fix(auth): also move the pacman build to artifacts

## Description

## Tests

.github/workflows/auth-release.yml

@@ -145,7 +145,7 @@ jobs:
         - name: Install dependencies for desktop build
           run: |
             sudo apt-get update -y
-            sudo apt-get install -y libsecret-1-dev libsodium-dev libwebkit2gtk-4.0-dev libfuse2 ninja-build libgtk-3-dev dpkg-dev pkg-config rpm patchelf libsqlite3-dev locate libayatana-appindicator3-dev libffi-dev libtiff5
+            sudo apt-get install -y libsecret-1-dev libsodium-dev libwebkit2gtk-4.0-dev libfuse2 ninja-build libgtk-3-dev dpkg-dev pkg-config rpm patchelf libsqlite3-dev locate libayatana-appindicator3-dev libffi-dev libtiff5 xz-utils libarchive-tools
             sudo updatedb --localpaths='/usr/lib/x86_64-linux-gnu'
 
         - name: Install appimagetool
@@ -157,10 +157,16 @@ jobs:
         - name: Build desktop app
           run: |
             flutter config --enable-linux-desktop
-            dart pub global activate flutter_distributor
+            # dart pub global activate flutter_distributor
+            dart pub global activate --source git https://github.com/prateekmedia/flutter_distributor --git-ref pacman --git-path packages/flutter_distributor
+            # Run below command if it is a beta or nightly
+            if [[ ${{ github.ref }} =~ beta|nightly ]]; then
+              flutter_distributor package --platform=linux --targets=pacman --skip-clean
+              mv dist/**/*-*-linux.pacman artifacts/ente-${{ github.ref_name }}-x86_64.pacman
+            fi
             flutter_distributor package --platform=linux --targets=rpm --skip-clean
-            flutter_distributor package --platform=linux --targets=appimage --skip-clean
             mv dist/**/*-*-linux.rpm artifacts/ente-${{ github.ref_name }}-x86_64.rpm
+            flutter_distributor package --platform=linux --targets=appimage --skip-clean
             mv dist/**/*-*-linux.AppImage artifacts/ente-${{ github.ref_name }}-x86_64.AppImage
 
         - name: Generate checksums

.github/workflows/web-deploy-staging.yml

@@ -1,5 +1,7 @@
 name: "Deploy staging (web)"
 
+# Builds the "staging/web" branch if it exists, "main" otherwise.
+
 on:
     schedule:
         # Run everyday at ~3:00 PM IST
@@ -18,9 +20,20 @@ jobs:
                 working-directory: web
 
         steps:
-            - name: Checkout code
+            - name: Determine branch to build
+              id: select-branch
+              working-directory: ${{ github.workspace }}
+              run: |
+                  if git ls-remote --exit-code --heads https://github.com/ente-io/ente refs/heads/staging/web; then
+                      echo "branch=staging/web" >> $GITHUB_OUTPUT
+                  else
+                      echo "branch=main" >> $GITHUB_OUTPUT
+                  fi
+
+            - name: Checkout ${{ steps.select-branch.outputs.branch }}
               uses: actions/checkout@v4
               with:
+                  ref: ${{ steps.select-branch.outputs.branch }}
                   submodules: recursive
 
             - name: Setup node and enable yarn caching

auth/docs/adding-icons.md

@@ -7,6 +7,15 @@ If you would like to add your own custom icon, please open a pull-request with
 the relevant SVG placed within `assets/custom-icons/icons` and add the
 corresponding entry within `assets/custom-icons/_data/custom-icons.json`.
 
+Please be careful to upload small and optimized icon files. If your icon file 
+is over 50KB, it is likely not optimized.
+
+Note that the correspondence between the icon and the issuer is based on the name 
+of the issuer provided by the user, excluding spaces. Only the text before the 
+first dot "." or left parentheses "(" will be used for icon matching.
+e.g. Issuer name provided: "github.com (Main account)" - Then "github" will be 
+used for matching.
+
 This JSON file contains the following attributes:
 
 | Attribute | Usecase | Required |

auth/lib/core/network.dart

@@ -1,8 +1,10 @@
 import 'dart:io';
 
 import 'package:dio/dio.dart';
+import 'package:dio/io.dart';
 import 'package:ente_auth/core/configuration.dart';
 import 'package:ente_auth/core/event_bus.dart';
+import 'package:ente_auth/core/win_http_client.dart';
 import 'package:ente_auth/events/endpoint_updated_event.dart';
 import 'package:ente_auth/utils/package_info_util.dart';
 import 'package:ente_auth/utils/platform_util.dart';
@@ -50,6 +52,19 @@ class Network {
         },
       ),
     );
+    if (Platform.isWindows) {
+      final customHttpClient = windowsHttpClient();
+      _enteDio.httpClientAdapter = IOHttpClientAdapter(
+        createHttpClient: () {
+          return customHttpClient;
+        },
+      );
+      _dio.httpClientAdapter = IOHttpClientAdapter(
+        createHttpClient: () {
+          return customHttpClient;
+        },
+      );
+    }
     _setupInterceptors(endpoint);
 
