Nariman Jelveh
acc4796b99
Allow Cache-Control and Pragma headers ( #3198 )
Maintain Release Merge PR / update-release-pr (push) Has been cancelled
Notify HeyPuter / notify (push) Has been cancelled
release-please / release-please (push) Has been cancelled
2026-06-03 14:30:33 +02:00
Daniel Salazar
b188942436
feat (PUT-1016 & PUT-1020) ( #3164 )
...
* feat (PUT-1016 & PUT-1020)
temp account preservation on forced relogin
hosted asset cookies to v2 token too
* fix: remove llm dashes and ugly comments
* update agents
2026-05-26 23:35:16 -07:00
Daniel Salazar
5394ccc45c
feat: add verification for v2 auth ( #3155 )
2026-05-26 15:34:54 -07:00
ProgrammerIn-wonderland
0e990da961
import ESM by URL instead of path ( #3129 )
Maintain Release Merge PR / update-release-pr (push) Has been cancelled
Notify HeyPuter / notify (push) Has been cancelled
release-please / release-please (push) Has been cancelled
2026-05-18 19:31:03 -04:00
Daniel Salazar
a568ca0f99
fix: expose upstream ai errors as not 500s ( #3123 )
2026-05-17 12:01:22 -07:00
Daniel Salazar
bcc6cc8f00
fix: express proxy chain ( #3112 )
Maintain Release Merge PR / update-release-pr (push) Has been cancelled
Notify HeyPuter / notify (push) Has been cancelled
release-please / release-please (push) Has been cancelled
2026-05-13 18:13:39 -07:00
Daniel Salazar
0276420213
fix: treat access tokens as non-auth unless opted in ( #3111 )
...
* fix: treat access tokens as non-auth unless opted in
* fix: tests
2026-05-13 14:20:15 -07:00
Daniel Salazar
b0823449bc
fix: don't allow dav access control credentials ( #3084 )
Maintain Release Merge PR / update-release-pr (push) Has been cancelled
Notify HeyPuter / notify (push) Has been cancelled
release-please / release-please (push) Has been cancelled
2026-05-11 19:11:02 -07:00
Daniel Salazar
f80016e4e6
feat: rate limit all ai requests ( #3081 )
...
* chore: cleanup types for metering
* fix: error responses
* wip: rate limit refactor
* rate-limit for some drivers
* fix: ai driver limits
* tests: rate limiting
2026-05-11 16:18:21 -07:00
ProgrammerIn-wonderland
c5b12b61d9
Unconditionally send Access-Control-Allow-Private-Network, fix LNA fix in GUI ( #2954 )
Maintain Release Merge PR / update-release-pr (push) Has been cancelled
Notify HeyPuter / notify (push) Has been cancelled
release-please / release-please (push) Has been cancelled
2026-05-07 16:38:04 -07:00
Daniel Salazar
775c9c49e2
test: add harness and some examples ( #2941 )
...
* test: add harness and some examples
* feat: tests ran on pr
2026-05-06 22:43:22 -07:00
Daniel Salazar
c1dacab4c2
extension events after boot fixes ( #2925 )
Maintain Release Merge PR / update-release-pr (push) Has been cancelled
Notify HeyPuter / notify (push) Has been cancelled
release-please / release-please (push) Has been cancelled
2026-05-05 17:42:55 -07:00
Nariman Jelveh
1f1149e32e
Block unconfirmed users from API endpoints server-side ( #2916 )
...
Maintain Release Merge PR / update-release-pr (push) Has been cancelled
Notify HeyPuter / notify (push) Has been cancelled
release-please / release-please (push) Has been cancelled
Add a default-on email confirmation gate that rejects users with
`requires_email_confirmation && !email_confirmed` on all authenticated
routes, returning 403 with `email_confirmation_required`.
Previously this was only enforced client-side via a GUI modal, meaning
direct API calls could bypass the check entirely.
Essential routes are exempted via `allowUnconfirmed: true`:
`/whoami`, `/logout`, `/send-confirm-email`, `/confirm-email`,
`/save_account`, `/get-anticsrf-token`, `/get-gui-token`,
`/session/sync-cookie`, `/auth/revoke-session`,
`/user-protected/delete-own-user`
No impact on temp users (`requires_email_confirmation` is false),
self-hosted deployments without email (flag is never set), or
unauthenticated routes (login, signup, password recovery, OIDC).
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com >
2026-05-05 10:08:50 -07:00
Nariman Jelveh
267f464232
Add AGPL license headers to source files ( #2877 )
2026-05-01 13:50:42 -07:00
Daniel Salazar
d4d78ac7db
rework: change backend and backend extensions to use simpler code structure and patterns ( #2815 )
...
