* feat(server): add OIDC logout URL override option
- Added toggle and field consistent with existing mobile redirect URI override.
- Existing auto-discovery remains default.
- Update tests and docs for new feature.
* fix(server): changes from review for OIDC logout URL override
- Rename 'logoutUri' to 'endSessionEndpoint'
- Remove toggle, just use override if provided
- Moved field in settings UI
* invalidate album data on album update to fix stale page load
* invalidate album data on album update to fix stale page load
* factor out callback, make async and await invalidate
* chore: formatting
---------
Co-authored-by: Jason Rasmussen <jason@rasm.me>
* feat(server): add configurable OAuth prompt parameter
Add a `prompt` field to the OAuth system config, allowing admins to
configure the OIDC `prompt` parameter (e.g. `select_account`, `login`,
`consent`). Defaults to empty string (no prompt sent), preserving
backward compatibility.
This is useful for providers like Google where users want to be prompted
to select an account when multiple accounts are signed in.
Discussed in #20762
* chore: regenerate OpenAPI spec and clients for OAuth prompt field
* Adding e2e test cases
* feat: web setting
* feat: docs
---------
Co-authored-by: Jason Rasmussen <jason@rasm.me>
* chore: pump flutter to 3.41.6
* more isar cleanup
* ignore experimental use for TableMigration
---------
Co-authored-by: shenlong-tanwen <139912620+shalong-tanwen@users.noreply.github.com>
* fix(oauth): normalize email claim to lowercase before account lookup and registration
* test(auth): add test for OAuth email case normalization
* chore: clean up
---------
Co-authored-by: Jason Rasmussen <jason@rasm.me>
* fix!: do not allow insecure oauth requests by default
* fix: format
* fix: make open-api
* fix: tests
* nit: casing
* chore: migration to allow insecure if current oauth uses http
Move `showEditFaces` state to `assetViewerManager` so the edit faces
panel open/close state is globally accessible. Add Escape key handling
to `PersonSidePanel` that closes the assign-face sub-panel first, then
the edit faces panel. Guard the asset viewer's global Escape-to-close
action so it doesn't fire while either face panel is open.
Change-Id: I0c947fe0758aef0eac473f4cc72f6a3b6a6a6964
AdaptiveImage stacks quality layers (thumbnail → preview → original) as they load. Without compositor layer promotion on the container, the browser could render a stale frame when the original-quality layer was overlaid on top of the preview-quality layer.
Add `will-change: transform` as a class on AdaptiveImage's root element so it gets a dedicated compositor layer from first paint. This also subsumes the imperative `style.willChange = 'transform'` that zoomImageAction was applying to the same element (the zoom target from photo-viewer is the AdaptiveImage root), so drop that now-redundant code.
Change-Id: Icd866a2bb5a5fce299c36404547fa0546a6a6964
fix(web): cancel video preview fetch when bind:this is cleared early
In Svelte 5.53.9, `bind:this` is now cleared earlier in the unmount
sequence ("better bind:this cleanup timing"). The video thumbnail's
$effect was relying on the old order to read the bound `player` element
and clear its `src` to abort the in-flight `/api/assets/{id}/video/playback`
range request — but the bind is now `undefined` by the time the effect
runs, so the cleanup is silently skipped. The detached <video> keeps
its src, and Firefox does not abort an in-flight media fetch when the
element is detached/GC'd. Long-lived 206 range requests then saturate
Firefox's 6-connection HTTP/1.1 per-host limit and freeze the timeline
(see #27585).
Capture the player reference inside the effect and tear down via the
effect cleanup return — Svelte runs the prior cleanup (with the captured
ref) before `bind:this` is cleared. Use the canonical
`pause() / removeAttribute('src') / load()` sequence which actually aborts
the fetch in Firefox, even on a detached element.
Fixes#27585
Change-Id: I4d9fba859955f5c54f603c345e61d4206a6a6964
