chore: update AAGUIDs (#1128)

Co-authored-by: stonith404 <58886915+stonith404@users.noreply.github.com>

.version

@@ -1 +1 @@
-1.15.0
+1.16.0

CHANGELOG.md

@@ -1,3 +1,44 @@
+## v1.16.0
+
+### Bug Fixes
+
+- use `quoted-printable` encoding for mails to prevent line limitation ([5cf73e9](https://github.com/pocket-id/pocket-id/commit/5cf73e9309640d097ba94d97851cf502b7b2e063) by @stonith404)
+- automatically create parent directory of Sqlite db ([cfc9e46](https://github.com/pocket-id/pocket-id/commit/cfc9e464d983b051e7ed4da1620fae61dc73cff2) by @stonith404)
+- global audit log user filter not working ([d98c0a3](https://github.com/pocket-id/pocket-id/commit/d98c0a391a747f9eea70ea01c3f984264a4a7a19) by @stonith404)
+- theme mode not correctly applied if selected manually ([a1cd325](https://github.com/pocket-id/pocket-id/commit/a1cd3251cd2b7d7aca610696ef338c5d01fdce2e) by @stonith404)
+- hide theme switcher on auth pages because of dynamic background ([5d6a7fd](https://github.com/pocket-id/pocket-id/commit/5d6a7fdb58b6b82894dcb9be3b9fe6ca3e53f5fa) by @stonith404)
+
+### Documentation
+
+- add `ENCRYPTION_KEY` to `.env.example` for breaking change preparation ([4eeb06f](https://github.com/pocket-id/pocket-id/commit/4eeb06f29d984164939bf66299075efead87ee19) by @stonith404)
+
+### Features
+
+- light/dark/system mode switcher ([#1081](https://github.com/pocket-id/pocket-id/pull/1081) by @kmendell)
+- add support for S3 storage backend ([#1080](https://github.com/pocket-id/pocket-id/pull/1080) by @stonith404)
+- add support for WEBP profile pictures ([#1090](https://github.com/pocket-id/pocket-id/pull/1090) by @stonith404)
+- add database storage backend ([#1091](https://github.com/pocket-id/pocket-id/pull/1091) by @ItalyPaleAle)
+- adding/removing passkeys creates an entry in audit logs ([#1099](https://github.com/pocket-id/pocket-id/pull/1099) by @ItalyPaleAle)
+- add option to disable S3 integrity check ([a3c9687](https://github.com/pocket-id/pocket-id/commit/a3c968758a17e95b2e55ae179d6601d8ec2cf052) by @stonith404)
+- add `Cache-Control: private, no-store` to all API routes per default ([#1126](https://github.com/pocket-id/pocket-id/pull/1126) by @stonith404)
+
+### Other
+
+- update pnpm to 10.20 ([#1082](https://github.com/pocket-id/pocket-id/pull/1082) by @kmendell)
+- run checks on PR to `breaking/**` branches ([ab9c0f9](https://github.com/pocket-id/pocket-id/commit/ab9c0f9ac092725c70ec3a963f57bc739f425d4f) by @stonith404)
+- use constants for AppEnv values ([#1098](https://github.com/pocket-id/pocket-id/pull/1098) by @ItalyPaleAle)
+- bump golang.org/x/crypto from 0.43.0 to 0.45.0 in /backend in the go_modules group across 1 directory ([#1107](https://github.com/pocket-id/pocket-id/pull/1107) by @dependabot[bot])
+- add Finish files ([ca888b3](https://github.com/pocket-id/pocket-id/commit/ca888b3dd221a209df5e7beb749156f7ea21e1c0) by @stonith404)
+- upgrade dependencies ([4bde271](https://github.com/pocket-id/pocket-id/commit/4bde271b4715f59bd2ed1f7c18a867daf0f26b8b) by @stonith404)
+- fix Dutch validation message ([f523f39](https://github.com/pocket-id/pocket-id/commit/f523f39483a06256892d17dc02528ea009c87a9f) by @stonith404)
+- fix package vulnerabilities ([3d46bad](https://github.com/pocket-id/pocket-id/commit/3d46badb3cecc1ee8eb8bfc9b377108be32d4ffc) by @stonith404)
+- update vscode launch.json ([#1117](https://github.com/pocket-id/pocket-id/pull/1117) by @mnestor)
+- rename file backend value `fs` to `filesystem` ([8d30346](https://github.com/pocket-id/pocket-id/commit/8d30346f642b483653f7a3dec006cb0273927afb) by @stonith404)
+- fix wrong storage value ([b2c718d](https://github.com/pocket-id/pocket-id/commit/b2c718d13d12b6c152e19974d3490c2ed7f5d51d) by @stonith404)
+- run formatter ([14c7471](https://github.com/pocket-id/pocket-id/commit/14c7471b5272cdaf42751701d842348d0d60cd0e) by @stonith404)
+
+**Full Changelog**: https://github.com/pocket-id/pocket-id/compare/v1.15.0...v1.16.0
+
 ## v1.15.0
 