* fix: dynamodb health checks and client recreation (#2789 )
* wip: no nanoServices groundwork
* feat: data clients in new shape
* wip: auth and perms in new system
* more wip
* middlewaters mainly done
* wip: fsv2 in new layout
* old fs v2 migration
* driver system
* driver and old fs fixes
* ai drivers wip
* stream support
* metering in ai chat driver
* wip: new auth
* rate limit and auth routes
* captcha and anti csrf
* fix: types
* auth store
* app logic
* wip most other dricvers
* fs
* mostly kill all legacy stuff
* fs finish
* fix: redis usage
* ai controller
* driver cleanup
* socket io in v2
* broadcast and crudq stuff
* subdomains
* notifcations and shares
* fix bad syntaxes
* auth wip
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
* extensions
* extension setup
* more routes
* sql migrations and default services
* home router
* tier 7
* everything else
* everything else
* remaining missing bits
* server health
* logs
* cleanup
* deps
* cleanup 2
* more cleanup 2
* boot
* fix launch
* config fix
* move file
* fix: tsconfig things
* fix: extension loading
* launching
* fix: drivers
* fix: others
* fix: icons
* fix: file uploads
* fs fixes
* fix: fs api
* fix: dev-center
* config
* add back telemetry
* lint stuff
* husky hooks
* fix: fs oss
* fix: config migration
* config migration
* migrate scripts + replicate
* runner
* fix: merge defafult config
* fix: default region
* fix: api domain
* fix paths in readfile
* fix fs entry default s3
* NS: Remove Referral && Entri Service
* dep cleanups
* fix: static assets
* fix: kv and perms
* fix: driver registrations
* fix: home mapping
* fix: rao
* adding back 500 alarm
* fix: build paths
* fix: fs and kv shapes
* fix: kv shape
* more kv coercing and ai chat matching format as prior
* fix: private app gates
* private app caches
* fix: whole bunch of legacy shape issues
* update template jsonc
* fix caching partial oidc and fs signed paths
* more oidc fixes
* fix: wip
* fix: private apps
* admin route fixes
* fix: last few things hopefully
* claude uploads
* fix security for app only routes
* fix kv system namespace
* stuff
* fix: app and kv and suggested apps
* fix:open item
* fix: FS operations
* fix: default app icons
* add back token-read and WSL support
* metering fixes
* fix: fsEntry
* perm scanners and implicators
* proper download endpoint
* fix: download
* fix anti csrft on v2
* fix file extensions, app icons
* fold in v1 fixes from origin/main into v2 equivalents
Re-applies the v1 fixes that landed on origin/main into their v2
counterparts since the v1 files were deleted on DS/wip during the v2
migration. v1 commits referenced below.
- SQLBatcher: flush immediately when queue hits maxBatchSize instead
of racing the timer (v1 12f48238).
- RedisClient: drop maxRetriesPerRequest from 2 to 1 to shrink failure
window (v1 b6776ab4 ).
- ChatCompletionDriver: default minimumCredits to 1 when unset/zero so
zero-cost precheck doesn't auto-pass (v1 36bd6073 ).
- OpenAiImageProvider: add gpt-image-2 support — open-ended size rules,
token-based cost estimator, arbitrary-size normalizer, isGpt prefix
broadened to gpt-image- (v1 f14f1bf4 ). models.ts auto-merged via
rename detection.
- AppStore: bump row cache TTL from 5m to 24h (v1 6b3196ed ).
Not ported: v1 app-object Redis cache (bdfa12b5/b886dde3) — v2's
#toClient recomputes filetype_associations/created_from_origin per
read; adding a second cache layer is a larger change for a follow-up.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
* remoe anti-csrf from auth routes that had not used them
* more icon fixes
* fix worker functionality
* fix: app and subdomain es
Co-authored-by: Copilot <copilot@github.com >
* fix PUT-761
* fix: PUT-748
* fix: rename fsService
* Add security back to WorkerDriver
* Migrate worker from fsEntry to fs. Fix cache issue
* remove ability to create symlinks
* strict webdav acl
* require auth for wisp
* chore: service renames
* Add metering back to puter peer api
* fix: PUT-760 PUT-749
* fix: PUT-746
* fix: peer cost
Co-authored-by: Copilot <copilot@github.com >
* fix: 771
* change order of peer controller
* fix: create appdata folder for app on get auth token
* fix: align delete site and list sites
* delete: putility
* fix subdomains
* Add support for tilde in subdomains, fix subdomain update
* cleanup PeerController.ts and fix billing oversight (#2844 )
* fix: PUT-786
* fix: bugs
* fix: issues with multiple subdomain queries, or permission checks
* fix: harden response shapes to not contain uneeded fields
* fix: move state to redis
* fix: missing kv methods + better sec
Co-authored-by: Copilot <copilot@github.com >
* fix: subdomainStore limit
* fix: missing path resolution
Co-authored-by: Copilot <copilot@github.com >
* fs fixes
* fix: undef error
* fix fs + cleanup
* fix: npm audit fixes
* heal path entries where missing
Co-authored-by: Copilot <copilot@github.com >
* fix: caching
Co-authored-by: Copilot <copilot@github.com >
* fix: cache inconsistencies
Co-authored-by: Copilot <copilot@github.com >
* fix: app driver metadata
Co-authored-by: Copilot <copilot@github.com >
* remove extraneous comma
* fix: associated app icons
* fix: bad tool call
* Add validation to WorkerDriver#getFilePaths
* misc fs and auth issues
Co-authored-by: Copilot <copilot@github.com >
* fix: oidc errors
Co-authored-by: Copilot <copilot@github.com >
* fix: PUT-797
* fix: legacy appdata_app
Co-authored-by: Copilot <copilot@github.com >
* fix: add alert logs
Co-authored-by: Copilot <copilot@github.com >
* fix: error handling
* Disable sharecontroller
* fix: remove private user identifier for ai
* fix: private app fixes
* Add backback signup_server
* fix: completionId size
Co-authored-by: Copilot <copilot@github.com >
* fix: revalidate path for oidc
* fix: revalidate path for oidc
* fix: email validation
Co-authored-by: Copilot <copilot@github.com >
* fix: user create query
* fix: middleware extensions
Co-authored-by: Copilot <copilot@github.com >
* use x-forwarded-for for req ip forwarded
* fix: missing last_activity ts
* feat: add cache broadcast to subdomains
* fix: update config typing
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
Co-authored-by: ProgrammerIn-wonderland <3838shah@gmail.com >
Co-authored-by: Copilot <copilot@github.com >
Co-authored-by: Nariman Jelveh <nj@puter.com >
Co-authored-by: velzie <velzie@velzie.rip >
2026-04-30 12:13:43 -07:00