Commit Graph

1600 Commits

Author SHA1 Message Date
Damodar Lohani 4b7ec5569f Merge remote-tracking branch 'origin/1.9.x' into feat-docker-geo-18x
# Conflicts:
#	src/Appwrite/Platform/Modules/Databases/Http/Databases/Logs/XList.php
#	src/Appwrite/Platform/Modules/Databases/Http/TablesDB/Logs/XList.php
2026-04-23 01:19:01 +00:00
Matej Bačo 0d27c59cb8 Merge branch '1.9.x' into feat-public-project-policies 2026-04-22 09:57:48 +02:00
Matej Bačo efc37c68ec Merge branch '1.9.x' into feat-project-smtp-endpoints 2026-04-22 09:50:08 +02:00
Matej Bačo 06eb550e98 Finalize tests 2026-04-21 16:56:00 +02:00
Matej Bačo ba4430801d Merge branch 'feat-project-templates-api' into feat-project-smtp-endpoints 2026-04-20 14:49:04 +02:00
Matej Bačo 2f62cced0a Merge branch '1.9.x' into feat-project-smtp-endpoints 2026-04-20 14:46:42 +02:00
Matej Bačo f040a4dc31 More backwards compatibility 2026-04-20 11:58:55 +02:00
Matej Bačo bc592903db Support reply to name 2026-04-20 11:47:06 +02:00
Matej Bačo 6b66923f18 Fix delete response placeholder audit label 2026-04-19 19:36:24 +02:00
Chirag Aggarwal d86258a6f6 fix: restore runtime guards and widen types missed by PHPStan cleanup
Three follow-ups from CI that the level-4 pass got wrong:

1. `account.php` / `users.php`: `Document::find()` returns `mixed`
   (specifically `Document|false` in practice), not `Document`. The
   earlier `@var Document $oldTarget` docblocks were lies, and the
   runtime `instanceof Document` guards were load-bearing — removing
   them caused `Call to a member function isEmpty() on false` 500s
   on the `PATCH /v1/users/:id/email` and `/phone` endpoints (and the
   analogous `/v1/account/email`, `/v1/account/phone` flows). Dropped
   the misleading `@var` docblocks and restored
   `$oldTarget instanceof Document && !$oldTarget->isEmpty()`.

2. `Installer/Runtime/Config::setEnabledDatabases()` is a boundary
   that actually takes arbitrary user/compose input — not a trusted
   `string[]`. The `is_string($v)` filter was covering for that, and
   `ConfigTest::testSetEnabledDatabasesFiltersInvalid` explicitly
   asserts it. Widened the PHPDoc to `array<mixed>` and restored
   `is_string($v) && $v !== ''` in the filter.

3. `OAuth2/Apple::getAppSecret()` wrapped `json_decode` in a
   `try/catch (\Throwable)` — but `json_decode` without
   `JSON_THROW_ON_ERROR` returns `null` on failure, it doesn't throw.
   PHP 8.3's PHPStan flagged the catch as dead (PHP 8.5 didn't, which
   is why it slipped through locally). Replaced with
   `if (!\is_array($secret)) throw`, which preserves the original
   "invalid secret" guard.
2026-04-19 17:52:51 +05:30
Chirag Aggarwal d2230f8fe7 chore: bump PHPStan to level 4 and fix all new errors
Raises `phpstan.neon` level from 3 to 4 and fixes the 549 new errors
that level 4 surfaces across 157 files. Fixes are root-cause — no
`@phpstan-ignore`, no `@var` casts, no baseline entries, no widened
types. A handful of latent bugs were fixed along the way:

- `app/controllers/general.php`: path-traversal guard was negating
  `\substr(...)` before the strict comparison (`!\substr(...) === $base`
  was always `false === $base`). Rewritten as `\substr(...) !== $base`.
- `src/Appwrite/Platform/Modules/Databases/Http/Databases/Logs/XList.php`
  and `.../TablesDB/Logs/XList.php`: were importing the raw Matomo
  `DeviceDetector` (whose `getDevice()` returns `?int`) but treating the
  result as an array with `deviceName/deviceBrand/deviceModel` keys.
  Swapped to `Appwrite\Detector\Detector`, matching the wrapper already
  used a few lines below for `$os`/`$client`.
- `src/Appwrite/Platform/Modules/Functions/Workers/Builds.php`: a match
  key was checking `$resourceKey === 'functions'` when `$resourceKey`
  is `'functionId'|'siteId'` — always false. Switched to the intended
  `$resource->getCollection() === 'functions'` check.
- `src/Appwrite/OpenSSL/OpenSSL.php`: `encrypt()` return type tightened
  to `string|false` to match `openssl_encrypt`; this lets callers'
  `=== false` error handling remain meaningful.
- `app/controllers/api/messaging.php`: removed a dead
  `array_key_exists('from', [])` branch in the Msg91 provider (empty
  array literal; branch was unreachable).

Large cleanup categories across the 549 fixes:
- Removed redundant `?? default` on array offsets and expressions that
  PHPStan now knows are non-nullable.
- Removed unreachable statements (mostly `return;` after `throw` or
  `markTestSkipped()`).
- Removed redundant `is_array`/`is_string`/`is_bool`/`instanceof` checks
  on already-narrowed types.
- Added `default =>` arms (or throwing arms) to non-exhaustive matches
  on `string`/`mixed` input.
- Removed dead `$document === false` branches where method return types
  were tightened to non-nullable `Document`.
- Removed unused properties (`$version` on Etsy/Zoom OAuth2, `$paths` on
  Installer State, `$source` on MigrationsWorker, `$account2` on two
  GraphQL auth tests), unused traits (`ApiVectorsDB`, `DatabaseFixture`),
  and an unused `cleanupStaleExecutions` task method.
- Replaced `assertTrue(true)` and redundant `assertIsArray`/`assertIsString`/
  `assertNotNull` assertions with `addToAssertionCount(1)` or
  `assertNotEmpty` where the runtime type was already known.
2026-04-19 17:31:20 +05:30
Damodar Lohani 2b30747566 Merge remote-tracking branch 'origin/1.9.x' into feat-docker-geo-18x 2026-04-18 09:30:31 +00:00
Matej Bačo e06b06a21b Merge branch '1.9.x' into feat-fallback-email-template 2026-04-17 11:53:40 +02:00
Matej Bačo 11f23fdcfa Rework email templates PR after discussions 2026-04-17 10:52:21 +02:00
Damodar Lohani aa46fadc03 Merge remote-tracking branch 'origin/1.9.x' into feat-docker-geo-18x 2026-04-16 05:12:43 +00:00
Damodar Lohani cd7cea6b64 fix: inject 'bus' instead of 'queueForMails' for $createSession routes
$createSession expects Bus $bus at position 12 (after the 1.9.x Bus
refactor), but two routes still injected 'queueForMails' (Mail) causing
TypeError at runtime. The third route (deprecated magic URL wrapper)
already had the correct 'bus' injection.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 02:21:10 +00:00
Matej Bačo 590f063694 Remove remaining sms leftover 2026-04-15 18:40:29 +02:00
Matej Bačo 2b42487198 Linter fix 2026-04-15 18:30:06 +02:00
Matej Bačo 0da185e689 Refactor fixes 2026-04-15 18:17:55 +02:00
Matej Bačo dc39af50a1 Support for worldwide fallback custom template for all project emails 2026-04-15 18:05:46 +02:00
Damodar Lohani 3b434a5ae2 Merge origin/1.9.x into feat-docker-geo-18x
Resolve conflicts in app/controllers/api/account.php by keeping HEAD's
GeoRecord injection (the branch's core feature) and adopting main's Bus
pattern for session alerts:

- Drop the local sendSessionAlert() helper function; session alerts are
  now dispatched via Bus
- $createSession signature: replace Mail $queueForMails with Bus $bus
- Same swap in the email/password login action and the deprecated magic
  URL session update action
- Two inline sendSessionAlert() calls replaced with
  $bus->dispatch(new SessionCreated(user, project, session, locale))
- Add 'use Appwrite\Bus\Events\SessionCreated;' and 'use Utopia\Bus\Bus;'
  imports
- Other Mail $queueForMails injections (Magic URL, OTP, verification,
  recovery emails) are unaffected — they remain on the Mail queue

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 03:24:11 +00:00
Damodar Lohani c6e32940f4 Merge branch '1.9.x' into CLO-4175-allow-delete-with-memberships 2026-04-13 07:21:38 +05:45
loks0n dd29967e99 refactor: tighten Mails listener with guard clauses and lean event
- SessionCreated event now carries only domain data (no isFirstSession)
- Mails listener uses ordered guard clauses, deferring the DB query
  until cheaper checks pass
- Drop $user Document allocation in favour of direct array access
- Inline FileName validator and $smtpEnabled into their use sites
- Extract $isBranded to eliminate duplicate APP_BRANDED_EMAIL_BASE_TEMPLATE check

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-09 14:01:13 +01:00
loks0n 4133ec99ae feat: extract session alert email into Mails listener
Moves session alert email side effect out of the account controller
into a dedicated `Mails` listener that reacts to a new `SessionCreated`
bus event. The event is now always dispatched on session creation; the
listener owns all conditional logic (first session, sessionAlerts flag,
email-link sessions, user email presence).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-09 14:01:13 +01:00
Damodar Lohani 0fe78cfb32 Merge branch '1.9.x' into feat-docker-geo-18x 2026-04-09 07:33:02 +05:45
Damodar Lohani d6f51a96a5 Merge branch '1.9.x' into CLO-4175-allow-delete-with-memberships 2026-04-09 07:32:30 +05:45
Harsh Mahajan 929bdcef25 Merge branch '1.9.x' into feat-x-oauth2-provider 2026-04-08 17:55:00 +05:30
Harsh Mahajan 3f725c6be9 changes 2026-04-08 17:44:49 +05:30
Damodar Lohani a926ac23eb Fix geodb resource resolution and rename leftover variable
- Make geodb resource return null gracefully when MaxMind DB is not
  registered (geo service replaces it)
- Rename $geodb -> $geoRecord in magic-url session endpoint for clarity

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 07:46:03 +00:00
Damodar Lohani 1d626d41d2 Merge branch '1.9.x' into feat-docker-geo-18x
Resolve merge conflicts:
- Adapt geo resources to use $container->set() DI pattern
- Keep GeoRecord type hints while adding domainVerification/cookieDomain params
- Remove duplicate resources already moved to request.php

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 07:10:06 +00:00
loks0n 7781d377ae fix: persist session before purging user cache in email/password login
Swap the order of createDocument('sessions') and purgeCachedDocument('users')
in the email/password session creation flow. Previously, the cache was purged
before the session was written, opening a race window in Swoole's async
environment where a concurrent account.get() could re-cache the user with no
sessions, causing sessionVerify to fail with a 401. This matches the correct
ordering already used by the token-based flows (magic URL, OTP, phone).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-07 21:44:24 +01:00
Damodar Lohani 8442a1e612 Merge branch '1.9.x' into CLO-4175-allow-delete-with-memberships 2026-04-07 06:27:57 +05:45
Chirag Aggarwal 1f7fc4bd40 Use request-scoped domain verification 2026-04-06 12:43:05 +05:30
Chirag Aggarwal 221b52bac0 Add request-scoped cookie domain resource 2026-04-06 12:30:25 +05:30
Chirag Aggarwal b8eb0810c2 Make response sensitive mode instance-scoped 2026-04-06 10:24:32 +05:30
Damodar Lohani cc82b1a5cf fix: don't promote non-owners on account deletion, leave team orphaned instead
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 07:15:35 +00:00
Damodar Lohani ba32012744 fix: filter unconfirmed members from owner count, ownership transfer, and primary user transfer
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 07:11:32 +00:00
Damodar Lohani 4297c70f58 fix: address review feedback — safer orphan approach, veteran ordering, deduplicate transfer
- Remove team deletion for sole owner+sole member case; let orphan teams
  be cleaned up by Cloud's inactive project cleanup (safer, avoids
  accidental data loss)
- Add explicit ordering by $createdAt so the most veteran member gets
  ownership transfer, with limit(1) for clarity
- Remove confirm filter on primary user transfer in membership deletion
  so all members (including unconfirmed) are considered
- Remove redundant ownership transfer from Deletes worker since the API
  controller already handles it before queueing

