Merge branch 'master' into copilot/add-admin-check-for-public-uploads

Author: ildyria

.trivyignore

@@ -7,26 +7,9 @@
 # to maintain our own fork of Frankenphp and keep it up to date with the latest security patches, which
 # is not sustainable for us.
 
-# True positive but we expect Lychee to be run behind a reverse proxy that is taking care of the cryptography and TLS configuration.
-# CVSS  7.6
-CVE-2026-25793
-
-# Gnu lib C vulnerbility that is used by the underlying image of frankenphp.
-CVE-2026-0861
-
-# gRPC-Go is the Go language implementation of gRPC. CVSS 9.1
-CVE-2026-33186
-
-# Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. CVSS 10
-CVE-2026-30836
-
-
 # This CVE is stupid and disputed.
 # The "vulnerability" is that php-jwt accepts short HMAC keys without validation.
 # This is not a library bug — key management is the caller's responsibility.
 # PHP's own hash_hmac() and openssl_sign() behave identically and have no CVEs for this.
 # NVD agrees — hence the Disputed tag and no score from NIST.
-CVE-2025-45769
-
-# We do not use JWT on the GOLANG side (frankenphp), so this CVE does not apply to us.
-CVE-2026-34986
+CVE-2025-45769

Dockerfile

@@ -56,7 +56,7 @@ RUN npm run build
 # ============================================================================
 # Stage 3: Production FrankenPHP Image
 # ============================================================================
-FROM dunglas/frankenphp:php8.5-trixie@sha256:93dcc4f16e01f0bc8e9d752bb19559cba4a23c14c9fd7ab825538fb432cd91ed
+FROM dunglas/frankenphp:php8.5-trixie@sha256:d82c11b5f9c96862130ee02c3f4f2513b81b7de5f29275593c526fa385fe9952
 
 ARG USER=appuser
 

app/Actions/Photo/Create.php

@@ -181,6 +181,7 @@ private function handleStandalone(InitDTO $init_dto): Photo
 			Standalone\EncodePlaceholder::class,
 			Standalone\ReplaceOriginalWithBackup::class,
 			Shared\UploadSizeVariantsToS3::class,
+			Shared\GeodecodeLocation::class,
 			Shared\ExtractColourPalette::class,
 			Shared\NotifyAlbums::class,
 		];
@@ -277,6 +278,7 @@ private function handlePhotoLivePartner(InitDTO $init_dto): Photo
 			Standalone\EncodePlaceholder::class,
 			Standalone\ReplaceOriginalWithBackup::class,
 			Shared\UploadSizeVariantsToS3::class,
+			Shared\GeodecodeLocation::class,
 			Shared\ExtractColourPalette::class,
 		];
 		$stand_alone_dto = $this->executePipeOnDTO($stand_alone_pipes, $stand_alone_dto);

app/Actions/Photo/Pipes/Shared/GeodecodeLocation.php

@@ -0,0 +1,55 @@
+<?php
+
+/**
+ * SPDX-License-Identifier: MIT
+ * Copyright (c) 2017-2018 Tobias Reich
+ * Copyright (c) 2018-2026 LycheeOrg.
+ */
+
+namespace App\Actions\Photo\Pipes\Shared;
+
+use App\Contracts\PhotoCreate\PhotoDTO;
+use App\Contracts\PhotoCreate\PhotoPipe;
+use App\Jobs\GeodecodeLocationJob;
+use App\Repositories\ConfigManager;
+use Illuminate\Support\Facades\Log;
+
+/**
+ * Dispatch an asynchronous job to reverse-geocode the GPS coordinates of a
+ * photo and populate its location field.
+ *
+ * The actual HTTP call to Nominatim is intentionally deferred so that photo
+ * uploads are not slowed down by the external network request.
+ */
+class GeodecodeLocation implements PhotoPipe
+{
+	public function __construct(
+		protected readonly ConfigManager $config_manager,
+	) {
+	}
+
+	public function handle(PhotoDTO $state, \Closure $next): PhotoDTO
+	{
+		if (!$this->config_manager->getValueAsBool('location_decoding')) {
+			return $next($state);
+		}
+
+		$photo = $state->getPhoto();
+
+		if ($photo->latitude === null || $photo->longitude === null) {
+			return $next($state);
+		}
+
+		// @codeCoverageIgnoreStart
+		// This is already tested directly in the GeodecodeLocationJobTest.
+		try {
+			GeodecodeLocationJob::dispatch($photo);
+		} catch (\Exception $e) {
+			// Fail silently and continue.
+			Log::error('Failed to dispatch GeodecodeLocationJob: ' . $e->getMessage());
+		}
+
+		return $next($state);
+		// @codeCoverageIgnoreEnd
+	}
+}

