* fix: Unable to link secondary auth provider on custom domain
* doc
* chore: Custom -> Apex transfer token
* Refactor, address security concerns
* Ensure OAuth intent is single-use
* Secure OAuth state actor binding
* Use scrypt for OAuth actor session binding
* wip
* Remove obsolete snapshots
* simplify
* chore(test): Convert mocks to TypeScript and tighten fetch mock types
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* Remove unnecessary patches
* Migrate to msw instead of custom fetch mock
* Address PR review comments
- Split chained vi.useFakeTimers().setSystemTime() into separate calls.
- Switch test setup to dynamic imports so EventEmitter.defaultMaxListeners
assignment runs before module init (static imports were hoisted above it).
- Drop redundant NODE_ENV guard in monkeyPatchSequelizeErrorsForJest; its
sole caller already gates on env.isTest.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* chore: Replace lodash with es-toolkit
Migrate all direct lodash imports to es-toolkit/compat for a smaller,
faster, lodash-compatible utility library. Transitive lodash usage from
other packages remains unchanged.
* fix: Restore isPlainObject semantics in CanCan policy
The lodash migration aliased `isObject` to `lodash/isPlainObject` and
the codemod incorrectly mapped the local name to es-toolkit's `isObject`,
which also returns true for arrays and functions. This caused condition
objects in policy definitions to be skipped, breaking authorization
checks across the codebase.
* fix: Restore unicode-aware length counting in validators
es-toolkit/compat's size() returns string.length, while lodash's _.size()
counts unicode code points. Switch to [...value].length to preserve the
previous behavior so multi-byte characters like emoji count as one.
* chore: resolve no-explicit-any lint warnings in plugins
Replaces uses of `any` in the plugins directory with concrete types,
`unknown`, or structured type assertions, addressing the remaining
typescript-eslint(no-explicit-any) warnings flagged by oxlint.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* chore: address review feedback in GitLabIssueProvider
Drop trailing semicolon from log string and add early return in
`destroyNamespace` when neither `user_id` nor `full_path` is present
to avoid an unnecessary full-scan transaction.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Adds group sync from external authentication providers, allowing team group memberships to be automatically managed based on provider data on sign-in in the future.
* Add ReactionsCreate notification event type
- Add ReactionsCreate to NotificationEventType enum and defaults
- Add notification settings UI with SmileyIcon and proper labels
- Create ReactionsCreateNotificationsTask to handle comment reactions
- Update NotificationsProcessor to handle comments.add_reaction events
- Add eventText and path handling in client Notification model
- Notifications are enabled by default but never send emails
* Applied automatic fixes
* Show the actual emoji in the notification
* Cleanup notifications if reaction is removed
* PR feedback
---------
Co-authored-by: codegen-sh[bot] <131295404+codegen-sh[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com>
* Fix OIDC well-known discovery for subdirectories
- Fix URL construction in fetchOIDCConfiguration to properly handle issuer URLs with subdirectories
- Replace incorrect use of new URL() constructor that was treating well-known path as absolute
- Add proper path concatenation that preserves subdirectories in issuer URLs
- Add comprehensive test cases for subdirectory scenarios
- Fixes issue where https://auth.example.com/application/o/outline/ would incorrectly resolve to https://auth.example.com/.well-known/openid-configuration instead of https://auth.example.com/application/o/outline/.well-known/openid-configuration
Fixes #9535
* Refactor to use wellKnownPath variable instead of hardcoded path
- Use wellKnownPath.substring(1) to remove leading slash when appending to pathname
- Eliminates duplication of the .well-known/openid-configuration path
- Improves maintainability by using the existing variable consistently
* Simplify logic by checking pathname does not end with slash
- If pathname doesn't end with slash, append full wellKnownPath (with leading slash)
- If pathname ends with slash, append wellKnownPath without leading slash
- Eliminates need for substring() by using the slash logic more elegantly
---------
Co-authored-by: codegen-sh[bot] <131295404+codegen-sh[bot]@users.noreply.github.com>
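The discovery-URL resolution problem described in the commit series above, as an added example that is not part of the commits or of the project's code. The function names `naiveDiscoveryUrl`, `discoveryUrl` and `misroutedIssuers` are hypothetical, and every issuer except the one quoted in the commit message is constructed.

```javascript
// Added illustration: function names are hypothetical, not the project's own code.
const wellKnownPath = "/.well-known/openid-configuration";

// The behaviour the commit replaces: a reference starting with "/" is resolved
// against the origin, so every path segment of the issuer is discarded.
function naiveDiscoveryUrl(issuer) {
  return new URL(wellKnownPath, issuer).toString();
}

// The slash rule from the last commit in the series: keep the issuer's
// pathname and append the well-known path with exactly one "/" between them.
function discoveryUrl(issuer) {
  const url = new URL(issuer);
  url.pathname += url.pathname.endsWith("/")
    ? wellKnownPath.slice(1)
    : wellKnownPath;
  return url.toString();
}

// First issuer is the one quoted in the commit message; the rest are constructed.
const issuers = [
  "https://auth.example.com/application/o/outline/",
  "https://auth.example.com/application/o/outline",
  "https://auth.example.com",
];

// Returns the issuers for which the naive construction asks a different
// endpoint than the path-preserving one.
function misroutedIssuers(list) {
  return list.filter((i) => naiveDiscoveryUrl(i) !== discoveryUrl(i));
}

for (const issuer of issuers) {
  console.log(issuer, "->", discoveryUrl(issuer));
}
console.log("misrouted by naive construction:", misroutedIssuers(issuers));
```

On a host that serves several issuers under different paths, the naive URL either fails discovery or fetches whatever metadata is published at the root, so a test suite for this code should include issuers with and without a trailing slash.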
* Upgrade Prettier to v3.6.2 and eslint-plugin-prettier to v5.5.1
- Upgraded prettier from ^2.8.8 to ^3.6.2 (latest version)
- Upgraded eslint-plugin-prettier from ^4.2.1 to ^5.5.1 for compatibility
- Applied automatic formatting changes from new Prettier version
- All existing ESLint and Prettier configurations remain compatible
* Applied automatic fixes
* Trigger CI
---------
Co-authored-by: codegen-sh[bot] <131295404+codegen-sh[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com>
* Fall back to id_token if profile does not contain username or email
* More comments
* Add error handling to id_token decode
* simplify username fallback logic using nullish coalescing
Co-authored-by: Tom Moor <tom.moor@gmail.com>
* make id_token decoding more tolerant of malformed or invalid tokens
---------
Co-authored-by: Tom Moor <tom.moor@gmail.com>
* Add Discord Provider Prototype
* Add Discord Logo
* Add Plugin to Plugin Manager
* fixed discord auth support and added icon
* add csv role verification
* grab discord server icon and test server id and roles
* subdomain derived from server name
* use discord server specific nickname if available
* Cleanup and comment
* move discord api types to dev deps
* cleanup of server vs default params
* remove commented out lines
* revert envv.development
* revert in vscode
* update yarn lock
* add gif support for discord server icon
* add comment with docs link
* add env section for discord
* fix errors and clarify env
* add new cannot use without
* fix suggestions
* fix: public env vars using decorator
* fix: relocate
* fix: use env.public
* fix: register public env vars across plugins
* fix: test
* fix: tsc
* fix: mark remaining ones as public
* fix: move oidc ones to plugin
* fix: prevent overwrite
* fix: review
* Separate environment configs
* wip
* wip
* test
* plugins
* test
* test
* .sequelizerc, unfortunately can't go through /utils/environment due to not supporting TS
* docker-compose -> docker compose
* fix: .local wipes .development
* Add custom validation message for invalid SECRET_KEY (often confused)