 ### Bug Fixes

backend/internal/bootstrap/router_bootstrap.go

@@ -63,6 +63,7 @@ func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {
 	rateLimitMiddleware := middleware.NewRateLimitMiddleware().Add(rate.Every(time.Second), 60)
 
 	// Setup global middleware
+	r.Use(middleware.NewCacheControlMiddleware().Add())
 	r.Use(middleware.NewCorsMiddleware().Add())
 	r.Use(middleware.NewCspMiddleware().Add())
 	r.Use(middleware.NewErrorHandlerMiddleware().Add())

backend/internal/middleware/cache_control.go

@@ -0,0 +1,26 @@
+package middleware
+
+import "github.com/gin-gonic/gin"
+
+// CacheControlMiddleware sets a safe default Cache-Control header on responses
+// that do not already specify one. This prevents proxies from caching
+// authenticated responses that might contain private data.
+type CacheControlMiddleware struct {
+	headerValue string
+}
+
+func NewCacheControlMiddleware() *CacheControlMiddleware {
+	return &CacheControlMiddleware{
+		headerValue: "private, no-store",
+	}
+}
+
+func (m *CacheControlMiddleware) Add() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		if c.Writer.Header().Get("Cache-Control") == "" {
+			c.Header("Cache-Control", m.headerValue)
+		}
+
+		c.Next()
+	}
+}

backend/internal/middleware/cache_control_test.go

@@ -0,0 +1,45 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCacheControlMiddlewareSetsDefault(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	router := gin.New()
+	router.Use(NewCacheControlMiddleware().Add())
+
+	router.GET("/test", func(c *gin.Context) {
+		c.Status(http.StatusOK)
+	})
+
+	req := httptest.NewRequest(http.MethodGet, "/test", http.NoBody)
+	w := httptest.NewRecorder()
+
+	router.ServeHTTP(w, req)
+
+	require.Equal(t, "private, no-store", w.Header().Get("Cache-Control"))
+}
+
+func TestCacheControlMiddlewarePreservesExistingHeader(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	router := gin.New()
+	router.Use(NewCacheControlMiddleware().Add())
+
+	router.GET("/custom", func(c *gin.Context) {
+		c.Header("Cache-Control", "public, max-age=60")
+		c.Status(http.StatusOK)
+	})
+
+	req := httptest.NewRequest(http.MethodGet, "/custom", http.NoBody)
+	w := httptest.NewRecorder()
+
+	router.ServeHTTP(w, req)
+
+	require.Equal(t, "public, max-age=60", w.Header().Get("Cache-Control"))
+}

frontend/.prettierrc

@@ -3,6 +3,6 @@
 	"singleQuote": true,
 	"trailingComma": "none",
 	"printWidth": 100,
-	"plugins": ["prettier-plugin-svelte", "prettier-plugin-tailwindcss"],
+	"plugins": ["prettier-plugin-tailwindcss", "prettier-plugin-svelte"],
 	"overrides": [{ "files": "*.svelte", "options": { "parser": "svelte" } }]
 }

frontend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pocket-id-frontend",
-  "version": "1.15.0",
+  "version": "1.16.0",
   "private": true,
   "type": "module",
   "scripts": {
@@ -45,7 +45,7 @@
     "formsnap": "^2.0.1",
     "globals": "^16.5.0",
     "mode-watcher": "^1.1.0",
-    "prettier": "^3.7.0",
+    "prettier": "^3.7.3",
     "prettier-plugin-svelte": "^3.4.0",
     "prettier-plugin-tailwindcss": "^0.7.1",
     "rollup": "^4.53.3",

frontend/src/app.css

@@ -1,6 +1,8 @@
 @import 'tailwindcss';
 @import 'tw-animate-css';
 
