diff --git a/CHANGELOG.md b/CHANGELOG.md index 36acb6c8..e5082e4b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## v1.7.78-alpha (2026-05-20) +- Public Nginx Proxy Manager hosts for Saleor now keep browser GraphQL calls same-origin at `/graphql/` and proxy them to the local API on `8000`, fixing `Failed to fetch` when a public domain such as `noderunner.shop` was loaded from devices that cannot reach the node's private LAN/tailnet API address. - Saleor's validated stack changes are now release-ready: dashboard origins on port `9010` are explicitly allowed for dashboard/API calls, preserving the working test-node install path for production nodes. - NetBird launches now stay pinned to the unified dashboard/proxy origin on port `8087` instead of following stale runtime-discovered server URLs on `8086`. - NetBird's local nginx proxy now routes browser API, OAuth, relay, and WebSocket traffic through `host.containers.internal:8086` instead of a hard-coded rootless Podman gateway IP, and includes the upstream `management.ProxyService` gRPC path. diff --git a/core/Cargo.lock b/core/Cargo.lock index befac9e7..7337e6b6 100644 --- a/core/Cargo.lock +++ b/core/Cargo.lock @@ -80,7 +80,7 @@ checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61" [[package]] name = "archipelago" -version = "1.7.77-alpha" +version = "1.7.78-alpha" dependencies = [ "anyhow", "archipelago-container", diff --git a/core/archipelago/Cargo.toml b/core/archipelago/Cargo.toml index 43ed96a0..40a1b0f3 100644 --- a/core/archipelago/Cargo.toml +++ b/core/archipelago/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "archipelago" -version = "1.7.77-alpha" +version = "1.7.78-alpha" edition = "2021" description = "Archipelago Bitcoin Node OS - Native backend" authors = ["Archipelago Team"] diff --git a/neode-ui/package-lock.json b/neode-ui/package-lock.json index 45e3069d..0b5483cf 100644 --- a/neode-ui/package-lock.json +++ b/neode-ui/package-lock.json @@ -1,12 +1,12 @@ { "name": "neode-ui", - "version": "1.7.77-alpha", + "version": "1.7.78-alpha", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "neode-ui", - "version": "1.7.77-alpha", + "version": "1.7.78-alpha", "dependencies": { "@types/dompurify": "^3.0.5", "@vue-leaflet/vue-leaflet": "^0.10.1", diff --git a/neode-ui/package.json b/neode-ui/package.json index c33b9e0c..89ba7024 100644 --- a/neode-ui/package.json +++ b/neode-ui/package.json @@ -1,7 +1,7 @@ { "name": "neode-ui", "private": true, - "version": "1.7.77-alpha", + "version": "1.7.78-alpha", "type": "module", "scripts": { "start": "./start-dev.sh", diff --git a/neode-ui/src/views/appSession/appSessionConfig.ts b/neode-ui/src/views/appSession/appSessionConfig.ts index e893adea..3eb2b6df 100644 --- a/neode-ui/src/views/appSession/appSessionConfig.ts +++ b/neode-ui/src/views/appSession/appSessionConfig.ts @@ -100,7 +100,7 @@ export const NEW_TAB_APPS = new Set([ export const IFRAME_BLOCKED_APPS = new Set([]) /** Resolve app URL using direct port mapping (source of truth) */ -export function resolveAppUrl(id: string, routeQueryPath?: string, runtimeUrl?: string): string { +export function resolveAppUrl(id: string, routeQueryPath?: string, _runtimeUrl?: string): string { // External HTTPS apps const ext = EXTERNAL_URLS[id] if (ext) return ext diff --git a/release-manifest.json b/release-manifest.json index 977c1e33..ee63daba 100644 --- a/release-manifest.json +++ b/release-manifest.json @@ -1,29 +1,31 @@ { - "version": "1.7.77-alpha", + "version": "1.7.78-alpha", "release_date": "2026-05-20", "changelog": [ - "Saleor first-use now exposes generated credentials through Archipelago instead of leaving users at an unexplained dashboard login: App Details shows copyable `admin@example.com` credentials, and My Apps/mobile icon launches show a pre-launch credentials modal.", - "Saleor installs now create or repair the `admin@example.com` staff account idempotently after sample data loads, use the correct dashboard mount path, and re-check stack containers after startup so stopped containers are caught.", - "NetBird embedded login now uses the upstream-compatible IdP signing-key behavior and sends ID tokens from the dashboard to the management API, fixing the post-signup `Unauthenticated` state while preserving the unified local proxy/logout routes.", - "Transient unnamed Podman helper containers created during app install tasks are hidden