Merge pull request #1391 from fosrl/dev

1.9.3

esbuild.mjs

@@ -63,7 +63,7 @@ esbuild
                 packagePath: getPackagePaths(),
             }),
         ],
-        sourcemap: true,
+        sourcemap: "external",
         target: "node22",
     })
     .then(() => {

install/config/config.yml

@@ -13,6 +13,8 @@ managed:
 app:
     dashboard_url: "https://{{.DashboardDomain}}"
     log_level: "info"
+    telemetry:
+        anonymous_usage: true
 
 domains:
     domain1:

install/config/traefik/traefik_config.yml

@@ -42,6 +42,10 @@ entryPoints:
     address: ":80"
   websecure:
     address: ":443"
+{{if .HybridMode}}    proxyProtocol:
+      trustedIPs:
+        - 0.0.0.0/0
+        - ::1/128{{end}}
     transport:
       respondingTimeouts:
         readTimeout: "30m"

install/go.mod

@@ -3,8 +3,8 @@ module installer
 go 1.24
 
 require (
-	golang.org/x/term v0.33.0
+	golang.org/x/term v0.34.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
-require golang.org/x/sys v0.34.0 // indirect
+require golang.org/x/sys v0.35.0 // indirect

install/go.sum

@@ -1,7 +1,7 @@
-golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
-golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg=
-golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
+golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

messages/bg-BG.json

@@ -205,6 +205,7 @@
     "resourceSetting": "{resourceName} Settings",
     "alwaysAllow": "Always Allow",
     "alwaysDeny": "Always Deny",
+    "passToAuth": "Pass to Auth",
     "orgSettingsDescription": "Configure your organization's general settings",
     "orgGeneralSettings": "Organization Settings",
     "orgGeneralSettingsDescription": "Manage your organization details and configuration",
@@ -545,6 +546,7 @@
     "rulesActions": "Actions",
     "rulesActionAlwaysAllow": "Always Allow: Bypass all authentication methods",
     "rulesActionAlwaysDeny": "Always Deny: Block all requests; no authentication can be attempted",
+    "rulesActionPassToAuth": "Pass to Auth: Allow authentication methods to be attempted",
     "rulesMatchCriteria": "Matching Criteria",
     "rulesMatchCriteriaIpAddress": "Match a specific IP address",
     "rulesMatchCriteriaIpAddressRange": "Match a range of IP addresses in CIDR notation",
@@ -1052,6 +1054,11 @@
     "actionUpdateClient": "Update Client",
     "actionListClients": "List Clients",
     "actionGetClient": "Get Client",
+    "actionCreateSiteResource": "Create Site Resource",
+    "actionDeleteSiteResource": "Delete Site Resource",
+    "actionGetSiteResource": "Get Site Resource",
+    "actionListSiteResources": "List Site Resources",
+    "actionUpdateSiteResource": "Update Site Resource",
     "noneSelected": "None selected",
     "orgNotFound2": "No organizations found.",
     "searchProgress": "Search...",
@@ -1450,5 +1457,7 @@
     "autoLoginRedirecting": "Redirecting to login...",
     "autoLoginError": "Auto Login Error",
     "autoLoginErrorNoRedirectUrl": "No redirect URL received from the identity provider.",
-    "autoLoginErrorGeneratingUrl": "Failed to generate authentication URL."
+    "autoLoginErrorGeneratingUrl": "Failed to generate authentication URL.",
+    "internationaldomaindetected": "International Domain Detected",
+    "willbestoredas": "Will be stored as:"
 }

messages/cs-CZ.json

@@ -149,44 +149,44 @@
     "resourceDescription": "Vytvořte bezpečné proxy služby pro přístup k privátním aplikacím",
     "resourcesSearch": "Prohledat zdroje...",
     "resourceAdd": "Přidat zdroj",
-    "resourceErrorDelte": "Error deleting resource",
-    "authentication": "Authentication",
-    "protected": "Protected",
-    "notProtected": "Not Protected",
-    "resourceMessageRemove": "Once removed, the resource will no longer be accessible. All targets associated with the resource will also be removed.",
-    "resourceMessageConfirm": "To confirm, please type the name of the resource below.",
-    "resourceQuestionRemove": "Are you sure you want to remove the resource {selectedResource} from the organization?",
-    "resourceHTTP": "HTTPS Resource",
+    "resourceErrorDelte": "Chyba při odstraňování zdroje",
+    "authentication": "Autentifikace",
+    "protected": "Chráněno",
+    "notProtected": "Nechráněno",
+    "resourceMessageRemove": "Jakmile zdroj odstraníte, nebude dostupný. Všechny související služby a cíle budou také odstraněny.",
+    "resourceMessageConfirm": "Pro potvrzení zadejte prosím název zdroje.",
+    "resourceQuestionRemove": "Opravdu chcete odstranit zdroj {selectedResource} z organizace?",
+    "resourceHTTP": "Zdroj HTTPS",
     "resourceHTTPDescription": "Proxy requests to your app over HTTPS using a subdomain or base domain.",
     "resourceRaw": "Raw TCP/UDP Resource",
     "resourceRawDescription": "Proxy requests to your app over TCP/UDP using a port number.",
-    "resourceCreate": "Create Resource",
-    "resourceCreateDescription": "Follow the steps below to create a new resource",
-    "resourceSeeAll": "See All Resources",
-    "resourceInfo": "Resource Information",
-    "resourceNameDescription": "This is the display name for the resource.",
-    "siteSelect": "Select site",
-    "siteSearch": "Search site",
-    "siteNotFound": "No site found.",
-    "siteSelectionDescription": "This site will provide connectivity to the target.",
-    "resourceType": "Resource Type",
-    "resourceTypeDescription": "Determine how you want to access your resource",
-    "resourceHTTPSSettings": "HTTPS Settings",
-    "resourceHTTPSSettingsDescription": "Configure how your resource will be accessed over HTTPS",
-    "domainType": "Domain Type",
-    "subdomain": "Subdomain",
-    "baseDomain": "Base Domain",
-    "subdomnainDescription": "The subdomain where your resource will be accessible.",
-    "resourceRawSettings": "TCP/UDP Settings",
-    "resourceRawSettingsDescription": "Configure how your resource will be accessed over TCP/UDP",
-    "protocol": "Protocol",
-    "protocolSelect": "Select a protocol",
-    "resourcePortNumber": "Port Number",
-    "resourcePortNumberDescription": "The external port number to proxy requests.",
-    "cancel": "Cancel",
-    "resourceConfig": "Configuration Snippets",
-    "resourceConfigDescription": "Copy and paste these configuration snippets to set up your TCP/UDP resource",
-    "resourceAddEntrypoints": "Traefik: Add Entrypoints",
+    "resourceCreate": "Vytvořit zdroj",
+    "resourceCreateDescription": "Postupujte podle níže uvedených kroků, abyste vytvořili a připojili nový zdroj",
+    "resourceSeeAll": "Zobrazit všechny zdroje",
+    "resourceInfo": "Informace o zdroji",
+    "resourceNameDescription": "Toto je zobrazovaný název zdroje.",
+    "siteSelect": "Vybrat lokalitu",
+    "siteSearch": "Hledat lokalitu",
+    "siteNotFound": "Nebyla nalezena žádná lokalita.",
+    "siteSelectionDescription": "Tato lokalita poskytne připojení k cíli.",
+    "resourceType": "Typ zdroje",
+    "resourceTypeDescription": "Určete, jak chcete přistupovat ke svému zdroji",
+    "resourceHTTPSSettings": "Nastavení HTTPS",
+    "resourceHTTPSSettingsDescription": "Nakonfigurujte, jak bude váš zdroj přístupný přes HTTPS",
+    "domainType": "Typ domény",
+    "subdomain": "Subdoména",
+    "baseDomain": "Základní doména",
+    "subdomnainDescription": "Subdoména, kde bude váš zdroj přístupný.",
+    "resourceRawSettings": "Nastavení TCP/UDP",
+    "resourceRawSettingsDescription": "Nakonfigurujte, jak bude váš dokument přístupný přes TCP/UDP",
+    "protocol": "Protokol",
+    "protocolSelect": "Vybrat protokol",
+    "resourcePortNumber": "Číslo portu",
+    "resourcePortNumberDescription": "Externí port k požadavkům proxy serveru.",
+    "cancel": "Zrušit",
+    "resourceConfig": "Konfigurační snippety",
+    "resourceConfigDescription": "Zkopírujte a vložte tyto konfigurační snippety pro nastavení TCP/UDP zdroje",
+    "resourceAddEntrypoints": "Traefik: Přidat vstupní body",
     "resourceExposePorts": "Gerbil: Expose Ports in Docker Compose",
     "resourceLearnRaw": "Learn how to configure TCP/UDP resources",
     "resourceBack": "Back to Resources",
@@ -205,6 +205,7 @@
     "resourceSetting": "{resourceName} Settings",
     "alwaysAllow": "Always Allow",
     "alwaysDeny": "Always Deny",
+    "passToAuth": "Pass to Auth",
     "orgSettingsDescription": "Configure your organization's general settings",
     "orgGeneralSettings": "Organization Settings",
     "orgGeneralSettingsDescription": "Manage your organization details and configuration",
@@ -545,6 +546,7 @@
     "rulesActions": "Actions",
     "rulesActionAlwaysAllow": "Always Allow: Bypass all authentication methods",
     "rulesActionAlwaysDeny": "Always Deny: Block all requests; no authentication can be attempted",
+    "rulesActionPassToAuth": "Pass to Auth: Allow authentication methods to be attempted",
     "rulesMatchCriteria": "Matching Criteria",
     "rulesMatchCriteriaIpAddress": "Match a specific IP address",
     "rulesMatchCriteriaIpAddressRange": "Match a range of IP addresses in CIDR notation",
@@ -1052,6 +1054,11 @@
     "actionUpdateClient": "Update Client",
     "actionListClients": "List Clients",
     "actionGetClient": "Get Client",
+    "actionCreateSiteResource": "Create Site Resource",
+    "actionDeleteSiteResource": "Delete Site Resource",
+    "actionGetSiteResource": "Get Site Resource",
+    "actionListSiteResources": "List Site Resources",
+    "actionUpdateSiteResource": "Update Site Resource",
     "noneSelected": "None selected",
     "orgNotFound2": "No organizations found.",
     "searchProgress": "Search...",
@@ -1450,5 +1457,7 @@
     "autoLoginRedirecting": "Redirecting to login...",
     "autoLoginError": "Auto Login Error",
     "autoLoginErrorNoRedirectUrl": "No redirect URL received from the identity provider.",
-    "autoLoginErrorGeneratingUrl": "Failed to generate authentication URL."
+    "autoLoginErrorGeneratingUrl": "Failed to generate authentication URL.",
+    "internationaldomaindetected": "Detekována mezinárodní doména",
+    "willbestoredas": "Bude uloženo jako:"
 }

messages/de-DE.json

@@ -205,6 +205,7 @@
     "resourceSetting": "{resourceName} Einstellungen",
     "alwaysAllow": "Immer erlauben",
     "alwaysDeny": "Immer ablehnen",
+    "passToAuth": "Weiterleiten zur Authentifizierung",
     "orgSettingsDescription": "Konfiguriere die allgemeinen Einstellungen deiner Organisation",
     "orgGeneralSettings": "Organisations-Einstellungen",
     "orgGeneralSettingsDescription": "Organisationsdetails und Konfiguration verwalten",
@@ -545,6 +546,7 @@
     "rulesActions": "Aktionen",
     "rulesActionAlwaysAllow": "Immer erlauben: Alle Authentifizierungsmethoden umgehen",
     "rulesActionAlwaysDeny": "Immer verweigern: Alle Anfragen blockieren; keine Authentifizierung möglich",
+    "rulesActionPassToAuth": "Weiterleiten zur Authentifizierung: Erlaubt das Versuchen von Authentifizierungsmethoden",
     "rulesMatchCriteria": "Übereinstimmungskriterien",
     "rulesMatchCriteriaIpAddress": "Mit einer bestimmten IP-Adresse übereinstimmen",
     "rulesMatchCriteriaIpAddressRange": "Mit einem IP-Adressbereich in CIDR-Notation übereinstimmen",
@@ -1052,6 +1054,11 @@
     "actionUpdateClient": "Kunde aktualisieren",
     "actionListClients": "Kunden auflisten",
     "actionGetClient": "Kunde holen",
+    "actionCreateSiteResource": "Site-Ressource erstellen",
+    "actionDeleteSiteResource": "Site-Ressource löschen",
+    "actionGetSiteResource": "Site-Ressource abrufen",
+    "actionListSiteResources": "Site-Ressourcen auflisten",
+    "actionUpdateSiteResource": "Site-Ressource aktualisieren",
     "noneSelected": "Keine ausgewählt",
     "orgNotFound2": "Keine Organisationen gefunden.",
     "searchProgress": "Suche...",
@@ -1450,5 +1457,7 @@
     "autoLoginRedirecting": "Weiterleitung zur Anmeldung...",
     "autoLoginError": "Fehler bei der automatischen Anmeldung",
     "autoLoginErrorNoRedirectUrl": "Keine Weiterleitungs-URL vom Identitätsanbieter erhalten.",
-    "autoLoginErrorGeneratingUrl": "Fehler beim Generieren der Authentifizierungs-URL."
+    "autoLoginErrorGeneratingUrl": "Fehler beim Generieren der Authentifizierungs-URL.",
+    "internationaldomaindetected": "Internationale Domäne erkannt",
+    "willbestoredas": "Wird gespeichert als:"
 }

messages/en-US.json

@@ -205,6 +205,7 @@
     "resourceSetting": "{resourceName} Settings",
     "alwaysAllow": "Always Allow",
     "alwaysDeny": "Always Deny",
+    "passToAuth": "Pass to Auth",
     "orgSettingsDescription": "Configure your organization's general settings",
     "orgGeneralSettings": "Organization Settings",
     "orgGeneralSettingsDescription": "Manage your organization details and configuration",
@@ -545,6 +546,7 @@
     "rulesActions": "Actions",
     "rulesActionAlwaysAllow": "Always Allow: Bypass all authentication methods",
     "rulesActionAlwaysDeny": "Always Deny: Block all requests; no authentication can be attempted",
+    "rulesActionPassToAuth": "Pass to Auth: Allow authentication methods to be attempted",
     "rulesMatchCriteria": "Matching Criteria",
     "rulesMatchCriteriaIpAddress": "Match a specific IP address",
     "rulesMatchCriteriaIpAddressRange": "Match a range of IP addresses in CIDR notation",
@@ -1052,6 +1054,12 @@
     "actionUpdateClient": "Update Client",
     "actionListClients": "List Clients",
     "actionGetClient": "Get Client",
+    "actionCreateSiteResource": "Create Site Resource",
+    "actionDeleteSiteResource": "Delete Site Resource",
+    "actionGetSiteResource": "Get Site Resource",
+    "actionListSiteResources": "List Site Resources",
+    "actionUpdateSiteResource": "Update Site Resource",
+    "actionListInvitations": "List Invitations",
     "noneSelected": "None selected",
     "orgNotFound2": "No organizations found.",
     "searchProgress": "Search...",
@@ -1450,5 +1458,43 @@
     "autoLoginRedirecting": "Redirecting to login...",
     "autoLoginError": "Auto Login Error",
     "autoLoginErrorNoRedirectUrl": "No redirect URL received from the identity provider.",
-    "autoLoginErrorGeneratingUrl": "Failed to generate authentication URL."
+    "autoLoginErrorGeneratingUrl": "Failed to generate authentication URL.",
+    "managedSelfHosted": {
+        "title": "Managed Self-Hosted",
+        "description": "More reliable and low-maintenance self-hosted Pangolin server with extra bells and whistles",
+        "introTitle": "Managed Self-Hosted Pangolin",
+        "introDescription": "is a deployment option designed for people who want simplicity and extra reliability while still keeping their data private and self-hosted.",
+        "introDetail": "With this option, you still run your own Pangolin node — your tunnels, SSL termination, and traffic all stay on your server. The difference is that management and monitoring are handled through our cloud dashboard, which unlocks a number of benefits:",
+        "benefitSimplerOperations": {
+            "title": "Simpler operations",
+            "description": "No need to run your own mail server or set up complex alerting. You'll get health checks and downtime alerts out of the box."
+        },
+        "benefitAutomaticUpdates": {
+            "title": "Automatic updates",
+            "description": "The cloud dashboard evolves quickly, so you get new features and bug fixes without having to manually pull new containers every time."
+        },
+        "benefitLessMaintenance": {
+            "title": "Less maintenance",
+            "description": "No database migrations, backups, or extra infrastructure to manage. We handle that in the cloud."
+        },
+        "benefitCloudFailover": {
+            "title": "Cloud failover",
+            "description": "If your node goes down, your tunnels can temporarily fail over to our cloud points of presence until you bring it back online."
+        },
+        "benefitHighAvailability": {
+            "title": "High availability (PoPs)",
+            "description": "You can also attach multiple nodes to your account for redundancy and better performance."
+        },
+        "benefitFutureEnhancements": {
+            "title": "Future enhancements",
+            "description": "We're planning to add more analytics, alerting, and management tools to make your deployment even more robust."
+        },
+        "docsAlert": {
+            "text": "Learn more about the Managed Self-Hosted option in our",
+            "documentation": "documentation"
+        },
+        "convertButton": "Convert This Node to Managed Self-Hosted"
+    },
+    "internationaldomaindetected": "International Domain Detected",
+    "willbestoredas": "Will be stored as:"
 }

messages/es-ES.json

@@ -205,6 +205,7 @@
     "resourceSetting": "Ajustes {resourceName}",
     "alwaysAllow": "Permitir siempre",
     "alwaysDeny": "Denegar siempre",
+    "passToAuth": "Pasar a Autenticación",
     "orgSettingsDescription": "Configurar la configuración general de su organización",
     "orgGeneralSettings": "Configuración de la organización",
     "orgGeneralSettingsDescription": "Administra los detalles y la configuración de tu organización",
@@ -545,6 +546,7 @@
     "rulesActions": "Acciones",
     "rulesActionAlwaysAllow": "Permitir siempre: pasar todos los métodos de autenticación",
     "rulesActionAlwaysDeny": "Denegar siempre: Bloquear todas las peticiones; no se puede intentar autenticación",
+    "rulesActionPassToAuth": "Pasar a Autenticación: Permitir que se intenten los métodos de autenticación",
     "rulesMatchCriteria": "Criterios coincidentes",
     "rulesMatchCriteriaIpAddress": "Coincidir con una dirección IP específica",
     "rulesMatchCriteriaIpAddressRange": "Coincide con un rango de direcciones IP en notación CIDR",
@@ -1052,6 +1054,11 @@
     "actionUpdateClient": "Actualizar cliente",
     "actionListClients": "Listar clientes",
     "actionGetClient": "Obtener cliente",
+    "actionCreateSiteResource": "Crear Recurso del Sitio",
+    "actionDeleteSiteResource": "Eliminar recurso del sitio",
+    "actionGetSiteResource": "Obtener recurso del sitio",
+    "actionListSiteResources": "Listar recursos del sitio",
+    "actionUpdateSiteResource": "Actualizar recurso del sitio",
     "noneSelected": "Ninguno seleccionado",
     "orgNotFound2": "No se encontraron organizaciones.",
     "searchProgress": "Buscar...",
@@ -1450,5 +1457,7 @@
     "autoLoginRedirecting": "Redirigiendo al inicio de sesión...",
     "autoLoginError": "Error de inicio de sesión automático",
     "autoLoginErrorNoRedirectUrl": "No se recibió URL de redirección del proveedor de identidad.",
-    "autoLoginErrorGeneratingUrl": "Error al generar URL de autenticación."
+    "autoLoginErrorGeneratingUrl": "Error al generar URL de autenticación.",
+    "internationaldomaindetected": "Dominio internacional detectado",
+    "willbestoredas": "Se almacenará como: "
 }

messages/fr-FR.json

@@ -205,6 +205,7 @@
     "resourceSetting": "Réglages {resourceName}",
     "alwaysAllow": "Toujours autoriser",
     "alwaysDeny": "Toujours refuser",
+    "passToAuth": "Paser à l'authentification",
     "orgSettingsDescription": "Configurer les paramètres généraux de votre organisation",
     "orgGeneralSettings": "Paramètres de l'organisation",
     "orgGeneralSettingsDescription": "Gérer les détails et la configuration de votre organisation",
@@ -545,6 +546,7 @@
     "rulesActions": "Actions",
     "rulesActionAlwaysAllow": "Toujours autoriser : Contourner toutes les méthodes d'authentification",
     "rulesActionAlwaysDeny": "Toujours refuser : Bloquer toutes les requêtes ; aucune authentification ne peut être tentée",
+    "rulesActionPassToAuth": "Passer à l'authentification : Autoriser les méthodes d'authentification à être tentées",
     "rulesMatchCriteria": "Critères de correspondance",
     "rulesMatchCriteriaIpAddress": "Correspondre à une adresse IP spécifique",
     "rulesMatchCriteriaIpAddressRange": "Correspondre à une plage d'adresses IP en notation CIDR",
@@ -1052,6 +1054,11 @@
     "actionUpdateClient": "Mettre à jour le client",
     "actionListClients": "Liste des clients",
     "actionGetClient": "Obtenir le client",
+    "actionCreateSiteResource": "Créer une ressource de site",
+    "actionDeleteSiteResource": "Supprimer une ressource de site",
+    "actionGetSiteResource": "Obtenir une ressource de site",
+    "actionListSiteResources": "Lister les ressources de site",
+    "actionUpdateSiteResource": "Mettre à jour une ressource de site",
     "noneSelected": "Aucune sélection",
     "orgNotFound2": "Aucune organisation trouvée.",
     "searchProgress": "Rechercher...",
@@ -1450,5 +1457,7 @@
     "autoLoginRedirecting": "Redirection vers la connexion...",
     "autoLoginError": "Erreur de connexion automatique",
     "autoLoginErrorNoRedirectUrl": "Aucune URL de redirection reçue du fournisseur d'identité.",
-    "autoLoginErrorGeneratingUrl": "Échec de la génération de l'URL d'authentification."
+    "autoLoginErrorGeneratingUrl": "Échec de la génération de l'URL d'authentification.",
+    "internationaldomaindetected": "Domaine international détecté",
+    "willbestoredas": "Sera stocké comme:"
 }

