* wip
* Remove obsolete snapshots
* simplify
* chore(test): Convert mocks to TypeScript and tighten fetch mock types
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* Remove unneccessary patches
* Migrate to msw instead of custom fetch mock
* Address PR review comments
- Split chained vi.useFakeTimers().setSystemTime() into separate calls.
- Switch test setup to dynamic imports so EventEmitter.defaultMaxListeners
assignment runs before module init (static imports were hoisted above it).
- Drop redundant NODE_ENV guard in monkeyPatchSequelizeErrorsForJest; its
sole caller already gates on env.isTest.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix: Ensure OTP is bound to teamId
* fix: Address review feedback on OTP tenant scoping
- Trim whitespace in VerificationCode Redis keys to match DB lookup
normalization.
- Redirect with invalid-code (rather than leaking a backend error)
when no user exists for the email in the resolved team.
- Correct retrieve() JSDoc to state undefined instead of null.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix: Validate host parameter stored in OAuth state on auth failure path
* fix: Validate OAuth state host to prevent open redirect
Sanitize the host parameter from OAuth state before using it in error
redirects. Adds userinfo stripping to parseDomain's normalizeUrl to
prevent bypasses like "subdomain.base@evil.com", validates custom
domains against registered teams, and introduces Team.findByDomain
with input normalization for consistent domain lookups.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* Upgrade @typescript-eslint dependencies from v6.21.0 to v8.33.0
- Updated @typescript-eslint/eslint-plugin from ^6.21.0 to ^8.33.0
- Updated @typescript-eslint/parser from ^6.21.0 to ^8.33.0
- Tested linting functionality to ensure compatibility
- This brings the latest TypeScript ESLint features and bug fixes
* lint
* tsc
---------
Co-authored-by: codegen-sh[bot] <131295404+codegen-sh[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com>
* feat: Add POST method option to redirectOnClient helper
* Applied automatic fixes
* fix: Add missing closing HTML tag in redirectOnClient GET method
* fix: Use lodash escape for form field values to prevent XSS
* Applied automatic fixes
* fix: Add missing lodash/escape import
* Applied automatic fixes
* fix: Escape all URLs in redirectOnClient function
* Update index.ts
* fix: CSP
* Refactor CSP middleware
* docs, only use for email signin
---------
Co-authored-by: codegen-sh[bot] <131295404+codegen-sh[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com>
* Add SMTP_SERVICE environment variable for well-known services
* Fix PR #8777: Restore code in teams.ts and users.ts
* The rest of the work
* fix validation
---------
Co-authored-by: codegen-sh[bot] <131295404+codegen-sh[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom.moor@gmail.com>
* helper
* Add script to move notification settings
* wip, removal of NotificationSettings
* event name
* iteration
* test
* test
* Remove last of NotificationSettings model
* refactor
* More fixes
* snapshots
* Change emails to class instances for type safety
* test
* docs
* Update migration for self-hosted
* tsc
Tom Moor