truehostcloud · kipsang01 · Jan 6, 2026 · Dec 8, 2025 · Dec 9, 2025 · Dec 9, 2025
diff --git a/.env.example b/.env.example
@@ -104,6 +104,19 @@ POSTIZ_OAUTH_CLIENT_ID=""
 POSTIZ_OAUTH_CLIENT_SECRET=""
 # POSTIZ_OAUTH_SCOPE="openid profile email" # default values
 
+# === Elastic APM (optional)
+# Backend / Workers APM configuration
+# Set `ELASTIC_APM_SERVICE_NAME` to identify the service
+ELASTIC_APM_SERVICE_NAME="postiz-backend"
+# APM Server URL (APM Server default port is 8200)
+ELASTIC_APM_SERVER_URL="http://localhost:8200"
+
+# Frontend (RUM) configuration — exposed to the browser
+NEXT_PUBLIC_ELASTIC_APM_SERVER_URL="http://localhost:8200"
+NEXT_PUBLIC_ELASTIC_APM_SERVICE_NAME="postiz-frontend"
+# Public frontend URL used for distributed tracing origins
+NEXT_PUBLIC_FRONTEND_URL="http://localhost:4200"
+
 # Short Link Service Settings
 # DUB_TOKEN="" # Your self-hosted Dub API token
 # DUB_API_ENDPOINT="https://api.dub.co" # Your self-hosted Dub API endpoint

diff --git a/.github/workflows/build-and-push-dockerhub.yml b/.github/workflows/build-and-push-dockerhub.yml
@@ -0,0 +1,86 @@
+name: Build and Push Docker Hub Images
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+      - staging
+      - dev
+
+jobs:
+  build-push:
+    name: Build and Push
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set short SHA and tag base
+        id: set-vars
+        run: |
+          SHORT_SHA=$(git rev-parse --short=8 HEAD)
+          BRANCH=${GITHUB_REF#refs/heads/}
+          if [ "$BRANCH" = "main" ]; then
+            TAG_BASE=prod
+          elif [ "$BRANCH" = "staging" ] || [ "$BRANCH" = "dev" ]; then
+            TAG_BASE=dev
+          else
+            echo "Branch '$BRANCH' is not configured for Docker push. Exiting.";
+            exit 0
+          fi
+          echo "short_sha=$SHORT_SHA" >> "$GITHUB_OUTPUT"
+          echo "tag_base=$TAG_BASE" >> "$GITHUB_OUTPUT"
+
+      - name: Prepare image tags
+        id: prepare-tags
+        run: |
+          TAG_BASE=${{ steps.set-vars.outputs.tag_base }}
+          SHORT_SHA=${{ steps.set-vars.outputs.short_sha }}
+          USER=${{ secrets.DOCKERHUB_USERNAME }}
+          TAGS="docker.io/${USER}/postiz-app:${TAG_BASE}\ndocker.io/${USER}/postiz-app:${TAG_BASE}-${SHORT_SHA}"
+          if [ "${TAG_BASE}" = "prod" ]; then
+            TAGS="${TAGS}\ndocker.io/${USER}/postiz-app:latest"
+          fi
+          echo "Preparing tags:\n$TAGS"
+          echo "tags<<EOF" >> $GITHUB_OUTPUT
+          echo -e "$TAGS" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+      - name: Build and push multi-arch image
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: Dockerfile.dev
+          platforms: linux/amd64,linux/arm64
+          push: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          tags: ${{ steps.prepare-tags.outputs.tags }}
+          build-args: |
+            NEXT_PUBLIC_VERSION=${{ steps.set-vars.outputs.short_sha }}
+          labels: |
+            org.opencontainers.image.revision=${{ steps.set-vars.outputs.short_sha }}
+            org.opencontainers.image.source=${{ github.repository }}
+
+      - name: Verify pushed image (list)
+        run: |
+          echo "Pushed tags:"
+          echo "docker.io/${{ secrets.DOCKERHUB_USERNAME }}/postiz-app:${{ steps.set-vars.outputs.tag_base }}"
+          echo "docker.io/${{ secrets.DOCKERHUB_USERNAME }}/postiz-app:${{ steps.set-vars.outputs.tag_base }}-${{ steps.set-vars.outputs.short_sha }}"
diff --git a/.github/workflows/build-containers.yml b/.github/workflows/build-containers.yml
@@ -9,6 +9,7 @@ on:
 
 jobs:
   build-containers-common:
+    if: github.repository == 'gitroomhq/postiz-app'
     runs-on: ubuntu-latest
     outputs:
       containerver: ${{ steps.getcontainerver.outputs.containerver }}
@@ -19,6 +20,7 @@ jobs:
           echo "containerver=${{ github.ref_name }}" >> "$GITHUB_OUTPUT"
 
   build-containers:
+    if: github.repository == 'gitroomhq/postiz-app'
     needs: build-containers-common
     strategy:
       matrix:
@@ -53,10 +55,13 @@ jobs:
             -f Dockerfile.dev \
             -t ghcr.io/gitroomhq/postiz-app:${{ env.CONTAINERVER }}-${{ matrix.arch }} \
             --build-arg NEXT_PUBLIC_VERSION=${{ env.NEXT_PUBLIC_VERSION }} \
+            --pull \
+            --no-cache \
             --provenance=false --sbom=false \
             --output "type=registry,name=ghcr.io/gitroomhq/postiz-app:${{ env.CONTAINERVER }}-${{ matrix.arch }}" .
 