from My Apps, so generated names like `eager_keldysh` no longer appear as user applications.", - "Validation passed with catalog/release JSON checks, `npm run type-check`, and `cargo fmt --all --check --manifest-path core/Cargo.toml`; live checks on `100.114.134.21` confirmed Saleor dashboard/API availability, generated Saleor admin login, NetBird OAuth availability, and NetBird logout redirects." + "Public Nginx Proxy Manager hosts for Saleor now keep browser GraphQL calls same-origin at `/graphql/` and proxy them to the local API on `8000`, fixing `Failed to fetch` when a public domain such as `noderunner.shop` was loaded from devices that cannot reach the node's private LAN/tailnet API address.", + "Saleor's validated stack changes are now release-ready: dashboard origins on port `9010` are explicitly allowed for dashboard/API calls, preserving the working test-node install path for production nodes.", + "NetBird launches now stay pinned to the unified dashboard/proxy origin on port `8087` instead of following stale runtime-discovered server URLs on `8086`.", + "NetBird's local nginx proxy now routes browser API, OAuth, relay, and WebSocket traffic through `host.containers.internal:8086` instead of a hard-coded rootless Podman gateway IP, and includes the upstream `management.ProxyService` gRPC path.", + "The mobile credentials interstitial now keeps credential lists scrollable and action buttons reachable in both My Apps and the mobile app icon grid.", + "Android WebView popup windows now hand external popup URLs to the system browser, covering app login/signup flows that open secondary windows.", + "Validation passed with `git diff --check`, `cargo check -p archipelago`, and the focused `npm test -- src/views/appSession/__tests__/appSessionConfig.test.ts` suite." ], "components": [ { "name": "archipelago", - "current_version": "1.7.77-alpha", - "new_version": "1.7.77-alpha", - "download_url": "http://146.59.87.168:3000/lfg2025/archy/releases/download/v1.7.77-alpha/archipelago", - "sha256": "53679077182044f0601bab41e7239d293089f30725c1bedd883f30c40bd7807b", - "size_bytes": 43068640 + "current_version": "1.7.78-alpha", + "new_version": "1.7.78-alpha", + "download_url": "http://146.59.87.168:3000/lfg2025/archy/releases/download/v1.7.78-alpha/archipelago", + "sha256": "49ac959035029fb77cbf001cfabbe7919bc74aee3bb7176067c77ab0d1c97b58", + "size_bytes": 43069480 }, { - "name": "archipelago-frontend-1.7.77-alpha.tar.gz", - "current_version": "1.7.77-alpha", - "new_version": "1.7.77-alpha", - "download_url": "http://146.59.87.168:3000/lfg2025/archy/releases/download/v1.7.77-alpha/archipelago-frontend-1.7.77-alpha.tar.gz", - "sha256": "a083abfcbdbb03a2ba5a02e622d7d496fa5e6b39f2ee5afd41c9f4df0d31b9d6", - "size_bytes": 166486722 + "name": "archipelago-frontend-1.7.78-alpha.tar.gz", + "current_version": "1.7.78-alpha", + "new_version": "1.7.78-alpha", + "download_url": "http://146.59.87.168:3000/lfg2025/archy/releases/download/v1.7.78-alpha/archipelago-frontend-1.7.78-alpha.tar.gz", + "sha256": "a11ed587122fe2150c7439fdb88bfb4f3b999de2c52855bb4ac860b237854943", + "size_bytes": 166486679 } ] } diff --git a/releases/manifest.json b/releases/manifest.json index 977c1e33..ee63daba 100644 --- a/releases/manifest.json +++ b/releases/manifest.json @@ -1,29 +1,31 @@ { - "version": "1.7.77-alpha", + "version": "1.7.78-alpha", "release_date": "2026-05-20", "changelog": [ - "Saleor first-use now exposes generated credentials through Archipelago instead of leaving users at an unexplained dashboard login: App Details shows copyable `admin@example.com` credentials, and My Apps/mobile icon launches show a pre-launch credentials modal.", - "Saleor installs now create or repair the `admin@example.com` staff account idempotently after sample data loads, use the correct dashboard mount path, and re-check stack containers after startup so stopped containers are caught.", - "NetBird embedded login now uses the upstream-compatible IdP signing-key behavior and sends ID tokens from the dashboard to the management API, fixing the post-signup `Unauthenticated` state while preserving the unified local proxy/logout routes.", - "Transient unnamed Podman helper containers created during app install tasks are hidden from My Apps, so generated names like `eager_keldysh` no longer appear as user applications.", - "Validation passed with catalog/release