messages/it-IT.json

@@ -205,6 +205,7 @@
     "resourceSetting": "Impostazioni {resourceName}",
     "alwaysAllow": "Consenti Sempre",
     "alwaysDeny": "Nega Sempre",
+    "passToAuth": "Passa all'autenticazione",
     "orgSettingsDescription": "Configura le impostazioni generali della tua organizzazione",
     "orgGeneralSettings": "Impostazioni Organizzazione",
     "orgGeneralSettingsDescription": "Gestisci i dettagli dell'organizzazione e la configurazione",
@@ -545,6 +546,7 @@
     "rulesActions": "Azioni",
     "rulesActionAlwaysAllow": "Consenti Sempre: Ignora tutti i metodi di autenticazione",
     "rulesActionAlwaysDeny": "Nega Sempre: Blocca tutte le richieste; nessuna autenticazione può essere tentata",
+    "rulesActionPassToAuth": "Passa all'autenticazione: Consenti di tentare i metodi di autenticazione",
     "rulesMatchCriteria": "Criteri di Corrispondenza",
     "rulesMatchCriteriaIpAddress": "Corrisponde a un indirizzo IP specifico",
     "rulesMatchCriteriaIpAddressRange": "Corrisponde a un intervallo di indirizzi IP in notazione CIDR",
@@ -1052,6 +1054,11 @@
     "actionUpdateClient": "Aggiorna Client",
     "actionListClients": "Elenco Clienti",
     "actionGetClient": "Ottieni Client",
+    "actionCreateSiteResource": "Crea Risorsa del Sito",
+    "actionDeleteSiteResource": "Elimina Risorsa del Sito",
+    "actionGetSiteResource": "Ottieni Risorsa del Sito",
+    "actionListSiteResources": "Elenca Risorse del Sito",
+    "actionUpdateSiteResource": "Aggiorna Risorsa del Sito",
     "noneSelected": "Nessuna selezione",
     "orgNotFound2": "Nessuna organizzazione trovata.",
     "searchProgress": "Ricerca...",
@@ -1450,5 +1457,7 @@
     "autoLoginRedirecting": "Reindirizzamento al login...",
     "autoLoginError": "Errore di Accesso Automatico",
     "autoLoginErrorNoRedirectUrl": "Nessun URL di reindirizzamento ricevuto dal provider di identità.",
-    "autoLoginErrorGeneratingUrl": "Impossibile generare l'URL di autenticazione."
+    "autoLoginErrorGeneratingUrl": "Impossibile generare l'URL di autenticazione.",
+    "internationaldomaindetected": "Rilevato dominio internazionale",
+    "willbestoredas": "Verrà archiviato come:"
 }

messages/ko-KR.json

@@ -205,6 +205,7 @@
     "resourceSetting": "{resourceName} 설정",
     "alwaysAllow": "항상 허용",
     "alwaysDeny": "항상 거부",
+    "passToAuth": "인증으로 전달",
     "orgSettingsDescription": "조직의 일반 설정을 구성하세요",
     "orgGeneralSettings": "조직 설정",
     "orgGeneralSettingsDescription": "조직 세부정보 및 구성을 관리하세요.",
@@ -545,6 +546,7 @@
     "rulesActions": "작업",
     "rulesActionAlwaysAllow": "항상 허용: 모든 인증 방법 우회",
     "rulesActionAlwaysDeny": "항상 거부: 모든 요청을 차단합니다. 인증을 시도할 수 없습니다.",
+    "rulesActionPassToAuth": "인증으로 전달: 인증 방법 시도를 허용합니다",
     "rulesMatchCriteria": "일치 기준",
     "rulesMatchCriteriaIpAddress": "특정 IP 주소와 일치",
     "rulesMatchCriteriaIpAddressRange": "CIDR 표기법으로 IP 주소 범위를 일치시킵니다",
@@ -1052,6 +1054,11 @@
     "actionUpdateClient": "클라이언트 업데이트",
     "actionListClients": "클라이언트 목록",
     "actionGetClient": "클라이언트 가져오기",
+    "actionCreateSiteResource": "사이트 리소스 생성",
+    "actionDeleteSiteResource": "사이트 리소스 삭제",
+    "actionGetSiteResource": "사이트 리소스 가져오기",
+    "actionListSiteResources": "사이트 리소스 목록",
+    "actionUpdateSiteResource": "사이트 리소스 업데이트",
     "noneSelected": "선택된 항목 없음",
     "orgNotFound2": "조직이 없습니다.",
     "searchProgress": "검색...",
@@ -1450,5 +1457,7 @@
     "autoLoginRedirecting": "로그인으로 리디렉션 중...",
     "autoLoginError": "자동 로그인 오류",
     "autoLoginErrorNoRedirectUrl": "ID 공급자로부터 리디렉션 URL을 받지 못했습니다.",
-    "autoLoginErrorGeneratingUrl": "인증 URL 생성 실패."
+    "autoLoginErrorGeneratingUrl": "인증 URL 생성 실패.",
+    "internationaldomaindetected": "국제 도메인 감지됨",
+    "willbestoredas": "다음과 같이 저장됩니다."
 }

messages/nb-NO.json

@@ -205,6 +205,7 @@
     "resourceSetting": "{resourceName} Innstillinger",
     "alwaysAllow": "Alltid tillat",
     "alwaysDeny": "Alltid avslå",
+    "passToAuth": "Pass til Autentisering",
     "orgSettingsDescription": "Konfigurer organisasjonens generelle innstillinger",
     "orgGeneralSettings": "Organisasjonsinnstillinger",
     "orgGeneralSettingsDescription": "Administrer dine organisasjonsdetaljer og konfigurasjon",
@@ -545,6 +546,7 @@
     "rulesActions": "Handlinger",
     "rulesActionAlwaysAllow": "Alltid Tillat: Omgå alle autentiserings metoder",
     "rulesActionAlwaysDeny": "Alltid Nekt: Blokker alle forespørsler; ingen autentisering kan forsøkes",
+    "rulesActionPassToAuth": "Pass til Autentisering: Tillat at autentiseringsmetoder forsøkes",
     "rulesMatchCriteria": "Samsvarende kriterier",
     "rulesMatchCriteriaIpAddress": "Samsvar med en spesifikk IP-adresse",
     "rulesMatchCriteriaIpAddressRange": "Samsvar et IP-adresseområde i CIDR-notasjon",
@@ -1052,6 +1054,11 @@
     "actionUpdateClient": "Oppdater klient",
     "actionListClients": "List klienter",
     "actionGetClient": "Hent klient",
+    "actionCreateSiteResource": "Opprett stedsressurs",
+    "actionDeleteSiteResource": "Slett Stedsressurs",
+    "actionGetSiteResource": "Hent Stedsressurs",
+    "actionListSiteResources": "List opp Stedsressurser",
+    "actionUpdateSiteResource": "Oppdater Stedsressurs",
     "noneSelected": "Ingen valgt",
     "orgNotFound2": "Ingen organisasjoner funnet.",
     "searchProgress": "Søker...",

messages/nl-NL.json

@@ -205,6 +205,7 @@
     "resourceSetting": "{resourceName} instellingen",
     "alwaysAllow": "Altijd toestaan",
     "alwaysDeny": "Altijd weigeren",
+    "passToAuth": "Passeren naar Auth",
     "orgSettingsDescription": "Configureer de algemene instellingen van je organisatie",
     "orgGeneralSettings": "Organisatie Instellingen",
     "orgGeneralSettingsDescription": "Beheer de details en configuratie van uw organisatie",
@@ -545,6 +546,7 @@
     "rulesActions": "acties",
     "rulesActionAlwaysAllow": "Altijd toegestaan: Omzeil alle authenticatiemethoden",
     "rulesActionAlwaysDeny": "Altijd weigeren: Blokkeer alle aanvragen, er kan geen verificatie worden geprobeerd",
+    "rulesActionPassToAuth": "Doorgeven aan Auth: Toestaan dat authenticatiemethoden worden geprobeerd",
     "rulesMatchCriteria": "Overeenkomende criteria",
     "rulesMatchCriteriaIpAddress": "Overeenkomen met een specifiek IP-adres",
     "rulesMatchCriteriaIpAddressRange": "Overeenkomen met een bereik van IP-adressen in de CIDR-notatie",
@@ -1052,6 +1054,11 @@
     "actionUpdateClient": "Klant bijwerken",
     "actionListClients": "Lijst klanten",
     "actionGetClient": "Client ophalen",
+    "actionCreateSiteResource": "Sitebron maken",
+    "actionDeleteSiteResource": "Document verwijderen van site",
+    "actionGetSiteResource": "Bron van site ophalen",
+    "actionListSiteResources": "Bronnen van site weergeven",
+    "actionUpdateSiteResource": "Document bijwerken van site",
     "noneSelected": "Niet geselecteerd",
     "orgNotFound2": "Geen organisaties gevonden.",
     "searchProgress": "Zoeken...",
@@ -1450,5 +1457,7 @@
     "autoLoginRedirecting": "Redirecting naar inloggen...",
     "autoLoginError": "Auto Login Fout",
     "autoLoginErrorNoRedirectUrl": "Geen redirect URL ontvangen van de identity provider.",
-    "autoLoginErrorGeneratingUrl": "Genereren van authenticatie-URL mislukt."
+    "autoLoginErrorGeneratingUrl": "Genereren van authenticatie-URL mislukt.",
+    "internationaldomaindetected": "Internationaal Domein Gedetecteerd",
+    "willbestoredas": "Wordt opgeslagen als:"
 }

messages/pl-PL.json

@@ -205,6 +205,7 @@
     "resourceSetting": "Ustawienia {resourceName}",
     "alwaysAllow": "Zawsze zezwalaj",
     "alwaysDeny": "Zawsze odmawiaj",
+    "passToAuth": "Przekaż do Autoryzacji",
     "orgSettingsDescription": "Skonfiguruj ustawienia ogólne swojej organizacji",
     "orgGeneralSettings": "Ustawienia organizacji",
     "orgGeneralSettingsDescription": "Zarządzaj szczegółami swojej organizacji i konfiguracją",
@@ -545,6 +546,7 @@
     "rulesActions": "Akcje",
     "rulesActionAlwaysAllow": "Zawsze zezwalaj: Pomiń wszystkie metody uwierzytelniania",
     "rulesActionAlwaysDeny": "Zawsze odmawiaj: Blokuj wszystkie żądania; nie można próbować uwierzytelniania",
+    "rulesActionPassToAuth": "Przekaż do Autoryzacji: Zezwól na próby metod uwierzytelniania",
     "rulesMatchCriteria": "Kryteria dopasowania",
     "rulesMatchCriteriaIpAddress": "Dopasuj konkretny adres IP",
     "rulesMatchCriteriaIpAddressRange": "Dopasuj zakres adresów IP w notacji CIDR",
@@ -1052,6 +1054,11 @@
     "actionUpdateClient": "Aktualizuj klienta",
     "actionListClients": "Lista klientów",
     "actionGetClient": "Pobierz klienta",
+    "actionCreateSiteResource": "Utwórz zasób witryny",
+    "actionDeleteSiteResource": "Usuń zasób strony",
+    "actionGetSiteResource": "Pobierz zasób strony",
+    "actionListSiteResources": "Lista zasobów strony",
+    "actionUpdateSiteResource": "Aktualizuj zasób strony",
     "noneSelected": "Nie wybrano",
     "orgNotFound2": "Nie znaleziono organizacji.",
     "searchProgress": "Szukaj...",
@@ -1450,5 +1457,7 @@
     "autoLoginRedirecting": "Przekierowanie do logowania...",
     "autoLoginError": "Błąd automatycznego logowania",
     "autoLoginErrorNoRedirectUrl": "Nie otrzymano URL przekierowania od dostawcy tożsamości.",
-    "autoLoginErrorGeneratingUrl": "Nie udało się wygenerować URL uwierzytelniania."
+    "autoLoginErrorGeneratingUrl": "Nie udało się wygenerować URL uwierzytelniania.",
+    "internationaldomaindetected": "Wykryto domenę międzynarodową",
+    "willbestoredas": "Będzie przechowywane jako:"
 }

messages/pt-PT.json

@@ -205,6 +205,7 @@
     "resourceSetting": "Configurações do {resourceName}",
     "alwaysAllow": "Sempre permitir",
     "alwaysDeny": "Sempre negar",
+    "passToAuth": "Passar para Autenticação",
     "orgSettingsDescription": "Configurar as configurações gerais da sua organização",
     "orgGeneralSettings": "Configurações da organização",
     "orgGeneralSettingsDescription": "Gerencie os detalhes e a configuração da sua organização",
@@ -545,6 +546,7 @@
     "rulesActions": "Ações",
     "rulesActionAlwaysAllow": "Sempre Permitir: Ignorar todos os métodos de autenticação",
     "rulesActionAlwaysDeny": "Sempre Negar: Bloquear todas as requisições; nenhuma autenticação pode ser tentada",
+    "rulesActionPassToAuth": "Passar para Autenticação: Permitir que métodos de autenticação sejam tentados",
     "rulesMatchCriteria": "Critérios de Correspondência",
     "rulesMatchCriteriaIpAddress": "Corresponder a um endereço IP específico",
     "rulesMatchCriteriaIpAddressRange": "Corresponder a uma faixa de endereços IP em notação CIDR",
@@ -1052,6 +1054,11 @@
     "actionUpdateClient": "Atualizar Cliente",
     "actionListClients": "Listar Clientes",
     "actionGetClient": "Obter Cliente",
+    "actionCreateSiteResource": "Criar Recurso do Site",
+    "actionDeleteSiteResource": "Eliminar Recurso do Site",
+    "actionGetSiteResource": "Obter Recurso do Site",
+    "actionListSiteResources": "Listar Recursos do Site",
+    "actionUpdateSiteResource": "Atualizar Recurso do Site",
     "noneSelected": "Nenhum selecionado",
     "orgNotFound2": "Nenhuma organização encontrada.",
     "searchProgress": "Pesquisar...",
@@ -1450,5 +1457,7 @@
     "autoLoginRedirecting": "Redirecionando para login...",
     "autoLoginError": "Erro de Login Automático",
     "autoLoginErrorNoRedirectUrl": "Nenhum URL de redirecionamento recebido do provedor de identidade.",
-    "autoLoginErrorGeneratingUrl": "Falha ao gerar URL de autenticação."
+    "autoLoginErrorGeneratingUrl": "Falha ao gerar URL de autenticação.",
+    "internationaldomaindetected": "Domínio internacional detetado",
+    "willbestoredas": "Será armazenado como:"
 }

messages/ru-RU.json

@@ -205,6 +205,7 @@
     "resourceSetting": "Настройки {resourceName}",
     "alwaysAllow": "Всегда разрешать",
     "alwaysDeny": "Всегда запрещать",
+    "passToAuth": "Переход к аутентификации",
     "orgSettingsDescription": "Настройте общие параметры вашей организации",
     "orgGeneralSettings": "Настройки организации",
     "orgGeneralSettingsDescription": "Управляйте данными и конфигурацией вашей организации",
@@ -545,6 +546,7 @@
     "rulesActions": "Действия",
     "rulesActionAlwaysAllow": "Всегда разрешать: Обойти все методы аутентификации",
     "rulesActionAlwaysDeny": "Всегда запрещать: Блокировать все запросы; аутентификация не может быть выполнена",
+    "rulesActionPassToAuth": "Переход к аутентификации: Разрешить попытки методов аутентификации",
     "rulesMatchCriteria": "Критерии совпадения",
     "rulesMatchCriteriaIpAddress": "Совпадение с конкретным IP адресом",
     "rulesMatchCriteriaIpAddressRange": "Совпадение с диапазоном IP адресов в нотации CIDR",
@@ -1052,6 +1054,11 @@
     "actionUpdateClient": "Обновить Клиента",
     "actionListClients": "Список Клиентов",
     "actionGetClient": "Получить Клиента",
+    "actionCreateSiteResource": "Создать ресурс сайта",
+    "actionDeleteSiteResource": "Удалить ресурс сайта ",
+    "actionGetSiteResource": "Получить ресурс сайта",
+    "actionListSiteResources": "Список ресурсов сайта",
+    "actionUpdateSiteResource": "Обновить ресурс сайта",
     "noneSelected": "Ничего не выбрано",
     "orgNotFound2": "Организации не найдены.",
     "searchProgress": "Поиск...",
@@ -1450,5 +1457,7 @@
     "autoLoginRedirecting": "Перенаправление к входу...",
     "autoLoginError": "Ошибка автоматического входа",
     "autoLoginErrorNoRedirectUrl": "URL-адрес перенаправления не получен от провайдера удостоверения.",
-    "autoLoginErrorGeneratingUrl": "Не удалось сгенерировать URL-адрес аутентификации."
+    "autoLoginErrorGeneratingUrl": "Не удалось сгенерировать URL-адрес аутентификации.",
+    "internationaldomaindetected": "Обнаружен международный домен",
+    "willbestoredas": "Будет сохранен как:"
 }

messages/tr-TR.json

@@ -205,6 +205,7 @@
     "resourceSetting": "{resourceName} Ayarları",
     "alwaysAllow": "Her Zaman İzin Ver",
     "alwaysDeny": "Her Zaman Reddet",
+    "passToAuth": "Kimlik Doğrulamasına Geç",
     "orgSettingsDescription": "Organizasyonunuzun genel ayarlarını yapılandırın",
     "orgGeneralSettings": "Organizasyon Ayarları",
     "orgGeneralSettingsDescription": "Organizasyon detaylarınızı ve yapılandırmanızı yönetin",
@@ -545,6 +546,7 @@
     "rulesActions": "Aksiyonlar",
     "rulesActionAlwaysAllow": "Her Zaman İzin Ver: Tüm kimlik doğrulama yöntemlerini atlayın",
     "rulesActionAlwaysDeny": "Her Zaman Reddedin: Tüm istekleri engelleyin; kimlik doğrulaması yapılamaz",
+    "rulesActionPassToAuth": "Kimlik Doğrulamasına Geç: Kimlik doğrulama yöntemlerinin denenmesine izin ver",
     "rulesMatchCriteria": "Eşleşme Kriterleri",
     "rulesMatchCriteriaIpAddress": "Belirli bir IP adresi ile eşleşme",
     "rulesMatchCriteriaIpAddressRange": "CIDR gösteriminde bir IP adresi aralığı ile eşleşme",
@@ -1052,6 +1054,11 @@
     "actionUpdateClient": "Müşteri Güncelle",
     "actionListClients": "Müşterileri Listele",
     "actionGetClient": "Müşteriyi Al",
+    "actionCreateSiteResource": "Site Kaynağı Oluştur",
+    "actionDeleteSiteResource": "Site Kaynağını Sil",
+    "actionGetSiteResource": "Site Kaynağını Al",
+    "actionListSiteResources": "Site Kaynaklarını Listele",
+    "actionUpdateSiteResource": "Site Kaynağını Güncelle",
     "noneSelected": "Hiçbiri seçili değil",
     "orgNotFound2": "Hiçbir organizasyon bulunamadı.",
     "searchProgress": "Ara...",
@@ -1450,5 +1457,7 @@
     "autoLoginRedirecting": "Girişe yönlendiriliyorsunuz...",
     "autoLoginError": "Otomatik Giriş Hatası",
     "autoLoginErrorNoRedirectUrl": "Kimlik sağlayıcıdan yönlendirme URL'si alınamadı.",
-    "autoLoginErrorGeneratingUrl": "Kimlik doğrulama URL'si oluşturulamadı."
+    "autoLoginErrorGeneratingUrl": "Kimlik doğrulama URL'si oluşturulamadı.",
+    "internationaldomaindetected": "Uluslararası Etki Alanı Algılandı",
+    "willbestoredas": "Şu şekilde saklanacaktır:"
 }

messages/zh-CN.json

@@ -205,6 +205,7 @@
     "resourceSetting": "{resourceName} 设置",
     "alwaysAllow": "一律允许",
     "alwaysDeny": "一律拒绝",
+    "passToAuth": "传递至认证",
     "orgSettingsDescription": "配置您组织的一般设置",
     "orgGeneralSettings": "组织设置",
     "orgGeneralSettingsDescription": "管理您的机构详细信息和配置",
@@ -545,6 +546,7 @@
     "rulesActions": "行动",
     "rulesActionAlwaysAllow": "总是允许：绕过所有身份验证方法",
     "rulesActionAlwaysDeny": "总是拒绝：阻止所有请求；无法尝试验证",
+    "rulesActionPassToAuth": "传递至认证：允许尝试身份验证方法",
     "rulesMatchCriteria": "匹配条件",
     "rulesMatchCriteriaIpAddress": "匹配一个指定的 IP 地址",
     "rulesMatchCriteriaIpAddressRange": "在 CIDR 符号中匹配一系列IP地址",
@@ -1052,6 +1054,11 @@
     "actionUpdateClient": "更新客户端",
     "actionListClients": "列出客户端",
     "actionGetClient": "获取客户端",
+    "actionCreateSiteResource": "创建站点资源",
+    "actionDeleteSiteResource": "删除站点资源",
+    "actionGetSiteResource": "获取站点资源",
+    "actionListSiteResources": "列出站点资源",
+    "actionUpdateSiteResource": "更新站点资源",
     "noneSelected": "未选择",
     "orgNotFound2": "未找到组织。",
     "searchProgress": "搜索中...",
@@ -1450,5 +1457,7 @@
     "autoLoginRedirecting": "重定向到登录...",
     "autoLoginError": "自动登录错误",
     "autoLoginErrorNoRedirectUrl": "未从身份提供商收到重定向URL。",
-    "autoLoginErrorGeneratingUrl": "生成身份验证URL失败。"
+    "autoLoginErrorGeneratingUrl": "生成身份验证URL失败。",
+    "internationaldomaindetected": "检测到国际域名",
+    "willbestoredas": "将存储为："
 }

