Merge branch 'develop' into feature/fix-language-settings-behaivour

Author: mindmonk

.github/workflows/build.yml

@@ -18,10 +18,10 @@ jobs:
     name: Run Tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
@@ -36,7 +36,7 @@ jobs:
         working-directory: frontend
         run: npm run dist
       - name: SonarCloud Scan Frontend
-        uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0
+        uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0
         with:
           projectBaseDir: frontend
           args: >
@@ -49,13 +49,13 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-      - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
+      - uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
         with:
           distribution: 'temurin'
           java-version: ${{ env.JAVA_VERSION }}
           cache: 'maven'
       - name: Cache SonarCloud packages
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
         with:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
@@ -95,8 +95,8 @@ jobs:
       contents: read
       packages: write
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
@@ -112,7 +112,7 @@ jobs:
         run: ./mvnw versions:set --file pom.xml -DnewVersion=${GITHUB_REF##*/}
       - name: Docker metadata
         id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: ghcr.io/cryptomator/hub
           tags: |

.github/workflows/keycloak.yml

@@ -24,8 +24,8 @@ jobs:
       attestations: write
       packages: write
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
@@ -37,7 +37,7 @@ jobs:
         working-directory: keycloak/themes/cryptomator/common/resources
         run: npm run build
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
       - name: Login to GHCR

CHANGELOG.md

@@ -7,9 +7,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased](https://github.com/cryptomator/hub/compare/1.4.6...HEAD)
 
+### Added
+
+- Show pictures of the groups in the Vaults member list. (#375)
+
 ### Changed
 
 - Updated Keycloak to 26.4.7
+- Update Quarkus to 3.20.4 LTS
+- Improved efficiency of keycloak-to-hub data sync (#377)
+- Improved efficiency of group-based access permission checks (#372)
+- Migrated aes-siv and base encoding libraries to [`@noble/ciphers`](https://github.com/paulmillr/noble-ciphers) and [`@scure/base`](https://github.com/paulmillr/scure-base/) (#373)
+
+### Security
+
+- CVE-2025-64756, CVE-2025-64118: removed `glob` and `tar` dependencies
+- CVE-2025-64718, CVE-2025-62522: updated `js-yaml` and `vite`
 
 ## [1.4.6](https://github.com/cryptomator/hub/compare/1.4.5...1.4.6)
 

backend/.idea/codeStyles/Project.xml

@@ -10,13 +10,13 @@
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.jdk.version>21</project.jdk.version>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <quarkus.platform.version>3.20.3</quarkus.platform.version>
+    <quarkus.platform.version>3.20.4</quarkus.platform.version>
     <jwt.version>4.5.0</jwt.version>
     <compiler-plugin.version>3.14.1</compiler-plugin.version>
-    <dependency-plugin.version>3.8.1</dependency-plugin.version>
+    <dependency-plugin.version>3.9.0</dependency-plugin.version>
     <surefire-plugin.version>3.5.4</surefire-plugin.version>
     <failsafe-plugin.version>3.5.4</failsafe-plugin.version>
-    <junit-tree-reporter.version>1.4.0</junit-tree-reporter.version>
+    <junit-tree-reporter.version>1.5.1</junit-tree-reporter.version>
   </properties>
 
   <dependencyManagement>

backend/.idea/inspectionProfiles/Project_Default.xml

@@ -8,8 +8,8 @@ public final class GroupDto extends AuthorityDto {
 	@JsonProperty("memberSize")
 	public final Integer memberSize;
 
-	GroupDto(@JsonProperty("id") String id, @JsonProperty("name") String name, @JsonProperty("memberSize") Integer memberSize) {
-		super(id, Type.GROUP, name, null);
+	GroupDto(@JsonProperty("id") String id, @JsonProperty("name") String name, @JsonProperty("pictureUrl") String pictureUrl, @JsonProperty("memberSize") Integer memberSize) {
+		super(id, Type.GROUP, name, pictureUrl);
 		this.memberSize = memberSize;
 	}
 
@@ -19,6 +19,6 @@ public static GroupDto fromEntity(Group group) {
 
 	public static GroupDto fromEntity(Group group, boolean withMemberSize) {
 		Integer memberSize = withMemberSize ? group.getMemberSize() : null;
-		return new GroupDto(group.getId(), group.getName(), memberSize);
+		return new GroupDto(group.getId(), group.getName(), group.getPictureUrl(), memberSize);
 	}
 }

backend/pom.xml

@@ -29,7 +29,7 @@ public static MemberDto fromEntity(User user, VaultAccess.Role role) {
 	}
 
 	public static MemberDto fromEntity(Group group, VaultAccess.Role role) {
-		return new MemberDto(group.getId(), Type.GROUP, group.getName(), null, null, null, role, group.getMemberSize());
+		return new MemberDto(group.getId(), Type.GROUP, group.getName(), group.getPictureUrl(), null, null, role, group.getMemberSize());
 	}
 
