[full-ci] chore: bump web version to 12.4.0

.github/workflows/acceptance-tests.yml

@@ -340,19 +340,28 @@ jobs:
       matrix:
         include:
           - suite: part-1
-            args: "--total-parts 4 --xsuites search,app-provider,ocm,keycloak --run-part 1"
+            args: "--type playwright --total-parts 4 --xsuites search,app-provider,ocm,keycloak,mfa,oidc --run-part 1"
           - suite: part-2
-            args: "--total-parts 4 --xsuites search,app-provider,ocm,keycloak --run-part 2"
+            args: "--type playwright --total-parts 4 --xsuites search,app-provider,ocm,keycloak,mfa,oidc --run-part 2"
           - suite: part-3
-            args: "--total-parts 4 --xsuites search,app-provider,ocm,keycloak --run-part 3"
+            args: "--type playwright --total-parts 4 --xsuites search,app-provider,ocm,keycloak,mfa,oidc --run-part 3"
           - suite: part-4
-            args: "--total-parts 4 --xsuites search,app-provider,ocm,keycloak --run-part 4"
+            args: "--type playwright --total-parts 4 --xsuites search,app-provider,ocm,keycloak,mfa,oidc --run-part 4"
           - suite: search
-            args: "--suites search"
+            args: "--type playwright --suites search"
             tika: true
           - suite: keycloak
-            args: "--suites journeys,keycloak"
+            args: "--type playwright --suites journeys,keycloak"
             keycloak: true
+          - suite: mfa
+            args: "--type playwright --suites mfa"
+            mfa: true
+          - suite: oidc
+            args: "--type playwright specs/oidc/refreshToken.spec.ts"
+            oidc: true
+          - suite: oidc-iframe
+            args: "--type playwright specs/oidc/iframeTokenRenewal.spec.ts"
+            oidc_iframe: true
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -385,9 +394,9 @@ jobs:
           timeout 120 bash -c 'until curl -sf http://localhost:9998; do sleep 2; done'
           echo "tika ready."
 
-      # --- Keycloak (keycloak suite only) ---
+      # --- Keycloak (keycloak and mfa suites) ---
       - name: Generate Keycloak certs
-        if: matrix.keycloak == true
+        if: matrix.keycloak == true || matrix.mfa == true
         run: |
           mkdir -p keycloak-certs
           openssl req -x509 -newkey rsa:2048 \
@@ -397,7 +406,7 @@ jobs:
           chmod -R 777 keycloak-certs
 
       - name: Start Postgres
-        if: matrix.keycloak == true
+        if: matrix.keycloak == true || matrix.mfa == true
         run: |
           docker run -d --name postgres --network host \
             -e POSTGRES_DB=keycloak \
@@ -407,12 +416,19 @@ jobs:
           timeout 30 bash -c 'until docker exec postgres pg_isready -U keycloak; do sleep 1; done'
 
       - name: Start Keycloak
-        if: matrix.keycloak == true
+        if: matrix.keycloak == true || matrix.mfa == true
         run: |
-          # Patch realm: ocis-ci-realm.dist.json uses ocis-server:9200 as hostname.
-          # GitHub Actions runs on the host network so patch it to 127.0.0.1.
-          sed 's|https://ocis-server:9200|https://127.0.0.1:9200|g' \
-            tests/config/ci/ocis-ci-realm.dist.json > /tmp/ocis-realm.json
+          # The mfa suite needs a different realm with TOTP MFA configured.
+          # ocis-ci-realm uses ocis-server:9200, ocis-mfa-ci-realm uses localhost:9200;
+          # ocis runs on 127.0.0.1:9200 so we rewrite both forms.
+          if [[ "${{ matrix.mfa }}" == "true" ]]; then
+            REALM_FILE=tests/config/ci/ocis-mfa-ci-realm.dist.json
+          else
+            REALM_FILE=tests/config/ci/ocis-ci-realm.dist.json
+          fi
+          sed -e 's|https://ocis-server:9200|https://127.0.0.1:9200|g' \
+              -e 's|https://localhost:9200|https://127.0.0.1:9200|g' \
+            "$REALM_FILE" > /tmp/ocis-realm.json
           docker run -d --name keycloak --network host \
             -e OCIS_DOMAIN=https://127.0.0.1:9200 \
             -e KC_HOSTNAME=localhost \
@@ -441,6 +457,9 @@ jobs:
         env:
           TIKA_NEEDED: ${{ matrix.tika == true && 'true' || 'false' }}
           KEYCLOAK_NEEDED: ${{ matrix.keycloak == true && 'true' || 'false' }}
+          MFA_NEEDED: ${{ matrix.mfa == true && 'true' || 'false' }}
+          OIDC_NEEDED: ${{ matrix.oidc == true && 'true' || 'false' }}
+          OIDC_IFRAME_NEEDED: ${{ matrix.oidc_iframe == true && 'true' || 'false' }}
 
   litmus:
     name: litmus

changelog/unreleased/enhancement-bump-web-version-to-12.4.md

@@ -0,0 +1,21 @@
+Enhancement: Bump Web to 12.4.0
+
+- Bugfix [owncloud/web#13363](https://github.com/owncloud/web/issues/13363): Prevent duplicate call for password protected public links
+- Bugfix [owncloud/web#13578](https://github.com/owncloud/web/pull/13578): Use dynamic viewport units (dvh/dvw) instead of viewport units (vh/vw)
+- Bugfix [owncloud/web#13610](https://github.com/owncloud/web/pull/13610): Cannot edit public link when name is too long
+- Bugfix [owncloud/web#13634](https://github.com/owncloud/web/pull/13634): Fix space key selecting wrong resource
+- Bugfix [owncloud/web#13793](https://github.com/owncloud/web/pull/13793): Fix share invite button being pushed down in space sharing
+- Bugfix [owncloud/web#13799](https://github.com/owncloud/web/pull/13799): Fix upload confirmation not visible on file drop page
+- Enhancement [owncloud/web#13545](https://github.com/owncloud/web/pull/13545): Strip WebDAV prefix
+- Enhancement [owncloud/web#13577](https://github.com/owncloud/web/pull/13577): Use spaceId
+- Enhancement [owncloud/web#13631](https://github.com/owncloud/web/pull/13631): Add theme mode
+- Enhancement [owncloud/web#13632](https://github.com/owncloud/web/issues/13632): Support log and conf files in text editor
+- Enhancement [owncloud/web#13759](https://github.com/owncloud/web/pull/13759): Show correct modal for saveAs and open actions
+- Enhancement [owncloud/web#13769](https://github.com/owncloud/web/pull/13769): Add vault search separation
+- Enhancement [owncloud/web#13795](https://github.com/owncloud/web/pull/13795): Add new theme colors
+- Enhancement [owncloud/web#13802](https://github.com/owncloud/web/pull/13802): Check vault permission
+- Enhancement [owncloud/web#13803](https://github.com/owncloud/web/pull/13803): MFA session expiry warning
+- Enhancement [owncloud/web#13803](https://github.com/owncloud/web/pull/13803): Vault-aware breadcrumbs
+
+https://github.com/owncloud/web/pull/13809
+https://github.com/owncloud/web/releases/tag/v12.4.0

ci.env

@@ -1,4 +1,4 @@
 # Pins the ownCloud Web frontend version used in CI tests.
 # Read by: tests/acceptance/run-e2e.py and .github/workflows/acceptance-tests.yml (Playwright cache key).
-WEB_COMMITID=39d6215da6daa184cd2365966915a659bdbd2c8b
-WEB_BRANCH=stable-12.3
+WEB_COMMITID=7dbf6ee5d4df704d19cc33da5564042e226e6871
+WEB_BRANCH=stable-12.4

go.mod

@@ -97,7 +97,7 @@ require (
 	golang.org/x/crypto v0.51.0
 	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f
 	golang.org/x/image v0.39.0
-	golang.org/x/net v0.53.0
+	golang.org/x/net v0.55.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
 	golang.org/x/term v0.43.0
@@ -340,7 +340,7 @@ require (
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/mod v0.35.0 // indirect
-	golang.org/x/sys v0.44.0 // indirect
+	golang.org/x/sys v0.45.0 // indirect
 	golang.org/x/time v0.15.0 // indirect
 	golang.org/x/tools v0.44.0 // indirect
 	google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 // indirect

go.sum

@@ -1109,6 +1109,8 @@ golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
 golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1203,6 +1205,8 @@ golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
 golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=

services/web/Makefile

@@ -1,6 +1,6 @@
 SHELL := bash
 NAME := web
-WEB_ASSETS_VERSION = v12.3.3
+WEB_ASSETS_VERSION = v12.4.0
 
 include ../../.make/recursion.mk
 

tests/acceptance/run-e2e.py

@@ -56,6 +56,11 @@ def main() -> int:
 
     tika_needed = os.environ.get("TIKA_NEEDED", "").lower() == "true"
     keycloak_needed = os.environ.get("KEYCLOAK_NEEDED", "").lower() == "true"
+    mfa_needed = os.environ.get("MFA_NEEDED", "").lower() == "true"
+    oidc_needed = os.environ.get("OIDC_NEEDED", "").lower() == "true"
+    oidc_iframe_needed = os.environ.get("OIDC_IFRAME_NEEDED", "").lower() == "true"
+    # MFA mode runs ocis behind keycloak with TOTP enforced
+    keycloak_needed = keycloak_needed or mfa_needed
 
     repo_root = Path(__file__).resolve().parents[2]
     ocis_bin = repo_root / "ocis/bin/ocis"
@@ -128,6 +133,16 @@ def _patch_urls(obj, old, new):
         return obj
 
     gha_web_cfg = _patch_urls(drone_web_cfg, "https://ocis-server:9200", ocis_url)
+
+    # The web client reads its OIDC scope from openIdConnect.scope in this UI
+    # config, NOT from the WEB_OIDC_SCOPE server env var, so override it here.
+    # - oidc (refresh-token) spec asserts the scope contains `offline_access`.
+    # - mfa flow needs `acr` so Keycloak emits the LoA claim used for step-up.
+    if oidc_needed:
+        gha_web_cfg["openIdConnect"]["scope"] = "openid profile email offline_access"
+    if mfa_needed:
+        gha_web_cfg["openIdConnect"]["scope"] = "openid profile email acr"
+
     gha_web_cfg_path = ocis_config_dir / "web-ui-config.json"
     gha_web_cfg_path.write_text(json.dumps(gha_web_cfg, indent=2))
 
@@ -154,6 +169,14 @@ def _patch_urls(obj, old, new):
         "THUMBNAILS_TXT_FONTMAP_FILE": str(repo_root / "tests/config/ci/fontsMap.json"),
         # extra_server_environment — matches drone e2eTestPipeline()
         "OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST": str(repo_root / "tests/config/ci/banned-password-list.txt"),
+        # Web's e2e tests use simple passwords (e.g. %public%, 123); relax the policy
+        # to match web's own CI (tests/actions/.env.ocis) so the client-side check
+        # doesn't block them.
+        "OCIS_PASSWORD_POLICY_MIN_CHARACTERS": "3",
+        "OCIS_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS": "0",
+        "OCIS_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS": "0",
+        "OCIS_PASSWORD_POLICY_MIN_DIGITS": "0",
+        "OCIS_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS": "0",
         "GRAPH_AVAILABLE_ROLES": "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6,63e64e19-8d43-42ec-a738-2b6af2610efa",
         "FRONTEND_CONFIGURABLE_NOTIFICATIONS": "true",
         # debug addresses
@@ -220,6 +243,24 @@ def _patch_urls(obj, old, new):
             "IDM_CREATE_DEMO_USERS": "false",
         })
 
+    if mfa_needed:
+        server_env.update({
+            "OCIS_MFA_ENABLED": "true",
+            "WEB_OIDC_SCOPE": "openid profile email acr",
+        })
+
+    # The two oidc tests need a short access-token lifetime so token renewal
+    # actually triggers within the test window. refreshToken.spec.ts uses a
+    # refresh token (offline_access scope); iframeTokenRenewal.spec.ts uses
+    # silent iframe renewal (no offline_access).
+    if oidc_needed:
+        server_env.update({
+            "IDP_ACCESS_TOKEN_EXPIRATION": "30",
+            "WEB_OIDC_SCOPE": "openid profile email offline_access",
+        })
+    if oidc_iframe_needed:
+        server_env["IDP_ACCESS_TOKEN_EXPIRATION"] = "30"
+
     procs = []
 
     print("Starting ocis...")
@@ -260,7 +301,9 @@ def cleanup(*_):
             "HEADLESS": "true",
             "RETRY": "3",
             "SKIP_A11Y_TESTS": "true",
-            "REPORT_TRACING": "true",
+            # web 12.4: enabling this both sets `use.trace=on` in playwright.config.ts
+            # AND triggers actor.ts to call tracing.start(), which double-starts and fails.
+            "REPORT_TRACING": "false",
             "NODE_EXTRA_CA_CERTS": str(ocis_cert),
             "BROWSER": "chromium",
         }
@@ -271,6 +314,9 @@ def cleanup(*_):
                 "KEYCLOAK_HOST": "localhost:8443",
             })
 
+        if mfa_needed:
+            playwright_env["MFA"] = "true"
+
         print(f"Running e2e: {e2e_args}")
         result = subprocess.run(
             ["bash", "run-e2e.sh"] + shlex.split(e2e_args),