* feat: add QuickBooks Online marketplace plugin
Add a QuickBooks Online Accounting API plugin with OAuth2 authentication,
86 API operations via OpenAPI spec, and @spec/ convention for DB-stored
spec files. Includes server-side spec hosting infrastructure and a fix
for duplicate footer rendering on marketplace OAuth2 datasource config pages.
* chore: update submodule pointers
* fix: use parent transaction for spec file DB operations
storeSpecFiles and updateSpecFilesForReload were wrapping each file
insert/update in a separate dbTransactionWrap call, creating independent
transactions instead of participating in the outer install/upgrade
transaction. This could leave orphan File entities if the plugin save
failed. Now uses the parent manager directly.
* fix: use sandbox API URL, remove testConnection, add state param
- Default to sandbox-quickbooks.api.intuit.com (development apps require it)
- Remove testConnection and customTesting (OAuth flow validates connection)
- Add state parameter to auth URL (required by QuickBooks)
- Add access_token validation guard in run()
- Preserve existing refresh_token if provider doesn't reissue
- Remove environment dropdown and company_id from manifest
- Add debug logging for OAuth flow tracing
* Chore: Migrate all OpenAPI plugins from external URLs to @spec/ convention (#15904)
* chore: migrate all OpenAPI plugins from external URLs to @spec/ convention
Downloads 78 OpenAPI spec files from external URLs (7 plugins from
adishM98/base-repo-testing personal repo, 2 from official provider repos,
1 from S3) and stores them locally in openapi-specs/ directories. Updates
all operations.json files to use @spec/<kind>/<name> references, which
are resolved to DB-stored specs at install time.
Eliminates runtime dependency on external GitHub repos for spec rendering.
* chore: remove one-time spec migration script
* POST string body
---------
Co-authored-by: Rudhra Deep Biswas <rudra21ultra@gmail.com>
Co-authored-by: gsmithun4 <gsmithun4@gmail.com>
* fix: update migration to seed module versions only on the push-modules branch
* fix: drop module origin branch staging table after processing all organizations
* fix: add FK constraints, unique constraint, and down() to group_admins migration
* fix: add explicit FK constraint names to group_admins migration
* feat: add GroupAdmin TypeORM entity
* fix: add Organization relation to GroupAdmin entity
* feat: add group-admin FEATURE_KEY entries and feature configs
* feat: add CE no-op stub for GroupAdminService
* feat: register GroupAdminService/Controller in module; add group-admin controller (CE stub + EE impl)
* feat: pass user to getAllGroup(); update interface and CE service signature
* test: add e2e tests for group-admin assign, revoke, scoped access, and auto-revocation
* fix: correct imports and tsconfig for group-admin e2e test
- fix entity imports: use @entities alias instead of src/entities
- fix module imports: use @modules alias instead of src/modules
- remove unused findEntityOrFail import from test-helper
- add jest to tsconfig types array for test type definitions
- add test-helper path mapping to tsconfig for proper resolution
* fix: register GroupAdmin entity in TypeOrmModule.forFeature for DI
* fix: grant workspace admins all group-admin feature keys in ability factory
* feat: add group-admin service methods
Add getGroupAdmins, getAddableAdmins, assignGroupAdmin, revokeGroupAdmin methods to groupPermissionV2Service following existing fetch pattern.
* feat: allow group-admin builders to access Groups link in workspace settings
Add is_group_admin and canManageGroups to conditionObj (both useState initializer
and subscribe handler). Change Groups link condition from ['admin'] to
['canManageGroups'] to allow admin OR group-admin builders.
* feat: add Group Admins tab to group permission resources
* fix: handle missing default groups for group-admin builders; hide admin-only controls
* feat: make permissions and granular access tabs read-only for group-admin builders; hide role-change in users tab
* feat: implement GroupAdminOrAdminRoute for session validation; enhance group admin management features
* feat: add GET_USER_ADMIN_GROUPS feature and update related permissions; enhance user group management
* feat: enhance group admin functionality; add builder role and improve admin assignment tests
* Fix: Add compiler options to tsconfig.build.json
* refactor: revert configs for test suite
* feat: enhance group admin functionality with feature access checks and user removal permissions
* feat: add option to duplicate group admins in duplicate group
* feat: enhance group permissions management
- Updated FeatureAbilityFactory to include additional checks for builder permissions and group-specific access.
