Why:
* In previous commits, the portal code had been updated to use hard
deletion rather than soft deletion of data. The fields used in the soft
deletion were still kept in the DB and the code to allow for zero
downtime rollout and an easy rollback if necessary. To continue with
that work the portal code has now been updated to remove any reference
to the soft deleted fields (e.g. deleted_at, persistent_id, etc...).
While the code has been updated the actual data in the DB will need to
remain for now, to once again allow for a zero downtime rollout. Once
this commit has been deployed to production another PR can follow to
remove the columns from the necessary tables in the DB.
Related: #8187
When Okta returned a 4xx status code from the API, we had updated error
handler to grab the errors from body or headers and return these.
However, the caller was expecting an explicit empty string for 401 and
403 errors in order to trigger the email send behavior.
Since that wasn't being matched, we were logging the error internally
only, and continuing to retry the sync indefinitely without sending the
user an email.
Fixes#8744Fixes#9825
Fixes an issue introduced in #10510 where Web functions (like
VerifiedRoutes) cannot be called from Domain because they are not
available in the release.
This happens to work in dev mode because everything is available under
the same dev context.
Since Elixir 1.18, json encoding and decoding support is included in the
standard library. This is built on OTP's native json support which is
often faster than other implementations.
It mostly has the same API as the popular Jason library, differing
mainly in the format of the error responses returned when decoding
fails.
To minimize dependence on external libraries, we remove the Jason lib in
favor of this external dependency.
Fixes#8011
This doesn't appear to be used anywhere and eliminates one compile
warning due to the seemingly unmaintained
[sizeable](https://github.com/arvidkahl/sizeable) dep.
Bumps Phoenix to 1.8 and Phoenix LiveView to 1.1. As part of the bump a
number of issues had to be addressed. Comments inline provide more
context.
Supersedes #10475
Supersedes #10448
Bumps
[@fontsource-variable/source-sans-3](https://github.com/fontsource/font-files/tree/HEAD/fonts/variable/source-sans-3)
from 5.2.8 to 5.2.9.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/fontsource/font-files/commits/HEAD/fonts/variable/source-sans-3">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [sentry](https://github.com/getsentry/sentry-elixir) from 11.0.2
to 11.0.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/getsentry/sentry-elixir/releases">sentry's
releases</a>.</em></p>
<blockquote>
<h2>11.0.3</h2>
<h4>Various improvements</h4>
<ul>
<li>Allow any version of opentelemetry deps and verify minimum versions
internally - this makes it possible to use <code>sentry</code> <em>with
tracing disabled</em> along with older versions of opentelemetry deps
(<a
href="https://redirect.github.com/getsentry/sentry-elixir/pull/931">#931</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/getsentry/sentry-elixir/blob/master/CHANGELOG.md">sentry's
changelog</a>.</em></p>
<blockquote>
<h2>11.0.3</h2>
<h4>Various improvements</h4>
<ul>
<li>Allow any version of opentelemetry deps and verify minimum versions
internally - this makes it possible to use <code>sentry</code> <em>with
tracing disabled</em> along with older versions of opentelemetry deps
(<a
href="https://redirect.github.com/getsentry/sentry-elixir/pull/931">#931</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="14b95fd900"><code>14b95fd</code></a>
release: 11.0.3</li>
<li><a
href="0f1c3dd957"><code>0f1c3dd</code></a>
Update CHANGELOG.md for 11.0.3 (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/935">#935</a>)</li>
<li><a
href="913ecff4b4"><code>913ecff</code></a>
Relax version reqs on opentelemetry deps (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/931">#931</a>)</li>
<li><a
href="f83b5080ae"><code>f83b508</code></a>
Merge branch 'release/11.0.2'</li>
<li>See full diff in <a
href="https://github.com/getsentry/sentry-elixir/compare/11.0.2...11.0.3">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Clients more than one minor away from a particular won't be able to
connect, so it would be useful to help admins recognize when this might
be the case and encourage them to upgrade.
We accomplish that with two small UX improvements in this PR:
- In the outdated gateways email, we show them a count of clients that
will no longer be able to connect to the new gateway version, linking
them to a sorted view of the clients table
- In the clients table, we add a new sortable `version` column to allow
admins to see which clients are outdated
Fixes#7727Fixes#10385
---------
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
In Firezone, a Client requests an "access authorization" for a Resource
on the fly when it sees the first packet for said Resource going through
the tunnel. If we don't have a connection to the Gateway yet, this is
also where we will establish a connection and create the WireGuard
tunnel.
