Show provisioned users

Add Ferron reverse proxy example to config.md

cmd/publish_unix.go

@@ -1,5 +1,4 @@
 //go:build darwin || linux || dragonfly || freebsd || netbsd || openbsd
-// +build darwin linux dragonfly freebsd netbsd openbsd
 
 package cmd
 

docs/config.md

@@ -1029,6 +1029,36 @@ or the root domain:
         redir @httpget https://{host}{uri}
     }
     ```
+	
+=== "ferron"
+    ``` kdl
+    // /etc/ferron.kdl	
+    // Note that this config is most certainly incomplete. Please help out and let me know what's missing
+    // via Discord/Matrix or in a GitHub issue.
+    // Note: Ferron automatically handles both HTTP and WebSockets with proxy 
+
+    ntfy.sh {
+        auto_tls
+        auto_tls_letsencrypt_production
+        protocols "h1" "h2" "h3"
+
+        proxy "http://127.0.0.1:2586"
+
+        // Redirect HTTP to HTTPS, but only for GET topic addresses, since we want
+        // it to work with curl without the annoying https:// prefix
+
+        no_redirect_to_https #true
+
+        condition "is_get_topic" {
+            is_equal "{method}" "GET"
+            is_regex "{path}" "^/([-_a-z0-9]{0,64}$|docs/|static/)"
+        }
+
+        if "is_get_topic" {
+              no_redirect_to_https #false
+        }
+    }
+    ```
 
 ## Firebase (FCM)
 !!! info
@@ -1531,7 +1561,7 @@ See [Installation for Docker](install.md#docker) for an example of how this coul
 If configured, ntfy can expose a `/metrics` endpoint for [Prometheus](https://prometheus.io/), which can then be used to
 create dashboards and alerts (e.g. via [Grafana](https://grafana.com/)).
 
-To configure the metrics endpoint, either set `enable-metrics` and/or set the `listen-metrics-http` option to a dedicated
+To configure the metrics endpoint, either set `enable-metrics` and/or set the `metrics-listen-http` option to a dedicated
 listen address. Metrics may be considered sensitive information, so before you enable them, be sure you know what you are
 doing, and/or secure access to the endpoint in your reverse proxy.
 

docs/integrations.md

@@ -42,6 +42,7 @@ I've added a ⭐ to projects or posts that have a significant following, or had
 - [Monibot](https://monibot.io/) - Monibot monitors your websites, servers and applications and notifies you if something goes wrong.
 - [Miniflux](https://miniflux.app/docs/ntfy.html) - Minimalist and opinionated feed reader
 - [Beszel](https://beszel.dev/guide/notifications/ntfy) - Server monitoring platform
+- [Simple Observability](https://simpleobservability.com/docs/alerts/ntfy) - Server monitoring and observability platform
 
 ## Integration via HTTP/SMTP/etc.
 

docs/publish.md

@@ -705,8 +705,8 @@ As of today, **Markdown is only supported in the web app.** Here's an example of
 === "Python"
     ``` python
     requests.post("https://ntfy.sh/mytopic", 
-        data="Look ma, **bold text**, *italics*, ..."
-        headers={ "Markdown": "yes" }))
+        data="Look ma, **bold text**, *italics*, ...",
+        headers={ "Markdown": "yes" })
     ```
 
 === "PHP"

docs/releases.md

@@ -2,7 +2,61 @@
 Binaries for all releases can be found on the GitHub releases pages for the [ntfy server](https://github.com/binwiederhier/ntfy/releases)
 and the [ntfy Android app](https://github.com/binwiederhier/ntfy-android/releases).
 
-### ntfy server v2.15.0
+## Current stable releases
+
+| Component                                | Version | Release date |
+|------------------------------------------|---------|--------------|
+| ntfy server                              | v2.15.0 | Nov 16, 2025 |
+| ntfy Android app (_is being rolled out_) | v1.20.0 | Dec 28, 2025 |
+| ntfy iOS app                             | v1.3    | Nov 26, 2023 |
+
+Please check out the release notes for [upcoming releases](#not-released-yet) below.
+
+## ntfy Android app v1.20.0
+Released December 28, 2025
+
+This is the last pure maintenance release for now. It'll bring all dependencies and library version to the latest version,
+and fixes some crashes. I had to drop support for about 4,000 devices (only ~200 installations), because the libraries
+themselves do not support SDK 21 anymore, which was the previous minimum SDK version (Android 5, 2014). Now the minimum
+SDK version is 26 (Android 8, 2017).
+
+**Bug fixes + maintenance:**
+
+* Updated dependencies, minimum SDK version to 26, clean up legacy code, upgrade Gradle ([ntfy-android#140](https://github.com/binwiederhier/ntfy-android/pull/140),
+  thanks to [@cyb3rko](https://github.com/cyb3rko) for the implementation)
+* Updated target SDK version to 36 (Android 8, 2017)
+* Fixed ForegroundServiceDidNotStartInTimeException ([#1520](https://github.com/binwiederhier/ntfy/issues/1520))
+* Fixed crashes with redrawing the list when temporarily muted topics expire
+
+## ntfy Android app v1.19.4
+Released December 21, 2025
+
+This release upgrades the Android app to use [Material 3](https://m3.material.io/) design components and adds the
+ability to use [dynamic colors](https://developer.android.com/develop/ui/views/theming/dynamic-colors).
+**This was a lot of work** and I want to thank [@Bnyro](https://github.com/Bnyro) and [@cyb3rko](https://github.com/cyb3rko) for implementing this. You guys rock!
+
+**Features:**
+
+* Moved the user interface to Material 3 and added dynamic color support ([#580](https://github.com/binwiederhier/ntfy/issues/580),
+  [ntfy-android#56](https://github.com/binwiederhier/ntfy-android/pull/56), [ntfy-android#126](https://github.com/binwiederhier/ntfy-android/pull/126),
+  [ntfy-android#135](https://github.com/binwiederhier/ntfy-android/pull/135), thanks to [@Bnyro](https://github.com/Bnyro)
+  and [@cyb3rko](https://github.com/cyb3rko) for the implementation, and to [@RokeJulianLockhart](https://github.com/RokeJulianLockhart) for reporting)
+
+## ntfy Android app v1.18.0
+Released December 4, 2025
+
+**Features:**
+
+* Added GIF support for preview images ([ntfy-android#76](https://github.com/binwiederhier/ntfy-android/pull/76)/[#532](https://github.com/binwiederhier/ntfy/issues/532), thanks to [@MichaelArkh](https://github.com/MichaelArkh) and [@dimatx](https://github.com/dimatx) for reporting)
+* Added WebP support for preview images ([ntfy-android#81](https://github.com/binwiederhier/ntfy-android/pull/81)/[ntfy-android#80](https://github.com/binwiederhier/ntfy-android/issues/80), thanks to [@jokakilla](https://github.com/jokakilla))
+* Added UnifiedPush distributor selection support ([#137](https://github.com/binwiederhier/ntfy-android/pull/137), thanks to [@p1gp1g](https://github.com/p1gp1g))
+
+**Bug fixes + maintenance:**
+
+* Remove REQUEST_INSTALL_PACKAGES permission ([#684](https://github.com/binwiederhier/ntfy/issues/684))
+* Request to ignore battery optimizations before receiving subscription ([ntfy-android#97](https://github.com/binwiederhier/ntfy-android/pull/97), thanks to [@p1gp1g](https://github.com/p1gp1g))
+
+## ntfy server v2.15.0
 Released Nov 16, 2025
 
 This release adds a `require-login` flag to topics, which forces users to log in before they can
@@ -30,11 +84,11 @@ The policies do not allow directly or indirectly linking to paid plans or donati
 
 **Changes:**
 
-- Remove the "Donate" button from menu (all variants)
-- Change default display name from "ntfy.sh/mytopic" to "mytopic" (all variants)
-- Remove links to ntfy docs and issue tracker (Play variant only)
-- Remove how-to links to ntfy.sh in a few places (Play variant only)
-- Remove "Copy topic address" from subscription menu (Play variant only)
+* Remove the "Donate" button from menu (all variants)
+* Change default display name from "ntfy.sh/mytopic" to "mytopic" (all variants)
+* Remove links to ntfy docs and issue tracker (Play variant only)
+* Remove how-to links to ntfy.sh in a few places (Play variant only)
+* Remove "Copy topic address" from subscription menu (Play variant only)
 
 ## ntfy Android app v1.17.8
 Released September 23, 2025
@@ -1518,4 +1572,18 @@ and the [ntfy Android app](https://github.com/binwiederhier/ntfy-android/release
 
