Commit Graph

5252 Commits

Author SHA1 Message Date
Daniel Salazar 8a14871dde fix: bad token generation for private apps (#2596)
2026-03-04 10:09:16 -08:00
jelveh 6248a89a59 Add autoplay to iframe allow list
2026-03-03 22:20:31 -08:00
Daniel Salazar 6b6f9b4743 fix: puter site middleware host (#2594) 2026-03-03 22:18:47 -08:00
Daniel Salazar 8380b28d8a fix: reset subdomain if empty (#2593) 2026-03-03 21:07:55 -08:00
Daniel Salazar adf034b120 feat: add subdomain to private asset tokens (#2591) 2026-03-03 20:37:17 -08:00
KernelDeimos 468558f8dc dev(oidc): hide unnecessary div
I decided not to remove it because I really don't want to introduce a
bug right now while everything is finally working smoothly... I'm making
a note to properly clean this up later when it can be more easily tested
in isolation from everything else.
2026-03-03 23:08:05 -05:00
Daniel Salazar dbdead9ad1 fix: remove redis cache scan in favour of direct key invalidation (#2589) 2026-03-03 19:55:41 -08:00
jelveh 80cabca7ad Add Google SVG icon to sign-in button 2026-03-03 19:31:39 -08:00
Baptiste Lyet f0d0e1d8ca docs : update current year (#2585) 2026-03-04 10:30:42 +07:00
Daniel Salazar 911c163fc8 feat: private app config to use app urls + app routing (#2587)
* feat: private app config to use app urls

* fix: launch app

* fix: cookie origin
2026-03-03 18:34:33 -08:00
KernelDeimos 3cd5268379 fix(oidc): login flow with puter.ui.authenticateWithPuter
It turns out there are nuances between `puter.ui.authenticateWithPuter`
vs `puter.auth.signIn` - these don't do the same thing. The primary
difference is that `puter.ui.authenticateWithPuter` will display an
override if it's not triggered by a user action, whereas
`puter.auth.signIn` will not. This definitely suggests
`puter.ui.authenticateWithPuter` should be a caller of
`puter.auth.signIn` instead of implementing its own logic for handling
the popup - that makes this part of the code more fragile - but that
refactor is out-of-scope for this bug fix.
2026-03-03 21:20:46 -05:00
Daniel Salazar 1f975b9d19 fix: private app config to use app urls (#2586) 2026-03-03 15:49:33 -08:00
Daniel Salazar 4f5fec5ee4 feat: resolve private app hosts by index_url fallback (#2583)
* feat: resolve private app hosts by index_url fallback

Adds a private-app lookup fallback for hosted subdomains without associated_app_id by matching owner-scoped index_url candidates built from request host and configured protocol.

* fix: redirect path

* fix: add new domains too

* fix, bootstrap url

* fix: bootstrap url

* fix: auto sign in puter private app
2026-03-03 13:52:12 -08:00
KernelDeimos 930cbfb770 fix(ai): additional auth guard (corrected 676b6c3)
2026-03-02 19:55:07 -05:00
KernelDeimos 91b9aa014a Reapply "fix(auth): add explicit check for access token suspension (#2576)" (#2579)
This reverts commit 8349b0d692.
2026-03-02 19:45:11 -05:00
KernelDeimos 9fd1d0a2e2 Revert "fix(ai): additional auth guard (#2577)"
This reverts commit 676b6c31e1.
2026-03-02 19:37:18 -05:00
Eric Dubé 8349b0d692 Revert "fix(auth): add explicit check for access token suspension (#2576)" (#2579)
This reverts commit f6b9c69ce6.
2026-03-02 19:24:15 -05:00
Eric Dubé 8073f73032 Eric/26323 revert 26322 (#2578)
* fix(ai): additional auth guard

* Revert "fix(ai): additional auth guard"

This reverts commit 03d4e66e3b.
2026-03-02 19:12:41 -05:00
Eric Dubé 676b6c31e1 fix(ai): additional auth guard (#2577) 2026-03-02 18:45:33 -05:00
Eric Dubé f6b9c69ce6 fix(auth): add explicit check for access token suspension (#2576) 2026-03-02 17:10:42 -05:00
Miika Kuisma c0583a9095 Fix: When a maximized window gets resized, Puter apps should be resized as well (#2498)
* Fix: When a maximized window gets resized, Puter apps should be resized as well

* Fix maximized selector to match any window with data-is_maximized (not just apps)
2026-03-02 10:48:47 -08:00
jelveh 43b313972c Revert "Permission modal now displays application's icon and title. Read and write access requests have their own text strings. (#2499)"
This reverts commit 0f33e49335.
2026-03-01 21:59:10 -08:00
Miika Kuisma 0f33e49335 Permission modal now displays application's icon and title. Read and write access requests have their own text strings. (#2499) 2026-03-01 20:02:20 -08:00
Eric Dubé f2926c948e fix(oidc): bring "Add Existing User" to working state (#2572)
2026-02-28 16:39:20 -05:00
Daniel Salazar 314c671778 fix: redis startup (#2571)
add event logging and handling to deal with redis startup
2026-02-28 13:25:42 -08:00
Daniel Salazar bb02fc6e6b fix: hardcode default perm (#2570) 2026-02-28 13:13:05 -08:00
Daniel Salazar 537f3957ed feat: add private app direct-login bootstrap page (#2566)
* feat: add private app direct-login bootstrap page

Serves a lightweight puter.js sign-in interstitial when private app identity is missing, then retries with a bootstrap token query param while preserving entitlement redirect behavior for authenticated denies.