In order for this to work, the access authorization state between the
Client and the Gateway MUST NOT get out of sync. If the Client thinks it
has access to a Resource, it will just route the traffic to the Gateway.
If the access authorization on the Gateway has expired or vanished
otherwise, the packets will be black-holed.
Starting with #9816, the Gateway sends ICMP errors back to the
application whenever it filters a packet. This can happen either because
the access authorization is gone or because the traffic wasn't allowed
by the specific filter rules on the Resource.
With this patch, the Client will attempt to create a new flow (i.e.
re-authorize) traffic for this resource whenever it sees such an ICMP
error, therefore acting as a way of synchronizing the view of the world
between Client and Gateway should they ever run out of sync.
Testing turned out to be a bit tricky. If we let the authorization on
the Gateway lapse naturally, we portal will also toggle the Resource off
and on on the Client, resulting in "flushing" the current
authorizations. Additionally, it the Client had only access to one
Resource, then the Gateway will gracefully close the connection, also
resulting in the Client creating a new flow for the next packet.
To actually trigger this new behaviour we need to:
- Access at least two resources via the same Gateway
- Directly send `reject_access` to the Gateway for this particular
resource
To achieve this, we dynamically eval some code on the API node and
instruct the Gateway channel to send `reject_access`. The connection
stays intact because there is still another active access authorization
but packets for the other resource are answered with ICMP errors.
To achieve a safe roll-out, the new behaviour is feature-flagged. In
order to still test it, we now also allow feature flags to be set via
env variables.
Resolves: #10074
---------
Co-authored-by: Mariusz Klochowicz <mariusz@klochowicz.com>
Bumps [dialyxir](https://github.com/jeremyjh/dialyxir) from 1.4.5 to
1.4.6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jeremyjh/dialyxir/releases">dialyxir's
releases</a>.</em></p>
<blockquote>
<h2>1.4.6</h2>
<h3>Fixed</h3>
<ul>
<li><code>CallWithoutOpaque</code> function clause error on OTP-28</li>
<li><code>invalid_contract</code> warning showed spec twice instead of
success typing</li>
</ul>
<h3>Changed</h3>
<ul>
<li>Update <code>ex_doc</code> to the latest version for an improved
UI</li>
</ul>
<h3>Docs</h3>
<ul>
<li>Add a note about the <code>:unknown</code> flag to the "Default
Flags" section in the README</li>
<li>Fix dead hex doc links by including CI config docs in
<code>mix.exs</code>'s <code>:docs</code></li>
<li>Fix a typo in the README</li>
</ul>
<h3>CI</h3>
<ul>
<li>Update the Ubuntu version used in CI to 24.04</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jeremyjh/dialyxir/blob/master/CHANGELOG.md">dialyxir's
changelog</a>.</em></p>
<blockquote>
<h2>Unreleased changes post [1.4.6]</h2>
<h2>[1.4.6] - 2025-08-09</h2>
<h3>Fixed</h3>
<ul>
<li><code>CallWithoutOpaque</code> function clause error on OTP-28</li>
<li><code>invalid_contract</code> warning showed spec twice instead of
success typing</li>
</ul>
<h3>Changed</h3>
<ul>
<li>Update <code>ex_doc</code> to the latest version for an improved
UI</li>
</ul>
<h3>Docs</h3>
<ul>
<li>Add a note about the <code>:unknown</code> flag to the "Default
Flags" section in the README</li>
<li>Fix dead hex doc links by including CI config docs in
<code>mix.exs</code>'s <code>:docs</code></li>
<li>Fix a typo in the README</li>
</ul>
<h3>CI</h3>
<ul>
<li>Update the Ubuntu version used in CI to 24.04</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="a0e4cf90f4"><code>a0e4cf9</code></a>
