Commit Graph

638 Commits

Author SHA1 Message Date
Lucas Smith 3887aa67c8 fix: rework stripe webhooks into idempotent subscription sync (#2977)
Replace per-event webhook handlers with a single sync function that
fetches the current state from Stripe and converges the local
subscription, claim, and organisation type.

- Create organisations upfront before checkout, restricted as
  "pending payment" until the first payment syncs
- Add rate-limited subscription sync route, triggered on checkout
  success so the UI doesn't wait on webhooks
- Surface pending payment state in banner, billing table, and limits
2026-06-12 16:01:03 +10:00
David Nguyen 8c11266747 fix: correctly orphan envelopes and stripe cancel on delete (#2967) 2026-06-09 15:52:14 +10:00
Arun Kumar 184cbd6770 fix: guard missing password reset token and fix broken reset link URL (#2928) 2026-06-08 14:31:26 +10:00
David Nguyen 8448e333cf fix: update new quota and rates UX (#2954) 2026-06-08 14:14:22 +10:00
David Nguyen 4ee789ea37 fix: add multi email transport system (#2942) 2026-06-05 21:19:20 +10:00
David Nguyen ebf5b75a19 fix: add email disable flag (#2931) 2026-06-05 17:55:10 +10:00
David Nguyen 0ecde7ac1e feat: add header metadata to emails (#2927) 2026-06-04 16:48:57 +10:00
David Nguyen 240bef1a66 fix: add org insight document complete stat (#2920) 2026-06-03 16:15:59 +10:00
David Nguyen 993a494784 fix: add email reporting (#2918) 2026-06-03 16:05:39 +10:00
David Nguyen c3135a3ce7 fix: filter ccers from delete email (#2914) 2026-06-02 15:27:36 +10:00
David Nguyen d2f60b13fd fix: correctly log cc emails (#2913) 2026-06-02 15:04:02 +10:00
David Nguyen 536142be03 feat: add admin org stats (#2904) 2026-06-01 17:26:51 +10:00
David Nguyen 44c4826e92 fix: track monthly usage for unlimited quotas (#2894) 2026-05-31 13:34:10 +10:00
David Nguyen 61138cdd81 fix: add dynamic rate limits (#2892) 2026-05-31 00:34:28 +10:00
Lucas Smith 22ceff43e3 feat: admin-configurable email blocklist (#2884) 2026-05-29 01:12:55 +10:00
Lucas Smith a84da2f2c7 chore: disabled account enforcement (#2882) 2026-05-28 22:19:13 +10:00
David Nguyen d304d8720c fix: add temp email rate limit (#2879) 2026-05-28 17:09:09 +10:00
ザヘド 807d094cf2 fix: email dictated direct template signer (#2810) 2026-05-27 12:30:31 +10:00
David Nguyen fec5d55250 fix: move document complete email to a job (#2835) 2026-05-22 14:21:26 +10:00
Ephraim Duncan 2cb4cc29ea feat: allow admins to create users (#2082) 2026-05-19 20:37:03 +10:00
David Nguyen cfaad6efc9 feat: add admin org deletion (#2795) 2026-05-13 15:28:27 +10:00
Lucas Smith bc184d445f feat: support DOCX uploads via Gotenberg (#2801)
Uploaded .docx files are converted to PDF on the server using a
Gotenberg
sidecar before entering the normal envelope pipeline. The feature is
opt-in via NEXT_PRIVATE_DOCUMENT_CONVERSION_URL; when unset, only PDF
uploads are accepted.

A per-process circuit breaker opens for 30s after a conversion failure
to shed load.

Ships a dev Dockerfile that layers Microsoft Core Fonts and additional
language fonts
onto the upstream Gotenberg image for better fidelity.

Co-authored-by: Ephraim Duncan
<55143799+ephraimduncan@users.noreply.github.com>

Co-authored-by: Ephraim Duncan <55143799+ephraimduncan@users.noreply.github.com>
2026-05-13 15:06:21 +10:00
Lucas Smith 0b86ece1d5 feat: add custom branding for signing pages (#2785)
Platform-plan organisations and teams can now customise non-embed
signing pages with six brand colour tokens, a border-radius, and
a free-text custom CSS block (up to 256 KB).