* fix: allow private app subdomain
2026-02-28 13:04:14 -08:00
Daniel Salazar 2eb16ceab6 chore: switch private hosting domain to puter.dev (#2565)
Updates private app hosting defaults and middleware/test expectations from puter.app to puter.dev for current rollout needs.
2026-02-27 16:24:54 -08:00
Eric Dubé 2cc8cb22f8 [OIDC] allow user deletion for accounts without a password (#2567)
* fix: user deletion for OIDC accounts

* clean(backend): update copied license header

* clean(backend): replace previously removed comments

* fix: double-encoding
2026-02-27 18:55:12 -05:00
Eric Dubé 9d4e990b92 dev(oidc): switch login/signup flows where applicable (#2550)
For convenience, switch flow if the user's action doesn't match the
system state when signing up or logging in with Google:
- If the user chooses "signup" but they already have an account, log
  them into that account.
- If the user chooses "login" but they do not have an account yet,
  create an account with their authenticated email address.
2026-02-27 18:30:17 -05:00
Daniel Salazar 7e07c3d937 feat: add private access rollout gate and auditing (#2560)
Adds a config flag to disable private app gate enforcement, structured middleware audit logs for private access decisions, and regression coverage for the disabled-gate path.
2026-02-27 13:55:15 -08:00
Eric Dubé 866825767b fix(backend): default rate-limit scope instead of error (#2564)
When a rate-limit scope is not configured, use a default configuration
instead of throwing an error. Display a warning about the unconfigured
rate-limit scope when the default is used.
2026-02-27 15:58:36 -05:00
Anshuman Tripathi 7c437fabf3 fix: corrected service reference (#2559) 2026-02-27 13:45:01 -05:00
Reynaldi Chernando 613b0482e8 Add nano banana 2 (#2562) 2026-02-27 13:00:36 -05:00
Daniel Salazar 784847b1b1 feat: enforce private app hosting access gate (#2557)
Add private app access gating in PuterSiteMiddleware with entitlement event checks, bootstrap/private cookie token flow, and camelCase helper/test updates.
2026-02-26 23:42:32 -08:00
Daniel Salazar 23089901dd perf: remove recents cache (#2558) 2026-02-26 16:38:58 -08:00
Daniel Salazar adce8c64db feat: add private app access extension event contract (#2556)
* feat: add private app access extension event contract

Define app.private-access.check in extension API typings with mutable allow/redirect decision fields for entitlement handlers.

* refactor: camelCase private access event contract

Rename private access extension event and payload fields to camelCase for consistency with repo conventions.
2026-02-26 15:04:23 -08:00
Daniel Salazar 15e7a3503b feat: add private app asset token auth helpers (#2555)
* feat: add private app asset token auth helpers

Add mint/verify helpers and hardened cookie option helpers for app-private-asset tokens in AuthService.
Add focused tests for claims validation, mismatch denial, and cookie option defaults.

* fix: add private app config for new subdomain
2026-02-26 14:19:59 -08:00
Daniel Salazar f8560cf0f9 fix: delete redis keys in parallel, don't grant both read and write if just write needed (#2552) 2026-02-26 14:03:21 -08:00
Daniel Salazar 1887352301 fix: don't await cache invalidation for grant app permission (#2551)
* fix: disable broadcast for cache invalidation

* fix: remove broadcast for redis events for now

* fix: don't await cache invalidation for grant app permission
2026-02-25 17:26:42 -08:00
Daniel Salazar 2c1b21e197 feat: type extension cache update events (#2548)
* feat: type extension cache update events

Expose outer.cacheUpdate in extension API typings and consolidate extension service typing via ServicesMap.

* fix: batch broadcast events

* fix: bad import

* fix: import socket io

* fix: bad undefined call

* fix: simplify await for broadcast processing
2026-02-25 17:05:05 -08:00
Daniel Salazar aa04dfabb4 feat: add is_private to apps (#2546)
2026-02-25 13:26:16 -08:00
Eric Dubé c4346df24e fix(gui): defer login event until listener registered (#2547)
Fixes an error introduced in 4b8c46e where the page load is attempted to
be triggered by dispatching the login event, however the listener which
handles loading the page has not yet been registered.
2026-02-25 14:22:06 -05:00
Daniel Salazar 7a1468d070 fix: app icons via subdomain on localhost (#2544) 2026-02-25 10:14:39 -08:00
jelveh 71f7698a46 Await update_auth_data to avoid races
2026-02-24 18:33:30 -08:00
jelveh 0515b65138 Await update_auth_data to avoid race conditions 2026-02-24 18:24:33 -08:00
Daniel Salazar 66f1cd0bc3 fix: remove broadcast for cache updates (#2542)
* fix: disable broadcast for cache invalidation

* fix: remove broadcast for redis events for now
2026-02-24 16:45:32 -08:00
Eric Dubé 6658a90b6a fix(backend): invalidate app permission debounce (#2541)
* fix(backend): debounce app permission invalidation

* fix(backend): debounce app permission invalidation
2026-02-24 19:00:34 -05:00
Daniel Salazar 4c863cc5bc fix: make invalidations more robust (#2529) 2026-02-24 15:45:46 -08:00
Daniel Salazar 6544e8c250 cleanup: remove debugger calls in our code (#2535) 2026-02-24 15:42:39 -08:00