Bump version to 1.4.6</li>
<li><a
href="51266a5a4d"><code>51266a5</code></a>
Merge pull request <a
href="https://redirect.github.com/jeremyjh/dialyxir/issues/569">#569</a>
from dvic/fix/call-without-opaque-otp28-issue-561</li>
<li><a
href="c564806f70"><code>c564806</code></a>
Merge branch 'master' into fix/call-without-opaque-otp28-issue-561</li>
<li><a
href="bf06a92928"><code>bf06a92</code></a>
Merge pull request <a
href="https://redirect.github.com/jeremyjh/dialyxir/issues/570">#570</a>
from pwcsquared/ci-fix-ubuntu-ver</li>
<li><a
href="d3776d2f78"><code>d3776d2</code></a>
Update ubuntu version used in CI to 24.04 (currently supported)</li>
<li><a
href="431f6c922c"><code>431f6c9</code></a>
Merge branch 'master' into fix/call-without-opaque-otp28-issue-561</li>
<li><a
href="c5da65f9b7"><code>c5da65f</code></a>
Merge pull request <a
href="https://redirect.github.com/jeremyjh/dialyxir/issues/564">#564</a>
from camatcode/master</li>
<li><a
href="684f1bbeba"><code>684f1bb</code></a>
Refactor OTP-28 clause to delegate to existing implementation</li>
<li><a
href="bea2032e4b"><code>bea2032</code></a>
Fix CallWithoutOpaque function clause error on OTP-28</li>
<li><a
href="73529050d3"><code>7352905</code></a>
Docs: Fix dead hex doc links by including CI config docs in mix.exs
'docs'</li>
<li>Additional commits viewable in <a
href="https://github.com/jeremyjh/dialyxir/compare/1.4.5...1.4.6">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
In order to allow the portal to more easily classify, what kind of
component is connecting, we extend the `get_user_agent` header to
include a component type instead of the generic `connlib/`.
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Bumps [ex_cldr](https://github.com/elixir-cldr/cldr) from 2.42.0 to
2.43.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/elixir-cldr/cldr/releases">ex_cldr's
releases</a>.</em></p>
<blockquote>
<h2>Cldr version 2.43.0</h2>
<h3>Deprecations</h3>
<ul>
<li>
<p>Deprecate <code>Cldr.Timezone.fetch/1</code> in favor of
<code>Cldr.Timezone.fetch_short_zone/1</code></p>
</li>
<li>
<p>Deprecate <code>Cldr.Timezone.get/1</code> in favor of
<code>Cldr.Timezone.get_short_zone/1</code></p>
</li>
<li>
<p>Deprecate <code>Cldr.Timezone.timezones_for_territory/0</code> in
favor of <code>Cldr.Timezone.timezones_by_territory/0</code></p>
</li>
<li>
<p>Deprecate <code>Cldr.Timezone.validate_timezone/1</code> in favor of
<code>Cldr.Timezone.validate_short_zone/1</code></p>
</li>
</ul>
<h3>Enhancements</h3>
<ul>
<li>
<p>Adds metazone, metazone mapping and primary zone data to the build
process. This data supports timezone name localisation for a future
release of <a
href="https://github.com/elixir-cldr/cldr_dates_times">ex_cldr_dates_times</a>.
See the <a
href="https://github.com/orgs/elixir-cldr/discussions/258">github
discussion</a> for more background.</p>
<ul>
<li>Adds <code>Cldr.Config.metazones/0</code></li>
<li>Adds <code>Cldr.Config.metazone_mapping/0</code></li>
<li>Adds <code>Cldr.Config.metazone_ids/0</code></li>
<li>Adds <code>Cldr.Config.primary_zones/0</code></li>
</ul>
</li>
<li>
<p>Adds <code>Cldr.Timezone.canonical_timezones/0</code> to return the
mapping of IANA long timezone names to their canonical equivalent.</p>
</li>
<li>
<p>Adds <code>Cldr.Timezone.canonical_timezone/1</code> to return the
canonical timezone name for a given IANA long timezone name, or
<code>{:error, "Etc/Unknown"}</code>.</p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/elixir-cldr/cldr/blob/main/CHANGELOG.md">ex_cldr's
changelog</a>.</em></p>
<blockquote>
<h2>Cldr v2.43.0</h2>
<p>This is the changelog for Cldr v2.43.0 released on August 25th, 2025.
