Commit graph

3905 commits

Author SHA1 Message Date
Ephraim Duncan
70fb834a6a
feat: add more webhook events (#2125) 2026-03-15 19:47:52 +11:00
Ephraim Duncan
66e357c9b3
feat: add email domain restriction for signups (#2266)
Co-authored-by: Lucas Smith <me@lucasjamessmith.me>
2026-03-14 16:32:34 +11:00
Ted Liang
3106fd7483
fix: exclude native modules from Vite dependency optimization (#2615) 2026-03-14 11:51:00 +11:00
Catalin Pit
32c54e1245
fix: hide name/email in embed signing when provided via prop (#2600)
## Description

When signing via embed, recipient name and email provided through the
embed context were ignored if the DB recipient record had empty values.

This fix adds:
- the signing context's fullName and email as fallbacks in the recipient
payload
- keeps the form in sync with values instead of defaultValues
- ensures the override payload is sent even when the form is hidden
2026-03-13 21:59:10 +11:00
Ted Liang
83fbc70a1c
refactor: avoid recipient color duplication (#2355) 2026-03-13 15:52:15 +11:00
Lucas Smith
1ee6ec87a2
chore: add translations (#2614) 2026-03-13 15:22:20 +11:00
Lucas Smith
6b1b1d0417
fix: improve webhook execution (#2608)
Webhook URLs were being fetched without validating whether they
resolved to private/loopback addresses, exposing the server to SSRF.

Current SSRF is best effort and fail open, you should never host
services that
you cant risk exposure of.

This extracts webhook execution into a shared module that validates
URLs against private IP ranges (including DNS resolution), enforces
timeouts, and disables redirect following. The resend route now
queues through the job system instead of calling fetch inline.
2026-03-13 15:02:09 +11:00
Lucas Smith
9f680c7a61
perf: set global prisma transaction timeouts and reduce transaction scope (#2607)
Configure default transaction options (5s maxWait, 10s timeout) on the
PrismaClient instead of per-transaction overrides. Move side effects
like email sending, webhook triggers, and job dispatches out of
$transaction blocks to avoid holding database connections open during
network I/O.

Also extracts the direct template email into a background job and fixes
a bug where prisma was used instead of tx inside a transaction.
2026-03-13 14:51:53 +11:00
github-actions[bot]
76d96d2f65
chore: extract translations (#2583) 2026-03-13 14:50:48 +11:00
David Nguyen
2f2b5dd232
feat: allow creating embeds in folder (#2612)
## Description

Allow passing in a `folderId` when creating an embedded envelope 

## Embed repo changes here

https://github.com/documenso/embeds/pull/69/changes
2026-03-13 14:50:14 +11:00
David Nguyen
8d97f1dcfa
fix: resolve error flash on page refresh (#2606) 2026-03-13 12:37:30 +11:00
David Nguyen
e67e19358a
fix: add hipaa flag (#2603) 2026-03-13 12:06:10 +11:00
Timur Ercan
364537e8fe
chore: update hipaa status in docs (#2599) 2026-03-13 12:00:05 +11:00
Joshua Sharp
4751c9cecc
fix: template description overflow (#2605) 2026-03-12 18:15:21 +11:00
VIVEK TIWARI
a5fd814fbc
fix: handle invalid qr share tokens without 500 (#2597) 2026-03-12 13:46:17 +11:00
Ephraim Duncan
1d2c781a6d
docs: add organisation ownership transfer guide (#2601) 2026-03-12 13:39:37 +11:00
Lucas Smith
03ca3971a0
perf: upgrade @libpdf/core to 0.3.3 and deduplicate font registration (#2598)
Upgrade @libpdf/core from 0.2.12 to 0.3.3, which includes:
- WebCrypto SHA-256 replacing pure-JS @noble/hashes (10x signing
speedup)
- Iterative collectReachableRefs (fixes stack overflow on large PDFs)
- Iterative Math.max helpers in xref writer (fixes remaining stack
overflow)

Extract duplicated FontLibrary.use() calls from render-certificate,
render-audit-logs, and insert-field-in-pdf-v2 into a shared
ensureFontLibrary() helper with has() guards so fonts are only
registered once per process.
2026-03-11 20:23:18 +11:00
Lucas Smith
5ea4060fd7 v2.8.0 2026-03-10 21:43:01 +11:00
Lucas Smith
af346b179c
feat: add recipient role editing and audit log PDF download in admin (#2594)
- Allow admins to update recipient role from document detail page
- Add download button to export audit logs as PDF
- Display recipient status details in accordion
- Add LocalTime component with hover popover for timestamps
2026-03-10 21:41:46 +11:00
Catalin Pit
ab69ee627b
fix: include extra recipient info in missing fields error msg (#2590) 2026-03-10 12:17:24 +11:00
Lucas Smith
4daec44550
fix: move window.__ENV__ script before client bundle to prevent stale fallback (#2592) 2026-03-10 12:15:15 +11:00
Ted Liang
11eb4dd2cd
fix: security CVE-2026-29045 (#2589) 2026-03-09 16:46:11 +11:00
Lucas Smith
cc71c7d9ba
fix: add cmaps (#2588) 2026-03-09 14:07:13 +11:00
Lucas Smith
f82bf97480
fix: only use embed hash name/email as fallback when recipient values are blank (#2586)
For document signing embeds, the hash-provided name and email should
only
be used when the recipient doesn't already have values set. For template
signing, the hash values are always allowed.

Also makes the email input editable in V1 embeds when the recipient has
no email, matching V2 behavior.

Ref: documenso/embeds#53
2026-03-09 13:30:27 +11:00
Lucas Smith
0e20d364ef
fix: opt findDocumentsInternal query out of batch fetching (#2585) 2026-03-09 12:47:59 +11:00
David Nguyen
ef57c8448a
fix: dropdown fields (#2584) 2026-03-09 12:19:20 +11:00
Lucas Smith
eaaf8f9e63
chore: add translations (#2582) 2026-03-09 11:56:17 +11:00
David Nguyen
58f0c98038
chore: add embed envelope docs (#2576) 2026-03-09 11:50:13 +11:00
Catalin Pit
da7b5d12f8
fix: make signing page left-hand sidebar collapsible (#2541) 2026-03-09 11:45:28 +11:00
github-actions[bot]
7cfe876762
chore: extract translations (#2577) 2026-03-09 11:39:37 +11:00
Ephraim Duncan
15399cbe8e
feat: auto-disable telemetry when license key is configured (#2562) 2026-03-09 11:24:24 +11:00
Catalin Pit
c4754553c9
feat: implement template search functionality (#2376)
- Added  function to handle template searches based on user input
- Introduced in the TRPC router to facilitate authenticated template
searches
- Updated to include template search results alongside document search
results
- Enhanced query handling by enabling searches only when the input is
valid
- Created corresponding Zod schemas for request and response validation
in
2026-03-09 10:44:51 +11:00
David Nguyen
6c8726b58c
fix: performance improvements (#2581) 2026-03-09 10:22:57 +11:00
Lucas Smith
abd031b58b
chore: add translations (#2575) 2026-03-06 16:10:54 +11:00
github-actions[bot]
1ff8680c32
chore: extract translations (#2566) 2026-03-06 14:15:37 +11:00
David Nguyen
7ea664214a
feat: add embedded envelopes (#2564)
## Description

Add envelopes V2 embedded support

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2026-03-06 14:11:27 +11:00
Ephraim Duncan
7e2cbe46c0
fix: show current month data and add caching (#2573)
### Summary

- Add Cache-Control headers to all route responses (1h s-maxage, 2h
stale-while-revalidate)
- Append current month to chart data so graphs stay up-to-date
(cumulative carries forward, else zero)
- Remove `.limit(12)` from growth queries for full history
- Pass isCumulative flag through addZeroMonth
- Deduplicate TransformedData type, remove transformRepoStats
2026-03-06 13:30:31 +11:00
Konrad
c63b4ca3cc
fix(i18n): mark dropdown and radio placeholder for translation (#2537) 2026-03-06 13:05:03 +11:00
David Nguyen
6faa01d384
feat: add pdf image renderer (#2554)
## Description

Replace the PDF renderer with an custom image renderer.

This allows us to remove the "react-pdf" dependency and allows us to use
a virtual list to improve performance.
2026-03-06 12:39:03 +11:00
Lucas Smith
0ce909a298
refactor: find envelopes (#2557) 2026-03-06 12:38:40 +11:00
Lucas Smith
7f271379b9
fix: upgrade @libpdf/core (#2572) 2026-03-06 10:08:58 +11:00
Lucas Smith
406e77e4be
chore: add translations (#2570) 2026-03-05 17:33:36 +11:00
Lucas Smith
bff360b084
fix: upgrade @libpdf/core (#2569) 2026-03-05 15:34:40 +11:00
Lucas Smith
db1087d76d v2.7.1 2026-03-05 15:16:45 +11:00
Lucas Smith
ef0a5b54ba
fix: verify before re-registering in email sync (#2568) 2026-03-05 15:12:20 +11:00
David Nguyen
1f985e2cd3
fix: invalid po translations (#2567) 2026-03-05 14:54:36 +11:00
Konrad
525dd92a56
fix(i18n): mark SUBSCRIPTION_STATUS_MAP for translation (#2515) 2026-03-05 14:42:40 +11:00
Konrad
d21b99825d
fix(i18n): add pluralization to expiration period picker (#2535) 2026-03-05 14:32:12 +11:00
Konrad
dfbf68e4cd
fix(i18n): mark editor field number form placeholder for translation (#2536) 2026-03-05 14:31:24 +11:00
github-actions[bot]
8b0231825f
chore: extract translations (#2539) 2026-03-05 14:11:53 +11:00