Embed Dex as a built-in IdP to simplify self-hosting setup.
Adds an embedded OIDC Identity Provider (Dex) with local user management and optional external IdP connectors (Google/GitHub/OIDC/SAML), plus device-auth flow for CLI login. Introduces instance onboarding/setup endpoints (including owner creation), field-level encryption for sensitive user data, a streamlined self-hosting provisioning script, and expanded APIs + test coverage for IdP management.
More at https://github.com/netbirdio/netbird/pull/5008#issuecomment-3718987393
- Connect on daemon start only if the file existed before
- Fixed a bug that happened when the default profile config was removed, which would recreate it and reset the active profile to the default.
- Remove WaitGroup, make SemaphoreGroup a pure semaphore
- Make Add() return error instead of silently failing on context cancel
- Remove context parameter from Done() to prevent slot leaks
- Fix missing Done() call in conn.go error path
The UI can get stuck showing "Connecting" status even after the daemon successfully connects and reports "Connected" status. This occurs because the condition to update the UI to "Connected" state checks the wrong flag.
* updates to client file writing
* numerous
* minor
* - Align OnLoginSuccess behavior with Android (only call on nil error)
- Remove verbose debug logging from WaitToken in device_flow.go
- Improve TUN FD=0 fallback comments and warning messages
- Document why config save after login differs from Android
* Add nolint directive for staticcheck SA1029 in login.go
* Fix CodeRabbit review issues for iOS/tvOS SDK
- Remove goroutine from OnLoginSuccess callback, invoke synchronously
- Stop treating PermissionDenied as success, propagate as permanent error
- Replace context.TODO() with bounded timeout context (30s) in RequestAuthInfo
- Handle DirectUpdateOrCreateConfig errors in IsLoginRequired and LoginForMobile
- Add permission enforcement to DirectUpdateOrCreateConfig for existing configs
- Fix variable shadowing in device_ios.go where err was masked by := in else block
* Address additional CodeRabbit review issues for iOS/tvOS SDK
- Make tunFd == 0 a hard error with exported ErrInvalidTunnelFD (remove dead fallback code)
- Apply defaults in ConfigFromJSON to prevent partially-initialized configs
- Add nil guards for listener/urlOpener interfaces in public SDK entry points
- Reorder config save before OnLoginSuccess to prevent teardown race
- Add explanatory comment for urlOpener.Open goroutine
* Make urlOpener.Open() synchronous in device auth flow
* fix(router): nft tables limit number of peers source batching them, failing at 3277 prefixes on nftables v1.0.9 with Ubuntu 24.04.3 LTS, 6.14.0-35-generic #35~24.04.1-Ubuntu
* fix(router): nft tables limit number of prefixes on ipSet creation
The Fyne framework does not support TTC font files.
Use the default system font (Segoe UI) instead, so Windows can
automatically fall back to a Japanese font when needed.
Adds a per-instance uint64 hash to DefaultServer to detect identical merged host DNS configs (including extra domains). applyHostConfig computes and compares the hash, skips applying if unchanged, treats hash errors as a fail-safe (proceed to apply), and updates the stored hash only after successful hashing and apply.
Expose the profile-manager service for Android. Logout was not part of the manager service implementation. In the future, I recommend moving this logic there.
In some cases, iOS and macOS may be locked when looking for management domains during network changes.
This change introduces an additional timeout on top of the context call.
* [ios] Add a bogus test to check iOS behavior when setting environment variables
* [ios] Revert "Add a bogus test to check iOS behavior when setting environment variables"
This reverts commit 90ca01105a6b0f4471aac07a63fc95e5d4eaef9b.
* [ios] Add EnvList struct to export and import environment variables
* [ios] Add envList parameter to the iOS Client Run method
* [ios] Add some debug logging to exportEnvVarList
* Add "//go:build ios" to client/ios/NetBirdSDK files
* Fix engine shutdown deadlock and message handling races
- Release syncMsgMux before waiting for shutdownWg to prevent deadlock
- Check context inside lock in handleSync and receiveSignalEvents
- Prevents nil pointer access when messages arrive during engine stop
Adds a new NotifyOSLifecycle RPC and server handler to centralize OS sleep/wake handling, introduces Server.sleepTriggeredDown for coordination, updates client UI to call the new RPC, and adjusts the internal sleep event enum zero-value semantics.
* Add OAuth select_account prompt support to PKCE flow
Extends LoginFlag enum with select_account options to enable
multi-account selection during authentication. This allows users
to choose which account to use when multiple accounts have active
sessions with the identity provider.
The new flags are backward compatible - existing LoginFlag values
(0=prompt login, 1=max_age=0) retain their original behavior.
A macOS-specific sleep detection mechanism using IOKit and CoreFoundation via cgo is introduced, with a fallback implementation for unsupported platforms. A public Service wrapper provides an event-driven API translating system sleep/wake events into gRPC calls. The UI client integrates sleep detection to manage connectivity state based on system sleep status.
Two new boolean flags, SearchDomainDisabled and SkipPTRProcess, are added to CustomZone and its protobuf; they are propagated through the engine to DNS host logic. Host matching now uses SearchDomainDisabled directly, and PTR collection skips zones with SkipPTRProcess; reverse zones are initialized with SearchDomainDisabled: true.
Upgrade Go toolchain and golang.org/x/* deps to 1.24.10, standardize GitHub Actions to derive Go version from go.mod and adjust checkout ordering, raise WASM size limit to 55 MB, update FreeBSD tarball and gomobile refs, fix a few format-string/logging calls, treat usernames ending with $ as system accounts, and add Windows tests.
* Open quick settings window if netbird-ui is already running
* [client-ui] fix connection status comparison
* [client-ui] modularize quick actions code
* [client-ui] add netbird-disconnected logo
* [client-ui] change quickactions UI
It now displays the NetBird logo and a single button
with a round icon
* [client-ui] add hint message to quick actions screen
This also updates fyne to v2.7.0
* [client-ui] remove unnecessary default clause
* [client-ui] remove commented code
* [client-ui] remove unused dependency
* [client-ui] close quick actions on connection change
* [client-ui] add function to get image from embed resources
* [client] Return error when calling sendShowWindowSignal from Windows
* [client-ui] Add commentary on empty OnTapped function for toggleConnectionButton
* [client-ui] Fix tests
* [client-ui] Add context to menuUpClick call
* [client-ui] Pass serviceClient app as parameter
To use its clipboard rather than the window's when showing
the upload success dialog
* [client-ui] Replace for select with for range chan
* [client-ui] Replace settings change listener channel
Settings now accept a function callback
* [client-ui] Add missing iconAboutDisconnected to icons_windows.go
* [client] Add quick actions signal handler for Windows with named events
* [client] Run go mod tidy
* [client] Remove line break
* [client] Log unexpected status in separate function
* [client-ui] Refactor quick actions window
To address race conditions, it also replaces
usage of pause and resume channels with an
atomic bool.
* [client-ui] use derived context from ServiceClient
* [client] Update signal_windows log message
Also, format error when trying to set event on
sendShowWindowSignal
* go mod tidy
* [client-ui] Add struct to pass fewer parameters
to applyQuickActionsUiState function
* [client] Add missing import
---------
Co-authored-by: Viktor Liu <viktor@netbird.io>