app/Enum/AspectRatioCSSType.php

@@ -20,5 +20,5 @@ enum AspectRatioCSSType: string
 	case aspect3by2 = 'aspect-3x2';
 	case aspect1by1 = 'aspect-square';
 	case aspect2by3 = 'aspect-2x3';
-	case aspect1byx9 = 'aspect-video';
+	case aspect16by9 = 'aspect-video';
 }

app/Enum/AspectRatioType.php

@@ -20,7 +20,7 @@ enum AspectRatioType: string
 	case aspect1by1 = '1/1';
 	case aspect2by3 = '2/3';
 	case aspect4by5 = '4/5';
-	case aspect1byx9 = '16/9';
+	case aspect16by9 = '16/9';
 
 	public function css(): AspectRatioCSSType
 	{
@@ -30,7 +30,7 @@ public function css(): AspectRatioCSSType
 			self::aspect3by2 => AspectRatioCSSType::aspect3by2,
 			self::aspect1by1 => AspectRatioCSSType::aspect1by1,
 			self::aspect2by3 => AspectRatioCSSType::aspect2by3,
-			self::aspect1byx9 => AspectRatioCSSType::aspect1byx9,
+			self::aspect16by9 => AspectRatioCSSType::aspect16by9,
 		};
 	}
 }

app/Enum/MapProviders.php

@@ -14,7 +14,6 @@
  */
 enum MapProviders: string
 {
-	case Wikimedia = 'Wikimedia';
 	case OpenStreetMapOrg = 'OpenStreetMap.org';
 	case OpenStreetMapDe = 'OpenStreetMap.de';
 	case OpenStreetMapFr = 'OpenStreetMap.fr';
@@ -23,7 +22,6 @@ enum MapProviders: string
 	public function getLayer(): string
 	{
 		return match ($this) {
-			self::Wikimedia => 'https://maps.wikimedia.org/osm-intl/{z}/{x}/{y}{r}.png',
 			self::OpenStreetMapOrg => 'https://tile.openstreetmap.org/{z}/{x}/{y}.png',
 			self::OpenStreetMapDe => 'https://tile.openstreetmap.de/{z}/{x}/{y}.png ',
 			self::OpenStreetMapFr => 'https://{s}.tile.openstreetmap.fr/osmfr/{z}/{x}/{y}.png ',
@@ -34,7 +32,6 @@ public function getLayer(): string
 	public function getAtributionHtml(): string
 	{
 		return match ($this) {
-			self::Wikimedia => '<a href="https://wikimediafoundation.org/wiki/Maps_Terms_of_Use">Wikimedia</a>',
 			self::OpenStreetMapOrg => '&copy; <a href="https://openstreetmap.org/copyright">' . __('gallery.map.osm_contributors') . '</a>',
 			self::OpenStreetMapDe => '&copy; <a href="https://openstreetmap.org/copyright">' . __('gallery.map.osm_contributors') . '</a>',
 			self::OpenStreetMapFr => '&copy; <a href="https://openstreetmap.org/copyright">' . __('gallery.map.osm_contributors') . '</a>',