   build-container-manifest:
+    if: github.repository == 'gitroomhq/postiz-app'
     needs: [build-containers, build-containers-common]
     runs-on: ubuntu-latest
     steps:

diff --git a/.github/workflows/build-extension.yaml b/.github/workflows/build-extension.yaml
@@ -5,6 +5,7 @@ on:
 
 jobs:
   submit:
+    if: github.repository == 'gitroomhq/postiz-app'
     runs-on: ubuntu-latest
 
     steps:

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -14,6 +14,9 @@ jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
 
+    # Upstream-only: forks often don't want/need security event uploads
+    if: github.repository == 'gitroomhq/postiz-app'
+
     runs-on: 'ubuntu-latest'
     permissions:
       security-events: write

diff --git a/.github/workflows/eslint.yml → .github/workflows/eslint b/.github/workflows/eslint.yml → .github/workflows/eslint
@@ -21,6 +21,8 @@ on:
 jobs:
   eslint:
     name: Run eslint scanning
+    # Upstream-only: forks often don't want/need SARIF security uploads
+    if: github.repository == 'gitroomhq/postiz-app'
     runs-on: ubuntu-latest
     permissions:
       contents: read

diff --git a/.github/workflows/issue-label-triggers.yml b/.github/workflows/issue-label-triggers.yml
@@ -7,7 +7,7 @@ on:
 
 jobs:
   closed-public-website:
-    if: github.event.label.name == 'trigger-public-website'
+    if: github.repository == 'gitroomhq/postiz-app' && github.event.label.name == 'trigger-public-website'
     runs-on: ubuntu-latest
     permissions:
       issues: write

diff --git a/.github/workflows/pr-docker-build.yml b/.github/workflows/pr-docker-build.yml
@@ -1,13 +1,14 @@
-name: Build and Publish PR Docker Image
+name: Build and Publish PR Docker Image (manual)
 
 on:
-  pull_request_target:
-    types: [opened, synchronize]
+  workflow_dispatch:
 
-permissions: write-all
+# Automatic PR image pushes are disabled in this fork (PR images not required).
+# Trigger this workflow manually if you ever need to build/push a PR image.
 
 jobs:
   build-and-publish:
+    if: github.repository == 'gitroomhq/postiz-app'
     runs-on: ubuntu-latest
 
     environment: 
@@ -18,7 +19,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
+          ref: ${{ github.sha }}
 
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@v3
@@ -29,7 +30,7 @@ jobs:
 
       - name: Set image tag
         id: vars
-        run: echo "IMAGE_TAG=ghcr.io/gitroomhq/postiz-app-pr:${{ github.event.pull_request.number }}" >> $GITHUB_ENV
+        run: echo "IMAGE_TAG=ghcr.io/gitroomhq/postiz-app-pr:${{ github.run_id }}" >> $GITHUB_ENV
 
       - name: Build Docker image from Dockerfile.dev
         run: docker build -f Dockerfile.dev -t $IMAGE_TAG .

diff --git a/.github/workflows/publish-extension.yml b/.github/workflows/publish-extension.yml
@@ -5,6 +5,7 @@ on:
 
 jobs:
   submit:
+    if: github.repository == 'gitroomhq/postiz-app'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4

diff --git a/README.md b/README.md
@@ -119,7 +119,7 @@ Link: https://opencollective.com/postiz
 
 ## Star History
 
-[![Star History Chart](https://api.star-history.com/svg?repos=gitroomhq/postiz-app&type=Date)](https://www.star-history.com/#gitroomhq/postiz-app&Date)
+[![Star History Chart](https://api.star-history.com/svg?repos=gitroomhq/postiz-app&type=date&legend=top-left)](https://www.star-history.com/#gitroomhq/postiz-app&type=date&legend=top-left)
 