 ## Not released yet
 
-_Nothing to see, move along ..._
+### ntfy Android app v1.21.x
+
+**Features:**
+
+* Allow publishing messages through the message bar and publish dialog ([#98](https://github.com/binwiederhier/ntfy/issues/98), [ntfy-android#144](https://github.com/binwiederhier/ntfy-android/pull/144))
+* Define custom HTTP headers to support authenticated proxies, tunnels and SSO ([ntfy-android#116](https://github.com/binwiederhier/ntfy-android/issues/116), [#1018](https://github.com/binwiederhier/ntfy/issues/1018), [ntfy-android#132](https://github.com/binwiederhier/ntfy-android/pull/132), [ntfy-android#146](https://github.com/binwiederhier/ntfy-android/pull/146), thanks to [@CrazyWolf13](https://github.com/CrazyWolf13))
+* Implement UnifiedPush "raise to foreground" requirement ([ntfy-android#98](https://github.com/binwiederhier/ntfy-android/pull/98), [ntfy-android#148](https://github.com/binwiederhier/ntfy-android/pull/148), thanks to [@p1gp1g](https://github.com/p1gp1g))
+* Language selector to allow overriding the system language ([#1508](https://github.com/binwiederhier/ntfy/issues/1508), [ntfy-android#145](https://github.com/binwiederhier/ntfy-android/pull/145), thanks to [@hudsonm62](https://github.com/hudsonm62) for reporting)
+* Highlight phone numbers and email addresses in notifications ([#957](https://github.com/binwiederhier/ntfy/issues/957), [ntfy-android#71](https://github.com/binwiederhier/ntfy-android/pull/71), thanks to [@brennenputh](https://github.com/brennenputh), and [@XylenSky](https://github.com/XylenSky) for reporting)
+* Support for port and display name in [ntfy://](subscribe/phone.md#ntfy-links) links ([ntfy-android#130](https://github.com/binwiederhier/ntfy-android/pull/130), thanks to [@godovski](https://github.com/godovski))
+
+**Bug fixes + maintenance:**
+
+* Add support for (technically incorrect) 'image/jpg' MIME type ([ntfy-android#142](https://github.com/binwiederhier/ntfy-android/pull/142), thanks to [@Murilobeluco](https://github.com/Murilobeluco))
+* Unify "copy to clipboard" notifications, use Android 13 style ([ntfy-android#61](https://github.com/binwiederhier/ntfy-android/pull/61), thanks to [@thgoebel](https://github.com/thgoebel))

docs/subscribe/api.md

@@ -295,7 +295,7 @@ Available filters (all case-insensitive):
 | `message`       | `X-Message`, `m`          | `ntfy.sh/mytopic/json?message=lalala`         | Only return messages that match this exact message string               |
 | `title`         | `X-Title`, `t`            | `ntfy.sh/mytopic/json?title=some+title`       | Only return messages that match this exact title string                 |
 | `priority`      | `X-Priority`, `prio`, `p` | `ntfy.sh/mytopic/json?p=high,urgent`          | Only return messages that match *any priority listed* (comma-separated) |
-| `tags`          | `X-Tags`, `tag`, `ta`     | `ntfy.sh/mytopic?/jsontags=error,alert`       | Only return messages that match *all listed tags* (comma-separated)     |
+| `tags`          | `X-Tags`, `tag`, `ta`     | `ntfy.sh/mytopic/json?tags=error,alert`       | Only return messages that match *all listed tags* (comma-separated)     |
 
 ### Subscribe to multiple topics
 It's possible to subscribe to multiple topics in one HTTP call by providing a comma-separated list of topics 

docs/subscribe/phone.md

@@ -129,10 +129,11 @@ or to simply directly link to a topic from a mobile website.
 
 **Supported link formats:**
 
-| Link format                                                                   | Example                                   | Description                                                                                                                                                                                         |
-|-------------------------------------------------------------------------------|-------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| <span style="white-space: nowrap">`ntfy://<host>/<topic>`</span>              | `ntfy://ntfy.sh/mytopic`                  | Directly opens the Android app detail view for the given topic and server. Subscribes to the topic if not already subscribed. This is equivalent to the web view `https://ntfy.sh/mytopic` (HTTPS!) |
-| <span style="white-space: nowrap">`ntfy://<host>/<topic>?secure=false`</span> | `ntfy://example.com/mytopic?secure=false` | Same as above, except that this will use HTTP instead of HTTPS as topic URL. This is equivalent to the web view `http://example.com/mytopic` (HTTP!)                                                |
+| Link format                                                                     | Example                                   | Description                                                                                                                                                                                         |
+|---------------------------------------------------------------------------------|-------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| <span style="white-space: nowrap">`ntfy://<host>/<topic>`</span>                | `ntfy://ntfy.sh/mytopic`                  | Directly opens the Android app detail view for the given topic and server. Subscribes to the topic if not already subscribed. This is equivalent to the web view `https://ntfy.sh/mytopic` (HTTPS!) |
+| <span style="white-space: nowrap">`ntfy://<host>/<topic>?display=<name>`</span> | `ntfy://ntfy.sh/mytopic?display=My+Topic` | Same as above, but also defines a display name for the topic.                                                                                                                                       |
+| <span style="white-space: nowrap">`ntfy://<host>/<topic>?secure=false`</span>   | `ntfy://example.com/mytopic?secure=false` | Same as above, except that this will use HTTP instead of HTTPS as topic URL. This is equivalent to the web view `http://example.com/mytopic` (HTTP!)                                                |
 
 ## Integrations
 

go.mod

@@ -6,22 +6,22 @@ toolchain go1.24.5
 
 require (
 	cloud.google.com/go/firestore v1.20.0 // indirect
-	cloud.google.com/go/storage v1.57.2 // indirect
-	github.com/BurntSushi/toml v1.5.0 // indirect
+	cloud.google.com/go/storage v1.58.0 // indirect
+	github.com/BurntSushi/toml v1.6.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
 	github.com/emersion/go-smtp v0.18.0
-	github.com/gabriel-vasile/mimetype v1.4.11
+	github.com/gabriel-vasile/mimetype v1.4.12
 	github.com/gorilla/websocket v1.5.3
 	github.com/mattn/go-sqlite3 v1.14.32
 	github.com/olebedev/when v1.1.0
 	github.com/stretchr/testify v1.11.1
 	github.com/urfave/cli/v2 v2.27.7
-	golang.org/x/crypto v0.44.0
-	golang.org/x/oauth2 v0.33.0 // indirect
-	golang.org/x/sync v0.18.0
-	golang.org/x/term v0.37.0
+	golang.org/x/crypto v0.46.0
+	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/sync v0.19.0
+	golang.org/x/term v0.38.0
 	golang.org/x/time v0.14.0
-	google.golang.org/api v0.256.0
+	google.golang.org/api v0.258.0
 	gopkg.in/yaml.v2 v2.4.0
 )
 
@@ -35,13 +35,13 @@ require (
 	github.com/microcosm-cc/bluemonday v1.0.27
 	github.com/prometheus/client_golang v1.23.2
 	github.com/stripe/stripe-go/v74 v74.30.0
-	golang.org/x/text v0.31.0
+	golang.org/x/text v0.32.0
 )
 