JSON checks, `npm run type-check`, and `cargo fmt --all --check --manifest-path core/Cargo.toml`; live checks on `100.114.134.21` confirmed Saleor dashboard/API availability, generated Saleor admin login, NetBird OAuth availability, and NetBird logout redirects." + "Public Nginx Proxy Manager hosts for Saleor now keep browser GraphQL calls same-origin at `/graphql/` and proxy them to the local API on `8000`, fixing `Failed to fetch` when a public domain such as `noderunner.shop` was loaded from devices that cannot reach the node's private LAN/tailnet API address.", + "Saleor's validated stack changes are now release-ready: dashboard origins on port `9010` are explicitly allowed for dashboard/API calls, preserving the working test-node install path for production nodes.", + "NetBird launches now stay pinned to the unified dashboard/proxy origin on port `8087` instead of following stale runtime-discovered server URLs on `8086`.", + "NetBird's local nginx proxy now routes browser API, OAuth, relay, and WebSocket traffic through `host.containers.internal:8086` instead of a hard-coded rootless Podman gateway IP, and includes the upstream `management.ProxyService` gRPC path.", + "The mobile credentials interstitial now keeps credential lists scrollable and action buttons reachable in both My Apps and the mobile app icon grid.", + "Android WebView popup windows now hand external popup URLs to the system browser, covering app login/signup flows that open secondary windows.", + "Validation passed with `git diff --check`, `cargo check -p archipelago`, and the focused `npm test -- src/views/appSession/__tests__/appSessionConfig.test.ts` suite." ], "components": [ { "name": "archipelago", - "current_version": "1.7.77-alpha", - "new_version": "1.7.77-alpha", - "download_url": "http://146.59.87.168:3000/lfg2025/archy/releases/download/v1.7.77-alpha/archipelago", - "sha256": "53679077182044f0601bab41e7239d293089f30725c1bedd883f30c40bd7807b", - "size_bytes": 43068640 + "current_version": "1.7.78-alpha", + "new_version": "1.7.78-alpha", + "download_url": "http://146.59.87.168:3000/lfg2025/archy/releases/download/v1.7.78-alpha/archipelago", + "sha256": "49ac959035029fb77cbf001cfabbe7919bc74aee3bb7176067c77ab0d1c97b58", + "size_bytes": 43069480 }, { - "name": "archipelago-frontend-1.7.77-alpha.tar.gz", - "current_version": "1.7.77-alpha", - "new_version": "1.7.77-alpha", - "download_url": "http://146.59.87.168:3000/lfg2025/archy/releases/download/v1.7.77-alpha/archipelago-frontend-1.7.77-alpha.tar.gz", - "sha256": "a083abfcbdbb03a2ba5a02e622d7d496fa5e6b39f2ee5afd41c9f4df0d31b9d6", - "size_bytes": 166486722 + "name": "archipelago-frontend-1.7.78-alpha.tar.gz", + "current_version": "1.7.78-alpha", + "new_version": "1.7.78-alpha", + "download_url": "http://146.59.87.168:3000/lfg2025/archy/releases/download/v1.7.78-alpha/archipelago-frontend-1.7.78-alpha.tar.gz", + "sha256": "a11ed587122fe2150c7439fdb88bfb4f3b999de2c52855bb4ac860b237854943", + "size_bytes": 166486679 } ] } diff --git a/scripts/sync-npm-public-hosts.sh b/scripts/sync-npm-public-hosts.sh index c3aa749c..25b4e632 100644 --- a/scripts/sync-npm-public-hosts.sh +++ b/scripts/sync-npm-public-hosts.sh @@ -58,6 +58,32 @@ for row in rows: # NPM containers use this name to reach host-published services; host nginx # itself should use loopback for the same services. nginx_host = "127.0.0.1" if host == "host.containers.internal" else host + try: + forward_port = int(port) + except (TypeError, ValueError): + forward_port = None + is_saleor = forward_port == 9010 + graphql_location = "" + saleor_proxy_headers = "" + if is_saleor: + graphql_location = """ + location ^~ /graphql/ { + proxy_pass http://127.0.0.1:8000/graphql/; + proxy_http_version 1.1; + proxy_set_header Host 127.0.0.1; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Scheme https; + proxy_set_header Origin ""; + } +""" + saleor_proxy_headers = """ + proxy_set_header Accept-Encoding ""; + sub_filter_once off; + sub_filter_types text/html; + sub_filter '' ''; +""" print(f""" server {{ @@ -81,6 +107,8 @@ server {{ ssl_certificate {cert}; ssl_certificate_key {key}; +{graphql_location} + location / {{ proxy_pass {scheme}://{nginx_host}:{port}; proxy_http_version 1.1; @@ -91,6 +119,7 @@ server {{ proxy_set_header X-Forwarded-Scheme https; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; +{saleor_proxy_headers} }} }} """)