+@variant dark (&:where(.dark, .dark *));
+
 /*
   The default border color has changed to `currentcolor` in Tailwind CSS v4,
   so we've added these compatibility styles to make sure everything still

frontend/src/lib/components/form/searchable-multi-select.svelte

@@ -4,7 +4,7 @@
 	import * as Command from '$lib/components/ui/command';
 	import * as Popover from '$lib/components/ui/popover';
 	import { cn } from '$lib/utils/style';
-    import { m } from '$lib/paraglide/messages';
+	import { m } from '$lib/paraglide/messages';
 	import { LoaderCircle, LucideCheck, LucideChevronDown } from '@lucide/svelte';
 	import type { FormEventHandler } from 'svelte/elements';
 

frontend/src/lib/components/header/header.svelte

@@ -39,7 +39,9 @@
 			{/if}
 		</div>
 		<div class="flex items-center justify-between gap-4">
-			<ModeSwitcher />
+			{#if !isAuthPage}
+				<ModeSwitcher />
+			{/if}
 			{#if $userStore?.id}
 				<HeaderAvatar />
 			{/if}

frontend/src/lib/components/header/mode-switcher.svelte

@@ -1,11 +1,11 @@
 <script lang="ts">
-	import SunIcon from '@lucide/svelte/icons/sun';
 	import MoonIcon from '@lucide/svelte/icons/moon';
+	import SunIcon from '@lucide/svelte/icons/sun';
 
-	import { mode, resetMode, setMode } from 'mode-watcher';
-	import * as DropdownMenu from '$lib/components/ui/dropdown-menu/index.js';
 	import { buttonVariants } from '$lib/components/ui/button/index.js';
+	import * as DropdownMenu from '$lib/components/ui/dropdown-menu/index.js';
 	import { m } from '$lib/paraglide/messages';
+	import { mode, resetMode, setMode } from 'mode-watcher';
 
 	const isDark = $derived(mode.current === 'dark');
 </script>

frontend/src/lib/components/one-time-link-modal.svelte

@@ -36,7 +36,10 @@
 
 	async function createLoginCode() {
 		try {
-			code = await userService.createOneTimeAccessToken(userId!, availableExpirations[selectedExpiration]);
+			code = await userService.createOneTimeAccessToken(
+				userId!,
+				availableExpirations[selectedExpiration]
+			);
 			oneTimeLink = `${page.url.origin}/lc/${code}`;
 		} catch (e) {
 			axiosErrorToast(e);
@@ -45,7 +48,10 @@
 
 	async function sendLoginCodeEmail() {
 		try {
-			await userService.requestOneTimeAccessEmailAsAdmin(userId!, availableExpirations[selectedExpiration]);
+			await userService.requestOneTimeAccessEmailAsAdmin(
+				userId!,
+				availableExpirations[selectedExpiration]
+			);
 			toast.success(m.login_code_email_success());
 			onOpenChange(false);
 		} catch (e) {

frontend/src/lib/components/ui/skeleton/index.ts

@@ -1,7 +1,7 @@
-import Root from "./skeleton.svelte";
+import Root from './skeleton.svelte';
 
 export {
 	Root,
 	//
-	Root as Skeleton,
+	Root as Skeleton
 };

frontend/src/lib/components/ui/skeleton/skeleton.svelte

@@ -1,6 +1,6 @@
 <script lang="ts">
-	import { cn, type WithElementRef, type WithoutChildren } from "$lib/utils/style.js";
-	import type { HTMLAttributes } from "svelte/elements";
+	import { cn, type WithElementRef, type WithoutChildren } from '$lib/utils/style.js';
+	import type { HTMLAttributes } from 'svelte/elements';
 
 	let {
 		ref = $bindable(null),
@@ -12,6 +12,6 @@
 <div
 	bind:this={ref}
 	data-slot="skeleton"
-	class={cn("bg-accent animate-pulse rounded-md", className)}
+	class={cn('bg-accent animate-pulse rounded-md', className)}
 	{...restProps}
 ></div>

frontend/src/lib/services/api-service.ts

@@ -1,13 +1,13 @@
 import axios from 'axios';
 
 abstract class APIService {
-  protected api = axios.create({ baseURL: '/api' });
+	protected api = axios.create({ baseURL: '/api' });
 
