15:49:44 +02:00
70b9c60e2c
test(Messaging): validate that bare functions channel is not emitted in published channels
2026-04-27 18:46:04 +05:30
cb8640b56f
feat(Realtime): enhance channel management for user authentication and account actions
2026-04-27 18:24:52 +05:30
copilot-swe-agent[bot]
ArnabChatterjee20k
Harsh Mahajan
harsh mahajan
Matej Bačo
Matej Bačo
Damodar Lohani
Damodar Lohani
ArnabChatterjee20k