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 05:22:02 +00:00
Damodar Lohani 0638797cd7 Merge branch '1.9.x' into feat-docker-geo-18x
Resolve merge conflicts:
- account.php: combine GeoRecord (PR) with plan parameter (base)
- registers.php: keep PHPMailer import (PR side)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 03:41:25 +00:00
Damodar Lohani 16ed60a5c3 Filter unconfirmed members when transferring team ownership
Prevent unconfirmed (pending invite) members from being promoted to
owner or set as the team's primary user during membership/account
deletion by adding a Query::equal('confirm', [true]) filter to the
relevant findOne queries.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 02:02:09 +00:00
Damodar Lohani d831b93934 Allow deleting user account with active memberships
Instead of blocking account deletion when the user has confirmed team
memberships, handle memberships gracefully during deletion:

- Sole owner + sole member: delete the team and queue project cleanup
- Sole owner + other members: transfer ownership to the next member
- Non-owner / multiple owners: no special handling needed (worker cleans up)

Also update the Deletes worker to transfer the team's primary user
reference when removing a deleted user's memberships.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 01:43:05 +00:00
Matej Bačo 7c50bbc500 Merge branch '1.9.x' into feat-disposable-emails 2026-04-02 11:05:19 +02:00
Chirag Aggarwal 33f8e35b62 chore: remove phpstan baseline 2026-04-01 23:01:11 +05:30
Matej Bačo c1dde09070 Merge branch '1.9.x' into feat-disposable-emails 2026-04-01 15:14:10 +02:00
Claude 95168674a3 fix: address PR #10824 review comments for geo service integration
- Add restart policy and logging config to appwrite-geo docker service
- Fix auth denylist condition bug (wrong parentheses) and normalize country codes
- Use geoRecord->isEu() directly instead of re-checking config in general.php
- Add array type guard for geo service JSON response in resources.php
- Add getGeoForIp callable resource with per-IP caching for log endpoints
- Fix all log endpoints to look up geo per log entry IP instead of using
  the viewer's geoRecord, which was returning the same country for all logs

https://claude.ai/code/session_01JUg4bHzgpHrkvZdPeKsTVM
2026-04-01 04:21:23 +00:00
Claude ea54253036 Merge 1.9.x into claude/sync-1.9.x-fix-tests-z2pw7
Resolve conflicts in docker-compose.yml, Documents/Logs/XList.php,
and TablesDB/Rows/Logs/XList.php. Keep geoRecord (new geo service)
while integrating getDatabasesDB from 1.9.x. Fix 6 additional
auto-merged files that incorrectly used geodb/locale instead of
geoRecord.

https://claude.ai/code/session_01Pp3FnMwnJqph6ohBatUFYL
2026-03-29 03:56:36 +00:00
Harsh Mahajan 614db7388e fix: push 2026-03-26 17:59:30 +05:30
Harsh Mahajan 85703d29e1 addressed greptile suggestions 2026-03-23 19:08:12 +05:30
Harsh Mahajan 6f177a0a7a Merge branch '1.9.x' into feat-x-oauth2-provider 2026-03-23 17:50:29 +05:30
Harsh Mahajan dc48bb35ef added pkce to base 2026-03-23 17:49:42 +05:30