package-lock.json

@@ -112,8 +112,8 @@
                 "@types/node": "^24",
                 "@types/nodemailer": "6.4.17",
                 "@types/pg": "8.15.5",
-                "@types/react": "19.1.10",
-                "@types/react-dom": "19.1.7",
+                "@types/react": "19.1.12",
+                "@types/react-dom": "19.1.9",
                 "@types/semver": "^7.7.0",
                 "@types/swagger-ui-express": "^4.1.8",
                 "@types/ws": "8.18.1",
@@ -125,7 +125,7 @@
                 "react-email": "4.2.8",
                 "tailwindcss": "^4.1.4",
                 "tsc-alias": "1.8.16",
-                "tsx": "4.20.4",
+                "tsx": "4.20.5",
                 "typescript": "^5",
                 "typescript-eslint": "^8.40.0"
             }
@@ -5026,9 +5026,9 @@
             "license": "MIT"
         },
         "node_modules/@types/react": {
-            "version": "19.1.10",
-            "resolved": "https://registry.npmjs.org/@types/react/-/react-19.1.10.tgz",
-            "integrity": "sha512-EhBeSYX0Y6ye8pNebpKrwFJq7BoQ8J5SO6NlvNwwHjSj6adXJViPQrKlsyPw7hLBLvckEMO1yxeGdR82YBBlDg==",
+            "version": "19.1.12",
+            "resolved": "https://registry.npmjs.org/@types/react/-/react-19.1.12.tgz",
+            "integrity": "sha512-cMoR+FoAf/Jyq6+Df2/Z41jISvGZZ2eTlnsaJRptmZ76Caldwy1odD4xTr/gNV9VLj0AWgg/nmkevIyUfIIq5w==",
             "devOptional": true,
             "license": "MIT",
             "dependencies": {
@@ -5036,9 +5036,9 @@
             }
         },
         "node_modules/@types/react-dom": {
-            "version": "19.1.7",
-            "resolved": "https://registry.npmjs.org/@types/react-dom/-/react-dom-19.1.7.tgz",
-            "integrity": "sha512-i5ZzwYpqjmrKenzkoLM2Ibzt6mAsM7pxB6BCIouEVVmgiqaMj1TjaK7hnA36hbW5aZv20kx7Lw6hWzPWg0Rurw==",
+            "version": "19.1.9",
+            "resolved": "https://registry.npmjs.org/@types/react-dom/-/react-dom-19.1.9.tgz",
+            "integrity": "sha512-qXRuZaOsAdXKFyOhRBg6Lqqc0yay13vN7KrIg4L7N4aaHN68ma9OK3NE1BoDFgFOTfM7zg+3/8+2n8rLUH3OKQ==",
             "devOptional": true,
             "license": "MIT",
             "peerDependencies": {
@@ -16268,9 +16268,9 @@
             }
         },
         "node_modules/tsx": {
-            "version": "4.20.4",
-            "resolved": "https://registry.npmjs.org/tsx/-/tsx-4.20.4.tgz",
-            "integrity": "sha512-yyxBKfORQ7LuRt/BQKBXrpcq59ZvSW0XxwfjAt3w2/8PmdxaFzijtMhTawprSHhpzeM5BgU2hXHG3lklIERZXg==",
+            "version": "4.20.5",
+            "resolved": "https://registry.npmjs.org/tsx/-/tsx-4.20.5.tgz",
+            "integrity": "sha512-+wKjMNU9w/EaQayHXb7WA7ZaHY6hN8WgfvHNQ3t1PnU91/7O8TcTnIhCDYTZwnt8JsO9IBqZ30Ln1r7pPF52Aw==",
             "dev": true,
             "license": "MIT",
             "dependencies": {

package.json

@@ -129,8 +129,8 @@
         "@types/node": "^24",
         "@types/nodemailer": "6.4.17",
         "@types/pg": "8.15.5",
-        "@types/react": "19.1.10",
-        "@types/react-dom": "19.1.7",
+        "@types/react": "19.1.12",
+        "@types/react-dom": "19.1.9",
         "@types/semver": "^7.7.0",
         "@types/swagger-ui-express": "^4.1.8",
         "@types/ws": "8.18.1",
@@ -142,7 +142,7 @@
         "react-email": "4.2.8",
         "tailwindcss": "^4.1.4",
         "tsc-alias": "1.8.16",
-        "tsx": "4.20.4",
+        "tsx": "4.20.5",
         "typescript": "^5",
         "typescript-eslint": "^8.40.0"
     },

server/apiServer.ts

@@ -12,7 +12,7 @@ import { router as wsRouter, handleWSUpgrade } from "@server/routers/ws";
 import { logIncomingMiddleware } from "./middlewares/logIncoming";
 import { csrfProtectionMiddleware } from "./middlewares/csrfProtection";
 import helmet from "helmet";
-import rateLimit from "express-rate-limit";
+import rateLimit, { ipKeyGenerator } from "express-rate-limit";
 import createHttpError from "http-errors";
 import HttpCode from "./types/HttpCode";
 import requestTimeoutMiddleware from "./middlewares/requestTimeout";
@@ -70,7 +70,7 @@ export function createApiServer() {
                     60 *
                     1000,
                 max: config.getRawConfig().rate_limits.global.max_requests,
-                keyGenerator: (req) => `apiServerGlobal:${req.ip}:${req.path}`,
+                keyGenerator: (req) => `apiServerGlobal:${ipKeyGenerator(req.ip || "")}:${req.path}`,
                 handler: (req, res, next) => {
                     const message = `Rate limit exceeded. You can make ${config.getRawConfig().rate_limits.global.max_requests} requests every ${config.getRawConfig().rate_limits.global.window_minutes} minute(s).`;
                     return next(

server/db/pg/schema.ts

@@ -430,7 +430,7 @@ export const resourceRules = pgTable("resourceRules", {
         .references(() => resources.resourceId, { onDelete: "cascade" }),
     enabled: boolean("enabled").notNull().default(true),
     priority: integer("priority").notNull(),
-    action: varchar("action").notNull(), // ACCEPT, DROP
+    action: varchar("action").notNull(), // ACCEPT, DROP, PASS
     match: varchar("match").notNull(), // CIDR, PATH, IP
     value: varchar("value").notNull()
 });

server/db/sqlite/schema.ts

@@ -570,7 +570,7 @@ export const resourceRules = sqliteTable("resourceRules", {
         .references(() => resources.resourceId, { onDelete: "cascade" }),
     enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
     priority: integer("priority").notNull(),
-    action: text("action").notNull(), // ACCEPT, DROP
+    action: text("action").notNull(), // ACCEPT, DROP, PASS
     match: text("match").notNull(), // CIDR, PATH, IP
     value: text("value").notNull()
 });

server/lib/geoip.ts

@@ -0,0 +1,32 @@
+import axios from "axios";
+import config from "./config";
+import { tokenManager } from "./tokenManager";
+import logger from "@server/logger";
+
+export async function getCountryCodeForIp(
+    ip: string
+): Promise<string | undefined> {
+    try {
+        const response = await axios.get(
+            `${config.getRawConfig().managed?.endpoint}/api/v1/hybrid/geoip/${ip}`,
+            await tokenManager.getAuthHeader()
+        );
+
+        return response.data.data.countryCode;
+    } catch (error) {
+        if (axios.isAxiosError(error)) {
+            logger.error("Error fetching config in verify session:", {
+                message: error.message,
+                code: error.code,
+                status: error.response?.status,
+                statusText: error.response?.statusText,
+                url: error.config?.url,
+                method: error.config?.method
+            });
+        } else {
+            logger.error("Error fetching config in verify session:", error);
+        }
+    }
+
+    return;
+}

server/lib/index.ts

@@ -1,2 +1,3 @@
 export * from "./response";
 export { tokenManager, TokenManager } from "./tokenManager";
+export * from "./geoip";

server/lib/readConfigFile.ts

@@ -129,7 +129,6 @@ export const configSchema = z
             trust_proxy: z.number().int().gte(0).optional().default(1),
             secret: z
                 .string()
-                .transform(getEnvOrYaml("SERVER_SECRET"))
                 .pipe(z.string().min(8))
                 .optional()
         }).optional().default({
@@ -180,6 +179,7 @@ export const configSchema = z
                     .default("/var/dynamic/router_config.yml"),
                 static_domains: z.array(z.string()).optional().default([]),
                 site_types: z.array(z.string()).optional().default(["newt", "wireguard", "local"]),
+                allow_raw_resources: z.boolean().optional().default(true),
                 file_mode: z.boolean().optional().default(false)
             })
             .optional()
@@ -324,7 +324,10 @@ export const configSchema = z
             if (data.managed) {
                 return true;
             }
-            // If hybrid is not defined, server secret must be defined
+            // If hybrid is not defined, server secret must be defined. If its not defined already then pull it from env
+            if (data.server?.secret === undefined) {
+                data.server.secret = process.env.SERVER_SECRET;
+            }
             return data.server?.secret !== undefined && data.server.secret.length > 0;
         },
         {

server/lib/remoteCertificates/certificates.ts

@@ -10,6 +10,7 @@ export async function getValidCertificatesForDomainsHybrid(domains: Set<string>)
     Array<{
         id: number;
         domain: string;
+        wildcard: boolean | null;
         certFile: string | null;
         keyFile: string | null;
         expiresAt: Date | null;
@@ -68,6 +69,7 @@ export async function getValidCertificatesForDomains(domains: Set<string>): Prom
     Array<{
         id: number;
         domain: string;
+        wildcard: boolean | null;
         certFile: string | null;
         keyFile: string | null;
         expiresAt: Date | null;

server/lib/schemas.ts

@@ -3,7 +3,7 @@ import { z } from "zod";
 export const subdomainSchema = z
     .string()
     .regex(
-        /^(?!:\/\/)([a-zA-Z0-9-_]+\.)*[a-zA-Z0-9-_]+$/,
+        /^(?!:\/\/)([a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\.)*[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$/,
         "Invalid subdomain format"
     )
     .min(1, "Subdomain must be at least 1 character long")
@@ -12,7 +12,8 @@ export const subdomainSchema = z
 export const tlsNameSchema = z
     .string()
     .regex(
-        /^(?!:\/\/)([a-zA-Z0-9-_]+\.)*[a-zA-Z0-9-_]+$|^$/,
+        /^(?!:\/\/)([a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\.)*[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$|^$/,
         "Invalid subdomain format"
     )
-    .transform((val) => val.toLowerCase());
+    .transform((val) => val.toLowerCase());
+

server/lib/traefikConfig.test.ts

@@ -0,0 +1,235 @@
+import { assertEquals } from "@test/assert";
+import { isDomainCoveredByWildcard } from "./traefikConfig";
+
+function runTests() {
+    console.log('Running wildcard domain coverage tests...');
+    
+    // Test case 1: Basic wildcard certificate at example.com
+    const basicWildcardCerts = new Map([
+        ['example.com', { exists: true, wildcard: true }]
+    ]);
+    
+    // Should match first-level subdomains
+    assertEquals(
+        isDomainCoveredByWildcard('level1.example.com', basicWildcardCerts),
+        true,
+        'Wildcard cert at example.com should match level1.example.com'
+    );
+    
+    assertEquals(
+        isDomainCoveredByWildcard('api.example.com', basicWildcardCerts),
+        true,
+        'Wildcard cert at example.com should match api.example.com'
+    );
+    
+    assertEquals(
+        isDomainCoveredByWildcard('www.example.com', basicWildcardCerts),
+        true,
+        'Wildcard cert at example.com should match www.example.com'
+    );
+    
+    // Should match the root domain (exact match)
+    assertEquals(
+        isDomainCoveredByWildcard('example.com', basicWildcardCerts),
+        true,
+        'Wildcard cert at example.com should match example.com itself'
+    );
+    
+    // Should NOT match second-level subdomains
+    assertEquals(
+        isDomainCoveredByWildcard('level2.level1.example.com', basicWildcardCerts),
+        false,
+        'Wildcard cert at example.com should NOT match level2.level1.example.com'
+    );
+    
+    assertEquals(
+        isDomainCoveredByWildcard('deep.nested.subdomain.example.com', basicWildcardCerts),
+        false,
+        'Wildcard cert at example.com should NOT match deep.nested.subdomain.example.com'
+    );
+    
+    // Should NOT match different domains
+    assertEquals(
+        isDomainCoveredByWildcard('test.otherdomain.com', basicWildcardCerts),
+        false,
+        'Wildcard cert at example.com should NOT match test.otherdomain.com'
+    );
+    
+    assertEquals(
+        isDomainCoveredByWildcard('notexample.com', basicWildcardCerts),
+        false,
+        'Wildcard cert at example.com should NOT match notexample.com'
+    );
+    
+    // Test case 2: Multiple wildcard certificates
+    const multipleWildcardCerts = new Map([
+        ['example.com', { exists: true, wildcard: true }],
+        ['test.org', { exists: true, wildcard: true }],
+        ['api.service.net', { exists: true, wildcard: true }]
+    ]);
+    
+    assertEquals(
+        isDomainCoveredByWildcard('app.example.com', multipleWildcardCerts),
+        true,
+        'Should match subdomain of first wildcard cert'
+    );
+    
+    assertEquals(
+        isDomainCoveredByWildcard('staging.test.org', multipleWildcardCerts),
+        true,
+        'Should match subdomain of second wildcard cert'
+    );
+    
+    assertEquals(
+        isDomainCoveredByWildcard('v1.api.service.net', multipleWildcardCerts),
+        true,
+        'Should match subdomain of third wildcard cert'
+    );
+    
+    assertEquals(
+        isDomainCoveredByWildcard('deep.nested.api.service.net', multipleWildcardCerts),
+        false,
+        'Should NOT match multi-level subdomain of third wildcard cert'
+    );
+    
+    // Test exact domain matches for multiple certs
+    assertEquals(
+        isDomainCoveredByWildcard('example.com', multipleWildcardCerts),
+        true,
+        'Should match exact domain of first wildcard cert'
+    );
+    
+    assertEquals(
+        isDomainCoveredByWildcard('test.org', multipleWildcardCerts),
+        true,
+        'Should match exact domain of second wildcard cert'
+    );
+    
+    assertEquals(
+        isDomainCoveredByWildcard('api.service.net', multipleWildcardCerts),
+        true,
+        'Should match exact domain of third wildcard cert'
+    );
+    
+    // Test case 3: Non-wildcard certificates (should not match anything)
+    const nonWildcardCerts = new Map([
+        ['example.com', { exists: true, wildcard: false }],
+        ['specific.domain.com', { exists: true, wildcard: false }]
+    ]);
+    
+    assertEquals(
+        isDomainCoveredByWildcard('sub.example.com', nonWildcardCerts),
+        false,
+        'Non-wildcard cert should not match subdomains'
+    );
+    
+    assertEquals(
+        isDomainCoveredByWildcard('example.com', nonWildcardCerts),
+        false,
+        'Non-wildcard cert should not match even exact domain via this function'
+    );
+    
+    // Test case 4: Non-existent certificates (should not match)
+    const nonExistentCerts = new Map([
+        ['example.com', { exists: false, wildcard: true }],
+        ['missing.com', { exists: false, wildcard: true }]
+    ]);
+    
+    assertEquals(
+        isDomainCoveredByWildcard('sub.example.com', nonExistentCerts),
+        false,
+        'Non-existent wildcard cert should not match'
+    );
+    
+    // Test case 5: Edge cases with special domain names
+    const specialDomainCerts = new Map([
+        ['localhost', { exists: true, wildcard: true }],
+        ['127-0-0-1.nip.io', { exists: true, wildcard: true }],
+        ['xn--e1afmkfd.xn--p1ai', { exists: true, wildcard: true }] // IDN domain
+    ]);
+    
+    assertEquals(
+        isDomainCoveredByWildcard('app.localhost', specialDomainCerts),
+        true,
+        'Should match subdomain of localhost wildcard'
+    );
+    
+    assertEquals(
+        isDomainCoveredByWildcard('test.127-0-0-1.nip.io', specialDomainCerts),
+        true,
+        'Should match subdomain of nip.io wildcard'
+    );
+    
+    assertEquals(
+        isDomainCoveredByWildcard('sub.xn--e1afmkfd.xn--p1ai', specialDomainCerts),
+        true,
+        'Should match subdomain of IDN wildcard'
+    );
+    
+    // Test case 6: Empty input and edge cases
+    const emptyCerts = new Map();
+    
+    assertEquals(
+        isDomainCoveredByWildcard('any.domain.com', emptyCerts),
+        false,
+        'Empty certificate map should not match any domain'
+    );
+    
+    // Test case 7: Domains with single character components
+    const singleCharCerts = new Map([
+        ['a.com', { exists: true, wildcard: true }],
+        ['x.y.z', { exists: true, wildcard: true }]
+    ]);
+    
+    assertEquals(
+        isDomainCoveredByWildcard('b.a.com', singleCharCerts),
+        true,
+        'Should match single character subdomain'
+    );
+    
+    assertEquals(
+        isDomainCoveredByWildcard('w.x.y.z', singleCharCerts),
+        true,
+        'Should match single character subdomain of multi-part domain'
+    );
+    
+    assertEquals(
+        isDomainCoveredByWildcard('v.w.x.y.z', singleCharCerts),
+        false,
+        'Should NOT match multi-level subdomain of single char domain'
+    );
+    
+    // Test case 8: Domains with numbers and hyphens
+    const numericCerts = new Map([
+        ['api-v2.service-1.com', { exists: true, wildcard: true }],
+        ['123.456.net', { exists: true, wildcard: true }]
+    ]);
+    
+    assertEquals(
+        isDomainCoveredByWildcard('staging.api-v2.service-1.com', numericCerts),
+        true,
+        'Should match subdomain with hyphens and numbers'
+    );
+    
+    assertEquals(
+        isDomainCoveredByWildcard('test.123.456.net', numericCerts),
+        true,
+        'Should match subdomain with numeric components'
+    );
+    
+    assertEquals(
+        isDomainCoveredByWildcard('deep.staging.api-v2.service-1.com', numericCerts),
+        false,
+        'Should NOT match multi-level subdomain with hyphens and numbers'
+    );
+    
+    console.log('All wildcard domain coverage tests passed!');
+}
+
+// Run all tests
+try {
+    runTests();
+} catch (error) {
+    console.error('Test failed:', error);
+    process.exit(1);
+}

server/lib/traefikConfig.ts

@@ -29,6 +29,7 @@ export class TraefikConfigManager {
             exists: boolean;
             lastModified: Date | null;
             expiresAt: Date | null;
+            wildcard: boolean | null;
         }
     >();
 
@@ -115,6 +116,7 @@ export class TraefikConfigManager {
                 exists: boolean;
                 lastModified: Date | null;
                 expiresAt: Date | null;
+                wildcard: boolean;
             }
         >
     > {
@@ -136,13 +138,16 @@ export class TraefikConfigManager {
                 const certPath = path.join(domainDir, "cert.pem");
                 const keyPath = path.join(domainDir, "key.pem");
                 const lastUpdatePath = path.join(domainDir, ".last_update");
+                const wildcardPath = path.join(domainDir, ".wildcard");
 
                 const certExists = await this.fileExists(certPath);
                 const keyExists = await this.fileExists(keyPath);
                 const lastUpdateExists = await this.fileExists(lastUpdatePath);
+                const wildcardExists = await this.fileExists(wildcardPath);
 
                 let lastModified: Date | null = null;
                 const expiresAt: Date | null = null;
+                let wildcard = false;
 
                 if (lastUpdateExists) {
                     try {
@@ -161,10 +166,26 @@ export class TraefikConfigManager {
                     }
                 }
 
+                // Check if this is a wildcard certificate
+                if (wildcardExists) {
+                    try {
+                        const wildcardContent = fs
+                            .readFileSync(wildcardPath, "utf8")
+                            .trim();
+                        wildcard = wildcardContent === "true";
+                    } catch (error) {
+                        logger.warn(
+                            `Could not read wildcard file for ${domain}:`,
+                            error
+                        );
+                    }
+                }
+
                 state.set(domain, {
                     exists: certExists && keyExists,
                     lastModified,
-                    expiresAt
+                    expiresAt,
+                    wildcard
                 });
             }
         } catch (error) {
@@ -192,19 +213,36 @@ export class TraefikConfigManager {
             return true;
         }
 
-        // Fetch if domains have changed
+        // Filter out domains covered by wildcard certificates
+        const domainsNeedingCerts = new Set<string>();
+        for (const domain of currentDomains) {
+            if (!isDomainCoveredByWildcard(domain, this.lastLocalCertificateState)) {
+                domainsNeedingCerts.add(domain);
+            }
+        }
+
+        // Fetch if domains needing certificates have changed
+        const lastDomainsNeedingCerts = new Set<string>();
+        for (const domain of this.lastKnownDomains) {
+            if (!isDomainCoveredByWildcard(domain, this.lastLocalCertificateState)) {
+                lastDomainsNeedingCerts.add(domain);
+            }
+        }
+
         if (
-            this.lastKnownDomains.size !== currentDomains.size ||
-            !Array.from(this.lastKnownDomains).every((domain) =>
-                currentDomains.has(domain)
+            domainsNeedingCerts.size !== lastDomainsNeedingCerts.size ||
+            !Array.from(domainsNeedingCerts).every((domain) =>
+                lastDomainsNeedingCerts.has(domain)
             )
         ) {
-            logger.info("Fetching certificates due to domain changes");
+            logger.info(
+                "Fetching certificates due to domain changes (after wildcard filtering)"
+            );
             return true;
         }
 
