Merge branch 'main' into dependabot/npm_and_yarn/npm_and_yarn-2697d138d9

Author: mattwoberts

.example.env

@@ -2,6 +2,7 @@ BASE_URL=http://localhost:3000
 GO_ENV=development
 DATABASE_URL=postgres://fider:fider_pw@localhost:5555/fider?sslmode=disable
 JWT_SECRET=hsjl]W;&ZcHxT&FK;s%bgIQF:#ch=~#Al4:5]N;7V<qPZ3e9lT4'%;go;LIkc%k
+# ALLOW_ALLOWED_SCHEMES=false
 
 LOG_LEVEL=DEBUG
 LOG_CONSOLE=true

.github/workflows/locale.yml

@@ -41,8 +41,9 @@ jobs:
         if: ${{ inputs.dry != 'true' }}
         uses: peter-evans/create-pull-request@v6
         with:
+          base: ${{ github.ref_name }}
           commit-message: "Auto-translate missing keys in locales"
-          title: "Auto-translate missing keys in locales"
+          title: "[${{ github.head_ref || github.ref_name }}] Auto-translate missing keys in locales"
           body: "This PR adds machine-translated values for any missing locale keys."
           branch: auto/translate-missing-keys
           add-paths: |

CLAUDE.md

@@ -0,0 +1,215 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Common Development Commands
+
+### Building
+
+- `make build` - Build both server and UI
+- `make build-server` - Build Go server binary
+- `make build-ui` - Build UI assets with webpack
+- `make build-ssr` - Build SSR script and compile locales
+
+### Running
+
+- `make run` - Run Fider server (requires build first)
+- `make watch` - Start both server and UI in watch mode (recommended for development)
+- `make watch-server` - Run server in watch mode with air
+- `make watch-ui` - Run UI in watch mode with webpack
+- `make migrate` - Run database migrations
+
+### Testing
+
+- `make test` - Run both server and UI tests
+- `make test-server` - Run Go server tests (includes migration)
+- `make test-ui` - Run Jest tests for React components
+- `make coverage-server` - Run server tests with coverage
+- `make test-e2e-server` - Run E2E tests for server features
+- `make test-e2e-ui` - Run E2E tests for UI features
+
+### Linting
+
+- `make lint` - Lint both server and UI code
+- `make lint-server` - Run golangci-lint on Go code
+- `make lint-ui` - Run ESLint on TypeScript/React code
+
+### Other
+
+- `make clean` - Remove build artifacts
+- `make help` - Show all available make targets
+
+## Project Architecture
+
+### Backend (Go)
+
+Fider uses a layered architecture with clean separation of concerns:
+
+**Core Structure:**
+
+- `main.go` - Entry point with command routing (ping, migrate, server)
+- `app/cmd/` - Command implementations and server bootstrap
+- `app/cmd/routes.go` - All routes are defined here
+- `app/handlers/` - HTTP handlers organized by functionality
+- `app/middlewares/` - HTTP middleware chain
+- `app/models/` - Data models (cmd, dto, entity, enum, query)
+- `app/services/` - Service implementations with dependency injection
+- `app/pkg/` - Reusable packages and utilities
+
+**Key Patterns:**
+
+- **Bus Architecture**: Uses `app/pkg/bus` for service registration and dispatch
+- **CQRS**: Commands and queries are separated in `app/models/`
+- **Service Layer**: All external services (email, blob storage, oauth) are abstracted
+- **Middleware Chain**: Authentication, tenant resolution, CORS, etc.
+
+**Database:**
+
+- PostgreSQL with custom migration system in `migrations/`
+- SQL-based data access through service interfaces
+- Tenant-aware data isolation
+
+### Frontend (React/TypeScript)
+
+Modern React application with TypeScript:
+
+**Structure:**
+
+- `public/index.tsx` - Application entry point with React 18
+- `public/components/` - Reusable UI components
+- `public/pages/` - Page-level components organized by feature
+- `public/services/` - Client-side services and utilities
+- `public/hooks/` - Custom React hooks
+
+**Key Features:**
+
+- **SSR Support**: Server-side rendering with hydration
+- **Internationalization**: LinguiJS for i18n with locale switching
+- **Component Library**: Extensive set of reusable components
+- **State Management**: React Context for global state
+- **Error Boundaries**: Comprehensive error handling
+
+**Build System:**
+
+- Webpack for bundling with CSS extraction
+- ESBuild for SSR compilation
+- SCSS for styling with utility classes
+- Asset optimization and code splitting
+
+### API Design
+
+RESTful API with multiple access levels:
+
+- `/api/v1/` - Public API (no auth required)
+- Member API - Authenticated users
+- Staff API - Collaborators and administrators
+- Admin API - Administrators only
+
+### Key Services
+
+The application includes pluggable services for:
+
+- **Email**: SMTP, Mailgun, AWS SES
+- **Blob Storage**: Filesystem, S3, SQL
+- **OAuth**: Custom providers, GitHub, Google, etc.
+- **Billing**: Paddle integration (optional)
+- **Webhooks**: Outbound event notifications
+
+## Development Setup Requirements
+
+1. **Go 1.22+** - Backend development
+2. **Node.js 21/22** - Frontend build tools and TypeScript
+3. **Docker** - PostgreSQL and local SMTP (MailHog)
+4. **Air** - Go hot reload: `go install github.com/cosmtrek/air`
+5. **Godotenv** - Environment loading: `go install github.com/joho/godotenv/cmd/godotenv`
+6. **golangci-lint** - Go linting: `go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.59.1`
+
+**Environment Setup:**
+
+- Copy `.example.env` to `.env` for local configuration
+- Run `docker compose up -d` for PostgreSQL and MailHog
+- MailHog UI available at http://localhost:8025
+
+## Testing Strategy
+
+**Backend Testing:**
+
+- Unit tests alongside source files (`*_test.go`)
+- Integration tests with test database
+- E2E tests using Cucumber for server features
+
+**Frontend Testing:**
+
+- Jest for unit/component tests
+- Testing Library for React components
+- E2E tests using Cucumber + Playwright
+
+**Test Environment:**
+
+- Uses `.test.env` for test-specific configuration
+- Automated database migrations before test runs
+- Coverage reporting available
+
+## Code Organization Principles
+
+### Backend Model Naming Conventions
+
+Follow these strict naming patterns for `app/models/`:
+
+- **`action.<something>`** - User interactions for POST/PUT/PATCH requests, map 1-to-1 with Commands (e.g., `action.CreateNewUser`)
+- **`dto.<something>`** - Data transfer objects between packages/services (e.g., `dto.NewUserInfo`)
+- **`entity.<something>`** - Objects mapped to database tables (e.g., `entity.User`)
+- **`cmd.<something>`** - Commands that must be executed and potentially return values (e.g., `cmd.HttpRequest`, `cmd.LogDebug`, `cmd.SendMail`, `cmd.CreateNewUser`)
+- **`query.<something>`** - Queries to get information from somewhere (e.g., `query.GetUserById`, `query.GetAllPosts`)
+
+### Frontend Structure Conventions
+
+- **Page Organization**: Each page has its own folder under `public/pages/` with:
+  - `index.ts` - Module exporter
+  - `[PageName].page.tsx` - Main page component
+  - `[PageName].page.scss` - Page-specific styles
+  - `[PageName].page.spec.tsx` - Unit tests
+  - `./components/` - Page-specific components
+
+### CSS Naming Conventions
+
+Fider uses BEM methodology combined with utility classes:
+
+- **`p-<page_name>`** - HTML ID for each page component (e.g., `p-home`, `p-user-settings`)
+- **`c-<component_name>`** - Block class for components (e.g., `c-toggle`)
+- **`c-<component_name>__<element>`** - Element classes (e.g., `c-toggle__label`)
+- **`c-<component_name>--<state>`** - State modifiers (e.g., `c-toggle--checked`)
+- **`is-<state>`, `has-<state>`** - Global state modifiers
+- **Utility classes** - No prefix, used for common styling patterns. All utility classes are defined in public/assets/styles/utility/
+
+### General Principles
+
+**Backend:**
+
+- Services are dependency-injected through the bus system
+- All external dependencies are abstracted behind interfaces
+- Database queries are centralized in query objects
+- Handlers focus on HTTP concerns, business logic in services
+
+**Frontend:**
+
+- Page components are lazy-loaded for performance
+- Shared components in `components/common/`
+- Business logic in services, not components
+- Type-safe API calls with proper error handling
+
+## Build and Deployment
+
+**Local Development:**
+
+- `make watch` for development with hot reload
+- Webpack dev server for fast UI rebuilds
+- Air for Go server hot reload
+
+**Production Build:**
+
+- `make build` creates optimized binaries and assets
+- SSR compilation for better SEO and performance
+- Asset optimization and minification
+
+This is a mature, production-ready feedback platform with comprehensive testing, i18n support, and a clean, maintainable architecture.

