The blocker plugin only accepts literal IP/CIDR strings; Caddy's built-in
'private_ranges' shorthand is not understood by third-party modules.
Expand it to the equivalent CIDR list at config-build time.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- CSP script-src 'unsafe-eval' is now dev-only; Next.js HMR needs it in
  development but the production standalone build does not
- Remove X-Frame-Options: DENY since frame-ancestors 'none' in CSP supersedes
  it in all modern browsers; keeping both creates a maintenance hazard
- Add comment explaining why state check is added alongside PKCE default
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Replace empty string "" salt with Buffer.alloc(0) for explicit intent
  in security-critical HKDF call
- Add console.warn when legacy SHA-256 decryption path is taken so
  operators can track when all secrets have been re-encrypted
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Change providerSubjectIdx from index to uniqueIndex in schema.ts to
  prevent multiple users sharing the same (provider, subject) pair,
  which caused non-deterministic sign-in resolution via findFirst.
- Add migration 0008_unique_provider_subject.sql: DROP the existing
  non-unique index and CREATE UNIQUE INDEX in its place.
- Validate INSTANCE_SYNC_MAX_BYTES env var in sync route: fall back to
  10 MB default when the value is non-numeric (e.g. 'off') or
  non-positive, preventing NaN comparisons that silently disabled the
  size limit.
- Return a generic error message to callers on applySyncPayload /
  applyCaddyConfig failure instead of leaking the raw error string;
  the original message is still stored internally via setSlaveLastSync.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
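
The NaN failure mode named in the INSTANCE_SYNC_MAX_BYTES item above, as an added example that is not the project's own code. It assumes the unvalidated value was converted with `Number()`; every function name and the sample sizes are hypothetical, and only the variable name and the 10 MB default come from the commit message.

```javascript
// Added illustration, not code from the repository.
// 10 MB default, as stated in the commit message.
const DEFAULT_MAX_BYTES = 10 * 1024 * 1024;

// Assumed "before" behaviour: convert the env value without validating it.
// Number('off') is NaN, and every relational comparison against NaN is false.
function naiveMaxBytes(raw) {
  return Number(raw);
}

// Validated parse: anything non-numeric, non-finite or non-positive
// falls back to the default instead of becoming the limit.
function resolveMaxBytes(raw) {
  const n = Math.floor(Number(raw));
  if (!Number.isFinite(n) || n <= 0) {
    return DEFAULT_MAX_BYTES;
  }
  return n;
}

// The size check a sync route would apply to an incoming payload.
function exceedsLimit(sizeBytes, limitBytes) {
  return sizeBytes > limitBytes;
}

// Constructed sample: a 50 MB payload checked against several env values.
function demo() {
  const payloadBytes = 50 * 1024 * 1024;
  const rows = [];
  for (const raw of ['off', '-1', '', undefined, '1048576']) {
    rows.push({
      raw,
      naiveRejects: exceedsLimit(payloadBytes, naiveMaxBytes(raw)),
      validatedLimit: resolveMaxBytes(raw),
      validatedRejects: exceedsLimit(payloadBytes, resolveMaxBytes(raw)),
    });
  }
  return rows;
}

console.table(demo());
```

With `'off'` or an unset variable the naive check never rejects the 50 MB payload, while the validated limit rejects it in every row.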
New field from upstream plugin: when the real client IP is
indeterminate (trusted proxy present but no usable XFF entry),
fail_closed=true blocks the request instead of passing it through.
- Add fail_closed to GeoBlockSettings type
- Include in mergeGeoBlockSettings (OR semantics: either global or host enables it)
- Emit fail_closed in buildBlockerHandler (only when true)
- Parse geoblock_fail_closed from form in both settings and proxy-host actions
- Add Checkbox UI in the Advanced accordion of GeoBlockFields
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The outpost upstream was being passed directly to Caddy's dial field with the
full URL (http://host:port), but Caddy expects just host:port. This was causing
DNS lookup errors with a leading slash (/authentik.bologna.local.fuo.fi).
Now properly parses the URL to extract just the hostname and port.
The outpost route now preserves the original request host (e.g., email.fuo.fi)
instead of changing it to the upstream host. This allows Authentik to properly
construct redirect URLs after processing authentication callbacks.