         // Check if any local certificates are missing or appear to be outdated
-        for (const domain of currentDomains) {
+        for (const domain of domainsNeedingCerts) {
             const localState = this.lastLocalCertificateState.get(domain);
             if (!localState || !localState.exists) {
                 logger.info(
@@ -273,6 +311,7 @@ export class TraefikConfigManager {
             let validCertificates: Array<{
                 id: number;
                 domain: string;
+                wildcard: boolean | null;
                 certFile: string | null;
                 keyFile: string | null;
                 expiresAt: Date | null;
@@ -280,23 +319,50 @@ export class TraefikConfigManager {
             }> = [];
 
             if (this.shouldFetchCertificates(domains)) {
-                // Get valid certificates for active domains
-                if (config.isManagedMode()) {
-                    validCertificates =
-                        await getValidCertificatesForDomainsHybrid(domains);
-                } else {
-                    validCertificates =
-                        await getValidCertificatesForDomains(domains);
+                // Filter out domains that are already covered by wildcard certificates
+                const domainsToFetch = new Set<string>();
+                for (const domain of domains) {
+                    if (!isDomainCoveredByWildcard(domain, this.lastLocalCertificateState)) {
+                        domainsToFetch.add(domain);
+                    } else {
+                        logger.debug(
+                            `Domain ${domain} is covered by existing wildcard certificate, skipping fetch`
+                        );
+                    }
                 }
-                this.lastCertificateFetch = new Date();
-                this.lastKnownDomains = new Set(domains);
 
-                logger.info(
-                    `Fetched ${validCertificates.length} certificates from remote`
-                );
+                if (domainsToFetch.size > 0) {
+                    // Get valid certificates for domains not covered by wildcards
+                    if (config.isManagedMode()) {
+                        validCertificates =
+                            await getValidCertificatesForDomainsHybrid(
+                                domainsToFetch
+                            );
+                    } else {
+                        validCertificates =
+                            await getValidCertificatesForDomains(
+                                domainsToFetch
+                            );
+                    }
+                    this.lastCertificateFetch = new Date();
+                    this.lastKnownDomains = new Set(domains);
 
-                // Download and decrypt new certificates
-                await this.processValidCertificates(validCertificates);
+                    logger.info(
+                        `Fetched ${validCertificates.length} certificates from remote (${domains.size - domainsToFetch.size} domains covered by wildcards)`
+                    );
+
+                    // Download and decrypt new certificates
+                    await this.processValidCertificates(validCertificates);
+                } else {
+                    logger.info(
+                        "All domains are covered by existing wildcard certificates, no fetch needed"
+                    );
+                    this.lastCertificateFetch = new Date();
+                    this.lastKnownDomains = new Set(domains);
+                }
+
+                // Always ensure all existing certificates (including wildcards) are in the config
+                await this.updateDynamicConfigFromLocalCerts(domains);
             } else {
                 const timeSinceLastFetch = this.lastCertificateFetch
                     ? Math.round(
@@ -544,7 +610,11 @@ export class TraefikConfigManager {
         // Clear existing certificates and rebuild from local state
         dynamicConfig.tls.certificates = [];
 
+        // Keep track of certificates we've already added to avoid duplicates
+        const addedCertPaths = new Set<string>();
+
         for (const domain of domains) {
+            // First, try to find an exact match certificate
             const localState = this.lastLocalCertificateState.get(domain);
             if (localState && localState.exists) {
                 const domainDir = path.join(
@@ -554,11 +624,47 @@ export class TraefikConfigManager {
                 const certPath = path.join(domainDir, "cert.pem");
                 const keyPath = path.join(domainDir, "key.pem");
 
-                const certEntry = {
-                    certFile: certPath,
-                    keyFile: keyPath
-                };
-                dynamicConfig.tls.certificates.push(certEntry);
+                if (!addedCertPaths.has(certPath)) {
+                    const certEntry = {
+                        certFile: certPath,
+                        keyFile: keyPath
+                    };
+                    dynamicConfig.tls.certificates.push(certEntry);
+                    addedCertPaths.add(certPath);
+                }
+                continue;
+            }
+
+            // If no exact match, check for wildcard certificates that cover this domain
+            for (const [certDomain, certState] of this.lastLocalCertificateState) {
+                if (certState.exists && certState.wildcard) {
+                    // Check if this wildcard certificate covers the domain
+                    if (domain.endsWith("." + certDomain)) {
+                        // Verify it's only one level deep (wildcard only covers one level)
+                        const prefix = domain.substring(
+                            0,
+                            domain.length - ("." + certDomain).length
+                        );
+                        if (!prefix.includes(".")) {
+                            const domainDir = path.join(
+                                config.getRawConfig().traefik.certificates_path,
+                                certDomain
+                            );
+                            const certPath = path.join(domainDir, "cert.pem");
+                            const keyPath = path.join(domainDir, "key.pem");
+
+                            if (!addedCertPaths.has(certPath)) {
+                                const certEntry = {
+                                    certFile: certPath,
+                                    keyFile: keyPath
+                                };
+                                dynamicConfig.tls.certificates.push(certEntry);
+                                addedCertPaths.add(certPath);
+                            }
+                            break; // Found a wildcard that covers this domain
+                        }
+                    }
+                }
             }
         }
 
@@ -577,6 +683,7 @@ export class TraefikConfigManager {
         validCertificates: Array<{
             id: number;
             domain: string;
+            wildcard: boolean | null;
             certFile: string | null;
             keyFile: string | null;
             expiresAt: Date | null;
@@ -651,15 +758,24 @@ export class TraefikConfigManager {
                         "utf8"
                     );
 
+                    // Check if this is a wildcard certificate and store it
+                    const wildcardPath = path.join(domainDir, ".wildcard");
+                    fs.writeFileSync(
+                        wildcardPath,
+                        cert.wildcard ? "true" : "false",
+                        "utf8"
+                    );
+
                     logger.info(
-                        `Certificate updated for domain: ${cert.domain}`
+                        `Certificate updated for domain: ${cert.domain}${cert.wildcard ? " (wildcard)" : ""}`
                     );
 
                     // Update local state tracking
                     this.lastLocalCertificateState.set(cert.domain, {
                         exists: true,
                         lastModified: new Date(),
-                        expiresAt: cert.expiresAt
+                        expiresAt: cert.expiresAt,
+                        wildcard: cert.wildcard
                     });
                 }
 
@@ -810,14 +926,8 @@ export class TraefikConfigManager {
                     this.lastLocalCertificateState.delete(dirName);
 
                     // Remove from dynamic config
-                    const certFilePath = path.join(
-                        domainDir,
-                        "cert.pem"
-                    );
-                    const keyFilePath = path.join(
-                        domainDir,
-                        "key.pem"
-                    );
+                    const certFilePath = path.join(domainDir, "cert.pem");
+                    const keyFilePath = path.join(domainDir, "key.pem");
                     const before = dynamicConfig.tls.certificates.length;
                     dynamicConfig.tls.certificates =
                         dynamicConfig.tls.certificates.filter(
@@ -894,14 +1004,58 @@ export class TraefikConfigManager {
         monitorInterval: number;
         lastCertificateFetch: Date | null;
         localCertificateCount: number;
+        wildcardCertificates: string[];
+        domainsCoveredByWildcards: string[];
     } {
+        const wildcardCertificates: string[] = [];
+        const domainsCoveredByWildcards: string[] = [];
+
+        // Find wildcard certificates
+        for (const [domain, state] of this.lastLocalCertificateState) {
+            if (state.exists && state.wildcard) {
+                wildcardCertificates.push(domain);
+            }
+        }
+
+        // Find domains covered by wildcards
+        for (const domain of this.activeDomains) {
+            if (isDomainCoveredByWildcard(domain, this.lastLocalCertificateState)) {
+                domainsCoveredByWildcards.push(domain);
+            }
+        }
+
         return {
             isRunning: this.isRunning,
             activeDomains: Array.from(this.activeDomains),
             monitorInterval:
                 config.getRawConfig().traefik.monitor_interval || 5000,
             lastCertificateFetch: this.lastCertificateFetch,
-            localCertificateCount: this.lastLocalCertificateState.size
+            localCertificateCount: this.lastLocalCertificateState.size,
+            wildcardCertificates,
+            domainsCoveredByWildcards
         };
     }
 }
+
+/**
+ * Check if a domain is covered by existing wildcard certificates
+ */
+export function isDomainCoveredByWildcard(domain: string, lastLocalCertificateState: Map<string, { exists: boolean; wildcard: boolean | null }>): boolean {
+    for (const [certDomain, state] of lastLocalCertificateState) {
+        if (state.exists && state.wildcard) {
+            // If stored as example.com but is wildcard, check subdomains
+            if (domain.endsWith("." + certDomain)) {
+                // Check that it's only one level deep (wildcard only covers one level)
+                const prefix = domain.substring(
+                    0,
+                    domain.length - ("." + certDomain).length
+                );
+                // If prefix contains a dot, it's more than one level deep
+                if (!prefix.includes(".")) {
+                    return true;
+                }
+            }
+        }
+    }
+    return false;
+}

server/middlewares/integration/index.ts

@@ -11,3 +11,4 @@ export * from "./verifyAccessTokenAccess";
 export * from "./verifyApiKeyIsRoot";
 export * from "./verifyApiKeyApiKeyAccess";
 export * from "./verifyApiKeyClientAccess";
+export * from "./verifyApiKeySiteResourceAccess";

server/middlewares/integration/verifyApiKeySiteResourceAccess.ts

@@ -0,0 +1,97 @@
+import { Request, Response, NextFunction } from "express";
+import { db } from "@server/db";
+import { siteResources, apiKeyOrg } from "@server/db";
+import { and, eq } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+
+export async function verifyApiKeySiteResourceAccess(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const apiKey = req.apiKey;
+        const siteResourceId = parseInt(req.params.siteResourceId);
+        const siteId = parseInt(req.params.siteId);
+        const orgId = req.params.orgId;
+
+        if (!apiKey) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "Key not authenticated")
+            );
+        }
+
+        if (!siteResourceId || !siteId || !orgId) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Missing required parameters"
+                )
+            );
+        }
+
+        if (apiKey.isRoot) {
+            // Root keys can access any resource in any org
+            return next();
+        }
+
+        // Check if the site resource exists and belongs to the specified site and org
+        const [siteResource] = await db
+            .select()
+            .from(siteResources)
+            .where(and(
+                eq(siteResources.siteResourceId, siteResourceId),
+                eq(siteResources.siteId, siteId),
+                eq(siteResources.orgId, orgId)
+            ))
+            .limit(1);
+
+        if (!siteResource) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "Site resource not found"
+                )
+            );
+        }
+
+        // Verify that the API key has access to the organization
+        if (!req.apiKeyOrg) {
+            const apiKeyOrgRes = await db
+                .select()
+                .from(apiKeyOrg)
+                .where(
+                    and(
+                        eq(apiKeyOrg.apiKeyId, apiKey.apiKeyId),
+                        eq(apiKeyOrg.orgId, orgId)
+                    )
+                )
+                .limit(1);
+            
+            if (apiKeyOrgRes.length === 0) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Key does not have access to this organization"
+                    )
+                );
+            }
+            
+            req.apiKeyOrg = apiKeyOrgRes[0];
+        }
+
+        // Attach the siteResource to the request for use in the next middleware/route
+        // @ts-ignore - Extending Request type
+        req.siteResource = siteResource;
+
+        return next();
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error verifying site resource access"
+            )
+        );
+    }
+}

server/middlewares/verifyRoleAccess.ts

@@ -22,7 +22,7 @@ export async function verifyRoleAccess(
         );
     }
 
-    const { roleIds } = req.body;
+    const roleIds = req.body?.roleIds;
     const allRoleIds = roleIds || (isNaN(singleRoleId) ? [] : [singleRoleId]);
 
     if (allRoleIds.length === 0) {

server/routers/badger/verifySession.ts

@@ -5,7 +5,6 @@ import {
     validateResourceSessionToken
 } from "@server/auth/sessions/resource";
 import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToken";
-import { db } from "@server/db";
 import {
     getResourceByDomain,
     getUserSessionWithUser,
@@ -33,6 +32,7 @@ import createHttpError from "http-errors";
 import NodeCache from "node-cache";
 import { z } from "zod";
 import { fromError } from "zod-validation-error";
+import { getCountryCodeForIp } from "@server/lib";
 
 // We'll see if this speeds anything up
 const cache = new NodeCache({
@@ -123,8 +123,8 @@ export async function verifyResourceSession(
         let cleanHost = host;
         // if the host ends with :port, strip it
         if (cleanHost.match(/:[0-9]{1,5}$/)) {
-            const matched = ''+cleanHost.match(/:[0-9]{1,5}$/);
-            cleanHost = cleanHost.slice(0, -1*matched.length);
+            const matched = "" + cleanHost.match(/:[0-9]{1,5}$/);
+            cleanHost = cleanHost.slice(0, -1 * matched.length);
         }
 
         const resourceCacheKey = `resource:${cleanHost}`;
@@ -176,6 +176,11 @@ export async function verifyResourceSession(
             } else if (action == "DROP") {
                 logger.debug("Resource denied by rule");
                 return notAllowed(res);
+            } else if (action == "PASS") {
+                logger.debug(
+                    "Resource passed by rule, continuing to auth checks"
+                );
+                // Continue to authentication checks below
             }
 
             // otherwise its undefined and we pass
@@ -193,7 +198,10 @@ export async function verifyResourceSession(
 
         let endpoint: string;
         if (config.isManagedMode()) {
-            endpoint = config.getRawConfig().managed?.redirect_endpoint || config.getRawConfig().managed?.endpoint || "";
+            endpoint =
+                config.getRawConfig().managed?.redirect_endpoint ||
+                config.getRawConfig().managed?.endpoint ||
+                "";
         } else {
             endpoint = config.getRawConfig().app.dashboard_url!;
         }
@@ -576,7 +584,7 @@ async function checkRules(
     resourceId: number,
     clientIp: string | undefined,
     path: string | undefined
-): Promise<"ACCEPT" | "DROP" | undefined> {
+): Promise<"ACCEPT" | "DROP" | "PASS" | undefined> {
     const ruleCacheKey = `rules:${resourceId}`;
 
     let rules: ResourceRule[] | undefined = cache.get(ruleCacheKey);
@@ -613,6 +621,12 @@ async function checkRules(
             isPathAllowed(rule.value, path)
         ) {
             return rule.action as any;
+        } else if (
+            clientIp &&
+            rule.match == "GEOIP" &&
+            (await isIpInGeoIP(clientIp, rule.value))
+        ) {
+            return rule.action as any;
         }
     }
 
@@ -737,3 +751,23 @@ export function isPathAllowed(pattern: string, path: string): boolean {
     logger.debug(`Final result: ${result}`);
     return result;
 }
+
+async function isIpInGeoIP(ip: string, countryCode: string): Promise<boolean> {
+    if (countryCode == "ALL") {
+        return true;
+    }
+
+    const geoIpCacheKey = `geoip:${ip}`;
+
+    let cachedCountryCode: string | undefined = cache.get(geoIpCacheKey);
+
+    if (!cachedCountryCode) {
+        cachedCountryCode = await getCountryCodeForIp(ip);
+        // Cache for longer since IP geolocation doesn't change frequently
+        cache.set(geoIpCacheKey, cachedCountryCode, 300); // 5 minutes
+    }
+
+    logger.debug(`IP ${ip} is in country: ${cachedCountryCode}`);
+
+    return cachedCountryCode?.toUpperCase() === countryCode.toUpperCase();
+}

server/routers/external.ts

@@ -42,7 +42,7 @@ import { createStore } from "@server/lib/rateLimitStore";
 import { ActionsEnum } from "@server/auth/actions";
 import { createNewt, getNewtToken } from "./newt";
 import { getOlmToken } from "./olm";
-import rateLimit from "express-rate-limit";
+import rateLimit, { ipKeyGenerator } from "express-rate-limit";
 import createHttpError from "http-errors";
 import { build } from "@server/build";
 
@@ -82,6 +82,7 @@ authenticated.delete(
     "/org/:orgId",
     verifyOrgAccess,
     verifyUserIsOrgOwner,
+    verifyUserHasAction(ActionsEnum.deleteOrg),
     org.deleteOrg
 );
 
@@ -815,7 +816,7 @@ authRouter.use(
     rateLimit({
         windowMs: config.getRawConfig().rate_limits.auth.window_minutes,
         max: config.getRawConfig().rate_limits.auth.max_requests,
-        keyGenerator: (req) => `authRouterGlobal:${req.ip}:${req.path}`,
+        keyGenerator: (req) => `authRouterGlobal:${ipKeyGenerator(req.ip || "")}:${req.path}`,
         handler: (req, res, next) => {
             const message = `Rate limit exceeded. You can make ${config.getRawConfig().rate_limits.auth.max_requests} requests every ${config.getRawConfig().rate_limits.auth.window_minutes} minute(s).`;
             return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
@@ -829,7 +830,7 @@ authRouter.put(
     rateLimit({
         windowMs: 15 * 60 * 1000,
         max: 15,
-        keyGenerator: (req) => `signup:${req.ip}:${req.body.email}`,
+        keyGenerator: (req) => `signup:${ipKeyGenerator(req.ip || "")}:${req.body.email}`,
         handler: (req, res, next) => {
             const message = `You can only sign up ${15} times every ${15} minutes. Please try again later.`;
             return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
@@ -843,7 +844,7 @@ authRouter.post(
     rateLimit({
         windowMs: 15 * 60 * 1000,
         max: 15,
-        keyGenerator: (req) => `login:${req.body.email || req.ip}`,
+        keyGenerator: (req) => `login:${req.body.email || ipKeyGenerator(req.ip || "")}`,
         handler: (req, res, next) => {
             const message = `You can only log in ${15} times every ${15} minutes. Please try again later.`;
             return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
@@ -858,7 +859,7 @@ authRouter.post(
     rateLimit({
         windowMs: 15 * 60 * 1000,
         max: 900,
-        keyGenerator: (req) => `newtGetToken:${req.body.newtId || req.ip}`,
+        keyGenerator: (req) => `newtGetToken:${req.body.newtId || ipKeyGenerator(req.ip || "")}`,
         handler: (req, res, next) => {
             const message = `You can only request a Newt token ${900} times every ${15} minutes. Please try again later.`;
             return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
@@ -872,7 +873,7 @@ authRouter.post(
     rateLimit({
         windowMs: 15 * 60 * 1000,
         max: 900,
-        keyGenerator: (req) => `olmGetToken:${req.body.newtId || req.ip}`,
+        keyGenerator: (req) => `olmGetToken:${req.body.newtId || ipKeyGenerator(req.ip || "")}`,
         handler: (req, res, next) => {
             const message = `You can only request an Olm token ${900} times every ${15} minutes. Please try again later.`;
             return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
@@ -888,7 +889,7 @@ authRouter.post(
         windowMs: 15 * 60 * 1000,
         max: 15,
         keyGenerator: (req) => {
-            return `signup:${req.body.email || req.user?.userId || req.ip}`;
+            return `signup:${req.body.email || req.user?.userId || ipKeyGenerator(req.ip || "")}`;
         },
         handler: (req, res, next) => {
             const message = `You can only enable 2FA ${15} times every ${15} minutes. Please try again later.`;
@@ -904,7 +905,7 @@ authRouter.post(
         windowMs: 15 * 60 * 1000,
         max: 15,
         keyGenerator: (req) => {
-            return `signup:${req.body.email || req.user?.userId || req.ip}`;
+            return `signup:${req.body.email || req.user?.userId || ipKeyGenerator(req.ip || "")}`;
         },
         handler: (req, res, next) => {
             const message = `You can only request a 2FA code ${15} times every ${15} minutes. Please try again later.`;
@@ -920,7 +921,7 @@ authRouter.post(
     rateLimit({
         windowMs: 15 * 60 * 1000,
         max: 15,
-        keyGenerator: (req) => `signup:${req.user?.userId || req.ip}`,
+        keyGenerator: (req) => `signup:${req.user?.userId || ipKeyGenerator(req.ip || "")}`,
         handler: (req, res, next) => {
             const message = `You can only disable 2FA ${15} times every ${15} minutes. Please try again later.`;
             return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
@@ -934,7 +935,7 @@ authRouter.post(
     rateLimit({
         windowMs: 15 * 60 * 1000,
         max: 15,
-        keyGenerator: (req) => `signup:${req.body.email || req.ip}`,
+        keyGenerator: (req) => `signup:${req.body.email || ipKeyGenerator(req.ip || "")}`,
         handler: (req, res, next) => {
             const message = `You can only sign up ${15} times every ${15} minutes. Please try again later.`;
             return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
@@ -952,7 +953,7 @@ authRouter.post(
         windowMs: 15 * 60 * 1000,
         max: 15,
         keyGenerator: (req) =>
-            `requestEmailVerificationCode:${req.body.email || req.ip}`,
+            `requestEmailVerificationCode:${req.body.email || ipKeyGenerator(req.ip || "")}`,
         handler: (req, res, next) => {
             const message = `You can only request an email verification code ${15} times every ${15} minutes. Please try again later.`;
             return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
@@ -974,7 +975,7 @@ authRouter.post(
         windowMs: 15 * 60 * 1000,
         max: 15,
         keyGenerator: (req) =>
-            `requestPasswordReset:${req.body.email || req.ip}`,
+            `requestPasswordReset:${req.body.email || ipKeyGenerator(req.ip || "")}`,
         handler: (req, res, next) => {
             const message = `You can only request a password reset ${15} times every ${15} minutes. Please try again later.`;
             return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
@@ -989,7 +990,7 @@ authRouter.post(
     rateLimit({
         windowMs: 15 * 60 * 1000,
         max: 15,
-        keyGenerator: (req) => `resetPassword:${req.body.email || req.ip}`,
+        keyGenerator: (req) => `resetPassword:${req.body.email || ipKeyGenerator(req.ip || "")}`,
         handler: (req, res, next) => {
             const message = `You can only request a password reset ${15} times every ${15} minutes. Please try again later.`;
             return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
@@ -1005,7 +1006,7 @@ authRouter.post(
         windowMs: 15 * 60 * 1000,
         max: 15,
         keyGenerator: (req) =>
-            `authWithPassword:${req.ip}:${req.params.resourceId || req.ip}`,
+            `authWithPassword:${ipKeyGenerator(req.ip || "")}:${req.params.resourceId || ipKeyGenerator(req.ip || "")}`,
         handler: (req, res, next) => {
             const message = `You can only authenticate with password ${15} times every ${15} minutes. Please try again later.`;
             return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
@@ -1020,7 +1021,7 @@ authRouter.post(
         windowMs: 15 * 60 * 1000,
         max: 15,
         keyGenerator: (req) =>
-            `authWithPincode:${req.ip}:${req.params.resourceId || req.ip}`,
+            `authWithPincode:${ipKeyGenerator(req.ip || "")}:${req.params.resourceId || ipKeyGenerator(req.ip || "")}`,
         handler: (req, res, next) => {
             const message = `You can only authenticate with pincode ${15} times every ${15} minutes. Please try again later.`;
             return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
@@ -1036,7 +1037,7 @@ authRouter.post(
         windowMs: 15 * 60 * 1000,
         max: 15,
         keyGenerator: (req) =>
-            `authWithWhitelist:${req.ip}:${req.body.email}:${req.params.resourceId}`,
+            `authWithWhitelist:${ipKeyGenerator(req.ip || "")}:${req.body.email}:${req.params.resourceId}`,
         handler: (req, res, next) => {
             const message = `You can only request an email OTP ${15} times every ${15} minutes. Please try again later.`;
             return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
@@ -1069,7 +1070,7 @@ authRouter.post(
         windowMs: 15 * 60 * 1000, // 15 minutes
         max: 5, // Allow 5 security key registrations per 15 minutes
         keyGenerator: (req) =>
-            `securityKeyRegister:${req.user?.userId || req.ip}`,
+            `securityKeyRegister:${req.user?.userId || ipKeyGenerator(req.ip || "")}`,
         handler: (req, res, next) => {
             const message = `You can only register a security key ${5} times every ${15} minutes. Please try again later.`;
             return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
@@ -1089,7 +1090,7 @@ authRouter.post(
         windowMs: 15 * 60 * 1000, // 15 minutes
         max: 10, // Allow 10 authentication attempts per 15 minutes per IP
         keyGenerator: (req) => {
-            return `securityKeyAuth:${req.body.email || req.ip}`;
+            return `securityKeyAuth:${req.body.email || ipKeyGenerator(req.ip || "")}`;
         },
         handler: (req, res, next) => {
             const message = `You can only attempt security key authentication ${10} times every ${15} minutes. Please try again later.`;
@@ -1111,7 +1112,7 @@ authRouter.delete(
     rateLimit({
         windowMs: 15 * 60 * 1000, // 15 minutes
         max: 20, // Allow 10 authentication attempts per 15 minutes per IP
-        keyGenerator: (req) => `securityKeyAuth:${req.user?.userId || req.ip}`,
+        keyGenerator: (req) => `securityKeyAuth:${req.user?.userId || ipKeyGenerator(req.ip || "")}`,
         handler: (req, res, next) => {
             const message = `You can only delete a security key ${10} times every ${15} minutes. Please try again later.`;
             return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));