- Stored on OrganisationGlobalSettings / TeamGlobalSettings;
  teams inherit from the org via brandingEnabled === null.
- CSS is sanitised on save (PostCSS) so we can inline it at SSR
  with no per-render parsing.
- Rendered via a nonce'd <style> scoped under .documenso-branded,
  using native CSS nesting so user selectors don't need scoping.
- Gated on the existing embedSigningWhiteLabel claim (or
  self-hosted) — reuses the embed white-label decision.
2026-05-11 13:03:02 +10:00
David Nguyen 8671f269e8 fix: lint project (#2693) 2026-05-08 16:04:22 +10:00
Ephraim Duncan 8c0e029b1b feat: add pending signed PDF downloads (#2730) 2026-05-05 17:25:24 +10:00
David Nguyen f10d3284ba feat: remove default personal orgs from custom sso (#2741) 2026-05-05 14:50:07 +10:00
Lucas Smith aebb5e2067 fix: assistant signing auth (#2753) 2026-05-01 15:51:58 +10:00
Catalin Pit ae497092d7 fix: security improvements (#2593) 2026-04-30 14:43:20 +10:00
David Nguyen 2c7a1be051 feat: add envelope ids to certs (#2733) 2026-04-28 14:54:47 +10:00
Lucas Smith 19c2f7b4a1 docs: add signing reminders guide (#2716) 2026-04-27 10:51:14 +10:00
Lucas Smith dc575f5c80 fix: don't block organisation member removal on billing checks (#2706) 2026-04-22 21:59:22 +10:00
Ephraim Duncan e5da5bca38 fix: unwrap webhook payload before test and resend (#2710) 2026-04-22 15:42:16 +10:00
Lucas Smith f54a8ed72f feat: add turnstile captcha to auth flow (#2703) 2026-04-16 14:29:07 +10:00
Ephraim Duncan 4935f387bf feat: signing reminders (#1749) 2026-04-14 21:01:53 +10:00
David Nguyen 14b0b4805d feat: auto insert email and date fields (#2639) 2026-04-08 15:35:08 +10:00
Lucas Smith 0b9a23c550 fix: handle malformed pdf cropbox/mediabox entries (#2668)
Some PDFs have CropBox or MediaBox entries stored as a PDFDict
instead of the expected PDFArray, causing pdf-lib to throw during
lookup.

Wrap both box lookups in try-catch and fall back to A4 dimensions
when neither can be parsed
2026-04-02 18:58:13 +11:00
David Nguyen e3b7a9e7cb feat: add ability to save documents as template (#2661) 2026-04-01 16:03:26 +11:00
jpsimonsen 1c82595c12 feat: webhook allow private hosts (#2654) 2026-04-01 15:22:07 +11:00
Catalin Pit 5be71cca21 feat: add option to disable Document created from template (#2609) 2026-03-23 15:11:42 +11:00
David Nguyen 48fb066b9a feat: allow editing pending envelope titles (#2604) 2026-03-19 14:03:30 +11:00
David Nguyen 0b605d61c6 feat: add envelope pdf replacement (#2602) 2026-03-18 22:53:28 +11:00
Catalin Pit 455fef70bd fix: folder view all page nested navigation and search filtering (#2450)
Add parentId query param support to documents/templates folder index
pages so View All correctly shows subfolders. Fix search not filtering
unpinned folders on documents page and broken mt- Tailwind class on
templates page.
2026-03-17 12:02:32 +02:00
Ephraim Duncan 36bbd97514 feat: add organisation template type (#2611) 2026-03-17 01:29:34 +11:00
Ephraim Duncan 943a0b50e3 perf: parallelize async operations in duplicateEnvelope (#2619) 2026-03-16 02:34:08 +00:00
Ephraim Duncan ac09a48eaa perf: parallelize independent async operations in createEnvelope (#2618) 2026-03-16 11:13:36 +11:00
Ephraim Duncan 70fb834a6a feat: add more webhook events (#2125) 2026-03-15 19:47:52 +11:00
Lucas Smith 6b1b1d0417 fix: improve webhook execution (#2608)
Webhook URLs were being fetched without validating whether they
resolved to private/loopback addresses, exposing the server to SSRF.

Current SSRF is best effort and fail open, you should never host
services that
you cant risk exposure of.

This extracts webhook execution into a shared module that validates
URLs against private IP ranges (including DNS resolution), enforces
timeouts, and disables redirect following. The resend route now
queues through the job system instead of calling fetch inline.
2026-03-13 15:02:09 +11:00
Lucas Smith 9f680c7a61 perf: set global prisma transaction timeouts and reduce transaction scope (#2607)
Configure default transaction options (5s maxWait, 10s timeout) on the
PrismaClient instead of per-transaction overrides. Move side effects
like email sending, webhook triggers, and job dispatches out of
$transaction blocks to avoid holding database connections open during
network I/O.

Also extracts the direct template email into a background job and fixes
a bug where prisma was used instead of tx inside a transaction.
2026-03-13 14:51:53 +11:00
VIVEK TIWARI a5fd814fbc fix: handle invalid qr share tokens without 500 (#2597) 2026-03-12 13:46:17 +11:00
Lucas Smith 03ca3971a0 perf: upgrade @libpdf/core to 0.3.3 and deduplicate font registration (#2598)
Upgrade @libpdf/core from 0.2.12 to 0.3.3, which includes:
- WebCrypto SHA-256 replacing pure-JS @noble/hashes (10x signing
speedup)
- Iterative collectReachableRefs (fixes stack overflow on large PDFs)
- Iterative Math.max helpers in xref writer (fixes remaining stack
overflow)

Extract duplicated FontLibrary.use() calls from render-certificate,
render-audit-logs, and insert-field-in-pdf-v2 into a shared
ensureFontLibrary() helper with has() guards so fonts are only
registered once per process.
2026-03-11 20:23:18 +11:00