For older changelogs please consult the release tag on <a
href="https://github.com/elixir-cldr/cldr/tags">GitHub</a></p>
<h3>Deprecations</h3>
<ul>
<li>
<p>Deprecate <code>Cldr.Timezone.fetch/1</code> in favor of
<code>Cldr.Timezone.fetch_short_zone/1</code></p>
</li>
<li>
<p>Deprecate <code>Cldr.Timezone.get/1</code> in favor of
<code>Cldr.Timezone.get_short_zone/1</code></p>
</li>
<li>
<p>Deprecate <code>Cldr.Timezone.timezones_for_territory/0</code> in
favor of <code>Cldr.Timezone.timezones_by_territory/0</code></p>
</li>
<li>
<p>Deprecate <code>Cldr.Timezone.validate_timezone/1</code> in favor of
<code>Cldr.Timezone.validate_short_zone/1</code></p>
</li>
</ul>
<h3>Enhancements</h3>
<ul>
<li>
<p>Adds metazone, metazone mapping and primary zone data to the build
process. This data supports timezone name localisation for a future
release of <a
href="https://github.com/elixir-cldr/cldr_dates_times">ex_cldr_dates_times</a>.
See the <a
href="https://github.com/orgs/elixir-cldr/discussions/258">github
discussion</a> for more background.</p>
<ul>
<li>Adds <code>Cldr.Config.metazones/0</code></li>
<li>Adds <code>Cldr.Config.metazone_mapping/0</code></li>
<li>Adds <code>Cldr.Config.metazone_ids/0</code></li>
<li>Adds <code>Cldr.Config.primary_zones/0</code></li>
</ul>
</li>
<li>
<p>Adds <code>Cldr.Timezone.canonical_timezones/0</code> to return the
mapping of IANA long timezone names to their canonical equivalent.</p>
</li>
<li>
<p>Adds <code>Cldr.Timezone.canonical_timezone/1</code> to return the
canonical timezone name for a given IANA long timezone name, or
<code>{:error, "Etc/Unknown"}</code>.</p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="581e9b857c"><code>581e9b8</code></a>
Release 2.43.0</li>
<li><a
href="f2e04f3970"><code>f2e04f3</code></a>
Fix timezone.ex</li>
<li><a
href="9363c12bf7"><code>9363c12</code></a>
Correct timezone generation</li>
<li><a
href="5ccb26f955"><code>5ccb26f</code></a>
No territory for utc, gmt, utc.. timezones</li>
<li><a
href="f2bcabf3a4"><code>f2bcabf</code></a>
Add additional substitution pattern</li>
<li><a
href="4d12a2b828"><code>4d12a2b</code></a>
Rename :daylight_savings to :daylight on loading (for now)</li>
<li><a
href="63a0fd7032"><code>63a0fd7</code></a>
daylight_savings => daylight to be consistent</li>
<li><a
href="24312eb7b7"><code>24312eb</code></a>
Mix format</li>
<li><a
href="c376bd3809"><code>c376bd3</code></a>
Add Cldr.Timezone.territories_by_timezone/0</li>
<li><a
href="3df5cdad9b"><code>3df5cda</code></a>
Invert the primary_zones map</li>
<li>Additional commits viewable in <a
href="https://github.com/elixir-cldr/cldr/compare/v2.42.0...v2.43.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [oban](https://github.com/oban-bg/oban) from 2.19.4 to 2.20.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/oban-bg/oban/releases">oban's
releases</a>.</em></p>
<blockquote>
<h2>v2.20.0</h2>
<p>This release brings a fantastic new helper function, an optional
migration to aid pruning, some stability improvements, and a bevy of
documentation updates.</p>
<h2>🦋 Update Job</h2>
<p>This introduces the <code>Oban.update_job/2,3</code> function to
simplify updating existing jobs while ensuring data consistency and
safety. Previously, updating jobs required manually constructing change
operations or complex queries that could lead to race conditions or
invalid state changes.</p>
<p>Only a curated subset of job fields, e.g. <code>:args</code>,
<code>:max_attempts</code>, <code>:meta</code>, etc. may be updated and
they use the same validation rules as insertion to prevent invalid data.
Updates are also wrapped in a transaction with locking clauses to
prevent concurrent modifications.</p>
<p>The function supports direct map changes:</p>
<pre lang="elixir"><code>Oban.update_job(job, %{priority: 0, tags:
["urgent"]})
</code></pre>
<p>It also has a convenient function-based mode for dynamic changes:</p>
<pre lang="elixir"><code>Oban.update_job(job, fn job ->
%{meta: Map.put(job.meta, "processed_by", current_node())}
end)
</code></pre>
<h2>❄️ Unique State Groups</h2>
<p>There are now named unique state groups to replace custom state lists
for unique jobs, promoting better uniqueness design and reducing
configuration errors.</p>
<p>Previously, developers had to manually specify lists of job states
for uniqueness, which was error-prone and could lead to subtle bugs when
states were omitted or incorrectly combined. The new predefined groups
ensure correctness and consistency across applications.</p>
<p>The new state groups are:</p>
<ul>
<li><strong><code>:all</code></strong> - All job states</li>
<li><strong><code>:incomplete</code></strong> - Jobs that haven't
finished (<code>~w(available scheduled executing
retryable)a</code>)</li>
<li><strong><code>:scheduled</code></strong> - Only scheduled jobs
(<code>[:scheduled]</code>)</li>
<li><strong><code>:successful</code></strong> - Jobs that completed
successfully (<code>~w(available scheduled executing retryable
completed)a</code>)</li>
</ul>
<p>These groups eliminate the risk of accidentally creating incomplete
or incorrect state lists that could allow duplicate jobs to be created
when they shouldn't be, or prevent valid job creation when duplicates
should be allowed.</p>
<h2>🪺 Nested Plugin Supervision</h2>
<p>Plugins and the internal Stager are now nested within a secondary
supervision tree to improve system resilience and stability.</p>
<p>Previously, plugins were supervised directly under the main Oban
supervisor alongside core process. This meant that plugin failures could
potentially impact the entire Oban system, and frequent plugin restarts
could trigger cascading failures in the primary supervision tree.</p>
<p>The new supervisor has more lenient restart limits to allow for more
plugin restart attempts before giving up. This change makes Oban more
robust in production environments where plugins may experience transient
failures due to database or connectivity issues.</p>
<h2>v2.20.0 — 2025-08-13</h2>
<h3>Enhancements</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/oban-bg/oban/blob/main/CHANGELOG.md">oban's
changelog</a>.</em></p>
<blockquote>
<h2>v2.20.1 — 2025-08-15</h2>
<h3>Bug Fixes</h3>
<ul>
<li>
<p>[Worker] Handle missing fields in unique Worker validation.</p>
<p>Workers that specified <code>keys</code> without <code>fields</code>
would fail validation at compile time. Now
default values are considered for <code>use Oban.Worker</code> as well
as <code>Job.new/2</code>.</p>
</li>
</ul>
<h2>v2.20.0 — 2025-08-13</h2>
<h3>Enhancements</h3>
<ul>
<li>
<p><code>Migration</code> Add V13 migration for indexing cancelled and
discarded states.</p>
<p>A new V13 migration adds compound indexes to significantly improve
<code>Oban.Plugins.Pruner</code>
performance when cleaning up <code>discarded</code> and
<code>cancelled</code> jobs. This is especially beneficial for
applications that process large volumes of jobs and retain them for
extended periods.</p>
</li>
<li>
<p><code>Repo</code> Expose dynamic repo switching as
<code>with_dynamic_repo/2</code></p>
<p>The function was previously internal, which made impossible to use in
external modules or extend
upon. Now custom plugins and extensions can use
<code>Repo.with_dynamic_repo/2</code> to use the configured
dynamic repo options.</p>
</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li>
<p>[Oban] Allow <code>insert_all/1,3</code> via Oban facade</p>
<p>The <code>insert_all/1</code> and <code>insert_all/3</code> function
variants were missing from the generated Oban
facade functions when using a named instance.</p>
</li>
<li>
<p>[Testing] Generate correct <code>perform_job/1,2,3</code>
clauses.</p>
<p>The <code>perform_job/2,3</code> clauses generated by <code>use
Oban.Testing</code> didn't handle the <code>perform_job/2</code>
variant designed to run jobs created with <code>build_job/3</code>. This
caused test failures when trying
to execute jobs built using the <code>build_job/3</code> helper
function.</p>
<p>The fix generates the missing <code>perform_job/2</code> clause along
with a convenient <code>perform_job/1</code>
variant, ensuring all testing scenarios work seamlessly regardless of
how jobs are constructed.</p>
</li>
<li>