app/Jobs/GeodecodeLocationJob.php

@@ -0,0 +1,100 @@
+<?php
+
+/**
+ * SPDX-License-Identifier: MIT
+ * Copyright (c) 2017-2018 Tobias Reich
+ * Copyright (c) 2018-2026 LycheeOrg.
+ */
+
+namespace App\Jobs;
+
+use App\Enum\JobStatus;
+use App\Metadata\Extractor;
+use App\Metadata\Geodecoder;
+use App\Models\JobHistory;
+use App\Models\Photo;
+use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldQueue;
+use Illuminate\Foundation\Bus\Dispatchable;
+use Illuminate\Queue\InteractsWithQueue;
+use Illuminate\Queue\Middleware\RateLimited;
+use Illuminate\Queue\SerializesModels;
+use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Str;
+
+/**
+ * Asynchronously reverse-geocodes the GPS coordinates of a photo and
+ * stores the resolved location string on the photo record.
+ */
+class GeodecodeLocationJob implements ShouldQueue
+{
+	use HasFailedTrait;
+	use Dispatchable;
+	use InteractsWithQueue;
+	use Queueable;
+	use SerializesModels;
+
+	protected JobHistory $history;
+	public string $photo_id;
+
+	/**
+	 * Create a new job instance.
+	 */
+	public function __construct(Photo $photo)
+	{
+		$this->photo_id = $photo->id;
+
+		$this->history = new JobHistory();
+		$this->history->owner_id = $photo->owner_id;
+		$this->history->job = Str::limit(sprintf('Geodecode location for %s [%s].', $photo->title, $this->photo_id), 200);
+		$this->history->status = JobStatus::READY;
+
+		$this->history->save();
+	}
+
+	/**
+	 * Get the middleware the job should pass through.
+	 *
+	 * @return array
+	 */
+	public function middleware()
+	{
+		return [new RateLimited('geo-queue')];
+	}
+
+	/**
+	 * Execute the job.
+	 */
+	public function handle(): void
+	{
+		Log::channel('jobs')->info("Starting geodecode location job for photo ID {$this->photo_id}.");
+		$this->history->status = JobStatus::STARTED;
+		$this->history->save();
+
+		$photo = Photo::findOrFail($this->photo_id);
+
+		if ($photo->latitude === null || $photo->longitude === null) {
+			$this->history->status = JobStatus::SUCCESS;
+			$this->history->save();
+
+			return;
+		}
+
+		$cached_provider = Geodecoder::getGeocoderProvider();
+		$location = Geodecoder::decodeLocation_core($photo->latitude, $photo->longitude, $cached_provider);
+
+		if ($location !== null) {
+			$location = substr($location, 0, Extractor::MAX_LOCATION_STRING_LENGTH);
+		}
+
+		Photo::query()
+			->where('id', '=', $this->photo_id)
+			->where(function ($query): void {
+				$query->whereNull('location')->orWhere('location', '=', '');
+			})
+			->update(['location' => $location]);
+
+		$this->history->status = JobStatus::SUCCESS;
+		$this->history->save();
+	}
+}

app/Metadata/Extractor.php

@@ -8,7 +8,6 @@
 
 namespace App\Metadata;
 
-use App\Exceptions\ExternalComponentFailedException;
 use App\Exceptions\ExternalComponentMissingException;
 use App\Exceptions\Handler;
 use App\Exceptions\MediaFileOperationException;
@@ -23,7 +22,6 @@
 use PHPExif\Reader\PhpExifReaderException;
 use PHPExif\Reader\Reader;
 use Safe\DateTime;
-use Safe\Exceptions\StringsException;
 
 /**
  * Collects normalized EXIF info about an image/video.
@@ -473,20 +471,6 @@ public static function createFromFile(NativeLocalFile $file, int $file_last_modi
 			$metadata->shutter .= self::SUFFIX_SEC_UNIT;
 		}
 
-		// Decode location data, it can be longer than is acceptable for DB that's the reason for substr
-		// but only if return value is not null (= function has been disabled)
-		try {
-			$metadata->location = Geodecoder::decodeLocation($metadata->latitude, $metadata->longitude);
-			if ($metadata->location !== null) {
-				$metadata->location = substr($metadata->location, 0, self::MAX_LOCATION_STRING_LENGTH);
-			}
-			// @codeCoverageIgnoreStart
-		} catch (ExternalComponentFailedException|StringsException $e) {
-			Handler::reportSafely($e);
-			$metadata->location = null;
-		}
-		// @codeCoverageIgnoreEnd
-
 		return $metadata;
 	}
 }

app/Metadata/Geodecoder.php

@@ -39,7 +39,7 @@ public static function getGeocoderProvider(): ProviderCache
 		$config_manager = app(ConfigManager::class);
 		try {
 			$stack = HandlerStack::create();
-			$stack->push(RateLimiterMiddleware::perSecond(1));
+			$stack->push(RateLimiterMiddleware::perSecond(config('features.location_decoding_requests_per_second', 1)));
 
 			$http_client = new \GuzzleHttp\Client([
 				'handler' => $stack,