app/actions/image.go

@@ -0,0 +1,41 @@
+package actions
+
+import (
+	"context"
+
+	"github.com/getfider/fider/app/models/dto"
+	"github.com/getfider/fider/app/models/entity"
+	"github.com/getfider/fider/app/pkg/validate"
+)
+
+// UploadImage is used to upload an image without associating it with a post or comment
+type UploadImage struct {
+	Image *dto.ImageUpload `json:"image"`
+}
+
+// Initialize the model
+func (input *UploadImage) Initialize() {}
+
+// IsAuthorized returns true if current user is authorized to perform this action
+func (input *UploadImage) IsAuthorized(ctx context.Context, user *entity.User) bool {
+	return user != nil
+}
+
+// Validate if current model is valid
+func (input *UploadImage) Validate(ctx context.Context, user *entity.User) *validate.Result {
+	result := validate.Success()
+
+	messages, err := validate.ImageUpload(ctx, input.Image, validate.ImageUploadOpts{
+		IsRequired:   true,
+		MinHeight:    50,
+		MinWidth:     50,
+		ExactRatio:   false,
+		MaxKilobytes: 5120,
+	})
+
+	if err != nil {
+		return validate.Error(err)
+	}
+	result.AddFieldFailure("image", messages...)
+	return result
+}

app/actions/post.go

@@ -37,16 +37,17 @@ func (input *CreateNewPost) OnPreExecute(ctx context.Context) error {
 			if err := bus.Dispatch(ctx, getTag); err != nil {
 				break
 			}
-			
+
 			input.Tags = append(input.Tags, getTag.Result)
 		}
 	}
-	
+
 	return nil
 }
 
 // IsAuthorized returns true if current user is authorized to perform this action
 func (action *CreateNewPost) IsAuthorized(ctx context.Context, user *entity.User) bool {
+
 	if user == nil {
 		return false
 	} else if env.Config.PostCreationWithTagsEnabled && !user.IsCollaborator() {
@@ -343,21 +344,18 @@ func (action *EditComment) Validate(ctx context.Context, user *entity.User) *val
 	}
 
 	if len(action.Attachments) > 0 {
-		getAttachments := &query.GetAttachments{Post: action.Post, Comment: action.Comment}
-		err := bus.Dispatch(ctx, getAttachments)
-		if err != nil {
-			return validate.Error(err)
+
+		nonRemovedCount := 0
+		for _, v := range action.Attachments {
+			if !v.Remove {
+				nonRemovedCount++
+			}
 		}
 
-		messages, err := validate.MultiImageUpload(ctx, getAttachments.Result, action.Attachments, validate.MultiImageUploadOpts{
-			MaxUploads:   2,
-			MaxKilobytes: 5120,
-			ExactRatio:   false,
-		})
-		if err != nil {
-			return validate.Error(err)
+		if nonRemovedCount > 2 {
+			result.AddFieldFailure("content", i18n.T(ctx, "validation.custom.maxattachments", i18n.Params{"number": 2}))
 		}
-		result.AddFieldFailure("attachments", messages...)
+
 	}
 
 	return result

app/actions/signin.go

@@ -54,22 +54,22 @@ func (action *SignInByEmail) Validate(ctx context.Context, user *entity.User) *v
 	return result
 }
 
-//GetEmail returns the email being verified
+// GetEmail returns the email being verified
 func (action *SignInByEmail) GetEmail() string {
 	return action.Email
 }
 
-//GetName returns empty for this kind of process
+// GetName returns empty for this kind of process
 func (action *SignInByEmail) GetName() string {
 	return ""
 }
 
-//GetUser returns the current user performing this action
+// GetUser returns the current user performing this action
 func (action *SignInByEmail) GetUser() *entity.User {
 	return nil
 }
 
-//GetKind returns EmailVerificationKindSignIn
+// GetKind returns EmailVerificationKindSignIn
 func (action *SignInByEmail) GetKind() enum.EmailVerificationKind {
 	return enum.EmailVerificationKindSignIn
 }

app/actions/tenant.go

@@ -177,7 +177,8 @@ func (action *UpdateTenantSettings) Validate(ctx context.Context, user *entity.U
 
 // UpdateTenantAdvancedSettings is the input model used to update tenant advanced settings
 type UpdateTenantAdvancedSettings struct {
-	CustomCSS string `json:"customCSS"`
+	CustomCSS      string `json:"customCSS"`
+	AllowedSchemes string `json:"allowedSchemes"`
 }
 
 // IsAuthorized returns true if current user is authorized to perform this action