 require (
 	cel.dev/expr v0.25.1 // indirect
 	cloud.google.com/go v0.123.0 // indirect
-	cloud.google.com/go/auth v0.17.0 // indirect
+	cloud.google.com/go/auth v0.18.0 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	cloud.google.com/go/iam v1.5.3 // indirect
@@ -55,11 +55,11 @@ require (
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/cncf/xds/go v0.0.0-20251110193048-8bfbf64dc13e // indirect
+	github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6 // indirect
 	github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
@@ -70,35 +70,35 @@ require (
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
-	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
+	github.com/googleapis/gax-go/v2 v2.16.0 // indirect
 	github.com/gorilla/css v1.0.1 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.67.2 // indirect
+	github.com/prometheus/common v0.67.4 // indirect
 	github.com/prometheus/procfs v0.19.2 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/detectors/gcp v1.38.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
-	go.opentelemetry.io/otel v1.38.0 // indirect
-	go.opentelemetry.io/otel/metric v1.38.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.38.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect
-	go.opentelemetry.io/otel/trace v1.38.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.39.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.64.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 // indirect
+	go.opentelemetry.io/otel v1.39.0 // indirect
+	go.opentelemetry.io/otel/metric v1.39.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.39.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.39.0 // indirect
+	go.opentelemetry.io/otel/trace v1.39.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
-	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/net v0.48.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
 	google.golang.org/appengine/v2 v2.0.6 // indirect
-	google.golang.org/genproto v0.0.0-20251111163417-95abcf5c77ba // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20251111163417-95abcf5c77ba // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba // indirect
-	google.golang.org/grpc v1.76.0 // indirect
-	google.golang.org/protobuf v1.36.10 // indirect
+	google.golang.org/genproto v0.0.0-20251213004720-97cd9d5aeac2 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251213004720-97cd9d5aeac2 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2 // indirect
+	google.golang.org/grpc v1.77.0 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -2,8 +2,8 @@ cel.dev/expr v0.25.1 h1:1KrZg61W6TWSxuNZ37Xy49ps13NUovb66QLprthtwi4=
 cel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4=
 cloud.google.com/go v0.123.0 h1:2NAUJwPR47q+E35uaJeYoNhuNEM9kM8SjgRgdeOJUSE=
 cloud.google.com/go v0.123.0/go.mod h1:xBoMV08QcqUGuPW65Qfm1o9Y4zKZBpGS+7bImXLTAZU=
-cloud.google.com/go/auth v0.17.0 h1:74yCm7hCj2rUyyAocqnFzsAYXgJhrG26XCFimrc/Kz4=
-cloud.google.com/go/auth v0.17.0/go.mod h1:6wv/t5/6rOPAX4fJiRjKkJCvswLwdet7G8+UGXt7nCQ=
+cloud.google.com/go/auth v0.18.0 h1:wnqy5hrv7p3k7cShwAU/Br3nzod7fxoqG+k0VZ+/Pk0=
+cloud.google.com/go/auth v0.18.0/go.mod h1:wwkPM1AgE1f2u6dG443MiWoD8C3BtOywNsUMcUTVDRo=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
@@ -18,16 +18,16 @@ cloud.google.com/go/longrunning v0.7.0 h1:FV0+SYF1RIj59gyoWDRi45GiYUMM3K1qO51qob
 cloud.google.com/go/longrunning v0.7.0/go.mod h1:ySn2yXmjbK9Ba0zsQqunhDkYi0+9rlXIwnoAf+h+TPY=
 cloud.google.com/go/monitoring v1.24.3 h1:dde+gMNc0UhPZD1Azu6at2e79bfdztVDS5lvhOdsgaE=
 cloud.google.com/go/monitoring v1.24.3/go.mod h1:nYP6W0tm3N9H/bOw8am7t62YTzZY+zUeQ+Bi6+2eonI=
-cloud.google.com/go/storage v1.57.2 h1:sVlym3cHGYhrp6XZKkKb+92I1V42ks2qKKpB0CF5Mb4=
-cloud.google.com/go/storage v1.57.2/go.mod h1:n5ijg4yiRXXpCu0sJTD6k+eMf7GRrJmPyr9YxLXGHOk=
+cloud.google.com/go/storage v1.58.0 h1:PflFXlmFJjG/nBeR9B7pKddLQWaFaRWx4uUi/LyNxxo=
+cloud.google.com/go/storage v1.58.0/go.mod h1:cMWbtM+anpC74gn6qjLh+exqYcfmB9Hqe5z6adx+CLI=
 cloud.google.com/go/trace v1.11.7 h1:kDNDX8JkaAG3R2nq1lIdkb7FCSi1rCmsEtKVsty7p+U=
 cloud.google.com/go/trace v1.11.7/go.mod h1:TNn9d5V3fQVf6s4SCveVMIBS2LJUqo73GACmq/Tky0s=
 firebase.google.com/go/v4 v4.18.0 h1:S+g0P72oDGqOaG4wlLErX3zQmU9plVdu7j+Bc3R1qFw=
 firebase.google.com/go/v4 v4.18.0/go.mod h1:P7UfBpzc8+Z3MckX79+zsWzKVfpGryr6HLbAe7gCWfs=
 github.com/AlekSi/pointer v1.2.0 h1:glcy/gc4h8HnG2Z3ZECSzZ1IX1x2JxRVuDzaJwQE0+w=
 github.com/AlekSi/pointer v1.2.0/go.mod h1:gZGfd3dpW4vEc/UlyfKKi1roIqcCgwOIvb0tSNSBle0=
-github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
-github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
+github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 h1:sBEjpZlNHzK1voKq9695PJSX2o5NEXl7/OL3coiIY0c=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0/go.mod h1:P4WPRUkOhJC13W//jWpyfJNDAIpvRbAUIYLX/4jtlE0=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.54.0 h1:lhhYARPUu3LmHysQ/igznQphfzynnqI3D75oUyw1HXk=
@@ -46,8 +46,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cncf/xds/go v0.0.0-20251110193048-8bfbf64dc13e h1:gt7U1Igw0xbJdyaCM5H2CnlAlPSkzrhsebQB6WQWjLA=
-github.com/cncf/xds/go v0.0.0-20251110193048-8bfbf64dc13e/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI=
+github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 h1:6xNmx7iTtyBRev0+D/Tv1FZd4SCg8axKApyNyRsAt/w=
+github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI=
 github.com/cpuguy83/go-md2man/v2 v2.0.7 h1:zbFlGlXEAKlwXpmvle3d8Oe3YnkKIK4xSRTd3sHPnBo=
 github.com/cpuguy83/go-md2man/v2 v2.0.7/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -58,18 +58,18 @@ github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6 h1:oP4q0fw+fOSWn3
 github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
 github.com/emersion/go-smtp v0.17.0 h1:tq90evlrcyqRfE6DSXaWVH54oX6OuZOQECEmhWBMEtI=
 github.com/emersion/go-smtp v0.17.0/go.mod h1:qm27SGYgoIPRot6ubfQ/GpiPy/g3PaZAVRxiO/sDUgQ=
-github.com/envoyproxy/go-control-plane v0.13.4 h1:zEqyPVyku6IvWCFwux4x9RxkLOMUL+1vC9xUFv5l2/M=
-github.com/envoyproxy/go-control-plane v0.13.4/go.mod h1:kDfuBlDVsSj2MjrLEtRWtHlsWIFcGyB2RMO44Dc5GZA=
+github.com/envoyproxy/go-control-plane v0.13.5-0.20251024222203-75eaa193e329 h1:K+fnvUM0VZ7ZFJf0n4L/BRlnsb9pL/GuDG6FqaH+PwM=
+github.com/envoyproxy/go-control-plane v0.13.5-0.20251024222203-75eaa193e329/go.mod h1:Alz8LEClvR7xKsrq3qzoc4N0guvVNSS8KmSChGYr9hs=
 github.com/envoyproxy/go-control-plane/envoy v1.36.0 h1:yg/JjO5E7ubRyKX3m07GF3reDNEnfOboJ0QySbH736g=
 github.com/envoyproxy/go-control-plane/envoy v1.36.0/go.mod h1:ty89S1YCCVruQAm9OtKeEkQLTb+Lkz0k8v9W0Oxsv98=
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI=
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4=
-github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8=
-github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU=
+github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg5VPuZ0uONDT6eb4=
+github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/gabriel-vasile/mimetype v1.4.11 h1:AQvxbp830wPhHTqc1u7nzoLT+ZFxGY7emj5DR5DYFik=
-github.com/gabriel-vasile/mimetype v1.4.11/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
+github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
 github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -98,8 +98,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.3.7 h1:zrn2Ee/nWmHulBx5sAVrGgAa0f2/R35S4DJwfFaUPFQ=
 github.com/googleapis/enterprise-certificate-proxy v0.3.7/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
-github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81vgd/bo=
-github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
+github.com/googleapis/gax-go/v2 v2.16.0 h1:iHbQmKLLZrexmb0OSsNGTeSTS0HO4YvFOG8g5E4Zd0Y=
+github.com/googleapis/gax-go/v2 v2.16.0/go.mod h1:o1vfQjjNZn4+dPnRdl/4ZD7S9414Y4xA+a/6Icj6l14=
 github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
 github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
@@ -131,8 +131,8 @@ github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h
 github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
-github.com/prometheus/common v0.67.2 h1:PcBAckGFTIHt2+L3I33uNRTlKTplNzFctXcWhPyAEN8=
-github.com/prometheus/common v0.67.2/go.mod h1:63W3KZb1JOKgcjlIr64WW/LvFGAqKPj0atm+knVGEko=
+github.com/prometheus/common v0.67.4 h1:yR3NqWO1/UyO1w2PhUvXlGQs/PtFmoveVO0KZ4+Lvsc=
+github.com/prometheus/common v0.67.4/go.mod h1:gP0fq6YjjNCLssJCQp0yk4M8W6ikLURwkdd/YKtTbyI=
 github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
 github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
@@ -156,24 +156,24 @@ github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342/go.mod h1:Ohn+xnUBi
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/contrib/detectors/gcp v1.38.0 h1:ZoYbqX7OaA/TAikspPl3ozPI6iY6LiIY9I8cUfm+pJs=
-go.opentelemetry.io/contrib/detectors/gcp v1.38.0/go.mod h1:SU+iU7nu5ud4oCb3LQOhIZ3nRLj6FNVrKgtflbaf2ts=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 h1:YH4g8lQroajqUwWbq/tr2QX1JFmEXaDLgG+ew9bLMWo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0/go.mod h1:fvPi2qXDqFs8M4B4fmJhE92TyQs9Ydjlg3RvfUp+NbQ=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg=
-go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
-go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
-go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.36.0 h1:rixTyDGXFxRy1xzhKrotaHy3/KXdPhlWARrCgK+eqUY=
-go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.36.0/go.mod h1:dowW6UsM9MKbJq5JTz2AMVp3/5iW5I/TStsk8S+CfHw=
-go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
-go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
-go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
-go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
-go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
-go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
-go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
-go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
+go.opentelemetry.io/contrib/detectors/gcp v1.39.0 h1:kWRNZMsfBHZ+uHjiH4y7Etn2FK26LAGkNFw7RHv1DhE=
+go.opentelemetry.io/contrib/detectors/gcp v1.39.0/go.mod h1:t/OGqzHBa5v6RHZwrDBJ2OirWc+4q/w2fTbLZwAKjTk=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.64.0 h1:RN3ifU8y4prNWeEnQp2kRRHz8UwonAEYZl8tUzHEXAk=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.64.0/go.mod h1:habDz3tEWiFANTo6oUE99EmaFUrCNYAAg3wiVmusm70=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 h1:ssfIgGNANqpVFCndZvcuyKbl0g+UAVcbBcqGkG28H0Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0/go.mod h1:GQ/474YrbE4Jx8gZ4q5I4hrhUzM6UPzyrqJYV2AqPoQ=
+go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
+go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0 h1:wm/Q0GAAykXv83wzcKzGGqAnnfLFyFe7RslekZuv+VI=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0/go.mod h1:ra3Pa40+oKjvYh+ZD3EdxFZZB0xdMfuileHAm4nNN7w=
+go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
+go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
+go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
+go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
+go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
+go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
+go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
+go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
@@ -184,8 +184,8 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.44.0 h1:A97SsFvM3AIwEEmTBiaxPPTYpDC47w720rdiiUvgoAU=
-golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
@@ -200,10 +200,10 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
-golang.org/x/oauth2 v0.33.0 h1:4Q+qn+E5z8gPRJfmRy7C2gGG3T4jIprK6aSYgTXGRpo=
-golang.org/x/oauth2 v0.33.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -211,8 +211,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -225,8 +225,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -236,8 +236,8 @@ golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
+golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -249,8 +249,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
 golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
 golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -263,22 +263,22 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/api v0.256.0 h1:u6Khm8+F9sxbCTYNoBHg6/Hwv0N/i+V94MvkOSor6oI=
-google.golang.org/api v0.256.0/go.mod h1:KIgPhksXADEKJlnEoRa9qAII4rXcy40vfI8HRqcU964=
+google.golang.org/api v0.258.0 h1:IKo1j5FBlN74fe5isA2PVozN3Y5pwNKriEgAXPOkDAc=
+google.golang.org/api v0.258.0/go.mod h1:qhOMTQEZ6lUps63ZNq9jhODswwjkjYYguA7fA3TBFww=
 google.golang.org/appengine/v2 v2.0.6 h1:LvPZLGuchSBslPBp+LAhihBeGSiRh1myRoYK4NtuBIw=
 google.golang.org/appengine/v2 v2.0.6/go.mod h1:WoEXGoXNfa0mLvaH5sV3ZSGXwVmy8yf7Z1JKf3J3wLI=
-google.golang.org/genproto v0.0.0-20251111163417-95abcf5c77ba h1:Ze6qXW0j37YCqZdCD2LkzVSxgEWez0cO4NUyd44DiDY=
-google.golang.org/genproto v0.0.0-20251111163417-95abcf5c77ba/go.mod h1:4FLPzLA8eGAktPOTemJGDgDYRpLYwrNu4u2JtWINhnI=
-google.golang.org/genproto/googleapis/api v0.0.0-20251111163417-95abcf5c77ba h1:B14OtaXuMaCQsl2deSvNkyPKIzq3BjfxQp8d00QyWx4=
-google.golang.org/genproto/googleapis/api v0.0.0-20251111163417-95abcf5c77ba/go.mod h1:G5IanEx8/PgI9w6CFcYQf7jMtHQhZruvfM1i3qOqk5U=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba h1:UKgtfRM7Yh93Sya0Fo8ZzhDP4qBckrrxEr2oF5UIVb8=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
-google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
-google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
+google.golang.org/genproto v0.0.0-20251213004720-97cd9d5aeac2 h1:stRtB2UVzFOWnorVuwF0BVVEjQ3AN6SjHWdg811UIQM=
+google.golang.org/genproto v0.0.0-20251213004720-97cd9d5aeac2/go.mod h1:yJ2HH4EHEDTd3JiLmhds6NkJ17ITVYOdV3m3VKOnws0=
+google.golang.org/genproto/googleapis/api v0.0.0-20251213004720-97cd9d5aeac2 h1:7LRqPCEdE4TP4/9psdaB7F2nhZFfBiGJomA5sojLWdU=
+google.golang.org/genproto/googleapis/api v0.0.0-20251213004720-97cd9d5aeac2/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2 h1:2I6GHUeJ/4shcDpoUlLs/2WPnhg7yJwvXtqcMJt9liA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
+google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
-google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

server/server_admin.go

@@ -24,15 +24,17 @@ func (s *Server) handleUsersGet(w http.ResponseWriter, r *http.Request, v *visit
 		userGrants := make([]*apiUserGrantResponse, len(grants[u.ID]))
 		for i, g := range grants[u.ID] {
 			userGrants[i] = &apiUserGrantResponse{
-				Topic:      g.TopicPattern,
-				Permission: g.Permission.String(),
+				Topic:       g.TopicPattern,
+				Permission:  g.Permission.String(),
+				Provisioned: g.Provisioned,
 			}
 		}
 		usersResponse[i] = &apiUserResponse{
-			Username: u.Name,
-			Role:     string(u.Role),
-			Tier:     tier,
-			Grants:   userGrants,
+			Username:    u.Name,
+			Role:        string(u.Role),
+			Tier:        tier,
+			Grants:      userGrants,
+			Provisioned: u.Provisioned,
 		}
 	}
 	return s.writeJSON(w, usersResponse)

server/server_firebase.go

@@ -80,7 +80,7 @@ type firebaseSenderImpl struct {
 }
 
 func newFirebaseSender(credentialsFile string) (firebaseSender, error) {
-	fb, err := firebase.NewApp(context.Background(), nil, option.WithCredentialsFile(credentialsFile))
+	fb, err := firebase.NewApp(context.Background(), nil, option.WithAuthCredentialsFile(option.ServiceAccount, credentialsFile))
 	if err != nil {
 		return nil, err
 	}

server/types.go

@@ -308,15 +308,17 @@ type apiUserAddOrUpdateRequest struct {
 }
 
 type apiUserResponse struct {
-	Username string                  `json:"username"`
-	Role     string                  `json:"role"`
-	Tier     string                  `json:"tier,omitempty"`
-	Grants   []*apiUserGrantResponse `json:"grants,omitempty"`
+	Username    string                  `json:"username"`
+	Role        string                  `json:"role"`
+	Tier        string                  `json:"tier,omitempty"`
+	Grants      []*apiUserGrantResponse `json:"grants,omitempty"`
+	Provisioned bool                    `json:"provisioned,omitempty"`
 }
 
 type apiUserGrantResponse struct {
-	Topic      string `json:"topic"` // This may be a pattern
-	Permission string `json:"permission"`
+	Topic       string `json:"topic"` // This may be a pattern
+	Permission  string `json:"permission"`
+	Provisioned bool   `json:"provisioned,omitempty"`
 }
 
 type apiUserDeleteRequest struct {

tools/fbsend/main.go

@@ -1,3 +1,5 @@
+//go:build !nofirebase
+
 package main
 
 import (
@@ -26,7 +28,7 @@ func main() {
 		}
 		data[kv[0]] = kv[1]
 	}
-	fb, err := firebase.NewApp(context.Background(), nil, option.WithCredentialsFile(*conffile))
+	fb, err := firebase.NewApp(context.Background(), nil, option.WithAuthCredentialsFile(option.ServiceAccount, *conffile))
 	if err != nil {
 		fail(err.Error())
 	}

web/public/static/langs/bg.json

@@ -403,5 +403,7 @@
     "prefs_appearance_theme_system": "Системна (подразбирана)",
     "web_push_subscription_expiring_title": "Известията временно ще бъдат спрени",
     "web_push_subscription_expiring_body": "За да продължите да получавате известия, отворете ntfy",
-    "action_bar_unmute_notifications": "Включване звука на известията"
+    "action_bar_unmute_notifications": "Включване звука на известията",
+    "account_tokens_table_cannot_delete_or_edit_provisioned_token": "Кодът за защита от външна система не може да бъде променян или премахван",
+    "account_basics_cannot_edit_or_delete_provisioned_user": "Потребител от външна система не може да бъде променян или премахван"
 }

web/public/static/langs/ca.json

@@ -3,5 +3,14 @@
     "action_bar_profile_title": "Perfil",
     "action_bar_settings": "Configuració",
     "action_bar_account": "Compte",
-    "common_add": "Afegir"
+    "common_add": "Afegir",
+    "common_cancel": "Cancel·la",
+    "common_save": "Desa",
+    "common_back": "Enrere",
+    "common_copy_to_clipboard": "Copia al portaretalls",
+    "signup_title": "Crea un compte ntfy",
+    "signup_form_username": "Nom d'usuari",
+    "signup_form_password": "Contrasenya",
+    "signup_form_confirm_password": "Confirma la contrasenya",
+    "signup_form_button_submit": "Dona't d'alta"
 }

web/public/static/langs/cu.json

@@ -0,0 +1,8 @@
+{
+    "common_cancel": "Отмѣнити",
+    "common_save": "Сохрани",
+    "common_add": "Приложити",
+    "common_back": "Назадъ",
+    "login_form_button_submit": "Въниди",
+    "signup_form_password": "Таино слово"
+}

web/public/static/langs/de.json

@@ -403,5 +403,7 @@
     "web_push_subscription_expiring_body": "Öffne ntfy um weiterhin Benachrichtigungen zu erhalten",
     "web_push_unknown_notification_title": "Unbekannte Benachrichtigung vom Server empfangen",
     "web_push_unknown_notification_body": "Du musst möglicherweise ntfy aktualisieren, indem du die Web App öffnest",
-    "prefs_notifications_web_push_enabled_description": "Benachrichtigungen werden empfangen, auch wenn die Web App nicht geöffnet ist (via Web Push)"
+    "prefs_notifications_web_push_enabled_description": "Benachrichtigungen werden empfangen, auch wenn die Web App nicht geöffnet ist (via Web Push)",
+    "account_tokens_table_cannot_delete_or_edit_provisioned_token": "Bereitgestelltes Token kann nicht bearbeitet oder gelöscht werden",
+    "account_basics_cannot_edit_or_delete_provisioned_user": "Ein bereitgestellter Benutzer kann nicht bearbeitet oder gelöscht werden"
 }

web/public/static/langs/en.json

@@ -405,5 +405,48 @@
   "web_push_subscription_expiring_title": "Notifications will be paused",
   "web_push_subscription_expiring_body": "Open ntfy to continue receiving notifications",
   "web_push_unknown_notification_title": "Unknown notification received from server",
-  "web_push_unknown_notification_body": "You may need to update ntfy by opening the web app"
+  "web_push_unknown_notification_body": "You may need to update ntfy by opening the web app",
+  "nav_button_admin": "Admin",
+  "admin_users_title": "Users",
+  "admin_users_description": "Manage users and their access permissions. Admin users cannot be modified via the web interface.",
+  "admin_users_table_username_header": "Username",
+  "admin_users_table_role_header": "Role",
+  "admin_users_table_tier_header": "Tier",
+  "admin_users_table_grants_header": "Access grants",
+  "admin_users_table_actions_header": "Actions",
+  "admin_users_table_grant_tooltip": "Permission: {{permission}}",
+  "admin_users_table_grant_provisioned_tooltip": "Permission: {{permission}} (provisioned, cannot be changed)",
+  "admin_users_table_add_access_tooltip": "Add access grant",
+  "admin_users_table_edit_tooltip": "Edit user",
+  "admin_users_table_delete_tooltip": "Delete user",
+  "admin_users_table_admin_no_actions": "Cannot modify admin users",
+  "admin_users_provisioned_tooltip": "Provisioned user (defined in server config)",
+  "admin_users_provisioned_cannot_edit": "Provisioned users cannot be edited or deleted",
+  "admin_users_role_admin": "Admin",
+  "admin_users_role_user": "User",
+  "admin_users_add_button": "Add user",
+  "admin_users_add_dialog_title": "Add user",
+  "admin_users_add_dialog_username_label": "Username",
+  "admin_users_add_dialog_password_label": "Password",
+  "admin_users_add_dialog_tier_label": "Tier",
+  "admin_users_add_dialog_tier_helper": "Optional. Leave empty for no tier.",
+  "admin_users_edit_dialog_title": "Edit user {{username}}",
+  "admin_users_edit_dialog_password_label": "New password",
+  "admin_users_edit_dialog_password_helper": "Leave empty to keep current password",
+  "admin_users_edit_dialog_tier_label": "Tier",
+  "admin_users_edit_dialog_tier_helper": "Leave empty to keep current tier",
+  "admin_users_delete_dialog_title": "Delete user",
+  "admin_users_delete_dialog_description": "Are you sure you want to delete user {{username}}? This action cannot be undone.",
+  "admin_users_delete_dialog_button": "Delete user",
+  "admin_access_add_dialog_title": "Add access for {{username}}",
+  "admin_access_add_dialog_topic_label": "Topic",
+  "admin_access_add_dialog_topic_helper": "Topic name or pattern (e.g. mytopic or alerts-*)",
+  "admin_access_add_dialog_permission_label": "Permission",
+  "admin_access_permission_read_write": "Read & Write",
+  "admin_access_permission_read_only": "Read only",
+  "admin_access_permission_write_only": "Write only",
+  "admin_access_permission_deny_all": "Deny all",
+  "admin_access_delete_dialog_title": "Remove access",
+  "admin_access_delete_dialog_description": "Are you sure you want to remove access to topic {{topic}} for user {{username}}?",
+  "admin_access_delete_dialog_button": "Remove access"
 }

web/public/static/langs/eo.json

@@ -1 +1,5 @@
-{}
+{
+    "common_cancel": "Nuligi",
+    "common_save": "Konservi",
+    "common_add": "Aldoni"
+}

web/public/static/langs/es.json

@@ -404,5 +404,7 @@
     "prefs_appearance_theme_dark": "Oscuro",
     "web_push_subscription_expiring_body": "Abrir ntfy para seguir recibiendo notificaciones",
     "web_push_unknown_notification_title": "Notificación desconocida recibida del servidor",
-    "web_push_unknown_notification_body": "Puede que necesites actualizar ntfy abriendo la aplicación web"
+    "web_push_unknown_notification_body": "Puede que necesites actualizar ntfy abriendo la aplicación web",
+    "account_basics_cannot_edit_or_delete_provisioned_user": "Un usuario provisionado no se puede editar o eliminar",
+    "account_tokens_table_cannot_delete_or_edit_provisioned_token": "No se puede editar o eliminar un token provisionado"
 }

web/public/static/langs/et.json

@@ -139,7 +139,7 @@
     "display_name_dialog_placeholder": "Kuvatav nimi",
     "publish_dialog_title_no_topic": "Avalda teavitus",
     "publish_dialog_progress_uploading": "Laadin üles…",
-    "publish_dialog_message_published": "Teavitus on saadetud",
+    "publish_dialog_message_published": "Teavitus on avaldatud",
     "publish_dialog_emoji_picker_show": "Vali emoji",
     "publish_dialog_priority_low": "Vähetähtis",
     "publish_dialog_priority_default": "Vaikimisi tähtsus",
@@ -403,5 +403,7 @@
     "account_upgrade_dialog_proration_info": "<strong>Summade jagamine</strong>: Kui muudad teenusepaketti paremaks, siis pead hinnavahe <strong>maksma kohe</strong>. Kui muudad teenusepaketti madalamaks, siis hinnavahe arvelt hüvituvad mõned järgmised maksed.",
     "account_upgrade_dialog_reservations_warning_one": "Sinu praegune teenusepakett võimaldab senise paketiga võrreldes reserveerida vähem teemasid. Enne paketi muutmist <strong>palun esmalt kustuta vähemalt üks reserveering</strong>. Seda saad <Link>teha siin</Link>.",
     "account_upgrade_dialog_reservations_warning_other": "Sinu praegune teenusepakett võimaldab senise paketiga võrreldes reserveerida vähem teemasid. Enne paketi muutmist <strong>palun esmalt kustuta vähemalt {{count}} reserveeringut</strong>. Seda saad <Link>teha siin</Link>.",
-    "prefs_users_description": "Oma kaitstud teemade kasutajaid saad lisada ja eemaldada siin. Palun arvesta, et kasutajanimi ja salasõna on salvestatud veebibrauseri kohalikus andmeruumis."
+    "prefs_users_description": "Oma kaitstud teemade kasutajaid saad lisada ja eemaldada siin. Palun arvesta, et kasutajanimi ja salasõna on salvestatud veebibrauseri kohalikus andmeruumis.",
+    "account_basics_cannot_edit_or_delete_provisioned_user": "Eelsisestatud kasutajat ei saa muuta ega kustutada",
+    "account_tokens_table_cannot_delete_or_edit_provisioned_token": "Eelsisestatud tunnusluba ei saa muuta ega kustutada"
 }

web/public/static/langs/fr.json

@@ -15,7 +15,7 @@
     "notifications_attachment_copy_url_title": "Copier l'URL de la pièce jointe dans le presse-papiers",
     "notifications_attachment_open_title": "Aller à {{url}}",
     "notifications_attachment_link_expired": "lien de téléchargement expiré",
-    "nav_button_publish_message": "Publier la notification",
+    "nav_button_publish_message": "Publier une notification",
     "notifications_copied_to_clipboard": "Copié dans le presse-papiers",
     "alert_not_supported_title": "Notifications non prises en charge",
     "notifications_tags": "Étiquettes",
@@ -64,7 +64,7 @@
     "notifications_actions_not_supported": "Cette action n'est pas supportée dans l'application web",
     "notifications_actions_http_request_title": "Envoyer une requête HTTP {{method}} à {{url}}",
     "publish_dialog_attachment_limits_quota_reached": "quota dépassé, {{remainingBytes}} restants",
-    "publish_dialog_tags_placeholder": "Liste séparée par des virgules d'étiquettes, par ex. avertissement,backup-srv1",
+    "publish_dialog_tags_placeholder": "Liste d'étiquettes séparée par des virgules, par ex. avertissement,backup-srv1",
     "publish_dialog_priority_label": "Priorité",
     "publish_dialog_click_label": "URL du clic",
     "publish_dialog_click_placeholder": "URL ouverte lors d'un clic sur la notification",
@@ -272,7 +272,7 @@
     "account_delete_dialog_button_submit": "Supprimer définitivement le compte",
     "account_delete_dialog_billing_warning": "Supprimer votre compte annule aussi immédiatement votre facturation. Vous n'aurez plus accès à votre tableau de bord de facturation.",
     "account_upgrade_dialog_title": "Changer le tarif du compte",
-    "account_upgrade_dialog_proration_info": "<strong>Facturation</strong> : Lors d'un changement vers un tiers payant, la différence de prix sera débitée <strong>immédiatement</strong>. En passant d'un tiers payant a gratuit, votre solde sera utilisé pour payer de futur factures.",
+    "account_upgrade_dialog_proration_info": "<strong>Proratisation</strong> : Lors d'un changement vers le haut entre plans payants, la différence de prix sera <strong>facturée immédiatement</strong>. En cas de diminutions vers un plan plus économique, la balance sera utilisée pour le paiement des factures suivantes.",
     "account_upgrade_dialog_reservations_warning_other": "Le tarif sélectionné autorise moins de sujets réservés que votre tarif actuel. Avant de changer de tarif, <strong>veuillez supprimer au moins {{count}} sujets réservés</strong>. Vous pouvez supprimer des sujets réservés dans les <Link>Paramètres</Link>.",
     "account_upgrade_dialog_tier_features_reservations_other": "{{reservations}} sujets réservés",
     "account_upgrade_dialog_tier_features_messages_other": "{{messages}} messages journaliers",
@@ -403,5 +403,7 @@
     "web_push_subscription_expiring_title": "Les notifications seront suspendues",
     "web_push_subscription_expiring_body": "Ouvrez ntfy pour continuer à recevoir les notifications",
     "web_push_unknown_notification_title": "Notification inconnue reçue du serveur",
-    "web_push_unknown_notification_body": "Il est possible que vous deviez mettre à jour ntfy en ouvrant l'application web"
+    "web_push_unknown_notification_body": "Il est possible que vous deviez mettre à jour ntfy en ouvrant l'application web",
+    "account_basics_cannot_edit_or_delete_provisioned_user": "Un utilisateur provisionné ne peut pas être modifié ou supprimé",
+    "account_tokens_table_cannot_delete_or_edit_provisioned_token": "Impossible de modifier ou de supprimer le jeton provisionné"
 }

web/public/static/langs/ja.json

@@ -403,5 +403,7 @@
     "prefs_appearance_theme_system": "システム (既定)",
     "prefs_appearance_theme_dark": "ダークモード",
     "web_push_unknown_notification_title": "不明な通知を受信しました",
-    "web_push_unknown_notification_body": "ウェブアプリを開いてntfyをアップデートする必要があります"
+    "web_push_unknown_notification_body": "ウェブアプリを開いてntfyをアップデートする必要があります",
+    "account_basics_cannot_edit_or_delete_provisioned_user": "自動作成されたユーザーの編集や削除はできません",
+    "account_tokens_table_cannot_delete_or_edit_provisioned_token": "自動作成されたトークンは編集や削除はできません"
 }

web/src/app/AdminApi.js

@@ -0,0 +1,82 @@
+import { fetchOrThrow } from "./errors";
+import { withBearerAuth } from "./utils";
+import session from "./Session";
+
+const usersUrl = (baseUrl) => `${baseUrl}/v1/users`;
+const usersAccessUrl = (baseUrl) => `${baseUrl}/v1/users/access`;
+
+class AdminApi {
+  async getUsers() {
+    const url = usersUrl(config.base_url);
+    console.log(`[AdminApi] Fetching users ${url}`);
+    const response = await fetchOrThrow(url, {
+      headers: withBearerAuth({}, session.token()),
+    });
+    return response.json();
+  }
+
+  async addUser(username, password, tier) {
+    const url = usersUrl(config.base_url);
+    const body = { username, password };
+    if (tier) {
+      body.tier = tier;
+    }
+    console.log(`[AdminApi] Adding user ${url}`);
+    await fetchOrThrow(url, {
+      method: "POST",
+      headers: withBearerAuth({}, session.token()),
+      body: JSON.stringify(body),
+    });
+  }
+
+  async updateUser(username, password, tier) {
+    const url = usersUrl(config.base_url);
+    const body = { username };
+    if (password) {
+      body.password = password;
+    }
+    if (tier) {
+      body.tier = tier;
+    }
+    console.log(`[AdminApi] Updating user ${url}`);
+    await fetchOrThrow(url, {
+      method: "PUT",
+      headers: withBearerAuth({}, session.token()),
+      body: JSON.stringify(body),
+    });
+  }
+
+  async deleteUser(username) {
+    const url = usersUrl(config.base_url);
+    console.log(`[AdminApi] Deleting user ${url}`);
+    await fetchOrThrow(url, {
+      method: "DELETE",
+      headers: withBearerAuth({}, session.token()),
+      body: JSON.stringify({ username }),
+    });
+  }
+
+  async allowAccess(username, topic, permission) {
+    const url = usersAccessUrl(config.base_url);
+    console.log(`[AdminApi] Allowing access ${url}`);
+    await fetchOrThrow(url, {
+      method: "PUT",
+      headers: withBearerAuth({}, session.token()),
+      body: JSON.stringify({ username, topic, permission }),
+    });
+  }
+
+  async resetAccess(username, topic) {
+    const url = usersAccessUrl(config.base_url);
+    console.log(`[AdminApi] Resetting access ${url}`);
+    await fetchOrThrow(url, {
+      method: "DELETE",
+      headers: withBearerAuth({}, session.token()),
+      body: JSON.stringify({ username, topic }),
+    });
+  }
+}
+
+const adminApi = new AdminApi();
+export default adminApi;
+

web/src/components/Admin.jsx

@@ -0,0 +1,593 @@
+import * as React from "react";
+import { useContext, useEffect, useState } from "react";
+import {
+  Alert,
+  CardActions,
+  CardContent,
+  Chip,
+  FormControl,
+  Select,
+  Table,
+  TableBody,
+  TableCell,
+  TableHead,
+  TableRow,
+  Tooltip,
+  Typography,
+  Container,
+  Card,
+  Button,
+  Dialog,
+  DialogTitle,
+  DialogContent,
+  TextField,
+  IconButton,
+  MenuItem,
+  DialogContentText,
+  useMediaQuery,
+  useTheme,
+  Stack,
+  CircularProgress,
+  Box,
+} from "@mui/material";
+import EditIcon from "@mui/icons-material/Edit";
+import { useTranslation } from "react-i18next";
+import DeleteOutlineIcon from "@mui/icons-material/DeleteOutline";
+import AddIcon from "@mui/icons-material/Add";
+import CloseIcon from "@mui/icons-material/Close";
+import LockIcon from "@mui/icons-material/Lock";
+import routes from "./routes";
+import { AccountContext } from "./App";
+import DialogFooter from "./DialogFooter";
+import { Paragraph } from "./styles";
+import { UnauthorizedError } from "../app/errors";
+import session from "../app/Session";
+import adminApi from "../app/AdminApi";
+import { Role } from "../app/AccountApi";
+
+const Admin = () => {
+  const { account } = useContext(AccountContext);
+
+  // Redirect non-admins away
+  if (!session.exists() || (account && account.role !== Role.ADMIN)) {
+    window.location.href = routes.app;
+    return null;
+  }
+
+  // Wait for account to load
+  if (!account) {
+    return (
+      <Box sx={{ display: "flex", justifyContent: "center", alignItems: "center", height: "100vh" }}>
+        <CircularProgress />
+      </Box>
+    );
+  }
+
+  return (
+    <Container maxWidth="lg" sx={{ marginTop: 3, marginBottom: 3 }}>
+      <Stack spacing={3}>
+        <Users />
+      </Stack>
+    </Container>
+  );
+};
+
+const Users = () => {
+  const { t } = useTranslation();
+  const [users, setUsers] = useState(null);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState("");
+  const [addDialogKey, setAddDialogKey] = useState(0);
+  const [addDialogOpen, setAddDialogOpen] = useState(false);
+
+  const loadUsers = async () => {
+    try {
+      setLoading(true);
+      const data = await adminApi.getUsers();
+      setUsers(data);
+      setError("");
+    } catch (e) {
+      console.log(`[Admin] Error loading users`, e);
+      if (e instanceof UnauthorizedError) {
+        await session.resetAndRedirect(routes.login);
+      } else {
+        setError(e.message);
+      }
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  useEffect(() => {
+    loadUsers();
+  }, []);
+
+  const handleAddClick = () => {
+    setAddDialogKey((prev) => prev + 1);
+    setAddDialogOpen(true);
+  };
+
+  const handleDialogClose = () => {
+    setAddDialogOpen(false);
+    loadUsers();
+  };
+
+  return (
+    <Card sx={{ padding: 1 }} aria-label={t("admin_users_title")}>
+      <CardContent sx={{ paddingBottom: 1 }}>
+        <Typography variant="h5" sx={{ marginBottom: 2 }}>
+          {t("admin_users_title")}
+        </Typography>
+        <Paragraph>{t("admin_users_description")}</Paragraph>
+        {error && (
+          <Alert severity="error" sx={{ mb: 2 }}>
+            {error}
+          </Alert>
+        )}
+        {loading && (
+          <Box sx={{ display: "flex", justifyContent: "center", p: 3 }}>
+            <CircularProgress />
+          </Box>
+        )}
+        {!loading && users && (
+          <div style={{ width: "100%", overflowX: "auto" }}>
+            <UsersTable users={users} onUserChanged={loadUsers} />
+          </div>
+        )}
+      </CardContent>
+      <CardActions>
+        <Button onClick={handleAddClick} startIcon={<AddIcon />}>
+          {t("admin_users_add_button")}
+        </Button>
+      </CardActions>
+      <AddUserDialog key={`addUserDialog${addDialogKey}`} open={addDialogOpen} onClose={handleDialogClose} />
+    </Card>
+  );
+};
+
+const UsersTable = (props) => {
+  const { t } = useTranslation();
+  const [editDialogKey, setEditDialogKey] = useState(0);
+  const [editDialogOpen, setEditDialogOpen] = useState(false);
+  const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
+  const [accessDialogKey, setAccessDialogKey] = useState(0);
+  const [accessDialogOpen, setAccessDialogOpen] = useState(false);
+  const [deleteAccessDialogOpen, setDeleteAccessDialogOpen] = useState(false);
+  const [selectedUser, setSelectedUser] = useState(null);
+  const [selectedGrant, setSelectedGrant] = useState(null);
+
+  const { users } = props;
+
+  const handleEditClick = (user) => {
+    setEditDialogKey((prev) => prev + 1);
+    setSelectedUser(user);
+    setEditDialogOpen(true);
+  };
+
+  const handleDeleteClick = (user) => {
+    setSelectedUser(user);
+    setDeleteDialogOpen(true);
+  };
+
+  const handleAddAccessClick = (user) => {
+    setAccessDialogKey((prev) => prev + 1);
+    setSelectedUser(user);
+    setAccessDialogOpen(true);
+  };
+
+  const handleDeleteAccessClick = (user, grant) => {
+    setSelectedUser(user);
+    setSelectedGrant(grant);
+    setDeleteAccessDialogOpen(true);
+  };
+
+  const handleDialogClose = () => {
+    setEditDialogOpen(false);
+    setDeleteDialogOpen(false);
+    setAccessDialogOpen(false);
+    setDeleteAccessDialogOpen(false);
+    setSelectedUser(null);
+    setSelectedGrant(null);
+    props.onUserChanged();
+  };
+
+  return (
+    <>
+      <Table size="small" aria-label={t("admin_users_title")}>
+        <TableHead>
+          <TableRow>
+            <TableCell sx={{ paddingLeft: 0 }}>{t("admin_users_table_username_header")}</TableCell>
+            <TableCell>{t("admin_users_table_role_header")}</TableCell>
+            <TableCell>{t("admin_users_table_tier_header")}</TableCell>
+            <TableCell>{t("admin_users_table_grants_header")}</TableCell>
+            <TableCell align="right">{t("admin_users_table_actions_header")}</TableCell>
+          </TableRow>
+        </TableHead>
+        <TableBody>
+          {users.map((user) => (
+            <TableRow key={user.username} sx={{ "&:last-child td, &:last-child th": { border: 0 } }}>
+              <TableCell component="th" scope="row" sx={{ paddingLeft: 0 }}>
+                <Stack direction="row" spacing={0.5} alignItems="center">
+                  <span>{user.username}</span>
+                  {user.provisioned && (
+                    <Tooltip title={t("admin_users_provisioned_tooltip")}>
+                      <LockIcon fontSize="small" color="disabled" />
+                    </Tooltip>
+                  )}
+                </Stack>
+              </TableCell>
+              <TableCell>
+                <RoleChip role={user.role} />
+              </TableCell>
+              <TableCell>{user.tier || "-"}</TableCell>
+              <TableCell>
+                {user.grants && user.grants.length > 0 ? (
+                  <Stack direction="row" spacing={0.5} flexWrap="wrap" useFlexGap>
+                    {user.grants.map((grant, idx) => {
+                      const canDelete = user.role !== "admin" && !grant.provisioned;
+                      const tooltipText = grant.provisioned
+                        ? t("admin_users_table_grant_provisioned_tooltip", { permission: grant.permission })
+                        : t("admin_users_table_grant_tooltip", { permission: grant.permission });
+                      return (
+                        <Tooltip key={idx} title={tooltipText}>
+                          <Chip
+                            label={grant.topic}
+                            size="small"
+                            variant={grant.provisioned ? "filled" : "outlined"}
+                            color={grant.provisioned ? "default" : "default"}
+                            icon={grant.provisioned ? <LockIcon fontSize="small" /> : undefined}
+                            onDelete={canDelete ? () => handleDeleteAccessClick(user, grant) : undefined}
+                          />
+                        </Tooltip>
+                      );
+                    })}
+                  </Stack>
+                ) : (
+                  "-"
+                )}
+              </TableCell>
+              <TableCell align="right" sx={{ whiteSpace: "nowrap" }}>
+                {user.role !== "admin" && !user.provisioned ? (
+                  <>
+                    <Tooltip title={t("admin_users_table_add_access_tooltip")}>
+                      <IconButton onClick={() => handleAddAccessClick(user)} size="small">
+                        <AddIcon />
+                      </IconButton>
+                    </Tooltip>
+                    <Tooltip title={t("admin_users_table_edit_tooltip")}>
+                      <IconButton onClick={() => handleEditClick(user)} size="small">
+                        <EditIcon />
+                      </IconButton>
+                    </Tooltip>
+                    <Tooltip title={t("admin_users_table_delete_tooltip")}>
+                      <IconButton onClick={() => handleDeleteClick(user)} size="small">
+                        <DeleteOutlineIcon />
+                      </IconButton>
+                    </Tooltip>
+                  </>
+                ) : user.role !== "admin" && user.provisioned ? (
+                  <>
+                    <Tooltip title={t("admin_users_table_add_access_tooltip")}>
+                      <IconButton onClick={() => handleAddAccessClick(user)} size="small">
+                        <AddIcon />
+                      </IconButton>
+                    </Tooltip>
+                    <Tooltip title={t("admin_users_provisioned_cannot_edit")}>
+                      <span>
+                        <IconButton disabled size="small">
+                          <EditIcon />
+                        </IconButton>
+                        <IconButton disabled size="small">
+                          <DeleteOutlineIcon />
+                        </IconButton>
+                      </span>
+                    </Tooltip>
+                  </>
+                ) : (
+                  <Tooltip title={t("admin_users_table_admin_no_actions")}>
+                    <span>
+                      <IconButton disabled size="small">
+                        <EditIcon />
+                      </IconButton>
+                    </span>
+                  </Tooltip>
+                )}
+              </TableCell>
+            </TableRow>
+          ))}
+        </TableBody>
+      </Table>
+      <EditUserDialog key={`editUserDialog${editDialogKey}`} open={editDialogOpen} user={selectedUser} onClose={handleDialogClose} />
+      <DeleteUserDialog open={deleteDialogOpen} user={selectedUser} onClose={handleDialogClose} />
+      <AddAccessDialog key={`addAccessDialog${accessDialogKey}`} open={accessDialogOpen} user={selectedUser} onClose={handleDialogClose} />
+      <DeleteAccessDialog open={deleteAccessDialogOpen} user={selectedUser} grant={selectedGrant} onClose={handleDialogClose} />
+    </>
+  );
+};
+
+const RoleChip = ({ role }) => {
+  const { t } = useTranslation();
+  if (role === "admin") {
+    return <Chip label={t("admin_users_role_admin")} size="small" color="primary" />;
+  }
+  return <Chip label={t("admin_users_role_user")} size="small" variant="outlined" />;
+};
+
+const AddUserDialog = (props) => {
+  const theme = useTheme();
+  const { t } = useTranslation();
+  const [error, setError] = useState("");
+  const [username, setUsername] = useState("");
+  const [password, setPassword] = useState("");
+  const [tier, setTier] = useState("");
+  const fullScreen = useMediaQuery(theme.breakpoints.down("sm"));
+
+  const handleSubmit = async () => {
+    try {
+      await adminApi.addUser(username, password, tier || undefined);
+      props.onClose();
+    } catch (e) {
+      console.log(`[Admin] Error adding user`, e);
+      if (e instanceof UnauthorizedError) {
+        await session.resetAndRedirect(routes.login);
+      } else {
+        setError(e.message);
+      }
+    }
+  };
+
+  return (
+    <Dialog open={props.open} onClose={props.onClose} maxWidth="sm" fullWidth fullScreen={fullScreen}>
+      <DialogTitle>{t("admin_users_add_dialog_title")}</DialogTitle>
+      <DialogContent>
+        <TextField
+          margin="dense"
+          id="username"
+          label={t("admin_users_add_dialog_username_label")}
+          type="text"
+          value={username}
+          onChange={(ev) => setUsername(ev.target.value)}
+          fullWidth
+          variant="standard"
+          autoFocus
+        />
+        <TextField
+          margin="dense"
+          id="password"
+          label={t("admin_users_add_dialog_password_label")}
+          type="password"
+          value={password}
+          onChange={(ev) => setPassword(ev.target.value)}
+          fullWidth
+          variant="standard"
+        />
+        <TextField
+          margin="dense"
+          id="tier"
+          label={t("admin_users_add_dialog_tier_label")}
+          type="text"
+          value={tier}
+          onChange={(ev) => setTier(ev.target.value)}
+          fullWidth
+          variant="standard"
+          helperText={t("admin_users_add_dialog_tier_helper")}
+        />
+      </DialogContent>
+      <DialogFooter status={error}>
+        <Button onClick={props.onClose}>{t("common_cancel")}</Button>
+        <Button onClick={handleSubmit} disabled={!username || !password}>
+          {t("common_add")}
+        </Button>
+      </DialogFooter>
+    </Dialog>
+  );
+};
+
+const EditUserDialog = (props) => {
+  const theme = useTheme();
+  const { t } = useTranslation();
+  const [error, setError] = useState("");
+  const [password, setPassword] = useState("");
+  const [tier, setTier] = useState(props.user?.tier || "");
+  const fullScreen = useMediaQuery(theme.breakpoints.down("sm"));
+
+  const handleSubmit = async () => {
+    try {
+      await adminApi.updateUser(props.user.username, password || undefined, tier || undefined);
+      props.onClose();
+    } catch (e) {
+      console.log(`[Admin] Error updating user`, e);
+      if (e instanceof UnauthorizedError) {
+        await session.resetAndRedirect(routes.login);
+      } else {
+        setError(e.message);
+      }
+    }
+  };
+
+  if (!props.user) {
+    return null;
+  }
+
+  return (
+    <Dialog open={props.open} onClose={props.onClose} maxWidth="sm" fullWidth fullScreen={fullScreen}>
+      <DialogTitle>{t("admin_users_edit_dialog_title", { username: props.user.username })}</DialogTitle>
+      <DialogContent>
+        <TextField
+          margin="dense"
+          id="password"
+          label={t("admin_users_edit_dialog_password_label")}
+          type="password"
+          value={password}
+          onChange={(ev) => setPassword(ev.target.value)}
+          fullWidth
+          variant="standard"
+          helperText={t("admin_users_edit_dialog_password_helper")}
+        />
+        <TextField
+          margin="dense"
+          id="tier"
+          label={t("admin_users_edit_dialog_tier_label")}
+          type="text"
+          value={tier}
+          onChange={(ev) => setTier(ev.target.value)}
+          fullWidth
+          variant="standard"
+          helperText={t("admin_users_edit_dialog_tier_helper")}
+        />
+      </DialogContent>
+      <DialogFooter status={error}>
+        <Button onClick={props.onClose}>{t("common_cancel")}</Button>
+        <Button onClick={handleSubmit} disabled={!password && !tier}>
+          {t("common_save")}
+        </Button>
+      </DialogFooter>
+    </Dialog>
+  );
+};
+
+const DeleteUserDialog = (props) => {
+  const { t } = useTranslation();
+  const [error, setError] = useState("");
+
+  const handleSubmit = async () => {
+    try {
+      await adminApi.deleteUser(props.user.username);
+      props.onClose();
+    } catch (e) {
+      console.log(`[Admin] Error deleting user`, e);
+      if (e instanceof UnauthorizedError) {
+        await session.resetAndRedirect(routes.login);
+      } else {
+        setError(e.message);
+      }
+    }
+  };
+
+  if (!props.user) {
+    return null;
+  }
+
+  return (
+    <Dialog open={props.open} onClose={props.onClose}>
+      <DialogTitle>{t("admin_users_delete_dialog_title")}</DialogTitle>
+      <DialogContent>
+        <DialogContentText>{t("admin_users_delete_dialog_description", { username: props.user.username })}</DialogContentText>
+      </DialogContent>
+      <DialogFooter status={error}>
+        <Button onClick={props.onClose}>{t("common_cancel")}</Button>
+        <Button onClick={handleSubmit} color="error">
+          {t("admin_users_delete_dialog_button")}
+        </Button>
+      </DialogFooter>
+    </Dialog>
+  );
+};
+
+const AddAccessDialog = (props) => {
+  const theme = useTheme();
+  const { t } = useTranslation();
+  const [error, setError] = useState("");
+  const [topic, setTopic] = useState("");
+  const [permission, setPermission] = useState("read-write");
+  const fullScreen = useMediaQuery(theme.breakpoints.down("sm"));
+
+  const handleSubmit = async () => {
+    try {
+      await adminApi.allowAccess(props.user.username, topic, permission);
+      props.onClose();
+    } catch (e) {
+      console.log(`[Admin] Error adding access`, e);
+      if (e instanceof UnauthorizedError) {
+        await session.resetAndRedirect(routes.login);
+      } else {
+        setError(e.message);
+      }
+    }
+  };
+
+  if (!props.user) {
+    return null;
+  }
+
+  return (
+    <Dialog open={props.open} onClose={props.onClose} maxWidth="sm" fullWidth fullScreen={fullScreen}>
+      <DialogTitle>{t("admin_access_add_dialog_title", { username: props.user.username })}</DialogTitle>
+      <DialogContent>
+        <TextField
+          margin="dense"
+          id="topic"
+          label={t("admin_access_add_dialog_topic_label")}
+          type="text"
+          value={topic}
+          onChange={(ev) => setTopic(ev.target.value)}
+          fullWidth
+          variant="standard"
+          autoFocus
+          helperText={t("admin_access_add_dialog_topic_helper")}
+        />
+        <FormControl fullWidth variant="standard" sx={{ mt: 2 }}>
+          <Select
+            value={permission}
+            onChange={(ev) => setPermission(ev.target.value)}
+            label={t("admin_access_add_dialog_permission_label")}
+          >
+            <MenuItem value="read-write">{t("admin_access_permission_read_write")}</MenuItem>
+            <MenuItem value="read-only">{t("admin_access_permission_read_only")}</MenuItem>
+            <MenuItem value="write-only">{t("admin_access_permission_write_only")}</MenuItem>
+            <MenuItem value="deny-all">{t("admin_access_permission_deny_all")}</MenuItem>
+          </Select>
+        </FormControl>
+      </DialogContent>
+      <DialogFooter status={error}>
+        <Button onClick={props.onClose}>{t("common_cancel")}</Button>
+        <Button onClick={handleSubmit} disabled={!topic}>
+          {t("common_add")}
+        </Button>
+      </DialogFooter>
+    </Dialog>
+  );
+};
+
+const DeleteAccessDialog = (props) => {
+  const { t } = useTranslation();
+  const [error, setError] = useState("");
+
+  const handleSubmit = async () => {
+    try {
+      await adminApi.resetAccess(props.user.username, props.grant.topic);
+      props.onClose();
+    } catch (e) {
+      console.log(`[Admin] Error removing access`, e);
+      if (e instanceof UnauthorizedError) {
+        await session.resetAndRedirect(routes.login);
+      } else {
+        setError(e.message);
+      }
+    }
+  };
+
+  if (!props.user || !props.grant) {
+    return null;
+  }
+
+  return (
+    <Dialog open={props.open} onClose={props.onClose}>
+      <DialogTitle>{t("admin_access_delete_dialog_title")}</DialogTitle>
+      <DialogContent>
+        <DialogContentText>
+          {t("admin_access_delete_dialog_description", { username: props.user.username, topic: props.grant.topic })}
+        </DialogContentText>
+      </DialogContent>
+      <DialogFooter status={error}>
+        <Button onClick={props.onClose}>{t("common_cancel")}</Button>
+        <Button onClick={handleSubmit} color="error">
+          {t("admin_access_delete_dialog_button")}
+        </Button>
+      </DialogFooter>
+    </Dialog>
+  );
+};
+
+export default Admin;
+

web/src/components/App.jsx

@@ -20,6 +20,7 @@ import Messaging from "./Messaging";
 import Login from "./Login";
 import Signup from "./Signup";
 import Account from "./Account";
+import Admin from "./Admin";
 import initI18n from "../app/i18n"; // Translations!
 import prefs, { THEME } from "../app/Prefs";
 import RTLCacheProvider from "./RTLCacheProvider";
@@ -80,6 +81,7 @@ const App = () => {
                   <Route element={<Layout />}>
                     <Route path={routes.app} element={<AllSubscriptions />} />
                     <Route path={routes.account} element={<Account />} />
+                    <Route path={routes.admin} element={<Admin />} />
                     <Route path={routes.settings} element={<Preferences />} />
                     <Route path={routes.subscription} element={<SingleSubscription />} />
                     <Route path={routes.subscriptionExternal} element={<SingleSubscription />} />

web/src/components/Navigation.jsx

@@ -25,6 +25,7 @@ import { useContext, useState } from "react";
 import ChatBubbleOutlineIcon from "@mui/icons-material/ChatBubbleOutline";
 import Person from "@mui/icons-material/Person";
 import SettingsIcon from "@mui/icons-material/Settings";
+import AdminPanelSettingsIcon from "@mui/icons-material/AdminPanelSettings";
 import AddIcon from "@mui/icons-material/Add";
 import { useLocation, useNavigate } from "react-router-dom";
 import { ChatBubble, MoreVert, NotificationsOffOutlined, Send } from "@mui/icons-material";
@@ -164,6 +165,14 @@ const NavList = (props) => {
             <ListItemText primary={t("nav_button_account")} />
           </ListItemButton>
         )}
+        {session.exists() && isAdmin && (
+          <ListItemButton onClick={() => navigate(routes.admin)} selected={location.pathname === routes.admin}>
+            <ListItemIcon>
+              <AdminPanelSettingsIcon />
+            </ListItemIcon>
+            <ListItemText primary={t("nav_button_admin")} />
+          </ListItemButton>
+        )}
         <ListItemButton onClick={() => navigate(routes.settings)} selected={location.pathname === routes.settings}>
           <ListItemIcon>
             <SettingsIcon />

web/src/components/routes.js

@@ -6,6 +6,7 @@ const routes = {
   signup: "/signup",
   app: config.app_root,
   account: "/account",
+  admin: "/admin",
   settings: "/settings",
   subscription: "/:topic",
   subscriptionExternal: "/:baseUrl/:topic",