server/routers/gerbil/createExitNode.ts

@@ -0,0 +1,58 @@
+import { db, ExitNode, exitNodes } from "@server/db";
+import { getUniqueExitNodeEndpointName } from "@server/db/names";
+import config from "@server/lib/config";
+import { getNextAvailableSubnet } from "@server/lib/exitNodes";
+import logger from "@server/logger";
+import { eq } from "drizzle-orm";
+
+export async function createExitNode(publicKey: string, reachableAt: string | undefined) {
+    // Fetch exit node
+    const [exitNodeQuery] = await db.select().from(exitNodes).limit(1);
+    let exitNode: ExitNode;
+    if (!exitNodeQuery) {
+        const address = await getNextAvailableSubnet();
+        // TODO: eventually we will want to get the next available port so that we can multiple exit nodes
+        // const listenPort = await getNextAvailablePort();
+        const listenPort = config.getRawConfig().gerbil.start_port;
+        let subEndpoint = "";
+        if (config.getRawConfig().gerbil.use_subdomain) {
+            subEndpoint = await getUniqueExitNodeEndpointName();
+        }
+
+        const exitNodeName =
+            config.getRawConfig().gerbil.exit_node_name ||
+            `Exit Node ${publicKey.slice(0, 8)}`;
+
+        // create a new exit node
+        [exitNode] = await db
+            .insert(exitNodes)
+            .values({
+                publicKey,
+                endpoint: `${subEndpoint}${subEndpoint != "" ? "." : ""}${config.getRawConfig().gerbil.base_endpoint}`,
+                address,
+                listenPort,
+                reachableAt,
+                name: exitNodeName
+            })
+            .returning()
+            .execute();
+
+        logger.info(
+            `Created new exit node ${exitNode.name} with address ${exitNode.address} and port ${exitNode.listenPort}`
+        );
+    } else {
+        // update the existing exit node
+        [exitNode] = await db
+            .update(exitNodes)
+            .set({
+                reachableAt,
+                publicKey
+            })
+            .where(eq(exitNodes.publicKey, publicKey))
+            .returning();
+
+        logger.info(`Updated exit node`);
+    }
+
+    return exitNode;
+}

server/routers/gerbil/getConfig.ts

@@ -13,6 +13,8 @@ import { fromError } from "zod-validation-error";
 import { getAllowedIps } from "../target/helpers";
 import { proxyToRemote } from "@server/lib/remoteProxy";
 import { getNextAvailableSubnet } from "@server/lib/exitNodes";
+import { createExitNode } from "./createExitNode";
+
 // Define Zod schema for request validation
 const getConfigSchema = z.object({
     publicKey: z.string(),
@@ -53,46 +55,7 @@ export async function getConfig(
             );
         }
 
-        // Fetch exit node
-        const exitNodeQuery = await db
-            .select()
-            .from(exitNodes)
-            .where(eq(exitNodes.publicKey, publicKey));
-        let exitNode;
-        if (exitNodeQuery.length === 0) {
-            const address = await getNextAvailableSubnet();
-            // TODO: eventually we will want to get the next available port so that we can multiple exit nodes
-            // const listenPort = await getNextAvailablePort();
-            const listenPort = config.getRawConfig().gerbil.start_port;
-            let subEndpoint = "";
-            if (config.getRawConfig().gerbil.use_subdomain) {
-                subEndpoint = await getUniqueExitNodeEndpointName();
-            }
-
-            const exitNodeName =
-                config.getRawConfig().gerbil.exit_node_name ||
-                `Exit Node ${publicKey.slice(0, 8)}`;
-
-            // create a new exit node
-            exitNode = await db
-                .insert(exitNodes)
-                .values({
-                    publicKey,
-                    endpoint: `${subEndpoint}${subEndpoint != "" ? "." : ""}${config.getRawConfig().gerbil.base_endpoint}`,
-                    address,
-                    listenPort,
-                    reachableAt,
-                    name: exitNodeName
-                })
-                .returning()
-                .execute();
-
-            logger.info(
-                `Created new exit node ${exitNode[0].name} with address ${exitNode[0].address} and port ${exitNode[0].listenPort}`
-            );
-        } else {
-            exitNode = exitNodeQuery;
-        }
+        const exitNode = await createExitNode(publicKey, reachableAt);
 
         if (!exitNode) {
             return next(
@@ -107,13 +70,13 @@ export async function getConfig(
         if (config.isManagedMode()) {
             req.body = {
                 ...req.body,
-                endpoint: exitNode[0].endpoint,
-                listenPort: exitNode[0].listenPort
+                endpoint: exitNode.endpoint,
+                listenPort: exitNode.listenPort
             };
             return proxyToRemote(req, res, next, "hybrid/gerbil/get-config");
         }
 
-        const configResponse = await generateGerbilConfig(exitNode[0]);
+        const configResponse = await generateGerbilConfig(exitNode);
 
         logger.debug("Sending config: ", configResponse);
 

server/routers/integration.ts

@@ -9,6 +9,7 @@ import * as client from "./client";
 import * as accessToken from "./accessToken";
 import * as apiKeys from "./apiKeys";
 import * as idp from "./idp";
+import * as siteResource from "./siteResource";
 import {
     verifyApiKey,
     verifyApiKeyOrgAccess,
@@ -22,7 +23,8 @@ import {
     verifyApiKeyAccessTokenAccess,
     verifyApiKeyIsRoot,
     verifyApiKeyClientAccess,
-    verifyClientsEnabled
+    verifyClientsEnabled,
+    verifyApiKeySiteResourceAccess
 } from "@server/middlewares";
 import HttpCode from "@server/types/HttpCode";
 import { Router } from "express";
@@ -128,6 +130,69 @@ authenticated.delete(
     site.deleteSite
 );
 
+authenticated.get(
+    "/org/:orgId/user-resources",
+    verifyApiKeyOrgAccess,
+    resource.getUserResources
+);
+// Site Resource endpoints
+authenticated.put(
+    "/org/:orgId/site/:siteId/resource",
+    verifyApiKeyOrgAccess,
+    verifyApiKeySiteAccess,
+    verifyApiKeyHasAction(ActionsEnum.createSiteResource),
+    siteResource.createSiteResource
+);
+
+authenticated.get(
+    "/org/:orgId/site/:siteId/resources",
+    verifyApiKeyOrgAccess,
+    verifyApiKeySiteAccess,
+    verifyApiKeyHasAction(ActionsEnum.listSiteResources),
+    siteResource.listSiteResources
+);
+
+authenticated.get(
+    "/org/:orgId/site-resources",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.listSiteResources),
+    siteResource.listAllSiteResourcesByOrg
+);
+
+authenticated.get(
+    "/org/:orgId/site/:siteId/resource/:siteResourceId",
+    verifyApiKeyOrgAccess,
+    verifyApiKeySiteAccess,
+    verifyApiKeySiteResourceAccess,
+    verifyApiKeyHasAction(ActionsEnum.getSiteResource),
+    siteResource.getSiteResource
+);
+
+authenticated.post(
+    "/org/:orgId/site/:siteId/resource/:siteResourceId",
+    verifyApiKeyOrgAccess,
+    verifyApiKeySiteAccess,
+    verifyApiKeySiteResourceAccess,
+    verifyApiKeyHasAction(ActionsEnum.updateSiteResource),
+    siteResource.updateSiteResource
+);
+
+authenticated.delete(
+    "/org/:orgId/site/:siteId/resource/:siteResourceId",
+    verifyApiKeyOrgAccess,
+    verifyApiKeySiteAccess,
+    verifyApiKeySiteResourceAccess,
+    verifyApiKeyHasAction(ActionsEnum.deleteSiteResource),
+    siteResource.deleteSiteResource
+);
+
+authenticated.put(
+    "/org/:orgId/resource",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.createResource),
+    resource.createResource
+);
+
 authenticated.put(
     "/org/:orgId/site/:siteId/resource",
     verifyApiKeyOrgAccess,
@@ -156,6 +221,13 @@ authenticated.get(
     domain.listDomains
 );
 
+authenticated.get(
+    "/org/:orgId/invitations",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.listInvitations),
+    user.listInvitations
+);
+
 authenticated.post(
     "/org/:orgId/create-invite",
     verifyApiKeyOrgAccess,

server/routers/org/deleteOrg.ts

@@ -49,19 +49,7 @@ export async function deleteOrg(
         }
 
         const { orgId } = parsedParams.data;
-        // Check if the user has permission to list sites
-        const hasPermission = await checkUserActionPermission(
-            ActionsEnum.deleteOrg,
-            req
-        );
-        if (!hasPermission) {
-            return next(
-                createHttpError(
-                    HttpCode.FORBIDDEN,
-                    "User does not have permission to perform this action"
-                )
-            );
-        }
+
         const [org] = await db
             .select()
             .from(orgs)

server/routers/resource/createResourceRule.ts

@@ -17,7 +17,7 @@ import { OpenAPITags, registry } from "@server/openApi";
 
 const createResourceRuleSchema = z
     .object({
-        action: z.enum(["ACCEPT", "DROP"]),
+        action: z.enum(["ACCEPT", "DROP", "PASS"]),
         match: z.enum(["CIDR", "IP", "PATH"]),
         value: z.string().min(1),
         priority: z.number().int(),

server/routers/resource/setResourceRoles.ts

@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db } from "@server/db";
+import { db, resources } from "@server/db";
 import { apiKeys, roleResources, roles } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -74,13 +74,18 @@ export async function setResourceRoles(
 
         const { resourceId } = parsedParams.data;
 
-        const orgId = req.userOrg?.orgId || req.apiKeyOrg?.orgId;
+        // get the resource
+        const [resource] = await db
+            .select()
+            .from(resources)
+            .where(eq(resources.resourceId, resourceId))
+            .limit(1);
 
-        if (!orgId) {
+        if (!resource) {
             return next(
                 createHttpError(
                     HttpCode.INTERNAL_SERVER_ERROR,
-                    "Organization not found"
+                    "Resource not found"
                 )
             );
         }
@@ -92,7 +97,7 @@ export async function setResourceRoles(
             .where(
                 and(
                     eq(roles.name, "Admin"),
-                    eq(roles.orgId, orgId)
+                    eq(roles.orgId, resource.orgId)
                 )
             )
             .limit(1);

server/routers/resource/updateResourceRule.ts

@@ -29,7 +29,7 @@ const updateResourceRuleParamsSchema = z
 // Define Zod schema for request body validation
 const updateResourceRuleSchema = z
     .object({
-        action: z.enum(["ACCEPT", "DROP"]).optional(),
+        action: z.enum(["ACCEPT", "DROP", "PASS"]).optional(),
         match: z.enum(["CIDR", "IP", "PATH"]).optional(),
         value: z.string().min(1).optional(),
         priority: z.number().int(),

server/routers/role/listRoles.ts

@@ -60,7 +60,7 @@ export type ListRolesResponse = {
 
 registry.registerPath({
     method: "get",
-    path: "/orgs/{orgId}/roles",
+    path: "/org/{orgId}/roles",
     description: "List roles.",
     tags: [OpenAPITags.Org, OpenAPITags.Role],
     request: {

server/routers/site/createSite.ts

@@ -272,7 +272,7 @@ export async function createSite(
                         type,
                         dockerSocketEnabled: false,
                         online: true,
-                        subnet: "0.0.0.0/0"
+                        subnet: "0.0.0.0/32"
                     })
                     .returning();
             }

server/routers/traefik/getTraefikConfig.ts

@@ -1,6 +1,6 @@
 import { Request, Response } from "express";
 import { db, exitNodes } from "@server/db";
-import { and, eq, inArray, or, isNull, ne } from "drizzle-orm";
+import { and, eq, inArray, or, isNull, ne, isNotNull } from "drizzle-orm";
 import logger from "@server/logger";
 import HttpCode from "@server/types/HttpCode";
 import config from "@server/lib/config";
@@ -149,7 +149,10 @@ export async function getTraefikConfig(
                         eq(sites.exitNodeId, exitNodeId),
                         isNull(sites.exitNodeId)
                     ),
-                    inArray(sites.type, siteTypes)
+                    inArray(sites.type, siteTypes),
+                    config.getRawConfig().traefik.allow_raw_resources
+                        ? isNotNull(resources.http) // ignore the http check if allow_raw_resources is true
+                        : eq(resources.http, true),
                 )
             );
 

server/routers/user/addUserRole.ts

@@ -58,18 +58,23 @@ export async function addUserRole(
             );
         }
 
-        const orgId = req.userOrg?.orgId || req.apiKeyOrg?.orgId;
+        // get the role
+        const [role] = await db
+            .select()
+            .from(roles)
+            .where(eq(roles.roleId, roleId))
+            .limit(1);
 
-        if (!orgId) {
+        if (!role) {
             return next(
-                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid role ID")
             );
         }
 
         const existingUser = await db
             .select()
             .from(userOrgs)
-            .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
+            .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, role.orgId)))
             .limit(1);
 
         if (existingUser.length === 0) {
@@ -93,7 +98,7 @@ export async function addUserRole(
         const roleExists = await db
             .select()
             .from(roles)
-            .where(and(eq(roles.roleId, roleId), eq(roles.orgId, orgId)))
+            .where(and(eq(roles.roleId, roleId), eq(roles.orgId, role.orgId)))
             .limit(1);
 
         if (roleExists.length === 0) {
@@ -108,7 +113,7 @@ export async function addUserRole(
         const newUserRole = await db
             .update(userOrgs)
             .set({ roleId })
-            .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
+            .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, role.orgId)))
             .returning();
 
         return response(res, {

server/setup/scriptsPg/1.9.0.ts

@@ -58,6 +58,12 @@ export default async function migration() {
 
         await db.execute(sql`ALTER TABLE "clientSites" ADD COLUMN "endpoint" varchar;`);
 
+        await db.execute(sql`ALTER TABLE "exitNodes" ADD COLUMN "online" boolean DEFAULT false NOT NULL;`);
+
+        await db.execute(sql`ALTER TABLE "exitNodes" ADD COLUMN "lastPing" integer;`);
+
+        await db.execute(sql`ALTER TABLE "exitNodes" ADD COLUMN "type" text DEFAULT 'gerbil';`);
+
         await db.execute(sql`ALTER TABLE "olms" ADD COLUMN "version" text;`);
 
         await db.execute(sql`ALTER TABLE "orgs" ADD COLUMN "createdAt" text;`);

src/app/[orgId]/settings/access/users/create/page.tsx

@@ -777,15 +777,6 @@ export default function Page() {
                 </SettingsContainer>
 
                 <div className="flex justify-end space-x-2 mt-8">
-                    <Button
-                        type="button"
-                        variant="outline"
-                        onClick={() => {
-                            router.push(`/${orgId}/settings/access/users`);
-                        }}
-                    >
-                        {t("cancel")}
-                    </Button>
                     {userType && dataLoaded && (
                         <Button
                             type={inviteLink ? "button" : "submit"}

src/app/[orgId]/settings/domains/CreateDomainForm.tsx

@@ -7,12 +7,13 @@ import {
     FormField,
     FormItem,
     FormLabel,
-    FormMessage
+    FormMessage,
+    FormDescription
 } from "@app/components/ui/form";
 import { Input } from "@app/components/ui/input";
 import { useToast } from "@app/hooks/useToast";
 import { zodResolver } from "@hookform/resolvers/zod";
-import { useState } from "react";
+import { useState, useMemo } from "react";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
 import {
@@ -33,7 +34,7 @@ import { CreateDomainResponse } from "@server/routers/domain/createOrgDomain";
 import { StrategySelect } from "@app/components/StrategySelect";
 import { AxiosResponse } from "axios";
 import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
-import { InfoIcon, AlertTriangle } from "lucide-react";
+import { InfoIcon, AlertTriangle, Globe } from "lucide-react";
 import CopyToClipboard from "@app/components/CopyToClipboard";
 import {
     InfoSection,
@@ -43,9 +44,58 @@ import {
 } from "@app/components/InfoSection";
 import { useOrgContext } from "@app/hooks/useOrgContext";
 import { build } from "@server/build";
+import { toASCII, toUnicode } from 'punycode';
+
+
+// Helper functions for Unicode domain handling
+function toPunycode(domain: string): string {
+    try {
+        const parts = toASCII(domain);
+        return parts;
+    } catch (error) {
+        return domain.toLowerCase();
+    }
+}
+
+function fromPunycode(domain: string): string {
+    try {
+        const parts = toUnicode(domain);
+        return parts;
+    } catch (error) {
+        return domain;
+    }
+}
+
+function isValidDomainFormat(domain: string): boolean {
+    const unicodeRegex = /^(?!:\/\/)([^\s.]+\.)*[^\s.]+$/;
+
+    if (!unicodeRegex.test(domain)) {
+        return false;
+    }
+
+    const parts = domain.split('.');
+    for (const part of parts) {
+        if (part.length === 0 || part.startsWith('-') || part.endsWith('-')) {
+            return false;
+        }
+        if (part.length > 63) {
+            return false;
+        }
+    }
+
+    if (domain.length > 253) {
+        return false;
+    }
+
+    return true;
+}
 
 const formSchema = z.object({
-    baseDomain: z.string().min(1, "Domain is required"),
+    baseDomain: z
+        .string()
+        .min(1, "Domain is required")
+        .refine((val) => isValidDomainFormat(val), "Invalid domain format")
+        .transform((val) => toPunycode(val)),
     type: z.enum(["ns", "cname", "wildcard"])
 });
 
@@ -109,8 +159,14 @@ export default function CreateDomainForm({
         }
     }
 
-    const domainType = form.watch("type");
     const baseDomain = form.watch("baseDomain");
+    const domainInputValue = form.watch("baseDomain") || "";
+
+    const punycodePreview = useMemo(() => {
+        if (!domainInputValue) return "";
+        const punycode = toPunycode(domainInputValue);
+        return punycode !== domainInputValue.toLowerCase() ? punycode : "";
+    }, [domainInputValue]);
 
     let domainOptions: any = [];
     if (build == "enterprise" || build == "saas") {
@@ -182,10 +238,23 @@ export default function CreateDomainForm({
                                             <FormLabel>{t("domain")}</FormLabel>
                                             <FormControl>
                                                 <Input
-                                                    placeholder="example.com"
+                                                    placeholder="example.com, café.com, 日本.com"
                                                     {...field}
                                                 />
                                             </FormControl>
+                                            {punycodePreview && (
+                                                <FormDescription className="flex items-center gap-2 text-xs">
+                                                    <Alert>
+                                                        <Globe className="h-4 w-4" />
+                                                        <AlertTitle>{t("internationaldomaindetected")}</AlertTitle>
+                                                        <AlertDescription>
+                                                            <div className="mt-2 space-y-1">
+                                                                <p>{t("willbestoredas")} <code className="font-mono px-1 py-0.5 rounded">{punycodePreview}</code></p>
+                                                            </div>
+                                                        </AlertDescription>
+                                                    </Alert>
+                                                </FormDescription>
+                                            )}
                                             <FormMessage />
                                         </FormItem>
                                     )}
@@ -206,66 +275,73 @@ export default function CreateDomainForm({
 
