Merge branch 'master' into mikrotik_integration

# Conflicts:
#	internal/app/wireguard/wireguard_interfaces.go

.github/workflows/chart.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event_name == 'pull_request' }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
@@ -60,7 +60,7 @@ jobs:
     permissions:
       packages: write
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
 
       - uses: docker/login-action@v3
         with:

.github/workflows/docker-publish.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -66,6 +66,10 @@ jobs:
             type=semver,pattern={{major}}
             type=semver,pattern=v{{major}}.{{minor}}
             type=semver,pattern=v{{major}}
+            # add v{{major}} tag, even for beta or release-canidate releases
+            type=match,pattern=(v\d),group=1,enable=${{ contains(github.ref, 'beta') || contains(github.ref, 'rc') }}
+            # add {{major}} tag, even for beta releases or release-canidate releases
+            type=match,pattern=v(\d),group=1,enable=${{ contains(github.ref, 'beta') || contains(github.ref, 'rc') }}
 
       - name: Build and push Docker image
         uses: docker/build-push-action@v6
@@ -110,7 +114,7 @@ jobs:
       contents: write
     steps:
       - name: Download binaries
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v4
         with:
           name: binaries
 

.github/workflows/pages.yml

@@ -15,7 +15,7 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 

Dockerfile

@@ -20,7 +20,7 @@ RUN npm run build
 ######
 # Build backend
 ######
-FROM --platform=${BUILDPLATFORM} golang:1.25-alpine AS builder
+FROM --platform=${BUILDPLATFORM} golang:1.24-alpine AS builder
 # Set the working directory
 WORKDIR /build
 # Download dependencies

docs/documentation/rest-api/swagger.yaml

@@ -403,12 +403,6 @@ definitions:
         type: object
     models.ProvisioningRequest:
         properties:
-            DisplayName:
-                description: |-
-                    DisplayName is an optional name for the new peer.
-                    If unset, a default template value (e.g., "API Peer ...") will be assigned.
-                example: API Peer xyz
-                type: string
             InterfaceIdentifier:
                 description: InterfaceIdentifier is the identifier of the WireGuard interface the peer should be linked to.
                 example: wg0

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/coreos/go-oidc/v3 v3.15.0
 	github.com/glebarez/sqlite v1.11.0
 	github.com/go-ldap/ldap/v3 v3.4.11
-	github.com/go-pkgz/routegroup v1.5.3
+	github.com/go-pkgz/routegroup v1.5.1
 	github.com/go-playground/validator/v10 v10.27.0
 	github.com/go-webauthn/webauthn v0.13.4
 	github.com/google/uuid v1.6.0
@@ -29,7 +29,7 @@ require (
 	gorm.io/driver/mysql v1.6.0
 	gorm.io/driver/postgres v1.6.0
 	gorm.io/driver/sqlserver v1.6.1
-	gorm.io/gorm v1.30.2
+	gorm.io/gorm v1.30.1
 )
 