 ## License
 

diff --git a/apps/backend/src/api/routes/agencies.controller.ts b/apps/backend/src/api/routes/agencies.controller.ts
@@ -10,7 +10,7 @@ import { CreateAgencyDto } from '@gitroom/nestjs-libraries/dtos/agencies/create.
 export class AgenciesController {
   constructor(private _agenciesService: AgenciesService) {}
   @Get('/')
-  async getAgencyByUsers(@GetUserFromRequest() user: User) {
+  async getAgencyByUser(@GetUserFromRequest() user: User) {
     return (await this._agenciesService.getAgencyByUser(user)) || {};
   }
 

diff --git a/apps/backend/src/api/routes/auth.controller.ts b/apps/backend/src/api/routes/auth.controller.ts
@@ -268,4 +268,131 @@ export class AuthController {
       login: true,
     });
   }
+
+  @Get('/sso/:provider')
+  async ssoCallbackGet(
+    @Param('provider') provider: string,
+    @Query('code') code: string,
+    @Query('redirect') redirect: string,
+    @Res({ passthrough: false }) response: Response,
+    @RealIP() ip: string,
+    @UserAgent() userAgent: string
+  ) {
+    return this.handleSso({
+      provider,
+      token: code,
+      response,
+      ip,
+      userAgent,
+      redirect: redirect || process.env.FRONTEND_URL || '/',
+    });
+  }
+
+  @Post('/sso/:provider')
+  async ssoCallbackPost(
+    @Param('provider') provider: string,
+    @Body('code') code: string,
+    @Body('assertion') assertion: string,
+    @Query('redirect') redirect: string,
+    @Res({ passthrough: false }) response: Response,
+    @RealIP() ip: string,
+    @UserAgent() userAgent: string
+  ) {
+    return this.handleSso({
+      provider,
+      token: code || assertion,
+      response,
+      ip,
+      userAgent,
+      redirect: redirect || process.env.FRONTEND_URL || '/',
+    });
+  }
+
+  private async handleSso({
+    provider,
+    token,
+    response,
+    ip,
+    userAgent,
+    redirect,
+  }: {
+    provider: string;
+    token: string;
+    response: Response;
+    ip: string;
+    userAgent: string;
+    redirect?: string;
+  }) {
+    try {
+      const providerValue = Provider[provider?.toUpperCase() as keyof typeof Provider];
+      if (!providerValue) {
+        return response.status(400).send('Unsupported provider');
+      }
+
+      if (!token) {
+        return response.status(400).send('Missing code');
+      }
+
+      const { jwt, addedOrg } = await this._authService.sso(
+        providerValue as unknown as string,
+        token,
+        ip,
+        userAgent
+      );
+
+      response.cookie('auth', jwt, {
+        domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
+        ...(!process.env.NOT_SECURED
+          ? {
+              secure: true,
+              httpOnly: true,
+              sameSite: 'none',
+            }
+          : {}),
+        expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
+      });
+
+      if (process.env.NOT_SECURED) {
+        response.header('auth', jwt);
+      }
+
+      if (typeof addedOrg !== 'boolean' && addedOrg?.organizationId) {
+        response.cookie('showorg', addedOrg.organizationId, {
+          domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
+          ...(!process.env.NOT_SECURED
+            ? {
+                secure: true,
+                httpOnly: true,
+                sameSite: 'none',
+              }
+            : {}),
+          expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
+        });
+
+        if (process.env.NOT_SECURED) {
+          response.header('showorg', addedOrg.organizationId);
+        }
+      }
+
+      if (redirect) {
+        const allowedDomain = new URL(process.env.FRONTEND_URL!).hostname;
+        const redirectUrl = new URL(redirect, process.env.FRONTEND_URL!);
+        if (redirectUrl.hostname !== allowedDomain) {
+          return response.status(400).send('Invalid redirect domain');
+        }
+        return response.redirect(302, redirectUrl.toString());
+      }
+
+      response.header('reload', 'true');
+      return response.status(200).json({ login: true });
+    } catch (e: any) {
+      if (redirect) {
+        const url = new URL(redirect, process.env.FRONTEND_URL || undefined);
+        url.searchParams.set('sso', 'failed');
+        return response.redirect(302, url.toString());
+      }
+
+      return response.status(400).send(e.message || 'SSO failed');
+    }
+  }
 }
diff --git a/apps/backend/src/api/routes/billing.controller.ts b/apps/backend/src/api/routes/billing.controller.ts
@@ -62,6 +62,23 @@ export class BillingController {
     };
   }
 
+  @Post('/embedded')
+  embedded(
+    @GetOrgFromRequest() org: Organization,
+    @GetUserFromRequest() user: User,
+    @Body() body: BillingSubscribeDto,
+    @Req() req: Request
+  ) {
+    const uniqueId = req?.cookies?.track;
+    return this._stripeService.embedded(
+      uniqueId,
+      org.id,
+      user.id,
+      body,
+      org.allowTrial
+    );
+  }
+
   @Post('/subscribe')
   subscribe(
     @GetOrgFromRequest() org: Organization,
-Original file line number
+Diff line change
@@ Expand Up / @@ -5,6 +5,7 @@ on: @@
     jobs:
       submit:
+        if: github.repository == 'gitroomhq/postiz-app'
         runs-on: ubuntu-latest
         steps:
@@ Expand Down @@