- Modified GroupPermissionsController to apply FeatureAbilityGuard for various endpoints, ensuring proper permission checks.
- Enhanced GranularPermissionsController with appropriate guards for better access control.
- Refactored GroupExistenceGuard to improve group validation logic and error handling.
- Updated GroupPermissionsModule to streamline service and utility registrations.
- Added unit tests for FeatureAbilityFactory and GroupExistenceGuard to ensure robust permission handling.
* feat: implement afterUpdateUserRole method in RolesService
* feat: refactor GroupPermissionsUtilService usage in GroupPermissionsModule
* feat: enhance group permissions copyright and icons, minor bug fixes:
* Bug fixes
Co-authored-by: Copilot <copilot@github.com>
* bugz
Co-authored-by: Copilot <copilot@github.com>
---------
Co-authored-by: Rudhra Deep Biswas <rudra21ultra@gmail.com>
Co-authored-by: Copilot <copilot@github.com>
* feat: introduce module_reference_id for stable versioning across environments
* fix: update versionId assignment to use module_reference_id for consistency
* feat: update module version handling to use module_reference_id for stable versioning
* feat: enhance module definition caching for improved content refresh on version switch
* feat: enhance module version handling to differentiate between DRAFT and user-pinned versions
* feat: update moduleReferenceId handling to ensure UUIDs are assigned only for module-type apps
* feat: add moduleReferenceId generation using UUID for module-only migrations
* feat: refactor module version cloning to use UUID for module_reference_id and enhance app version handling
* feat: enhance module export logic to handle branch-local versions and prevent name collisions
* feat: lock source version during cloning to ensure stable app version selection across iterations
* Feature: add self-host AI support in licensing module
* chore: update submodule commits for frontend and server
* Feature: add self-host AI check in LicenseBase class
* chore: update submodule commit for server
* Feature: add AITripleSparkles icon and update icon switch case
* chore: update submodule commit for frontend
* Feature: add BYOK support in LicenseBase and related modules
* Feature: add updateKey function to aiService and new route for LLM key in breadcrumbs
* Feature: add getKeySettings function to aiService and update service exports
* chore: update submodule commits for frontend and server
* Feature: add LLM_KEY_ENV_CONFIGURED to INSTANCE_SYSTEM_SETTINGS and create migration for its initial value
* chore: update submodule commits for frontend and server
* chore: update submodule commits for frontend and server
* chore: update submodule commit for frontend
* refactor: replace selfhostAI and byok with aiPlan in LicenseBase and related files
* chore: update submodule commits for frontend and server
* chore: update submodule commits for frontend and server
refactor: enhance error handling in sendMessage function
* refactor: adjust formatting in generatePayloadForLimits function for consistency
* feat: add EncryptionModule registration and LLM_API_KEY enum to instance settings
* chore: update submodule commits for frontend and server
* feat: implement handleAITextResponse for improved API response handling and update aiPlan logic in LicenseBase
* chore: update submodule commits for frontend and server
* chore: update submodule commits for frontend and server
* chore: update submodule commit for server
* feat: update aiPlan logic to include selfhostai and byok options
* chore: update submodule commit for server
* chore: mark subproject commits as dirty for frontend and server
* feat: simplify AI plan check in LicenseBase class
* feat: add update and get key settings features to AI ability
* feat: implement organization AI key management with rotation and migration
* chore: update submodule commit for server
* chore: update subproject commit for server
* chore: update subproject commit for server
* chore: update subproject commit for server
* chore: update subproject commits for frontend and server
* chore: update subproject commit for frontend
* chore: update subproject commit reference in server/ee
* chore: update subproject commit reference in frontend/ee
---------
Co-authored-by: Kartik Gupta <gupta.kartik18kg@gmail.com>
* feat: Folder permission system
* fix(group-permissions): resolve custom group validation, folder edit check, and UI inconsistencie