 require (

go.sum

@@ -70,8 +70,8 @@ github.com/go-openapi/spec v0.21.0 h1:LTVzPc3p/RzRnkQqLRndbAzjY0d0BCL72A6j3CdL9Z
 github.com/go-openapi/spec v0.21.0/go.mod h1:78u6VdPw81XU44qEWGhtr982gJ5BWg2c0I5XwVMotYk=
 github.com/go-openapi/swag v0.23.1 h1:lpsStH0n2ittzTnbaSloVZLuB5+fvSY/+hnagBjSNZU=
 github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDqQnDHMef0=
-github.com/go-pkgz/routegroup v1.5.3 h1:IvH1KLcQkMap9jucQGBlef3IBloxSAe8USUFvxShFqs=
+github.com/go-pkgz/routegroup v1.5.1 h1:hwVU4w2ltMQXIGEM4WIM0aWyRn7FsZbfbZIlPH7f1Rk=
-github.com/go-pkgz/routegroup v1.5.3/go.mod h1:Pmu04fhgWhRtBMIJ8HXppnnzOPjnL/IEPBIdO2zmeqg=
+github.com/go-pkgz/routegroup v1.5.1/go.mod h1:kDDPDRLRiRY1vnENrZJw1jQAzQX7fvsbsHGRQFNQfKc=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
@@ -374,8 +374,8 @@ gorm.io/driver/postgres v1.6.0/go.mod h1:vUw0mrGgrTK+uPHEhAdV4sfFELrByKVGnaVRkXD
 gorm.io/driver/sqlserver v1.6.1 h1:XWISFsu2I2pqd1KJhhTZNJMx1jNQ+zVL/Q8ovDcUjtY=
 gorm.io/driver/sqlserver v1.6.1/go.mod h1:VZeNn7hqX1aXoN5TPAFGWvxWG90xtA8erGn2gQmpc6U=
 gorm.io/gorm v1.30.0/go.mod h1:8Z33v652h4//uMA76KjeDH8mJXPm1QNCYrMeatR0DOE=
-gorm.io/gorm v1.30.2 h1:f7bevlVoVe4Byu3pmbWPVHnPsLoWaMjEb7/clyr9Ivs=
+gorm.io/gorm v1.30.1 h1:lSHg33jJTBxs2mgJRfRZeLDG+WZaHYCk3Wtfl6Ngzo4=
-gorm.io/gorm v1.30.2/go.mod h1:8Z33v652h4//uMA76KjeDH8mJXPm1QNCYrMeatR0DOE=
+gorm.io/gorm v1.30.1/go.mod h1:8Z33v652h4//uMA76KjeDH8mJXPm1QNCYrMeatR0DOE=
 modernc.org/cc/v4 v4.26.3 h1:yEN8dzrkRFnn4PUUKXLYIqVf2PJYAEjMTFjO3BDGc3I=
 modernc.org/cc/v4 v4.26.3/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
 modernc.org/ccgo/v4 v4.28.0 h1:rjznn6WWehKq7dG4JtLRKxb52Ecv8OUGah8+Z/SfpNU=

internal/app/api/core/assets/doc/v0_swagger.json

@@ -1781,11 +1781,6 @@
                         "type": "string"
                     }
                 },
-                "Backend": {
-                    "description": "the backend used for this interface e.g., local, mikrotik, ...",
-                    "type": "string",
-                    "example": "local"
-                },
                 "Disabled": {
                     "description": "flag that specifies if the interface is enabled (up) or not (down)",
                     "type": "boolean"
@@ -2254,12 +2249,6 @@
                 "ApiAdminOnly": {
                     "type": "boolean"
                 },
-                "AvailableBackends": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/model.SettingsBackendNames"
-                    }
-                },
                 "LoginFormVisible": {
                     "type": "boolean"
                 },
@@ -2280,17 +2269,6 @@
                 }
             }
         },
-        "model.SettingsBackendNames": {
-            "type": "object",
-            "properties": {
-                "Id": {
-                    "type": "string"
-                },
-                "Name": {
-                    "type": "string"
-                }
-            }
-        },
         "model.User": {
             "type": "object",
             "properties": {

internal/app/api/core/assets/doc/v0_swagger.yaml

@@ -65,10 +65,6 @@ definitions:
         items:
           type: string
         type: array
-      Backend:
-        description: the backend used for this interface e.g., local, mikrotik, ...
-        example: local
-        type: string
       Disabled:
         description: flag that specifies if the interface is enabled (up) or not (down)
         type: boolean
@@ -385,10 +381,6 @@ definitions:
     properties:
       ApiAdminOnly:
         type: boolean
-      AvailableBackends:
-        items:
-          $ref: '#/definitions/model.SettingsBackendNames'
-        type: array
       LoginFormVisible:
         type: boolean
       MailLinkOnly:
@@ -402,13 +394,6 @@ definitions:
       WebAuthnEnabled:
         type: boolean
     type: object
-  model.SettingsBackendNames:
-    properties:
-      Id:
-        type: string
-      Name:
-        type: string
-    type: object
   model.User:
     properties:
       ApiEnabled:

internal/app/api/core/assets/doc/v1_swagger.json

@@ -2086,11 +2086,6 @@
                 "InterfaceIdentifier"
             ],
             "properties": {
-                "DisplayName": {
-                    "description": "DisplayName is an optional name for the new peer.\nIf unset, a default template value (e.g., \"API Peer ...\") will be assigned.",
-                    "type": "string",
-                    "example": "API Peer xyz"
-                },
                 "InterfaceIdentifier": {
                     "description": "InterfaceIdentifier is the identifier of the WireGuard interface the peer should be linked to.",
                     "type": "string",

internal/app/api/core/assets/doc/v1_swagger.yaml

@@ -445,12 +445,6 @@ definitions:
     type: object
   models.ProvisioningRequest:
     properties:
-      DisplayName:
-        description: |-
-          DisplayName is an optional name for the new peer.
-          If unset, a default template value (e.g., "API Peer ...") will be assigned.
-        example: API Peer xyz
-        type: string
       InterfaceIdentifier:
         description: InterfaceIdentifier is the identifier of the WireGuard interface
           the peer should be linked to.

internal/app/api/v1/backend/provisioning_service.go

@@ -162,11 +162,7 @@ func (p ProvisioningService) NewPeer(ctx context.Context, req models.Provisionin
 	if req.PresharedKey != "" {
 		peer.PresharedKey = domain.PreSharedKey(req.PresharedKey)
 	}
-	if req.DisplayName == "" {
 	peer.GenerateDisplayName("API")
-	} else {
-		peer.DisplayName = req.DisplayName
-	}
 
 	// save new peer
 	peer, err = p.peers.CreatePeer(ctx, peer)

internal/app/api/v1/models/models_provisioning.go

@@ -68,10 +68,6 @@ type ProvisioningRequest struct {
 	// If no user identifier is set, the authenticated user is used.
 	UserIdentifier string `json:"UserIdentifier" example:"uid-1234567"`
 
-	// DisplayName is an optional name for the new peer.
-	// If unset, a default template value (e.g., "API Peer ...") will be assigned.
-	DisplayName string `json:"DisplayName" example:"API Peer xyz" binding:"omitempty"`
-
 	// PublicKey is the optional public key of the peer. If no public key is set, a new key pair is generated.
 	PublicKey string `json:"PublicKey" example:"xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=" binding:"omitempty,len=44"`
 	// PresharedKey is the optional pre-shared key of the peer. If no pre-shared key is set, a new key is generated.

internal/app/auth/auth_ldap.go

@@ -54,7 +54,7 @@ func (l LdapAuthenticator) PlaintextAuthentication(userId domain.UserIdentifier,
 
 	attrs := []string{"dn"}
 
-	loginFilter := strings.Replace(l.cfg.LoginFilter, "{{login_identifier}}", ldap.EscapeFilter(string(userId)), -1)
+	loginFilter := strings.Replace(l.cfg.LoginFilter, "{{login_identifier}}", string(userId), -1)
 	searchRequest := ldap.NewSearchRequest(
 		l.cfg.BaseDN,
 		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 20, false, // 20 second time limit
@@ -100,7 +100,7 @@ func (l LdapAuthenticator) GetUserInfo(_ context.Context, userId domain.UserIden
 
 	attrs := internal.LdapSearchAttributes(&l.cfg.FieldMap)
 
-	loginFilter := strings.Replace(l.cfg.LoginFilter, "{{login_identifier}}", ldap.EscapeFilter(string(userId)), -1)
+	loginFilter := strings.Replace(l.cfg.LoginFilter, "{{login_identifier}}", string(userId), -1)
 	searchRequest := ldap.NewSearchRequest(
 		l.cfg.BaseDN,
 		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 20, false, // 20 second time limit

internal/app/migrate_v1.go

@@ -47,18 +47,11 @@ func migrateFromV1(db *gorm.DB, source, typ string) error {
 	}
 	latestVersion := "1.0.9"
 	if lastVersion.Version != latestVersion {
-		return fmt.Errorf("unsupported old version, update to database version %s first", latestVersion)
+		return fmt.Errorf("unsupported old version, update to database version %s first: %w", latestVersion, err)
 	}
 
 	slog.Info("found valid V1 database", "version", lastVersion.Version)
 