-  constructor() {
-    if (typeof process !== 'undefined' && process?.env?.DEVELOPMENT_BACKEND_URL) {
-      this.api.defaults.baseURL = process.env.DEVELOPMENT_BACKEND_URL;
-    }
-  }
+	constructor() {
+		if (typeof process !== 'undefined' && process?.env?.DEVELOPMENT_BACKEND_URL) {
+			this.api.defaults.baseURL = process.env.DEVELOPMENT_BACKEND_URL;
+		}
+	}
 }
 
 export default APIService;

frontend/src/lib/services/webauthn-service.ts

@@ -4,35 +4,35 @@ import APIService from './api-service';
 import userStore from '$lib/stores/user-store';
 import type { AuthenticationResponseJSON, RegistrationResponseJSON } from '@simplewebauthn/browser';
 class WebAuthnService extends APIService {
-  getRegistrationOptions = async () => (await this.api.get(`/webauthn/register/start`)).data;
+	getRegistrationOptions = async () => (await this.api.get(`/webauthn/register/start`)).data;
 
-  finishRegistration = async (body: RegistrationResponseJSON) =>
-    (await this.api.post(`/webauthn/register/finish`, body)).data as Passkey;
+	finishRegistration = async (body: RegistrationResponseJSON) =>
+		(await this.api.post(`/webauthn/register/finish`, body)).data as Passkey;
 
-  getLoginOptions = async () => (await this.api.get(`/webauthn/login/start`)).data;
+	getLoginOptions = async () => (await this.api.get(`/webauthn/login/start`)).data;
 
-  finishLogin = async (body: AuthenticationResponseJSON) =>
-    (await this.api.post(`/webauthn/login/finish`, body)).data as User;
+	finishLogin = async (body: AuthenticationResponseJSON) =>
+		(await this.api.post(`/webauthn/login/finish`, body)).data as User;
 
-  logout = async () => {
-    await this.api.post(`/webauthn/logout`);
-    userStore.clearUser();
-  };
+	logout = async () => {
+		await this.api.post(`/webauthn/logout`);
+		userStore.clearUser();
+	};
 
-  listCredentials = async () => (await this.api.get(`/webauthn/credentials`)).data as Passkey[];
+	listCredentials = async () => (await this.api.get(`/webauthn/credentials`)).data as Passkey[];
 
-  removeCredential = async (id: string) => {
-    await this.api.delete(`/webauthn/credentials/${id}`);
-  };
+	removeCredential = async (id: string) => {
+		await this.api.delete(`/webauthn/credentials/${id}`);
+	};
 
-  updateCredentialName = async (id: string, name: string) => {
-    await this.api.patch(`/webauthn/credentials/${id}`, { name });
-  };
+	updateCredentialName = async (id: string, name: string) => {
+		await this.api.patch(`/webauthn/credentials/${id}`, { name });
+	};
 
-  reauthenticate = async (body?: AuthenticationResponseJSON) => {
-    const res = await this.api.post('/webauthn/reauthenticate', body);
-    return res.data.reauthenticationToken as string;
-  };
+	reauthenticate = async (body?: AuthenticationResponseJSON) => {
+		const res = await this.api.post('/webauthn/reauthenticate', body);
+		return res.data.reauthenticationToken as string;
+	};
 }
 
 export default WebAuthnService;

frontend/src/lib/types/advanced-table.type.ts

@@ -3,7 +3,7 @@ import type { Component, Snippet } from 'svelte';
 export type AdvancedTableColumn<T extends Record<string, any>> = {
 	label: string;
 	column?: keyof T & string;
-    key?: string;
+	key?: string;
 	value?: (item: T) => string | number | boolean | undefined;
 	cell?: Snippet<[{ item: T }]>;
 	sortable?: boolean;
@@ -12,9 +12,11 @@ export type AdvancedTableColumn<T extends Record<string, any>> = {
 		value: string | boolean;
 		icon?: Component;
 	}[];
-    hidden?: boolean;
+	hidden?: boolean;
 };
-export type CreateAdvancedTableActions<T extends Record<string, any>> = (item: T) => AdvancedTableAction<T>[];
+export type CreateAdvancedTableActions<T extends Record<string, any>> = (
+	item: T
+) => AdvancedTableAction<T>[];
 
 export type AdvancedTableAction<T> = {
 	label: string;

frontend/src/lib/utils/audit-log-translator.ts

@@ -9,8 +9,8 @@ export const eventTypes: Record<string, string> = {
 	DEVICE_CODE_AUTHORIZATION: m.device_code_authorization(),
 	NEW_DEVICE_CODE_AUTHORIZATION: m.new_device_code_authorization(),
 	PASSKEY_ADDED: m.passkey_added(),
-	PASSKEY_REMOVED: m.passkey_removed(),
-}
+	PASSKEY_REMOVED: m.passkey_removed()
+};
 