                             <div className="space-y-4">
                                 {createdDomain.nsRecords &&
-                                createdDomain.nsRecords.length > 0 && (
-                                    <div>
-                                        <h3 className="font-medium mb-3">
-                                            {t("createDomainNsRecords")}
-                                        </h3>
-                                        <InfoSections cols={1}>
-                                            <InfoSection>
-                                                <InfoSectionTitle>
-                                                    {t("createDomainRecord")}
-                                                </InfoSectionTitle>
-                                                <InfoSectionContent>
-                                                    <div className="space-y-2">
-                                                        <div className="flex justify-between items-center">
-                                                            <span className="text-sm font-medium">
-                                                                {t(
-                                                                    "createDomainType"
-                                                                )}
-                                                            </span>
-                                                            <span className="text-sm font-mono">
-                                                                NS
-                                                            </span>
-                                                        </div>
-                                                        <div className="flex justify-between items-center">
-                                                            <span className="text-sm font-medium">
-                                                                {t(
-                                                                    "createDomainName"
-                                                                )}
-                                                            </span>
-                                                            <span className="text-sm font-mono">
-                                                                {baseDomain}
-                                                            </span>
-                                                        </div>
-                                                        <span className="text-sm font-medium">
-                                                            {t(
-                                                                "createDomainValue"
-                                                            )}
-                                                        </span>
-                                                        {createdDomain.nsRecords.map(
-                                                            (
-                                                                nsRecord,
-                                                                index
-                                                            ) => (
-                                                                <div
-                                                                    className="flex justify-between items-center"
-                                                                    key={index}
-                                                                >
-                                                                    <CopyToClipboard
-                                                                        text={
-                                                                            nsRecord
-                                                                        }
-                                                                    />
+                                    createdDomain.nsRecords.length > 0 && (
+                                        <div>
+                                            <h3 className="font-medium mb-3">
+                                                {t("createDomainNsRecords")}
+                                            </h3>
+                                            <InfoSections cols={1}>
+                                                <InfoSection>
+                                                    <InfoSectionTitle>
+                                                        {t("createDomainRecord")}
+                                                    </InfoSectionTitle>
+                                                    <InfoSectionContent>
+                                                        <div className="space-y-2">
+                                                            <div className="flex justify-between items-center">
+                                                                <span className="text-sm font-medium">
+                                                                    {t(
+                                                                        "createDomainType"
+                                                                    )}
+                                                                </span>
+                                                                <span className="text-sm font-mono">
+                                                                    NS
+                                                                </span>
+                                                            </div>
+                                                            <div className="flex justify-between items-center">
+                                                                <span className="text-sm font-medium">
+                                                                    {t(
+                                                                        "createDomainName"
+                                                                    )}
+                                                                </span>
+                                                                <div className="text-right">
+                                                                    <span className="text-sm font-mono block">
+                                                                        {fromPunycode(baseDomain)}
+                                                                    </span>
+                                                                    {fromPunycode(baseDomain) !== baseDomain && (
+                                                                        <span className="text-xs text-muted-foreground font-mono">
+                                                                            ({baseDomain})
+                                                                        </span>
+                                                                    )}
                                                                 </div>
-                                                            )
-                                                        )}
-                                                    </div>
-                                                </InfoSectionContent>
-                                            </InfoSection>
-                                        </InfoSections>
-                                    </div>
-                                )}
+                                                            </div>
+                                                            <span className="text-sm font-medium">
+                                                                {t(
+                                                                    "createDomainValue"
+                                                                )}
+                                                            </span>
+                                                            {createdDomain.nsRecords.map(
+                                                                (
+                                                                    nsRecord,
+                                                                    index
+                                                                ) => (
+                                                                    <div
+                                                                        className="flex justify-between items-center"
+                                                                        key={index}
+                                                                    >
+                                                                        <CopyToClipboard
+                                                                            text={
+                                                                                nsRecord
+                                                                            }
+                                                                        />
+                                                                    </div>
+                                                                )
+                                                            )}
+                                                        </div>
+                                                    </InfoSectionContent>
+                                                </InfoSection>
+                                            </InfoSections>
+                                        </div>
+                                    )}
 
                                 {createdDomain.cnameRecords &&
                                     createdDomain.cnameRecords.length > 0 && (
@@ -307,11 +383,16 @@ export default function CreateDomainForm({
                                                                                 "createDomainName"
                                                                             )}
                                                                         </span>
-                                                                        <span className="text-sm font-mono">
-                                                                            {
-                                                                                cnameRecord.baseDomain
-                                                                            }
-                                                                        </span>
+                                                                        <div className="text-right">
+                                                                            <span className="text-sm font-mono block">
+                                                                                {fromPunycode(cnameRecord.baseDomain)}
+                                                                            </span>
+                                                                            {fromPunycode(cnameRecord.baseDomain) !== cnameRecord.baseDomain && (
+                                                                                <span className="text-xs text-muted-foreground font-mono">
+                                                                                    ({cnameRecord.baseDomain})
+                                                                                </span>
+                                                                            )}
+                                                                        </div>
                                                                     </div>
                                                                     <div className="flex justify-between items-center">
                                                                         <span className="text-sm font-medium">
@@ -374,11 +455,16 @@ export default function CreateDomainForm({
                                                                                 "createDomainName"
                                                                             )}
                                                                         </span>
-                                                                        <span className="text-sm font-mono">
-                                                                            {
-                                                                                aRecord.baseDomain
-                                                                            }
-                                                                        </span>
+                                                                        <div className="text-right">
+                                                                            <span className="text-sm font-mono block">
+                                                                                {fromPunycode(aRecord.baseDomain)}
+                                                                            </span>
+                                                                            {fromPunycode(aRecord.baseDomain) !== aRecord.baseDomain && (
+                                                                                <span className="text-xs text-muted-foreground font-mono">
+                                                                                    ({aRecord.baseDomain})
+                                                                                </span>
+                                                                            )}
+                                                                        </div>
                                                                     </div>
                                                                     <div className="flex justify-between items-center">
                                                                         <span className="text-sm font-medium">
@@ -390,7 +476,7 @@ export default function CreateDomainForm({
                                                                             {
                                                                                 aRecord.value
                                                                             }
-                                                                       </span>
+                                                                        </span>
                                                                     </div>
                                                                 </div>
                                                             </InfoSectionContent>
@@ -440,11 +526,16 @@ export default function CreateDomainForm({
                                                                                 "createDomainName"
                                                                             )}
                                                                         </span>
-                                                                        <span className="text-sm font-mono">
-                                                                            {
-                                                                                txtRecord.baseDomain
-                                                                            }
-                                                                        </span>
+                                                                        <div className="text-right">
+                                                                            <span className="text-sm font-mono block">
+                                                                                {fromPunycode(txtRecord.baseDomain)}
+                                                                            </span>
+                                                                            {fromPunycode(txtRecord.baseDomain) !== txtRecord.baseDomain && (
+                                                                                <span className="text-xs text-muted-foreground font-mono">
+                                                                                    ({txtRecord.baseDomain})
+                                                                                </span>
+                                                                            )}
+                                                                        </div>
                                                                     </div>
                                                                     <div className="flex justify-between items-center">
                                                                         <span className="text-sm font-medium">
@@ -513,4 +604,4 @@ export default function CreateDomainForm({
             </CredenzaContent>
         </Credenza>
     );
-}
+}

src/app/[orgId]/settings/domains/page.tsx

@@ -9,6 +9,7 @@ import { GetOrgResponse } from "@server/routers/org";
 import { redirect } from "next/navigation";
 import OrgProvider from "@app/providers/OrgProvider";
 import { ListDomainsResponse } from "@server/routers/domain";
+import { toUnicode } from 'punycode';
 
 type Props = {
     params: Promise<{ orgId: string }>;
@@ -22,7 +23,13 @@ export default async function DomainsPage(props: Props) {
         const res = await internal.get<
             AxiosResponse<ListDomainsResponse>
         >(`/org/${params.orgId}/domains`, await authCookieHeader());
-        domains = res.data.data.domains as DomainRow[];
+
+        const rawDomains = res.data.data.domains as DomainRow[];
+
+        domains = rawDomains.map((domain) => ({
+            ...domain,
+            baseDomain: toUnicode(domain.baseDomain),
+        }));
     } catch (e) {
         console.error(e);
     }

src/app/[orgId]/settings/resources/[resourceId]/CustomDomainInput.tsx

@@ -9,6 +9,7 @@ import {
     SelectTrigger,
     SelectValue
 } from "@/components/ui/select";
+import { toUnicode } from "punycode";
 
 interface DomainOption {
     baseDomain: string;
@@ -91,7 +92,7 @@ export default function CustomDomainInput({
                                 key={option.domainId}
                                 value={option.domainId}
                             >
-                                .{option.baseDomain}
+                                .{toUnicode(option.baseDomain)}
                             </SelectItem>
                         ))}
                     </SelectContent>

src/app/[orgId]/settings/resources/[resourceId]/ResourceInfoBox.tsx

@@ -12,15 +12,19 @@ import {
 } from "@app/components/InfoSection";
 import { useTranslations } from "next-intl";
 import { build } from "@server/build";
+import { toUnicode } from 'punycode';
 
 type ResourceInfoBoxType = {};
 
-export default function ResourceInfoBox({}: ResourceInfoBoxType) {
+export default function ResourceInfoBox({ }: ResourceInfoBoxType) {
     const { resource, authInfo } = useResourceContext();
 
     const t = useTranslations();
 
-    const fullUrl = `${resource.ssl ? "https" : "http"}://${resource.fullDomain}`;
+
+    const fullUrl = `${resource.ssl ? "https" : "http"}://${toUnicode(resource.fullDomain || "")}`;
+
+
 
     return (
         <Alert>
@@ -34,9 +38,9 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
                                 </InfoSectionTitle>
                                 <InfoSectionContent>
                                     {authInfo.password ||
-                                    authInfo.pincode ||
-                                    authInfo.sso ||
-                                    authInfo.whitelist ? (
+                                        authInfo.pincode ||
+                                        authInfo.sso ||
+                                        authInfo.whitelist ? (
                                         <div className="flex items-start space-x-2 text-green-500">
                                             <ShieldCheck className="w-4 h-4 mt-0.5" />
                                             <span>{t("protected")}</span>

src/app/[orgId]/settings/resources/[resourceId]/general/page.tsx

@@ -53,6 +53,9 @@ import {
 import DomainPicker from "@app/components/DomainPicker";
 import { Globe } from "lucide-react";
 import { build } from "@server/build";
+import { finalizeSubdomainSanitize } from "@app/lib/subdomain-utils";
+import { DomainRow } from "../../../domains/DomainsTable";
+import { toASCII, toUnicode } from "punycode";
 
 export default function GeneralForm() {
     const [formKey, setFormKey] = useState(0);
@@ -79,12 +82,13 @@ export default function GeneralForm() {
 
     const [loadingPage, setLoadingPage] = useState(true);
     const [resourceFullDomain, setResourceFullDomain] = useState(
-        `${resource.ssl ? "https" : "http"}://${resource.fullDomain}`
+        `${resource.ssl ? "https" : "http"}://${toUnicode(resource.fullDomain || "")}`
     );
     const [selectedDomain, setSelectedDomain] = useState<{
         domainId: string;
         subdomain?: string;
         fullDomain: string;
+        baseDomain: string;
     } | null>(null);
 
     const GeneralFormSchema = z
@@ -153,7 +157,11 @@ export default function GeneralForm() {
                 });
 
             if (res?.status === 200) {
-                const domains = res.data.data.domains;
+                const rawDomains = res.data.data.domains as DomainRow[];
+                const domains = rawDomains.map((domain) => ({
+                    ...domain,
+                    baseDomain: toUnicode(domain.baseDomain), 
+                }));
                 setBaseDomains(domains);
                 setFormKey((key) => key + 1);
             }
@@ -178,7 +186,7 @@ export default function GeneralForm() {
                 {
                     enabled: data.enabled,
                     name: data.name,
-                    subdomain: data.subdomain,
+                    subdomain: data.subdomain ? toASCII(data.subdomain) : undefined,
                     domainId: data.domainId,
                     proxyPort: data.proxyPort,
                     // ...(!resource.http && {
@@ -317,10 +325,10 @@ export default function GeneralForm() {
                                                                                 .target
                                                                                 .value
                                                                                 ? parseInt(
-                                                                                      e
-                                                                                          .target
-                                                                                          .value
-                                                                                  )
+                                                                                    e
+                                                                                        .target
+                                                                                        .value
+                                                                                )
                                                                                 : undefined
                                                                         )
                                                                     }
@@ -441,7 +449,8 @@ export default function GeneralForm() {
                                     const selected = {
                                         domainId: res.domainId,
                                         subdomain: res.subdomain,
-                                        fullDomain: res.fullDomain
+                                        fullDomain: res.fullDomain,
+                                        baseDomain: res.baseDomain
                                     };
                                     setSelectedDomain(selected);
                                 }}
@@ -454,18 +463,23 @@ export default function GeneralForm() {
                             <Button
                                 onClick={() => {
                                     if (selectedDomain) {
-                                        setResourceFullDomain(
-                                            selectedDomain.fullDomain
-                                        );
-                                        form.setValue(
-                                            "domainId",
-                                            selectedDomain.domainId
-                                        );
-                                        form.setValue(
-                                            "subdomain",
-                                            selectedDomain.subdomain
-                                        );
+                                        const sanitizedSubdomain = selectedDomain.subdomain
+                                            ? finalizeSubdomainSanitize(selectedDomain.subdomain)
+                                            : "";
+
+                                        const sanitizedFullDomain = sanitizedSubdomain
+                                            ? `${sanitizedSubdomain}.${selectedDomain.baseDomain}`
+                                            : selectedDomain.baseDomain;
+
+                                        setResourceFullDomain(sanitizedFullDomain);
+                                        form.setValue("domainId", selectedDomain.domainId);
+                                        form.setValue("subdomain", sanitizedSubdomain);
+
                                         setEditDomainOpen(false);
+
+                                        toast({
+                                            description: `Final domain: ${sanitizedFullDomain}`,
+                                        });
                                     }
                                 }}
                             >

src/app/[orgId]/settings/resources/[resourceId]/proxy/page.tsx

@@ -94,6 +94,7 @@ import {
     CommandList
 } from "@app/components/ui/command";
 import { Badge } from "@app/components/ui/badge";
+import { parseHostTarget } from "@app/lib/parseHostTarget";
 
 const addTargetSchema = z.object({
     ip: z.string().refine(isTargetValid),
@@ -417,11 +418,11 @@ export default function ReverseProxyTargets(props: {
             targets.map((target) =>
                 target.targetId === targetId
                     ? {
-                          ...target,
-                          ...data,
-                          updated: true,
-                          siteType: site?.type || null
-                      }
+                        ...target,
+                        ...data,
+                        updated: true,
+                        siteType: site?.type || null
+                    }
                     : target
             )
         );
@@ -545,7 +546,7 @@ export default function ReverseProxyTargets(props: {
                                     className={cn(
                                         "justify-between flex-1",
                                         !row.original.siteId &&
-                                            "text-muted-foreground"
+                                        "text-muted-foreground"
                                     )}
                                 >
                                     {row.original.siteId
@@ -614,31 +615,31 @@ export default function ReverseProxyTargets(props: {
         },
         ...(resource.http
             ? [
-                  {
-                      accessorKey: "method",
-                      header: t("method"),
-                      cell: ({ row }: { row: Row<LocalTarget> }) => (
-                          <Select
-                              defaultValue={row.original.method ?? ""}
-                              onValueChange={(value) =>
-                                  updateTarget(row.original.targetId, {
-                                      ...row.original,
-                                      method: value
-                                  })
-                              }
-                          >
-                              <SelectTrigger>
-                                  {row.original.method}
-                              </SelectTrigger>
-                              <SelectContent>
-                                  <SelectItem value="http">http</SelectItem>
-                                  <SelectItem value="https">https</SelectItem>
-                                  <SelectItem value="h2c">h2c</SelectItem>
-                              </SelectContent>
-                          </Select>
-                      )
-                  }
-              ]
+                {
+                    accessorKey: "method",
+                    header: t("method"),
+                    cell: ({ row }: { row: Row<LocalTarget> }) => (
+                        <Select
+                            defaultValue={row.original.method ?? ""}
+                            onValueChange={(value) =>
+                                updateTarget(row.original.targetId, {
+                                    ...row.original,
+                                    method: value
+                                })
+                            }
+                        >
+                            <SelectTrigger>
+                                {row.original.method}
+                            </SelectTrigger>
+                            <SelectContent>
+                                <SelectItem value="http">http</SelectItem>
+                                <SelectItem value="https">https</SelectItem>
+                                <SelectItem value="h2c">h2c</SelectItem>
+                            </SelectContent>
+                        </Select>
+                    )
+                }
+            ]
             : []),
         {
             accessorKey: "ip",
@@ -647,13 +648,25 @@ export default function ReverseProxyTargets(props: {
                 <Input
                     defaultValue={row.original.ip}
                     className="min-w-[150px]"
-                    onBlur={(e) =>
-                        updateTarget(row.original.targetId, {
-                            ...row.original,
-                            ip: e.target.value
-                        })
-                    }
+                    onBlur={(e) => {
+                        const parsed = parseHostTarget(e.target.value);
+                        if (parsed) {
+                            updateTarget(row.original.targetId, {
+                                ...row.original,
+                                method: parsed.protocol,
+                                ip: parsed.host,
+                                port: parsed.port
+                            });
+                        } else {
+                            updateTarget(row.original.targetId, {
+                                ...row.original,
+                                ip: e.target.value
+                            });
+                        }
+                    }}
+
                 />
+
             )
         },
         {
@@ -785,21 +798,21 @@ export default function ReverseProxyTargets(props: {
                                                                     className={cn(
                                                                         "justify-between flex-1",
                                                                         !field.value &&
-                                                                            "text-muted-foreground"
+                                                                        "text-muted-foreground"
                                                                     )}
                                                                 >
                                                                     {field.value
                                                                         ? sites.find(
-                                                                              (
-                                                                                  site
-                                                                              ) =>
-                                                                                  site.siteId ===
-                                                                                  field.value
-                                                                          )
-                                                                              ?.name
+                                                                            (
+                                                                                site
+                                                                            ) =>
+                                                                                site.siteId ===
+                                                                                field.value
+                                                                        )
+                                                                            ?.name
                                                                         : t(
-                                                                              "siteSelect"
-                                                                          )}
+                                                                            "siteSelect"
+                                                                        )}
                                                                     <CaretSortIcon className="ml-2 h-4 w-4 shrink-0 opacity-50" />
                                                                 </Button>
                                                             </FormControl>
@@ -865,18 +878,18 @@ export default function ReverseProxyTargets(props: {
                                                                 );
                                                             return selectedSite &&
                                                                 selectedSite.type ===
-                                                                    "newt" ? (() => {
-                                                                const dockerState = getDockerStateForSite(selectedSite.siteId);
-                                                                return (
-                                                                    <ContainersSelector
-                                                                        site={selectedSite}
-                                                                        containers={dockerState.containers}
-                                                                        isAvailable={dockerState.isAvailable}
-                                                                        onContainerSelect={handleContainerSelect}
-                                                                        onRefresh={() => refreshContainersForSite(selectedSite.siteId)}
-                                                                    />
-                                                                );
-                                                            })() : null;
+                                                                "newt" ? (() => {
+                                                                    const dockerState = getDockerStateForSite(selectedSite.siteId);
+                                                                    return (
+                                                                        <ContainersSelector
+                                                                            site={selectedSite}
+                                                                            containers={dockerState.containers}
+                                                                            isAvailable={dockerState.isAvailable}
+                                                                            onContainerSelect={handleContainerSelect}
+                                                                            onRefresh={() => refreshContainersForSite(selectedSite.siteId)}
+                                                                        />
+                                                                    );
+                                                                })() : null;
                                                         })()}
                                                 </div>
                                                 <FormMessage />
@@ -942,11 +955,22 @@ export default function ReverseProxyTargets(props: {
                                         name="ip"
                                         render={({ field }) => (
                                             <FormItem className="relative">
-                                                <FormLabel>
-                                                    {t("targetAddr")}
-                                                </FormLabel>
+                                                <FormLabel>{t("targetAddr")}</FormLabel>
                                                 <FormControl>
-                                                    <Input id="ip" {...field} />
+                                                    <Input
+                                                        id="ip"
+                                                        {...field}
+                                                        onBlur={(e) => {
+                                                            const parsed = parseHostTarget(e.target.value);
+                                                            if (parsed) {
+                                                                addTargetForm.setValue("method", parsed.protocol);
+                                                                addTargetForm.setValue("ip", parsed.host);
+                                                                addTargetForm.setValue("port", parsed.port);
+                                                            } else {
+                                                                field.onBlur();
+                                                            }
+                                                        }}
+                                                    />
                                                 </FormControl>
                                                 <FormMessage />
                                             </FormItem>
@@ -1048,12 +1072,12 @@ export default function ReverseProxyTargets(props: {
                                                                 {header.isPlaceholder
                                                                     ? null
                                                                     : flexRender(
-                                                                          header
-                                                                              .column
-                                                                              .columnDef
-                                                                              .header,
-                                                                          header.getContext()
-                                                                      )}
+                                                                        header
+                                                                            .column
+                                                                            .columnDef
+                                                                            .header,
+                                                                        header.getContext()
+                                                                    )}
                                                             </TableHead>
                                                         )
                                                     )}

src/app/[orgId]/settings/resources/[resourceId]/rules/page.tsx

@@ -76,7 +76,7 @@ import { useTranslations } from "next-intl";
 
 // Schema for rule validation
 const addRuleSchema = z.object({
-    action: z.string(),
+    action: z.enum(["ACCEPT", "DROP", "PASS"]),
     match: z.string(),
     value: z.string(),
     priority: z.coerce.number().int().optional()
@@ -104,7 +104,8 @@ export default function ResourceRules(props: {
 
     const RuleAction = {
         ACCEPT: t('alwaysAllow'),
-        DROP: t('alwaysDeny')
+        DROP: t('alwaysDeny'),
+        PASS: t('passToAuth')
     } as const;
 
     const RuleMatch = {
@@ -113,7 +114,7 @@ export default function ResourceRules(props: {
         CIDR: t('ipAddressRange')
     } as const;
 
-    const addRuleForm = useForm({
+    const addRuleForm = useForm<z.infer<typeof addRuleSchema>>({
         resolver: zodResolver(addRuleSchema),
         defaultValues: {
             action: "ACCEPT",
@@ -437,7 +438,7 @@ export default function ResourceRules(props: {
             cell: ({ row }) => (
                 <Select
                     defaultValue={row.original.action}
-                    onValueChange={(value: "ACCEPT" | "DROP") =>
+                    onValueChange={(value: "ACCEPT" | "DROP" | "PASS") =>
                         updateRule(row.original.ruleId, { action: value })
                     }
                 >
@@ -449,6 +450,7 @@ export default function ResourceRules(props: {
                             {RuleAction.ACCEPT}
                         </SelectItem>
                         <SelectItem value="DROP">{RuleAction.DROP}</SelectItem>
+                        <SelectItem value="PASS">{RuleAction.PASS}</SelectItem>
                     </SelectContent>
                 </Select>
             )
@@ -629,6 +631,9 @@ export default function ResourceRules(props: {
                                                             <SelectItem value="DROP">
                                                                 {RuleAction.DROP}
                                                             </SelectItem>
+                                                            <SelectItem value="PASS">
+                                                                {RuleAction.PASS}
+                                                            </SelectItem>
                                                         </SelectContent>
                                                     </Select>
                                                 </FormControl>

src/app/[orgId]/settings/resources/create/page.tsx

@@ -88,6 +88,9 @@ import { ArrayElement } from "@server/types/ArrayElement";
 import { isTargetValid } from "@server/lib/validators";
 import { ListTargetsResponse } from "@server/routers/target";
 import { DockerManager, DockerState } from "@app/lib/docker";
+import { parseHostTarget } from "@app/lib/parseHostTarget";
+import { toASCII, toUnicode } from 'punycode';
+import { DomainRow } from "../../domains/DomainsTable";
 
 const baseResourceFormSchema = z.object({
     name: z.string().min(1).max(255),
@@ -164,12 +167,12 @@ export default function Page() {
         ...(!env.flags.allowRawResources
             ? []
             : [
-                  {
-                      id: "raw" as ResourceType,
-                      title: t("resourceRaw"),
-                      description: t("resourceRawDescription")
-                  }
-              ])
+                {
+                    id: "raw" as ResourceType,
+                    title: t("resourceRaw"),
+                    description: t("resourceRawDescription")
+                }
+            ])
     ];
 
     const baseForm = useForm<BaseResourceFormValues>({
@@ -301,11 +304,11 @@ export default function Page() {
             targets.map((target) =>
                 target.targetId === targetId
                     ? {
-                          ...target,
-                          ...data,
-                          updated: true,
-                          siteType: site?.type || null
-                      }
+                        ...target,
+                        ...data,
+                        updated: true,
+                        siteType: site?.type || null
+                    }
                     : target
             )
         );
@@ -326,7 +329,7 @@ export default function Page() {
             if (isHttp) {
                 const httpData = httpForm.getValues();
                 Object.assign(payload, {
-                    subdomain: httpData.subdomain,
+                    subdomain: httpData.subdomain ? toASCII(httpData.subdomain) : undefined,
                     domainId: httpData.domainId,
                     protocol: "tcp"
                 });
@@ -468,7 +471,11 @@ export default function Page() {
                     });
 
                 if (res?.status === 200) {
-                    const domains = res.data.data.domains;
+                    const rawDomains = res.data.data.domains as DomainRow[];
+                    const domains = rawDomains.map((domain) => ({
+                        ...domain,
+                        baseDomain: toUnicode(domain.baseDomain),
+                    }));
                     setBaseDomains(domains);
                     // if (domains.length) {
                     //     httpForm.setValue("domainId", domains[0].domainId);
@@ -520,7 +527,7 @@ export default function Page() {
                                     className={cn(
                                         "justify-between flex-1",
                                         !row.original.siteId &&
-                                            "text-muted-foreground"
+                                        "text-muted-foreground"
                                     )}
                                 >
                                     {row.original.siteId
@@ -589,31 +596,31 @@ export default function Page() {
         },
         ...(baseForm.watch("http")
             ? [
-                  {
-                      accessorKey: "method",
-                      header: t("method"),
-                      cell: ({ row }: { row: Row<LocalTarget> }) => (
-                          <Select
-                              defaultValue={row.original.method ?? ""}
-                              onValueChange={(value) =>
-                                  updateTarget(row.original.targetId, {
-                                      ...row.original,
-                                      method: value
-                                  })
-                              }
-                          >
-                              <SelectTrigger>
-                                  {row.original.method}
-                              </SelectTrigger>
-                              <SelectContent>
-                                  <SelectItem value="http">http</SelectItem>
-                                  <SelectItem value="https">https</SelectItem>
-                                  <SelectItem value="h2c">h2c</SelectItem>
-                              </SelectContent>
-                          </Select>
-                      )
-                  }
-              ]
+                {
+                    accessorKey: "method",
+                    header: t("method"),
+                    cell: ({ row }: { row: Row<LocalTarget> }) => (
+                        <Select
+                            defaultValue={row.original.method ?? ""}
+                            onValueChange={(value) =>
+                                updateTarget(row.original.targetId, {
+                                    ...row.original,
+                                    method: value
+                                })
+                            }
+                        >
+                            <SelectTrigger>
+                                {row.original.method}
+                            </SelectTrigger>
+                            <SelectContent>
+                                <SelectItem value="http">http</SelectItem>
+                                <SelectItem value="https">https</SelectItem>
+                                <SelectItem value="h2c">h2c</SelectItem>
+                            </SelectContent>
+                        </Select>
+                    )
+                }
+            ]
             : []),
         {
             accessorKey: "ip",
@@ -622,12 +629,23 @@ export default function Page() {
                 <Input
                     defaultValue={row.original.ip}
                     className="min-w-[150px]"
-                    onBlur={(e) =>
-                        updateTarget(row.original.targetId, {
-                            ...row.original,
-                            ip: e.target.value
-                        })
-                    }
+                    onBlur={(e) => {
+                        const parsed = parseHostTarget(e.target.value);
+
+                        if (parsed) {
+                            updateTarget(row.original.targetId, {
+                                ...row.original,
+                                method: parsed.protocol,
+                                ip: parsed.host,
+                                port: parsed.port ? Number(parsed.port) : undefined,
+                            });
+                        } else {
+                            updateTarget(row.original.targetId, {
+                                ...row.original,
+                                ip: e.target.value,
+                            });
+                        }
+                    }}
                 />
             )
         },
@@ -909,10 +927,10 @@ export default function Page() {
                                                                                     .target
                                                                                     .value
                                                                                     ? parseInt(
-                                                                                          e
-                                                                                              .target
-                                                                                              .value
-                                                                                      )
+                                                                                        e
+                                                                                            .target
+                                                                                            .value
+                                                                                    )
                                                                                     : undefined
                                                                             )
                                                                         }
@@ -1015,21 +1033,21 @@ export default function Page() {
                                                                                     className={cn(
                                                                                         "justify-between flex-1",
                                                                                         !field.value &&
-                                                                                            "text-muted-foreground"
+                                                                                        "text-muted-foreground"
                                                                                     )}
                                                                                 >
                                                                                     {field.value
                                                                                         ? sites.find(
-                                                                                              (
-                                                                                                  site
-                                                                                              ) =>
-                                                                                                  site.siteId ===
-                                                                                                  field.value
-                                                                                          )
-                                                                                              ?.name
+                                                                                            (
+                                                                                                site
+                                                                                            ) =>
+                                                                                                site.siteId ===
+                                                                                                field.value
+                                                                                        )
+                                                                                            ?.name
                                                                                         : t(
-                                                                                              "siteSelect"
-                                                                                          )}
+                                                                                            "siteSelect"
+                                                                                        )}
                                                                                     <CaretSortIcon className="ml-2 h-4 w-4 shrink-0 opacity-50" />
                                                                                 </Button>
                                                                             </FormControl>
@@ -1097,18 +1115,18 @@ export default function Page() {
                                                                                 );
                                                                             return selectedSite &&
                                                                                 selectedSite.type ===
-                                                                                    "newt" ? (() => {
-                                                                                const dockerState = getDockerStateForSite(selectedSite.siteId);
-                                                                                return (
-                                                                                    <ContainersSelector
-                                                                                        site={selectedSite}
-                                                                                        containers={dockerState.containers}
-                                                                                        isAvailable={dockerState.isAvailable}
-                                                                                        onContainerSelect={handleContainerSelect}
-                                                                                        onRefresh={() => refreshContainersForSite(selectedSite.siteId)}
-                                                                                    />
-                                                                                );
-                                                                            })() : null;
+                                                                                "newt" ? (() => {
+                                                                                    const dockerState = getDockerStateForSite(selectedSite.siteId);
+                                                                                    return (
+                                                                                        <ContainersSelector
+                                                                                            site={selectedSite}
+                                                                                            containers={dockerState.containers}
+                                                                                            isAvailable={dockerState.isAvailable}
+                                                                                            onContainerSelect={handleContainerSelect}
+                                                                                            onRefresh={() => refreshContainersForSite(selectedSite.siteId)}
+                                                                                        />
+                                                                                    );
+                                                                                })() : null;
                                                                         })()}
                                                                 </div>
                                                                 <FormMessage />
@@ -1176,21 +1194,25 @@ export default function Page() {
                                                     )}
 
                                                     <FormField
-                                                        control={
-                                                            addTargetForm.control
-                                                        }
+                                                        control={addTargetForm.control}
                                                         name="ip"
                                                         render={({ field }) => (
                                                             <FormItem className="relative">
-                                                                <FormLabel>
-                                                                    {t(
-                                                                        "targetAddr"
-                                                                    )}
-                                                                </FormLabel>
+                                                                <FormLabel>{t("targetAddr")}</FormLabel>
                                                                 <FormControl>
                                                                     <Input
                                                                         id="ip"
                                                                         {...field}
+                                                                        onBlur={(e) => {
+                                                                            const parsed = parseHostTarget(e.target.value);
+                                                                            if (parsed) {
+                                                                                addTargetForm.setValue("method", parsed.protocol);
+                                                                                addTargetForm.setValue("ip", parsed.host);
+                                                                                addTargetForm.setValue("port", parsed.port);
+                                                                            } else {
+                                                                                field.onBlur();
+                                                                            }
+                                                                        }}
                                                                     />
                                                                 </FormControl>
                                                                 <FormMessage />
@@ -1270,12 +1292,12 @@ export default function Page() {
                                                                                     {header.isPlaceholder
                                                                                         ? null
                                                                                         : flexRender(
-                                                                                              header
-                                                                                                  .column
-                                                                                                  .columnDef
-                                                                                                  .header,
-                                                                                              header.getContext()
-                                                                                          )}
+                                                                                            header
+                                                                                                .column
+                                                                                                .columnDef
+                                                                                                .header,
+                                                                                            header.getContext()
+                                                                                        )}
                                                                                 </TableHead>
                                                                             )
                                                                         )}

src/app/[orgId]/settings/resources/page.tsx

@@ -14,6 +14,7 @@ import { GetOrgResponse } from "@server/routers/org";
 import OrgProvider from "@app/providers/OrgProvider";
 import { getTranslations } from "next-intl/server";
 import { pullEnv } from "@app/lib/pullEnv";
+import { toUnicode } from "punycode";
 
 type ResourcesPageProps = {
     params: Promise<{ orgId: string }>;
@@ -75,7 +76,9 @@ export default async function ResourcesPage(props: ResourcesPageProps) {
             id: resource.resourceId,
             name: resource.name,
             orgId: params.orgId,
-            domain: `${resource.ssl ? "https://" : "http://"}${resource.fullDomain}`,
+
+
+            domain: `${resource.ssl ? "https://" : "http://"}${toUnicode(resource.fullDomain || "")}`,
             protocol: resource.protocol,
             proxyPort: resource.proxyPort,
             http: resource.http,

src/app/[orgId]/settings/share-links/CreateShareLinkForm.tsx

@@ -67,6 +67,7 @@ import {
 } from "@app/components/ui/collapsible";
 import AccessTokenSection from "./AccessTokenUsage";
 import { useTranslations } from "next-intl";
+import { toUnicode } from 'punycode';
 
 type FormProps = {
     open: boolean;
@@ -159,7 +160,7 @@ export default function CreateShareLinkForm({
                         .map((r) => ({
                             resourceId: r.resourceId,
                             name: r.name,
-                            resourceUrl: `${r.ssl ? "https://" : "http://"}${r.fullDomain}/`
+                            resourceUrl: `${r.ssl ? "https://" : "http://"}${toUnicode(r.fullDomain || "")}/`
                         }))
                 );
             }

src/app/admin/managed/page.tsx

@@ -1,3 +1,5 @@
+"use client";
+
 import {
     SettingsContainer,
     SettingsSection,
@@ -18,30 +20,27 @@ import {
     ExternalLink
 } from "lucide-react";
 import Link from "next/link";
+import { useTranslations } from "next-intl";
+
+export default function ManagedPage() {
+    const t = useTranslations();
 
-export default async function ManagedPage() {
     return (
         <>
             <SettingsSectionTitle
-                title="Managed Self-Hosted"
-                description="More reliable and low-maintenance self-hosted Pangolin server with extra bells and whistles"
+                title={t("managedSelfHosted.title")}
+                description={t("managedSelfHosted.description")}
             />
 
             <SettingsContainer>
                 <SettingsSection>
                     <SettingsSectionBody>
                         <p className="text-muted-foreground mb-4">
-                            <strong>Managed Self-Hosted Pangolin</strong> is a
-                            deployment option designed for people who want
-                            simplicity and extra reliability while still keeping
-                            their data private and self-hosted.
+                            <strong>{t("managedSelfHosted.introTitle")}</strong>{" "}
+                            {t("managedSelfHosted.introDescription")}
                         </p>
                         <p className="text-muted-foreground mb-6">
-                            With this option, you still run your own Pangolin
-                            node — your tunnels, SSL termination, and traffic
-                            all stay on your server. The difference is that
-                            management and monitoring are handled through our
-                            cloud dashboard, which unlocks a number of benefits:
+                            {t("managedSelfHosted.introDetail")}
                         </p>
 
                         <div className="grid gap-4 md:grid-cols-2 py-4">
@@ -50,13 +49,14 @@ export default async function ManagedPage() {
                                     <CheckCircle className="w-5 h-5 text-green-500 mt-0.5 flex-shrink-0" />
                                     <div>
                                         <h4 className="font-medium">
-                                            Simpler operations
+                                            {t(
+                                                "managedSelfHosted.benefitSimplerOperations.title"
+                                            )}
                                         </h4>
                                         <p className="text-sm text-muted-foreground">
-                                            No need to run your own mail server
-                                            or set up complex alerting. You'll
-                                            get health checks and downtime
-                                            alerts out of the box.
+                                            {t(
+                                                "managedSelfHosted.benefitSimplerOperations.description"
+                                            )}
                                         </p>
                                     </div>
                                 </div>
@@ -65,13 +65,14 @@ export default async function ManagedPage() {
                                     <RefreshCw className="w-5 h-5 text-blue-500 mt-0.5 flex-shrink-0" />
                                     <div>
                                         <h4 className="font-medium">
-                                            Automatic updates
+                                            {t(
+                                                "managedSelfHosted.benefitAutomaticUpdates.title"
+                                            )}
                                         </h4>
                                         <p className="text-sm text-muted-foreground">
-                                            The cloud dashboard evolves quickly,
-                                            so you get new features and bug
-                                            fixes without having to manually
-                                            pull new containers every time.
+                                            {t(
+                                                "managedSelfHosted.benefitAutomaticUpdates.description"
+                                            )}
                                         </p>
                                     </div>
                                 </div>
@@ -80,12 +81,14 @@ export default async function ManagedPage() {
                                     <Wrench className="w-5 h-5 text-orange-500 mt-0.5 flex-shrink-0" />
                                     <div>
                                         <h4 className="font-medium">
-                                            Less maintenance
+                                            {t(
+                                                "managedSelfHosted.benefitLessMaintenance.title"
+                                            )}
                                         </h4>
                                         <p className="text-sm text-muted-foreground">
-                                            No database migrations, backups, or
-                                            extra infrastructure to manage. We
-                                            handle that in the cloud.
+                                            {t(
+                                                "managedSelfHosted.benefitLessMaintenance.description"
+                                            )}
                                         </p>
                                     </div>
                                 </div>
@@ -96,13 +99,14 @@ export default async function ManagedPage() {
                                     <Activity className="w-5 h-5 text-purple-500 mt-0.5 flex-shrink-0" />
                                     <div>
                                         <h4 className="font-medium">
-                                            Cloud failover
+                                            {t(
+                                                "managedSelfHosted.benefitCloudFailover.title"
+                                            )}
                                         </h4>
                                         <p className="text-sm text-muted-foreground">
-                                            If your node goes down, your tunnels
-                                            can temporarily fail over to our
-                                            cloud points of presence until you
-                                            bring it back online.
+                                            {t(
+                                                "managedSelfHosted.benefitCloudFailover.description"
+                                            )}
                                         </p>
                                     </div>
                                 </div>
@@ -110,12 +114,14 @@ export default async function ManagedPage() {
                                     <Shield className="w-5 h-5 text-indigo-500 mt-0.5 flex-shrink-0" />
                                     <div>
                                         <h4 className="font-medium">
-                                            High availability (PoPs)
+                                            {t(
+                                                "managedSelfHosted.benefitHighAvailability.title"
+                                            )}
                                         </h4>
                                         <p className="text-sm text-muted-foreground">
-                                            You can also attach multiple nodes
-                                            to your account for redundancy and
-                                            better performance.
+                                            {t(
+                                                "managedSelfHosted.benefitHighAvailability.description"
+                                            )}
                                         </p>
                                     </div>
                                 </div>
@@ -124,13 +130,14 @@ export default async function ManagedPage() {
                                     <Zap className="w-5 h-5 text-yellow-500 mt-0.5 flex-shrink-0" />
                                     <div>
                                         <h4 className="font-medium">
-                                            Future enhancements
+                                            {t(
+                                                "managedSelfHosted.benefitFutureEnhancements.title"
+                                            )}
                                         </h4>
                                         <p className="text-sm text-muted-foreground">
-                                            We're planning to add more
-                                            analytics, alerting, and management
-                                            tools to make your deployment even
-                                            more robust.
+                                            {t(
+                                                "managedSelfHosted.benefitFutureEnhancements.description"
+                                            )}
                                         </p>
                                     </div>
                                 </div>
@@ -141,15 +148,14 @@ export default async function ManagedPage() {
                             variant="neutral"
                             className="flex items-center gap-1"
                         >
-                            Read the docs to learn more about the Managed
-                            Self-Hosted option in our{" "}
+                            {t("managedSelfHosted.docsAlert.text")}{" "}
                             <Link
-                                href="https://docs.digpangolin.com/self-host/advanced/convert-to-managed"
+                                href="https://docs.digpangolin.com/manage/managed"
                                 target="_blank"
                                 rel="noopener noreferrer"
                                 className="hover:underline text-primary flex items-center gap-1"
                             >
-                                documentation
+                                {t("managedSelfHosted.docsAlert.documentation")}
                                 <ExternalLink className="w-4 h-4" />
                             </Link>
                             .
@@ -157,13 +163,13 @@ export default async function ManagedPage() {
                     </SettingsSectionBody>
                     <SettingsSectionFooter>
                         <Link
-                            href="https://docs.digpangolin.com/self-host/advanced/convert-to-managed"
+                            href="https://docs.digpangolin.com/self-host/convert-managed"
                             target="_blank"
                             rel="noopener noreferrer"
                             className="hover:underline text-primary flex items-center gap-1"
                         >
                             <Button>
-                                Convert This Node to Managed Self-Hosted
+                                {t("managedSelfHosted.convertButton")}
                             </Button>
                         </Link>
                     </SettingsSectionFooter>

src/app/invite/page.tsx

@@ -48,6 +48,7 @@ export default async function InvitePage(props: {
         )
         .catch((e) => {
             error = formatAxiosError(e);
+            console.error(error);
         });
 
     if (res && res.status === 200) {
@@ -55,13 +56,13 @@ export default async function InvitePage(props: {
     }
 
     function cardType() {
-        if (error.includes(t('inviteErrorWrongUser'))) {
+        if (error.includes("Invite is not for this user")) {
             return "wrong_user";
         } else if (
-            error.includes(t('inviteErrorUserNotExists'))
+            error.includes("User does not exist. Please create an account first.")
         ) {
             return "user_does_not_exist";
-        } else if (error.includes(t('inviteErrorLoginRequired'))) {
+        } else if (error.includes("You must be logged in to accept an invite")) {
             return "not_logged_in";
         } else {
             return "rejected";

src/components/DomainPicker.tsx

@@ -37,6 +37,13 @@ import { cn } from "@/lib/cn";
 import { useTranslations } from "next-intl";
 import { build } from "@server/build";
 import { RadioGroup, RadioGroupItem } from "@/components/ui/radio-group";
+import {
+    sanitizeInputRaw,
+    finalizeSubdomainSanitize,
+    validateByDomainType,
+    isValidSubdomainStructure
+} from "@/lib/subdomain-utils";
+import { toUnicode } from "punycode";
 
 type OrganizationDomain = {
     domainId: string;
@@ -120,6 +127,7 @@ export default function DomainPicker2({
                         )
                         .map((domain) => ({
                             ...domain,
+                            baseDomain: toUnicode(domain.baseDomain),
                             type: domain.type as "ns" | "cname" | "wildcard"
                         }));
                     setOrganizationDomains(domains);
@@ -255,108 +263,64 @@ export default function DomainPicker2({
 
     const dropdownOptions = generateDropdownOptions();
 