-	// validate target database
-	if err := validateTargetDatabase(db); err != nil {
-		return fmt.Errorf("target database validation failed: %w", err)
-	}
-
-	slog.Info("found valid target database, starting migration...")
-
 	if err := migrateV1Users(oldDb, db); err != nil {
 		return fmt.Errorf("user migration failed: %w", err)
 	}
@@ -77,36 +70,6 @@ func migrateFromV1(db *gorm.DB, source, typ string) error {
 	return nil
 }
 
-// validateTargetDatabase checks if the target database is empty and ready for migration.
-func validateTargetDatabase(db *gorm.DB) error {
-	var count int64
-	err := db.Model(&domain.User{}).Count(&count).Error
-	if err != nil {
-		return fmt.Errorf("failed to check user table: %w", err)
-	}
-	if count > 0 {
-		return fmt.Errorf("target database contains %d users, please use an empty database for migration", count)
-	}
-
-	err = db.Model(&domain.Interface{}).Count(&count).Error
-	if err != nil {
-		return fmt.Errorf("failed to check interface table: %w", err)
-	}
-	if count > 0 {
-		return fmt.Errorf("target database contains %d interfaces, please use an empty database for migration", count)
-	}
-
-	err = db.Model(&domain.Peer{}).Count(&count).Error
-	if err != nil {
-		return fmt.Errorf("failed to check peer table: %w", err)
-	}
-	if count > 0 {
-		return fmt.Errorf("target database contains %d peers, please use an empty database for migration", count)
-	}
-
-	return nil
-}
-
 func migrateV1Users(oldDb, newDb *gorm.DB) error {
 	type User struct {
 		Email     string `gorm:"primaryKey"`
@@ -160,7 +123,7 @@ func migrateV1Users(oldDb, newDb *gorm.DB) error {
 			LinkedPeerCount: 0,
 		}
 
-		if err := newDb.Create(&newUser).Error; err != nil {
+		if err := newDb.Save(&newUser).Error; err != nil {
 			return fmt.Errorf("failed to migrate user %s: %w", oldUser.Email, err)
 		}
 
@@ -254,8 +217,7 @@ func migrateV1Interfaces(oldDb, newDb *gorm.DB) error {
 			PeerDefPostDown:            "",
 		}
 
-		// Create new interface with associations
+		if err := newDb.Save(&newInterface).Error; err != nil {
-		if err := newDb.Create(&newInterface).Error; err != nil {
 			return fmt.Errorf("failed to migrate device %s: %w", oldDevice.DeviceName, err)
 		}
 
@@ -400,7 +362,7 @@ func migrateV1Peers(oldDb, newDb *gorm.DB) error {
 			},
 		}
 
-		if err := newDb.Create(&newPeer).Error; err != nil {
+		if err := newDb.Save(&newPeer).Error; err != nil {
 			return fmt.Errorf("failed to migrate peer %s (%s): %w", oldPeer.Identifier, oldPeer.PublicKey, err)
 		}
 

internal/app/wireguard/wireguard_interfaces.go

@@ -225,15 +225,6 @@ func (m Manager) RestoreInterfaceState(
 		if err != nil && !iface.IsDisabled() {
 			slog.Debug("creating missing interface", "interface", iface.Identifier)
 
-			// temporarily disable interface in database so that the current state is reflected correctly
-			_ = m.db.SaveInterface(ctx, iface.Identifier,
-				func(in *domain.Interface) (*domain.Interface, error) {
-					now := time.Now()
-					in.Disabled = &now // set
-					in.DisabledReason = domain.DisabledReasonInterfaceMissing
-					return in, nil
-				})
-
 			// try to create a new interface
 			_, err = m.saveInterface(ctx, &iface)
 			if err != nil {