* edit folder container && no folder in custom resource
* fix the ui for custom in empty state
* fix: coercion logic for folder permissions
* feat: enhance folder permissions handling in app components
* feat: add folder granular permissions handling in user apps permissions
* feat: implement granular folder permissions in ability guard and service
* feat: improve error handling for folder permissions with specific messages
* feat: enhance EnvironmentSelect component to handle disabled state and improve display logic
* chore: bump ee submodules
* add basic framework to support platform git
* feat: Update permission prop to isEditable in BaseManageGranularAccess component
* chore: bump ee server submodule
* fix: refine folder visibility logic based on user permissions
* feat: enhance MultiValue rendering and styling for "All environments" option
* fix:Uniqueness-of-data-source
* revert folder changes
* fix folder imports
* feat: allow app lazy loading
feat: import all apps of branches
* feat: implement folder ownership checks and enhance app permissions handling
* fix:ui changes
* feat: update WorkspaceGitSyncModal UI
* feat: enhance folder permissions handling for app ownership and actions
* chore: clarify folder creation and deletion permissions in workspace context
* fix: pull commit button & swtich branch visibility
* feat: import app from git repo
* fix: freezed state
* remove reference of activebranchId
* fix linting
* fix: update folder permission labels
* fixed folder permission cases
* fixed css class issue
* fix: datasource UI
* minor fix
* feat: streamline folder permissions handling by removing redundant checks and simplifying access logic
* refactor: made error message consistent
* fix:ui changes and PR fetching on master
* fix: datasource and snapshot creation
* fix: app rendering and stub loading
* fix: add missing permission message for folder deletion action
* refactor: consolidate forbidden messages for folder actions and maintain consistency
* fix: allow pull into current branch
* fix renaming of tags and reload on branch switch
* fix: allow branches import from git
* fix:push or tab removed
* feat: streamline permission handling and improve app visibility logic
* fix: remove default access denial message in AbilityGuard
* fixed all user page functionality falky case
* feat: add workspace-level PR fetch endpoint (returns all repo PRs without app filtering)
* fix: remove app_branch_table
* Fixed profile flaky case
* fixed granular access flaky case
* fix: allow branch creation from tags
* fix: update default branch creation logic to use provider config
* fix: dso and dsv operations on codebase
* fix: constants reloading and refetch org git details on data
* uniquness per branch
* removed comment
* fix: update app version handling and add is_stub column for branch-level tracking
* fix workspace branch backfilling for scoped branches
* added unique constraint - migration
* fix: update app version unique constraint to include branchId for branch-aware handling
* fix: update subproject commit reference in server/ee
* chore: revert package-lock.json
* chore: revert frontend/package-lock.json to main
* removed banner and changed migration
* minor fix
* fix: remove unused import and handle UUID parse error gracefully in AppsUtilService
* fix: update app stub checks to safely access app_versions
* refactor: revert folder operations
* fix: removed branch id logic
* fix: ds migration
* fix encrypted diff logic
* fix: update openCreateAppModal to handle workspace branch lock
* fix: subscriber filtering, freeze priority, meta hash optimization, and co_relation_id backfill
* feat: add script to generate app metadata from app.json files
* fix: meta script
fix: backfilling of co-realtion-ids
* refactor: streamline parameter formatting in workspace git sync adapter methods
* Improves data source handling for workspace git sync
Fixes workspace git sync to properly recognize data sources across branches by improving correlation ID handling and branch-aware data source version creation.
Uses strict equality comparison in deep equal utility to prevent type coercion issues.
Excludes credential_id from data source comparison to prevent unnecessary save button states.
Removes is_active filter from branch data source queries to include all versions for proper synchronization.
* refactor: update branch switching logic and improve error handling for data source creation
* fix: migration order
* 🚀 chore: update submodules to latest main after auto-merge (#15628)
Co-authored-by: gsmithun4 <3417097+gsmithun4@users.noreply.github.com>
* chore: update version to 3.21.8-beta across all components
* fix:import app from device
* fix:ui Edit&launch,folderCopy,branching dropdown in apps and ds
* fix:encrypted helper text on master
* fix: import from git flow
* logs cleanup
* fix:migration-datasource-uniqueness
* fix: app on pull
* chore: update server submodule hash
* fix: corelation-id generation and version naming
* fix: last versions deletion error
fix: no multiple version creation
* fix:ui and toast
* chore: update server submodule hash
* feat: add branch handling for app availability and improve error handling
* fix: update encrypted value handling in DynamicForm and improve workspace constant validation logic
* fix: improve formatting of help text in DynamicForm and enhance error message for adding constants on master branch
* fix: correct version creation and pull in default branch
* chore: update server submodule hash
fix: remove logs from other PR
* fix:data source uniquness at workspace level
* fix: update header component logic for path validation and improve version import handling
* chore: update server submodule to latest commit
* fixed folder modal changes
* fix:failed to create a query error inside apps
* feat: add branchId support for data source versioning in app import/export service
* fix: push & pull of tags and versions
* fix: update subproject commit reference in server/ee
* fix:removed gitSync logic from module rename
* fix:removed switchbranch modal & allowed renaming from masted module&workflow creation
* chore: Update server submodule hash
* fix: change stub button to edit
* refactor/git-sync-remove-modules-workflows
* fix:version name for module and workflo
w
* fix:templet app creation
* fix: add author details for branch
---------
Co-authored-by: gsmithun4 <gsmithun4@gmail.com>
Co-authored-by: Pratush <pratush@Pratushs-MBP.lan>
Co-authored-by: Shantanu Mane <maneshantanu.20@gmail.com>
Co-authored-by: parthy007 <parthadhikari1812@gmail.com>
Co-authored-by: Yukti Goyal <yuktigoyal02@gmail.com>
Co-authored-by: Muhsin Shah <muhsinshah21@gmail.com>
Co-authored-by: Adish M <44204658+adishM98@users.noreply.github.com>
Co-authored-by: gsmithun4 <3417097+gsmithun4@users.noreply.github.com>
Co-authored-by: Parth <108089718+parthy007@users.noreply.github.com>
* feat: track last_accessed_at per workspace
- Add migration to add last_accessed_at (NOT NULL, default now()) to organizations table
- Add lastAccessedAt field to Organization entity
- Update validateUserSession() to accept organizationId and fire-and-forget update last_accessed_at (throttled to once per 5 min)
- Update generateLoginResultPayload() to unconditionally update last_accessed_at on login and workspace switch
- Update jwt.strategy.ts to extract organizationId before validateUserSession() call
- Update ISessionService interface to reflect new validateUserSession signature
* public app support and refactor
* time fix
* chore: update version to 3.20.124-lts across all components
---------
Co-authored-by: Shubham Gupta <shubham@Shubhams-MacBook-Air.local>
Co-authored-by: gsmithun4 <gsmithun4@gmail.com>
* feat(custom-domains): add custom domains module for Cloud edition
Full-stack implementation of custom domains feature:
- Backend: entity, migration, repository, CE module stubs, DTOs, ability/guard
- Backend: CloudFeatureGuard on all EE endpoints (Cloud-only)
- Frontend: API service, Zustand store, ManageCustomDomainPage
- License gating via LICENSE_FIELD.CUSTOM_DOMAINS
- Cloudflare Custom Hostnames API integration (EE provider)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat(custom-domains): add CORS, cookie, scheduler, and e2e tests
- Dynamic CORS origin with 5-min cache for custom domain support
- Cookie SameSite=None when ENABLE_CUSTOM_DOMAINS is set
- Status polling scheduler for pending Cloudflare domain verification
- E2e test suite with Polly.js record/replay for cloud edition
- UI layout fix for custom domain settings page
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat(custom-domains): add frontend domain detection and routing
- Add isCustomDomain() helper to detect non-TOOLJET_HOST hostnames
- Resolve custom domain to workspace in authorizeWorkspace before
session validation
- Resolve custom domain in AuthRoute for login page org config
- Load organization relation in findActiveDomain repository query
- Update e2e test to verify organizationSlug in resolve response
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: make all URLs custom-domain-aware
When a workspace has a custom domain configured, all generated URLs
(emails, SSO redirects, share links, settings pages) now use that
domain instead of TOOLJET_HOST.
Licensing:
- Add customDomains getter to LicenseBase with plan-level defaults
- Register LICENSE_FIELD.CUSTOM_DOMAINS in license helper
- Add customDomain to features response for frontend access
- Add customDomains to Terms interface
Frontend:
- Make getHostURL() custom-domain-aware using isCustomDomain()
- Replace 14 inline TOOLJET_HOST references with getHostURL()
(SSO modals, OAuth callbacks, invite links, app URLs, etc.)
Backend:
- Add CustomDomainCacheService (Redis-backed, 5-min TTL)
- Add findActiveByOrganizationId() to repository
- Add optional host param to generateInviteURL/generateOrgInviteURL
- Add getHostForOrganization() helper for resolving org domains
- Inject cache service into EmailService and OauthService
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* chore: remove unvalidated custom domains e2e test
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: add customDomains feature flag to cloud license terms
Update ee submodule — adds customDomains to OrganizationPaymentService
so Pro plan correctly gets false and Team plan gets true.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: extend VerifyDomainResult interface with additional properties
* feat: move custom domain from workspace settings to instance settings
Update frontend/ee submodule to move the custom domain page out of
workspace settings and into instance settings sidebar for both cloud
and EE editions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: align custom domain buttons with white labelling and Figma design
Update frontend/ee submodule - cancel button always clickable,
test connection button sizing matches Figma (14px font, 6px radius),
save button pattern matches white labelling exactly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add CSRF origin check middleware with Sec-Fetch-Site hardening
Add setupCsrfOriginCheck middleware that validates Origin headers on
mutation requests when custom domains are enabled. Rejects requests
from origins not matching TOOLJET_HOST or active custom domains.
Tightens the null-Origin fallback using Sec-Fetch-Site: browser
requests with no Origin but Sec-Fetch-Site: cross-site are now
blocked, closing the stripped-Origin CSRF attack vector while
keeping cURL/Postman/server-to-server calls unaffected.
Also removes the in-memory CORS origin cache in favour of direct
DB lookups via fetchCustomDomainOrigins.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: register CSRF origin check middleware in bootstrap
Wire up setupCsrfOriginCheck in the application bootstrap so the
middleware is active when custom domains are enabled.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: guard sameSite=none cookies with HTTPS check
sameSite=none requires secure=true, which browsers reject on plain
HTTP. Add isHttpsEnabled() guard so custom domain cookie settings
only apply over HTTPS, preventing broken sessions in local dev.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: redirect to main host on custom domain workspace mismatch
When a custom domain resolves to a different workspace than the URL
slug, or when domain resolution fails with no slug fallback, redirect
to TOOLJET_HOST instead of showing a broken state.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* chore: add custom domain dev server hints and update lockfile
Add commented-out webpack devServer options for testing custom domains
locally (host binding, allowed hosts, cache-control). Update lockfile.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: load Pyodide from CDN for cloud builds
For cloud (Cloudflare Pages) builds, load Pyodide from jsDelivr CDN
instead of bundling the 823MB local copy, avoiding the 25MB per-file
limit. Self-hosted/airgapped builds continue using the local bundle.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* chore: update ee submodule for custom domain workspace URL fix
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* chore: update ee submodule for custom domain input fixes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* chore: update ee submodule for custom domain dark mode fixes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* chore: update ee submodule for connection test toast and auto-reset
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: add pre/post build hooks for cloud frontend build
Add prebuild:frontend:cloud and postbuild:frontend:cloud lifecycle hooks
to install devDependencies (webpack, html-webpack-plugin, etc.) before
the cloud build and prune them after, matching the existing
build:frontend pattern.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: CSRF origin check fails closed on DB error
Previously, if fetchCustomDomainOrigins() threw (DB down, connection
timeout), the .catch(() => next()) silently bypassed all CSRF
protection. Now blocks the request with 403 instead.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: stale custom hostname cleanup and license deadlock on delete/status
Remove license gate from DELETE, GET, STATUS endpoints so admins can
always view and remove custom domains even after license expiry. Add
scheduled cleanup job that removes stale pending domains from both
Cloudflare and DB after a configurable TTL (default 2 days).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: Cloudflare error handling — config validation, 404 tolerance, status mapping
- Update IDomainProvider interface: getHostnameStatus returns null on 404
- Update CE stub to match interface
- Add sslStatus mapping to scheduler (matching provider's mapSslStatus)
- Expand scheduler statusMap with active_redeploying and blocked
- Allow null sslStatus in VerifyDomainResult type
- Update ee submodule
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: update server/ee submodule — correct guard order on custom-domains
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: update frontend/ee submodule — workspace login URL uses custom domain
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: update server/ee submodule — OIDC redirect uses custom domain host
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: route workspace switch to target custom domain
When switching between workspaces with different custom domains, the URL
now navigates to the target workspace's custom domain instead of staying
on the current origin or falling back to TOOLJET_HOST.
Backend enriches GET /api/organizations with custom_domain (batch query,
Cloud edition only). Frontend reads it and applies 3-way routing:
custom domain redirect, fallback to base domain, or same-origin switch.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: email links use custom domain instead of default TOOLJET_HOST
EmailModule was missing the CustomDomainsModule import, so
CustomDomainCacheService was never injected (always undefined due to
@Optional). All email URLs fell back to process.env.TOOLJET_HOST.
Additionally, several email event emissions were missing organizationId
in their payloads, preventing custom domain lookup even with proper DI.
Changes:
- Import CustomDomainsModule in EmailModule for DI wiring
- Pass organizationId in forgotPassword email payload
- Pass organizationId in 5 onboarding welcome-email payloads
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: block custom domain access after plan downgrade to Pro
- Frontend: always redirect to TOOLJET_HOST when custom domain resolve
fails (removes slug-based fallthrough that allowed bypassing the check)
- Frontend: extract redirectToMainHost() helper, add console.error logging
- Update server/ee submodule with license check in resolveCustomDomain
Closes#15228
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: proxy API through Cloudflare Worker to fix incognito sign-in on custom domains
Incognito browsers block third-party cookies, causing silent sign-in
failure on custom domains where the frontend origin differs from the
API server. Three changes:
- Frontend: override config.apiUrl to /api on custom domains so
requests route through the Cloudflare Worker proxy (first-party)
- Worker docs: add API/WebSocket proxy to the Cloudflare Worker with
proper forwarding headers and 502 fallback
- server/ee submodule: add ENABLE_CUSTOM_DOMAINS guard to OIDC cookie
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: update frontend/ee submodule — prefill default domain on clear
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: compare hostnames not origins for custom domain API proxy override
The origin comparison (`localhost:3000` vs `localhost:8082`) triggered the
proxy rewrite in local dev, routing API calls to webpack dev server which
returned index.html instead of JSON — breaking app initialization.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: update server/ee submodule — pass customDomainRepository to EE OrganizationsService
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* revert: remove "prefill default domain on clear" from custom domains
Reverts the frontend/ee submodule from a21b75aed back to e8191629e.
Showing a pre-filled default domain when the input is empty implies
the user owns that domain, which is misleading.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: harden custom domains — CORS caching, error handling, scheduler guards, and frontend safety
PR review fixes for #15228:
Backend:
- Cache CORS/CSRF custom domain origins in-memory (30s TTL) to avoid per-request DB queries
- Normalize TOOLJET_HOST (strip trailing slash) before origin comparison in CORS and CSRF middleware
- Add ENABLE_CUSTOM_DOMAINS guard to scheduler handleCron (was only on handleStaleCleanup)
- Log Cloudflare API errors in scheduler instead of silently continuing
- Fix scheduler stale cleanup TOCTOU: mark domain deleted before remove()
- Invalidate Redis cache after scheduler status transitions and stale cleanup
- Add Redis error handler, connectTimeout, and try-catch with DB fallback in cache service
- Add comment explaining CSRF exempt paths rationale
- Import CustomDomainsModule in AuthModule for @Optional() cache injection
- Remove dead 'no_records' variant from VerifyDomainResult.dnsStatus
- Update server/ee submodule (rate limiting, TOCTOU fix, DNS logging, auth response)
Frontend:
- Guard SwitchWorkspacePage against undefined TOOLJET_HOST
- Add console.error in isCustomDomain() and redirectToMainHost() for config issues
- Defensively strip protocol prefix in getTargetDomainURL()
- Add redirect-to-custom-domain logic in authorizeWorkspace with cooldown
- Enable webpack dev server proxy for custom domain local testing
Docs:
- Fix Cloudflare proxy statement: applies to any CF-hosted domain, not same-account
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: update server/ee submodule — OIDC redirect_uri uses request origin for custom domains
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: prevent flash of base-domain UI during custom domain redirect
- Move redirect check before setUser()/setOrganization() store updates
so no authenticated UI (avatar, org name) renders on the base domain
- Remove no-op clearRedirectAttempt() on custom domain — sessionStorage
is origin-scoped so it can't clear the base domain's flag; the cooldown
expires naturally after REDIRECT_COOLDOWN_MS
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: remove ThrottlerGuard from custom domain resolve endpoint
Update server/ee submodule — ThrottlerGuard on the resolve endpoint
caused a NestJS dependency crash (THROTTLER:MODULE_OPTIONS missing
in CustomDomainsModule). CloudFeatureGuard is sufficient protection
for this unauthenticated, cloud-only endpoint.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: extract applyCustomDomainCookieOptions, fix org list for super admins
- Extract duplicated cookie SameSite/Secure logic into shared applyCustomDomainCookieOptions() helper
- Replace 3 inline copies (session util x2, OIDC service) with one-liner calls
- Rename customDomain → custom_domain in OrganizationWithPlan for consistent API casing
- Refactor fetchOrganizations so super admins also get license/custom domain enrichment
- Add @Req() param to OpenID redirect controller for custom domain host detection
- Update server/ee submodule
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: remove dead verifyDomain from IDomainProvider, fix cookie type
- Remove verifyDomain() from IDomainProvider interface and all implementations
(service does inline DNS resolution, method was never called)
- Fix applyCustomDomainCookieOptions type: sameSite accepts string | boolean
- Update server/ee submodule
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* revert: remove dev-only webpack proxy and host overrides for custom domains
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* chore: remove internal custom domains Cloudflare setup doc
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: rename 'Workspace ID' label to 'Workspace URL' on custom domain page
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: match custom domain save button loading style with whitelabelling
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: reduce custom domain redirect cooldown from 5 minutes to 10 seconds
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: strip trailing slash from TOOLJET_HOST in URL helpers
Prevents double-slash URLs when TOOLJET_HOST is configured with a
trailing slash (e.g. `https://example.com/` → `https://example.com//error/404`).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: strip trailing slash from TOOLJET_HOST in workspace switchers
Same defensive fix as the URL helpers — raw TOOLJET_HOST concatenation
in SwitchWorkspacePage and BaseOrganizationList could produce
double-slash URLs when the host has a trailing slash.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat(custom-domains): add rebuildOriginsSet/getOriginsSet to cache service
Stores active custom domain origins in a Redis Set for cross-pod
CORS/CSRF consistency. rebuildOriginsSet uses a pipeline (DEL + SADD +
EXPIRE) for atomicity. getOriginsSet returns null on empty/error so
callers can fall back to DB.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat(custom-domains): use Redis for CORS/CSRF origins in middleware
fetchCustomDomainOrigins now reads from Redis Set first, falls back to
DB. Local cache TTL reduced from 30s to 5s. Both setupCsrfOriginCheck
and setSecurityHeaders lazily capture CustomDomainCacheService via a
shared tryGetCacheService helper (DRY, CE-safe with strict: false).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat(custom-domains): rebuild Redis origins set in scheduler and EE service
Status poll, stale cleanup, and all EE domain lifecycle operations now
trigger rebuildOriginsSet() so CORS origins stay consistent after
background status changes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat(custom-domains): seed Redis CORS origins set on startup
Ensures the origins set is populated immediately when the server starts,
before any CORS/CSRF checks are needed.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(custom-domains): increase Redis origins TTL and fix success logging
Raise ORIGINS_TTL_SECONDS from 300s to 700s so the key outlasts the
10-minute scheduler interval (avoids sustained DB fallback). Skip the
success log when individual pipeline commands fail.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat(custom-domains): add Redis pending-flag methods to cache service
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat(custom-domains): gate scheduler polling behind Redis pending flag
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat(custom-domains): set pending flag on domain creation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(custom-domains): resolve redirect loop between base and custom domain
After login, excludeWorkspaceIdFromURL stripped the workspace slug from the
redirect URL, producing bare paths like /home. On the custom domain,
getWorkspaceIdOrSlugFromURL then misinterpreted 'home' as a workspace slug,
triggering redirectToMainHost and creating an infinite loop.
- Re-prepend workspace slug to the custom domain redirect URL
- Always trust the resolved slug on custom domains (1:1 mapping)
- Remove mismatch guard in AuthRoute that redirected back to main host
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat(custom-domains): session transfer token + OAuth redirect_uri fix
Two problems with the custom domain redirect flow:
1. Session lost on redirect: tj_auth_token cookie is domain-scoped — doesn't
follow the user from gcpstage.tooljet.ai to app.company.com. Added a one-time
Redis transfer token (30s TTL, GETDEL atomic) — the frontend creates a token,
redirects to /api/session/transfer on the custom domain, the CF Worker proxies
to the backend which sets the cookie as first-party via 302.
2. OAuth redirect_uri mismatch: Google/OIDC redirect_uri used the custom domain
hostname via getHostURL()/resolveRedirectHost(). If the IdP doesn't have the
custom domain registered, auth fails. Now always use TOOLJET_HOST for
redirect_uri. Session transfer handles the hop to the custom domain after auth.
Changes:
- Add CE session-transfer module stubs (SubModule pattern)
- Add frontend session-transfer service
- Update authorizeWorkspace.js: transfer token flow replaces direct redirect
- Update GoogleSSOLoginButton.jsx: use TOOLJET_HOST for redirect_uri
- Register SessionTransferModule conditionally for Cloud edition in AppModule
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(custom-domains): update server/ee submodule — restore OIDC redirect_uri resolution
Points to server/ee commit that restores request-origin based
redirect_uri for OIDC, supporting both base domain and custom domain
IdP registrations.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat(custom-domains): add session transfer to workspace switching
Use session transfer tokens for cross-domain workspace switches so
the auth cookie is set on the target domain. Passes target org ID
in the token to land on the correct workspace immediately.
- Extract useSessionTransferRedirect hook (shared debounce + redirect)
- Add TOOLJET_HOST null guard in BaseOrganizationList
- Debounce new-tab opens with 500ms cooldown
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(custom-domains): defer HttpClient host resolution to request time
HttpClient eagerly captured config.apiUrl at module load time, before
index.jsx overrides it to '/api' on custom domains. This caused
tooljet-db, comments, and plugins services to make cross-origin
requests directly to the backend, bypassing the CF Worker proxy.
The cookie (scoped to the custom domain) wasn't sent, resulting in
401s and an infinite reload loop.
Use a lazy getter so config.apiUrl is read at request time. Also
convert marketplace.service.js to use hostFn callback for the same
lazy resolution.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(custom-domains): cross-domain logout — clear base domain session
Logging out from a custom domain only killed the custom domain's
session. The base domain session survived, causing authorizeWorkspace
to re-authenticate the user via session transfer.
Two fixes:
1. clearCookie now passes matching cookie options (sameSite, secure,
httpOnly) so the browser actually deletes the cookie
2. Frontend makes a parallel cross-origin logout call to the base
domain when on a custom domain (works because cookies are
sameSite=none and CORS allows custom domain origins)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(custom-domains): use base domain for workspace creation on custom domains
When creating a workspace from a custom domain, the workspace link
preview incorrectly showed the custom domain URL and the post-creation
redirect stayed on the custom domain (which is bound to a different
workspace). Now the link preview always shows TOOLJET_HOST and the
redirect uses session transfer to carry auth to the base domain.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(custom-domains): update ee-frontend submodule — SSO redirect URLs
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor(custom-domains): reuse getBaseHostURL() in workspace creation redirect
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(custom-domains): update ee-frontend submodule — SAML ACS URL fix
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(custom-domains): SAML SSO custom domain support + update server/ee submodule
Update CE interfaces and base classes to accept optional host/requestHost
parameters for SAML custom domain resolution. Updates server/ee submodule
with the full SAML custom domain fix.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(custom-domains): update ee-frontend submodule — hide custom domain for non-cloud
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(custom-domains): update server/ee submodule — SAML audience mismatch fix
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(custom-domains): update server/ee submodule — SAML issuer fix + error handling
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(custom-domains): update submodules — SAML ACS URL fix for all topologies
- server/ee: Add #resolveBackendBaseUrl() fallback chain for ACS URL;
only pass host override for custom domains
- frontend/ee: Show correct backend-derived ACS URL in SAML modal
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add conversation management features including listing, creating, and retrieving conversations
* chore: update submodule references for frontend and server components
* chore: update submodule reference for frontend component
* feat: add archived column to ai_conversations entity and migration
* chore: update submodule references for frontend and server components
* feat: clear prompt from navigation state on page refresh in useAppData hook
* feat: improve prompt clearing logic in useAppData hook on page refresh
* feat: add lastOpenedAt column to ai_conversations and update query logic
* chore: update submodule reference for frontend
* feat: add preview column to ai_conversations and create migration for it
* chore: update submodule references for frontend and server
* chore: update submodule references for frontend and server
* feat: remove lastOpenedAt column from ai_conversations and update query logic for conversation retrieval
* feat: update getConversationById method to include userId parameter in IAiService and IAiUtilService interfaces
* chore: update submodule reference for server
* feat: add GET_CONVERSATION feature and update related logic in AI module
* feat: remove fetchConversations from useAppData hook to streamline conversation handling
* fix submodule
* feat: update createConversation endpoint to use a consistent URL
---------
Co-authored-by: Kartik Gupta <gupta.kartik18kg@gmail.com>
Co-authored-by: gsmithun4 <gsmithun4@gmail.com>
