* chore: Replace lodash with es-toolkit
Migrate all direct lodash imports to es-toolkit/compat for a smaller,
faster, lodash-compatible utility library. Transitive lodash usage from
other packages remains unchanged.
* fix: Restore isPlainObject semantics in CanCan policy
The lodash migration aliased `isObject` to `lodash/isPlainObject` and
the codemod incorrectly mapped the local name to es-toolkit's `isObject`,
which also returns true for arrays and functions. This caused condition
objects in policy definitions to be skipped, breaking authorization
checks across the codebase.
* fix: Restore unicode-aware length counting in validators
es-toolkit/compat's size() returns string.length, while lodash's _.size()
counts unicode code points. Switch to [...value].length to preserve the
previous behavior so multi-byte characters like emoji count as one.
* feat: Extract search into pluggable provider system
Refactors the monolithic SearchHelper into a pluggable search provider
architecture, enabling alternative search backends (Elasticsearch,
Turbopuffer, etc.) while preserving PostgreSQL full-text search as the
default. The SEARCH_PROVIDER env var selects the active provider.
- Add BaseSearchProvider abstract class and SearchProviderManager
- Add Hook.SearchProvider to the plugin system
- Move PostgreSQL search logic into plugins/postgres-search/
- Add SearchIndexProcessor for event-driven index sync
- Update all callers to use the provider manager directly
- Keep SearchHelper as a deprecated thin wrapper for backwards compat
Closes#11347
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: Remove deprecated SearchHelper wrapper
All callers now use SearchProviderManager directly, so the thin
delegation wrapper is no longer needed.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: Rename postgres-search plugin to search-postgres
Renames the plugin folder and id so that future search provider plugins
(e.g. search-elasticsearch, search-turbopuffer) will be colocated
alphabetically.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: Remove special-case plugin import from SearchProviderManager
Make PluginManager.loadPlugins resilient to individual plugin load
failures so SearchProviderManager can use the standard getHooks path
without needing to directly import the search-postgres plugin.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* test: Add missing search provider tests for full coverage parity
Adds all tests that existed in the old SearchHelper.test.ts but were missing
from PostgresSearchProvider.test.ts, including searchTitlesForUser status
filters, collection filtering, group memberships, and sorting tests.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feedback
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Adds group sync from external authentication providers, allowing team group memberships to be automatically managed based on provider data on sign-in in the future.
* feat: Add support for configurable proxy IP header in environment settings
* Update server/env.ts
Remove mention of Koa from docs
Co-authored-by: Tom Moor <tom.moor@gmail.com>
* Update .env.sample
Remove mention of Koa from env sample.
Co-authored-by: Tom Moor <tom.moor@gmail.com>
---------
Co-authored-by: Tom Moor <tom.moor@gmail.com>
- Add pr-predeploy script and review environment config in app.json
- Use smaller addon tiers for review apps to reduce costs
- Auto-derive URL from HEROKU_APP_NAME when URL is not set
- Make URL optional for review apps
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* Add ALLOW_IP_ADDRESS_LIST environment variable
This adds support for allowing specific private IP addresses to be accessed
by the request-filtering-agent, which is useful for OIDC providers and
webhooks on private networks.
The environment variable accepts a comma-separated list of IP addresses
that should be allowed even if they are private IP addresses.
Example: ALLOW_IP_ADDRESS_LIST=10.0.0.1,192.168.1.100
Fixes issue with OIDC providers on private IP addresses being blocked.
* Rename environment variable to ALLOWED_PRIVATE_IP_ADDRESSES
Changed from ALLOW_IP_ADDRESS_LIST to ALLOWED_PRIVATE_IP_ADDRESSES
for better clarity and naming consistency.
---------
Co-authored-by: codegen-sh[bot] <131295404+codegen-sh[bot]@users.noreply.github.com>
* Improve webhook disabling heuristic with time-based analysis
- Add WEBHOOK_FAILURE_TIME_WINDOW environment variable (default: 24 hours)
- Add WEBHOOK_FAILURE_RATE_THRESHOLD environment variable (default: 80%)
- Replace simple count-based logic with time-window failure rate analysis
- Require minimum 5 deliveries in time window before disabling
- Add comprehensive logging for webhook failure analysis
- Update email template to reflect new time-based approach
Addresses GitHub issue #9788 by making webhook disabling smarter and
considering time factors instead of just consecutive failure counts.