     Bus.instance.on<EndpointUpdatedEvent>().listen((event) {

auth/lib/core/win_http_client.dart

@@ -0,0 +1,71 @@
+import 'dart:convert';
+import 'dart:io';
+
+import 'package:logging/logging.dart';
+
+/*
+Reference from
+https://github.com/realm/realm-dart/blob/main/packages/realm_dart/lib/src/handles/native/default_client.dart
+https://github.com/realm/realm-dart/pull/1378
+ */
+HttpClient windowsHttpClient() {
+  final logger = Logger("WindowsHttpClient");
+  const isrgRootX1CertPEM = // The root certificate used by lets encrypt
+      '''
+subject=CN=ISRG Root X1,O=Internet Security Research Group,C=US
+issuer=CN=DST Root CA X3,O=Digital Signature Trust Co.
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----''';
+
+  if (Platform.isWindows) {
+    final context = SecurityContext(withTrustedRoots: true);
+    try {
+      logger.info('Adding certificate to trusted certificates');
+      context.setTrustedCertificatesBytes(
+        const AsciiEncoder().convert(isrgRootX1CertPEM),
+      );
+      logger.info("Certificate added to trusted certificates");
+      return HttpClient(context: context);
+    } on TlsException catch (e) {
+      logger.warning(
+        "Error adding certificate to trusted certificates: ${e.osError?.message}",
+      );
+      // certificate is already trusted. Nothing to do here
+      if (e.osError?.message.contains("CERT_ALREADY_IN_HASH_TABLE") != true) {
+        rethrow;
+      } else {
+        return HttpClient();
+      }
+    }
+  }
+  throw UnsupportedError("This platform is not supported");
+}

auth/linux/packaging/appimage/make_config.yaml

@@ -1,6 +1,8 @@
 display_name: Auth
 license: GPLv3
 
+metainfo: linux/packaging/ente_auth.appdata.xml
+
 icon: assets/icons/auth-icon.png
 
 keywords:

auth/linux/packaging/deb/make_config.yaml

@@ -10,6 +10,8 @@ license: GPLv3
 icon: assets/icons/auth-icon.png
 installed_size: 36000
 
+metainfo: linux/packaging/ente_auth.appdata.xml
+
 dependencies:
   - libwebkit2gtk-4.0-37
   - libsqlite3-0

auth/linux/packaging/ente_auth.appdata.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<component type="desktop-application">
+    <id>ente_auth</id>
+    <metadata_license>CC0-1.0</metadata_license>
+    <project_license>AGPL-3.0</project_license>
+    <name>Ente Auth</name>
+    <summary>Open source 2FA authenticator, with end-to-end encrypted backups</summary>
+    <description>
+        <p>Auth provides end-to-end encrypted cloud backups so you don't have to worry about losing your tokens. Our cryptography has been externally audited.</p>
+        <p>Auth has an app for every platform. Mobile, desktop and web. Your codes sync across all your devices, end-to-end encrypted.</p>
+        <p>Auth also comes with Offline mode, tags, icons, pins, import/export and more</p>
+    </description>
+    <launchable type="desktop-id">ente_auth.desktop</launchable>
+    <url type="homepage">https://ente.io/auth</url>
+    <screenshots>
+        <screenshot type="default">
+            <image>https://raw.githubusercontent.com/ente-io/ente/main/.github/assets/auth.png</image>
+        </screenshot>
+    </screenshots>
+    <releases>
+        <release version="3.0.12" date="2024-06-17"/>
+    </releases>
+    <provides>
+        <id>ente_auth.desktop</id>
+    </provides>
+    <content_rating type="oars-1.0" />
+    <developer id="io.github.ente-io.ente">
+        <name>Ente.io Developers</name>
+    </developer>
+    <update_contact>human@ente.io</update_contact>
+</component>