<p>[Testing] Restrict inline execution to <code>available</code> and
<code>scheduled</code> states.</p>
<p>Jobs in the <code>completed</code> state or other non-runnable states
were incorrectly attempted by the
inline engine, potentially causing errors or unexpected behavior during
testing.</p>
</li>
<li>
<p>[Worker] Disallow <code>:keys</code> when <code>:fields</code>
doesn't contain <code>:args</code> or <code>:meta</code></p>
<p>Unique job configurations using <code>:keys</code> were allowed even
when <code>:fields</code> didn't include <code>:args</code>
or <code>:meta</code>, which would result in runtime errors since keys
can only extract values from these</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d177b524ad"><code>d177b52</code></a>
Release v2.20.1</li>
<li><a
href="74756b3269"><code>74756b3</code></a>
Handle missing fields in Worker unique</li>
<li><a
href="65016963a8"><code>6501696</code></a>
Release v2.20.0</li>
<li><a
href="baec2df2ef"><code>baec2df</code></a>
Bump actions/checkout from 4 to 5 (<a
href="https://redirect.github.com/oban-bg/oban/issues/1331">#1331</a>)</li>
<li><a
href="215981e3bb"><code>215981e</code></a>
Restrict inline execution to available/scheduled</li>
<li><a
href="f2c26cc147"><code>f2c26cc</code></a>
Remove commented out dead code from installer</li>
<li><a
href="d07f740f29"><code>d07f740</code></a>
Bump the production-dependencies group with 2 updates (<a
href="https://redirect.github.com/oban-bg/oban/issues/1328">#1328</a>)</li>
<li><a
href="0d462e9d51"><code>0d462e9</code></a>
Fix duplicate word typo (<a
href="https://redirect.github.com/oban-bg/oban/issues/1327">#1327</a>)</li>
<li><a
href="d1124e68df"><code>d1124e6</code></a>
Bump the production-dependencies group with 2 updates (<a
href="https://redirect.github.com/oban-bg/oban/issues/1325">#1325</a>)</li>
<li><a
href="902d8c9b97"><code>902d8c9</code></a>
Nest plugins within a secondary supervision tree</li>
<li>Additional commits viewable in <a
href="https://github.com/oban-bg/oban/compare/v2.19.4...v2.20.1">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
When redirecting to paths that don't have LiveViews attached to them,
LiveView complains and emits a warning. To reduce alarm noise this PR
attempts to fix the issue.
- recreates the flows actor_group_membership index that didn't get
created due to name collision with an existing index
- adds missing resource_id, actor_group_id indexes on policies
- removes redundant `resource_id` index on resource_connections since
there's a composite index that matches already
Related: #10396
Why:
* Now that hard-delete has been rolled out, we need to make sure that
all cascade deletes are efficient. Some of the foreign key references
didn't have indexes but needed them.
Fixes#10393
In order to support the new, upcoming directory sync implementations, we
need the ability to batch upsert auth_identities, actors, actor_groups,
and actor_group_memberships. We also need the ability to delete entities
that were not upserted at the tail end of a sync job iteration in order
to remove entities that are no longer in the directory.
To support this, we add these functions and related tests here.
Related: #6294
---------
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Why:
* During the refactor to move to hard delete data in the portal there
were a couple places of inconsistency in the directory sync job where
deletion was concerned.
In preparation for transitioning from the portal from soft-delete to
hard-delete some updates to the foreign key constraints were required.
Most of these updates are adding `ON DELETE CASCADE` constraints and
relevant indexes. These new constraints should have no effect on the
current portal code as soft-deletes are still being used.
One other update in this PR is changing the FK constraint names on the
clients table. The names were `devices_*` due to the table originally
being called `devices`. This PR updates them to `clients_*`.
Related: #8187
This adds the option to do socket based postgres connection to the
replication connections. Basically just a copy of the existing config
for the base postgres connection.
---------
Co-authored-by: PatrickDaG <patrickdag@failmail.dev>
When filters are updated for a Resource, we need to first adapt the
resource before rendering it down to the Gateway. Otherwise, the gateway
may see a Resource that does not match its expected schema.
Napkin math shows that we can save substantial memory (~3x or more) on
the API nodes as connected clients/gateways grow if we just store the
fields we need in order to keep the client and gateway state maintained
in the channel pids.