* Fix Logger.warn type error
Remove extra 'task' parameter from Logger.warn call to match the correct
signature: Logger.warn(message: string, extra?: Extra)
* Update WEBHOOK_FAILURE_TIME_WINDOW to use seconds instead of hours
- Change default value from 24 (hours) to 86400 (seconds)
- Update time conversion logic from hours*60*60*1000 to seconds*1000
- Rename timeWindowHours variable to timeWindowSeconds for clarity
- Update documentation comments to reflect seconds-based configuration
This provides more granular control while maintaining the same default
behavior (24 hours = 86400 seconds).
* Improve webhook failure logging and analysis threshold
- Only log webhook failure analysis when failedDeliveries.length > 0
- Extract hardcoded minimum deliveries threshold to constant
- Update minimum deliveries threshold from 5 to 10 for more reliable analysis
This reduces log noise when there are no failures and requires more data
points before considering webhook disabling.
---------
Co-authored-by: codegen-sh[bot] <131295404+codegen-sh[bot]@users.noreply.github.com>
* Upgrade @typescript-eslint dependencies from v6.21.0 to v8.33.0
- Updated @typescript-eslint/eslint-plugin from ^6.21.0 to ^8.33.0
- Updated @typescript-eslint/parser from ^6.21.0 to ^8.33.0
- Tested linting functionality to ensure compatibility
- This brings the latest TypeScript ESLint features and bug fixes
* lint
* tsc
---------
Co-authored-by: codegen-sh[bot] <131295404+codegen-sh[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com>
* Add support for individual database environment variables
- Add DATABASE_HOST, DATABASE_PORT, DATABASE_NAME, DATABASE_USER, DATABASE_PASSWORD env vars
- Implement mutual exclusivity validation between DATABASE_URL and individual components
- Add effectiveDatabaseUrl getter to construct URL from individual components
- Update database connection logic to use new configuration options
- Ensure backward compatibility with existing DATABASE_URL configuration
Resolves: https://github.com/outline/outline/discussions/9158
* Refactor database configuration methods
- Move effectiveDatabaseUrl method from env.ts to database.ts as getEffectiveDatabaseUrl function
- Remove validateDatabaseConfiguration method from env.ts as validation is handled by decorators
- Maintain clean separation of concerns between environment and database modules
* Pass database options directly to Sequelize constructor
- Replace URL construction with direct Sequelize configuration object
- Support both DATABASE_URL string and individual component object configurations
- Maintain common Sequelize options for both configuration types
- Improve error messaging for different configuration scenarios
* remove spurious comments
* tsc
---------
Co-authored-by: codegen-sh[bot] <131295404+codegen-sh[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com>
This PR contains the necessary work to make Outline an OAuth provider including:
- OAuth app registration
- OAuth app management
- Private / public apps (Public in cloud only)
- Full OAuth 2.0 spec compatible authentication flow
- Granular scopes
- User token management screen in settings
- Associated API endpoints for programatic access
* Add SMTP_SERVICE environment variable for well-known services
* Fix PR #8777: Restore code in teams.ts and users.ts
* The rest of the work
* fix validation
---------
Co-authored-by: codegen-sh[bot] <131295404+codegen-sh[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom.moor@gmail.com>
* Add Discord Provider Prototype
* Add Discord Logo
* Add Plugin to Plugin Manager
* fixed discord auth support and added icon
* add csv role verification
* grab discord server icon and test server id and roles
* subdomain derived from server name
* use discord server specific nickname if available
* Cleanup and comment
* move discord api types to dev deps
* cleanup of server vs default params
* remove commented out lines
* revert envv.development
* revert in vscode
* update yarn lock
* add gif support for discord server icon
* add comment with docs link
* add env section for discord
* fix errors and clarify env
* add new cannot use without
* fix suggestions
* fix: public env vars using decorator
* fix: relocate
* fix: use env.public
* fix: register public env vars across plugins
* fix: test
* fix: tsc
* fix: mark remaining ones as public
* fix: move oidc ones to plugin
* fix: prevent overwrite
* fix: review
* Separate environment configs
* wip
* wip
* test
* plugins
* test
* test
* .sequelizerc, unfortunately can't go through /utils/environment due to not supporting TS
* docker-compose -> docker compose
* fix: .local wipes .development
* Add custom validation message for invalid SECRET_KEY (often confused)
Tom Moor