Merge da22e0777e into c4df89df1f

.version

@@ -1 +1 @@
-2.12.6
+2.12.3

Jenkinsfile

@@ -241,17 +241,12 @@ pipeline {
 					}
 					steps {
 						script {
-							npmGithubPrComment("""Docker Image for build ${BUILD_NUMBER} is available on [DockerHub](https://cloud.docker.com/repository/docker/nginxproxymanager/${IMAGE}-dev):
+							npmGithubPrComment("""Docker Image for build ${BUILD_NUMBER} is available on
-```
+[DockerHub](https://cloud.docker.com/repository/docker/nginxproxymanager/${IMAGE}-dev)
-nginxproxymanager/${IMAGE}-dev:${BRANCH_LOWER}
+as `nginxproxymanager/${IMAGE}-dev:${BRANCH_LOWER}`
-```
 
-> [!NOTE]
+**Note:** ensure you backup your NPM instance before testing this image! Especially if there are database changes
-> Ensure you backup your NPM instance before testing this image! Especially if there are database changes.
+**Note:** this is a different docker image namespace than the official image
-> This is a different docker image namespace than the official image.
-
-> [!WARNING]
-> Changes and additions to DNS Providers require verification by at least 2 members of the community!
 """, true)
 						}
 					}

README.md

@@ -1,7 +1,7 @@
 <p align="center">
 	<img src="https://nginxproxymanager.com/github.png">
 	<br><br>
-	<img src="https://img.shields.io/badge/version-2.12.6-green.svg?style=for-the-badge">
+	<img src="https://img.shields.io/badge/version-2.12.3-green.svg?style=for-the-badge">
 	<a href="https://hub.docker.com/repository/docker/jc21/nginx-proxy-manager">
 		<img src="https://img.shields.io/docker/stars/jc21/nginx-proxy-manager.svg?style=for-the-badge">
 	</a>

backend/index.js

@@ -3,8 +3,6 @@
 const schema = require('./schema');
 const logger = require('./logger').global;
 
-const IP_RANGES_FETCH_ENABLED = process.env.IP_RANGES_FETCH_ENABLED !== 'false';
-
 async function appStart () {
 	const migrate             = require('./migrate');
 	const setup               = require('./setup');
@@ -15,16 +13,7 @@ async function appStart () {
 	return migrate.latest()
 		.then(setup)
 		.then(schema.getCompiledSchema)
-		.then(() => {
+		.then(internalIpRanges.fetch)
-			if (IP_RANGES_FETCH_ENABLED) {
-				logger.info('IP Ranges fetch is enabled');
-				return internalIpRanges.fetch().catch((err) => {
-					logger.error('IP Ranges fetch failed, continuing anyway:', err.message);
-				});
-			} else {
-				logger.info('IP Ranges fetch is disabled by environment variable');
-			}
-		})
 		.then(() => {
 			internalCertificate.initTimer();
 			internalIpRanges.initTimer();

backend/internal/access-list.js

@@ -1,5 +1,5 @@
 const _                     = require('lodash');
-const fs                    = require('node:fs');
+const fs                    = require('fs');
 const batchflow             = require('batchflow');
 const logger                = require('../logger').access;
 const error                 = require('../lib/error');
@@ -38,7 +38,7 @@ const internalAccessList = {
 			.then((row) => {
 				data.id = row.id;
 
-				const promises = [];
+				let promises = [];
 
 				// Now add the items
 				data.items.map((item) => {
@@ -116,7 +116,7 @@ const internalAccessList = {
 			.then((row) => {
 				if (row.id !== data.id) {
 					// Sanity check that something crazy hasn't happened
-					throw new error.InternalValidationError(`Access List could not be updated, IDs do not match: ${row.id} !== ${data.id}`);
+					throw new error.InternalValidationError('Access List could not be updated, IDs do not match: ' + row.id + ' !== ' + data.id);
 				}
 			})
 			.then(() => {
@@ -135,10 +135,10 @@ const internalAccessList = {
 			.then(() => {
 				// Check for items and add/update/remove them
 				if (typeof data.items !== 'undefined' && data.items) {
-					const promises      = [];
+					let promises      = [];
-					const items_to_keep = [];
+					let items_to_keep = [];
 
-					data.items.map((item) => {
+					data.items.map(function (item) {
 						if (item.password) {
 							promises.push(accessListAuthModel
 								.query()
@@ -154,7 +154,7 @@ const internalAccessList = {
 						}
 					});
 
-					const query = accessListAuthModel
+					let query = accessListAuthModel
 						.query()
 						.delete()
 						.where('access_list_id', data.id);
@@ -175,9 +175,9 @@ const internalAccessList = {
 			.then(() => {
 				// Check for clients and add/update/remove them
 				if (typeof data.clients !== 'undefined' && data.clients) {
-					const promises = [];
+					let promises = [];
 
-					data.clients.map((client) => {
+					data.clients.map(function (client) {
 						if (client.address) {
 							promises.push(accessListClientModel
 								.query()
@@ -190,7 +190,7 @@ const internalAccessList = {
 						}
 					});
 
-					const query = accessListClientModel
+					let query = accessListClientModel
 						.query()
 						.delete()
 						.where('access_list_id', data.id);
@@ -249,7 +249,7 @@ const internalAccessList = {
 
 		return access.can('access_lists:get', data.id)
 			.then((access_data) => {
-				const query = accessListModel
+				let query = accessListModel
 					.query()
 					.select('access_list.*', accessListModel.raw('COUNT(proxy_host.id) as proxy_host_count'))
 					.leftJoin('proxy_host', function() {
@@ -267,7 +267,7 @@ const internalAccessList = {
 				}
 
 				if (typeof data.expand !== 'undefined' && data.expand !== null) {
-					query.withGraphFetched(`[${data.expand.join(', ')}]`);
+					query.withGraphFetched('[' + data.expand.join(', ') + ']');
 				}
 
 				return query.then(utils.omitRow(omissions()));
@@ -327,7 +327,7 @@ const internalAccessList = {
 									// 3. reconfigure those hosts, then reload nginx
 
 									// set the access_list_id to zero for these items
-									row.proxy_hosts.map((_val, idx) => {
+									row.proxy_hosts.map(function (val, idx) {
 										row.proxy_hosts[idx].access_list_id = 0;
 									});
 
@@ -340,11 +340,11 @@ const internalAccessList = {
 					})
 					.then(() => {
 						// delete the htpasswd file
-						const htpasswd_file = internalAccessList.getFilename(row);
+						let htpasswd_file = internalAccessList.getFilename(row);
 
 						try {
 							fs.unlinkSync(htpasswd_file);
-						} catch (_err) {
+						} catch (err) {
 							// do nothing
 						}
 					})
@@ -374,7 +374,7 @@ const internalAccessList = {
 	getAll: (access, expand, search_query) => {
 		return access.can('access_lists:list')
 			.then((access_data) => {
-				const query = accessListModel
+				let query = accessListModel
 					.query()
 					.select('access_list.*', accessListModel.raw('COUNT(proxy_host.id) as proxy_host_count'))
 					.leftJoin('proxy_host', function() {
@@ -393,19 +393,19 @@ const internalAccessList = {
 				// Query is used for searching
 				if (typeof search_query === 'string') {
 					query.where(function () {
-						this.where('name', 'like', `%${search_query}%`);
+						this.where('name', 'like', '%' + search_query + '%');
 					});
 				}
 
 				if (typeof expand !== 'undefined' && expand !== null) {
-					query.withGraphFetched(`[${expand.join(', ')}]`);
+					query.withGraphFetched('[' + expand.join(', ') + ']');
 				}
 
 				return query.then(utils.omitRows(omissions()));
 			})
 			.then((rows) => {
 				if (rows) {
-					rows.map((row, idx) => {
+					rows.map(function (row, idx) {
 						if (typeof row.items !== 'undefined' && row.items) {
 							rows[idx] = internalAccessList.maskItems(row);
 						}
@@ -424,7 +424,7 @@ const internalAccessList = {
 	 * @returns {Promise}
 	 */
 	getCount: (user_id, visibility) => {
-		const query = accessListModel
+		let query = accessListModel
 			.query()
 			.count('id as count')
 			.where('is_deleted', 0);
@@ -445,7 +445,7 @@ const internalAccessList = {
 	 */
 	maskItems: (list) => {
 		if (list && typeof list.items !== 'undefined') {
-			list.items.map((val, idx) => {
+			list.items.map(function (val, idx) {
 				let repeat_for = 8;
 				let first_char = '*';
 
@@ -468,7 +468,7 @@ const internalAccessList = {
 	 * @returns {String}
 	 */
 	getFilename: (list) => {
-		return `/data/access/${list.id}`;
+		return '/data/access/' + list.id;
 	},
 
 	/**
@@ -479,15 +479,15 @@ const internalAccessList = {
 	 * @returns {Promise}
 	 */
 	build: (list) => {
-		logger.info(`Building Access file #${list.id} for: ${list.name}`);
+		logger.info('Building Access file #' + list.id + ' for: ' + list.name);
 
 		return new Promise((resolve, reject) => {
-			const htpasswd_file = internalAccessList.getFilename(list);
+			let htpasswd_file = internalAccessList.getFilename(list);
 
 			// 1. remove any existing access file
 			try {
 				fs.unlinkSync(htpasswd_file);
-			} catch (_err) {
+			} catch (err) {
 				// do nothing
 			}
 
@@ -504,14 +504,14 @@ const internalAccessList = {
 				if (list.items.length) {
 					return new Promise((resolve, reject) => {
 						batchflow(list.items).sequential()
-							.each((_i, item, next) => {
+							.each((i, item, next) => {
 								if (typeof item.password !== 'undefined' && item.password.length) {
-									logger.info(`Adding: ${item.username}`);
+									logger.info('Adding: ' + item.username);
 
 									utils.execFile('openssl', ['passwd', '-apr1', item.password])
 										.then((res) => {
 											try {
-												fs.appendFileSync(htpasswd_file, `${item.username}:${res}\n`, {encoding: 'utf8'});
+												fs.appendFileSync(htpasswd_file, item.username + ':' + res + '\n', {encoding: 'utf8'});
 											} catch (err) {
 												reject(err);
 											}
@@ -528,7 +528,7 @@ const internalAccessList = {
 								reject(err);
 							})
 							.end((results) => {
-								logger.success(`Built Access file #${list.id} for: ${list.name}`);
+								logger.success('Built Access file #' + list.id + ' for: ' + list.name);
 								resolve(results);
 							});
 					});

backend/internal/certificate.js

@@ -1,6 +1,6 @@
 const _                = require('lodash');
-const fs               = require('node:fs');
+const fs               = require('fs');
-const https            = require('node:https');
+const https            = require('https');
 const tempWrite        = require('temp-write');
 const moment           = require('moment');
 const archiver         = require('archiver');
@@ -49,7 +49,7 @@ const internalCertificate = {
 	processExpiringHosts: () => {
 		if (!internalCertificate.intervalProcessing) {
 			internalCertificate.intervalProcessing = true;
-			logger.info(`Renewing SSL certs expiring within ${internalCertificate.renewBeforeExpirationBy[0]} ${internalCertificate.renewBeforeExpirationBy[1]} ...`);
+			logger.info('Renewing SSL certs expiring within ' + internalCertificate.renewBeforeExpirationBy[0] + ' ' + internalCertificate.renewBeforeExpirationBy[1] + ' ...');
 
 			const expirationThreshold = moment().add(internalCertificate.renewBeforeExpirationBy[0], internalCertificate.renewBeforeExpirationBy[1]).format('YYYY-MM-DD HH:mm:ss');
 
@@ -70,7 +70,7 @@ const internalCertificate = {
 					 */
 					let sequence = Promise.resolve();
 
-					certificates.forEach((certificate) => {
+					certificates.forEach(function (certificate) {
 						sequence = sequence.then(() =>
 							internalCertificate
 								.renew(
@@ -202,7 +202,7 @@ const internalCertificate = {
 						.then(() => {
 							// At this point, the letsencrypt cert should exist on disk.
 							// Lets get the expiry date from the file and update the row silently
-							return internalCertificate.getCertificateInfoFromFile(`${internalCertificate.getLiveCertPath(certificate.id)}/fullchain.pem`)
+							return internalCertificate.getCertificateInfoFromFile('/etc/letsencrypt/live/npm-' + certificate.id + '/fullchain.pem')
 								.then((cert_info) => {
 									return certificateModel
 										.query()
@@ -263,7 +263,7 @@ const internalCertificate = {
 			.then((row) => {
 				if (row.id !== data.id) {
 					// Sanity check that something crazy hasn't happened
-					throw new error.InternalValidationError(`Certificate could not be updated, IDs do not match: ${row.id} !== ${data.id}`);
+					throw new error.InternalValidationError('Certificate could not be updated, IDs do not match: ' + row.id + ' !== ' + data.id);
 				}
 
 				return certificateModel
@@ -308,7 +308,7 @@ const internalCertificate = {
 
 		return access.can('certificates:get', data.id)
 			.then((access_data) => {
-				const query = certificateModel
+				let query = certificateModel
 					.query()
 					.where('is_deleted', 0)
 					.andWhere('id', data.id)
@@ -323,7 +323,7 @@ const internalCertificate = {
 				}
 
 				if (typeof data.expand !== 'undefined' && data.expand !== null) {
-					query.withGraphFetched(`[${data.expand.join(', ')}]`);
+					query.withGraphFetched('[' + data.expand.join(', ') + ']');
 				}
 
 				return query.then(utils.omitRow(omissions()));
@@ -354,17 +354,17 @@ const internalCertificate = {
 				})
 				.then((certificate) => {
 					if (certificate.provider === 'letsencrypt') {
-						const zipDirectory = internalCertificate.getLiveCertPath(data.id);
+						const zipDirectory = '/etc/letsencrypt/live/npm-' + data.id;
 
 						if (!fs.existsSync(zipDirectory)) {
-							throw new error.ItemNotFoundError(`Certificate ${certificate.nice_name} does not exists`);
+							throw new error.ItemNotFoundError('Certificate ' + certificate.nice_name + ' does not exists');
 						}
 
-						const certFiles    = fs.readdirSync(zipDirectory)
+						let certFiles      = fs.readdirSync(zipDirectory)
 							.filter((fn) => fn.endsWith('.pem'))
 							.map((fn) => fs.realpathSync(path.join(zipDirectory, fn)));
-						const downloadName = `npm-${data.id}-${Date.now()}.zip`;
+						const downloadName = 'npm-' + data.id + '-' + `${Date.now()}.zip`;
-						const opName       = `/tmp/${downloadName}`;
+						const opName       = '/tmp/' + downloadName;
 						internalCertificate.zipFiles(certFiles, opName)
 							.then(() => {
 								logger.debug('zip completed : ', opName);
@@ -392,7 +392,7 @@ const internalCertificate = {
 		return new Promise((resolve, reject) => {
 			source
 				.map((fl) => {
-					const fileName = path.basename(fl);
+					let fileName = path.basename(fl);
 					logger.debug(fl, 'added to certificate zip');
 					archive.file(fl, { name: fileName });
 				});
@@ -462,7 +462,7 @@ const internalCertificate = {
 	getAll: (access, expand, search_query) => {
 		return access.can('certificates:list')
 			.then((access_data) => {
-				const query = certificateModel
+				let query = certificateModel
 					.query()
 					.where('is_deleted', 0)
 					.groupBy('id')
@@ -479,12 +479,12 @@ const internalCertificate = {
 				// Query is used for searching
 				if (typeof search_query === 'string') {
 					query.where(function () {
-						this.where('nice_name', 'like', `%${search_query}%`);
+						this.where('nice_name', 'like', '%' + search_query + '%');
 					});
 				}
 
 				if (typeof expand !== 'undefined' && expand !== null) {
-					query.withGraphFetched(`[${expand.join(', ')}]`);
+					query.withGraphFetched('[' + expand.join(', ') + ']');
 				}
 
 				return query.then(utils.omitRows(omissions()));
@@ -499,7 +499,7 @@ const internalCertificate = {
 	 * @returns {Promise}
 	 */
 	getCount: (user_id, visibility) => {
-		const query = certificateModel
+		let query = certificateModel
 			.query()
 			.count('id as count')
 			.where('is_deleted', 0);
@@ -521,7 +521,7 @@ const internalCertificate = {
 	writeCustomCert: (certificate) => {
 		logger.info('Writing Custom Certificate:', certificate);
 
-		const dir = `/data/custom_ssl/npm-${certificate.id}`;
+		const dir = '/data/custom_ssl/npm-' + certificate.id;
 
 		return new Promise((resolve, reject) => {
 			if (certificate.provider === 'letsencrypt') {
@@ -531,7 +531,7 @@ const internalCertificate = {
 
 			let certData = certificate.meta.certificate;
 			if (typeof certificate.meta.intermediate_certificate !== 'undefined') {
-				certData = `${certData}\n${certificate.meta.intermediate_certificate}`;
+				certData = certData + '\n' + certificate.meta.intermediate_certificate;
 			}
 
 			try {
@@ -543,7 +543,7 @@ const internalCertificate = {
 				return;
 			}
 
-			fs.writeFile(`${dir}/fullchain.pem`, certData, (err) => {
+			fs.writeFile(dir + '/fullchain.pem', certData, function (err) {
 				if (err) {
 					reject(err);
 				} else {
@@ -553,7 +553,7 @@ const internalCertificate = {
 		})
 			.then(() => {
 				return new Promise((resolve, reject) => {
-					fs.writeFile(`${dir}/privkey.pem`, certificate.meta.certificate_key, (err) => {
+					fs.writeFile(dir + '/privkey.pem', certificate.meta.certificate_key, function (err) {
 						if (err) {
 							reject(err);
 						} else {
@@ -591,7 +591,7 @@ const internalCertificate = {
 	validate: (data) => {
 		return new Promise((resolve) => {
 			// Put file contents into an object
-			const files = {};
+			let files = {};
 			_.map(data.files, (file, name) => {
 				if (internalCertificate.allowedSslFiles.indexOf(name) !== -1) {
 					files[name] = file.data.toString();
@@ -603,7 +603,7 @@ const internalCertificate = {
 			.then((files) => {
 				// For each file, create a temp file and write the contents to it
 				// Then test it depending on the file type
-				const promises = [];
+				let promises = [];
 				_.map(files, (content, type) => {
 					promises.push(new Promise((resolve) => {
 						if (type === 'certificate_key') {
@@ -688,11 +688,11 @@ const internalCertificate = {
 						reject(new error.ValidationError('Result Validation Error: Validation timed out. This could be due to the key being passphrase-protected.'));
 					}, 10000);
 					utils
-						.exec(`openssl pkey -in ${filepath} -check -noout 2>&1 `)
+						.exec('openssl pkey -in ' + filepath + ' -check -noout 2>&1 ')
 						.then((result) => {
 							clearTimeout(failTimeout);
 							if (!result.toLowerCase().includes('key is valid')) {
-								reject(new error.ValidationError(`Result Validation Error: ${result}`));
+								reject(new error.ValidationError('Result Validation Error: ' + result));
 							}
 							fs.unlinkSync(filepath);
 							resolve(true);
@@ -700,7 +700,7 @@ const internalCertificate = {
 						.catch((err) => {
 							clearTimeout(failTimeout);
 							fs.unlinkSync(filepath);
-							reject(new error.ValidationError(`Certificate Key is not valid (${err.message})`, err));
+							reject(new error.ValidationError('Certificate Key is not valid (' + err.message + ')', err));
 						});
 				});
 			});
@@ -735,9 +735,9 @@ const internalCertificate = {
 	 * @param {Boolean} [throw_expired]  Throw when the certificate is out of date
 	 */
 	getCertificateInfoFromFile: (certificate_file, throw_expired) => {
-		const certData = {};
+		let certData = {};
 
-		return utils.execFile('openssl', ['x509', '-in', certificate_file, '-subject', '-noout'])
+		return utils.exec('openssl x509 -in ' + certificate_file + ' -subject -noout')
 			.then((result) => {
 				// Examples:
 				// subject=CN = *.jc21.com
@@ -745,11 +745,11 @@ const internalCertificate = {
 				const regex = /(?:subject=)?[^=]+=\s+(\S+)/gim;
 				const match = regex.exec(result);
 				if (match && typeof match[1] !== 'undefined') {
-					certData.cn = match[1];
+					certData['cn'] = match[1];
 				}
 			})
 			.then(() => {
-				return utils.execFile('openssl', ['x509', '-in', certificate_file, '-issuer', '-noout']);
+				return utils.exec('openssl x509 -in ' + certificate_file + ' -issuer -noout');
 			})
 
 			.then((result) => {
@@ -760,11 +760,11 @@ const internalCertificate = {
 				const regex = /^(?:issuer=)?(.*)$/gim;
 				const match = regex.exec(result);
 				if (match && typeof match[1] !== 'undefined') {
-					certData.issuer = match[1];
+					certData['issuer'] = match[1];
 				}
 			})
 			.then(() => {
-				return utils.execFile('openssl', ['x509', '-in', certificate_file, '-dates', '-noout']);
+				return utils.exec('openssl x509 -in ' + certificate_file + ' -dates -noout');
 			})
 			.then((result) => {
 				// notBefore=Jul 14 04:04:29 2018 GMT
@@ -773,7 +773,7 @@ const internalCertificate = {
 				let validTo   = null;
 
 				const lines = result.split('\n');
-				lines.map((str) => {
+				lines.map(function (str) {
 					const regex = /^(\S+)=(.*)$/gim;
 					const match = regex.exec(str.trim());
 
@@ -789,21 +789,21 @@ const internalCertificate = {
 				});
 
 				if (!validFrom || !validTo) {
-					throw new error.ValidationError(`Could not determine dates from certificate: ${result}`);
+					throw new error.ValidationError('Could not determine dates from certificate: ' + result);
 				}
 
 				if (throw_expired && validTo < parseInt(moment().format('X'), 10)) {
 					throw new error.ValidationError('Certificate has expired');
 				}
 
-				certData.dates = {
+				certData['dates'] = {
 					from: validFrom,
 					to:   validTo
 				};
 
 				return certData;
 			}).catch((err) => {
-				throw new error.ValidationError(`Certificate is not valid (${err.message})`, err);
+				throw new error.ValidationError('Certificate is not valid (' + err.message + ')', err);
 			});
 	},
 
@@ -814,7 +814,7 @@ const internalCertificate = {
 	 * @param   {Boolean} [remove]
 	 * @returns {Object}
 	 */
-	cleanMeta: (meta, remove) => {
+	cleanMeta: function (meta, remove) {
 		internalCertificate.allowedSslFiles.map((key) => {
 			if (typeof meta[key] !== 'undefined' && meta[key]) {
 				if (remove) {
@@ -834,35 +834,24 @@ const internalCertificate = {
 	 * @returns {Promise}
 	 */
 	requestLetsEncryptSsl: (certificate) => {
-		logger.info(`Requesting LetsEncrypt certificates for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
+		logger.info('Requesting Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
 
-		const args = [
+		const cmd = `${certbotCommand} certonly ` +
-			'certonly',
+			`--config '${letsencryptConfig}' ` +
-			'--config',
+			'--work-dir "/tmp/letsencrypt-lib" ' +
-			letsencryptConfig,
+			'--logs-dir "/tmp/letsencrypt-log" ' +
-			'--work-dir',
+			`--cert-name "npm-${certificate.id}" ` +
-			'/tmp/letsencrypt-lib',
+			'--agree-tos ' +
-			'--logs-dir',
+			'--authenticator webroot ' +
-			'/tmp/letsencrypt-log',
+			`--email '${certificate.meta.letsencrypt_email}' ` +
-			'--cert-name',
+			'--preferred-challenges "dns,http" ' +
-			`npm-${certificate.id}`,
+			`--domains "${certificate.domain_names.join(',')}" ` +
-			'--agree-tos',
+			(letsencryptServer !== null ? `--server '${letsencryptServer}' ` : '') +
-			'--authenticator',
+			(letsencryptStaging && letsencryptServer === null ? '--staging ' : '');
-			'webroot',
-			'--email',
-			certificate.meta.letsencrypt_email,
-			'--preferred-challenges',
-			'dns,http',
-			'--domains',
-			certificate.domain_names.join(','),
-		];
 
-		const adds = internalCertificate.getAdditionalCertbotArgs(certificate.id);
+		logger.info('Command:', cmd);
-		args.push(...adds.args);
 
-		logger.info(`Command: ${certbotCommand} ${args ? args.join(' ') : ''}`);
+		return utils.exec(cmd)
-
-		return utils.execFile(certbotCommand, args, adds.opts)
 			.then((result) => {
 				logger.success(result);
 				return result;
@@ -879,48 +868,50 @@ const internalCertificate = {
 	requestLetsEncryptSslWithDnsChallenge: async (certificate) => {
 		await certbot.installPlugin(certificate.meta.dns_provider);
 		const dnsPlugin = dnsPlugins[certificate.meta.dns_provider];
-		logger.info(`Requesting LetsEncrypt certificates via ${dnsPlugin.name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
+		logger.info(`Requesting Let'sEncrypt certificates via ${dnsPlugin.name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
 
-		const credentialsLocation = `/etc/letsencrypt/credentials/credentials-${certificate.id}`;
+		const credentialsLocation = '/etc/letsencrypt/credentials/credentials-' + certificate.id;
 		fs.mkdirSync('/etc/letsencrypt/credentials', { recursive: true });
 		fs.writeFileSync(credentialsLocation, certificate.meta.dns_provider_credentials, {mode: 0o600});
 
 		// Whether the plugin has a --<name>-credentials argument
 		const hasConfigArg = certificate.meta.dns_provider !== 'route53';
 
-		const args = [
+		let mainCmd = certbotCommand + ' certonly ' +
-			'certonly',
+			`--config '${letsencryptConfig}' ` +
-			'--config',
+			'--work-dir "/tmp/letsencrypt-lib" ' +
-			letsencryptConfig,
+			'--logs-dir "/tmp/letsencrypt-log" ' +
-			'--work-dir',
+			`--cert-name 'npm-${certificate.id}' ` +
-			'/tmp/letsencrypt-lib',
+			'--agree-tos ' +
-			'--logs-dir',
+			`--email '${certificate.meta.letsencrypt_email}' ` +
-			'/tmp/letsencrypt-log',
+			`--domains '${certificate.domain_names.join(',')}' ` +
-			'--cert-name',
+			`--authenticator '${dnsPlugin.full_plugin_name}' ` +
-			`npm-${certificate.id}`,
+			(
-			'--agree-tos',
+				hasConfigArg
-			'--email',
+					? `--${dnsPlugin.full_plugin_name}-credentials '${credentialsLocation}' `
-			certificate.meta.letsencrypt_email,
+					: ''
-			'--domains',
+			) +
-			certificate.domain_names.join(','),
+			(
-			'--authenticator',
+				certificate.meta.propagation_seconds !== undefined
-			dnsPlugin.full_plugin_name,
+					? `--${dnsPlugin.full_plugin_name}-propagation-seconds '${certificate.meta.propagation_seconds}' `
-		];
+					: ''
+			) +
+			(letsencryptServer !== null ? `--server '${letsencryptServer}' ` : '') +
+			(letsencryptStaging && letsencryptServer === null ? '--staging ' : '');
 
-		if (hasConfigArg) {
+		// Prepend the path to the credentials file as an environment variable
-			args.push(`--${dnsPlugin.full_plugin_name}-credentials`, credentialsLocation);
+		if (certificate.meta.dns_provider === 'route53') {
-		}
+			mainCmd = 'AWS_CONFIG_FILE=\'' + credentialsLocation + '\' ' + mainCmd;
-		if (certificate.meta.propagation_seconds !== undefined) {
-			args.push(`--${dnsPlugin.full_plugin_name}-propagation-seconds`, certificate.meta.propagation_seconds.toString());
 		}
 
-		const adds = internalCertificate.getAdditionalCertbotArgs(certificate.id, certificate.meta.dns_provider);
+		if (certificate.meta.dns_provider === 'duckdns') {
-		args.push(...adds.args);
+			mainCmd = mainCmd + ' --dns-duckdns-no-txt-restore';
+		}
 
-		logger.info(`Command: ${certbotCommand} ${args ? args.join(' ') : ''}`);
+		logger.info('Command:', mainCmd);
 
 		try {
-			const result = await utils.execFile(certbotCommand, args, adds.opts);
+			const result = await utils.exec(mainCmd);
 			logger.info(result);
 			return result;
 		} catch (err) {
@@ -948,7 +939,7 @@ const internalCertificate = {
 
 					return renewMethod(certificate)
 						.then(() => {
-							return internalCertificate.getCertificateInfoFromFile(`${internalCertificate.getLiveCertPath(certificate.id)}/fullchain.pem`);
+							return internalCertificate.getCertificateInfoFromFile('/etc/letsencrypt/live/npm-' + certificate.id + '/fullchain.pem');
 						})
 						.then((cert_info) => {
 							return certificateModel
@@ -980,31 +971,22 @@ const internalCertificate = {
 	 * @returns {Promise}
 	 */
 	renewLetsEncryptSsl: (certificate) => {
-		logger.info(`Renewing LetsEncrypt certificates for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
+		logger.info('Renewing Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
 
-		const args = [
+		const cmd = certbotCommand + ' renew --force-renewal ' +
-			'renew',
+			`--config '${letsencryptConfig}' ` +
-			'--force-renewal',
+			'--work-dir "/tmp/letsencrypt-lib" ' +
-			'--config',
+			'--logs-dir "/tmp/letsencrypt-log" ' +
-			letsencryptConfig,
+			`--cert-name 'npm-${certificate.id}' ` +
-			'--work-dir',
+			'--preferred-challenges "dns,http" ' +
-			'/tmp/letsencrypt-lib',
+			'--no-random-sleep-on-renew ' +
-			'--logs-dir',
+			'--disable-hook-validation ' +
-			'/tmp/letsencrypt-log',
+			(letsencryptServer !== null ? `--server '${letsencryptServer}' ` : '') +
-			'--cert-name',
+			(letsencryptStaging && letsencryptServer === null ? '--staging ' : '');
-			`npm-${certificate.id}`,
-			'--preferred-challenges',
-			'dns,http',
-			'--no-random-sleep-on-renew',
-			'--disable-hook-validation',
-		];
 
-		const adds = internalCertificate.getAdditionalCertbotArgs(certificate.id, certificate.meta.dns_provider);
+		logger.info('Command:', cmd);
-		args.push(...adds.args);
 
-		logger.info(`Command: ${certbotCommand} ${args ? args.join(' ') : ''}`);
+		return utils.exec(cmd)
-
-		return utils.execFile(certbotCommand, args, adds.opts)
 			.then((result) => {
 				logger.info(result);
 				return result;
@@ -1022,29 +1004,27 @@ const internalCertificate = {
 			throw Error(`Unknown DNS provider '${certificate.meta.dns_provider}'`);
 		}
 
-		logger.info(`Renewing LetsEncrypt certificates via ${dnsPlugin.name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
+		logger.info(`Renewing Let'sEncrypt certificates via ${dnsPlugin.name} for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
 
-		const args = [
+		let mainCmd = certbotCommand + ' renew --force-renewal ' +
-			'renew',
+			`--config "${letsencryptConfig}" ` +
-			'--force-renewal',
+			'--work-dir "/tmp/letsencrypt-lib" ' +
-			'--config',
+			'--logs-dir "/tmp/letsencrypt-log" ' +
-			letsencryptConfig,
+			`--cert-name 'npm-${certificate.id}' ` +
-			'--work-dir',
+			'--disable-hook-validation ' +
-			'/tmp/letsencrypt-lib',
+			'--no-random-sleep-on-renew ' +
-			'--logs-dir',
+			(letsencryptServer !== null ? `--server '${letsencryptServer}' ` : '') +
-			'/tmp/letsencrypt-log',
+			(letsencryptStaging && letsencryptServer === null ? '--staging ' : '');
-			'--cert-name',
-			`npm-${certificate.id}`,
-			'--disable-hook-validation',
-			'--no-random-sleep-on-renew',
-		];
 
-		const adds = internalCertificate.getAdditionalCertbotArgs(certificate.id, certificate.meta.dns_provider);
+		// Prepend the path to the credentials file as an environment variable
-		args.push(...adds.args);
+		if (certificate.meta.dns_provider === 'route53') {
+			const credentialsLocation = '/etc/letsencrypt/credentials/credentials-' + certificate.id;
+			mainCmd                   = 'AWS_CONFIG_FILE=\'' + credentialsLocation + '\' ' + mainCmd;
+		}
 
-		logger.info(`Command: ${certbotCommand} ${args ? args.join(' ') : ''}`);
+		logger.info('Command:', mainCmd);
 
-		return utils.execFile(certbotCommand, args, adds.opts)
+		return utils.exec(mainCmd)
 			.then(async (result) => {
 				logger.info(result);
 				return result;
@@ -1057,29 +1037,25 @@ const internalCertificate = {
 	 * @returns {Promise}
 	 */
 	revokeLetsEncryptSsl: (certificate, throw_errors) => {
-		logger.info(`Revoking LetsEncrypt certificates for Cert #${certificate.id}: ${certificate.domain_names.join(', ')}`);
+		logger.info('Revoking Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
 
-		const args = [
+		const mainCmd = certbotCommand + ' revoke ' +
-			'revoke',
+			`--config '${letsencryptConfig}' ` +
-			'--config',
+			'--work-dir "/tmp/letsencrypt-lib" ' +
-			letsencryptConfig,
+			'--logs-dir "/tmp/letsencrypt-log" ' +
-			'--work-dir',
+			`--cert-path '/etc/letsencrypt/live/npm-${certificate.id}/fullchain.pem' ` +
-			'/tmp/letsencrypt-lib',
+			'--delete-after-revoke ' +
-			'--logs-dir',
+			(letsencryptServer !== null ? `--server '${letsencryptServer}' ` : '') +
-			'/tmp/letsencrypt-log',
+			(letsencryptStaging && letsencryptServer === null ? '--staging ' : '');
-			'--cert-path',
-			`${internalCertificate.getLiveCertPath(certificate.id)}/fullchain.pem`,
-			'--delete-after-revoke',
-		];
 
-		const adds = internalCertificate.getAdditionalCertbotArgs(certificate.id);
+		// Don't fail command if file does not exist
-		args.push(...adds.args);
+		const delete_credentialsCmd = `rm -f '/etc/letsencrypt/credentials/credentials-${certificate.id}' || true`;
 
-		logger.info(`Command: ${certbotCommand} ${args ? args.join(' ') : ''}`);
+		logger.info('Command:', mainCmd + '; ' + delete_credentialsCmd);
 
-		return utils.execFile(certbotCommand, args, adds.opts)
+		return utils.exec(mainCmd)
 			.then(async (result) => {
-				await utils.exec(`rm -f '/etc/letsencrypt/credentials/credentials-${certificate.id}' || true`);
+				await utils.exec(delete_credentialsCmd);
 				logger.info(result);
 				return result;
 			})
@@ -1097,8 +1073,9 @@ const internalCertificate = {
 	 * @returns {Boolean}
 	 */
 	hasLetsEncryptSslCerts: (certificate) => {
-		const letsencryptPath = internalCertificate.getLiveCertPath(certificate.id);
+		const letsencryptPath = '/etc/letsencrypt/live/npm-' + certificate.id;
-		return fs.existsSync(`${letsencryptPath}/fullchain.pem`) && fs.existsSync(`${letsencryptPath}/privkey.pem`);
+
+		return fs.existsSync(letsencryptPath + '/fullchain.pem') && fs.existsSync(letsencryptPath + '/privkey.pem');
 	},
 
 	/**
@@ -1110,7 +1087,7 @@ const internalCertificate = {
 	 */
 	disableInUseHosts: (in_use_result) => {
 		if (in_use_result.total_count) {
-			const promises = [];
+			let promises = [];
 
 			if (in_use_result.proxy_hosts.length) {
 				promises.push(internalNginx.bulkDeleteConfigs('proxy_host', in_use_result.proxy_hosts));
@@ -1140,7 +1117,7 @@ const internalCertificate = {
 	 */
 	enableInUseHosts: (in_use_result) => {
 		if (in_use_result.total_count) {
-			const promises = [];
+			let promises = [];
 
 			if (in_use_result.proxy_hosts.length) {
 				promises.push(internalNginx.bulkGenerateConfigs('proxy_host', in_use_result.proxy_hosts));
@@ -1173,12 +1150,12 @@ const internalCertificate = {
 
 		// Create a test challenge file
 		const testChallengeDir  = '/data/letsencrypt-acme-challenge/.well-known/acme-challenge';
-		const testChallengeFile = `${testChallengeDir}/test-challenge`;
+		const testChallengeFile = testChallengeDir + '/test-challenge';
 		fs.mkdirSync(testChallengeDir, {recursive: true});
 		fs.writeFileSync(testChallengeFile, 'Success', {encoding: 'utf8'});
 
 		async function performTestForDomain (domain) {
-			logger.info(`Testing http challenge for ${domain}`);
+			logger.info('Testing http challenge for ' + domain);
 			const url      = `http://${domain}/.well-known/acme-challenge/test-challenge`;
 			const formBody = `method=G&url=${encodeURI(url)}&bodytype=T&requestbody=&headername=User-Agent&headervalue=None&locationid=1&ch=false&cc=false`;
 			const options  = {
@@ -1192,16 +1169,13 @@ const internalCertificate = {
 
 			const result = await new Promise((resolve) => {
 
-				const req = https.request('https://www.site24x7.com/tools/restapi-tester', options, (res) => {
+				const req = https.request('https://www.site24x7.com/tools/restapi-tester', options, function (res) {
 					let responseBody = '';
 
-					res.on('data', (chunk) => {
+					res.on('data', (chunk) => responseBody = responseBody + chunk);
-						responseBody = responseBody + chunk;
+					res.on('end', function () {
-					});
-
-					res.on('end', () => {
 						try {
-							const parsedBody = JSON.parse(`${responseBody}`);
+							const parsedBody = JSON.parse(responseBody + '');
 							if (res.statusCode !== 200) {
 								logger.warn(`Failed to test HTTP challenge for domain ${domain} because HTTP status code ${res.statusCode} was returned: ${parsedBody.message}`);
 								resolve(undefined);
@@ -1222,7 +1196,7 @@ const internalCertificate = {
 				// Make sure to write the request body.
 				req.write(formBody);
 				req.end();
-				req.on('error', (e) => { logger.warn(`Failed to test HTTP challenge for domain ${domain}`, e);
+				req.on('error', function (e) { logger.warn(`Failed to test HTTP challenge for domain ${domain}`, e);
 					resolve(undefined); });
 			});
 
@@ -1264,34 +1238,6 @@ const internalCertificate = {
 		fs.unlinkSync(testChallengeFile);
 
 		return results;
-	},
-
-	getAdditionalCertbotArgs: (certificate_id, dns_provider) => {
-		const args = [];
-		if (letsencryptServer !== null) {
-			args.push('--server', letsencryptServer);
-		}
-		if (letsencryptStaging && letsencryptServer === null) {
-			args.push('--staging');
-		}
-
-		// For route53, add the credentials file as an environment variable,
-		// inheriting the process env
-		const opts = {};
-		if (certificate_id && dns_provider === 'route53') {
-			opts.env                 = process.env;
-			opts.env.AWS_CONFIG_FILE = `/etc/letsencrypt/credentials/credentials-${certificate_id}`;
-		}
-
-		if (dns_provider === 'duckdns') {
-			args.push('--dns-duckdns-no-txt-restore');
-		}
-
-		return {args: args, opts: opts};
-	},
-
-	getLiveCertPath: (certificate_id) => {
-		return `/etc/letsencrypt/live/npm-${certificate_id}`;
 	}
 };
 

backend/internal/mfa.js

@@ -0,0 +1,97 @@
+const authModel = require('../models/auth');
+const error     = require('../lib/error');
+const speakeasy = require('speakeasy');
+
+module.exports = {
+	validateMfaTokenForUser: (userId, token) => {
+		return authModel
+			.query()
+			.where('user_id', userId)
+			.first()
+			.then((auth) => {
+				if (!auth || !auth.mfa_enabled) {
+					throw new error.AuthError('MFA is not enabled for this user.');
+				}
+				const verified = speakeasy.totp.verify({
+					secret:   auth.mfa_secret,
+					encoding: 'base32',
+					token:    token,
+					window:   2
+				});
+				if (!verified) {
+					throw new error.AuthError('Invalid MFA token.');
+				}
+				return true;
+			});
+	},
+	isMfaEnabledForUser: (userId) => {
+		return authModel
+			.query()
+			.where('user_id', userId)
+			.first()
+			.then((auth) => {
+				console.log(auth);
+				if (!auth) {
+					throw new error.AuthError('User not found.');
+				}
+				return auth.mfa_enabled === true;
+			});
+	},
+	createMfaSecretForUser: (userId) => {
+		const secret = speakeasy.generateSecret({ length: 20 });
+		console.log(secret);
+		return authModel
+			.query()
+			.where('user_id', userId)
+			.update({
+				mfa_secret: secret.base32
+			})
+			.then(() => secret);
+	},
+	enableMfaForUser: (userId, token) => {
+		return authModel
+			.query()
+			.where('user_id', userId)
+			.first()
+			.then((auth) => {
+				if (!auth || !auth.mfa_secret) {
+					throw new error.AuthError('MFA is not set up for this user.');
+				}
+				const verified = speakeasy.totp.verify({
+					secret:   auth.mfa_secret,
+					encoding: 'base32',
+					token:    token,
+					window:   2
+				});
+				if (!verified) {
+					throw new error.AuthError('Invalid MFA token.');
+				}
+				return authModel
+					.query()
+					.where('user_id', userId)
+					.update({ mfa_enabled: true })
+					.then(() => true);
+			});
+	},
+	disableMfaForUser: (data, userId) => {
+		return authModel
+			.query()
+			.where('user_id', userId)
+			.first()
+			.then((auth) => {
+				if (!auth) {
+					throw new error.AuthError('User not found.');
+				}
+				return auth.verifyPassword(data.secret)
+					.then((valid) => {
+						if (!valid) {
+							throw new error.AuthError('Invalid password.');
+						}
+						return authModel
+							.query()
+							.where('user_id', userId)
+							.update({ mfa_enabled: false, mfa_secret: null });
+					});
+			});
+	},
+};

backend/internal/nginx.js

@@ -1,5 +1,5 @@
 const _      = require('lodash');
-const fs     = require('node:fs');
+const fs     = require('fs');
 const logger = require('../logger').nginx;
 const config = require('../lib/config');
 const utils  = require('../lib/utils');
@@ -57,9 +57,9 @@ const internalNginx = {
 						// It will always look like this:
 						//   nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (6: No such device or address)
 
-						const valid_lines = [];
+						let valid_lines = [];
-						const err_lines   = err.message.split('\n');
+						let err_lines   = err.message.split('\n');
-						err_lines.map((line) => {
+						err_lines.map(function (line) {
 							if (line.indexOf('/var/log/nginx/error.log') === -1) {
 								valid_lines.push(line);
 							}
@@ -105,7 +105,7 @@ const internalNginx = {
 			logger.info('Testing Nginx configuration');
 		}
 
-		return utils.execFile('/usr/sbin/nginx', ['-t', '-g', 'error_log off;']);
+		return utils.exec('/usr/sbin/nginx -t -g "error_log off;"');
 	},
 
 	/**
@@ -115,7 +115,7 @@ const internalNginx = {
 		return internalNginx.test()
 			.then(() => {
 				logger.info('Reloading Nginx');
-				return utils.execFile('/usr/sbin/nginx', ['-s', 'reload']);
+				return utils.exec('/usr/sbin/nginx -s reload');
 			});
 	},
 
@@ -128,7 +128,7 @@ const internalNginx = {
 		if (host_type === 'default') {
 			return '/data/nginx/default_host/site.conf';
 		}
-		return `/data/nginx/${internalNginx.getFileFriendlyHostType(host_type)}/${host_id}.conf`;
+		return '/data/nginx/' + internalNginx.getFileFriendlyHostType(host_type) + '/' + host_id + '.conf';
 	},
 
 	/**
@@ -141,7 +141,7 @@ const internalNginx = {
 			let template;
 
 			try {
-				template = fs.readFileSync(`${__dirname}/../templates/_location.conf`, {encoding: 'utf8'});
+				template = fs.readFileSync(__dirname + '/../templates/_location.conf', {encoding: 'utf8'});
 			} catch (err) {
 				reject(new error.ConfigurationError(err.message));
 				return;
@@ -152,7 +152,7 @@ const internalNginx = {
 
 			const locationRendering = async () => {
 				for (let i = 0; i < host.locations.length; i++) {
-					const locationCopy = Object.assign({}, {access_list_id: host.access_list_id}, {certificate_id: host.certificate_id},
+					let locationCopy = Object.assign({}, {access_list_id: host.access_list_id}, {certificate_id: host.certificate_id},
 						{ssl_forced: host.ssl_forced}, {caching_enabled: host.caching_enabled}, {block_exploits: host.block_exploits},
 						{allow_websocket_upgrade: host.allow_websocket_upgrade}, {http2_support: host.http2_support},
 						{hsts_enabled: host.hsts_enabled}, {hsts_subdomains: host.hsts_subdomains}, {access_list: host.access_list},
@@ -183,21 +183,21 @@ const internalNginx = {
 	 */
 	generateConfig: (host_type, host_row) => {
 		// Prevent modifying the original object:
-		const host           = JSON.parse(JSON.stringify(host_row));
+		let host             = JSON.parse(JSON.stringify(host_row));
 		const nice_host_type = internalNginx.getFileFriendlyHostType(host_type);
 
 		if (config.debug()) {
-			logger.info(`Generating ${nice_host_type} Config:`, JSON.stringify(host, null, 2));
+			logger.info('Generating ' + nice_host_type + ' Config:', JSON.stringify(host, null, 2));
 		}
 
 		const renderEngine = utils.getRenderEngine();
 
 		return new Promise((resolve, reject) => {
-			let template   = null;
+			let template = null;
-			const filename = internalNginx.getConfigName(nice_host_type, host.id);
+			let filename = internalNginx.getConfigName(nice_host_type, host.id);
 
 			try {
-				template = fs.readFileSync(`${__dirname}/../templates/${nice_host_type}.conf`, {encoding: 'utf8'});
+				template = fs.readFileSync(__dirname + '/../templates/' + nice_host_type + '.conf', {encoding: 'utf8'});
 			} catch (err) {
 				reject(new error.ConfigurationError(err.message));
 				return;
@@ -252,7 +252,7 @@ const internalNginx = {
 					})
 					.catch((err) => {
 						if (config.debug()) {
-							logger.warn(`Could not write ${filename}:`, err.message);
+							logger.warn('Could not write ' + filename + ':', err.message);
 						}
 
 						reject(new error.ConfigurationError(err.message));
@@ -277,11 +277,11 @@ const internalNginx = {
 		const renderEngine = utils.getRenderEngine();
 
 		return new Promise((resolve, reject) => {
-			let template   = null;
+			let template = null;
-			const filename = `/data/nginx/temp/letsencrypt_${certificate.id}.conf`;
+			let filename = '/data/nginx/temp/letsencrypt_' + certificate.id + '.conf';
 
 			try {
-				template = fs.readFileSync(`${__dirname}/../templates/letsencrypt-request.conf`, {encoding: 'utf8'});
+				template = fs.readFileSync(__dirname + '/../templates/letsencrypt-request.conf', {encoding: 'utf8'});
 			} catch (err) {
 				reject(new error.ConfigurationError(err.message));
 				return;
@@ -302,7 +302,7 @@ const internalNginx = {
 				})
 				.catch((err) => {
 					if (config.debug()) {
-						logger.warn(`Could not write ${filename}:`, err.message);
+						logger.warn('Could not write ' + filename + ':', err.message);
 					}
 
 					reject(new error.ConfigurationError(err.message));
@@ -316,7 +316,7 @@ const internalNginx = {
 	 * @param   {String}  filename
 	 */
 	deleteFile: (filename) => {
-		logger.debug(`Deleting file: ${filename}`);
+		logger.debug('Deleting file: ' + filename);
 		try {
 			fs.unlinkSync(filename);
 		} catch (err) {
@@ -330,7 +330,7 @@ const internalNginx = {
 	 * @returns String
 	 */
 	getFileFriendlyHostType: (host_type) => {
-		return host_type.replace(/-/g, '_');
+		return host_type.replace(new RegExp('-', 'g'), '_');
 	},
 
 	/**
@@ -340,7 +340,7 @@ const internalNginx = {
 	 * @returns {Promise}
 	 */
 	deleteLetsEncryptRequestConfig: (certificate) => {
-		const config_file = `/data/nginx/temp/letsencrypt_${certificate.id}.conf`;
+		const config_file = '/data/nginx/temp/letsencrypt_' + certificate.id + '.conf';
 		return new Promise((resolve/*, reject*/) => {
 			internalNginx.deleteFile(config_file);
 			resolve();
@@ -355,7 +355,7 @@ const internalNginx = {
 	 */
 	deleteConfig: (host_type, host, delete_err_file) => {
 		const config_file     = internalNginx.getConfigName(internalNginx.getFileFriendlyHostType(host_type), typeof host === 'undefined' ? 0 : host.id);
-		const config_file_err = `${config_file}.err`;
+		const config_file_err = config_file + '.err';
 
 		return new Promise((resolve/*, reject*/) => {
 			internalNginx.deleteFile(config_file);
@@ -373,7 +373,7 @@ const internalNginx = {
 	 */
 	renameConfigAsError: (host_type, host) => {
 		const config_file     = internalNginx.getConfigName(internalNginx.getFileFriendlyHostType(host_type), typeof host === 'undefined' ? 0 : host.id);
-		const config_file_err = `${config_file}.err`;
+		const config_file_err = config_file + '.err';
 
 		return new Promise((resolve/*, reject*/) => {
 			fs.unlink(config_file, () => {
@@ -392,8 +392,8 @@ const internalNginx = {
 	 * @returns {Promise}
 	 */
 	bulkGenerateConfigs: (host_type, hosts) => {
-		const promises = [];
+		let promises = [];
-		hosts.map((host) => {
+		hosts.map(function (host) {
 			promises.push(internalNginx.generateConfig(host_type, host));
 		});
 
@@ -406,8 +406,8 @@ const internalNginx = {
 	 * @returns {Promise}
 	 */
 	bulkDeleteConfigs: (host_type, hosts) => {
-		const promises = [];
+		let promises = [];
-		hosts.map((host) => {
+		hosts.map(function (host) {
 			promises.push(internalNginx.deleteConfig(host_type, host, true));
 		});
 
@@ -418,12 +418,14 @@ const internalNginx = {
 	 * @param   {string}  config
 	 * @returns {boolean}
 	 */
-	advancedConfigHasDefaultLocation: (cfg) => !!cfg.match(/^(?:.*;)?\s*?location\s*?\/\s*?{/im),
+	advancedConfigHasDefaultLocation: function (cfg) {
+		return !!cfg.match(/^(?:.*;)?\s*?location\s*?\/\s*?{/im);
+	},
 
 	/**
 	 * @returns {boolean}
 	 */
-	ipv6Enabled: () => {
+	ipv6Enabled: function () {
 		if (typeof process.env.DISABLE_IPV6 !== 'undefined') {
 			const disabled = process.env.DISABLE_IPV6.toLowerCase();
 			return !(disabled === 'on' || disabled === 'true' || disabled === '1' || disabled === 'yes');

backend/internal/stream.js

@@ -369,7 +369,7 @@ const internalStream = {
 					.where('is_deleted', 0)
 					.groupBy('id')
 					.allowGraph('[owner,certificate]')
-					.orderBy('incoming_port', 'ASC');
+					.orderByRaw('CAST(incoming_port AS INTEGER) ASC');
 
 				if (access_data.permission_visibility !== 'all') {
 					query.andWhere('owner_user_id', access.token.getUserId(1));

backend/internal/token.js

@@ -4,6 +4,7 @@ const userModel  = require('../models/user');
 const authModel  = require('../models/auth');
 const helpers    = require('../lib/helpers');
 const TokenModel = require('../models/token');
+const mfa        = require('../internal/mfa'); // <-- added MFA import
 
 const ERROR_MESSAGE_INVALID_AUTH = 'Invalid email or password';
 
@@ -21,6 +22,8 @@ module.exports = {
 	getTokenFromEmail: (data, issuer) => {
 		let Token = new TokenModel();
 
+		console.log(data);
+
 		data.scope  = data.scope || 'user';
 		data.expiry = data.expiry || '1d';
 
@@ -41,34 +44,66 @@ module.exports = {
 						.then((auth) => {
 							if (auth) {
 								return auth.verifyPassword(data.secret)
-									.then((valid) => {
+									.then(async (valid) => {
 										if (valid) {
-
 											if (data.scope !== 'user' && _.indexOf(user.roles, data.scope) === -1) {
-												// The scope requested doesn't exist as a role against the user,
-												// you shall not pass.
 												throw new error.AuthError('Invalid scope: ' + data.scope);
 											}
+											return await mfa.isMfaEnabledForUser(user.id)
+												.then((mfaEnabled) => {
+													if (mfaEnabled) {
+														if (!data.mfa_token) {
+															throw new error.AuthError('MFA token required');
+														}
+														console.log(data.mfa_token);
+														return mfa.validateMfaTokenForUser(user.id, data.mfa_token)
+															.then((mfaValid) => {
+																if (!mfaValid) {
+																	throw new error.AuthError('Invalid MFA token');
+																}
+																// Create a moment of the expiry expression
+																let expiry = helpers.parseDatePeriod(data.expiry);
+																if (expiry === null) {
+																	throw new error.AuthError('Invalid expiry time: ' + data.expiry);
+																}
 
-											// Create a moment of the expiry expression
+																return Token.create({
-											let expiry = helpers.parseDatePeriod(data.expiry);
+																	iss:   issuer || 'api',
-											if (expiry === null) {
+																	attrs: {
-												throw new error.AuthError('Invalid expiry time: ' + data.expiry);
+																		id: user.id
-											}
+																	},
+																	scope:     [data.scope],
+																	expiresIn: data.expiry
+																})
+																	.then((signed) => {
+																		return {
+																			token:   signed.token,
+																			expires: expiry.toISOString()
+																		};
+																	});
+															});
+													} else {
+														// Create a moment of the expiry expression
+														let expiry = helpers.parseDatePeriod(data.expiry);
+														if (expiry === null) {
+															throw new error.AuthError('Invalid expiry time: ' + data.expiry);
+														}
 
-											return Token.create({
+														return Token.create({
-												iss:   issuer || 'api',
+															iss:   issuer || 'api',
-												attrs: {
+															attrs: {
-													id: user.id
+																id: user.id
-												},
+															},
-												scope:     [data.scope],
+															scope:     [data.scope],
-												expiresIn: data.expiry
+															expiresIn: data.expiry
-											})
+														})
-												.then((signed) => {
+															.then((signed) => {
-													return {
+																return {
-														token:   signed.token,
+																	token:   signed.token,
-														expires: expiry.toISOString()
+																	expires: expiry.toISOString()
-													};
+																};
+															});
+													}
 												});
 										} else {
 											throw new error.AuthError(ERROR_MESSAGE_INVALID_AUTH);

backend/internal/user.js

@@ -507,7 +507,8 @@ const internalUser = {
 			.then((user) => {
 				return internalToken.getTokenFromUser(user);
 			});
-	}
+	},
+
 };
 
 module.exports = internalUser;

backend/lib/certbot.js

@@ -11,7 +11,7 @@ const certbot = {
 	/**
 	 * @param {array} pluginKeys
 	 */
-	installPlugins: async (pluginKeys) => {
+	installPlugins: async function (pluginKeys) {
 		let hasErrors = false;
 
 		return new Promise((resolve, reject) => {
@@ -21,7 +21,7 @@ const certbot = {
 			}
 
 			batchflow(pluginKeys).sequential()
-				.each((_i, pluginKey, next) => {
+				.each((i, pluginKey, next) => {
 					certbot.installPlugin(pluginKey)
 						.then(() => {
 							next();
@@ -51,7 +51,7 @@ const certbot = {
 	 * @param   {string}  pluginKey
 	 * @returns {Object}
 	 */
-	installPlugin: async (pluginKey) => {
+	installPlugin: async function (pluginKey) {
 		if (typeof dnsPlugins[pluginKey] === 'undefined') {
 			// throw Error(`Certbot plugin ${pluginKey} not found`);
 			throw new error.ItemNotFoundError(pluginKey);
@@ -63,15 +63,8 @@ const certbot = {
 		plugin.version      = plugin.version.replace(/{{certbot-version}}/g, CERTBOT_VERSION_REPLACEMENT);
 		plugin.dependencies = plugin.dependencies.replace(/{{certbot-version}}/g, CERTBOT_VERSION_REPLACEMENT);
 
-		// SETUPTOOLS_USE_DISTUTILS is required for certbot plugins to install correctly
+		const cmd = '. /opt/certbot/bin/activate && pip install --no-cache-dir ' + plugin.dependencies + ' ' + plugin.package_name + plugin.version + ' ' + ' && deactivate';
-		// in new versions of Python
+		return utils.exec(cmd)
-		let env = Object.assign({}, process.env, {SETUPTOOLS_USE_DISTUTILS: 'stdlib'});
-		if (typeof plugin.env === 'object') {
-			env = Object.assign(env, plugin.env);
-		}
-
-		const cmd = `. /opt/certbot/bin/activate && pip install --no-cache-dir ${plugin.dependencies} ${plugin.package_name}${plugin.version}  && deactivate`;
-		return utils.exec(cmd, {env})
 			.then((result) => {
 				logger.complete(`Installed ${pluginKey}`);
 				return result;

backend/lib/utils.js

@@ -1,13 +1,13 @@
 const _          = require('lodash');
-const exec       = require('node:child_process').exec;
+const exec       = require('child_process').exec;
-const execFile   = require('node:child_process').execFile;
+const execFile   = require('child_process').execFile;
 const { Liquid } = require('liquidjs');
 const logger     = require('../logger').global;
 const error      = require('./error');
 
 module.exports = {
 
-	exec: async (cmd, options = {}) => {
+	exec: async function(cmd, options = {}) {
 		logger.debug('CMD:', cmd);
 
 		const { stdout, stderr } = await new Promise((resolve, reject) => {
@@ -29,19 +29,15 @@ module.exports = {
 	/**
 	 * @param   {String} cmd
 	 * @param   {Array}  args
-	 * @param   {Object|undefined}  options
 	 * @returns {Promise}
 	 */
-	execFile: (cmd, args, options) => {
+	execFile: function (cmd, args) {
-		logger.debug(`CMD: ${cmd} ${args ? args.join(' ') : ''}`);
+		// logger.debug('CMD: ' + cmd + ' ' + (args ? args.join(' ') : ''));
-		if (typeof options === 'undefined') {
-			options = {};
-		}
 
 		return new Promise((resolve, reject) => {
-			execFile(cmd, args, options, (err, stdout, stderr) => {
+			execFile(cmd, args, function (err, stdout, /*stderr*/) {
 				if (err && typeof err === 'object') {
-					reject(new error.CommandError(stderr, 1, err));
+					reject(err);
 				} else {
 					resolve(stdout.trim());
 				}
@@ -55,7 +51,7 @@ module.exports = {
 	 * @param   {Array}  omissions
 	 * @returns {Function}
 	 */
-	omitRow: (omissions) => {
+	omitRow: function (omissions) {
 		/**
 		 * @param   {Object} row
 		 * @returns {Object}
@@ -71,7 +67,7 @@ module.exports = {
 	 * @param   {Array}  omissions
 	 * @returns {Function}
 	 */
-	omitRows: (omissions) => {
+	omitRows: function (omissions) {
 		/**
 		 * @param   {Array} rows
 		 * @returns {Object}
@@ -87,9 +83,9 @@ module.exports = {
 	/**
 	 * @returns {Object} Liquid render engine
 	 */
-	getRenderEngine: () => {
+	getRenderEngine: function () {
 		const renderEngine = new Liquid({
-			root: `${__dirname}/../templates/`
+			root: __dirname + '/../templates/'
 		});
 
 		/**

backend/migrations/20250115041439_mfa_integeration.js

@@ -0,0 +1,45 @@
+const migrate_name = 'identifier_for_migrate';
+const logger       = require('../logger').migrate;
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param {Object} knex
+ * @param {Promise} Promise
+ * @returns {Promise}
+ */
+exports.up = function (knex/*, Promise*/) {
+
+	logger.info('[' + migrate_name + '] Migrating Up...');
+
+	return knex.schema.alterTable('auth', (table) => {
+		table.string('mfa_secret');
+		table.boolean('mfa_enabled').defaultTo(false);
+	})
+		.then(() => {
+			logger.info('[' + migrate_name + '] User Table altered');
+			logger.info('[' + migrate_name + '] Migrating Up Complete');
+		});
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param {Object} knex
+ * @param {Promise} Promise
+ * @returns {Promise}
+ */
+exports.down = function (knex/*, Promise*/) {
+	logger.info('[' + migrate_name + '] Migrating Down...');
+
+	return knex.schema.alterTable('auth', (table) => {
+		table.dropColumn('mfa_key');
+		table.dropColumn('mfa_enabled');
+	})
+		.then(() => {
+			logger.info('[' + migrate_name + '] User Table altered');
+			logger.info('[' + migrate_name + '] Migrating Down Complete');
+		});
+};

backend/models/dead_host.js

@@ -12,11 +12,7 @@ Model.knex(db);
 
 const boolFields = [
 	'is_deleted',
-	'ssl_forced',
-	'http2_support',
 	'enabled',
-	'hsts_enabled',
-	'hsts_subdomains',
 ];
 
 class DeadHost extends Model {

backend/models/stream.js

@@ -8,8 +8,8 @@ const now         = require('./now_helper');
 Model.knex(db);
 
 const boolFields = [
-	'is_deleted',
 	'enabled',
+	'is_deleted',
 	'tcp_forwarding',
 	'udp_forwarding',
 ];

backend/package.json

@@ -23,8 +23,10 @@
 		"node-rsa": "^1.0.8",
 		"objection": "3.0.1",
 		"path": "^0.12.7",
+		"qrcode": "^1.5.4",
 		"pg": "^8.13.1",
 		"signale": "1.4.0",
+		"speakeasy": "^2.0.0",
 		"sqlite3": "5.1.6",
 		"temp-write": "^4.0.0"
 	},

backend/routes/main.js

@@ -27,6 +27,7 @@ router.get('/', (req, res/*, next*/) => {
 
 router.use('/schema', require('./schema'));
 router.use('/tokens', require('./tokens'));
+router.use('/mfa', require('./mfa'));
 router.use('/users', require('./users'));
 router.use('/audit-log', require('./audit-log'));
 router.use('/reports', require('./reports'));

backend/routes/mfa.js

@@ -0,0 +1,81 @@
+const express      = require('express');
+const jwtdecode    = require('../lib/express/jwt-decode');
+const apiValidator = require('../lib/validator/api');
+const schema       = require('../schema');
+const internalMfa  = require('../internal/mfa');
+const qrcode       = require('qrcode');
+const speakeasy    = require('speakeasy');
+const userModel    = require('../models/user');
+
+let router = express.Router({
+	caseSensitive: true,
+	strict:        true,
+	mergeParams:   true
+});
+
+router
+	.route('/create')
+	.post(jwtdecode(), (req, res, next) => {
+		if (!res.locals.access) {
+			return next(new Error('Invalid token'));
+		}
+		const userId = res.locals.access.token.getUserId();
+		internalMfa.createMfaSecretForUser(userId)
+			.then((secret) => {
+				return userModel.query()
+					.where('id', '=', userId)
+					.first()
+					.then((user) => {
+						if (!user) {
+							return next(new Error('User not found'));
+						}
+						return { secret, user };
+					});
+			})
+			.then(({ secret, user }) => {
+				const otpAuthUrl = speakeasy.otpauthURL({
+					secret: secret.ascii,
+					label:  user.email,
+					issuer: 'Nginx Proxy Manager'
+				});
+				qrcode.toDataURL(otpAuthUrl, (err, dataUrl) => {
+					if (err) {
+						console.error('Error generating QR code:', err);
+						return next(err);
+					}
+					res.status(200).send({ qrCode: dataUrl });
+				});
+			})
+			.catch(next);
+	});
+
+router
+	.route('/enable')
+	.post(jwtdecode(), (req, res, next) => {
+		apiValidator(schema.getValidationSchema('/mfa/enable', 'post'), req.body).then((params) => {
+			internalMfa.enableMfaForUser(res.locals.access.token.getUserId(), params.token)
+				.then(() => res.status(200).send({ success: true }))
+				.catch(next);
+		}
+		).catch(next);
+	});
+
+router
+	.route('/check')
+	.get(jwtdecode(), (req, res, next) => {
+		internalMfa.isMfaEnabledForUser(res.locals.access.token.getUserId())
+			.then((active) => res.status(200).send({ active }))
+			.catch(next);
+	});
+
+router
+	.route('/delete')
+	.delete(jwtdecode(), (req, res, next) => {
+		apiValidator(schema.getValidationSchema('/mfa/delete', 'delete'), req.body).then((params) => {
+			internalMfa.disableMfaForUser(params, res.locals.access.token.getUserId())
+				.then(() => res.status(200).send({ success: true }))
+				.catch(next);
+		}).catch(next);
+	});
+
+module.exports = router;

backend/routes/nginx/certificates.js

@@ -6,7 +6,7 @@ const apiValidator        = require('../../lib/validator/api');
 const internalCertificate = require('../../internal/certificate');
 const schema              = require('../../schema');
 
-const router = express.Router({
+let router = express.Router({
 	caseSensitive: true,
 	strict:        true,
 	mergeParams:   true
@@ -231,7 +231,7 @@ router
  */
 router
 	.route('/:certificate_id/download')
-	.options((_req, res) => {
+	.options((req, res) => {
 		res.sendStatus(204);
 	})
 	.all(jwtdecode())

backend/routes/users.js

@@ -181,7 +181,7 @@ router
 				return internalUser.setPassword(res.locals.access, payload);
 			})
 			.then((result) => {
-				res.status(200)
+				res.status(201)
 					.send(result);
 			})
 			.catch(next);
@@ -212,7 +212,7 @@ router
 				return internalUser.setPermissions(res.locals.access, payload);
 			})
 			.then((result) => {
-				res.status(200)
+				res.status(201)
 					.send(result);
 			})
 			.catch(next);
@@ -238,7 +238,7 @@ router
 	.post((req, res, next) => {
 		internalUser.loginAs(res.locals.access, {id: parseInt(req.params.user_id, 10)})
 			.then((result) => {
-				res.status(200)
+				res.status(201)
 					.send(result);
 			})
 			.catch(next);

backend/schema/common.json

@@ -110,11 +110,6 @@
 		"caching_enabled": {
 			"description": "Should we cache assets",
 			"type": "boolean"
-		},
-		"email": {
-			"description": "Email address",
-			"type": "string",
-			"pattern": "^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$"
 		}
 	}
 }

backend/schema/components/certificate-object.json

@@ -69,7 +69,7 @@
 					"type": "object"
 				},
 				"letsencrypt_email": {
-					"$ref": "../common.json#/properties/email"
+					"type": "string"
 				},
 				"propagation_seconds": {
 					"type": "integer",

backend/schema/components/proxy-host-object.json

@@ -22,7 +22,8 @@
 		"enabled",
 		"locations",
 		"hsts_enabled",
-		"hsts_subdomains"
+		"hsts_subdomains",
+		"certificate"
 	],
 	"additionalProperties": false,
 	"properties": {

backend/schema/components/stream-list.json

@@ -1,7 +1,7 @@
 {
 	"type": "array",
-	"description": "Streams list",
+	"description": "Proxy Hosts list",
 	"items": {
-		"$ref": "./stream-object.json"
+		"$ref": "./proxy-host-object.json"
 	}
 }

backend/schema/paths/mfa/delete/delete.json

@@ -0,0 +1,44 @@
+{
+    "operationId": "disableMfa",
+    "summary": "Disable multi-factor authentication for a user",
+    "tags": [
+        "MFA"
+    ],
+    "requestBody": {
+        "description": "Payload to disable MFA",
+        "required": true,
+        "content": {
+            "application/json": {
+                "schema": {
+                    "additionalProperties": false,
+                    "properties": {
+                        "secret": {
+                            "type": "string",
+                            "minLength": 1
+                        }
+                    },
+                    "required": [
+                        "secret"
+                    ]
+                }
+            }
+        }
+    },
+    "responses": {
+        "200": {
+            "description": "MFA disabled successfully",
+            "content": {
+                "application/json": {
+                    "schema": {
+                        "type": "object",
+                        "properties": {
+                            "success": {
+                                "type": "boolean"
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+}

backend/schema/paths/mfa/enable/post.json

@@ -0,0 +1,44 @@
+{
+	"operationId": "enableMfa",
+	"summary": "Enable multi-factor authentication for a user",
+	"tags": [
+		"MFA"
+	],
+	"requestBody": {
+		"description": "MFA Token Payload",
+		"required": true,
+		"content": {
+			"application/json": {
+				"schema": {
+					"additionalProperties": false,
+					"properties": {
+						"token": {
+							"type": "string",
+							"minLength": 1
+						}
+					},
+					"required": [
+						"token"
+					]
+				}
+			}
+		}
+	},
+	"responses": {
+		"200": {
+			"description": "MFA enabled successfully",
+			"content": {
+				"application/json": {
+					"schema": {
+						"type": "object",
+						"properties": {
+							"success": {
+								"type": "boolean"
+							}
+						}
+					}
+				}
+			}
+		}
+	}
+}

backend/schema/paths/tokens/post.json

@@ -22,6 +22,10 @@
 						"secret": {
 							"minLength": 1,
 							"type": "string"
+						},
+						"mfa_token": {
+							"minLength": 1,
+							"type": "string"
 						}
 					},
 					"required": ["identity", "secret"],

backend/schema/paths/users/post.json

@@ -14,7 +14,7 @@
 			"application/json": {
 				"schema": {
 					"type": "object",
-					"additionalProperties": false,
+					"additionalProperties": true,
 					"required": ["name", "nickname", "email"],
 					"properties": {
 						"name": {

backend/schema/swagger.json

@@ -9,21 +9,22 @@
 			"url": "http://127.0.0.1:81/api"
 		}
 	],
-	"components": {
-		"securitySchemes": {
-			"bearerAuth": {
-				"type": "http",
-				"scheme": "bearer",
-				"bearerFormat": "JWT"
-			}
-		}
-	},
 	"paths": {
 		"/": {
 			"get": {
 				"$ref": "./paths/get.json"
 			}
 		},
+		"/mfa/enable": {
+			"post": {
+				"$ref": "./paths/mfa/enable/post.json"
+			}
+		},
+		"/mfa/delete": {
+			"delete": {
+				"$ref": "./paths/mfa/delete/delete.json"
+			}
+		},
 		"/audit-log": {
 			"get": {
 				"$ref": "./paths/audit-log/get.json"

backend/setup.js

@@ -21,10 +21,10 @@ const setupDefaultUser = () => {
 		.then((row) => {
 			if (!row || !row.id) {
 				// Create a new user and set password
-				const email    = (process.env.INITIAL_ADMIN_EMAIL || 'admin@example.com').toLowerCase();
+				const email    = process.env.INITIAL_ADMIN_EMAIL || 'admin@example.com';
 				const password = process.env.INITIAL_ADMIN_PASSWORD || 'changeme';
 
-				logger.info(`Creating a new user: ${email} with password: ${password}`);
+				logger.info('Creating a new user: ' + email + ' with password: ' + password);
 
 				const data = {
 					is_deleted: 0,
@@ -113,20 +113,20 @@ const setupCertbotPlugins = () => {
 		.andWhere('provider', 'letsencrypt')
 		.then((certificates) => {
 			if (certificates && certificates.length) {
-				const plugins  = [];
+				let plugins  = [];
-				const promises = [];
+				let promises = [];
 
-				certificates.map((certificate) => {
+				certificates.map(function (certificate) {
 					if (certificate.meta && certificate.meta.dns_challenge === true) {
 						if (plugins.indexOf(certificate.meta.dns_provider) === -1) {
 							plugins.push(certificate.meta.dns_provider);
 						}
 
 						// Make sure credentials file exists
-						const credentials_loc = `/etc/letsencrypt/credentials/credentials-${certificate.id}`;
+						const credentials_loc = '/etc/letsencrypt/credentials/credentials-' + certificate.id;
 						// Escape single quotes and backslashes
 						const escapedCredentials = certificate.meta.dns_provider_credentials.replaceAll('\'', '\\\'').replaceAll('\\', '\\\\');
-						const credentials_cmd    = `[ -f '${credentials_loc}' ] || { mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo '${escapedCredentials}' > '${credentials_loc}' && chmod 600 '${credentials_loc}'; }`;
+						const credentials_cmd    = '[ -f \'' + credentials_loc + '\' ] || { mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo \'' + escapedCredentials + '\' > \'' + credentials_loc + '\' && chmod 600 \'' + credentials_loc + '\'; }';
 						promises.push(utils.exec(credentials_cmd));
 					}
 				});
@@ -136,7 +136,7 @@ const setupCertbotPlugins = () => {
 						if (promises.length) {
 							return Promise.all(promises)
 								.then(() => {
-									logger.info(`Added Certbot plugins ${plugins.join(', ')}`);
+									logger.info('Added Certbot plugins ' + plugins.join(', '));
 								});
 						}
 					});
@@ -165,7 +165,9 @@ const setupLogrotation = () => {
 	return runLogrotate();
 };
 
-module.exports = () => setupDefaultUser()
+module.exports = function () {
-	.then(setupDefaultSettings)
+	return setupDefaultUser()
-	.then(setupCertbotPlugins)
+		.then(setupDefaultSettings)
-	.then(setupLogrotation);
+		.then(setupCertbotPlugins)
+		.then(setupLogrotation);
+};

backend/yarn.lock

@@ -492,9 +492,9 @@ boxen@^4.2.0:
     widest-line "^3.1.0"
 
 brace-expansion@^1.1.7:
-  version "1.1.12"
+  version "1.1.11"
-  resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.12.tgz#ab9b454466e5a8cc3a187beaad580412a9c5b843"
+  resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.11.tgz#3c7fcbf529d87226f3d2f52b966ff5271eb441dd"
-  integrity sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==
+  integrity sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==
   dependencies:
     balanced-match "^1.0.0"
     concat-map "0.0.1"
@@ -2735,67 +2735,11 @@ path@^0.12.7:
     process "^0.11.1"
     util "^0.10.3"
 
-pg-cloudflare@^1.1.1:
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/pg-cloudflare/-/pg-cloudflare-1.1.1.tgz#e6d5833015b170e23ae819e8c5d7eaedb472ca98"
-  integrity sha512-xWPagP/4B6BgFO+EKz3JONXv3YDgvkbVrGw2mTo3D6tVDQRh1e7cqVGvyR3BE+eQgAvx1XhW/iEASj4/jCWl3Q==
-
 pg-connection-string@2.5.0:
   version "2.5.0"
   resolved "https://registry.yarnpkg.com/pg-connection-string/-/pg-connection-string-2.5.0.tgz#538cadd0f7e603fc09a12590f3b8a452c2c0cf34"
   integrity sha512-r5o/V/ORTA6TmUnyWZR9nCj1klXCO2CEKNRlVuJptZe85QuhFayC7WeMic7ndayT5IRIR0S0xFxFi2ousartlQ==
 
-pg-connection-string@^2.7.0:
-  version "2.7.0"
-  resolved "https://registry.yarnpkg.com/pg-connection-string/-/pg-connection-string-2.7.0.tgz#f1d3489e427c62ece022dba98d5262efcb168b37"
-  integrity sha512-PI2W9mv53rXJQEOb8xNR8lH7Hr+EKa6oJa38zsK0S/ky2er16ios1wLKhZyxzD7jUReiWokc9WK5nxSnC7W1TA==
-
-pg-int8@1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/pg-int8/-/pg-int8-1.0.1.tgz#943bd463bf5b71b4170115f80f8efc9a0c0eb78c"
-  integrity sha512-WCtabS6t3c8SkpDBUlb1kjOs7l66xsGdKpIPZsg4wR+B3+u9UAum2odSsF9tnvxg80h4ZxLWMy4pRjOsFIqQpw==
-
-pg-pool@^3.7.0:
-  version "3.7.0"
-  resolved "https://registry.yarnpkg.com/pg-pool/-/pg-pool-3.7.0.tgz#d4d3c7ad640f8c6a2245adc369bafde4ebb8cbec"
-  integrity sha512-ZOBQForurqh4zZWjrgSwwAtzJ7QiRX0ovFkZr2klsen3Nm0aoh33Ls0fzfv3imeH/nw/O27cjdz5kzYJfeGp/g==
-
-pg-protocol@^1.7.0:
-  version "1.7.0"
-  resolved "https://registry.yarnpkg.com/pg-protocol/-/pg-protocol-1.7.0.tgz#ec037c87c20515372692edac8b63cf4405448a93"
-  integrity sha512-hTK/mE36i8fDDhgDFjy6xNOG+LCorxLG3WO17tku+ij6sVHXh1jQUJ8hYAnRhNla4QVD2H8er/FOjc/+EgC6yQ==
-
-pg-types@^2.1.0:
-  version "2.2.0"
-  resolved "https://registry.yarnpkg.com/pg-types/-/pg-types-2.2.0.tgz#2d0250d636454f7cfa3b6ae0382fdfa8063254a3"
-  integrity sha512-qTAAlrEsl8s4OiEQY69wDvcMIdQN6wdz5ojQiOy6YRMuynxenON0O5oCpJI6lshc6scgAY8qvJ2On/p+CXY0GA==
-  dependencies:
-    pg-int8 "1.0.1"
-    postgres-array "~2.0.0"
-    postgres-bytea "~1.0.0"
-    postgres-date "~1.0.4"
-    postgres-interval "^1.1.0"
-
-pg@^8.13.1:
-  version "8.13.1"
-  resolved "https://registry.yarnpkg.com/pg/-/pg-8.13.1.tgz#6498d8b0a87ff76c2df7a32160309d3168c0c080"
-  integrity sha512-OUir1A0rPNZlX//c7ksiu7crsGZTKSOXJPgtNiHGIlC9H0lO+NC6ZDYksSgBYY/thSWhnSRBv8w1lieNNGATNQ==
-  dependencies:
-    pg-connection-string "^2.7.0"
-    pg-pool "^3.7.0"
-    pg-protocol "^1.7.0"
-    pg-types "^2.1.0"
-    pgpass "1.x"
-  optionalDependencies:
-    pg-cloudflare "^1.1.1"
-
-pgpass@1.x:
-  version "1.0.5"
-  resolved "https://registry.yarnpkg.com/pgpass/-/pgpass-1.0.5.tgz#9b873e4a564bb10fa7a7dbd55312728d422a223d"
-  integrity sha512-FdW9r/jQZhSeohs1Z3sI1yxFQNFvMcnmfuj4WBMUTxOrAyLMaTcE1aAMBiTlbMNaXvBCQuVi0R7hd8udDSP7ug==
-  dependencies:
-    split2 "^4.1.0"
-
 picomatch@^2.0.4, picomatch@^2.2.1:
   version "2.2.2"
   resolved "https://registry.yarnpkg.com/picomatch/-/picomatch-2.2.2.tgz#21f333e9b6b8eaff02468f5146ea406d345f4dad"
@@ -2814,28 +2758,6 @@ pkg-conf@^2.1.0:
     find-up "^2.0.0"
     load-json-file "^4.0.0"
 
-postgres-array@~2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/postgres-array/-/postgres-array-2.0.0.tgz#48f8fce054fbc69671999329b8834b772652d82e"
-  integrity sha512-VpZrUqU5A69eQyW2c5CA1jtLecCsN2U/bD6VilrFDWq5+5UIEVO7nazS3TEcHf1zuPYO/sqGvUvW62g86RXZuA==
-
-postgres-bytea@~1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/postgres-bytea/-/postgres-bytea-1.0.0.tgz#027b533c0aa890e26d172d47cf9ccecc521acd35"
-  integrity sha512-xy3pmLuQqRBZBXDULy7KbaitYqLcmxigw14Q5sj8QBVLqEwXfeybIKVWiqAXTlcvdvb0+xkOtDbfQMOf4lST1w==
-
-postgres-date@~1.0.4:
-  version "1.0.7"
-  resolved "https://registry.yarnpkg.com/postgres-date/-/postgres-date-1.0.7.tgz#51bc086006005e5061c591cee727f2531bf641a8"
-  integrity sha512-suDmjLVQg78nMK2UZ454hAG+OAW+HQPZ6n++TNDUX+L0+uUlLywnoxJKDou51Zm+zTCjrCl0Nq6J9C5hP9vK/Q==
-
-postgres-interval@^1.1.0:
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/postgres-interval/-/postgres-interval-1.2.0.tgz#b460c82cb1587507788819a06aa0fffdb3544695"
-  integrity sha512-9ZhXKM/rw350N1ovuWHbGxnGh/SNJ4cnxHiM0rxE4VN41wsg8P8zWn9hv/buK00RP4WvlOyr/RBDiptyxVbkZQ==
-  dependencies:
-    xtend "^4.0.0"
-
 prelude-ls@^1.2.1:
   version "1.2.1"
   resolved "https://registry.yarnpkg.com/prelude-ls/-/prelude-ls-1.2.1.tgz#debc6489d7a6e6b0e7611888cec880337d316396"
@@ -3272,11 +3194,6 @@ socks@^2.6.2:
     ip "^2.0.0"
     smart-buffer "^4.2.0"
 
-split2@^4.1.0:
-  version "4.2.0"
-  resolved "https://registry.yarnpkg.com/split2/-/split2-4.2.0.tgz#c9c5920904d148bab0b9f67145f245a86aadbfa4"
-  integrity sha512-UcjcJOWknrNkF6PLX83qcHM6KHgVKNkV62Y8a5uYDVv9ydGQVwAHMKqHdJje1VTWpljG0WYpCDhrCdAOYH4TWg==
-
 sprintf-js@~1.0.2:
   version "1.0.3"
   resolved "https://registry.yarnpkg.com/sprintf-js/-/sprintf-js-1.0.3.tgz#04e6926f662895354f3dd015203633b857297e2c"
@@ -3748,11 +3665,6 @@ xdg-basedir@^4.0.0:
   resolved "https://registry.yarnpkg.com/xdg-basedir/-/xdg-basedir-4.0.0.tgz#4bc8d9984403696225ef83a1573cbbcb4e79db13"
   integrity sha512-PSNhEJDejZYV7h50BohL09Er9VaIefr2LMAf3OEmpCkjOi34eYyQYAXUTjEQtZJTKcF0E2UKTh+osDLsgNim9Q==
 
-xtend@^4.0.0:
-  version "4.0.2"
-  resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.2.tgz#bb72779f5fa465186b1f438f674fa347fdb5db54"
-  integrity sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==
-
 y18n@^4.0.0:
   version "4.0.1"
   resolved "https://registry.yarnpkg.com/y18n/-/y18n-4.0.1.tgz#8db2b83c31c5d75099bb890b23f3094891e247d4"

docker/docker-compose.ci.mysql.yml

@@ -18,7 +18,6 @@ services:
       MYSQL_DATABASE: 'npm'
       MYSQL_USER: 'npm'
       MYSQL_PASSWORD: 'npmpass'
-      MARIADB_AUTO_UPGRADE: '1'
     volumes:
       - mysql_vol:/var/lib/mysql
     networks:

docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh

@@ -8,53 +8,21 @@ log_info 'Setting ownership ...'
 # root
 chown root /tmp/nginx
 
-locations=(
+# npm user and group
-	"/data"
+chown -R "$PUID:$PGID" /data
-	"/etc/letsencrypt"
+chown -R "$PUID:$PGID" /etc/letsencrypt
-	"/run/nginx"
+chown -R "$PUID:$PGID" /run/nginx
-	"/tmp/nginx"
+chown -R "$PUID:$PGID" /tmp/nginx
-	"/var/cache/nginx"
+chown -R "$PUID:$PGID" /var/cache/nginx
-	"/var/lib/logrotate"
+chown -R "$PUID:$PGID" /var/lib/logrotate
-	"/var/lib/nginx"
+chown -R "$PUID:$PGID" /var/lib/nginx
-	"/var/log/nginx"
+chown -R "$PUID:$PGID" /var/log/nginx
-	"/etc/nginx/nginx"
-	"/etc/nginx/nginx.conf"
-	"/etc/nginx/conf.d"
-)
 
-chownit() {
+# Don't chown entire /etc/nginx folder as this causes crashes on some systems
-	local dir="$1"
+chown -R "$PUID:$PGID" /etc/nginx/nginx
-	local recursive="${2:-true}"
+chown -R "$PUID:$PGID" /etc/nginx/nginx.conf
+chown -R "$PUID:$PGID" /etc/nginx/conf.d
 
-	local have
+# Prevents errors when installing python certbot plugins when non-root
-	have="$(stat -c '%u:%g' "$dir")"
+chown "$PUID:$PGID" /opt/certbot /opt/certbot/bin
-	echo "- $dir ... "
+find /opt/certbot/lib/python*/site-packages -not -user "$PUID" -execdir chown "$PUID:$PGID" {} \+
-
-	if [ "$have" != "$PUID:$PGID" ]; then
-		if [ "$recursive" = 'true' ] && [ -d "$dir" ]; then
-			chown -R "$PUID:$PGID" "$dir"
-		else
-			chown "$PUID:$PGID" "$dir"
-		fi
-		echo "    DONE"
-	else
-		echo "    SKIPPED"
-	fi
-}
-
-for loc in "${locations[@]}"; do
-	chownit "$loc"
-done
-
-if [ "$(is_true "${SKIP_CERTBOT_OWNERSHIP:-}")" = '1' ]; then
-	log_info 'Skipping ownership change of certbot directories'
-else
-	log_info 'Changing ownership of certbot directories, this may take some time ...'
-	chownit "/opt/certbot" false
-	chownit "/opt/certbot/bin" false
-
-	# Handle all site-packages directories efficiently
-	find /opt/certbot/lib -type d -name "site-packages" | while read -r SITE_PACKAGES_DIR; do
-		chownit "$SITE_PACKAGES_DIR"
-	done
-fi

docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh

@@ -5,9 +5,12 @@ set -e
 
 log_info 'Dynamic resolvers ...'
 
+DISABLE_IPV6=$(echo "${DISABLE_IPV6:-}" | tr '[:upper:]' '[:lower:]')
+
 # Dynamically generate resolvers file, if resolver is IPv6, enclose in `[]`
 # thanks @tfmm
-if [ "$(is_true "$DISABLE_IPV6")" = '1' ]; then
+if [ "$DISABLE_IPV6" == "true" ] || [ "$DISABLE_IPV6" == "on" ] || [ "$DISABLE_IPV6" == "1" ] || [ "$DISABLE_IPV6" == "yes" ];
+then
 	echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) ipv6=off valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf
 else
 	echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf

docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh

@@ -8,11 +8,14 @@ set -e
 
 log_info 'IPv6 ...'
 
+# Lowercase
+DISABLE_IPV6=$(echo "${DISABLE_IPV6:-}" | tr '[:upper:]' '[:lower:]')
+
 process_folder () {
 	FILES=$(find "$1" -type f -name "*.conf")
 	SED_REGEX=
 
-	if [ "$(is_true "$DISABLE_IPV6")" = '1' ]; then
+	if [ "$DISABLE_IPV6" == "true" ] || [ "$DISABLE_IPV6" == "on" ] || [ "$DISABLE_IPV6" == "1" ] || [ "$DISABLE_IPV6" == "yes" ]; then
 		# IPV6 is disabled
 		echo "Disabling IPV6 in hosts in: $1"
 		SED_REGEX='s/^([^#]*)listen \[::\]/\1#listen [::]/g'

docker/rootfs/usr/bin/common.sh

@@ -56,13 +56,3 @@ get_group_id () {
 		getent group "$1" | cut -d: -f3
 	fi
 }
-
-# param $1: value
-is_true () {
-	VAL=$(echo "${1:-}" | tr '[:upper:]' '[:lower:]')
-	if [ "$VAL" == 'true' ] || [ "$VAL" == 'on' ] || [ "$VAL" == '1' ] || [ "$VAL" == 'yes' ]; then
-		echo '1'
-	else
-		echo '0'
-	fi
-}

docker/scripts/install-s6

@@ -8,7 +8,7 @@ BLUE='\E[1;34m'
 GREEN='\E[1;32m'
 RESET='\E[0m'
 
-S6_OVERLAY_VERSION=3.2.1.0
+S6_OVERLAY_VERSION=3.2.0.2
 TARGETPLATFORM=${1:-linux/amd64}
 
 # Determine the correct binary file for the architecture given

docs/src/advanced-config/index.md

@@ -161,14 +161,6 @@ The easy fix is to add a Docker environment variable to the Nginx Proxy Manager
       DISABLE_IPV6: 'true'
 ```
 
-## Disabling IP Ranges Fetch
-
-By default, NPM fetches IP ranges from CloudFront and Cloudflare during application startup. In environments with limited internet access or to speed up container startup, this fetch can be disabled:
-
-```yml
-    environment:
-      IP_RANGES_FETCH_ENABLED: 'false'
-```
 
 ## Custom Nginx Configurations
 

docs/src/setup/index.md

@@ -21,7 +21,7 @@ services:
       # Add any other Stream port you want to expose
       # - '21:21' # FTP
 
-    #environment:
+    environment:
       # Uncomment this if you want to change the location of
       # the SQLite DB file within the container
       # DB_SQLITE_FILE: "/data/database.sqlite"

docs/yarn.lock

@@ -1065,9 +1065,9 @@ vfile@^6.0.0:
     vfile-message "^4.0.0"
 
 vite@^5.4.8:
-  version "5.4.19"
+  version "5.4.14"
-  resolved "https://registry.yarnpkg.com/vite/-/vite-5.4.19.tgz#20efd060410044b3ed555049418a5e7d1998f959"
+  resolved "https://registry.yarnpkg.com/vite/-/vite-5.4.14.tgz#ff8255edb02134df180dcfca1916c37a6abe8408"
-  integrity sha512-qO3aKv3HoQC8QKiNSTuUM1l9o/XX3+c+VTgLHbJWHZGeTPVAg2XwazI9UWzoxjIJCGCV2zU60uqMzjeLZuULqA==
+  integrity sha512-EK5cY7Q1D8JNhSaPKVK4pwBFvaTmZxEnoKXLG/U9gmdDcihQGNzFlgIvaxezFR4glP1LsuiedwMBqCXH3wZccA==
   dependencies:
     esbuild "^0.21.3"
     postcss "^8.4.43"

frontend/js/app/api.js

@@ -202,7 +202,49 @@ module.exports = {
         return fetch('get', '');
     },
 
+    Mfa: {
+        create: function () {
+            return fetch('post', 'mfa/create');
+        },
+        enable: function (token) {
+            return fetch('post', 'mfa/enable', {token: token});
+        },
+        check: function () {
+            return fetch('get', 'mfa/check');
+        },
+        delete: function (secret) {
+            return fetch('delete', 'mfa/delete', {secret: secret});
+        }
+    },
+
     Tokens: {
+        
+        /**
+         * 
+         * @param {String} identity 
+         * @param {String} secret 
+         * @param {String} token 
+         * @param {Boolean} wipe 
+         * @returns {Promise}
+         */
+
+        loginWithMFA: function (identity, secret, mfaToken, wipe) {
+            return fetch('post', 'tokens', {identity: identity, secret: secret, mfa_token: mfaToken})
+                .then(response => {
+                    if (response.token) {
+                        if (wipe) {
+                            Tokens.clearTokens();
+                        }
+
+                        // Set storage token
+                        Tokens.addToken(response.token);
+                        return response.token;
+                    } else {
+                        Tokens.clearTokens();
+                        throw(new Error('No token returned'));
+                    }
+                });
+        },
 
         /**
          * @param   {String}  identity

frontend/js/app/user/form.ejs

@@ -25,6 +25,27 @@
                         <div class="invalid-feedback secret-error"></div>
                     </div>
                 </div>
+
+                <div class="col-sm-12 col-md-12">
+                    <label class="form-label mfa-label"><%- i18n('mfa', 'mfa') %></label>
+                    <button type="button" class="btn btn-info mfa-add"><%- i18n('mfa', 'mfa-add') %></button>
+                    <button type="button" class="btn btn-danger mfa-remove" style="display: none;"><%- i18n('mfa', 'mfa-remove') %></button>
+                    <div class="mfa-remove-confirm-container" style="display: none;">
+                        <div class="form-group">
+                            <label class="form-label"><%- i18n('mfa', 'confirm-password') %></label>
+                            <input name="mfa_password" type="password" class="form-control mfa-remove-password-field" placeholder="<%- i18n('mfa', 'enter-password') %>">
+                            <div class="invalid-feedback mfa-error"></div>
+                        </div>
+                        <button type="button" class="btn btn-danger mfa-remove-confirm"><%- i18n('mfa', 'confirm-remove-mfa') %></button>
+                    </div>
+                    <p class="qr-instructions" style="display: none;"><%- i18n('mfa', 'mfa-setup-instruction') %></p>
+                    <div class="mfa-validation-container" style="display: none;">
+                        <label class="form-label"><%- i18n('mfa', 'mfa-token') %> <span class="form-required">*</span></label>
+                        <input name="mfa_validation" type="text" class="form-control" placeholder="000000" value="">
+                        <div class="invalid-feedback mfa-error"></div>
+                    </div>
+                </div>
+
                 <% if (isAdmin() && !isSelf()) { %>
                 <div class="col-sm-12 col-md-12">
                     <div class="form-label"><%- i18n('roles', 'title') %></div>

frontend/js/app/user/form.js

@@ -14,7 +14,15 @@ module.exports = Mn.View.extend({
         buttons: '.modal-footer button',
         cancel:  'button.cancel',
         save:    'button.save',
-        error:   '.secret-error'
+        error:   '.secret-error',
+        mfaError: '.mfa-error',
+        addMfa:  '.mfa-add',
+        mfaValidation: '.mfa-validation-container',
+        qrInstructions: '.qr-instructions',
+        removeMfa: '.mfa-remove',
+        removeMfaConfirmContainer: '.mfa-remove-confirm-container',
+        removeMfaConfirm: '.mfa-remove-confirm',
+        removeMfaPassword: '.mfa-remove-password-field'
     },
 
     events: {
@@ -25,6 +33,10 @@ module.exports = Mn.View.extend({
             let view = this;
             let data = this.ui.form.serializeJSON();
 
+            let mfaToken = data.mfa_validation;
+            delete data.mfa_validation;
+            delete data.mfa_password;
+
             let show_password = this.model.get('email') === 'admin@example.com';
 
             // admin@example.com is not allowed
@@ -62,6 +74,19 @@ module.exports = Mn.View.extend({
                     }
 
                     view.model.set(result);
+
+                    if (mfaToken) {
+                        return App.Api.Mfa.enable(mfaToken)
+                            .then(() => result)
+                            .catch(err => {
+                                view.ui.mfaError.text(err.message).show();
+                                err.mfaHandled = true;
+                                return Promise.reject(err);
+                            });
+                    }
+                    return result;
+                })
+                .then(result => {
                     App.UI.closeModal(function () {
                         if (method === App.Api.Users.create) {
                             // Show permissions dialog immediately
@@ -72,9 +97,50 @@ module.exports = Mn.View.extend({
                     });
                 })
                 .catch(err => {
-                    this.ui.error.text(err.message).show();
+                    if (!err.mfaHandled) {
+                        this.ui.error.text(err.message).show();
+                    }
                     this.ui.buttons.prop('disabled', false).removeClass('btn-disabled');
                 });
+        },
+        'click @ui.addMfa': function (e) {
+            let view = this;
+            App.Api.Mfa.create()
+                .then(response => {
+                    view.ui.addMfa.replaceWith(`<img class="qr-code" src="${response.qrCode}" alt="QR Code">`);
+                    view.ui.qrInstructions.show();
+                    view.ui.mfaValidation.show();
+                    // Add required attribute once MFA is activated
+                    view.ui.mfaValidation.find('input[name="mfa_validation"]').attr('required', true);
+                })
+                .catch(err => {
+                    view.ui.error.text(err.message).show();
+                });
+        },
+        'click @ui.removeMfa': function (e) {
+            // Show confirmation section with a password field and confirm button
+            this.ui.removeMfa.hide();
+            this.ui.removeMfaConfirmContainer.show();
+        },
+        'click @ui.removeMfaConfirm': function (e) {
+            let view = this;
+            let password = view.ui.removeMfaPassword.val();
+            if (!password) {
+                view.ui.error.text('Password required to remove MFA').show();
+                return;
+            }
+            App.Api.Mfa.delete(password)
+                .then(() => {
+                    view.ui.addMfa.show();
+                    view.ui.qrInstructions.hide();
+                    view.ui.mfaValidation.hide();
+                    view.ui.removeMfaConfirmContainer.hide();
+                    view.ui.removeMfa.hide();
+                    view.ui.mfaValidation.find('input[name="mfa_validation"]').removeAttr('required');
+                })
+                .catch(err => {
+                    view.ui.mfaError.text(err.message).show();
+                });
         }
     },
 
@@ -104,5 +170,30 @@ module.exports = Mn.View.extend({
         if (typeof options.model === 'undefined' || !options.model) {
             this.model = new UserModel.Model();
         }
+    },
+
+    onRender: function () {
+        let view = this;
+        App.Api.Mfa.check()
+            .then(response => {
+                if (response.active) {
+                    view.ui.addMfa.hide();
+                    view.ui.qrInstructions.hide();
+                    view.ui.mfaValidation.hide();
+                    view.ui.removeMfa.show();
+                    view.ui.removeMfaConfirmContainer.hide();
+                    view.ui.mfaValidation.find('input[name="mfa_validation"]').removeAttr('required');
+                } else {
+                    view.ui.addMfa.show();
+                    view.ui.qrInstructions.hide();
+                    view.ui.mfaValidation.hide();
+                    view.ui.removeMfa.hide();
+                    view.ui.removeMfaConfirmContainer.hide();
+                    view.ui.mfaValidation.find('input[name="mfa_validation"]').removeAttr('required');
+                }
+            })
+            .catch(err => {
+                view.ui.error.text(err.message).show();
+            });
     }
 });

frontend/js/i18n/messages.json

@@ -37,8 +37,19 @@
       "all": "All",
       "any": "Any"
     },
+    "mfa": {
+      "mfa": "Multi Factor Authentication",
+      "mfa-add": "Add Multi Factor Authentication",
+      "mfa-remove": "Remove Multi Factor Authentication",
+      "mfa-setup-instruction": "Scan this QR code in your authenticator app to set up MFA and then enter the current MFA code in the input field.",
+      "mfa-token": "Multi factor authentication token",
+      "confirm-password": "Please enter your password to confirm",
+      "enter-password": "Enter Password",
+      "confirm-remove-mfa": "Confirm Multi Factor Authentication removal"
+    },
     "login": {
-      "title": "Login to your account"
+      "title": "Login to your account",
+      "mfa-required-text": "Please enter your MFA token to continue"
     },
     "main": {
       "app": "Nginx Proxy Manager",
@@ -60,7 +71,7 @@
     },
     "footer": {
       "fork-me": "Fork me on Github",
-      "copy": "&copy; 2025 <a href=\"{url}\" target=\"_blank\">jc21.com</a>.",
+      "copy": "&copy; 2024 <a href=\"{url}\" target=\"_blank\">jc21.com</a>.",
       "theme": "Theme by <a href=\"{url}\" target=\"_blank\">Tabler</a>"
     },
     "dashboard": {

frontend/js/login/ui/login.ejs

@@ -1,3 +1,4 @@
+
 <div class="container">
     <div class="row">
         <div class="col col-login mx-auto">
@@ -24,6 +25,12 @@
                                     <input name="secret" type="password" class="form-control" placeholder="<%- i18n('str', 'password') %>" required>
                                     <div class="invalid-feedback secret-error"></div>
                                 </div>
+                                <div class="form-group mfa-group" style="display: none;">
+                                    <p class="mfa-info"><%- i18n('login', 'mfa-required-text') %>:</p>
+                                    <label class="form-label"><%- i18n('mfa', 'mfa-token') %></label>
+                                    <input name="mfa_token" type="text" class="form-control" placeholder="<%- i18n('mfa', 'mfa-token') %>">
+                                    <div class="invalid-feedback mfa-error"></div>
+                                </div>
                                 <div class="form-footer">
                                     <button type="submit" class="btn btn-teal btn-block"><%- i18n('str', 'sign-in') %></button>
                                 </div>
@@ -34,4 +41,4 @@
             </form>
         </div>
     </div>
-</div>
+</div>

frontend/js/login/ui/login.js

@@ -13,7 +13,11 @@ module.exports = Mn.View.extend({
         identity: 'input[name="identity"]',
         secret:   'input[name="secret"]',
         error:    '.secret-error',
-        button:   'button'
+        error_mfa:'.mfa-error',
+        button:   'button',
+        mfaGroup: '.mfa-group',    // added MFA group selector
+        mfaToken: 'input[name="mfa_token"]', // added MFA token input
+        mfaInfo:  '.mfa-info' // added MFA info element
     },
 
     events: {
@@ -22,14 +26,36 @@ module.exports = Mn.View.extend({
             this.ui.button.addClass('btn-loading').prop('disabled', true);
             this.ui.error.hide();
 
-            Api.Tokens.login(this.ui.identity.val(), this.ui.secret.val(), true)
+            if(this.ui.mfaToken.val()) {
+                Api.Tokens.loginWithMFA(this.ui.identity.val(), this.ui.secret.val(), this.ui.mfaToken.val(), true)
                 .then(() => {
                     window.location = '/';
                 })
                 .catch(err => {
-                    this.ui.error.text(err.message).show();
+                    if (err.message === 'Invalid MFA token.') {
+                        this.ui.error_mfa.text(err.message).show();
+                    } else {
+                        this.ui.error.text(err.message).show();
+                    }
                     this.ui.button.removeClass('btn-loading').prop('disabled', false);
                 });
+            } else {
+                Api.Tokens.login(this.ui.identity.val(), this.ui.secret.val(), true)
+                .then(() => {
+                    window.location = '/';
+                })
+                .catch(err => {
+                    if (err.message === 'MFA token required') {
+                        this.ui.mfaGroup.show();
+                        this.ui.mfaInfo.show();
+                    } else {
+                        this.ui.error.text(err.message).show();
+                    }
+                    this.ui.button.removeClass('btn-loading').prop('disabled', false);
+                });
+            }
+
+            
         }
     },
 
@@ -40,3 +66,5 @@ module.exports = Mn.View.extend({
         }
     }
 });
+
+

frontend/package.json

@@ -26,8 +26,8 @@
     "messageformat": "^2.3.0",
     "messageformat-loader": "^0.8.1",
     "mini-css-extract-plugin": "^0.9.0",
-    "moment": "^2.30.1",
+    "moment": "^2.29.4",
-    "sass": "^1.92.1",
+    "node-sass": "^9.0.0",
     "nodemon": "^2.0.2",
     "numeral": "^2.0.6",
     "sass-loader": "^10.0.0",

frontend/scss/tabler-extra.scss

@@ -167,5 +167,4 @@ $pink: #f66d9b;
 
 textarea.form-control.text-monospace {
     font-size: 12px;
-    font-family: monospace;
 }

global/certbot-dns-plugins.json

@@ -10,9 +10,9 @@
 	"active24": {
 		"name": "Active24",
 		"package_name": "certbot-dns-active24",
-		"version": "~=2.0.0",
+		"version": "~=1.5.1",
 		"dependencies": "",
-		"credentials": "dns_active24_api_key = <identifier>\ndns_active24_secret = <secret>",
+		"credentials": "dns_active24_token=\"TOKEN\"",
 		"full_plugin_name": "dns-active24"
 	},
 	"aliyun": {
@@ -31,14 +31,6 @@
 		"credentials": "# This plugin supported API authentication using either Service Principals or utilizing a Managed Identity assigned to the virtual machine.\n# Regardless which authentication method used, the identity will need the “DNS Zone Contributor” role assigned to it.\n# As multiple Azure DNS Zones in multiple resource groups can exist, the config file needs a mapping of zone to resource group ID. Multiple zones -> ID mappings can be listed by using the key dns_azure_zoneX where X is a unique number. At least 1 zone mapping is required.\n\n# Using a service principal (option 1)\ndns_azure_sp_client_id = 912ce44a-0156-4669-ae22-c16a17d34ca5\ndns_azure_sp_client_secret = E-xqXU83Y-jzTI6xe9fs2YC~mck3ZzUih9\ndns_azure_tenant_id = ed1090f3-ab18-4b12-816c-599af8a88cf7\n\n# Using used assigned MSI (option 2)\n# dns_azure_msi_client_id = 912ce44a-0156-4669-ae22-c16a17d34ca5\n\n# Using system assigned MSI (option 3)\n# dns_azure_msi_system_assigned = true\n\n# Zones (at least one always required)\ndns_azure_zone1 = example.com:/subscriptions/c135abce-d87d-48df-936c-15596c6968a5/resourceGroups/dns1\ndns_azure_zone2 = example.org:/subscriptions/99800903-fb14-4992-9aff-12eaf2744622/resourceGroups/dns2",
 		"full_plugin_name": "dns-azure"
 	},
-	"baidu": {
-		"name": "baidu",
-		"package_name": "certbot-dns-baidu",
-		"version": "~=0.1.1",
-		"dependencies": "",
-		"credentials": "dns_baidu_access_key = 12345678\ndns_baidu_secret_key = 1234567890abcdef1234567890abcdef",
-		"full_plugin_name": "dns-baidu"
-	},
 	"beget": {
 		"name":"Beget",
 		"package_name": "certbot-beget-plugin",
@@ -55,19 +47,11 @@
 		"credentials": "# Bunny API token used by Certbot (see https://dash.bunny.net/account/settings)\ndns_bunny_api_key = xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
 		"full_plugin_name": "dns-bunny"
 	},
-	"cdmon": {
-		"name": "cdmon",
-		"package_name": "certbot-dns-cdmon",
-		"version": "~=0.4.1",
-		"dependencies": "",
-		"credentials": "dns_cdmon_api_key=your-cdmon-api-token\ndns_cdmon_domain=your_domain_is_optional",
-		"full_plugin_name": "dns-cdmon"
-	},
 	"cloudflare": {
 		"name": "Cloudflare",
 		"package_name": "certbot-dns-cloudflare",
 		"version": "=={{certbot-version}}",
-		"dependencies": "acme=={{certbot-version}}",
+		"dependencies": "cloudflare==2.19.* acme=={{certbot-version}}",
 		"credentials": "# Cloudflare API token\ndns_cloudflare_api_token=0123456789abcdef0123456789abcdef01234567",
 		"full_plugin_name": "dns-cloudflare"
 	},
@@ -106,19 +90,11 @@
 	"cpanel": {
 		"name": "cPanel",
 		"package_name": "certbot-dns-cpanel",
-		"version": "~=0.4.0",
+		"version": "~=0.2.2",
 		"dependencies": "",
-		"credentials": "cpanel_url = https://cpanel.example.com:2083\ncpanel_username = your_username\ncpanel_password = your_password\ncpanel_token = your_api_token",
+		"credentials": "cpanel_url = https://cpanel.example.com:2083\ncpanel_username = user\ncpanel_password = hunter2",
 		"full_plugin_name": "cpanel"
 	},
-	"ddnss": {
-		"name": "DDNSS",
-		"package_name": "certbot-dns-ddnss",
-		"version": "~=1.1.0",
-		"dependencies": "",
-		"credentials": "dns_ddnss_token = YOUR_DDNSS_API_TOKEN",
-		"full_plugin_name": "dns-ddnss"
-	},
 	"desec": {
 		"name": "deSEC",
 		"package_name": "certbot-dns-desec",
@@ -188,7 +164,7 @@
 		"package_name": "certbot-dns-domainoffensive",
 		"version": "~=2.0.0",
 		"dependencies": "",
-		"credentials": "dns_domainoffensive_api_token = YOUR_DO_DE_AUTH_TOKEN",
+		"credentials": "dns_do_api_token = YOUR_DO_DE_AUTH_TOKEN",
 		"full_plugin_name": "dns-domainoffensive"
 	},
 	"domeneshop": {
@@ -223,14 +199,6 @@
 		"credentials": "dns_eurodns_applicationId = myuser\ndns_eurodns_apiKey = mysecretpassword\ndns_eurodns_endpoint = https://rest-api.eurodns.com/user-api-gateway/proxy",
 		"full_plugin_name": "dns-eurodns"
 	},
-	"firstdomains": {
-                "name": "First Domains",
-                "package_name": "certbot-dns-firstdomains",
-                "version": ">=1.0",
-                "dependencies": "",
-                "credentials": "dns_firstdomains_username = myremoteuser\ndns_firstdomains_password = verysecureremoteuserpassword",
-                "full_plugin_name": "dns-firstdomains"
-        },
 	"freedns": {
 		"name": "FreeDNS",
 		"package_name": "certbot-dns-freedns",
@@ -241,8 +209,8 @@
 	},
 	"gandi": {
 		"name": "Gandi Live DNS",
-		"package_name": "certbot-dns-gandi",
+		"package_name": "certbot_plugin_gandi",
-		"version": "~=1.6.1",
+		"version": "~=1.5.0",
 		"dependencies": "",
 		"credentials": "# Gandi personal access token\ndns_gandi_token=PERSONAL_ACCESS_TOKEN",
 		"full_plugin_name": "dns-gandi"
@@ -415,14 +383,6 @@
 		"credentials": "dns_netcup_customer_id  = 123456\ndns_netcup_api_key      = 0123456789abcdef0123456789abcdef01234567\ndns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123",
 		"full_plugin_name": "dns-netcup"
 	},
-	"nicru": {
-		"name": "nic.ru",
-		"package_name": "certbot-dns-nicru",
-		"version": "~=1.0.3",
-		"dependencies": "",
-		"credentials": "dns_nicru_client_id = application-id\ndns_nicru_client_secret = application-token\ndns_nicru_username = 0001110/NIC-D\ndns_nicru_password = password\ndns_nicru_scope = .+:.+/zones/example.com(/.+)?\ndns_nicru_service = DNS_SERVICE_NAME\ndns_nicru_zone = example.com",
-		"full_plugin_name": "dns-nicru"
-	},
 	"njalla": {
 		"name": "Njalla",
 		"package_name": "certbot-dns-njalla",
@@ -511,30 +471,14 @@
 		"credentials": "[default]\naws_access_key_id=AKIAIOSFODNN7EXAMPLE\naws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
 		"full_plugin_name": "dns-route53"
 	},
-	"spaceship": {
-		"name": "Spaceship",
-		"package_name": "certbot-dns-spaceship",
-		"version": "~=1.0.4",
-		"dependencies": "",
-		"credentials": "[spaceship]\napi_key=your_api_key\napi_secret=your_api_secret",
-		"full_plugin_name": "dns-spaceship"
-	},
 	"strato": {
 		"name": "Strato",
 		"package_name": "certbot-dns-strato",
-		"version": "~=0.2.2",
+		"version": "~=0.2.1",
 		"dependencies": "",
 		"credentials": "dns_strato_username = user\ndns_strato_password = pass\n# uncomment if youre using two factor authentication:\n# dns_strato_totp_devicename = 2fa_device\n# dns_strato_totp_secret = 2fa_secret\n#\n# uncomment if domain name contains special characters\n# insert domain display name as seen on your account page here\n# dns_strato_domain_display_name = my-punicode-url.de\n#\n# if youre not using strato.de or another special endpoint you can customise it below\n# you will probably only need to adjust the host, but you can also change the complete endpoint url\n# dns_strato_custom_api_scheme = https\n# dns_strato_custom_api_host = www.strato.de\n# dns_strato_custom_api_port = 443\n# dns_strato_custom_api_path = \"/apps/CustomerService\"",
 		"full_plugin_name": "dns-strato"
 	},
-	        "selectelv2": {
-                "name": "Selectel api v2",
-                "package_name": "certbot-dns-selectel-api-v2",
-                "version": "~=0.3.0",
-                "dependencies": "",
-                "credentials": "dns_selectel_api_v2_account_id = your_account_id\ndns_selectel_api_v2_project_name = your_project\ndns_selectel_api_v2_username = your_username\ndns_selectel_api_v2_password = your_password",
-                "full_plugin_name": "dns-selectel-api-v2"
-        },
 	"timeweb": {
 		"name": "Timeweb Cloud",
 		"package_name": "certbot-dns-timeweb",

test/cypress/e2e/api/Certificates.cy.js

@@ -10,7 +10,7 @@ describe('Certificates endpoints', () => {
 		});
 	});
 
-	it('Validate custom certificate', () => {
+	it('Validate custom certificate', function() {
 		cy.task('backendApiPostFiles', {
 			token: token,
 			path:  '/api/nginx/certificates/validate',
@@ -25,7 +25,7 @@ describe('Certificates endpoints', () => {
 		});
 	});
 
-	it('Custom certificate lifecycle', () => {
+	it('Custom certificate lifecycle', function() {
 		// Create custom cert
 		cy.task('backendApiPost', {
 			token: token,
@@ -73,7 +73,7 @@ describe('Certificates endpoints', () => {
 		});
 	});
 
-	it('Request Certificate - CVE-2024-46256/CVE-2024-46257', () => {
+	it('Request Certificate - CVE-2024-46256/CVE-2024-46257', function() {
 		cy.task('backendApiPost', {
 			token: token,
 			path:  '/api/nginx/certificates',
@@ -96,28 +96,4 @@ describe('Certificates endpoints', () => {
 			expect(data.error.message).to.contain('data/domain_names/0 must match pattern');
 		});
 	});
-
-	it('Request Certificate - LE Email Escaped', () => {
-		cy.task('backendApiPost', {
-			token: token,
-			path:  '/api/nginx/certificates',
-			data:  {
-				domain_names: ['test.com"||echo hello-world||\\\\n test.com"'],
-				meta:         {
-					dns_challenge:     false,
-					letsencrypt_agree: true,
-					letsencrypt_email: "admin@example.com' --version;echo hello-world",
-				},
-				provider: 'letsencrypt',
-			},
-			returnOnError: true,
-		}).then((data) => {
-			cy.validateSwaggerSchema('post', 400, '/nginx/certificates', data);
-			expect(data).to.have.property('error');
-			expect(data.error).to.have.property('message');
-			expect(data.error).to.have.property('code');
-			expect(data.error.code).to.equal(400);
-			expect(data.error.message).to.contain('data/meta/letsencrypt_email must match pattern');
-		});
-	});
 });

test/cypress/e2e/api/Dashboard.cy.js

@@ -1,25 +0,0 @@
-/// <reference types="cypress" />
-
-describe('Dashboard endpoints', () => {
-	let token;
-
-	before(() => {
-		cy.getToken().then((tok) => {
-			token = tok;
-		});
-	});
-
-	it('Should be able to get host counts', () => {
-		cy.task('backendApiGet', {
-			token: token,
-			path:  '/api/reports/hosts'
-		}).then((data) => {
-			cy.validateSwaggerSchema('get', 200, '/reports/hosts', data);
-			expect(data).to.have.property('dead');
-			expect(data).to.have.property('proxy');
-			expect(data).to.have.property('redirection');
-			expect(data).to.have.property('stream');
-		});
-	});
-
-});

test/cypress/e2e/api/FullCertProvision.cy.js

@@ -9,7 +9,7 @@ describe('Full Certificate Provisions', () => {
 		});
 	});
 
-	it('Should be able to create new http certificate', () => {
+	it('Should be able to create new http certificate', function() {
 		cy.task('backendApiPost', {
 			token: token,
 			path:  '/api/nginx/certificates',
@@ -32,7 +32,7 @@ describe('Full Certificate Provisions', () => {
 		});
 	});
 
-	it('Should be able to create new DNS certificate with Powerdns', () => {
+	it('Should be able to create new DNS certificate with Powerdns', function() {
 		cy.task('backendApiPost', {
 			token: token,
 			path:  '/api/nginx/certificates',

test/cypress/e2e/api/Health.cy.js

@@ -1,7 +1,7 @@
 /// <reference types="cypress" />
 
 describe('Basic API checks', () => {
-	it('Should return a valid health payload', () => {
+	it('Should return a valid health payload', function () {
 		cy.task('backendApiGet', {
 			path: '/api/',
 		}).then((data) => {
@@ -10,9 +10,9 @@ describe('Basic API checks', () => {
 		});
 	});
 
-	it('Should return a valid schema payload', () => {
+	it('Should return a valid schema payload', function () {
 		cy.task('backendApiGet', {
-			path: `/api/schema?ts=${Date.now()}`,
+			path: '/api/schema?ts=' + Date.now(),
 		}).then((data) => {
 			expect(data.openapi).to.be.equal('3.1.0');
 		});

test/cypress/e2e/api/Ldap.cy.js

@@ -1,12 +1,12 @@
 /// <reference types="cypress" />
 
 describe('LDAP with Authentik', () => {
-	let _token;
+	let token;
 	if (Cypress.env('skipStackCheck') === 'true' || Cypress.env('stack') === 'postgres') {
 
 		before(() => {
 			cy.getToken().then((tok) => {
-				_token = tok;
+				token = tok;
 
 				// cy.task('backendApiPut', {
 				// 	token: token,
@@ -45,7 +45,7 @@ describe('LDAP with Authentik', () => {
 			});
 		});
 
-		it.skip('Should log in with LDAP', () => {
+		it.skip('Should log in with LDAP', function() {
 			// cy.task('backendApiPost', {
 			// 	token: token,
 			// 	path:  '/api/auth',

test/cypress/e2e/api/OAuth.cy.js

@@ -1,12 +1,12 @@
 /// <reference types="cypress" />
 
 describe('OAuth with Authentik', () => {
-	let _token;
+	let token;
 	if (Cypress.env('skipStackCheck') === 'true' || Cypress.env('stack') === 'postgres') {
 
 		before(() => {
 			cy.getToken().then((tok) => {
-				_token = tok;
+				token = tok;
 
 				// cy.task('backendApiPut', {
 				// 	token: token,
@@ -47,7 +47,7 @@ describe('OAuth with Authentik', () => {
 			});
 		});
 
-		it.skip('Should log in with OAuth', () => {
+		it.skip('Should log in with OAuth', function() {
 			// cy.task('backendApiGet', {
 			// 	path:  '/oauth/login?redirect_base=' + encodeURI(Cypress.config('baseUrl')),
 			// }).then((data) => {

test/cypress/e2e/api/ProxyHosts.cy.js

@@ -9,7 +9,7 @@ describe('Proxy Hosts endpoints', () => {
 		});
 	});
 
-	it('Should be able to create a http host', () => {
+	it('Should be able to create a http host', function() {
 		cy.task('backendApiPost', {
 			token: token,
 			path:  '/api/nginx/proxy-hosts',

test/cypress/e2e/api/Settings.cy.js

@@ -9,7 +9,7 @@ describe('Settings endpoints', () => {
 		});
 	});
 
-	it('Get all settings', () => {
+	it('Get all settings', function() {
 		cy.task('backendApiGet', {
 			token: token,
 			path:  '/api/settings',
@@ -19,7 +19,7 @@ describe('Settings endpoints', () => {
 		});
 	});
 
-	it('Get default-site setting', () => {
+	it('Get default-site setting', function() {
 		cy.task('backendApiGet', {
 			token: token,
 			path:  '/api/settings/default-site',
@@ -30,7 +30,7 @@ describe('Settings endpoints', () => {
 		});
 	});
 
-	it('Default Site congratulations', () => {
+	it('Default Site congratulations', function() {
 		cy.task('backendApiPut', {
 			token: token,
 			path:  '/api/settings/default-site',
@@ -46,7 +46,7 @@ describe('Settings endpoints', () => {
 		});
 	});
 
-	it('Default Site 404', () => {
+	it('Default Site 404', function() {
 		cy.task('backendApiPut', {
 			token: token,
 			path:  '/api/settings/default-site',
@@ -62,7 +62,7 @@ describe('Settings endpoints', () => {
 		});
 	});
 
-	it('Default Site 444', () => {
+	it('Default Site 444', function() {
 		cy.task('backendApiPut', {
 			token: token,
 			path:  '/api/settings/default-site',
@@ -78,7 +78,7 @@ describe('Settings endpoints', () => {
 		});
 	});
 
-	it('Default Site redirect', () => {
+	it('Default Site redirect', function() {
 		cy.task('backendApiPut', {
 			token: token,
 			path:  '/api/settings/default-site',
@@ -100,7 +100,7 @@ describe('Settings endpoints', () => {
 		});
 	});
 
-	it('Default Site html', () => {
+	it('Default Site html', function() {
 		cy.task('backendApiPut', {
 			token: token,
 			path:  '/api/settings/default-site',

test/cypress/e2e/api/Streams.cy.js

@@ -33,7 +33,7 @@ describe('Streams', () => {
 		cy.exec('rm -f /test/results/testssl.json');
 	});
 
-	it('Should be able to create TCP Stream', () => {
+	it('Should be able to create TCP Stream', function() {
 		cy.task('backendApiPost', {
 			token: token,
 			path:  '/api/nginx/streams',
@@ -65,7 +65,7 @@ describe('Streams', () => {
 		});
 	});
 
-	it('Should be able to create UDP Stream', () => {
+	it('Should be able to create UDP Stream', function() {
 		cy.task('backendApiPost', {
 			token: token,
 			path:  '/api/nginx/streams',
@@ -92,7 +92,7 @@ describe('Streams', () => {
 		});
 	});
 
-	it('Should be able to create TCP/UDP Stream', () => {
+	it('Should be able to create TCP/UDP Stream', function() {
 		cy.task('backendApiPost', {
 			token: token,
 			path:  '/api/nginx/streams',
@@ -124,7 +124,7 @@ describe('Streams', () => {
 		});
 	});
 
-	it('Should be able to create SSL TCP Stream', () => {
+	it('Should be able to create SSL TCP Stream', function() {
 		let certID = 0;
 
 		// Create custom cert
@@ -184,7 +184,7 @@ describe('Streams', () => {
 					cy.exec('/testssl/testssl.sh --quiet --add-ca="$(/bin/mkcert -CAROOT)/rootCA.pem" --jsonfile=/test/results/testssl.json website1.example.com:1503', {
 						timeout: 120000, // 2 minutes
 					}).then((result) => {
-						cy.task('log', `[testssl.sh] ${result.stdout}`);
+						cy.task('log', '[testssl.sh] ' + result.stdout);
 
 						const allowedSeverities = ["INFO", "OK", "LOW", "MEDIUM"];
 						const ignoredIDs = [
@@ -210,16 +210,4 @@ describe('Streams', () => {
 		});
 	});
 
-	it('Should be able to List Streams', () => {
-		cy.task('backendApiGet', {
-			token: token,
-			path:  '/api/nginx/streams?expand=owner,certificate',
-		}).then((data) => {
-			cy.validateSwaggerSchema('get', 200, '/nginx/streams', data);
-			expect(data.length).to.be.greaterThan(0);
-			expect(data[0]).to.have.property('id');
-			expect(data[0]).to.have.property('enabled');
-		});
-	});
-
 });

test/cypress/e2e/api/Users.cy.js

@@ -9,7 +9,7 @@ describe('Users endpoints', () => {
 		});
 	});
 
-	it('Should be able to get yourself', () => {
+	it('Should be able to get yourself', function() {
 		cy.task('backendApiGet', {
 			token: token,
 			path:  '/api/users/me'
@@ -20,7 +20,7 @@ describe('Users endpoints', () => {
 		});
 	});
 
-	it('Should be able to get all users', () => {
+	it('Should be able to get all users', function() {
 		cy.task('backendApiGet', {
 			token: token,
 			path:  '/api/users'
@@ -30,7 +30,7 @@ describe('Users endpoints', () => {
 		});
 	});
 
-	it('Should be able to update yourself', () => {
+	it('Should be able to update yourself', function() {
 		cy.task('backendApiPut', {
 			token: token,
 			path:  '/api/users/me',