To facilitate this, we create new `Cacheable` structs that represent
their `Domain` cousins, which use byte arrays for `id`s and strip out
unused fields.
Additionally, all business logic involved with maintaining these caches
is now contained within two modules: `Domain.Cache.Client` and
`Domain.Cache.Gateway`, and type specs have been added to aid in static
analysis and code documentation.
Comprehensive testing is now added not only for the cache modules, but
for their associated channel modules as well to ensure we handle
different kinds of edge cases gracefully.
The `Events` nomenclature was renamed to `Changes` to better name what
we are doing: Change-Data-Capture.
Lastly, the following related changes are included in this PR since they
were "in the way" so to speak of getting this done:
- We save the last received LSN in each channel and drop the `change`
with a warning if we receive it twice in a row, or we receive it out of
order
- The client/gateway version compatibility calculations have been moved
to `Domain.Resources` and `Domain.Gateways` and have been simplified to
make them easier to understand and maintain going forward.
Related: #10174Fixes: #9392Fixes: #9965Fixes: #9501Fixes: #10227
---------
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Docker for Mac finally supports IPv6 in general availability. It's time
to add IPv6 to our suite of integration tests.
The thinking behind this PR is try and not slow down CI much, if at all,
by testing IPv6 side-by-side with the existing IPv4 tests.
More comprehensive testing is being developed in #10131 that will test
things like IPv4-in-6 relaying, client / gateway IP stack mismatches,
and so forth.
On the `change_logs` table, we want to minimize write overhead as much
as possible. One major way to do this is the minimize the number of
indexes maintained.
Because `lsn` is guaranteed to be unique, we can use it as the primary,
saving us an index (and column).
**NOTE**: This migration will need to acquire a lock on the table, so
it's added as a manual migration to execute out of band. Since we don't
read ChangeLogs anywhere, it should be fine for the app servers to come
up without this migration applied.
Why:
* There were intermittent issues with accounts updates from Stripe
events. Specifically, when an account would update it's subscription
from Starter to Team. The reason was due to the fact that Stripe does
not guarantee order of delivery for it's webhook events. At times we
were seeing and responding to an event that was a few seconds old after
processing a newer event. This would have the effect of quickly
transitioning an account from Team back to Starter. This commit
refactors our event handler and adds a `processed_stripe_events` DB
table to make sure we don't process duplicate events as well as prevent
processing an event that was created prior to the last event we've
processed for a given account.
* Along with refactoring the billing event handling, the Stripe mock
module has also been refactored to better reflect real Stripe objects.
Related: #8668
Bumps [hackney](https://github.com/benoitc/hackney) from 1.24.1 to
1.25.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/benoitc/hackney/releases">hackney's
releases</a>.</em></p>
<blockquote>
<h2>1.25.0 - 2025-07-24</h2>
<p><strong>IMPORTANT CHANGE</strong></p>
<ul>
<li>
<p>change: <code>insecure_basic_auth</code> now defaults to
<code>true</code> instead of <code>false</code></p>
<p>This restores backward compatibility with pre-1.24.0 behavior where
basic auth
was allowed over HTTP connections. If you need strict HTTPS-only basic
auth:</p>
<ul>
<li>Set globally: <code>application:set_env(hackney,
insecure_basic_auth, false)</code></li>
<li>Or per-request: <code>{insecure_basic_auth, false}</code> in
options</li>
</ul>
</li>
</ul>
<p>Hex.pm : <a
href="https://hex.pm/packages/hackney/1.25.0">https://hex.pm/packages/hackney/1.25.0</a>
Doc: <a
href="https://hexdocs.pm/hackney/readme.html">https://hexdocs.pm/hackney/readme.html</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/benoitc/hackney/blob/master/NEWS.md">hackney's
changelog</a>.</em></p>
<blockquote>
<h2>1.25.0 - 2025-07-24</h2>
<p>** IMPORTANT CHANGE **</p>
<ul>
<li>
<p>change: <code>insecure_basic_auth</code> now defaults to
<code>true</code> instead of <code>false</code></p>
<p>This restores backward compatibility with pre-1.24.0 behavior where
basic auth