auth/linux/packaging/pacman/make_config.yaml

@@ -0,0 +1,58 @@
+display_name: Auth
+package_name: auth
+maintainer:
+  name: Ente.io Developers
+  email: human@ente.io
+licenses:
+  - GPLv3
+icon: assets/icons/auth-icon.png
+installed_size: 36000
+
+metainfo: linux/packaging/ente_auth.appdata.xml
+
+dependencies:
+  - c-ares
+  - ffmpeg
+  - gtk3
+  - http-parser
+  - libevent
+  - libvpx
+  - libxslt
+  - libxss
+  - minizip
+  - nss
+  - re2
+  - snappy
+  - libnotify
+  - libappindicator-gtk3
+
+keywords:
+  - Authentication
+  - 2FA
+
+generic_name: Ente Authentication
+
+categories:
+  - Utility
+
+supported_mime_type:
+  - x-scheme-handler/enteauth
+
+postinstall_scripts:
+  - gtk-update-icon-cache -q -t -f usr/share/icons/hicolor
+  - update-desktop-database -q
+  - if [ ! -e /usr/lib/libsodium.so.23 ]; then
+  -    ln -s /usr/lib/libsodium.so /usr/lib/libsodium.so.23
+  - fi
+
+postuninstall_scripts:
+  - post_install
+  
+postremove_scripts:
+  - gtk-update-icon-cache -q -t -f usr/share/icons/hicolor
+  - update-desktop-database -q
+  - if [ -e /usr/lib/libsodium.so.23 ]; then
+  -   rm /usr/lib/libsodium.so.23
+  - fi
+
+startup_notify: false

auth/linux/packaging/rpm/make_config.yaml

@@ -9,6 +9,8 @@ url: https://github.com/ente-io/ente
 
 display_name: Auth
 
+metainfo: linux/packaging/ente_auth.appdata.xml
+
 requires:
   - libsqlite3x
   - webkit2gtk4.0

auth/pubspec.yaml

@@ -1,6 +1,6 @@
 name: ente_auth
 description: ente two-factor authenticator
-version: 3.0.14+314
+version: 3.0.17+317
 publish_to: none
 
 environment:

server/configurations/local.yaml

@@ -317,7 +317,7 @@ internal:
 replication:
     enabled: false
     # The Cloudflare worker to use to download files from the primary hot
-    # bucket. Must be specified if replication is enabled.
+    # bucket. If this isn't specified, files will be downloaded directly.
     worker-url:
     # Number of go routines to spawn for replication
     # This is not related to the worker-url above.

server/pkg/controller/replication3.go

@@ -87,10 +87,11 @@ func (c *ReplicationController3) StartReplication() error {
 
 	workerURL := viper.GetString("replication.worker-url")
 	if workerURL == "" {
-		return fmt.Errorf("replication.worker-url was not defined")
+		log.Infof("replication.worker-url was not defined, files will downloaded directly during replication")
+	} else {
+		log.Infof("Worker URL to download objects for replication v3 is: %s", workerURL)
 	}
 	c.workerURL = workerURL
-	log.Infof("Worker URL to download objects for replication v3 is: %s", workerURL)
 
 	c.createMetrics()
 	err := c.createTemporaryStorage()
@@ -414,7 +415,7 @@ func (c *ReplicationController3) downloadFromB2ViaWorker(objectKey string, file
 	q.Add("src", presignedEncodedURL)
 	request.URL.RawQuery = q.Encode()
 
-	if c.S3Config.AreLocalBuckets() {
+	if c.S3Config.AreLocalBuckets() || c.workerURL == "" {
 		originalURL := request.URL
 		request, err = http.NewRequest("GET", presignedURL, nil)
 		if err != nil {

web/apps/accounts/src/services/passkey.ts

@@ -343,8 +343,18 @@ const authenticatorAttestationResponse = (credential: Credential) => {
  * Return `true` if the given {@link redirectURL} (obtained from the redirect
  * query parameter passed around during the passkey verification flow) is one of
  * the whitelisted URLs that we allow redirecting to on success.
+ *
+ * This check is likely not necessary but we've only kept it just to be on the
+ * safer side. However, this gets in the way of people who are self hosting
+ * Ente. So only do this check if we're running on our production servers (or
+ * localhost).
  */
 export const isWhitelistedRedirect = (redirectURL: URL) =>
+    shouldRestrictToWhitelistedRedirect()
+        ? _isWhitelistedRedirect(redirectURL)
+        : true;
+
+const _isWhitelistedRedirect = (redirectURL: URL) =>
     (isDevBuild && redirectURL.hostname.endsWith("localhost")) ||
     redirectURL.host.endsWith(".ente.io") ||
     redirectURL.host.endsWith(".ente.sh") ||
@@ -352,6 +362,16 @@ export const isWhitelistedRedirect = (redirectURL: URL) =>
     redirectURL.protocol == "enteauth:" ||
     redirectURL.protocol == "ente-cli:";
 
+export const shouldRestrictToWhitelistedRedirect = () => {
+    // host includes port, hostname is sans port
+    const hostname = new URL(window.location.origin).hostname;
+    return (
+        hostname.endsWith("localhost") ||
+        hostname.endsWith(".ente.io") ||
+        hostname.endsWith(".ente.sh")
+    );
+};
+
 export interface BeginPasskeyAuthenticationResponse {
     /**
      * An identifier for this authentication ceremony / session.