-    const validateSubdomain = (
-        subdomain: string,
-        baseDomain: DomainOption
-    ): boolean => {
-        if (!baseDomain) return false;
+    const finalizeSubdomain = (sub: string, base: DomainOption): string => {
+        const sanitized = finalizeSubdomainSanitize(sub);
 
-        if (baseDomain.type === "provided-search") {
-            return /^[a-zA-Z0-9-]+$/.test(subdomain);
+        if (!sanitized) {
+            toast({
+                variant: "destructive",
+                title: "Invalid subdomain",
+                description: `The input "${sub}" was removed because it's not valid.`,
+            });
+            return "";
         }
 
-        if (baseDomain.type === "organization") {
-            if (baseDomain.domainType === "cname") {
-                return subdomain === "";
-            } else if (baseDomain.domainType === "ns") {
-                return /^[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*$/.test(subdomain);
-            } else if (baseDomain.domainType === "wildcard") {
-                return /^[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*$/.test(subdomain);
-            }
+        const ok = validateByDomainType(sanitized, {
+            type: base.type === "provided-search" ? "provided-search" : "organization",
+            domainType: base.domainType
+        });
+
+        if (!ok) {
+            toast({
+                variant: "destructive",
+                title: "Invalid subdomain",
+                description: `"${sub}" could not be made valid for ${base.domain}.`,
+            });
+            return "";
         }
 
-        return false;
-    };
-
-    // Handle base domain selection
-    const handleBaseDomainSelect = (option: DomainOption) => {
-        setSelectedBaseDomain(option);
-        setOpen(false);
-
-        if (option.domainType === "cname") {
-            setSubdomainInput("");
-        }
-
-        if (option.type === "provided-search") {
-            setUserInput("");
-            setAvailableOptions([]);
-            setSelectedProvidedDomain(null);
-            onDomainChange?.({
-                domainId: option.domainId!,
-                type: "organization",
-                subdomain: undefined,
-                fullDomain: option.domain,
-                baseDomain: option.domain
+        if (sub !== sanitized) {
+            toast({
+                title: "Subdomain sanitized",
+                description: `"${sub}" was corrected to "${sanitized}"`,
             });
         }
 
-        if (option.type === "organization") {
-            if (option.domainType === "cname") {
-                onDomainChange?.({
-                    domainId: option.domainId!,
-                    type: "organization",
-                    subdomain: undefined,
-                    fullDomain: option.domain,
-                    baseDomain: option.domain
-                });
-            } else {
-                onDomainChange?.({
-                    domainId: option.domainId!,
-                    type: "organization",
-                    subdomain: undefined,
-                    fullDomain: option.domain,
-                    baseDomain: option.domain
-                });
-            }
-        }
+        return sanitized;
     };
 
     const handleSubdomainChange = (value: string) => {
-        const validInput = value.replace(/[^a-zA-Z0-9.-]/g, "");
-        setSubdomainInput(validInput);
-
+        const raw = sanitizeInputRaw(value);
+        setSubdomainInput(raw);
         setSelectedProvidedDomain(null);
 
-        if (selectedBaseDomain && selectedBaseDomain.type === "organization") {
-            const isValid = validateSubdomain(validInput, selectedBaseDomain);
-            if (isValid) {
-                const fullDomain = validInput
-                    ? `${validInput}.${selectedBaseDomain.domain}`
-                    : selectedBaseDomain.domain;
-                onDomainChange?.({
-                    domainId: selectedBaseDomain.domainId!,
-                    type: "organization",
-                    subdomain: validInput || undefined,
-                    fullDomain: fullDomain,
-                    baseDomain: selectedBaseDomain.domain
-                });
-            } else if (validInput === "") {
-                onDomainChange?.({
-                    domainId: selectedBaseDomain.domainId!,
-                    type: "organization",
-                    subdomain: undefined,
-                    fullDomain: selectedBaseDomain.domain,
-                    baseDomain: selectedBaseDomain.domain
-                });
-            }
+        if (selectedBaseDomain?.type === "organization") {
+            const fullDomain = raw
+                ? `${raw}.${selectedBaseDomain.domain}`
+                : selectedBaseDomain.domain;
+
+            onDomainChange?.({
+                domainId: selectedBaseDomain.domainId!,
+                type: "organization",
+                subdomain: raw || undefined,
+                fullDomain,
+                baseDomain: selectedBaseDomain.domain
+            });
         }
     };
 
     const handleProvidedDomainInputChange = (value: string) => {
-        const validInput = value.replace(/[^a-zA-Z0-9.-]/g, "");
-        setUserInput(validInput);
-
-        // Clear selected domain when user types
+        setUserInput(value);
         if (selectedProvidedDomain) {
             setSelectedProvidedDomain(null);
             onDomainChange?.({
@@ -369,6 +333,43 @@ export default function DomainPicker2({
         }
     };
 
+    const handleBaseDomainSelect = (option: DomainOption) => {
+        let sub = subdomainInput;
+
+        if (sub && sub.trim() !== "") {
+            sub = finalizeSubdomain(sub, option) || "";
+            setSubdomainInput(sub);
+        } else {
+            sub = "";
+            setSubdomainInput("");
+        }
+
+        if (option.type === "provided-search") {
+            setUserInput("");
+            setAvailableOptions([]);
+            setSelectedProvidedDomain(null);
+        }
+
+        setSelectedBaseDomain(option);
+        setOpen(false);
+
+        if (option.domainType === "cname") {
+            sub = "";
+            setSubdomainInput("");
+        }
+
+        const fullDomain = sub ? `${sub}.${option.domain}` : option.domain;
+
+        onDomainChange?.({
+            domainId: option.domainId || "",
+            domainNamespaceId: option.domainNamespaceId,
+            type: option.type === "provided-search" ? "provided" : "organization",
+            subdomain: sub || undefined,
+            fullDomain,
+            baseDomain: option.domain
+        });
+    };
+
     const handleProvidedDomainSelect = (option: AvailableOption) => {
         setSelectedProvidedDomain(option);
 
@@ -380,15 +381,19 @@ export default function DomainPicker2({
             domainId: option.domainId,
             domainNamespaceId: option.domainNamespaceId,
             type: "provided",
-            subdomain: subdomain,
+            subdomain,
             fullDomain: option.fullDomain,
-            baseDomain: baseDomain
+            baseDomain
         });
     };
 
-    const isSubdomainValid = selectedBaseDomain
-        ? validateSubdomain(subdomainInput, selectedBaseDomain)
+    const isSubdomainValid = selectedBaseDomain && subdomainInput
+        ? validateByDomainType(subdomainInput, {
+            type: selectedBaseDomain.type === "provided-search" ? "provided-search" : "organization",
+            domainType: selectedBaseDomain.domainType
+        })
         : true;
+
     const showSubdomainInput =
         selectedBaseDomain &&
         selectedBaseDomain.type === "organization" &&
@@ -396,7 +401,7 @@ export default function DomainPicker2({
     const showProvidedDomainSearch =
         selectedBaseDomain?.type === "provided-search";
 
-    const sortedAvailableOptions = availableOptions.sort((a, b) => {
+    const sortedAvailableOptions = [...availableOptions].sort((a, b) => {
         const comparison = a.fullDomain.localeCompare(b.fullDomain);
         return sortOrder === "asc" ? comparison : -comparison;
     });
@@ -408,6 +413,7 @@ export default function DomainPicker2({
     const hasMoreProvided =
         sortedAvailableOptions.length > providedDomainsShown;
 
+
     return (
         <div className="space-y-4">
             <div className="grid grid-cols-1 sm:grid-cols-2 gap-4">
@@ -426,16 +432,16 @@ export default function DomainPicker2({
                             showProvidedDomainSearch
                                 ? ""
                                 : showSubdomainInput
-                                  ? ""
-                                  : t("domainPickerNotAvailableForCname")
+                                    ? ""
+                                    : t("domainPickerNotAvailableForCname")
                         }
                         disabled={
                             !showSubdomainInput && !showProvidedDomainSearch
                         }
                         className={cn(
                             !isSubdomainValid &&
-                                subdomainInput &&
-                                "border-red-500"
+                            subdomainInput &&
+                            "border-red-500 focus:border-red-500"
                         )}
                         onChange={(e) => {
                             if (showProvidedDomainSearch) {
@@ -445,6 +451,11 @@ export default function DomainPicker2({
                             }
                         }}
                     />
+                    {showSubdomainInput && subdomainInput && !isValidSubdomainStructure(subdomainInput) && (
+                        <p className="text-sm text-red-500">
+                            This subdomain contains invalid characters or structure. It will be sanitized automatically when you save.
+                        </p>
+                    )}
                     {showSubdomainInput && !subdomainInput && (
                         <p className="text-sm text-muted-foreground">
                             {t("domainPickerEnterSubdomainOrLeaveBlank")}
@@ -470,7 +481,7 @@ export default function DomainPicker2({
                                 {selectedBaseDomain ? (
                                     <div className="flex items-center space-x-2 min-w-0 flex-1">
                                         {selectedBaseDomain.type ===
-                                        "organization" ? null : (
+                                            "organization" ? null : (
                                             <Zap className="h-4 w-4 flex-shrink-0" />
                                         )}
                                         <span className="truncate">
@@ -564,67 +575,67 @@ export default function DomainPicker2({
                                         </CommandGroup>
                                         {(build === "saas" ||
                                             build === "enterprise") && (
-                                            <CommandSeparator className="my-2" />
-                                        )}
+                                                <CommandSeparator className="my-2" />
+                                            )}
                                     </>
                                 )}
 
                                 {(build === "saas" ||
                                     build === "enterprise") && (
-                                    <CommandGroup
-                                        heading={
-                                            build === "enterprise"
-                                                ? t(
-                                                      "domainPickerProvidedDomains"
-                                                  )
-                                                : t("domainPickerFreeDomains")
-                                        }
-                                        className="py-2"
-                                    >
-                                        <CommandList>
-                                            <CommandItem
-                                                key="provided-search"
-                                                onSelect={() =>
-                                                    handleBaseDomainSelect({
-                                                        id: "provided-search",
-                                                        domain:
-                                                            build ===
-                                                            "enterprise"
+                                        <CommandGroup
+                                            heading={
+                                                build === "enterprise"
+                                                    ? t(
+                                                        "domainPickerProvidedDomains"
+                                                    )
+                                                    : t("domainPickerFreeDomains")
+                                            }
+                                            className="py-2"
+                                        >
+                                            <CommandList>
+                                                <CommandItem
+                                                    key="provided-search"
+                                                    onSelect={() =>
+                                                        handleBaseDomainSelect({
+                                                            id: "provided-search",
+                                                            domain:
+                                                                build ===
+                                                                    "enterprise"
+                                                                    ? "Provided Domain"
+                                                                    : "Free Provided Domain",
+                                                            type: "provided-search"
+                                                        })
+                                                    }
+                                                    className="mx-2 rounded-md"
+                                                >
+                                                    <div className="flex items-center justify-center w-8 h-8 rounded-lg bg-primary/10 mr-3">
+                                                        <Zap className="h-4 w-4 text-primary" />
+                                                    </div>
+                                                    <div className="flex flex-col flex-1 min-w-0">
+                                                        <span className="font-medium truncate">
+                                                            {build === "enterprise"
                                                                 ? "Provided Domain"
-                                                                : "Free Provided Domain",
-                                                        type: "provided-search"
-                                                    })
-                                                }
-                                                className="mx-2 rounded-md"
-                                            >
-                                                <div className="flex items-center justify-center w-8 h-8 rounded-lg bg-primary/10 mr-3">
-                                                    <Zap className="h-4 w-4 text-primary" />
-                                                </div>
-                                                <div className="flex flex-col flex-1 min-w-0">
-                                                    <span className="font-medium truncate">
-                                                        {build === "enterprise"
-                                                            ? "Provided Domain"
-                                                            : "Free Provided Domain"}
-                                                    </span>
-                                                    <span className="text-xs text-muted-foreground">
-                                                        {t(
-                                                            "domainPickerSearchForAvailableDomains"
+                                                                : "Free Provided Domain"}
+                                                        </span>
+                                                        <span className="text-xs text-muted-foreground">
+                                                            {t(
+                                                                "domainPickerSearchForAvailableDomains"
+                                                            )}
+                                                        </span>
+                                                    </div>
+                                                    <Check
+                                                        className={cn(
+                                                            "h-4 w-4 text-primary",
+                                                            selectedBaseDomain?.id ===
+                                                                "provided-search"
+                                                                ? "opacity-100"
+                                                                : "opacity-0"
                                                         )}
-                                                    </span>
-                                                </div>
-                                                <Check
-                                                    className={cn(
-                                                        "h-4 w-4 text-primary",
-                                                        selectedBaseDomain?.id ===
-                                                            "provided-search"
-                                                            ? "opacity-100"
-                                                            : "opacity-0"
-                                                    )}
-                                                />
-                                            </CommandItem>
-                                        </CommandList>
-                                    </CommandGroup>
-                                )}
+                                                    />
+                                                </CommandItem>
+                                            </CommandList>
+                                        </CommandGroup>
+                                    )}
                             </Command>
                         </PopoverContent>
                     </Popover>
@@ -680,7 +691,7 @@ export default function DomainPicker2({
                                         htmlFor={option.domainNamespaceId}
                                         data-state={
                                             selectedProvidedDomain?.domainNamespaceId ===
-                                            option.domainNamespaceId
+                                                option.domainNamespaceId
                                                 ? "checked"
                                                 : "unchecked"
                                         }
@@ -760,4 +771,4 @@ function debounce<T extends (...args: any[]) => any>(
             func(...args);
         }, wait);
     };
-}
+}

src/components/LayoutMobileMenu.tsx

@@ -7,7 +7,7 @@ import { cn } from "@app/lib/cn";
 import { ListUserOrgsResponse } from "@server/routers/org";
 import SupporterStatus from "@app/components/SupporterStatus";
 import { Button } from "@app/components/ui/button";
-import { Menu, Server } from "lucide-react";
+import { ExternalLink, Menu, Server } from "lucide-react";
 import Link from "next/link";
 import { usePathname } from "next/navigation";
 import { useUserContext } from "@app/hooks/useUserContext";
@@ -117,7 +117,15 @@ export function LayoutMobileMenu({
                                         <SupporterStatus />
                                         {env?.app?.version && (
                                             <div className="text-xs text-muted-foreground text-center">
-                                                v{env.app.version}
+                                                <Link
+                                                    href={`https://github.com/fosrl/pangolin/releases/tag/${env.app.version}`}
+                                                    target="_blank"
+                                                    rel="noopener noreferrer"
+                                                    className="flex items-center justify-center gap-1"
+                                                >
+                                                    v{env.app.version}
+                                                    <ExternalLink size={12} />
+                                                </Link>
                                             </div>
                                         )}
                                     </div>

src/components/LayoutSidebar.tsx

@@ -7,6 +7,7 @@ import { cn } from "@app/lib/cn";
 import { ListUserOrgsResponse } from "@server/routers/org";
 import SupporterStatus from "@app/components/SupporterStatus";
 import { ExternalLink, Server, BookOpenText, Zap } from "lucide-react";
+import { FaDiscord, FaGithub } from "react-icons/fa";
 import Link from "next/link";
 import { usePathname } from "next/navigation";
 import { useUserContext } from "@app/hooks/useUserContext";
@@ -151,7 +152,7 @@ export function LayoutSidebar({
                                 {!isUnlocked()
                                     ? t("communityEdition")
                                     : t("commercialEdition")}
-                                <ExternalLink size={12} />
+                                <FaGithub size={12} />
                             </Link>
                         </div>
                         <div className="text-xs text-muted-foreground ">
@@ -165,9 +166,28 @@ export function LayoutSidebar({
                                 <BookOpenText size={12} />
                             </Link>
                         </div>
+                        <div className="text-xs text-muted-foreground text-center">
+                            <Link
+                                href="https://discord.gg/HCJR8Xhme4"
+                                target="_blank"
+                                rel="noopener noreferrer"
+                                className="flex items-center justify-center gap-1"
+                            >
+                                Discord
+                                <FaDiscord size={12} />
+                            </Link>
+                        </div>
                         {env?.app?.version && (
                             <div className="text-xs text-muted-foreground text-center">
-                                v{env.app.version}
+                                <Link
+                                    href={`https://github.com/fosrl/pangolin/releases/tag/${env.app.version}`}
+                                    target="_blank"
+                                    rel="noopener noreferrer"
+                                    className="flex items-center justify-center gap-1"
+                                >
+                                    v{env.app.version}
+                                    <ExternalLink size={12} />
+                                </Link>
                             </div>
                         )}
                     </div>

src/components/PermissionsSelectBox.tsx

@@ -24,6 +24,7 @@ function getActionsCategories(root: boolean) {
             [t('actionUpdateOrg')]: "updateOrg",
             [t('actionGetOrgUser')]: "getOrgUser",
             [t('actionInviteUser')]: "inviteUser",
+            [t('actionListInvitations')]: "listInvitations",
             [t('actionRemoveUser')]: "removeUser",
             [t('actionListUsers')]: "listUsers",
             [t('actionListOrgDomains')]: "listOrgDomains"
@@ -51,7 +52,12 @@ function getActionsCategories(root: boolean) {
             [t('actionSetResourcePassword')]: "setResourcePassword",
             [t('actionSetResourcePincode')]: "setResourcePincode",
             [t('actionSetResourceEmailWhitelist')]: "setResourceWhitelist",
-            [t('actionGetResourceEmailWhitelist')]: "getResourceWhitelist"
+            [t('actionGetResourceEmailWhitelist')]: "getResourceWhitelist",
+            [t('actionCreateSiteResource')]: "createSiteResource",
+            [t('actionDeleteSiteResource')]: "deleteSiteResource",
+            [t('actionGetSiteResource')]: "getSiteResource",
+            [t('actionListSiteResources')]: "listSiteResources",
+            [t('actionUpdateSiteResource')]: "updateSiteResource"
         },
 
         Target: {

src/lib/parseHostTarget.ts

@@ -0,0 +1,15 @@
+export function parseHostTarget(input: string) {
+  try {
+    const normalized = input.match(/^https?:\/\//) ? input : `http://${input}`;
+    const url = new URL(normalized);
+
+    const protocol = url.protocol.replace(":", ""); // http | https
+    const host = url.hostname;
+    const port = url.port ? parseInt(url.port, 10) : protocol === "https" ? 443 : 80;
+
+    return { protocol, host, port };
+  } catch {
+    return null;
+  }
+}
+

src/lib/subdomain-utils.ts

@@ -0,0 +1,63 @@
+
+export type DomainType = "organization" | "provided" | "provided-search";
+
+export const SINGLE_LABEL_RE = /^[\p{L}\p{N}-]+$/u; // provided-search (no dots)
+export const MULTI_LABEL_RE = /^[\p{L}\p{N}-]+(\.[\p{L}\p{N}-]+)*$/u; // ns/wildcard
+export const SINGLE_LABEL_STRICT_RE = /^[\p{L}\p{N}](?:[\p{L}\p{N}-]*[\p{L}\p{N}])?$/u; // start/end alnum
+
+
+export function sanitizeInputRaw(input: string): string {
+  if (!input) return "";
+  return input
+    .toLowerCase()
+    .normalize("NFC") // normalize Unicode
+    .replace(/[^\p{L}\p{N}.-]/gu, ""); // allow Unicode letters, numbers, dot, hyphen
+}
+
+export function finalizeSubdomainSanitize(input: string): string {
+  if (!input) return "";
+  return input
+    .toLowerCase()
+    .normalize("NFC")
+    .replace(/[^\p{L}\p{N}.-]/gu, "")  // allow Unicode
+    .replace(/\.{2,}/g, ".")           // collapse multiple dots
+    .replace(/^-+|-+$/g, "")           // strip leading/trailing hyphens
+    .replace(/^\.+|\.+$/g, "")         // strip leading/trailing dots
+    .replace(/(\.-)|(-\.)/g, ".");     // fix illegal dot-hyphen combos
+}
+
+
+export function validateByDomainType(subdomain: string, domainType: { type: "provided-search" | "organization"; domainType?: "ns" | "cname" | "wildcard" } ): boolean {
+  if (!domainType) return false;
+
+  if (domainType.type === "provided-search") {
+    return SINGLE_LABEL_RE.test(subdomain);
+  }
+
+  if (domainType.type === "organization") {
+    if (domainType.domainType === "cname") {
+      return subdomain === "";
+    } else if (domainType.domainType === "ns" || domainType.domainType === "wildcard") {
+      if (subdomain === "") return true;
+      if (!MULTI_LABEL_RE.test(subdomain)) return false;
+      const labels = subdomain.split(".");
+      return labels.every(l => l.length >= 1 && l.length <= 63 && SINGLE_LABEL_RE.test(l));
+    }
+  }
+  return false;
+}
+
+
+
+export const isValidSubdomainStructure = (input: string): boolean => {
+  const regex = /^(?!-)([\p{L}\p{N}-]{1,63})(?<!-)$/u;
+
+  if (!input) return false;
+  if (input.includes("..")) return false;
+
+  return input.split(".").every(label => regex.test(label));
+};
+
+
+
+