 }

backend/src/main/java/org/cryptomator/hub/api/GroupDto.java

@@ -3,6 +3,7 @@
 import com.auth0.jwt.JWT;
 import com.auth0.jwt.algorithms.Algorithm;
 import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import io.quarkus.security.identity.SecurityIdentity;
 import io.vertx.core.http.HttpServerRequest;
@@ -255,7 +256,7 @@ public Response removeAuthority(@PathParam("vaultId") UUID vaultId, @PathParam("
 	@VaultRole(VaultAccess.Role.OWNER) // may throw 403
 	@Transactional
 	@Produces(MediaType.APPLICATION_JSON)
-	@Operation(summary = "list devices requiring access rights", description = "lists all devices owned by vault members, that don't have a device-specific masterkey yet")
+	@Operation(summary = "list users requiring access rights", description = "lists all users, who don't have a user-specific vault key yet")
 	@APIResponse(responseCode = "200")
 	@APIResponse(responseCode = "403", description = "not a vault owner")
 	public List<UserDto> getUsersRequiringAccessGrant(@PathParam("vaultId") UUID vaultId) {
@@ -384,17 +385,14 @@ public Response grantAccess(@PathParam("vaultId") UUID vaultId, @NotEmpty Map<St
 	@GET
 	@Path("/{vaultId}")
 	@RolesAllowed("user")
-	// @VaultRole(VaultAccess.Role.MEMBER) // TODO: members and admin may do this...
+	@VaultRole(value = {VaultAccess.Role.MEMBER, VaultAccess.Role.OWNER}, bypassForRealmRole = true, realmRole = "admin", onMissingVault = VaultRole.OnMissingVault.NOT_FOUND)
 	@Produces(MediaType.APPLICATION_JSON)
 	@Transactional
 	@Operation(summary = "gets a vault")
 	@APIResponse(responseCode = "200")
 	@APIResponse(responseCode = "403", description = "requesting user is neither a vault member nor has the admin role")
 	public VaultDto get(@PathParam("vaultId") UUID vaultId) {
 		Vault vault = vaultRepo.findByIdOptional(vaultId).orElseThrow(NotFoundException::new);
-		if (vault.getEffectiveMembers().stream().noneMatch(u -> u.getId().equals(jwt.getSubject())) && !identity.getRoles().contains("admin")) {
-			throw new ForbiddenException("Requesting user is not a member of the vault");
-		}
 		return VaultDto.fromEntity(vault);
 	}
 
@@ -506,8 +504,8 @@ public Response claimOwnership(@PathParam("vaultId") UUID vaultId, @FormParam("p
 		return Response.ok(VaultDto.fromEntity(vault), MediaType.APPLICATION_JSON).build();
 	}
 
-
-	public record VaultDto(@JsonProperty("id") UUID id,
+	@JsonInclude(JsonInclude.Include.NON_NULL)
+	public record VaultDto(@JsonProperty("id") @NotNull UUID id,
 						   @JsonProperty("name") @NoHtmlOrScriptChars @NotBlank String name,
 						   @JsonProperty("description") @NoHtmlOrScriptChars String description,
 						   @JsonProperty("archived") boolean archived,

backend/src/main/java/org/cryptomator/hub/api/MemberDto.java

@@ -12,6 +12,7 @@
 import jakarta.persistence.NamedQuery;
 import jakarta.persistence.Table;
 
+import java.util.Collection;
 import java.util.List;
 import java.util.Objects;
 import java.util.stream.Stream;
@@ -41,6 +42,9 @@ public class Authority {
 	@Column(name = "name", nullable = false)
 	private String name;
 
+	@Column(name = "picture_url")
+	private String pictureUrl;
+
 	public String getId() {
 		return id;
 	}
@@ -57,6 +61,14 @@ public void setName(String name) {
 		this.name = name;
 	}
 
+	public String getPictureUrl() {
+		return pictureUrl;
+	}
+
+	public void setPictureUrl(String pictureUrl) {
+		this.pictureUrl = pictureUrl;
+	}
+
 	@Override
 	public String toString() {
 		return "Authority{" +
@@ -71,12 +83,13 @@ public boolean equals(Object o) {
 		if (o == null || getClass() != o.getClass()) return false;
 		Authority authority = (Authority) o;
 		return Objects.equals(id, authority.id)
+				&& Objects.equals(pictureUrl, authority.pictureUrl)
 				&& Objects.equals(name, authority.name);
 	}
 
 	@Override
 	public int hashCode() {
-		return Objects.hash(id, name);
+		return Objects.hash(id, name, pictureUrl);
 	}
 
 	@ApplicationScoped
@@ -87,7 +100,10 @@ public Stream<Authority> byName(String name) {
 		}
 
 		public Stream<Authority> findAllInList(List<String> ids) {
-			return find("#Authority.allInList", Parameters.with("ids", ids)).stream();
+			return Batch.of(200).run(ids, Stream.empty(), (batch, result) -> {
+				var partial = find("#Authority.allInList", Parameters.with("ids", batch));
+				return Stream.concat(result, partial.stream());
+			});
 		}
 	}
 }