was allowed over HTTP connections. If you need strict HTTPS-only basic
auth:</p>
<ul>
<li>Set globally: <code>application:set_env(hackney,
insecure_basic_auth, false)</code></li>
<li>Or per-request: <code>{insecure_basic_auth, false}</code> in
options</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="8c00789e41"><code>8c00789</code></a>
Merge pull request <a
href="https://redirect.github.com/benoitc/hackney/issues/778">#778</a>
from benoitc/insecure-basic-auth-default-true</li>
<li><a
href="a1d4108541"><code>a1d4108</code></a>
change insecure_basic_auth default to true</li>
<li><a
href="e2bbdf741e"><code>e2bbdf7</code></a>
bump unicode compat lib</li>
<li><a
href="3b901a6cf8"><code>3b901a6</code></a>
update readme</li>
<li>See full diff in <a
href="https://github.com/benoitc/hackney/compare/1.24.1...1.25.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [logger_json](https://github.com/Nebo15/logger_json) from 7.0.3 to
7.0.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/Nebo15/logger_json/releases">logger_json's
releases</a>.</em></p>
<blockquote>
<h2>7.0.4</h2>
<h2>What's Changed</h2>
<ul>
<li>Add indentation to the code snippet for docs by <a
href="https://github.com/RudolfMan"><code>@RudolfMan</code></a> in <a
href="https://redirect.github.com/Nebo15/logger_json/pull/160">Nebo15/logger_json#160</a></li>
<li>Google Cloud: Handle non-binary values in
<code>format_affected_user/1</code> by <a
href="https://github.com/raulpe7eira"><code>@raulpe7eira</code></a> in
<a
href="https://redirect.github.com/Nebo15/logger_json/pull/161">Nebo15/logger_json#161</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Nebo15/logger_json/compare/7.0.3...7.0.4">https://github.com/Nebo15/logger_json/compare/7.0.3...7.0.4</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="1524672b6c"><code>1524672</code></a>
Bump version</li>
<li><a
href="88a149b0ac"><code>88a149b</code></a>
fix(google-cloud): <code>format_affected_user/1</code> with non-binary
values (<a
href="https://redirect.github.com/Nebo15/logger_json/issues/161">#161</a>)</li>
<li><a
href="6e7768060e"><code>6e77680</code></a>
Add indentation to the code snippet for docs (<a
href="https://redirect.github.com/Nebo15/logger_json/issues/160">#160</a>)</li>
<li>See full diff in <a
href="https://github.com/Nebo15/logger_json/compare/7.0.3...7.0.4">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [postgrex](https://github.com/elixir-ecto/postgrex) from 0.20.0 to
0.21.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/elixir-ecto/postgrex/blob/master/CHANGELOG.md">postgrex's
changelog</a>.</em></p>
<blockquote>
<h2>v0.21.0 (2025-07-31)</h2>
<p>This release requires Erlang/OTP 25+</p>
<ul>
<li>
<p>Enhancements</p>
<ul>
<li>Add query timeout option on ReplicationConnection</li>
</ul>
</li>
<li>
<p>Bug fixes</p>
<ul>
<li>PGHOST option does not override explicitly given endpoint
configuration</li>
<li>Add ltxtquery support</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/elixir-ecto/postgrex/commits">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This fixes a simple logic bug where we were mistakenly reacting to a
flow deletion event where flows still existed in the cache by sending
`reject_access`. This fixes that bug, and adds more comprehensive
logging to help diagnose issues like this more quickly in the future.
This PR also fixes the following issues found during the investigation:
- We were redundantly reacting to Token deletion in the channel pids.
This is unnecessary: we send a global socket disconnect from the Token
hook module instead.
- We had a bug that would crash the WAL consumer if a "global" token
(i.e. relay) was deleted or expired - these have no `account_id`.
- We now always use `min(max(all_conforming_polices_expiration),
token.expires_at)` when setting expiration on a new flow to minimize the
possibility for access churn.
- We now check to ensure the token and gateway are still undeleted when
re-authorizing a given flow. This prevents us from failing to send
`reject_access` when a token or gateway is deleted corresponding to a
flow, but the other entities would have granted access.
Related: https://firezone.statuspage.io/incidents/xrsm13tml3dh
Related: #10068
Related: #9501
When starting a local client with a local portal, this URL is hit and
times out, causing noise in the local gateway log.
In order to develop against this API in local dev, it might be better to
use the local website URL as well.