 /**
  * Translates an audit log event type using paraglide messages.

frontend/src/lib/utils/cached-image-util.ts

@@ -22,9 +22,13 @@ export const cachedApplicationLogo: CachableImage = {
 
 export const cachedDefaultProfilePicture: CachableImage = {
 	getUrl: () =>
-		getCachedImageUrl(new URL('/api/application-images/default-profile-picture', window.location.origin)),
+		getCachedImageUrl(
+			new URL('/api/application-images/default-profile-picture', window.location.origin)
+		),
 	bustCache: () =>
-		bustImageCache(new URL('/api/application-images/default-profile-picture', window.location.origin))
+		bustImageCache(
+			new URL('/api/application-images/default-profile-picture', window.location.origin)
+		)
 };
 
 export const cachedBackgroundImage: CachableImage = {

frontend/src/routes/settings/audit-log/global/+page.svelte

@@ -72,7 +72,7 @@
 							value,
 							label
 						}))
-					]}					
+					]}
 					bind:value={filters.event}
 				/>
 			</div>

pnpm-lock.yaml

@@ -141,14 +141,14 @@ importers:
         specifier: ^1.1.0
         version: 1.1.0(svelte@5.45.2)
       prettier:
-        specifier: ^3.7.0
-        version: 3.7.0
+        specifier: ^3.7.3
+        version: 3.7.3
       prettier-plugin-svelte:
         specifier: ^3.4.0
-        version: 3.4.0(prettier@3.7.0)(svelte@5.45.2)
+        version: 3.4.0(prettier@3.7.3)(svelte@5.45.2)
       prettier-plugin-tailwindcss:
         specifier: ^0.7.1
-        version: 0.7.1(prettier-plugin-svelte@3.4.0(prettier@3.7.0)(svelte@5.45.2))(prettier@3.7.0)
+        version: 0.7.1(prettier-plugin-svelte@3.4.0(prettier@3.7.3)(svelte@5.45.2))(prettier@3.7.3)
       rollup:
         specifier: ^4.53.3
         version: 4.53.3
@@ -2422,6 +2422,11 @@ packages:
     engines: {node: '>=14'}
     hasBin: true
 
+  prettier@3.7.3:
+    resolution: {integrity: sha512-QgODejq9K3OzoBbuyobZlUhznP5SKwPqp+6Q6xw6o8gnhr4O85L2U915iM2IDcfF2NPXVaM9zlo9tdwipnYwzg==}
+    engines: {node: '>=14'}
+    hasBin: true
+
   prismjs@1.30.0:
     resolution: {integrity: sha512-DEvV2ZF2r2/63V+tK8hQvrR2ZGn10srHbXviTlcv7Kpzw8jWiNTqbVgjO3IY8RxrrOUF8VPMQQFysYYYv0YZxw==}
     engines: {node: '>=6'}
@@ -3534,7 +3539,7 @@ snapshots:
   '@react-email/render@2.0.0(react-dom@19.2.0(react@19.2.0))(react@19.2.0)':
     dependencies:
       html-to-text: 9.0.5
-      prettier: 3.7.0
+      prettier: 3.7.3
       react: 19.2.0
       react-dom: 19.2.0(react@19.2.0)
 
@@ -4938,19 +4943,21 @@ snapshots:
 
   prelude-ls@1.2.1: {}
 
-  prettier-plugin-svelte@3.4.0(prettier@3.7.0)(svelte@5.45.2):
+  prettier-plugin-svelte@3.4.0(prettier@3.7.3)(svelte@5.45.2):
     dependencies:
-      prettier: 3.7.0
+      prettier: 3.7.3
       svelte: 5.45.2
 
-  prettier-plugin-tailwindcss@0.7.1(prettier-plugin-svelte@3.4.0(prettier@3.7.0)(svelte@5.45.2))(prettier@3.7.0):
+  prettier-plugin-tailwindcss@0.7.1(prettier-plugin-svelte@3.4.0(prettier@3.7.3)(svelte@5.45.2))(prettier@3.7.3):
     dependencies:
-      prettier: 3.7.0
+      prettier: 3.7.3
     optionalDependencies:
-      prettier-plugin-svelte: 3.4.0(prettier@3.7.0)(svelte@5.45.2)
+      prettier-plugin-svelte: 3.4.0(prettier@3.7.3)(svelte@5.45.2)
 
   prettier@3.7.0: {}
 
+  prettier@3.7.3: {}
+
   prismjs@1.30.0: {}
 
   prompts@2.4.2: